# GCP Buckets

{% hint style="info" %}
Before you can start protecting your data in GCP Buckets you'll need to [link in your GCP account(s)](https://help.cloudstoragesec.com/console-overview/access-management/linked-accounts/linking-a-gcp-account).
{% endhint %}

## How It Works <a href="#schedule-status" id="schedule-status"></a>

When you link an account in the CSS console, we deploy resources through our Terraform module into a new CSS Project created in GCP. Those resources will have access to the customer project(s) denoted in the deployment's parameters (`projects_to_protect`).

Once the projects are linked, GCP buckets will be made available to be scanned through the CSS Console in the Protection > GCP Buckets page. You can select buckets to scan or run scans on a scheduled basis.

We offer two types of scanning for GCP: Event-Based Scanning and Retro scanning.

{% tabs %}
{% tab title="Event-Based Scanning" %}

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2F8BqYtLNZ8xw71DwERBKD%2FCSS-Architecture-gcp-event-annotated(2).png?alt=media&#x26;token=9de10511-d532-40dd-9558-36aec9c0ab03" alt=""><figcaption></figcaption></figure>

1. Users or apps place files into Google Cloud Storage.
2. The Pub/Sub service has a Topic set up to notify whenever new objects are created in designated Buckets.
3. The Cloud Run Job's subscription to the Topic activates whenever a new file is created.
4. The Cloud Run Job accesses the designated Bucket and loads that new object in memory to scan.
5. Files in the protected Bucket are tagged with their scan result.
6. (Optional) The Cloud Run Job will move infected files to a Quarantine Cloud Storage that resides in CSS' Project.
7. Results are returned to the Console service for processing.
{% endtab %}

{% tab title="Retro Scanning" %}

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2F34QQEjbQL24rGC7H931G%2FCSS-Architecture-GCP-retro(1).png?alt=media&#x26;token=9b9f2630-b6c0-4db3-9b3a-e13112bf00e5" alt=""><figcaption></figcaption></figure>

1. Users or apps place files into Google Cloud Storage.
2. The Console Service initiates a scan request to the Cloud Run service that resides in CSS' Project that is provisioned via Terraform.
3. The Cloud Run Job accesses the customer's Cloud Storage and loads a list of its objects in memory, procedurally scanning each item.
4. (Optional) The Cloud Run Job will move infected files to a Quarantine Cloud Storage that resides in CSS' Project.
5. Results are returned to the Console service for processing.
{% endtab %}
{% endtabs %}
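
The following is an added example, not CSS code: it sketches how a subscriber in steps 2 to 4 of the event-based flow could turn a Cloud Storage Pub/Sub notification into a scan request. It assumes the topic carries standard Cloud Storage notifications delivered as a push envelope; the function names, bucket name and sample messages are constructed for illustration.

```python
import base64
import json

SCAN_EVENTS = {"OBJECT_FINALIZE"}  # a new object, or a new generation of one


def scan_request_from_push(envelope, protected_buckets):
    """Map a Pub/Sub push envelope to a scan request, or None to skip it."""
    msg = envelope.get("message") or {}
    attrs = msg.get("attributes") or {}
    # Skip deletes, archives and OBJECT_METADATA_UPDATE. The last one matters:
    # if scan results are written as object metadata (an assumption here),
    # each write raises another notification and would cause a rescan loop.
    if attrs.get("eventType") not in SCAN_EVENTS:
        return None
    bucket, name = attrs.get("bucketId"), attrs.get("objectId")
    if not bucket or not name or bucket not in protected_buckets:
        return None
    # Pin the generation so the verdict applies to the bytes that raised the
    # event, not to a later overwrite of the same object name.
    request = {"bucket": bucket, "object": name,
               "generation": attrs.get("objectGeneration"), "size": None}
    if attrs.get("payloadFormat") == "JSON_API_V1" and msg.get("data"):
        try:
            resource = json.loads(base64.b64decode(msg["data"]))
            if isinstance(resource, dict):
                request["size"] = int(resource.get("size", 0))
        except (ValueError, TypeError):
            pass  # malformed payload: the attributes still identify the object
    return request


def sample_envelope(event_type, bucket, name, generation, resource=None):
    """Build a constructed push envelope shaped like a Cloud Storage notification."""
    data = base64.b64encode(json.dumps(resource).encode()).decode() if resource else ""
    return {"message": {"data": data, "attributes": {
        "eventType": event_type, "payloadFormat": "JSON_API_V1",
        "bucketId": bucket, "objectId": name, "objectGeneration": generation}}}


if __name__ == "__main__":
    protected = {"example-uploads"}  # constructed bucket name
    upload = sample_envelope("OBJECT_FINALIZE", "example-uploads", "in/report.pdf",
                             "1700000000000001", {"size": "2048"})
    tagged = sample_envelope("OBJECT_METADATA_UPDATE", "example-uploads",
                             "in/report.pdf", "1700000000000001")
    print(scan_request_from_push(upload, protected))
    print(scan_request_from_push(tagged, protected))
```
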

## Protecting Buckets <a href="#schedule-status" id="schedule-status"></a>

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FcMSgyHVV5irsEdqGvfCL%2Fimage.png?alt=media&#x26;token=f5d49a78-fa45-44c3-a7f7-4576e387985b" alt=""><figcaption></figcaption></figure>

"Protection" can mean multiple things: real-time scanning (event-based), scheduled scanning (based on a pre-defined schedule) and on-demand scanning (pick one or more buckets and scan immediately whenever you want).

## Shield Status <a href="#shield-status" id="shield-status"></a>

The shield color shown on this page will reflect how a bucket is being protected with event-based scanning. A red shield means a bucket is not protected and a green shield means a bucket is protected.

## Schedule Status <a href="#schedule-status" id="schedule-status"></a>

The schedule icons shown below will reflect whether an object is associated with a schedule and whether that schedule is active or not.

* Protected by Active Schedule - ![Green clock](https://help.cloudstoragesec.com/~gitbook/image?url=https%3A%2F%2F905555942-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlGcQw8I2CHyi1loKBlfi%252Fuploads%252FcWjXBZghM895Qpeu9Zr7%252Fgreen-clock.png%3Falt%3Dmedia\&width=300\&dpr=4\&quality=100\&sign=3b3c0c07\&sv=2)
* Part of an **Inactive** Schedule - ![Yellow clock](https://help.cloudstoragesec.com/~gitbook/image?url=https%3A%2F%2F905555942-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlGcQw8I2CHyi1loKBlfi%252Fuploads%252FD1I4zDFdWHhwv79Ma0Zi%252Fyellow-clock.png%3Falt%3Dmedia\&width=300\&dpr=4\&quality=100\&sign=f385a9b2\&sv=2)
* Not a Part of any Schedule - ![Red clock](https://help.cloudstoragesec.com/~gitbook/image?url=https%3A%2F%2F905555942-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlGcQw8I2CHyi1loKBlfi%252Fuploads%252FLAvOVzethjMYhwSe7V27%252Fred-clock.png%3Falt%3Dmedia\&width=300\&dpr=4\&quality=100\&sign=ecd8378e\&sv=2)

## Enable event-based protection on a Bucket <a href="#enable-event-based-protection-on-a-blob" id="enable-event-based-protection-on-a-blob"></a>

Similar to protecting Amazon S3 buckets, you can click the red shield associated with each Bucket to enable event-based protection on a bucket and scan any new files being uploaded to the Bucket automatically.

You can also select multiple buckets at the same time, go to the Actions menu, and select Turn On Event AV to enable event-based protection on multiple buckets at the same time.

## Retro-based scanning on a bucket

### On-demand Scanning <a href="#on-demand-scanning" id="on-demand-scanning"></a>

You can scan pre-existing files in a bucket at any time by selecting which bucket you'd like to scan and then selecting Scan Existing - AV in the Actions menu.

* Navigate to Protection > GCP > Buckets page
* Select the check mark next to the name of the bucket you want to scan
* Click Actions > Scan Existing - AV
* Select your date range, prefixes (optional) and whether you'd like to scan files that have already been scanned.
* Acknowledge that scanning files will result in a charge and scan selected.

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FdHCd1L2XhiDBp2SoTlBc%2Fimage.png?alt=media&#x26;token=69b63147-1bbd-464e-839a-54c7713785d5" alt=""><figcaption></figcaption></figure>

### Scheduled Scanning <a href="#scheduled-scanning" id="scheduled-scanning"></a>

You can add buckets to a schedule by selecting the buckets you want to scan on a scheduled basis and selecting Create AV Schedule in the Actions menu.

* Navigate to Protection > GCP > Buckets page
* Select the check mark next to the name of the bucket you want to scan
* Click Actions > Create AV Schedule
* Select the Schedule tab and enter your schedule name, scan period, schedule description (optional), files to scan, and prefixes to crawl (optional).
* Acknowledge that scanning files will result in a charge and save the schedule.

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2Fhpnrp6AMeEhVNoux12qg%2Fimage.png?alt=media&#x26;token=90a612de-b8f3-418d-9272-e34dc81f4d92" alt=""><figcaption><p>Create AV Schedule</p></figcaption></figure>

* Click on Schedules and find the schedule you created. Click the button with 3 dots on it and click Activate.

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2F09uXNZ0lTjBkofAohowj%2Fimage.png?alt=media&#x26;token=0380e121-fd1e-44a1-994b-7f727938f5c3" alt=""><figcaption></figcaption></figure>

### GCP On-demand and Scheduled Scan Job Status <a href="#azure-on-demand-and-scheduled-scan-job-status" id="azure-on-demand-and-scheduled-scan-job-status"></a>

If you go to Monitoring > Jobs you'll be able to see the status of on-demand and scheduled retro scans for GCP Buckets.

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FUyUhoQYqLotfTdLStt27%2Fimage.png?alt=media&#x26;token=6bd0b601-4914-4e0d-8408-eb8e20dc7ab2" alt=""><figcaption></figcaption></figure>


