GCP Buckets
Similar to scanning AWS storage volumes, you can also scan GCP Buckets.
How It Works
When linking an account in the CSS console, we deploy resources in a new CSS Project created in GCP through our Terraform module. Those resources will have access to the customer project(s) named in the deployment's parameters (projects_to_protect).
Once the projects are linked, GCP buckets will be made available to be scanned through the CSS Console in the Protection > GCP Buckets page. You can select buckets to scan or run scans on a scheduled basis.
We offer two types of scanning for GCP: Event-Based Scanning and Retro scanning.

Users or apps place files into Google Cloud Storage.
The Pub/Sub service has a Topic set up to notify whenever new objects are created in designated Buckets.
The Cloud Run Job's subscription to the Topic activates whenever a new file is created.
The Cloud Run Job accesses the designated Bucket and loads that new object into memory to scan it.
Files in the protected Bucket are tagged with their scan result.
(Optional) The Cloud Run Job will move infected files to a quarantine Cloud Storage bucket that resides in the CSS Project.
Results are returned to the Console service for processing.
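The event-based flow above, worked through as an added example (this is not CSS' own Cloud Run Job code). It runs offline against an in-memory stand-in for Cloud Storage; the Pub/Sub push envelope and the notification attributes follow the real GCS-to-Pub/Sub format (eventType, bucketId, objectId, objectGeneration, a JSON_API_V1 object payload in the data field), while the bucket names, the metadata keys, the subscription name and the detection signature are assumptions made for the example.

```python
"""Event-based scan handler for the flow described above (added example, not vendor code)."""
import base64
import json
from dataclasses import dataclass, field

PROTECTED_BUCKETS = {"customer-uploads"}   # assumed: buckets enabled in the console
QUARANTINE_BUCKET = "css-quarantine"       # assumed: quarantine bucket in the CSS project
# Constructed marker standing in for an AV engine's signatures (not real malware).
SIGNATURES = [b"CONSTRUCTED-TEST-SIGNATURE"]


@dataclass
class FakeStorage:
    """Minimal in-memory stand-in for the google-cloud-storage client."""
    objects: dict = field(default_factory=dict)    # (bucket, name) -> bytes
    metadata: dict = field(default_factory=dict)   # (bucket, name) -> dict

    def download(self, bucket, name):
        return self.objects[(bucket, name)]

    def set_metadata(self, bucket, name, md):
        self.metadata.setdefault((bucket, name), {}).update(md)

    def move(self, src_bucket, name, dst_bucket):
        # Copy then delete, which is what a quarantine step does in GCS.
        self.objects[(dst_bucket, name)] = self.objects.pop((src_bucket, name))
        self.metadata[(dst_bucket, name)] = self.metadata.pop((src_bucket, name), {})


def scan_bytes(data: bytes) -> str:
    """Stand-in scanner: a real job hands the bytes to an AV engine."""
    return "infected" if any(sig in data for sig in SIGNATURES) else "clean"


def parse_push(envelope: dict) -> dict:
    """Decode a Pub/Sub push envelope carrying a GCS JSON_API_V1 notification."""
    msg = envelope["message"]
    attrs = msg.get("attributes", {})
    payload = json.loads(base64.b64decode(msg["data"]).decode())
    return {
        "event": attrs.get("eventType"),
        "bucket": attrs.get("bucketId", payload.get("bucket")),
        "name": attrs.get("objectId", payload.get("name")),
        "generation": attrs.get("objectGeneration", payload.get("generation")),
    }


def handle_event(envelope: dict, storage: FakeStorage, quarantine: bool = True) -> dict:
    ev = parse_push(envelope)
    # Only newly written objects are scanned; deletes and metadata updates are ignored.
    if ev["event"] != "OBJECT_FINALIZE":
        return {"action": "ignored", "reason": "not OBJECT_FINALIZE"}
    # Defensive check: a topic may carry events from buckets never enabled in the console.
    if ev["bucket"] not in PROTECTED_BUCKETS:
        return {"action": "ignored", "reason": "bucket not protected"}
    data = storage.download(ev["bucket"], ev["name"])
    verdict = scan_bytes(data)
    # Tag the object with the verdict and the generation that was actually scanned,
    # so an overwrite racing the scan can be told apart from the bytes that were checked.
    storage.set_metadata(ev["bucket"], ev["name"],
                         {"scan-result": verdict, "scanned-generation": ev["generation"]})
    result = {"action": "scanned", "bucket": ev["bucket"], "name": ev["name"],
              "verdict": verdict, "quarantined": False}
    if verdict == "infected" and quarantine:
        storage.move(ev["bucket"], ev["name"], QUARANTINE_BUCKET)
        result["quarantined"] = True
    return result


def make_envelope(bucket: str, name: str, generation: int, event: str = "OBJECT_FINALIZE") -> dict:
    """Build a constructed push envelope in the shape GCS notifications use."""
    payload = {"kind": "storage#object", "bucket": bucket, "name": name, "generation": str(generation)}
    return {
        "message": {
            "data": base64.b64encode(json.dumps(payload).encode()).decode(),
            "attributes": {"eventType": event, "bucketId": bucket, "objectId": name,
                           "objectGeneration": str(generation), "payloadFormat": "JSON_API_V1"},
            "messageId": "1",
        },
        "subscription": "projects/example-css-project/subscriptions/css-scan",  # assumed name
    }


def demo():
    """Run the four cases a handler must get right; returns (storage, results)."""
    storage = FakeStorage()
    storage.objects[("customer-uploads", "report.pdf")] = b"%PDF-1.4 harmless content"
    storage.objects[("customer-uploads", "dropper.bin")] = b"\x00" + SIGNATURES[0] + b"\x00"
    storage.objects[("other-bucket", "notes.txt")] = b"not covered"
    results = [
        handle_event(make_envelope("customer-uploads", "report.pdf", 1), storage),
        handle_event(make_envelope("customer-uploads", "dropper.bin", 1), storage),
        handle_event(make_envelope("other-bucket", "notes.txt", 1), storage),
        handle_event(make_envelope("customer-uploads", "report.pdf", 2, event="OBJECT_DELETE"), storage),
    ]
    return storage, results


if __name__ == "__main__":
    for r in demo()[1]:
        print(r)
```

Two details carry over to a real deployment: filtering on OBJECT_FINALIZE (a delete or metadata-only event should never trigger a download), and recording the object generation that was scanned, because an upload that overwrites the object while the scan runs would otherwise inherit a verdict computed on different bytes.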
Protecting Buckets

"Protection" can mean multiple things: real-time scanning (event-based), scheduled scanning (on a pre-defined schedule) and on-demand scanning (pick one or more buckets and scan them immediately whenever you want).
Shield Status
The shield color shown on this page will reflect how a bucket is being protected with event-based scanning. A red shield means a bucket is not protected and a green shield means a bucket is protected.
Schedule Status
The schedule icons shown below will reflect whether an object is associated with a schedule and whether that schedule is active or not.
Protected by Active Schedule -
Part of an Inactive Schedule -
Not a Part of any Schedule -
Enable event-based protection on a Bucket
Similar to protecting Amazon S3 buckets, you can click the red shield associated with each Bucket to enable event-based protection on a bucket and scan any new files being uploaded to the Bucket automatically.
You can also select multiple buckets at the same time, go to the Actions menu, and select Turn On Event AV to enable event-based protection on multiple buckets at the same time.
Retro-based scanning on a bucket
On-demand Scanning
You can scan pre-existing files in a bucket at any time by selecting which bucket you'd like to scan and then selecting Scan Existing - AV in the Actions menu.
Navigate to the Protection > GCP > Buckets page
Select the check mark next to the name of the bucket
Click Actions > Scan Existing - AV
Select your date range, prefixes (optional) and whether you'd like to scan files that have already been scanned.
Acknowledge that scanning files will result in a charge and start the scan on the selected bucket(s).
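The selection step above (date range, optional prefixes, and whether to re-scan files that already have a result) as an added example of the object-selection logic, not CSS' own code. The object records are constructed in the shape of a GCS object listing (name, RFC 3339 updated time, custom metadata); the "scan-result" metadata key is an assumption standing in for whatever tag the product writes.

```python
"""Object selection for an on-demand (retro) bucket scan (added example, not vendor code)."""
from datetime import datetime, timedelta, timezone

SCAN_RESULT_KEY = "scan-result"   # assumed metadata key written by a previous scan

# Constructed sample listing for one bucket.
SAMPLE_OBJECTS = [
    {"name": "invoices/2024-01.pdf", "updated": "2024-01-05T10:00:00.000Z",
     "metadata": {SCAN_RESULT_KEY: "clean"}},
    {"name": "invoices/2024-02.pdf", "updated": "2024-02-03T09:30:00.000Z", "metadata": {}},
    {"name": "uploads/readme.txt", "updated": "2024-02-10T12:00:00.000Z", "metadata": {}},
    {"name": "invoices/old.pdf", "updated": "2023-06-01T00:00:00.000Z", "metadata": {}},
]


def _parse_rfc3339(ts: str) -> datetime:
    # GCS reports "updated" as RFC 3339 with millisecond precision and a trailing Z.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def select_objects(objects, start_day, end_day, prefixes=None, rescan=False):
    """Return the object names a retro scan should process.

    start_day/end_day: inclusive calendar days (YYYY-MM-DD, UTC) bounding the
    object's last update, as entered in the console's date range.
    prefixes: optional list of key prefixes to crawl; None means the whole bucket.
    rescan: when False, objects that already carry a scan result are skipped.
    """
    start = datetime.strptime(start_day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    end = datetime.strptime(end_day, "%Y-%m-%d").replace(tzinfo=timezone.utc) + timedelta(days=1)
    chosen = []
    for obj in objects:
        if prefixes and not any(obj["name"].startswith(p) for p in prefixes):
            continue
        updated = _parse_rfc3339(obj["updated"])
        if not (start <= updated < end):
            continue
        if not rescan and SCAN_RESULT_KEY in obj.get("metadata", {}):
            continue
        chosen.append(obj["name"])
    return chosen


if __name__ == "__main__":
    print(select_objects(SAMPLE_OBJECTS, "2024-01-01", "2024-12-31", prefixes=["invoices/"]))
```

Skipping already-scanned objects keeps retro scans (and the per-file charge) limited to files the event-based path never saw; turning rescan on is the way to re-check older files after a signature update.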

Scheduled Scanning
You can add buckets to a schedule by selecting the buckets you want to scan on a scheduled basis and selecting Create AV Schedule in the Actions menu.
Navigate to the Protection > GCP > Buckets page
Select the check mark next to the name of the bucket
Click Actions > Create AV Schedule
Select the Schedule tab and enter your schedule name, scan period, schedule description (optional), files to scan, and prefixes to crawl (optional).
Acknowledge that scanning files will result in a charge and save the schedule.

Click Schedules and find the schedule you created. Click the three-dot button next to it and click Activate.

GCP On-demand and Scheduled Scan Job Status
If you go to Monitoring > Jobs you'll be able to see the status of on-demand and scheduled retro scans for GCP Buckets.
