• A GCP account using Cloud Storage.
• For initial setup, access to the GCP account with permission to create a new Service Account with the scopes listed below.

For the GCP Cloud Storage integration to function, Cloudflare CASB requires the following access scopes via a Service Account:

• roles/viewer
• roles/storage.admin

These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission scope, refer to theGCP IAM roles for Cloud Storage documentation ↗.

You can connect a GCP compute account to your CASB integration to performData Loss Prevention scans within your Cloud Storage bucket and avoid data egress. CASB will scan any objects that exist in the bucket at the time of configuration.

To connect a compute account to your GCP integration:

1. InCloudflare One ↗, go toIntegrations >Cloud & SaaS integrations.
2. Find and select your GCP integration.
3. SelectOpen connection instructions.
4. Follow the instructions provided to connect a new compute account.
5. SelectRefresh.

You can only connect one compute account to an integration. To remove a compute account, selectManage compute accounts.

Once your GCP compute account has successfully connected to your CASB integration, you can configure where and how to scan for sensitive data:

1. InCloudflare One ↗, go toIntegrations >Cloud & SaaS integrations.
2. Find and select your GCP integration.
3. SelectCreate new configuration.
4. InResources, choose the buckets you want to scan. SelectContinue.
5. Choose the file types, sampling percentage, andDLP profiles to scan for.
6. (Optional) Configure additional settings, such as the limit of API calls over time for CASB to adhere to.
7. SelectContinue.
8. Review the details of the scan, then selectStart scan.

CASB will take up to one hour to begin scanning. To view the scan results, go toCloud & SaaS findings >Content Findings.

To manage your resources, go toCloud & SaaS findings >Integrations, then find and select your GCP integration. From here, you can pause all or individual scans, add or remove resources, and change scan settings.

For more information, refer toContent findings.

The GCP Cloud Storage integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered byseverity level.

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to itsRSS feed.

Flag security issues in Cloud Storage Buckets, including overpermissioning, access policies, and user security best practices.