[CASB] GCP Cloud Storage integration (#20972)

* Add GCP page

* Add prereqs

* Add details

* Add supported DLP integrations

* Create troubleshooting folder

* Set up troubleshooting redirect

* Add compute account instructions

* Remove Upgrade partial

* Improve upgrade procedure

* Add token instructions

* Add troubleshooting steps

* Rearrange sections

* Add better intro paragraph

* Fix relative links

* Revert link directory changes

* Apply suggestions from code review

Co-authored-by: Patricia Santa Ana <[email protected]>

---------

Co-authored-by: Patricia Santa Ana <[email protected]>

Author: 2 people

public/__redirects

@@ -1747,6 +1747,7 @@
 /cloudflare-one/api-terraform/gateway-api-examples/dns-policy/ /cloudflare-one/policies/gateway/dns-policies/common-policies/ 301
 /cloudflare-one/api-terraform/gateway-api-examples/network-policy/ /cloudflare-one/policies/gateway/network-policies/common-policies/ 301
 /cloudflare-one/api-terraform/gateway-api-examples/http-policy/ /cloudflare-one/policies/gateway/http-policies/common-policies/ 301
+/cloudflare-one/applications/casb/troubleshooting/ /cloudflare-one/applications/casb/troubleshooting/troubleshoot-integrations/ 301
 /cloudflare-one/applications/configure-apps/self-hosted-apps/ /cloudflare-one/applications/configure-apps/self-hosted-public-app/ 301
 /cloudflare-one/applications/non-http/arbitrary-tcp/ /cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp/ 301
 /cloudflare-one/connections/connect-apps/configuration/ /cloudflare-one/connections/connect-networks/configure-tunnels/ 301

src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx

@@ -8,7 +8,10 @@ import { Render } from "~/components";
 
 <Render
 	file="casb/integration-description"
-	params={{ integrationName: "Amazon Web Services (AWS) S3", integrationAccountType: "AWS account" }}
+	params={{
+		integrationName: "Amazon Web Services (AWS) S3",
+		integrationAccountType: "AWS account",
+	}}
 />
 
 ## Integration prerequisites

src/content/docs/cloudflare-one/applications/casb/casb-integrations/gcp-cloud-storage.mdx

@@ -0,0 +1,98 @@
+---
+pcx_content_type: reference
+title: Google Cloud Platform (GCP) Cloud Storage
+rss: file
+---
+
+import { Render } from "~/components";
+
+<Render
+	file="casb/integration-description"
+	params={{
+		integrationName: "Google Cloud Platform (GCP) Cloud Storage",
+		integrationAccountType: "GCP account",
+	}}
+/>
+
+## Integration prerequisites
+
+- A GCP account using Cloud Storage.
+- For initial setup, access to the GCP account with permission to create a new Service Account with the scopes listed below.
+
+## Integration permissions
+
+For the GCP Cloud Storage integration to function, Cloudflare CASB requires the following access scopes via a Service Account:
+
+- `roles/viewer`
+- `roles/storage.admin`
+
+These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission scope, refer to the [GCP IAM roles for Cloud Storage documentation](https://cloud.google.com/storage/docs/access-control/iam-roles).
+
+## Compute account
+
+You can connect a GCP compute account to your CASB integration to perform [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/) scans within your Cloud Storage bucket and avoid data egress. CASB will scan any objects that exist in the bucket at the time of configuration.
+
+### Add a compute account
+
+To connect a compute account to your GCP integration:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Integrations**.
+2. Find and select your GCP integration.
+3. Select **Open connection instructions**.
+4. Follow the instructions provided to connect a new compute account.
+5. Select **Refresh**.
+
+You can only connect one compute account to an integration. To remove a compute account, select **Manage compute accounts**.
+
+### Configure compute account scanning
+
+Once your GCP compute account has successfully connected to your CASB integration, you can configure where and how to scan for sensitive data:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Integrations**.
+2. Find and select your GCP integration.
+3. Select **Create new configuration**.
+4. In **Resources**, choose the buckets you want to scan. Select **Continue**.
+5. Choose the file types, sampling percentage, and [DLP profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/) to scan for.
+6. (Optional) Configure additional settings, such as the limit of API calls over time for CASB to adhere to.
+7. Select **Continue**.
+8. Review the details of the scan, then select **Start scan**.
+
+CASB will take up to one hour to begin scanning. To view the scan results, go to **CASB** > **Content** > **Cloud**.
+
+To manage your resources, go to **CASB** > **Integrations**, then find and select your GCP integration. From here, you can pause all or individual scans, add or remove resources, and change scan settings.
+
+For more information, refer to [Content findings](/cloudflare-one/applications/casb/manage-findings/#content-findings).
+
+## Security findings
+
+<Render
+	file="casb/security-findings"
+	params={{
+		integrationName: "GCP Cloud Storage",
+		slugRelativePath: "gcp-cloud-storage",
+	}}
+/>
+
+### Cloud Storage Bucket security
+
+Flag security issues in Cloud Storage Buckets, including overpermissioning, access policies, and user security best practices.
+
+| Finding type                                                                     | FindingTypeID                          | Severity |
+| -------------------------------------------------------------------------------- | -------------------------------------- | -------- |
+| Google Cloud Platform: GCS Bucket Allows Public Write                            | `4583f5a9-a343-4e2f-a8b3-9237a911f337` | Critical |
+| Google Cloud Platform: GCS Bucket IAM Policy Allows Public Access                | `032c1e88-0cff-47f6-8d75-046e0a7330de` | Critical |
+| Google Cloud Platform: GCS Bucket Publicly Accessible                            | `cc028a95-46d4-4156-ac11-bc5713529824` | Critical |
+| Google Cloud Platform: Public Access Prevention Enabled But Policy Grants Public | `cc02680e-9cc3-49d1-99d5-29d425bf142f` | Critical |
+| Google Cloud Platform: GCS Bucket ACL Grants All Authenticated Users Access      | `e1a588af-0500-482e-b59d-fd2693ce7fc0` | Critical |
+| Google Cloud Platform: GCS Bucket ACL Grants All Users Public Access             | `1904c004-8d4f-470e-9460-e77db23d6a86` | Critical |
+| Google Cloud Platform: Public Access Prevention but ACL Grants allUsers          | `fcf2e27e-673f-4cd2-9b76-ec89c4c5872c` | Critical |
+| Google Cloud Platform: GCS Bucket Versioning Disabled                            | `bd66e214-f205-4e00-bd68-121dad0a7988` | High     |
+| Google Cloud Platform: GCS Bucket Without KMS Encryption                         | `0105d9c4-1a01-4b65-b33e-df6c55905147` | High     |
+| Google Cloud Platform: GCS Uniform Bucket-Level Access Disabled                  | `6960b459-aa9e-4b41-84f6-26cdb75a1995` | High     |
+| Google Cloud Platform: GCS Bucket IAM Policy Allows Public Read                  | `10420f34-8fdd-49cb-8d38-096a2de5824f` | High     |
+| Google Cloud Platform: GCS Bucket Lacks Lifecycle Rules                          | `edcd5a8b-b128-404b-8207-23a80f669b65` | Medium   |
+| Google Cloud Platform: GCS Bucket Logging Disabled                               | `d26f43c8-9406-481c-8c8b-1a7f05f3cc27` | Medium   |
+| Google Cloud Platform: GCS Bucket Not Using 'Soft Delete'                        | `5542ed8e-77a6-43c1-8b9e-935e66009d34` | Medium   |
+| Google Cloud Platform: GCS Bucket Retention Policy Disabled                      | `2d4a247c-8adb-4f2b-ae58-3568d633cb81` | Medium   |
+| Google Cloud Platform: GCS Bucket IAM Policy Not Version 3                       | `ade2ede6-08c7-4962-b084-f6a29ee4a5b8` | Low      |
+| Google Cloud Platform: GCS Bucket IAM Policy Using Legacy Roles                  | `11a592b9-4f51-4a1a-9925-a48a5ed01521` | Low      |

src/content/docs/cloudflare-one/applications/casb/casb-integrations/index.mdx

@@ -14,6 +14,7 @@ You can integrate the following SaaS applications and cloud environments with Cl
 - [Box](/cloudflare-one/applications/casb/casb-integrations/box/)
 - [Dropbox](/cloudflare-one/applications/casb/casb-integrations/dropbox/)
 - [GitHub](/cloudflare-one/applications/casb/casb-integrations/github/)
+- [Google Cloud Platform (GCP) Cloud Storage](/cloudflare-one/applications/casb/casb-integrations/gcp-cloud-storage/)
 - [Google Workspace](/cloudflare-one/applications/casb/casb-integrations/google-workspace/)
   - [Google Drive](/cloudflare-one/applications/casb/casb-integrations/google-workspace/google-drive/)
   - [Gmail](/cloudflare-one/applications/casb/casb-integrations/google-workspace/gmail/)

src/content/docs/cloudflare-one/applications/casb/troubleshooting/index.mdx

@@ -0,0 +1,12 @@
+---
+pcx_content_type: troubleshooting
+title: Troubleshooting
+sidebar:
+  order: 4
+  group:
+    hideIndex: true
+---
+
+import { DirectoryListing } from "~/components";
+
+<DirectoryListing />

src/content/docs/cloudflare-one/applications/casb/troubleshooting/troubleshoot-compute-accounts.mdx

@@ -0,0 +1,74 @@
+---
+pcx_content_type: troubleshooting
+title: Troubleshoot compute accounts
+sidebar:
+  order: 2
+---
+
+import { Render } from "~/components";
+
+Cloudflare CASB detects when compute accounts are unhealthy or outdated. Common compute account issues include security or functionality updates and API token misconfigurations.
+
+## Identify unhealthy compute accounts
+
+To identify unhealthy compute accounts:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **CASB** > **Integrations**.
+2. Choose the integration you created for cloud scanning.
+3. Select **Manage compute accounts**.
+
+CASB will display the status of each compute account next to its name. If a compute account is broken or outdated, CASB will set its status to **Unhealthy**. If the status is **Healthy**, no action is required.
+
+## Repair an unhealthy compute account
+
+When CASB marks a compute account as **Unhealthy**, CASB will not use new scan configuration changes and new scan results will not appear in the dashboard.
+
+To repair a compute account marked as **Unhealthy**, first [upgrade the compute account](#upgrade-a-compute-account). If the compute account is still unhealthy, [roll your API token](#roll-api-tokens).
+
+## Upgrade a compute account
+
+Upgrading a compute account applies the latest software features, bug fixes, and infrastructure changes to a cloud compute account. You should run upgrades periodically to keep the compute account software up to date or when recommended by Cloudflare to address an issue. CASB deploys compute account upgrades through Terraform updates.
+
+To upgrade a compute account:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **CASB** > **Integrations**.
+2. Choose the integration you created for cloud scanning.
+3. Select **Open connection instructions**.
+4. Follow the instructions provided to validate your local Terraform and CLI configuration.
+5. Under **Step 2: Deploy Terraform Configuration**, copy the template to your local configuration. This template will be the most up to date version of the integration's Terraform configuration.
+6. In a local terminal, update the cached version of the CDS Terraform modules:
+   ```bash
+   terraform init --upgrade
+   ```
+7. Apply the upgraded Terraform configuration to your compute account:
+   ```bash
+   terraform apply
+   ```
+
+## Roll API tokens
+
+:::caution
+If you roll your API token in CASB but do not update it in your compute account, CASB will set your compute account's status as **Broken** and stop reporting scan results.
+:::
+
+You may need to roll the Cloudflare API token used for your compute account if a security or operational issue appears, your API token is compromised, or your API token is removed from your compute account.
+
+<Render file="api-roll-token" product="fundamentals" />
+
+4. Copy your API token.
+
+Once you roll your API token in Cloudflare, you can update the API token value in your secrets manager for [Amazon Web Services (AWS)](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_update-secret-value.html) or [Google Cloud Platform (GCP)](https://cloud.google.com/secret-manager/docs/edit-secrets).
+
+### Common token issues
+
+#### `cloudflare-cds-secrets` does not exist in the compute account's secrets manager
+
+To recreate the secret in your compute account:
+
+1. Validate that you selected the correct region.
+2. [Upgrade the compute account](#upgrade-a-compute-account) to recreate the secret.
+3. [Update the secret value](#roll-api-tokens) in your compute account.
+
+#### I no longer have access to the Cloudflare API token I created
+
+[Roll your Cloudflare API token](#roll-api-tokens) and add it to your compute account. If the [status of the compute account](#identify-unhealthy-compute-accounts) is set to **Healthy**, the issue has been solved.

src/content/docs/cloudflare-one/applications/casb/troubleshooting.mdx renamed to src/content/docs/cloudflare-one/applications/casb/troubleshooting/troubleshoot-integrations.mdx

@@ -2,11 +2,9 @@
 pcx_content_type: troubleshooting
 title: Troubleshoot integrations
 sidebar:
-  order: 3
+  order: 1
 ---
 
-import { TabItem, Tabs } from "~/components";
-
 Cloudflare CASB detects when integrations are unhealthy or outdated.
 
 Common integration issues include changes to SaaS app or cloud environment configurations, user access, or permission scope. Integrations may need to be updated to support new features or permissions.

src/content/partials/cloudflare-one/casb/casb-dlp-integrations.mdx

@@ -2,8 +2,10 @@
 {}
 ---
 
+- [Amazon Web Services (AWS) S3](/cloudflare-one/applications/casb/casb-integrations/aws-s3/)
 - [Box](/cloudflare-one/applications/casb/casb-integrations/box/)
 - [Dropbox](/cloudflare-one/applications/casb/casb-integrations/dropbox/)
+- [Google Cloud Platform (GCP) Cloud Storage](/cloudflare-one/applications/casb/casb-integrations/gcp-cloud-storage)
 - [Google Drive](/cloudflare-one/applications/casb/casb-integrations/google-workspace/google-drive/)
 - [Microsoft OneDrive](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/onedrive/)
 - [Microsoft SharePoint](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/sharepoint/)