cloudflare · maxvp · Mar 21, 2025 · Mar 19, 2025 · Mar 19, 2025 · Mar 19, 2025
@@ -1747,6 +1747,7 @@
 /cloudflare-one/api-terraform/gateway-api-examples/dns-policy/ /cloudflare-one/policies/gateway/dns-policies/common-policies/ 301
 /cloudflare-one/api-terraform/gateway-api-examples/network-policy/ /cloudflare-one/policies/gateway/network-policies/common-policies/ 301
 /cloudflare-one/api-terraform/gateway-api-examples/http-policy/ /cloudflare-one/policies/gateway/http-policies/common-policies/ 301
+/cloudflare-one/applications/casb/troubleshooting/ /cloudflare-one/applications/casb/troubleshooting/troubleshoot-integrations/ 301
 /cloudflare-one/applications/configure-apps/self-hosted-apps/ /cloudflare-one/applications/configure-apps/self-hosted-public-app/ 301
 /cloudflare-one/applications/non-http/arbitrary-tcp/ /cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp/ 301
 /cloudflare-one/connections/connect-apps/configuration/ /cloudflare-one/connections/connect-networks/configure-tunnels/ 301

@@ -8,7 +8,10 @@ import { Render } from "~/components";
 
 <Render
 	file="casb/integration-description"
-	params={{ integrationName: "Amazon Web Services (AWS) S3", integrationAccountType: "AWS account" }}
+	params={{
+		integrationName: "Amazon Web Services (AWS) S3",
+		integrationAccountType: "AWS account",
+	}}
 />
 
 ## Integration prerequisites

@@ -0,0 +1,98 @@
+---
+pcx_content_type: reference
+title: Google Cloud Platform (GCP) Cloud Storage
+rss: file
+---
+
+import { Render } from "~/components";
+
+<Render
+	file="casb/integration-description"
+	params={{
+		integrationName: "Google Cloud Platform (GCP) Cloud Storage",
+		integrationAccountType: "GCP account",
+	}}
+/>
+
+## Integration prerequisites
+
+- A GCP account using Cloud Storage.
+- For initial setup, access to the GCP account with permission to create a new Service Account with the scopes listed below.
+
+## Integration permissions
+
+For the GCP Cloud Storage integration to function, Cloudflare CASB requires the following access scopes via a Service Account:
+
+- `roles/viewer`
+- `roles/storage.admin`
+
+These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission scope, refer to the [GCP IAM roles for Cloud Storage documentation](https://cloud.google.com/storage/docs/access-control/iam-roles).
+
+## Compute account
+
+You can connect an GCP compute account to your CASB integration to perform [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/) scans within your Cloud Storage bucket and avoid data egress. CASB will scan any objects that exist in the bucket at the time of configuration.
+
+### Add a compute account
+
+To connect a compute account to your GCP integration:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Integrations**.
+2. Find and select your GCP integration.
+3. Select **Open connection instructions**.
+4. Follow the instructions provided to connect a new compute account.
+5. Select **Refresh**.
+
+You can only connect one computer account to an integration. To remove a compute account, select **Manage compute accounts**.
+
+### Configure compute account scanning
+
+Once your GCP compute account has successfully connected to your CASB integration, you can configure where and how to scan for sensitive data:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Integrations**.
+2. Find and select your GCP integration.
+3. Select **Create new configuration**.
+4. In **Resources**, choose the buckets you want to scan. Select **Continue**.
+5. Choose the file types, sampling percentage, and [DLP profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/) to scan for.
+6. (Optional) Configure additional settings, such as the limit of API calls over time for CASB to adhere to.
+7. Select **Continue**.
+8. Review the details of the scan, then select **Start scan**.
+
+CASB will take up to an hour to begin scanning. To view the scan results, go to **CASB** > **Content** > **Cloud**.
+
+To manage your resources, go to **CASB** > **Integrations**, then find and select your GCP integration. From here, you can pause all or individual scans, add or remove resources, and change scan settings.
+
+For more information, refer to [Content findings](/cloudflare-one/applications/casb/manage-findings/#content-findings).
+
+## Security findings
+
+<Render
+	file="casb/security-findings"
+	params={{
+		integrationName: "GCP Cloud Storage",
+		slugRelativePath: "gcp-cloud-storage",
+	}}
+/>
+
+### Cloud Storage Bucket security
+
+Flag security issues in Cloud Storage Buckets, including overpermissioning, access policies, and user security best practices.
+
+| Finding type                                                                     | FindingTypeID                          | Severity |
+| -------------------------------------------------------------------------------- | -------------------------------------- | -------- |
+| Google Cloud Platform: GCS Bucket Allows Public Write                            | `4583f5a9-a343-4e2f-a8b3-9237a911f337` | Critical |
+| Google Cloud Platform: GCS Bucket IAM Policy Allows Public Access                | `032c1e88-0cff-47f6-8d75-046e0a7330de` | Critical |
+| Google Cloud Platform: GCS Bucket Publicly Accessible                            | `cc028a95-46d4-4156-ac11-bc5713529824` | Critical |
+| Google Cloud Platform: Public Access Prevention Enabled But Policy Grants Public | `cc02680e-9cc3-49d1-99d5-29d425bf142f` | Critical |
+| Google Cloud Platform: GCS Bucket ACL Grants All Authenticated Users Access      | `e1a588af-0500-482e-b59d-fd2693ce7fc0` | Critical |
+| Google Cloud Platform: GCS Bucket ACL Grants All Users Public Access             | `1904c004-8d4f-470e-9460-e77db23d6a86` | Critical |
+| Google Cloud Platform: Public Access Prevention but ACL Grants allUsers          | `fcf2e27e-673f-4cd2-9b76-ec89c4c5872c` | Critical |
+| Google Cloud Platform: GCS Bucket Versioning Disabled                            | `bd66e214-f205-4e00-bd68-121dad0a7988` | High     |
+| Google Cloud Platform: GCS Bucket Without KMS Encryption                         | `0105d9c4-1a01-4b65-b33e-df6c55905147` | High     |
+| Google Cloud Platform: GCS Uniform Bucket-Level Access Disabled                  | `6960b459-aa9e-4b41-84f6-26cdb75a1995` | High     |
+| Google Cloud Platform: GCS Bucket IAM Policy Allows Public Read                  | `10420f34-8fdd-49cb-8d38-096a2de5824f` | High     |
+| Google Cloud Platform: GCS Bucket Lacks Lifecycle Rules                          | `edcd5a8b-b128-404b-8207-23a80f669b65` | Medium   |
+| Google Cloud Platform: GCS Bucket Logging Disabled                               | `d26f43c8-9406-481c-8c8b-1a7f05f3cc27` | Medium   |
+| Google Cloud Platform: GCS Bucket Not Using 'Soft Delete'                        | `5542ed8e-77a6-43c1-8b9e-935e66009d34` | Medium   |
+| Google Cloud Platform: GCS Bucket Retention Policy Disabled                      | `2d4a247c-8adb-4f2b-ae58-3568d633cb81` | Medium   |
+| Google Cloud Platform: GCS Bucket IAM Policy Not Version 3                       | `ade2ede6-08c7-4962-b084-f6a29ee4a5b8` | Low      |
+| Google Cloud Platform: GCS Bucket IAM Policy Using Legacy Roles                  | `11a592b9-4f51-4a1a-9925-a48a5ed01521` | Low      |
@@ -7,24 +7,25 @@ sidebar:
 
 You can integrate the following SaaS applications and cloud environments with Cloudflare CASB:
 
-- [Amazon Web Services (AWS) S3](/cloudflare-one/applications/casb/casb-integrations/aws-s3/)
-- [Atlassian Confluence](/cloudflare-one/applications/casb/casb-integrations/atlassian-confluence/)
-- [Atlassian Jira](/cloudflare-one/applications/casb/casb-integrations/atlassian-jira/)
-- [Bitbucket Cloud](/cloudflare-one/applications/casb/casb-integrations/bitbucket-cloud/)
-- [Box](/cloudflare-one/applications/casb/casb-integrations/box/)
-- [Dropbox](/cloudflare-one/applications/casb/casb-integrations/dropbox/)
-- [GitHub](/cloudflare-one/applications/casb/casb-integrations/github/)
-- [Google Workspace](/cloudflare-one/applications/casb/casb-integrations/google-workspace/)
-  - [Google Drive](/cloudflare-one/applications/casb/casb-integrations/google-workspace/google-drive/)
-  - [Gmail](/cloudflare-one/applications/casb/casb-integrations/google-workspace/gmail/)
-  - [Google Admin](/cloudflare-one/applications/casb/casb-integrations/google-workspace/google-admin/)
-  - [Google Calendar](/cloudflare-one/applications/casb/casb-integrations/google-workspace/google-calendar/)
-- [Microsoft 365](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/)
-  - [Admin Center](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/admin-center/)
-  - [OneDrive](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/onedrive/)
-  - [SharePoint](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/sharepoint/)
-  - [Outlook](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/outlook/)
-- [Salesforce](/cloudflare-one/applications/casb/casb-integrations/salesforce/)
-- [Salesforce (FedRAMP)](/cloudflare-one/applications/casb/casb-integrations/salesforce-fedramp/)
-- [ServiceNow](/cloudflare-one/applications/casb/casb-integrations/servicenow/)
-- [Slack](/cloudflare-one/applications/casb/casb-integrations/slack/)
+- [Amazon Web Services (AWS) S3](aws-s3/)
+- [Atlassian Confluence](atlassian-confluence/)
+- [Atlassian Jira](atlassian-jira/)
+- [Bitbucket Cloud](bitbucket-cloud/)
+- [Box](box/)
+- [Dropbox](dropbox/)
+- [GitHub](github/)
+- [Google Cloud Platform (GCP) Cloud Storage](gcp-cloud-storage)
+- [Google Workspace](google-workspace/)
+  - [Google Drive](google-workspace/google-drive/)
+  - [Gmail](google-workspace/gmail/)
+  - [Google Admin](google-workspace/google-admin/)
+  - [Google Calendar](google-workspace/google-calendar/)
+- [Microsoft 365](microsoft-365/)
+  - [Admin Center](microsoft-365/admin-center/)
+  - [OneDrive](microsoft-365/onedrive/)
+  - [SharePoint](microsoft-365/sharepoint/)
+  - [Outlook](microsoft-365/outlook/)
+- [Salesforce](salesforce/)
+- [Salesforce (FedRAMP)](salesforce-fedramp/)
+- [ServiceNow](servicenow/)
+- [Slack](slack/)
@@ -0,0 +1,12 @@
+---
+pcx_content_type: troubleshooting
+title: Troubleshooting
+sidebar:
+  order: 4
+  group:
+    hideIndex: true
+---
+
+import { DirectoryListing } from "~/components";
+
+<DirectoryListing />
@@ -0,0 +1,84 @@
+---
+pcx_content_type: troubleshooting
+title: Troubleshoot compute accounts
+sidebar:
+  order: 2
+---
+
+Cloudflare CASB detects when integrations are unhealthy or outdated.
+
+Common integration issues include changes to SaaS app or cloud environment configurations, user access, or permission scope. Integrations may need to be updated to support new features or permissions.
+
+## Upgrade a compute account
+
+Upgrading a compute account applies the latest software features, bug fixes, and infrastructure changes to a cloud compute account. Upgrades should be run periodically to keep the compute account software up to date or when recommended by Cloudflare to address an issue.
+
+To upgrade a compute account:
+
+1. Download the latest Terraform configuration using the "latest templates" API route.
+   1. Navigate to your integration in the CASB Dashboard
+   2. Select the integration you created for cloud scanning
+   3. You should see a "Connect a compute account" module. Click "Open Connection Instructions" Here, you'll be able to see the latest terraform that you can download
+2. Validate that your local machine has the AWS or GCP CLI installed
+3. Validate that an AWS or GCP profile is configured and set to the intended region, and using IAM credentials for a user in the intended AWS or GCP account
+4. Validate that the Terraform state file created during previous Terraform activities for this account is available
+5. Update cached version of the CDS Terraform modules: terraform init --upgrade
+6. Apply the downloaded terraform configuration: terraform apply
+
+## Rotate API tokens
+
+Rotating the API token used by the compute account is useful when there is a security or operational need to use a new API Token. Note that if the API Token is rolled in the Cloudflare Dashboard but isn't updated in the Compute Account, the Compute Account will get unhealthy and stop reporting scan results.
+
+This procedure should be used whenever there is a need to updated the API Token or if the API Token is no longer present in the cloud Compute Account.
+
+Steps
+
+### Roll Token in the Cloudflare Dashboard
+
+1. Log in to the Cloudflare dashboard ↗ and go to My Profile > API Tokens.
+2. Next to the API token you want to roll, select the three dot icon > Roll.
+3. Select Confirm to generate a new API token.
+4. Record the newly created token
+
+### Set API key in Secrets Manager
+
+1. Open the AWS or GCP console and navigate to Secrets Manager
+2. Validate that the region in which Terraform deployed is selected
+   For AWS:
+   Click on the secret cloudflare-cds-secrets, click Retrieve secret value, and Edit
-   Click on the secret cloudflare-cds-secrets, click Retrieve secret value, and Edit
+   Click on the secret Cloudflare-cds-secrets, click Retrieve secret value, and Edit
-   Click on the secret cloudflare-cds-secrets, click Retrieve secret value, and Edit
+   Click on the secret Cloudflare-cds-secrets, click Retrieve secret value, and Edit
+   Paste in the Cloudflare API key previously created and click Save
+   For GCP:
+   Update the secret following the format below, replacing `<token>` with the recently created token: `{"cloudflare_api_token": "<token>"}`
+   Click Save
+
+### Common issues
+
+#### cloudflare-cds-secrets does not exist in AWS or GCP Secrets Manager
+
+Validate that the correct region is selected
+Rerun Terraform Apply to recreate the secret
+Apply repeat the steps above to edit the secret's value
+
+#### I no longer have access to the API token I created
+
+Following the above instructions, roll the API token again and add it to AWS or GCP Secrets Manager
+Validation: On the integration page, if the Compute Account is shown as "Healthy", the problem has been solved.
+
+## Troubleshoot an unhealthy compute account
+
+When a Compute Account becomes unhealthy, new scan configuration changes will not be put into use and new scan results will not appear in the dashboard.
+
+The following steps should be used when a Compute Account is appearing with the "Unhealthy" badge within the CASB Integration page. Example:
+
+Steps
+Rerun Terraform Apply
+Navigate to a directory that contains the Terraform state file created during previous Terraform activity for this Compute Account
+Pull the latest updates:
+terraform init --upgrade
+Recreate/Upgrade any missing resources:
+terraform apply
+After completion, review the health status of the Compute Account to verify recovery. If the Compute Account is now healthy, you can stop here. Else, continue to the next step.
+
+Roll API Token
+Follow the steps listed in "Rotating API Tokens" section
+Review the health status of the Compute Account to verify recovery.
@@ -2,11 +2,9 @@
 pcx_content_type: troubleshooting
 title: Troubleshoot integrations
 sidebar:
-  order: 3
+  order: 1
 ---
 
-import { TabItem, Tabs } from "~/components";
-
 Cloudflare CASB detects when integrations are unhealthy or outdated.
 
 Common integration issues include changes to SaaS app or cloud environment configurations, user access, or permission scope. Integrations may need to be updated to support new features or permissions.

@@ -2,8 +2,10 @@
 {}
 ---
 
+- [Amazon Web Services (AWS) S3](/cloudflare-one/applications/casb/casb-integrations/aws-s3/)
 - [Box](/cloudflare-one/applications/casb/casb-integrations/box/)
 - [Dropbox](/cloudflare-one/applications/casb/casb-integrations/dropbox/)
+- [Google Cloud Platform (GCP) Cloud Storage](/cloudflare-one/applications/casb/casb-integrations/gcp-cloud-storage)
 - [Google Drive](/cloudflare-one/applications/casb/casb-integrations/google-workspace/google-drive/)
 - [Microsoft OneDrive](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/onedrive/)
 - [Microsoft SharePoint](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/sharepoint/)