Effective December 31, 2024, the Cloud Storage Scanning service has reached End of Life.
Cloud Storage Scanning supports scanning for malicious files in your Google Workspace. Configure a continuous or scheduled scan to check for malicious files in your users' Google Drive folders.
The following scan frequencies are available:
- On-demand: An on-demand scan of your cloud storage folders.
- Daily: A scheduled scan that runs daily at the specified time.
- Weekly: A scheduled scan that runs on certain days of the week at the specified time.
- Monthly: A scheduled scan that runs on a certain day of the month at the specified time.
- Continuous: A continuous scan that checks for new and updated files. Check Include existing files to initiate a scan on all files before monitoring for changes to them.
For more information, see Should I run a scheduled scan, continuous scan, or a combination of both.
Nebula Requirements
- The Nebula Super Admin or Administrator must be a Google Workspace Super Admin.
Google Workspace Configuration
A Cloud Storage Scanning app must be created in Google Workspace before creating the configuration in Nebula.
Set Up Service Account
- Create a project. For more information, see Creating a project.
- Create a service account. For more information, see Create a service account. Note: No IAM roles are required for the service account.
- Record the service account's OAuth 2 Client ID value. You will need this for a later step.
- Create a service account key and save it as JSON. For more information, see Create a service account key.
- Enable the Admin SDK API and Google Drive API for the service account. For more information, see Enabling an API.
Assign Domain-Wide Delegation to Service Account
- Using the OAuth 2 Client ID previously captured, assign domain-wide delegation to your service account. For more information, see Control API access with domain-wide delegation.
- Add the following OAuth scopes:
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.domain.readonly
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/drive.file
https://www.googleapis.com/auth/drive.readonly
https://www.googleapis.com/auth/drive.metadata.readonly
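The key file and delegation steps above, as an added example (not part of the original documentation or the vendor's code): a pre-flight check of the downloaded service account key that reads the OAuth 2 Client ID from the key's `client_id` field and builds the comma-delimited scope string for the domain-wide delegation form. It assumes a POSIX file system and Google's standard key JSON fields; the function names are hypothetical.

```python
import json
import os
import stat

# Scopes copied from the list above.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.file",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/drive.metadata.readonly",
)
REQUIRED_FIELDS = ("type", "client_id", "client_email", "private_key_id", "private_key")


def check_key_file(path):
    """Return (client_id, problems) for a service account key JSON file."""
    problems = []
    # The key holds a private key with domain-wide delegation: owner-only access.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"key file mode {mode:o} is accessible to group/other; use 600")
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    if not isinstance(key, dict):
        return None, problems + ["key file is not a JSON object"]
    for field in REQUIRED_FIELDS:
        if not key.get(field):
            problems.append(f"missing field: {field}")
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    return key.get("client_id"), problems


def delegation_entry(client_id, scopes=REQUIRED_SCOPES):
    """Client ID and comma-delimited scope string for the delegation form."""
    return {"client_id": client_id, "scopes": ",".join(scopes)}


if __name__ == "__main__":
    import sys
    client_id, problems = check_key_file(sys.argv[1])
    for p in problems:
        print("WARNING:", p)
    entry = delegation_entry(client_id)
    print("Client ID:", entry["client_id"])
    print("OAuth scopes:", entry["scopes"])
```

Run it with the path to the downloaded key as the only argument, and resolve any warnings before uploading the key.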
Assign roles to service account
- Create a custom role. For more information, see Create, edit, and delete custom admin roles.
- Assign the following privileges to the role:
  - Admin console privileges
    - Organizational Units
      - Read
    - Users
      - Read
    - Domain Settings
  - Admin API privileges
    - Organizational Units
      - Read
    - Users
      - Read
    - Billing Management
      - Billing Read
    - Domain Management
- Assign the custom role to the service account. For more information, see Assign a role to a service account.
Nebula Configuration
- On the left navigation menu, go to Configure > Cloud Storage Scans.
- Click Add a Scan.
- Enter a name for the scan configuration.
- Select Google Drive and upload the service account JSON key previously generated.
- Under Customer Id, enter your Customer Id. For more information on locating your Customer Id, see Find your customer ID.
- Click Connect to Provider.
- In the Items to scan tab, select which users or folders to scan.
- In the Quarantine tab, toggle on Enable Quarantine to allow Cloud Storage Scanning to quarantine malicious files automatically.
- Select a user for the quarantine folder. A folder that contains all quarantined objects from this scan configuration is automatically created in the selected user's directory.
- Select the default or customize the tombstone file. A tombstone file is created and replaces the original file when a file is quarantined. It is designed to provide information or instructions for users.
- In the Scan frequency tab, select a scan frequency.
Note: Scheduled scans run in Coordinated Universal Time (UTC).
- Click Save.
Note: Once a scan has been saved, it cannot be modified. Delete the existing scan and create a new one if changes are required.