@google-cloud/dlp 5.10.0 → 5.12.0

package/CHANGELOG.md

@@ -4,6 +4,20 @@
 
 [1]: https://www.npmjs.com/package/PACKAGE NAME?activeTab=versions
 
+## [5.12.0](https://github.com/googleapis/google-cloud-node/compare/dlp-v5.11.0...dlp-v5.12.0) (2024-10-30)
+
+
+### Features
+
+* [dlp] discovery of BigQuery snapshots ([#5757](https://github.com/googleapis/google-cloud-node/issues/5757)) ([3f262fc](https://github.com/googleapis/google-cloud-node/commit/3f262fc59aa6054bd22f6868e76e7c686a9444a3))
+
+## [5.11.0](https://github.com/googleapis/google-cloud-node/compare/dlp-v5.10.0...dlp-v5.11.0) (2024-09-24)
+
+
+### Features
+
+* [dlp] action for publishing data profiles to SecOps (formelly known as Chronicle) ([#5691](https://github.com/googleapis/google-cloud-node/issues/5691)) ([106d029](https://github.com/googleapis/google-cloud-node/commit/106d029eacd05fc890dffd1169a19d4596d93c54))
+
 ## [5.10.0](https://github.com/googleapis/google-cloud-node/compare/dlp-v5.9.0...dlp-v5.10.0) (2024-08-19)
 
 

package/README.md

@@ -44,7 +44,7 @@ Google APIs Client Libraries, in [Client Libraries Explained][explained].
 1.  [Select or create a Cloud Platform project][projects].
 1.  [Enable billing for your project][billing].
 1.  [Enable the Cloud Data Loss Prevention API][enable_api].
-1.  [Set up authentication with a service account][auth] so you can access the
+1.  [Set up authentication][auth] so you can access the
     API from your local workstation.
 
 ### Installing the client library
@@ -250,4 +250,4 @@ See [LICENSE](https://github.com/googleapis/google-cloud-node/blob/main/LICENSE)
 [projects]: https://console.cloud.google.com/project
 [billing]: https://support.google.com/cloud/answer/6293499#enable-billing
 [enable_api]: https://console.cloud.google.com/flows/enableapi?apiid=dlp.googleapis.com
-[auth]: https://cloud.google.com/docs/authentication/getting-started
+[auth]: https://cloud.google.com/docs/authentication/external/set-up-adc-local

package/build/protos/google/privacy/dlp/v2/dlp.proto

@@ -47,13 +47,9 @@ option (google.api.resource_definition) = {
   pattern: "organizations/{organization}/locations/{location}"
 };
 
-// The Cloud Data Loss Prevention (DLP) API is a service that allows clients
-// to detect the presence of Personally Identifiable Information (PII) and other
-// privacy-sensitive data in user-supplied, unstructured data streams, like text
-// blocks or images.
-// The service also includes methods for sensitive data redaction and
-// scheduling of data scans on Google Cloud Platform based data sets.
-//
+// Sensitive Data Protection provides access to a powerful sensitive data
+// inspection, classification, and de-identification platform that works
+// on text, images, and Google Cloud storage repositories.
 // To learn more about concepts and find how-to guides see
 // https://cloud.google.com/sensitive-data-protection/docs/.
 service DlpService {
@@ -4897,6 +4893,12 @@ message DataProfileAction {
     ERROR_CHANGED = 4;
   }
 
+  // Message expressing intention to publish to Google Security Operations.
+  message PublishToChronicle {}
+
+  // If set, a summary finding will be created/updated in SCC for each profile.
+  message PublishToSecurityCommandCenter {}
+
   // If set, attaches the [tags]
   // (https://cloud.google.com/resource-manager/docs/tags/tags-overview)
   // provided to profiled resources. Tags support [access
@@ -4959,6 +4961,15 @@ message DataProfileAction {
     // Publish a message into the Pub/Sub topic.
     PubSubNotification pub_sub_notification = 2;
 
+    // Publishes generated data profiles to Google Security Operations.
+    // For more information, see [Use Sensitive Data Protection data in
+    // context-aware
+    // analytics](https://cloud.google.com/chronicle/docs/detection/usecase-dlp-high-risk-user-download).
+    PublishToChronicle publish_to_chronicle = 3;
+
+    // Publishes findings to SCC for each data profile.
+    PublishToSecurityCommandCenter publish_to_scc = 4;
+
     // Tags the profiled resources with the specified tag values.
     TagResources tag_resources = 8;
   }
@@ -4980,6 +4991,9 @@ message DataProfileJobConfig {
   // that are profiled, and the Cloud DLP API must be enabled.
   string project_id = 5;
 
+  // Must be set only when scanning other clouds.
+  OtherCloudDiscoveryStartingLocation other_cloud_starting_location = 8;
+
   // Detection logic for profile generation.
   //
   // Not all template features are used by profiles. FindingLimits,
@@ -5033,8 +5047,8 @@ message BigQueryTableTypes {
   repeated BigQueryTableType types = 1;
 }
 
-// Over time new types may be added. Currently VIEW, MATERIALIZED_VIEW,
-// and SNAPSHOT are not supported.
+// Over time new types may be added. Currently VIEW, MATERIALIZED_VIEW, and
+// non-BigLake external tables are not supported.
 enum BigQueryTableTypeCollection {
   // Unused.
   BIG_QUERY_COLLECTION_UNSPECIFIED = 0;
@@ -5052,8 +5066,8 @@ enum BigQueryTableTypeCollection {
   BIG_QUERY_COLLECTION_ONLY_SUPPORTED_TYPES = 2;
 }
 
-// Over time new types may be added. Currently VIEW, MATERIALIZED_VIEW,
-// SNAPSHOT, and non-BigLake external tables are not supported.
+// Over time new types may be added. Currently VIEW, MATERIALIZED_VIEW, and
+// non-BigLake external tables are not supported.
 enum BigQueryTableType {
   // Unused.
   BIG_QUERY_TABLE_TYPE_UNSPECIFIED = 0;
@@ -5063,6 +5077,9 @@ enum BigQueryTableType {
 
   // A table that references data stored in Cloud Storage.
   BIG_QUERY_TABLE_TYPE_EXTERNAL_BIG_LAKE = 2;
+
+  // A snapshot of a BigQuery table.
+  BIG_QUERY_TABLE_TYPE_SNAPSHOT = 3;
 }
 
 // How frequently data profiles can be updated. New options can be added at a
@@ -5144,6 +5161,9 @@ message DiscoveryConfig {
   // Only set when the parent is an org.
   OrgConfig org_config = 2;
 
+  // Must be set only when scanning other clouds.
+  OtherCloudDiscoveryStartingLocation other_cloud_starting_location = 12;
+
   // Detection logic for profile generation.
   //
   // Not all template features are used by Discovery. FindingLimits,
@@ -5210,6 +5230,10 @@ message DiscoveryTarget {
     // Cloud Storage target for Discovery. The first target to match a table
     // will be the one applied.
     CloudStorageDiscoveryTarget cloud_storage_target = 4;
+
+    // Other clouds target for discovery. The first target to match a resource
+    // will be the one applied.
+    OtherCloudDiscoveryTarget other_cloud_target = 5;
   }
 }
 
@@ -5821,6 +5845,208 @@ message DiscoveryFileStoreConditions {
   }
 }
 
+// Target used to match against for discovery of resources from other clouds.
+// An [AWS connector in Security Command Center
+// (Enterprise](https://cloud.google.com/security-command-center/docs/connect-scc-to-aws)
+// is required to use this feature.
+message OtherCloudDiscoveryTarget {
+  // Required. The type of data profiles generated by this discovery target.
+  // Supported values are:
+  // * aws/s3/bucket
+  DataSourceType data_source_type = 1 [(google.api.field_behavior) = REQUIRED];
+
+  // Required. The resources that the discovery cadence applies to. The
+  // first target with a matching filter will be the one to apply to a resource.
+  DiscoveryOtherCloudFilter filter = 2 [(google.api.field_behavior) = REQUIRED];
+
+  // Optional. In addition to matching the filter, these conditions must be true
+  // before a profile is generated.
+  DiscoveryOtherCloudConditions conditions = 3
+      [(google.api.field_behavior) = OPTIONAL];
+
+  // Type of cadence.
+  oneof cadence {
+    // How often and when to update data profiles. New resources that match both
+    // the filter and conditions are scanned as quickly as possible depending on
+    // system capacity.
+    DiscoveryOtherCloudGenerationCadence generation_cadence = 4;
+
+    // Disable profiling for resources that match this filter.
+    Disabled disabled = 5;
+  }
+}
+
+// Determines which resources from the other cloud will have profiles generated.
+// Includes the ability to filter by resource names.
+message DiscoveryOtherCloudFilter {
+  // Whether the filter applies to a specific set of resources or all
+  // other resources. The first filter to match will be applied, regardless of
+  // the condition. Defaults to `others` if none is set.
+  oneof filter {
+    // A collection of resources for this filter to apply to.
+    OtherCloudResourceCollection collection = 1;
+
+    // The resource to scan. Configs using this filter can only have one target
+    // (the target with this single resource reference).
+    OtherCloudSingleResourceReference single_resource = 2;
+
+    // Optional. Catch-all. This should always be the last target in the list
+    // because anything above it will apply first. Should only appear once in a
+    // configuration. If none is specified, a default one will be added
+    // automatically.
+    AllOtherResources others = 100 [(google.api.field_behavior) = OPTIONAL];
+  }
+}
+
+// Match resources using regex filters.
+message OtherCloudResourceCollection {
+  // The first filter containing a pattern that matches a resource will be used.
+  oneof pattern {
+    // A collection of regular expressions to match a resource against.
+    OtherCloudResourceRegexes include_regexes = 1;
+  }
+}
+
+// A collection of regular expressions to determine what resources to match
+// against.
+message OtherCloudResourceRegexes {
+  // A group of regular expression patterns to match against one or more
+  // resources.
+  // Maximum of 100 entries. The sum of all regular expression's length can't
+  // exceed 10 KiB.
+  repeated OtherCloudResourceRegex patterns = 1;
+}
+
+// A pattern to match against one or more resources. At least one pattern must
+// be specified. Regular expressions use RE2
+// [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found
+// under the google/re2 repository on GitHub.
+message OtherCloudResourceRegex {
+  // The type of resource regex to use.
+  oneof resource_regex {
+    // Regex for Amazon S3 buckets.
+    AmazonS3BucketRegex amazon_s3_bucket_regex = 1;
+  }
+}
+
+// AWS account regex.
+message AwsAccountRegex {
+  // Optional. Regex to test the AWS account ID against.
+  // If empty, all accounts match.
+  string account_id_regex = 1 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// Amazon S3 bucket regex.
+message AmazonS3BucketRegex {
+  // The AWS account regex.
+  AwsAccountRegex aws_account_regex = 1;
+
+  // Optional. Regex to test the bucket name against.
+  // If empty, all buckets match.
+  string bucket_name_regex = 2 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// Identifies a single resource, like a single Amazon S3 bucket.
+message OtherCloudSingleResourceReference {
+  // The resource to scan.
+  oneof resource {
+    // Amazon S3 bucket.
+    AmazonS3Bucket amazon_s3_bucket = 1;
+  }
+}
+
+// AWS account.
+message AwsAccount {
+  // Required. AWS account ID.
+  string account_id = 1 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Amazon S3 bucket.
+message AmazonS3Bucket {
+  // The AWS account.
+  AwsAccount aws_account = 1;
+
+  // Required. The bucket name.
+  string bucket_name = 2 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Requirements that must be true before a resource is profiled for the first
+// time.
+message DiscoveryOtherCloudConditions {
+  // Minimum age a resource must be before Cloud DLP can profile it. Value must
+  // be 1 hour or greater.
+  google.protobuf.Duration min_age = 1;
+
+  // The conditions to apply.
+  oneof conditions {
+    // Amazon S3 bucket conditions.
+    AmazonS3BucketConditions amazon_s3_bucket_conditions = 2;
+  }
+}
+
+// Amazon S3 bucket conditions.
+message AmazonS3BucketConditions {
+  // Supported Amazon S3 bucket types.
+  // Defaults to TYPE_ALL_SUPPORTED.
+  enum BucketType {
+    // Unused.
+    TYPE_UNSPECIFIED = 0;
+
+    // All supported classes.
+    TYPE_ALL_SUPPORTED = 1;
+
+    // A general purpose Amazon S3 bucket.
+    TYPE_GENERAL_PURPOSE = 2;
+  }
+
+  // Supported Amazon S3 object storage classes.
+  // Defaults to ALL_SUPPORTED_CLASSES.
+  enum ObjectStorageClass {
+    // Unused.
+    UNSPECIFIED = 0;
+
+    // All supported classes.
+    ALL_SUPPORTED_CLASSES = 1;
+
+    // Standard object class.
+    STANDARD = 2;
+
+    // Standard - infrequent access object class.
+    STANDARD_INFREQUENT_ACCESS = 4;
+
+    // Glacier - instant retrieval object class.
+    GLACIER_INSTANT_RETRIEVAL = 6;
+
+    // Objects in the S3 Intelligent-Tiering access tiers.
+    INTELLIGENT_TIERING = 7;
+  }
+
+  // Optional. Bucket types that should be profiled.
+  // Optional. Defaults to TYPE_ALL_SUPPORTED if unspecified.
+  repeated BucketType bucket_types = 1 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Object classes that should be profiled.
+  // Optional. Defaults to ALL_SUPPORTED_CLASSES if unspecified.
+  repeated ObjectStorageClass object_storage_classes = 2
+      [(google.api.field_behavior) = OPTIONAL];
+}
+
+// How often existing resources should have their profiles refreshed.
+// New resources are scanned as quickly as possible depending on system
+// capacity.
+message DiscoveryOtherCloudGenerationCadence {
+  // Optional. Frequency to update profiles regardless of whether the underlying
+  // resource has changes. Defaults to never.
+  DataProfileUpdateFrequency refresh_frequency = 1
+      [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Governs when to update data profiles when the inspection rules
+  // defined by the `InspectTemplate` change.
+  // If not set, changing the template will not cause a data profile to update.
+  DiscoveryInspectTemplateModifiedCadence inspect_template_modified_cadence = 2
+      [(google.api.field_behavior) = OPTIONAL];
+}
+
 // The location to begin a discovery scan. Denotes an organization ID or folder
 // ID within an organization.
 message DiscoveryStartingLocation {
@@ -5834,6 +6060,31 @@ message DiscoveryStartingLocation {
   }
 }
 
+// The other cloud starting location for discovery.
+message OtherCloudDiscoveryStartingLocation {
+  // The AWS starting location for discovery.
+  message AwsDiscoveryStartingLocation {
+    // The scope of this starting location.
+    oneof scope {
+      // The AWS account ID that this discovery config applies to.
+      // Within an AWS organization, you can find the AWS account ID inside an
+      // AWS account ARN. Example:
+      // arn:{partition}:organizations::{management_account_id}:account/{org_id}/{account_id}
+      string account_id = 2;
+
+      // All AWS assets stored in Asset Inventory that didn't match other AWS
+      // discovery configs.
+      bool all_asset_inventory_assets = 3;
+    }
+  }
+
+  // The other cloud starting location for discovery.
+  oneof location {
+    // The AWS starting location for discovery.
+    AwsDiscoveryStartingLocation aws_location = 1;
+  }
+}
+
 // Match discovery resources not covered by any other filter.
 message AllOtherResources {}
 
@@ -6946,7 +7197,7 @@ message ProjectDataProfile {
   // The resource name of the profile.
   string name = 1;
 
-  // Project ID that was profiled.
+  // Project ID or account that was profiled.
   string project_id = 2;
 
   // The last time the profile was generated.
@@ -7049,13 +7300,14 @@ message TableDataProfile {
   // locations.
   string dataset_location = 29;
 
-  // If the resource is BigQuery, the  dataset ID.
+  // If the resource is BigQuery, the dataset ID.
   string dataset_id = 25;
 
-  // If the resource is BigQuery, the BigQuery table ID.
+  // The table ID.
   string table_id = 26;
 
-  // The resource name of the resource profiled.
+  // The Cloud Asset Inventory resource that was profiled in order to generate
+  // this TableDataProfile.
   // https://cloud.google.com/apis/design/resource_names#full_resource_name
   string full_resource = 3;
 
@@ -7314,15 +7566,15 @@ message ColumnDataProfile {
   // The Google Cloud project ID that owns the profiled resource.
   string dataset_project_id = 19;
 
-  // The BigQuery location where the dataset's data is stored.
+  // If supported, the location where the dataset's data is stored.
   // See https://cloud.google.com/bigquery/docs/locations for supported
-  // locations.
+  // BigQuery locations.
   string dataset_location = 20;
 
-  // The BigQuery dataset ID.
+  // The BigQuery dataset ID, if the resource profiled is a BigQuery table.
   string dataset_id = 21;
 
-  // The BigQuery table ID.
+  // The table ID.
   string table_id = 22;
 
   // The name of the column.
@@ -7364,6 +7616,7 @@ message ColumnDataProfile {
 // The profile for a file store.
 //
 // * Cloud Storage: maps 1:1 with a bucket.
+// * Amazon S3: maps 1:1 with a bucket.
 message FileStoreDataProfile {
   option (google.api.resource) = {
     type: "dlp.googleapis.com/FileStoreDataProfile"
@@ -7396,12 +7649,15 @@ message FileStoreDataProfile {
   string project_data_profile = 3;
 
   // The Google Cloud project ID that owns the resource.
+  // For Amazon S3 buckets, this is the AWS Account Id.
   string project_id = 4;
 
   // The location of the file store.
   //
   // * Cloud Storage:
   // https://cloud.google.com/storage/docs/locations#available-locations
+  // * Amazon S3:
+  // https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints
   string file_store_location = 5;
 
   // For resources that have multiple storage locations, these are those
@@ -7419,10 +7675,14 @@ message FileStoreDataProfile {
   // The file store path.
   //
   // * Cloud Storage: `gs://{bucket}`
+  // * Amazon S3: `s3://{bucket}`
   string file_store_path = 6;
 
   // The resource name of the resource profiled.
   // https://cloud.google.com/apis/design/resource_names#full_resource_name
+  //
+  // Example format of an S3 bucket full resource name:
+  // `//cloudasset.googleapis.com/organizations/{org_id}/otherCloudConnections/aws/arn:aws:s3:::{bucket_name}`
   string full_resource = 24;
 
   // The snapshot of the configurations used to generate the profile.
@@ -7599,6 +7859,7 @@ message ListFileStoreDataProfilesRequest {
   // * A restriction has the form of `{field} {operator} {value}`.
   // * Supported fields/values:
   //     - `project_id` - The Google Cloud project ID.
+  //     - `account_id` - The AWS account ID.
   //     - `file_store_path` - The path like "gs://bucket".
   //     - `data_source_type` - The profile's data source type, like
   //     "google/storage/bucket".
@@ -7995,7 +8256,12 @@ message DeleteTableDataProfileRequest {
 // Message used to identify the type of resource being profiled.
 message DataSourceType {
   // Output only. An identifying string to the type of resource being profiled.
-  // Current values: google/bigquery/table, google/project
+  // Current values:
+  //
+  // * google/bigquery/table
+  // * google/project
+  // * google/sql/table
+  // * google/gcs/bucket
   string data_source = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
 }