A Cloud Data Loss Prevention action is something that occurs after a DLP job completes successfully or, in the case of emails, on error. For example, you can save findings to a BigQuery table, publish a notification to a Pub/Sub topic, or send an email when a job either finishes successfully or stops on error.
When you run a Cloud Data Loss Prevention job, a summary of its findings are saved by
default within Cloud DLP. You can see this summary using
Cloud DLP in the
Google Cloud console or retrieve summary information in
the DLP API using the
Cloud DLP supports different types of actions depending on the type of job being run (inspection or risk analysis scan jobs). Following are the currently supported actions:
- Save findings to BigQuery (inspection and risk jobs): Save the DLP job results to a BigQuery table. Before viewing or analyzing the results, you'll want to first ensure that the job has completed.
- Publish to Pub/Sub (inspection and risk jobs): Publish a notification that contains the name of the DLP job as an attribute to a Pub/Sub channel. You can specify a topic to send the notification message to, as long as it has granted publishing access to Cloud DLP service account running the DLP scan job.
- Publish to Security Command Center (risk jobs): Publishes a summary of the job results to Security Command Center. For more information, see Sending Cloud DLP scan results to Security Command Center.
- Publish to Data Catalog (risk jobs): Sends job results to Data Catalog, Google Cloud's metadata management service.
- Publish to Google Cloud's operations suite (risk jobs): Send inspection results to Cloud Monitoring in Google Cloud's operations suite.
- Notify by email (inspection and risk jobs): Sends an email to project owners and editors when the job completes.
You can specify one or more actions when you configure a Cloud DLP:
- When you create a new inspection or risk analysis job using Cloud DLP in the Google Cloud console, specify actions in the Add actions section of the job creation workflow.
- When you configure a new job request to send to the DLP API,
specify actions in the
For more information and sample code in several languages, see:
- Creating and scheduling inspection jobs
- Computing k-anonymity for a dataset
- Computing l-diversity for a dataset
Example action scenario
You can use Cloud DLP actions to automate processes based on
Cloud DLP scan results. Suppose you have a BigQuery
table shared with an external partner. You want to ensure both that this table
does not contain any sensitive identifiers like US Social Security numbers
and that, if you find any, access is revoked from the partner. Here is a rough
outline of a workflow that would use actions:
- Create a Cloud DLP job trigger to run an inspection scan of the BigQuery table every 24 hours.
- Set the action of these jobs to publish a Pub/Sub notification to the topic "projects/foo/scan_notifications."
- Create a Cloud Function that listens for incoming messages on "projects/foo/scan_notifications." This Cloud Function will receive the name of the DLP job every 24 hours, call Cloud DLP to get summary results from this job, and, if it finds any Social Security numbers, it can change settings in BigQuery or Identity and Access Management (IAM) to restrict access to the table.
- Learn about the actions available with inspection jobs.
- Learn about the actions available with risk analysis jobs.