In Cloud Data Loss Prevention (DLP), an action is something that occurs after a DLP job completes successfully. Cloud DLP supports two types of actions:

  • Saving the DLP scan job results to BigQuery: You can specify a table in which your DLP scan results are saved. Before viewing or analyzing the results, first ensure that the job has completed.
  • Publishing a notification about the DLP scan job to a Pub/Sub channel: You can specify a channel to send the notification message to, as long as that channel has granted publishing access to the Cloud DLP service account running the DLP scan job. The notification message includes the name of the DLP scan job as an attribute.

Example action scenario

You can use Cloud DLP actions to automate processes based on Cloud DLP scan results. Suppose you have a BigQuery table shared with an external partner. You want to ensure that (1) this table does not contain any sensitive identifiers like Social Security numbers (the infoType US_SOCIAL_SECURITY_NUMBER), and that, (2) if you find any, access is revoked from this partner. Here is a rough outline of a workflow that would use actions:

  1. Create a Cloud DLP job trigger to run an inspection scan of the BigQuery table every 24 hours.
  2. Set the action of these jobs to publish a Pub/Sub notification to the topic “projects/foo/scan_notifications”.
  3. Create a Cloud Function that listens for incoming messages on “projects/foo/scan_notifications”. This Cloud Function receives the name of the DLP job every 24 hours, calls Cloud DLP to get the summary results of that job, and, if it finds any Social Security numbers, can change settings in BigQuery or Identity and Access Management (IAM) to restrict access to the table.
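The following is an added example of the Cloud Function from step 3, not code from the page or from Google's documentation. It assumes the notification's job name arrives in a Pub/Sub message attribute named `DlpJobName`, that the partner is granted table access as the constructed IAM member `group:partner@example.com`, and that the function uses the Python `(event, context)` Pub/Sub-trigger signature; the decision logic is kept in plain functions so it can be checked without cloud credentials.

```python
# Assumptions (not from the page): the DLP Pub/Sub action carries the job name
# in the "DlpJobName" message attribute, the partner holds access as the
# constructed IAM member below, and this is a Python Pub/Sub-triggered function.
JOB_NAME_ATTRIBUTE = "DlpJobName"
SENSITIVE_INFO_TYPES = {"US_SOCIAL_SECURITY_NUMBER"}
PARTNER_MEMBER = "group:partner@example.com"  # constructed for this example

def job_name_from_event(event: dict) -> str:
    """Extract the DLP job name attribute from a Pub/Sub-triggered event."""
    name = (event.get("attributes") or {}).get(JOB_NAME_ATTRIBUTE)
    if not name:
        raise ValueError(f"message lacks the {JOB_NAME_ATTRIBUTE} attribute")
    return name

def sensitive_findings(info_type_stats) -> dict:
    """Reduce job.inspect_details.result.info_type_stats (objects with
    .info_type.name and .count) to {infoType: count} for sensitive types only."""
    return {s.info_type.name: s.count for s in info_type_stats
            if s.info_type.name in SENSITIVE_INFO_TYPES and s.count > 0}

def bindings_without_member(bindings, member) -> list:
    """Copy IAM bindings with `member` removed from every role; drop empty roles."""
    kept = []
    for binding in bindings:
        members = [m for m in binding["members"] if m != member]
        if members:
            kept.append({"role": binding["role"], "members": members})
    return kept

def handler(event, context):
    """Entry point. Cloud clients are imported here so the decision logic
    above stays importable and testable without them."""
    from google.cloud import bigquery, dlp_v2
    job_name = job_name_from_event(event)
    job = dlp_v2.DlpServiceClient().get_dlp_job(request={"name": job_name})
    if job.state != dlp_v2.DlpJob.JobState.DONE:
        return f"{job_name} is {job.state.name}; no action taken"
    found = sensitive_findings(job.inspect_details.result.info_type_stats)
    if not found:
        return f"{job_name}: no sensitive identifiers found"
    # Revoke the partner's access to the table the job scanned (read from the job).
    ref = job.inspect_details.requested_options.job_config.storage_config \
        .big_query_options.table_reference
    table_id = f"{ref.project_id}.{ref.dataset_id}.{ref.table_id}"
    client = bigquery.Client()
    policy = client.get_iam_policy(table_id)
    policy.bindings[:] = bindings_without_member(policy.bindings, PARTNER_MEMBER)
    client.set_iam_policy(table_id, policy)
    return f"{job_name}: found {found}; revoked {PARTNER_MEMBER} on {table_id}"
```

Revoking only the partner's member keeps every other principal's access on the table intact, which is what a reader of the revocation step would want to verify before deploying.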