Properly managing sensitive data that is stored in a storage repository starts with storage classification: identifying where your sensitive data is in the repository, what type of sensitive data it is, and how it's being used. This knowledge can help you properly set access control and sharing permissions, and it can be part of an ongoing monitoring plan.
Sensitive Data Protection can detect and classify sensitive data stored in a Cloud Storage location, Datastore kind, or BigQuery table. When scanning files in Cloud Storage locations, Sensitive Data Protection supports scanning of binary, text, image, Microsoft Word, Microsoft Excel, Microsoft Powerpoint, PDF, and Apache Avro files. Files of types that are unrecognized are scanned as binary files. For more information about supported files types, see Supported file types.
To inspect storage and databases for sensitive data, you specify the location of the data and the type of sensitive data that Sensitive Data Protection should look for. Sensitive Data Protection initiates a job that inspects the data at the given location, and then it makes available details about infoTypes found in the content, likelihood values, and more.
You can set up inspection of storage and databases using Sensitive Data Protection in the Google Cloud console, via the RESTful DLP API, or programmatically using a Sensitive Data Protection client library in one of several languages.
This topic includes:
- Best practices for setting up scans of Google Cloud storage repositories and databases.
- Instructions for setting up an inspection scan using Sensitive Data Protection in the Google Cloud console, and (optionally) for scheduling periodic repeating inspection scans.
- JSON and code samples for each Google Cloud storage repository type: (Cloud Storage, Firestore in Datastore mode (Datastore), and BigQuery).
- A detailed overview of the configuration options for scan jobs.
- Instructions for how to retrieve scan results and how to manage the scan jobs that are created from each successful request.
Best practices
Identify and prioritize scanning
It's important to first evaluate your assets and specify which have the highest priority for scanning. When just getting started you may have a large backlog of data that needs classification, and it will be impossible to scan it all immediately. Choose data initially that poses the highest potential risk—for example, data that is frequently accessed, widely accessible, or unknown.
Ensure that Sensitive Data Protection can access your data
Sensitive Data Protection must be able to access data to be scanned. Be sure that the Sensitive Data Protection service account is permitted to read your resources.
Limit the scope of your first scans
For best results, limit the scope of your first jobs instead of scanning all of
your data. Start with one table, one bucket, or a few files and use
sampling. By limiting the scope of your
first scans, you can better
determine what detectors to enable and what exclusion
rules might be needed to
reduce false positives so that your findings will be more meaningful. Avoid
turning on all infoTypes if you don't need them all, as false positives or
unusable findings may make it harder to assess your risk. While useful in
certain scenarios, infoTypes such as DATE
, TIME
, DOMAIN_NAME
, and URL
match on a broad range of findings and may not be useful to turn on for large
data scans.
When sampling a structured file—such as a CSV, TSV, or Avro file—make sure that the sample size is big enough to cover the file's full header and a row of data. For more information, see Scanning structured files in structured parsing mode.
Schedule your scans
Use Sensitive Data Protection job triggers to automatically run scans and generate findings daily, weekly, or quarterly. These scans can also be configured to only inspect data that has changed since the last scan, which can save time and reduce costs. Running scans on a regular basis can help you identify trends or anomalies in your scan results.
Job latency
There are no service level objectives (SLO) guaranteed for jobs and job triggers. Latency is affected by several factors, including the amount of data to scan, the storage repository being scanned, the type and number of infoTypes you are scanning for, the region where the job is processed, and the computing resources available in that region. Therefore, the latency of inspection jobs can't be determined in advance.
To help reduce job latency, you can try the following:
- If sampling is available for your job or job trigger, enable it.
Avoid enabling infoTypes that you don't need. Although the following are useful in certain scenarios, these infoTypes can make requests run much more slowly than requests that don't include them:
PERSON_NAME
FEMALE_NAME
MALE_NAME
FIRST_NAME
LAST_NAME
DATE_OF_BIRTH
LOCATION
STREET_ADDRESS
ORGANIZATION_NAME
Always specify infoTypes explicitly. Do not use an empty infoTypes list.
If possible, use a different processing region.
If you're still having latency issues with jobs after trying these techniques,
consider using
content.inspect
or
content.deidentify
requests instead of jobs. These methods are covered under the Service Level
Agreement. For more information, see Sensitive Data Protection Service Level
Agreement.
Before you begin
The instructions provided in this topic assume the following:
You have enabled billing.
You have enabled Sensitive Data Protection.
Storage classification requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
. For more information, see
Authenticating to the DLP API.
Inspect a Cloud Storage location
You can set up a Sensitive Data Protection inspection of a Cloud Storage location using the Google Cloud console, the DLP API via REST or RPC requests, or programmatically in several languages using a client library. For information about the parameters included with the following JSON and code samples, see "Configure storage inspection," later in this topic.
Sensitive Data Protection relies on file extensions and media (MIME) types to identify the types
of the files to be scanned and the scanning modes to
apply. For example, Sensitive Data Protection scans a .txt
file in
plain text mode, even if the file is structured as a CSV file, which is normally
scanned in structured parsing mode.
To set up a scan job of a Cloud Storage bucket using Sensitive Data Protection:
Console
This section describes how to inspect a Cloud Storage bucket or folder. If you also want Sensitive Data Protection to create a de-identified copy of your data, see De-identify sensitive data stored in Cloud Storage using the Google Cloud console.
In the Sensitive Data Protection section of the Google Cloud console, go to the Create job or job trigger page.
Enter the Sensitive Data Protection job information and click Continue to complete each step:
For Step 1: Choose input data, name the job by entering a value in the Name field. In Location, choose Cloud Storage from the Storage type menu, and then enter the location of the data to scan. The Sampling section is pre-configured to run a sample scan against your data. You can adjust the Percentage of objects scanned within bucket field to save resources if you have a large amount of data. For more details, see Choose input data.
(Optional) For Step 2: Configure detection, you can configure what types of data to look for, called "infoTypes." You can select from the list of pre-defined infoTypes, or you can select a template if one exists. For more details, see Configure detection.
(Optional) For Step 3: Add actions, make sure Notify by email is enabled.
Enable Save to BigQuery to publish your Sensitive Data Protection findings to a BigQuery table. Provide the following:
- For Project ID, enter the project ID where your results are stored.
- For Dataset ID, enter the name of the dataset that stores your results.
- (Optional) For Table ID, enter the name of the table that stores
your results. If no table ID is specified, a default name is assigned
to a new table similar to the following:
dlp_googleapis_[DATE]_1234567890
, where[DATE]
represents the date the scan is run. If you specify an existing table, findings are appended to it. - (Optional) Enable Include Quote to include the strings that match an infoType detector. Quotes are potentially sensitive, so by default, Sensitive Data Protection doesn't include them in findings.
When data is written to a BigQuery table, the billing and quota usage are applied to the project that contains the destination table.
If you want to create a de-identified copy of your data, enable Make a de-identified copy. For more information, see De-identify sensitive data stored in Cloud Storage using the Google Cloud console.
You can also save results to Pub/Sub, Security Command Center, Data Catalog, and Cloud Monitoring. For more details, see Add actions.
(Optional) For Step 4: Schedule, to run the scan one time only, leave the menu set to None. To schedule scans to run periodically, click Create a trigger to run the job on a periodic schedule. For more details, see Schedule.
Click Create.
After the Sensitive Data Protection job completes, you are redirected to the job details page and notified via email. You can view the results of the inspection on the job details page.
(Optional) If you chose to publish Sensitive Data Protection findings to BigQuery, on the Job details page, click View Findings in BigQuery to open the table in the BigQuery web UI. You can then query the table and analyze your findings. For more information on querying your results in BigQuery, see Querying Sensitive Data Protection findings in BigQuery.
Protocol
Following is sample JSON that can be sent in a POST request to the specified Sensitive Data Protection REST endpoint. This example JSON demonstrates how to use the DLP API to inspect Cloud Storage buckets. For information about the parameters included with the request, see "Configure storage inspection," later in this topic.
You can quickly try this out in the APIs Explorer on the reference page for
content.inspect
:
Keep in mind that a successful request, even in APIs Explorer, will create a new scan job. For information about how to control scan jobs, see "Retrieve inspection results," later in this topic. For general information about using JSON to send requests to the DLP API, see the JSON quickstart.
JSON input:
POST https://dlp.googleapis.com/v2/projects/[PROJECT-ID]/dlpJobs?key={YOUR_API_KEY}
{
"inspectJob":{
"storageConfig":{
"cloudStorageOptions":{
"fileSet":{
"url":"gs://[BUCKET-NAME]/*"
},
"bytesLimitPerFile":"1073741824"
},
"timespanConfig":{
"startTime":"2017-11-13T12:34:29.965633345Z",
"endTime":"2018-01-05T04:45:04.240912125Z"
}
},
"inspectConfig":{
"infoTypes":[
{
"name":"PHONE_NUMBER"
}
],
"excludeInfoTypes":false,
"includeQuote":true,
"minLikelihood":"LIKELY"
},
"actions":[
{
"saveFindings":{
"outputConfig":{
"table":{
"projectId":"[PROJECT-ID]",
"datasetId":"[DATASET-ID]"
}
}
}
}
]
}
}
JSON output:
{
"name":"projects/[PROJECT-ID]/dlpJobs/[JOB-ID]",
"type":"INSPECT_JOB",
"state":"PENDING",
"inspectDetails":{
"requestedOptions":{
"snapshotInspectTemplate":{
},
"jobConfig":{
"storageConfig":{
"cloudStorageOptions":{
"fileSet":{
"url":"gs://[BUCKET-NAME]/*"
},
"bytesLimitPerFile":"1073741824"
},
"timespanConfig":{
"startTime":"2017-11-13T12:34:29.965633345Z",
"endTime":"2018-01-05T04:45:04.240912125Z"
}
},
"inspectConfig":{
"infoTypes":[
{
"name":"PHONE_NUMBER"
}
],
"minLikelihood":"LIKELY",
"limits":{
},
"includeQuote":true
},
"actions":[
{
"saveFindings":{
"outputConfig":{
"table":{
"projectId":"[PROJECT-ID]",
"datasetId":"[DATASET-ID]",
"tableId":"[NEW-TABLE-ID]"
}
}
}
}
]
}
}
},
"createTime":"2018-11-07T18:01:14.225Z"
}
Java
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Node.js
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Go
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
PHP
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
C#
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Inspect a Datastore kind
You can set up an inspection of a Datastore kind using the Google Cloud console, the DLP API via REST or RPC requests, or programmatically in several languages using a client library.
To set up a scan job of a Datastore kind using Sensitive Data Protection:
Console
To set up a scan job of a Datastore kind using Sensitive Data Protection:
In the Sensitive Data Protection section of the Google Cloud console, go to the Create job or job trigger page.
Enter the Sensitive Data Protection job information and click Continue to complete each step:
For Step 1: Choose input data, enter the identifiers for the project, namespace (optional), and kind that you want to scan. For more details, see Choose input data.
(Optional) For Step 2: Configure detection, you can configure what types of data to look for, called "infoTypes." You can select from the list of pre-defined infoTypes, or you can select a template if one exists. For more details, see Configure detection.
(Optional) For Step 3: Add actions, make sure Notify by email is enabled.
Enable Save to BigQuery to publish your Sensitive Data Protection findings to a BigQuery table. Provide the following:
- For Project ID, enter the project ID where your results are stored.
- For Dataset ID, enter the name of the dataset that stores your results.
- (Optional) For Table ID, enter the name of the table that stores
your results. If no table ID is specified, a default name is assigned
to a new table similar to the following:
dlp_googleapis_[DATE]_1234567890
. If you specify an existing table, findings are appended to it.
When data is written to a BigQuery table, the billing and quota usage are applied to the project that contains the destination table.
For more information about the other actions listed, see Add actions.
(Optional) For Step 4: Schedule, configure a time span or schedule by selecting either Specify time span or Create a trigger to run the job on a periodic schedule. For more information, see Schedule.
Click Create.
After the Sensitive Data Protection job completes, you are redirected to the job details page and notified via email. You can view the results of the inspection on the job details page.
(Optional) If you chose to publish Sensitive Data Protection findings to BigQuery, on the Job details page, click View Findings in BigQuery to open the table in the BigQuery web UI. You can then query the table and analyze your findings. For more information on querying your results in BigQuery, see Querying Sensitive Data Protection findings in BigQuery.
Protocol
Following is sample JSON that can be sent in a POST request to the specified DLP API REST endpoint. This example JSON demonstrates how to use the DLP API to inspect Datastore kinds. For information about the parameters included with the request, see "Configure storage inspection," later in this topic.
You can quickly try this out in the APIs Explorer on the reference page for
dlpJobs.create
:
Keep in mind that a successful request, even in APIs Explorer, will create a new scan job. For information about how to control scan jobs, see Retrieve inspection results, later in this topic. For general information about using JSON to send requests to the DLP API, see the JSON quickstart.
JSON input:
POST https://dlp.googleapis.com/v2/projects/[PROJECT-ID]/dlpJobs?key={YOUR_API_KEY}
{
"inspectJob":{
"storageConfig":{
"datastoreOptions":{
"kind":{
"name":"Example-Kind"
},
"partitionId":{
"namespaceId":"[NAMESPACE-ID]",
"projectId":"[PROJECT-ID]"
}
}
},
"inspectConfig":{
"infoTypes":[
{
"name":"PHONE_NUMBER"
}
],
"excludeInfoTypes":false,
"includeQuote":true,
"minLikelihood":"LIKELY"
},
"actions":[
{
"saveFindings":{
"outputConfig":{
"table":{
"projectId":"[PROJECT-ID]",
"datasetId":"[BIGQUERY-DATASET-NAME]",
"tableId":"[BIGQUERY-TABLE-NAME]"
}
}
}
}
]
}
}
Java
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Node.js
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Go
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
PHP
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
C#
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Inspect a BigQuery table
You can set up an inspection of a BigQuery table using Sensitive Data Protection via REST requests, or programmatically in several languages using a client library.
To set up a scan job of a BigQuery table using Sensitive Data Protection:
Console
To set up a scan job of a BigQuery table using Sensitive Data Protection:
In the Sensitive Data Protection section of the Google Cloud console, go to the Create job or job trigger page.
Enter the Sensitive Data Protection job information and click Continue to complete each step:
For Step 1: Choose input data, name the job by entering a value in the Name field. In Location, choose BigQuery from the Storage type menu, and then enter the information for the table to scan.
The Sampling section is pre-configured to run a sample scan against your data. You can adjust the Limit rows by and Maximum number of rows fields to save resources if you have a large amount of data. For more details, see Choose input data.
(Optional) If you want to be able to link each finding to the row that contains it, set the Identifying fields field.
Enter the names of the columns that uniquely identify each row within the table. If necessary, use dot notation to specify nested fields. You can add as many fields as you want.
You must also turn on the Save to BigQuery action to export the findings to BigQuery. When the findings are exported to BigQuery, each finding contains the respective values of the identifying fields. For more information, see
identifyingFields
.(Optional) For Step 2: Configure detection, you can configure what types of data to look for, called "infoTypes." You can select from the list of pre-defined infoTypes, or you can select a template if one exists. For more details, see Configure detection.
(Optional) For Step 3: Add actions, make sure Notify by email is enabled.
Enable Save to BigQuery to publish your Sensitive Data Protection findings to a BigQuery table. Provide the following:
- For Project ID, enter the project ID where your results are stored.
- For Dataset ID, enter the name of the dataset that stores your results.
- (Optional) For Table ID, enter the name of the table that stores
your results. If no table ID is specified, a default name is assigned
to a new table similar to the following:
dlp_googleapis_[DATE]_1234567890
. If you specify an existing table, findings are appended to it.
When data is written to a BigQuery table, the billing and quota usage are applied to the project that contains the destination table.
You can also save results to Pub/Sub, Security Command Center, and Data Catalog. For more details, see Add actions.
(Optional) For Step 4: Schedule, to run the scan one time only, leave the menu set to None. To schedule scans to run periodically, click Create a trigger to run the job on a periodic schedule. For more details, see Schedule.
Click Create.
After the Sensitive Data Protection job completes, you are redirected to the job details page and notified via email. You can view the results of the inspection on the job details page.
(Optional) If you chose to publish Sensitive Data Protection findings to BigQuery, on the Job details page, click View Findings in BigQuery to open the table in the BigQuery web UI. You can then query the table and analyze your findings. For more information on querying your results in BigQuery, see Querying Sensitive Data Protection findings in BigQuery.
Protocol
Following is sample JSON that can be sent in a POST request to the specified DLP API REST endpoint. This example JSON demonstrates how to use the DLP API to inspect BigQuery tables. For information about the parameters included with the request, see "Configure storage inspection," later in this topic.You can quickly try this out in the APIs Explorer on the reference page for
dlpJobs.create
:
Keep in mind that a successful request, even in APIs Explorer, will create a new scan job. For information about how to control scan jobs, see "Retrieve inspection results," later in this topic. For general information about using JSON to send requests to the DLP API, see the JSON quickstart.
JSON input:
POST https://dlp.googleapis.com/v2/projects/[PROJECT-ID]/dlpJobs?key={YOUR_API_KEY}
{
"inspectJob":{
"storageConfig":{
"bigQueryOptions":{
"tableReference":{
"projectId":"[PROJECT-ID]",
"datasetId":"[BIGQUERY-DATASET-NAME]",
"tableId":"[BIGQUERY-TABLE-NAME]"
},
"identifyingFields":[
{
"name":"id"
}
]
},
"timespanConfig":{
"startTime":"2017-11-13T12:34:29.965633345Z ",
"endTime":"2018-01-05T04:45:04.240912125Z "
}
},
"inspectConfig":{
"infoTypes":[
{
"name":"PHONE_NUMBER"
}
],
"excludeInfoTypes":false,
"includeQuote":true,
"minLikelihood":"LIKELY"
},
"actions":[
{
"saveFindings":{
"outputConfig":{
"table":{
"projectId":"[PROJECT-ID]",
"datasetId":"[BIGQUERY-DATASET-NAME]",
"tableId":"[BIGQUERY-TABLE-NAME]"
},
"outputSchema": "BASIC_COLUMNS"
}
}
}
]
}
}
Java
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Node.js
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Go
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
PHP
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
C#
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Configure storage inspection
To inspect a Cloud Storage location, Datastore kind, or
BigQuery table, you send a request to the
projects.dlpJobs.create
method of the DLP API that contains at least the location of
the data to scan and what to scan for. Beyond those required parameters, you can
also specify where to write the scan results, size and likelihood thresholds,
and more. A successful request results in the creation of a
DlpJob
object instance, which is discussed in "Retrieve inspection
results."
The available configuration options are summarized here:
InspectJobConfig
object: Contains the configuration information for the inspection job. Note that theInspectJobConfig
object is also used by theJobTriggers
object for scheduling the creation ofDlpJob
s. This object includes:StorageConfig
object: Required. Contains details about the storage repository to scan:One of the following must be included in the
StorageConfig
object, depending on the type of storage repository being scanned:CloudStorageOptions
object: Contains information about the Cloud Storage bucket to scan.DatastoreOptions
object: Contains information about the Datastore data set to scan.BigQueryOptions
object: Contains information about the BigQuery table (and, optionally, identifying fields) to scan. This object also enables results sampling. For more information, see Enabling results sampling below.TimespanConfig
object: Optional. Specifies the timespan of the items to include in the scan.
InspectConfig
object: Required. Specifies what to scan for, such as infoTypes and likelihood values.InfoType
objects: Required. One or more infoType values to scan for.Likelihood
enumeration: Optional. When set, Sensitive Data Protection will only return findings equal to or above this likelihood threshold. If this enum is omitted, the default value isPOSSIBLE
.FindingLimits
object: Optional. When set, this object enables you to specify a limit for the number of findings returned.includeQuote
parameter: Optional. Defaults tofalse
. When set totrue
, each finding will include a contextual quote from the data that triggered it.excludeInfoTypes
parameter: Optional. Defaults tofalse
. When set totrue
, scan results will exclude type information for the findings.CustomInfoType
objects: One or more custom, user-created infoTypes. For more information about creating custom infoTypes, see Creating custom infoType detectors.
inspectTemplateName
string: Optional. Specifies a template to use to populate default values in theInspectConfig
object. If you've already specifiedInspectConfig
, template values will be merged in.Action
objects: Optional. One or more actions to execute at the completion of the job. Each action is executed in the order in which they're listed. This is where you specify where to write results, or whether to publish a notification to a Pub/Sub topic.
jobId
: Optional. An identifier for the job returned by Sensitive Data Protection. IfjobId
is omitted or empty, the system creates an ID for the job. If specified, the job is assigned this ID value. The job ID must be unique, and can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the following regular expression:[a-zA-Z\\d-]+
.
Limit the amount of content inspected
If you are scanning BigQuery tables or Cloud Storage buckets, Sensitive Data Protection includes a way to scan a subset of the dataset. This has the effect of providing a sampling of scan results without incurring the potential costs of scanning an entire dataset.
The following sections contain information about limiting the size of both Cloud Storage scans and BigQuery scans.
Limit Cloud Storage scans
You can enable sampling in Cloud Storage by limiting the amount of
data that is scanned. You can instruct the DLP API to scan
only files under a certain size, only certain file types, and only a certain
percentage of the total number of files in the input file set. To do so, specify
the following optional fields within
CloudStorageOptions
:
bytesLimitPerFile
: Sets the maximum number of bytes to scan from a file. If a scanned file's size is larger than this value, the rest of the bytes are omitted. Setting this field has no effect on certain file types. For more information, see Limits on bytes scanned per file.fileTypes[]
: Lists theFileTypes
to include in the scan. This can be set to one or more of the following enumerated types.filesLimitPercent
: Limits the number of files to scan to the specified percentage of the inputFileSet
. Specifying either0
or100
here indicates there is no limit.sampleMethod
: How to sample bytes if not all bytes are scanned. Specifying this value is meaningful only when used in conjunction withbytesLimitPerFile
. If not specified, scanning starts from the top. This field can be set to one of two values:TOP
: Scanning starts from the top.RANDOM_START
: For each file larger than the size specified inbytesLimitPerFile
, randomly pick the offset to start scanning. The scanned bytes are contiguous.
The following examples demonstrate using the DLP API to scan a 90% subset of a Cloud Storage bucket for person names. The scan starts from a random location in the dataset, and only includes text files under 200 bytes.
C#
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Go
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Node.js
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
PHP
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
REST
JSON input:
POST https://dlp.googleapis.com/v2/projects/[PROJECT-ID]/dlpJobs?key={YOUR_API_KEY}
{
"inspectJob":{
"storageConfig":{
"cloudStorageOptions":{
"fileSet":{
"url":"gs://[BUCKET-NAME]/*"
},
"bytesLimitPerFile":"200",
"fileTypes":[
"TEXT_FILE"
],
"filesLimitPercent":90,
"sampleMethod":"RANDOM_START"
}
},
"inspectConfig":{
"infoTypes":[
{
"name":"PERSON_NAME"
}
],
"excludeInfoTypes":true,
"includeQuote":true,
"minLikelihood":"POSSIBLE"
},
"actions":[
{
"saveFindings":{
"outputConfig":{
"table":{
"projectId":"[PROJECT-ID]",
"datasetId":"testingdlp"
},
"outputSchema":"BASIC_COLUMNS"
}
}
}
]
}
}
After sending the JSON input in a POST request to the specified endpoint, a Sensitive Data Protection job is created, and the API sends the following response.
JSON output:
{
"name":"projects/[PROJECT-ID]/dlpJobs/[JOB-ID]",
"type":"INSPECT_JOB",
"state":"PENDING",
"inspectDetails":{
"requestedOptions":{
"snapshotInspectTemplate":{
},
"jobConfig":{
"storageConfig":{
"cloudStorageOptions":{
"fileSet":{
"url":"gs://[BUCKET_NAME]/*"
},
"bytesLimitPerFile":"200",
"fileTypes":[
"TEXT_FILE"
],
"sampleMethod":"TOP",
"filesLimitPercent":90
}
},
"inspectConfig":{
"infoTypes":[
{
"name":"PERSON_NAME"
}
],
"minLikelihood":"POSSIBLE",
"limits":{
},
"includeQuote":true,
"excludeInfoTypes":true
},
"actions":[
{
"saveFindings":{
"outputConfig":{
"table":{
"projectId":"[PROJECT-ID]",
"datasetId":"[DATASET-ID]",
"tableId":"[TABLE-ID]"
},
"outputSchema":"BASIC_COLUMNS"
}
}
}
]
}
}
},
"createTime":"2018-05-30T22:22:08.279Z"
}
Limit BigQuery scans
To enable sampling in BigQuery by limiting the amount of
data that is scanned, specify the following optional fields within
BigQueryOptions
:
rowsLimit
: The maximum number of rows to scan. If the table has more rows than this value, the rest of the rows are omitted. If not set, or if set to 0, all rows will be scanned.rowsLimitPercent
: The maximum percentage of rows to scan (between 0 and 100). The remaining rows are omitted. Setting this value to either 0 or 100 means no limit. It defaults to 0. Only one ofrowsLimit
androwsLimitPercent
can be specified.sampleMethod
: How to sample rows if not all rows are scanned. If not specified, scanning starts from the top. This field can be set to one of two values:TOP
: Scanning starts from the top.RANDOM_START
: Scanning starts from a randomly selected row.
excludedFields
: Table fields that uniquely identify columns to exclude from being read. This can help reduce the amount of data scanned and bring down the overall cost of an inspection job.includedFields
: Table fields that uniquely identify specific rows within the table to scan.
Another feature that is useful for limiting the data being scanned, particularly
when scanning partitioned tables, is
TimespanConfig
.
TimespanConfig
allows you to filter out BigQuery table rows by
providing start and end time values to define a timespan. Sensitive Data Protection
then only scans rows that contain a timestamp within that timespan.
The following examples demonstrate using the DLP API to scan a 1000-row subset of a BigQuery table. The scan starts from a random row.
Go
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Node.js
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
PHP
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
C#
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries.
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
REST
JSON input:
POST https://dlp.googleapis.com/v2/projects/[PROJECT-ID]/dlpJobs?key={YOUR_API_KEY}
{
"inspectJob":{
"storageConfig":{
"bigQueryOptions":{
"tableReference":{
"projectId":"bigquery-public-data",
"datasetId":"usa_names",
"tableId":"usa_1910_current"
},
"rowsLimit":"1000",
"sampleMethod":"RANDOM_START",
"includedFields":[
{
"name":"name"
}
]
}
},
"inspectConfig":{
"infoTypes":[
{
"name":"FIRST_NAME"
}
],
"includeQuote":true
},
"actions":[
{
"saveFindings":{
"outputConfig":{
"table":{
"projectId":"[PROJECT-ID]",
"datasetId":"testingdlp",
"tableId":"bqsample3"
},
"outputSchema":"BASIC_COLUMNS"
}
}
}
]
}
}
After sending the JSON input in a POST request to the specified endpoint, a Sensitive Data Protection job is created, and the API sends the following response.
JSON output:
{
"name": "projects/[PROJECT-ID]/dlpJobs/[JOB-ID]",
"type": "INSPECT_JOB",
"state": "PENDING",
"inspectDetails": {
"requestedOptions": {
"snapshotInspectTemplate": {},
"jobConfig": {
"storageConfig": {
"bigQueryOptions": {
"tableReference": {
"projectId": "bigquery-public-data",
"datasetId": "usa_names",
"tableId": "usa_1910_current"
},
"rowsLimit": "1000",
"sampleMethod": "RANDOM_START",
"includedFields": [
{
"name": "name"
}
]
}
},
"inspectConfig": {
"infoTypes": [
{
"name": "FIRST_NAME"
}
],
"limits": {},
"includeQuote": true
},
"actions": [
{
"saveFindings": {
"outputConfig": {
"table": {
"projectId": "[PROJECT-ID]",
"datasetId": "[DATASET-ID]",
"tableId": "bqsample"
},
"outputSchema": "BASIC_COLUMNS"
}
}
}
]
}
},
"result": {}
},
"createTime": "2022-11-04T18:53:48.350Z"
}
When the inspect job finishes running and its results have been processed by BigQuery, the results of the scan are available in the specified BigQuery output table. For more information about retrieving inspection results, see the next section.
Retrieve inspection results
You can retrieve a summary of a
DlpJob
using the
projects.dlpJobs.get
method. The returned DlpJob
includes its
InspectDataSourceDetails
object, which contains both a summary of the job's configuration
(RequestedOptions
)
and a summary of the outcome of the job
(Result
).
The outcome summary includes:
processedBytes
: The total size in bytes that have been processed.totalEstimatedBytes
: Estimate of the number of bytes remaining to process.InfoTypeStatistics
object: Statistics of how many instances of each infoType were found during the inspection job.
For complete inspection job results, you have several options. Depending on the
Action
you've chosen, inspection jobs are:
- Saved to BigQuery (the
SaveFindings
object) in the table specified. Before viewing or analyzing the results, first ensure that the job has completed by using theprojects.dlpJobs.get
method, which is described below. Note that you can specify a schema for storing findings using theOutputSchema
object. - Published to a Pub/Sub topic (the
PublishToPubSub
object). The topic must have given publishing access rights to Sensitive Data Protection service account that runs theDlpJob
sending the notifications. - Published to Security Command Center.
- Published to Data Catalog.
- Published to Cloud Monitoring.
To help sift through large amounts of data generated by Sensitive Data Protection, you can use built-in BigQuery tools to run rich SQL analytics or tools such as Looker Studio to generate reports. For more information, see Analyzing and reporting on Sensitive Data Protection findings. For some sample queries, see Querying findings in BigQuery.
Sending a storage repository inspection request to Sensitive Data Protection
creates and runs a
DlpJob
object instance in response. These jobs can take seconds, minutes, or hours to
run depending on the size of your data and the configuration that you have
specified. Choosing to publish to a Pub/Sub topic (by specifying
PublishToPubSub
in Action
)
automatically sends notifications to the topic with the specified name when the
job's status changes. The name of the Pub/Sub topic is specified
in the form projects/[PROJECT-ID]/topics/[PUBSUB-TOPIC-NAME]
.
You have full control over the jobs you create, including the following management methods:
projects.dlpJobs.cancel
method: Stops a job that is currently in progress. The server makes a best effort to cancel the job, but success is not guaranteed. The job and its configuration will remain until you delete it (with .projects.dlpJobs.delete
method: Deletes a job and its configuration.projects.dlpJobs.get
method: Retrieves a single job and returns its status, its configuration, and, if the job is done, summary results.projects.dlpJobs.list
method: Retrieves a list of all jobs, and includes the ability to filter results.
Next steps
- Learn more about creating storage inspection jobs, see Creating and scheduling Sensitive Data Protection inspection jobs.
- Learn more about creating a de-identified copy of data in storage.
- Learn more about supported file types when inspecting Cloud Storage buckets, see Supported file types.