Configure Google Workspace for AppFabric
Google Workspace is a collection of cloud computing, productivity and collaboration tools, software and products developed and marketed by Google.
You can use AWS AppFabric for security to audit logs and user data from Google Workspace, normalize the data into Open Cybersecurity Schema Framework (OCSF) format, and output the data to an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon Data Firehose stream.
AppFabric support for Google Workspace
AppFabric supports receiving user information and audit logs from Google Workspace.
Prerequisites
To use AppFabric to transfer audit logs from Google Workspace to supported destinations, you must meet the following requirements:
- You must subscribe to the Google Workspace Enterprise Standard plan. For more information about creating or upgrading to the Google Workspace Enterprise Standard plan, see the Google Workspace Plans website.
- You must have a user with the Administrator role in your Google Workspace.
- For AppFabric to deliver logs, you need to enable the Google Admin SDK API on your Google Cloud project. For more information, see Enable Google Workspace APIs in the Google Workspace Developer Guide.
Rate limit considerations
Google Workspace imposes rate limits on the Google Workspace API. For more information about Google Workspace API rate limits, see Limits and Quotas.
Data delay considerations
You might see up to a 30-minute delay for most audit events, and up to a 4-hour delay for certain audit events, before they are delivered to your destination. This is due to delays in the application making audit events available, as well as precautions taken to reduce data loss. For more information, see Data retention and lag times.
Connecting AppFabric to your Google Workspace account
After you create your app bundle within the AppFabric service, you must authorize AppFabric with Google Workspace. To find the information required to authorize Google Workspace with AppFabric, use the following steps.
Create an OAuth application
AppFabric integrates with Google Workspace using OAuth. To create an OAuth application in Google Workspace, use the following steps:
- To configure your OAuth consent screen, follow the instructions in Configure the OAuth consent screen in the Google Workspace Developer Guide on the Google Workspace website. Choose Internal for the User type.
- To configure OAuth credentials for AppFabric, follow the instructions in the OAuth client ID credentials section of the Create access credentials page in the Google Workspace Developer Guide.
- Use a redirect URL with the following format.
  https://<region>.console.aws.amazon.com/appfabric/oauth2
  In this URL, <region> is the code for the AWS Region in which you’ve configured your AppFabric app bundle. For example, the code for the US East (N. Virginia) Region is us-east-1. For that Region, the redirect URL is https://us-east-1.console.aws.amazon.com/appfabric/oauth2
Required scopes
You must add the following scopes to your Google Workspace OAuth application:
- https://www.googleapis.com/auth/admin.reports.audit.readonly
- https://www.googleapis.com/auth/admin.directory.user
If you don't see these scopes, add the Admin SDK API to your Google Cloud API library.
App authorizations
Tenant ID
AppFabric will request your tenant ID. The tenant ID in AppFabric is your Google Workspace project ID. To find your project ID, see Locate the project ID.
Tenant name
Enter a name that identifies this unique Google Workspace. AppFabric uses the tenant name to label the app authorizations and any ingestions created from the app authorization.
Client ID
AppFabric will request your client ID. To find your client ID, use the following steps:
- Find your client ID using the information in the View Credentials section of the Manage Credentials page in the Google Workspace Developer Guide.
- Enter the client ID for your OAuth client into the Client ID field in AppFabric.
Client secret
AppFabric will request your client secret. To find your client secret, use the following steps:
- Find your client secret using the information in the View Credentials section of the Manage Credentials page on the Google Workspace Developer Guide.
- If you need to reset your client secret, use the instructions in the Reset Client Secret section of the Manage Credentials page on the Google Workspace Developer Guide.
- Enter your client secret into the Client secret field in AppFabric.
Approve authorization
After creating the app authorization in AppFabric, you will receive a pop-up window from Google Workspace to approve the authorization. To approve the AppFabric authorization, choose Allow.
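A pre-flight check for the OAuth client before you create the app authorization, given as an added example that is not part of the AppFabric or Google documentation. It assumes the client file downloaded from the Google Cloud console stores a web application client under a top-level "web" key; the function names, the consent_scopes parameter and the sample values are hypothetical.

```python
import json
import re

# Scopes listed under "Required scopes" on this page.
REQUIRED_SCOPES = {
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
}
# Shape check only (for example us-east-1); it does not prove the Region exists.
REGION_RE = re.compile(r"[a-z]{2}(-[a-z]+)+-\d+")

def redirect_url(region):
    """Build the AppFabric redirect URL for an AWS Region code."""
    if not REGION_RE.fullmatch(region):
        raise ValueError(f"not a Region code: {region!r}")
    return f"https://{region}.console.aws.amazon.com/appfabric/oauth2"

def preflight(client_json, region, consent_scopes):
    """Return (appfabric_fields, problems) for a Google OAuth client file."""
    client = json.loads(client_json).get("web")  # assumed file layout
    if client is None:
        return {}, ["no 'web' client found in the credentials file"]
    expected = redirect_url(region)
    uris = set(client.get("redirect_uris", []))
    problems = []
    if expected not in uris:
        problems.append(f"missing redirect URI {expected}")
    # Any other registered URI widens where authorization codes can be sent.
    problems += [f"unexpected redirect URI {u}" for u in sorted(uris - {expected})]
    missing = REQUIRED_SCOPES - set(consent_scopes)
    problems += [f"missing scope {s}" for s in sorted(missing)]
    fields = {  # values for the AppFabric app authorization form
        "Tenant ID": client.get("project_id"),
        "Client ID": client.get("client_id"),
        "Client secret present": bool(client.get("client_secret")),
    }
    return fields, problems

# Constructed sample, not real credentials. The trailing slash on the
# redirect URI makes it a different string from the documented format.
SAMPLE = json.dumps({"web": {
    "client_id": "000000000000-example.apps.googleusercontent.com",
    "project_id": "example-project-id",
    "client_secret": "PLACEHOLDER",
    "redirect_uris": ["https://us-east-1.console.aws.amazon.com/appfabric/oauth2/"],
}})

if __name__ == "__main__":
    print(preflight(SAMPLE, "us-east-1", sorted(REQUIRED_SCOPES)[1:]))
```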