googleapis
diff --git a/‎packages/google-privacy-dlp/protos/google/privacy/dlp/v2/dlp.proto‎
Lines changed: 268 additions & 2 deletions b/‎packages/google-privacy-dlp/protos/google/privacy/dlp/v2/dlp.proto‎
Lines changed: 268 additions & 2 deletions
@@ -4897,6 +4897,12 @@ message DataProfileAction {
     ERROR_CHANGED = 4;
   }
 
+  // Message expressing intention to publish to Google Security Operations.
+  message PublishToChronicle {}
+
+  // If set, a summary finding will be created/updated in SCC for each profile.
+  message PublishToSecurityCommandCenter {}
+
   // If set, attaches the [tags]
   // (https://cloud.google.com/resource-manager/docs/tags/tags-overview)
   // provided to profiled resources. Tags support [access
@@ -4959,6 +4965,15 @@ message DataProfileAction {
     // Publish a message into the Pub/Sub topic.
     PubSubNotification pub_sub_notification = 2;
 
+    // Publishes generated data profiles to Google Security Operations.
+    // For more information, see [Use Sensitive Data Protection data in
+    // context-aware
+    // analytics](https://cloud.google.com/chronicle/docs/detection/usecase-dlp-high-risk-user-download).
+    PublishToChronicle publish_to_chronicle = 3;
+
+    // Publishes findings to SCC for each data profile.
+    PublishToSecurityCommandCenter publish_to_scc = 4;
+
     // Tags the profiled resources with the specified tag values.
     TagResources tag_resources = 8;
   }
@@ -4980,6 +4995,9 @@ message DataProfileJobConfig {
   // that are profiled, and the Cloud DLP API must be enabled.
   string project_id = 5;
 
+  // Must be set only when scanning other clouds.
+  OtherCloudDiscoveryStartingLocation other_cloud_starting_location = 8;
+
   // Detection logic for profile generation.
   //
   // Not all template features are used by profiles. FindingLimits,
@@ -5144,6 +5162,9 @@ message DiscoveryConfig {
   // Only set when the parent is an org.
   OrgConfig org_config = 2;
 
+  // Must be set only when scanning other clouds.
+  OtherCloudDiscoveryStartingLocation other_cloud_starting_location = 12;
+
   // Detection logic for profile generation.
   //
   // Not all template features are used by Discovery. FindingLimits,
@@ -5210,6 +5231,10 @@ message DiscoveryTarget {
     // Cloud Storage target for Discovery. The first target to match a table
     // will be the one applied.
     CloudStorageDiscoveryTarget cloud_storage_target = 4;
+
+    // Other clouds target for discovery. The first target to match a resource
+    // will be the one applied.
+    OtherCloudDiscoveryTarget other_cloud_target = 5;
   }
 }
 
@@ -5821,6 +5846,208 @@ message DiscoveryFileStoreConditions {
   }
 }
 
+// Target used to match against for discovery of resources from other clouds.
+// An [AWS connector in Security Command Center
+// (Enterprise](https://cloud.google.com/security-command-center/docs/connect-scc-to-aws)
+// is required to use this feature.
+message OtherCloudDiscoveryTarget {
+  // Required. The type of data profiles generated by this discovery target.
+  // Supported values are:
+  // * aws/s3/bucket
+  DataSourceType data_source_type = 1 [(google.api.field_behavior) = REQUIRED];
+
+  // Required. The resources that the discovery cadence applies to. The
+  // first target with a matching filter will be the one to apply to a resource.
+  DiscoveryOtherCloudFilter filter = 2 [(google.api.field_behavior) = REQUIRED];
+
+  // Optional. In addition to matching the filter, these conditions must be true
+  // before a profile is generated.
+  DiscoveryOtherCloudConditions conditions = 3
+      [(google.api.field_behavior) = OPTIONAL];
+
+  // Type of cadence.
+  oneof cadence {
+    // How often and when to update data profiles. New resources that match both
+    // the filter and conditions are scanned as quickly as possible depending on
+    // system capacity.
+    DiscoveryOtherCloudGenerationCadence generation_cadence = 4;
+
+    // Disable profiling for resources that match this filter.
+    Disabled disabled = 5;
+  }
+}
+
+// Determines which resources from the other cloud will have profiles generated.
+// Includes the ability to filter by resource names.
+message DiscoveryOtherCloudFilter {
+  // Whether the filter applies to a specific set of resources or all
+  // other resources. The first filter to match will be applied, regardless of
+  // the condition. Defaults to `others` if none is set.
+  oneof filter {
+    // A collection of resources for this filter to apply to.
+    OtherCloudResourceCollection collection = 1;
+
+    // The resource to scan. Configs using this filter can only have one target
+    // (the target with this single resource reference).
+    OtherCloudSingleResourceReference single_resource = 2;
+
+    // Optional. Catch-all. This should always be the last target in the list
+    // because anything above it will apply first. Should only appear once in a
+    // configuration. If none is specified, a default one will be added
+    // automatically.
+    AllOtherResources others = 100 [(google.api.field_behavior) = OPTIONAL];
+  }
+}
+
+// Match resources using regex filters.
+message OtherCloudResourceCollection {
+  // The first filter containing a pattern that matches a resource will be used.
+  oneof pattern {
+    // A collection of regular expressions to match a resource against.
+    OtherCloudResourceRegexes include_regexes = 1;
+  }
+}
+
+// A collection of regular expressions to determine what resources to match
+// against.
+message OtherCloudResourceRegexes {
+  // A group of regular expression patterns to match against one or more
+  // resources.
+  // Maximum of 100 entries. The sum of all regular expression's length can't
+  // exceed 10 KiB.
+  repeated OtherCloudResourceRegex patterns = 1;
+}
+
+// A pattern to match against one or more resources. At least one pattern must
+// be specified. Regular expressions use RE2
+// [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found
+// under the google/re2 repository on GitHub.
+message OtherCloudResourceRegex {
+  // The type of resource regex to use.
+  oneof resource_regex {
+    // Regex for Amazon S3 buckets.
+    AmazonS3BucketRegex amazon_s3_bucket_regex = 1;
+  }
+}
+
+// AWS account regex.
+message AwsAccountRegex {
+  // Optional. Regex to test the AWS account ID against.
+  // If empty, all accounts match.
+  string account_id_regex = 1 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// Amazon S3 bucket regex.
+message AmazonS3BucketRegex {
+  // The AWS account regex.
+  AwsAccountRegex aws_account_regex = 1;
+
+  // Optional. Regex to test the bucket name against.
+  // If empty, all buckets match.
+  string bucket_name_regex = 2 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// Identifies a single resource, like a single Amazon S3 bucket.
+message OtherCloudSingleResourceReference {
+  // The resource to scan.
+  oneof resource {
+    // Amazon S3 bucket.
+    AmazonS3Bucket amazon_s3_bucket = 1;
+  }
+}
+
+// AWS account.
+message AwsAccount {
+  // Required. AWS account ID.
+  string account_id = 1 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Amazon S3 bucket.
+message AmazonS3Bucket {
+  // The AWS account.
+  AwsAccount aws_account = 1;
+
+  // Required. The bucket name.
+  string bucket_name = 2 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Requirements that must be true before a resource is profiled for the first
+// time.
+message DiscoveryOtherCloudConditions {
+  // Minimum age a resource must be before Cloud DLP can profile it. Value must
+  // be 1 hour or greater.
+  google.protobuf.Duration min_age = 1;
+
+  // The conditions to apply.
+  oneof conditions {
+    // Amazon S3 bucket conditions.
+    AmazonS3BucketConditions amazon_s3_bucket_conditions = 2;
+  }
+}
+
+// Amazon S3 bucket conditions.
+message AmazonS3BucketConditions {
+  // Supported Amazon S3 bucket types.
+  // Defaults to TYPE_ALL_SUPPORTED.
+  enum BucketType {
+    // Unused.
+    TYPE_UNSPECIFIED = 0;
+
+    // All supported classes.
+    TYPE_ALL_SUPPORTED = 1;
+
+    // A general purpose Amazon S3 bucket.
+    TYPE_GENERAL_PURPOSE = 2;
+  }
+
+  // Supported Amazon S3 object storage classes.
+  // Defaults to ALL_SUPPORTED_CLASSES.
+  enum ObjectStorageClass {
+    // Unused.
+    UNSPECIFIED = 0;
+
+    // All supported classes.
+    ALL_SUPPORTED_CLASSES = 1;
+
+    // Standard object class.
+    STANDARD = 2;
+
+    // Standard - infrequent access object class.
+    STANDARD_INFREQUENT_ACCESS = 4;
+
+    // Glacier - instant retrieval object class.
+    GLACIER_INSTANT_RETRIEVAL = 6;
+
+    // Objects in the S3 Intelligent-Tiering access tiers.
+    INTELLIGENT_TIERING = 7;
+  }
+
+  // Optional. Bucket types that should be profiled.
+  // Optional. Defaults to TYPE_ALL_SUPPORTED if unspecified.
+  repeated BucketType bucket_types = 1 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Object classes that should be profiled.
+  // Optional. Defaults to ALL_SUPPORTED_CLASSES if unspecified.
+  repeated ObjectStorageClass object_storage_classes = 2
+      [(google.api.field_behavior) = OPTIONAL];
+}
+
+// How often existing resources should have their profiles refreshed.
+// New resources are scanned as quickly as possible depending on system
+// capacity.
+message DiscoveryOtherCloudGenerationCadence {
+  // Optional. Frequency to update profiles regardless of whether the underlying
+  // resource has changes. Defaults to never.
+  DataProfileUpdateFrequency refresh_frequency = 1
+      [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Governs when to update data profiles when the inspection rules
+  // defined by the `InspectTemplate` change.
+  // If not set, changing the template will not cause a data profile to update.
+  DiscoveryInspectTemplateModifiedCadence inspect_template_modified_cadence = 2
+      [(google.api.field_behavior) = OPTIONAL];
+}
+
 // The location to begin a discovery scan. Denotes an organization ID or folder
 // ID within an organization.
 message DiscoveryStartingLocation {
@@ -5834,6 +6061,31 @@ message DiscoveryStartingLocation {
   }
 }
 
+// The other cloud starting location for discovery.
+message OtherCloudDiscoveryStartingLocation {
+  // The AWS starting location for discovery.
+  message AwsDiscoveryStartingLocation {
+    // The scope of this starting location.
+    oneof scope {
+      // The AWS account ID that this discovery config applies to.
+      // Within an AWS organization, you can find the AWS account ID inside an
+      // AWS account ARN. Example:
+      // arn:{partition}:organizations::{management_account_id}:account/{org_id}/{account_id}
+      string account_id = 2;
+
+      // All AWS assets stored in Asset Inventory that didn't match other AWS
+      // discovery configs.
+      bool all_asset_inventory_assets = 3;
+    }
+  }
+
+  // The other cloud starting location for discovery.
+  oneof location {
+    // The AWS starting location for discovery.
+    AwsDiscoveryStartingLocation aws_location = 1;
+  }
+}
+
 // Match discovery resources not covered by any other filter.
 message AllOtherResources {}
 
@@ -6946,7 +7198,7 @@ message ProjectDataProfile {
   // The resource name of the profile.
   string name = 1;
 
-  // Project ID that was profiled.
+  // Project ID or account that was profiled.
   string project_id = 2;
 
   // The last time the profile was generated.
@@ -7364,6 +7616,7 @@ message ColumnDataProfile {
 // The profile for a file store.
 //
 // * Cloud Storage: maps 1:1 with a bucket.
+// * Amazon S3: maps 1:1 with a bucket.
 message FileStoreDataProfile {
   option (google.api.resource) = {
     type: "dlp.googleapis.com/FileStoreDataProfile"
@@ -7396,12 +7649,15 @@ message FileStoreDataProfile {
   string project_data_profile = 3;
 
   // The Google Cloud project ID that owns the resource.
+  // For Amazon S3 buckets, this is the AWS Account Id.
   string project_id = 4;
 
   // The location of the file store.
   //
   // * Cloud Storage:
   // https://cloud.google.com/storage/docs/locations#available-locations
+  // * Amazon S3:
+  // https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints
   string file_store_location = 5;
 
   // For resources that have multiple storage locations, these are those
@@ -7419,10 +7675,14 @@ message FileStoreDataProfile {
   // The file store path.
   //
   // * Cloud Storage: `gs://{bucket}`
+  // * Amazon S3: `s3://{bucket}`
   string file_store_path = 6;
 
   // The resource name of the resource profiled.
   // https://cloud.google.com/apis/design/resource_names#full_resource_name
+  //
+  // Example format of an S3 bucket full resource name:
+  // `//cloudasset.googleapis.com/organizations/{org_id}/otherCloudConnections/aws/arn:aws:s3:::{bucket_name}`
   string full_resource = 24;
 
   // The snapshot of the configurations used to generate the profile.
@@ -7599,6 +7859,7 @@ message ListFileStoreDataProfilesRequest {
   // * A restriction has the form of `{field} {operator} {value}`.
   // * Supported fields/values:
   //     - `project_id` - The Google Cloud project ID.
+  //     - `account_id` - The AWS account ID.
   //     - `file_store_path` - The path like "gs://bucket".
   //     - `data_source_type` - The profile's data source type, like
   //     "google/storage/bucket".
@@ -7995,7 +8256,12 @@ message DeleteTableDataProfileRequest {
 // Message used to identify the type of resource being profiled.
 message DataSourceType {
   // Output only. An identifying string to the type of resource being profiled.
-  // Current values: google/bigquery/table, google/project
+  // Current values:
+  //
+  // * google/bigquery/table
+  // * google/project
+  // * google/sql/table
+  // * google/gcs/bucket
   string data_source = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
 }