Agentless for GCP Compute Engine: Find Your Vulnerabilities

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L4 Transporter
Did you find this article helpful? Yes No
No ratings

Agentless for GCP Compute Engine: Find Your Vulnerabilities

 

By RDSingh

 

Introduction

 

Prisma Cloud Compute Agentless scanning enables you to quickly gain comprehensive visibility into vulnerability and compliance risks without having to install an agent on each host.

 

Cloud environments are dynamic in nature. Prisma Cloud gives you the flexibility to choose between agentless and agent-based security. At this time, Prisma Cloud supports agentless scanning of VMs on AWS, GCP and Azure.

 

This article outlines the process of setting Prisma Cloud Compute Agentless to scan Google Cloud Platform (GCP) Compute Engine to discover vulnerabilities and compliances.  

 

The steps to enable Agentless Scanning on GCP are:

  1. enabling GCP API
  2. using a predefined role 
  3. configuring agentless on Prisma Cloud

 

Option 1 - GCP Project:

  • Enable following APIs
    • Cloud Resource Manager API
    • Compute Engine API
    • Identity and Access Management API
    • Deployment Manager API (to execute gcloud deployment-manager commands to apply templates)
  • Temporarily add 
    • Roles > Role Administrator 
    • IAM > Security Admin 

Roles to the Google APIs Service Agent (aka <project_number>@cloudservices.gserviceaccount.com)

  • Create an IAM Service Account and download a Service Account Key

 

Option 2 - GCP CloudShell:

Execute following gcloud commands:

$ gcloud config set project example-project-name

$ gcloud services enable cloudresourcemanager.googleapis.com

$ gcloud services enable compute.googleapis.com

$ gcloud services enable iam.googleapis.com

$ gcloud services enable deploymentmanager.googleapis.com

$ gcloud projects add-iam-policy-binding \

   example-project-name \

   --member=serviceAccount:example-project-number@cloudservices.gserviceaccount.com \

   --role=roles/iam.roleAdmin

$ gcloud projects add-iam-policy-binding \

   example-project-name \

   --member=serviceAccount:example-project-number@cloudservices.gserviceaccount.com \

   --role=roles/iam.securityAdmin

$ gcloud iam service-accounts create \

   example-project-name \

   --display-name="Prisma Cloud Service Account for Agentless Scanning"

$ gcloud iam service-accounts keys create \

   example-project-name_service_account_key.json \      

   --iam-account=prisma-cloud-agentless@example-project-name.iam.gserviceaccount.com

 

Download the Service Account Key: example-project-name_service_account_key.json

Note: If the APIs are not enabled and the Roles are not added to the Google APIs Service Agent, the subsequent gcloud deployment-manager deployments create command will fail. If the gcloud deployment-manager deployments create command fails, enable the APIs and add the Roles and retry the command. Replace the create with update if you receive a "deployment already exists" error.

 

Prisma Cloud Compute onboard the GCP account:

Login to the Compute console and navigate to Manage / Cloud Accounts

  1. Click Add Account
  2. In the Service Account field, paste the Service Account Key (example-project-name_service_account_key.json) and leave the API Key field blank
  3. Download the permission templates
  4. Advanced Settings are all optional

 

GCP, apply the permission templates:

  • Upload all of the downloaded (and expanded) permission templates.

In CloudShell:

gcloud deployment-manager deployments create \

pc-agentless-hub-user-local \

--project example-project-name \

--template permission-template-file

 

Prisma Cloud Compute test Agentless Scanning:

  1. Return to the Compute console and the Cloud Accounts page
  2. Click Start Agentless Scan
  3. Monitor the scan, looking for errors in Scanning Job Progress, or summarized in the list of Cloud Accounts
  4. View the Agentless scan results in Compute > Monitor > Vulnerabilities > Hosts

 

GCP, in your Project, remove temporary Roles:

  • In IAM, remove 
    • Roles > Role Administrator 
    • IAM > Security Admin 

Roles from the Google APIs Service Agent (aka <project_number>@cloudservices.gserviceaccount.com).

 

CloudShell:

gcloud projects remove-iam-policy-binding \

   example-project-name \

   --member=serviceAccount:example-project-number@cloudservices.gserviceaccount.com \

   --role=roles/iam.roleAdmin

    

gcloud projects remove-iam-policy-binding \

   example-project-name \

   --member=serviceAccount:example-project-number@cloudservices.gserviceaccount.com \

   --role=roles/iam.securityAdmin

 

Those roles were only needed to execute gcloud deployment-manager commands to apply the permission templates.

 

Closing Thoughts:

 

To speed up testing, create VMs in just one Region, and configure Prisma Cloud to scan that Region via Custom Regions.

 

Prisma Cloud Compute Edition Administrator's Guide - Permissions

 

Prisma Cloud Compute Edition Administrator's Guide - Agentless Scanning

 

We recommend to leverage this reference article in order to gain visibility into vulnerability and compliance risks across your cloud accounts without having to install an agent on each host.

 

About the Author

RD Singh is a senior customer success engineer specializing in Prisma Cloud, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. RD uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage his multi industry knowledge to inspire success.  

Rate this article:
(1)
Register or Sign-in
Contributors
Article Dashboard
Version history
Last update:
‎11-29-2022 03:21 PM
Updated by: