11-29-2022 03:21 PM - edited 09-19-2023 06:31 PM
Prisma Cloud Compute Agentless scanning enables you to quickly gain comprehensive visibility into vulnerability and compliance risks without having to install an agent on each host.
Cloud environments are dynamic in nature. Prisma Cloud gives you the flexibility to choose between agentless and agent-based security. At this time, Prisma Cloud supports agentless scanning of VMs on AWS, GCP and Azure.
This article outlines the process of setting Prisma Cloud Compute Agentless to scan Google Cloud Platform (GCP) Compute Engine to discover vulnerabilities and compliances.
The steps to enable Agentless Scanning on GCP are:
Roles to the Google APIs Service Agent (aka <project_number>@cloudservices.gserviceaccount.com)
Execute following gcloud commands:
$ gcloud config set project example-project-name
$ gcloud services enable cloudresourcemanager.googleapis.com
$ gcloud services enable compute.googleapis.com
$ gcloud services enable iam.googleapis.com
$ gcloud services enable deploymentmanager.googleapis.com
$ gcloud projects add-iam-policy-binding \
example-project-name \
--member=serviceAccount:example-project-number@cloudservices.gserviceaccount.com \
--role=roles/iam.roleAdmin
$ gcloud projects add-iam-policy-binding \
example-project-name \
--member=serviceAccount:example-project-number@cloudservices.gserviceaccount.com \
--role=roles/iam.securityAdmin
$ gcloud iam service-accounts create \
example-project-name \
--display-name="Prisma Cloud Service Account for Agentless Scanning"
$ gcloud iam service-accounts keys create \
example-project-name_service_account_key.json \
--iam-account=prisma-cloud-agentless@example-project-name.iam.gserviceaccount.com
Download the Service Account Key: example-project-name_service_account_key.json
Note: If the APIs are not enabled and the Roles are not added to the Google APIs Service Agent, the subsequent gcloud deployment-manager deployments create command will fail. If the gcloud deployment-manager deployments create command fails, enable the APIs and add the Roles and retry the command. Replace the create with update if you receive a "deployment already exists" error.
Login to the Compute console and navigate to Manage / Cloud Accounts
In CloudShell:
gcloud deployment-manager deployments create \
pc-agentless-hub-user-local \
--project example-project-name \
--template permission-template-file
Roles from the Google APIs Service Agent (aka <project_number>@cloudservices.gserviceaccount.com).
gcloud projects remove-iam-policy-binding \
example-project-name \
--member=serviceAccount:example-project-number@cloudservices.gserviceaccount.com \
--role=roles/iam.roleAdmin
gcloud projects remove-iam-policy-binding \
example-project-name \
--member=serviceAccount:example-project-number@cloudservices.gserviceaccount.com \
--role=roles/iam.securityAdmin
Those roles were only needed to execute gcloud deployment-manager commands to apply the permission templates.
To speed up testing, create VMs in just one Region, and configure Prisma Cloud to scan that Region via Custom Regions.
Prisma Cloud Compute Edition Administrator's Guide - Permissions
Prisma Cloud Compute Edition Administrator's Guide - Agentless Scanning
We recommend to leverage this reference article in order to gain visibility into vulnerability and compliance risks across your cloud accounts without having to install an agent on each host.
RD Singh is a senior customer success engineer specializing in Prisma Cloud, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. RD uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage his multi industry knowledge to inspire success.
