: Configure Agentless Scanning for GCP

Configure Agentless Scanning for GCP

Table of Contents

Configure Agentless Scanning for GCP

  1. Log in to your Prisma Cloud Compute Console.
  2. Go to
    Manage > Cloud
  3. Click
    +Add account
  4. Enter the following information for the hub account in the
    Account config
    1. Select Cloud provider
      : GCP
    2. Account ID:
      Enter your Google project ID for the hub account.
    3. Description:
      Provide an optional string.
    4. Service account:
      Paste the contents of the downloaded service account key file for the hub account.
    5. API token:
      Leave blank.
  5. Click
  6. In the Agentless scanning page, complete the following steps.
    1. Enable
      Agentless scanning
    2. Set the
      Console URL
      to the address of your Prisma Cloud console that can be reached from the internet. To create an address or FQDN reachable from the internet, complete the Subject Alternative Names procedure.
  7. Hub account
    : Enable the toggle to configure this account as a hub account.
  8. Expand the
    Advanced settings
    1. Select where to scan
      : For GCP accounts, you can decide between two scanning modes.
      1. Same Account
        : Perform the agentless scanning process using this account.
      2. Hub Account
        : Perform the agentless scanning process using a centralized hub account. Select another account from the list to use as the centralized hub account to scan this account. on the target accounts. If you wish Prisma Cloud to scan encrypted volumes on the target accounts, follow the steps on encrypted volumes.
    2. Auto-scale scanning
      : Automatically create the required amount of scanners to scan all of the hosts within a region, up to a limit of 50 scanners. To use a different limit specify the
      Max number of scanners
    3. Max number of scanners
      : Enter the upper limit of scanners that Prisma Cloud can automatically spin up within a region in your account for faster results.
    4. Enforce permissions check
      : In case of failure to validate the appropriate permissions, this account won’t be scanned. If this is a hub account, the associated target accounts won’t be scanned as well.
    5. Enter a
      value if traffic leaving your GCP tenant uses a proxy.
    6. Custom labels
      : Apply custom labels to any resources Prisma Cloud creates during agentless scanning.
    7. Under
      Scan scope
      you can refine the scope of the scanning by
      or using labels.
      1. All regions
        : Scan in all GCP regions.
      2. Custom regions
        : Specify the GCP regions, which you want scanned.
      3. Scan non running hosts
        : Choose whether or not to scan hosts that aren’t running.
      4. Exclude hosts by labels
        : Select a subset of hosts which you want to exclude from the scan process
        You can use wildcards to specify a range of labels in both keys and values following these examples:
        "abcd*" "*abcd" "abcd" "*" "*abcd*"
      5. Include hosts by labels
        : Select a subset of hosts to scan
        You can use wildcards to specify a range of labels in both keys and values following these examples:
        "abcd*" "*abcd" "abcd" "*" "*abcd*"
    8. Network resources
      : Configure custom network resources for agentless scanning
      1. Subnet
        : If left blank, agentless scanning uses the default networking infrastructure and assigns scanners with a public IP. Specify a subnet name to use an existing subnet in your environment and to use a private IP. The subnet must be unique and identical across all regions. If you are configuring a hub account, this requirement only applies to the hub account and not for the targets.
      2. Shared VPC
        : If you are using a shared VPC, enter the shared VPC path in this field with the following convention. Replace {host_project_name} with the ID of the project that owns the shared VPC.
        Using a shared VPC requires additional permissions on the shared VPC host project. Refer to the GCP documentation to learn more about shared VPCs.
  9. Click Next.
  10. Leave the
    Server scan
    toggle unchanged.
  11. Click Next.
  12. Leave the
    Discovery features
    toggle unchanged.
  13. Click

Scan Encrypted Volumes When Using Hub Mode

When you use hub and target projects, you can configure your hub project to access the encrypted volumes of the target accounts. To use encrypted volumes the service account of Google Compute Engine needs to have the cloudkms.cryptoKeyEncrypterDecrypter role. Without it, the service agent of the the hub project can’t access the KMS keys.
The Compute Engine service agent for your hub project is labeled with the following convention. service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com Replace PROJECT_NUMBER with the number of your hub project.
  1. Use the following command to apply the grant the role and permissions to the Compute Engine service agent.
    gcloud projects add-iam-policy-binding KMS_PROJECT_ID \ --member serviceAccount:service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com \ --role roles/cloudkms.cryptoKeyEncrypterDecrypter
  2. Replace KMS_PROJECT_ID with any project you need to use. The KMS project isn’t required to be the hub account or the target accounts you wish to scan.

Start an Agentless Scan

Agentless scans start immediately after onboarding the cloud account. By default, agentless scans are performed every 24 hours, but you can change the interval on the
Manage > System > Scan
page under
Scheduling > Agentless
To manually start a scan, complete the following steps.
  1. Go to
    Manage > Cloud accounts
  2. Click the scan icon on the top right corner of the accounts table.
  3. Click
    Start Agentless scan
  4. Click the scan icon in the top right corner of the console to view the scan status.
  5. View the results.
    1. Go to
      Monitor > Vulnerabilities > Hosts
      Monitor > Vulnerabilities > Images
    2. Click on the
      Filter hosts
      text bar.
    3. Select the
      Scanned by
    4. Select the

Recommended For You