Prisma Cloud Compute Edition Administrator’s Guide
    : Onboard GCP Accounts for Agentless Scanning
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Agentless Scanning
    6. Onboard Accounts for Agentless Scanning
    7. Onboard GCP Accounts for Agentless Scanning
    Download PDF

    Prisma Cloud Compute Edition Administrator’s Guide

    Onboard GCP Accounts for Agentless Scanning

    Table of Contents

    Onboard GCP Accounts for Agentless Scanning

    Prisma Cloud gives you the flexibility to choose between agentless security and agent-based security using Defenders. Agentless scanning lets you inspect the risks and vulnerabilities of a cloud workload without installing an agent or affecting the execution of the workload. Prisma Cloud supports agentless scanning for vulnerabilities and compliance on hosts, clusters, and containers. To learn more about how agentless scanning works, see the How Agentless Scanning Works?[How Agentless Scanning Works?]
    Agentless scanning for GCP accounts can use one of the following scanning modes.

    Onboard your GCP Account in Same Account Mode

    The following procedure shows the steps required to configure Prisma Cloud agentless scanning for a GCP project using the same account scanning mode with Prisma Cloud Compute credentials.
    This document uses the same name for the following items. * Your GCP project * Its service account * Your Prisma Cloud account
    This choice creates a one-to-one mapping of projects, accounts, resources, and filenames. This mapping is not required, but it leads to simpler commands.

    Configure your GCP Project

    1. Setup your Google Cloud Project.
      1. Login to the Google Cloud shell.
      2. Set an environment variable with the name of your project.
        export PROJECT_NAME=example_project
      3. Create a Google Cloud project.
        export PROJECT_BILLING_ACCOUNT="ABCDE-12345-FGHIJ"
gcloud projects create ${PROJECT_NAME}
gcloud billing projects link ${PROJECT_NAME} --billing-account ${PROJECT_BILLING_ACCOUNT}
      4. Enable the Google Cloud APIs needed for agentless scanning.
        gcloud config set project ${PROJECT_NAME}
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable compute.googleapis.com
gcloud services enable iam.googleapis.com
gcloud services enable deploymentmanager.googleapis.com
    2. Create the needed service account.
      gcloud config set project ${PROJECT_NAME}
gcloud iam service-accounts create ${PROJECT_NAME} --display-name="Prisma Cloud Service Account for Agentless Scanning"
    3. Create and download the service account key file.
      cloud iam service-accounts keys create ${PROJECT_NAME}-service_account_key.json --iam-account=${PROJECT_NAME}@${PROJECT_NAME}.iam.gserviceaccount.com
[ "${GOOGLE_CLOUD_SHELL}X" == "trueX" ] && cloudshell download ${PROJECT_NAME}-service_account_key.json

    Configure Agentless Scanning

    Apply the Jinja Template in GCP

    1. Login to the Google Cloud shell.
    2. Set an environment variable with the project number.
      gcloud config set project ${PROJECT_NAME}
export PROJECT_NUMBER=$(gcloud projects list --filter=${PROJECT_NAME} --format="value(PROJECT_NUMBER)")
    3. Add the needed roles to apply the templates to the project using deployment manager.
      gcloud projects add-iam-policy-binding ${PROJECT_NAME} --member=serviceAccount:${PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.roleAdmin
gcloud projects add-iam-policy-binding ${PROJECT_NAME} --member=serviceAccount:${PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.securityAdmin
      1. If you use a shared VPC, add the following permissions to the service account used for scanning target projects for the project, which owns the VPC. Go to the GCP documentation to learn more about shared VPCs.
        compute.subnetworks.use
compute.subnetworks.useExternalIp
    4. On the Google Cloud shell page, click
      More
       - the three dots on the upper right corner.
      1. Click
        Upload
        .
      2. Select the downloaded template.
      3. Click
        Upload
        .
      4. Extract the template files.
        tar -xzf ${PROJECT_NAME}_templates.tar.gz
      5. Apply the downloaded Jinja template.
        gcloud deployment-manager deployments create pc-agentless-hub-user-local --project ${PROJECT_NAME} --template ${PROJECT_NAME}_target_user_permissions.yaml.jinja
      6. Remove the roles required to deploy the Jinja templates.
        gcloud projects remove-iam-policy-binding ${PROJECT_NAME} --member=serviceAccount:${PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.roleAdmin
gcloud projects remove-iam-policy-binding ${PROJECT_NAME} --member=serviceAccount:${PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.securityAdmin

    Onboard your GCP Accounts in Hub Account Mode

    The following procedure shows the steps required to configure Prisma Cloud agentless scanning for a GCP project using the hub account scanning mode with Prisma Cloud Compute credentials.
    This document uses the same name for the following items. * The GCP project used as a hub account.
    Its service account
    Its Prisma Cloud account
    • The GCP project used as a target account.
      • Its service account
      • Its Prisma Cloud account
    This choice creates a one-to-one mapping of projects, accounts, resources, and filenames. This mapping is not required, but it leads to simpler commands.
    The example hub account uses the example_hub_project name. The example target account uses the example_hub_project name.

    Configure your GCP Projects for Same Account Mode

    1. Setup your Google Cloud projects.
      1. Login to the Google Cloud shell.
      2. Set the environment variables with the names of your projects.
        export HUB_PROJECT_NAME="example_hub_project"
export TARGET_PROJECT_NAME="example_target_project"
      3. Create the Google Cloud projects.
        export PROJECT_BILLING_ACCOUNT="ABCDE-12345-FGHIJ"
gcloud projects create ${HUB_PROJECT_NAME}
gcloud projects create ${TARGET_PROJECT_NAME}
gcloud billing projects link ${HUB_PROJECT_NAME} --billing-account ${PROJECT_BILLING_ACCOUNT}
gcloud billing projects link ${TARGET_PROJECT_NAME} --billing-account ${PROJECT_BILLING_ACCOUNT}
      4. Enable the Google Cloud APIs needed for agentless scanning in the hub account.
        gcloud config set project ${HUB_PROJECT_NAME}
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable compute.googleapis.com
gcloud services enable iam.googleapis.com
gcloud services enable deploymentmanager.googleapis.com
      5. Enable the Google Cloud APIs needed for agentless scanning in the target account.
        gcloud config set project ${TARGET_PROJECT_NAME}
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable compute.googleapis.com
gcloud services enable iam.googleapis.com
gcloud services enable deploymentmanager.googleapis.com
    2. Create the needed service account for the hub account.
      gcloud config set project ${HUB_PROJECT_NAME}
export HUB_PROJECT_NUMBER=$(gcloud projects list --filter=${HUB_PROJECT_NAME} --format="value(PROJECT_NUMBER)")
gcloud iam service-accounts create ${HUB_PROJECT_NAME} --display-name="Prisma Cloud Service Account for Agentless Scanning"
    3. Create and download the service account key file for the hub account.
      gcloud iam service-accounts keys create ${HUB_PROJECT_NAME}-service_account_key.json --iam-account=${HUB_PROJECT_NAME}@${HUB_PROJECT_NAME}.iam.gserviceaccount.com
[ "${GOOGLE_CLOUD_SHELL}X" == "trueX" ] && cloudshell download ${HUB_PROJECT_NAME}-service_account_key.json
    4. Create the needed service account for the target account.
      gcloud config set project ${TARGET_PROJECT_NAME}
export TARGET_PROJECT_NUMBER=$(gcloud projects list --filter=${TARGET_PROJECT_NAME} --format="value(PROJECT_NUMBER)")
gcloud iam service-accounts create ${TARGET_PROJECT_NAME} --display-name="Prisma Cloud Service Account for Agentless Scanning"
    5. Create and download the service account key file for the target account.
      gcloud iam service-accounts keys create ${TARGET_PROJECT_NAME}-service_account_key.json --iam-account=${TARGET_PROJECT_NAME}@${TARGET_PROJECT_NAME}.iam.gserviceaccount.com
[ "${GOOGLE_CLOUD_SHELL}X" == "trueX" ] && cloudshell download ${TARGET_PROJECT_NAME}-service_account_key.json

    Configure Agentless Scanning for Hub Account Mode

    Apply the Jinja Template in GCP

    1. Login to the Google Cloud shell.
    2. Add the needed roles to apply the templates to the hub account using deployment manager.
      gcloud config set project ${HUB_PROJECT_NAME}
gcloud projects add-iam-policy-binding ${HUB_PROJECT_NAME} --member=serviceAccount:${HUB_PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.roleAdmin
gcloud projects add-iam-policy-binding ${HUB_PROJECT_NAME} --member=serviceAccount:${HUB_PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.securityAdmin
    3. Add the needed roles to apply the templates to the target account using deployment manager.
      gcloud config set project ${TARGET_PROJECT_NAME}
gcloud projects add-iam-policy-binding ${TARGET_PROJECT_NAME} --member=serviceAccount:${TARGET_PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.roleAdmin
gcloud projects add-iam-policy-binding ${TARGET_PROJECT_NAME} --member=serviceAccount:${TARGET_PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.securityAdmin
    4. On the Google Cloud shell page, click
      More
       - the three dots on the upper right corner.
      1. Click
        Upload
        .
      2. Select the downloaded templates for the hub and target accounts.
      3. Click
        Upload
        .
      4. Extract the template files.
        tar -xzf ${HUB_PROJECT_NAME}_templates.tar.gz
tar -xzf ${TARGET_PROJECT_NAME}_templates.tar.gz
      5. Apply the downloaded Jinja templates for the hub account.
        gcloud config set project ${HUB_PROJECT_NAME}
gcloud deployment-manager deployments create pc-agentless-hub-user --project ${HUB_PROJECT_NAME} --template ${HUB_PROJECT_NAME}_hub_user_permissions.yaml.jinja
gcloud deployment-manager deployments create pc-agentless-hub-user-local --project ${HUB_PROJECT_NAME} --template ${HUB_PROJECT_NAME}_target_user_permissions.yaml.jinja
      6. Apply the downloaded Jinja templates for the target account.
        gcloud config set project ${TARGET_PROJECT_NAME}
gcloud deployment-manager deployments create pc-agentless-target-user --project ${TARGET_PROJECT_NAME} --template ${TARGET_PROJECT_NAME}_hub_target_user_permissions.yaml.jinja
gcloud deployment-manager deployments create pc-agentless-target-access --project ${TARGET_PROJECT_NAME} --template ${HUB_PROJECT_NAME}_hub_target_access_permissions.yaml.jinja
      7. Remove the roles required to deploy the Jinja templates from the hub account.
        cloud config set project ${HUB_PROJECT_NAME}
gcloud projects remove-iam-policy-binding ${HUB_PROJECT_NAME} --member=serviceAccount:${HUB_PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.roleAdmin
gcloud projects remove-iam-policy-binding ${HUB_PROJECT_NAME} --member=serviceAccount:${HUB_PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.securityAdmin
      8. Remove the roles required to deploy the Jinja templates from the target account.
        gcloud config set project ${TARGET_PROJECT_NAME}
gcloud projects remove-iam-policy-binding ${TARGET_PROJECT_NAME} --member=serviceAccount:${TARGET_PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.roleAdmin
gcloud projects remove-iam-policy-binding ${TARGET_PROJECT_NAME} --member=serviceAccount:${TARGET_PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.securityAdmin

    Start an Agentless Scan

    Agentless scans start immediately after onboarding the cloud account. By default, agentless scans are performed every 24 hours, but you can change the interval on the
    Manage > System > Scan
     page under
    Scheduling > Agentless
    .
    To manually start a scan, complete the following steps.
    1. Go to
      Manage > Cloud accounts
      .
    2. Click the scan icon on the top right corner of the accounts table.
    3. Click
      Start Agentless scan
      .
    4. Click the scan icon in the top right corner of the console to view the scan status.
    5. View the results.
      1. Go to
        Monitor > Vulnerabilities > Hosts
         or
        Monitor > Vulnerabilities > Images
        .
      2. Click on the
        Filter hosts
         text bar.
      3. Select the
        Scanned by
         filter.
      4. Select the
        Agentless
         filter.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.