Onboard GCP Accounts for Agentless Scanning

Prisma Cloud gives you the flexibility to choose between agentless security and agent-based security using Defenders. Agentless scanning lets you inspect the risks and vulnerabilities of a cloud workload without installing an agent or affecting the execution of the workload. Prisma Cloud supports agentless scanning for vulnerabilities and compliance on hosts, clusters, and containers. To learn more about how agentless scanning works, see How Agentless Scanning Works.
Agentless scanning for GCP accounts can use one of two scanning modes: same account mode, where the onboarded account scans its own hosts, or hub account mode, where one onboarded account (the hub) scans the hosts of other onboarded accounts.
To onboard your GCP account for agentless scanning in same account mode, complete the following tasks.
  1. Onboard the GCP account you want to use for agentless scanning in Prisma Cloud.
  2. Configure the onboarded account in Prisma Cloud.
To use hub account mode, complete the following steps.
  1. Onboard the GCP account to use as the hub account for agentless scanning to Prisma Cloud.
  2. Onboard the GCP account or accounts to Prisma Cloud that you want to scan using Prisma Cloud agentless scanning.
  3. Configure the onboarded target accounts to use the onboarded hub account.

Prerequisites

You need the following items to onboard a GCP account for agentless scanning.
  • A GCP project with the permissions needed to create a service account and roles under this project.
  • At least one Google Compute VM instance deployed with running containers to validate scanning.
  • A working connection from your cloud account to Prisma Cloud.

Onboard your GCP Account to Prisma Cloud

  1. Log in to the Prisma Cloud administrative console.
  2. Select
    Settings > Cloud Accounts > Add Cloud Account
    .
  3. Select GCP as the cloud provider.
  4. Provide the following information in the
    Get Started
    page.
    1. Enter an account name to identify the account in Prisma Cloud.
  5. Click
    Next
    .
  6. Provide the following information in the
    Account Details
    page.
    1. Under
      Onboard
      , select
      Project
      .
    2. Enter the ID of your GCP project.
  7. Click
    Next
    .
  8. Select the
    Security Capabilities
    you need. The
    Agentless Scanning
    and
    Serverless Function Scanning
    are enabled by default.
  9. Click
    Next
    .
  10. In the
    Configure Account
    page, select
    Service Account Key
    .
  11. Click
    Download Terraform Script
    .
  12. Log in to the Google Cloud Shell.
  13. Upload the Terraform script you downloaded from Prisma Cloud.
    1. On the Google Cloud shell page, click
      More
      - the three dots on the upper right corner.
    2. Click
      Upload
      .
    3. Select the downloaded Terraform script.
    4. Click
      Upload
      .
  14. Initialize the Terraform script with the following command in the Google Cloud shell console.
    terraform init
  15. Once initialization is complete, apply the Terraform script with the following command in the Google Cloud shell console.
    terraform apply
    1. If an authorization popup appears, accept it.
    2. Enter yes in the console when asked to confirm the plan.
  16. Once the Terraform script is applied, it creates the service account key file in the same folder, using the project ID as the file name prefix. Download the service account file.
    1. On the Google Cloud shell page, click
      More
      - the three dots on the upper right corner.
    2. Click
      Download
      .
    3. Select the created service account file.
    4. Click
      Download
      .
  17. In the
    Configure Account
    page, drag and drop or upload the service account file.
  18. Click
    Next
    .
  19. Select the account group in Prisma Cloud to associate with your GCP account in the
    Assign Account Groups
    page.
  20. Click
    Next
    .
  21. Review the status of each of the services and fix any issues.
  22. Click
    Save
    .

Configure Agentless Scanning for GCP Accounts

  1. Log in to the Prisma Cloud administrative console.
  2. Select
    Compute > Manage > Cloud Accounts
    .
  3. Click the edit button for your cloud account.
  4. Go to the
    Agentless Scanning
    section.
  5. Expand the
    Advanced settings
    and provide the following information.
    1. Enable Permissions check to verify that the permissions are correct before running a scan.
    2. Scanning type
      : For GCP accounts, you can decide between two scanning modes.
      1. Same Account
        : Scan hosts of your GCP account using that same account. Use this value for the account you want to use as the hub account.
      2. Hub Account
        : Scan hosts of your GCP account using a different account. Select another onboarded account from the list to scan the account you are configuring.
    3. Enter a
      Proxy
      value if traffic leaving your GCP tenant uses a proxy.
    4. Under
      Scan scope
      you can choose
      All regions
      to scan in all GCP regions. If you choose Custom regions, enter the GCP regions in which you want Prisma Cloud to scan.
    5. Enter tags under
      Exclude VMs by tags
      to further limit the scope of the scan.
    6. Choose whether or not to
      Scan non running hosts
      .
    7. Choose whether or not to enable
      Auto-scale scanning
      . If you disable auto-scale, specify the number of scanners Prisma Cloud should employ.
  6. Click Next.
  7. Leave the
    Discovery features
    unchanged.
  8. Click
    Save
    to return to
    Compute > Manage > Cloud accounts
    .

Start an Agentless Scan

Agentless scans start immediately after onboarding the cloud account. By default, agentless scans are performed every 24 hours, but you can change the interval on the
Manage > System > Scan
page under
Scheduling > Agentless
.
To manually start a scan, complete the following steps.