@tkishel
Last active January 24, 2023 22:29
GCP Agentless (Same Account Model, Compute)

Configure Agentless Scanning (GCP, Same Account Model, Compute)

This documents the steps to configure Prisma Cloud Agentless Scanning for GCP Projects, using the Same Account model, with Prisma Cloud Compute credentials.

In this document, the GCP Project, its Service Account, and its Prisma Cloud Account use the same name. Doing so creates a one-to-one mapping of projects, accounts, resources, and filenames. This mapping is not required, but results in a simple series of steps.

Step 1

Set the following environment variable (locally, or in CloudShell) to define the name of the Project. Because the same name is reused as the GCP Project ID and as the Service Account ID, it must follow the rules for both: 6 to 30 characters, lowercase letters, digits and hyphens only, starting with a letter (underscores are not allowed, so a value such as example_project would make the gcloud create commands below fail):

export PROJECT_NAME=example-project

Optionally, create the Project:

# export PROJECT_BILLING_ACCOUNT="ABCDE-12345-FGHIJ"
# gcloud projects create ${PROJECT_NAME}
# gcloud billing projects link ${PROJECT_NAME} --billing-account ${PROJECT_BILLING_ACCOUNT}

Enable the APIs required by Agentless Scanning:

gcloud config set project ${PROJECT_NAME}
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable compute.googleapis.com
gcloud services enable iam.googleapis.com
gcloud services enable deploymentmanager.googleapis.com

Step 2

Create the Service Account, and create and download the Service Account Key. The key file is a long-lived credential for the scanning Service Account: keep it readable only by you, do not commit it anywhere, and delete the local copy once it has been pasted into Prisma Cloud in Step 3:

gcloud config set project ${PROJECT_NAME}
gcloud iam service-accounts create ${PROJECT_NAME} --display-name="Prisma Cloud Service Account for Agentless Scanning"
gcloud iam service-accounts keys create ${PROJECT_NAME}-service_account_key.json --iam-account=${PROJECT_NAME}@${PROJECT_NAME}.iam.gserviceaccount.com
[ "${GOOGLE_CLOUD_SHELL}X" == "trueX" ] && cloudshell download ${PROJECT_NAME}-service_account_key.json

Step 3

In Prisma Cloud Compute > Cloud Accounts, onboard the Project:

  • Click Add Account
  • In the Service Account field, paste the Service Account Key for the Project
  • Leave the API Key field blank
  • Click Next
  • Enable Agentless Workload Scanning
  • Click Download
  • Select Advanced Settings > Scanning Type > Same Account
  • Optionally configure other Agentless settings
  • Click Next
  • Optionally configure other settings

Step 4

The Jinja templates provided by Prisma Cloud are applied via Deployment Manager, which runs as the Google APIs Service Agent (PROJECT_NUMBER@cloudservices.gserviceaccount.com). Because the templates create custom roles and IAM bindings, that Principal temporarily needs the Roles > Role Administrator (roles/iam.roleAdmin) and IAM > Security Admin (roles/iam.securityAdmin) roles on the Project:

gcloud config set project ${PROJECT_NAME}
export PROJECT_NUMBER=$(gcloud projects describe ${PROJECT_NAME} --format="value(projectNumber)")
gcloud projects add-iam-policy-binding ${PROJECT_NAME} --member=serviceAccount:${PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.roleAdmin
gcloud projects add-iam-policy-binding ${PROJECT_NAME} --member=serviceAccount:${PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.securityAdmin

Those roles are only needed while the Jinja templates are being deployed; remove them again afterwards (Step 7) so the Service Agent does not keep project-wide permission to create roles and change IAM policy.

Step 5

Apply the permission templates downloaded from Prisma Cloud:

gcloud config set project ${PROJECT_NAME}
tar -xzf ${PROJECT_NAME}_templates.tar.gz
gcloud deployment-manager deployments create pc-agentless-hub-user-local --project ${PROJECT_NAME} --template ${PROJECT_NAME}_target_user_permissions.yaml.jinja

Step 6

Test Agentless scanning.

Optionally, create an instance to scan:

# gcloud config set project ${PROJECT_NAME}
# gcloud compute instances create ${PROJECT_NAME}-agentless-test-instance --machine-type=e2-micro --zone=us-central1-a

In Prisma Cloud, in Compute > Cloud Accounts, test Agentless Scanning:

  • Click Start Agentless Scan
  • Monitor the scan, via Job Progress, or summarized in the list of Cloud Accounts
  • Verify Agentless scan results in Compute > Monitor > Vulnerabilities > Hosts

Step 7

Remove the roles that were only required to deploy the Jinja templates (if this is a new shell session, set PROJECT_NAME and PROJECT_NUMBER again as in Steps 1 and 4 first):

gcloud config set project ${PROJECT_NAME}
gcloud projects remove-iam-policy-binding ${PROJECT_NAME} --member=serviceAccount:${PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.roleAdmin
gcloud projects remove-iam-policy-binding ${PROJECT_NAME} --member=serviceAccount:${PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.securityAdmin
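
The following is an added example, not part of the original gist and not Prisma Cloud tooling: a small offline audit for Steps 1, 2, 4 and 7. It checks that the chosen PROJECT_NAME is a valid Project ID, that a downloaded key really belongs to PROJECT_NAME@PROJECT_NAME.iam.gserviceaccount.com before it is pasted into Prisma Cloud, and that the two temporary Deployment Manager roles are no longer bound to the Google APIs Service Agent. It reads the JSON that gcloud projects get-iam-policy PROJECT --format=json returns; the embedded policy, key fields and project number 123456789012 are constructed sample data.

```python
"""Offline audit for the Agentless Scanning setup above (added example).

Inputs: the JSON from `gcloud projects get-iam-policy PROJECT --format=json`
and the service-account key file from Step 2. All sample data below is
constructed for illustration; the project number 123456789012 is made up.
"""
import json
import re

# GCP Project IDs: 6-30 chars, lowercase letters, digits and hyphens, must start
# with a letter and must not end with a hyphen. The gist reuses the name as the
# Service Account ID, which has the same character rules, so this covers both.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")

# Roles granted to the Google APIs Service Agent only so Deployment Manager can
# apply the Jinja templates (Step 4); they must be gone after Step 7.
TEMPORARY_ROLES = {"roles/iam.roleAdmin", "roles/iam.securityAdmin"}


def validate_project_id(project_id):
    """True if project_id is syntactically valid for `gcloud projects create`."""
    return PROJECT_ID_RE.fullmatch(project_id) is not None


def service_agent_member(project_number):
    """IAM member string of the Google APIs Service Agent of a project."""
    return f"serviceAccount:{project_number}@cloudservices.gserviceaccount.com"


def roles_for_member(policy, member):
    """All roles bound to `member` in a project IAM policy (gcloud JSON shape)."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def lingering_temporary_roles(policy, project_number):
    """Temporary deployment roles the Service Agent still holds (expected: [])."""
    held = roles_for_member(policy, service_agent_member(project_number))
    return sorted(held & TEMPORARY_ROLES)


def cleanup_commands(project_id, project_number, policy):
    """The Step 7 commands that are still needed, one per lingering role."""
    member = service_agent_member(project_number)
    return [
        f"gcloud projects remove-iam-policy-binding {project_id} "
        f"--member={member} --role={role}"
        for role in lingering_temporary_roles(policy, project_number)
    ]


def key_matches_project(key, project_id):
    """Check a downloaded key belongs to PROJECT_ID@PROJECT_ID.iam.gserviceaccount.com."""
    expected_email = f"{project_id}@{project_id}.iam.gserviceaccount.com"
    return (
        key.get("type") == "service_account"
        and key.get("project_id") == project_id
        and key.get("client_email") == expected_email
    )


# Constructed sample: the policy as it looks between Step 4 and Step 7
# (the Service Agent holds roles/editor by default in a new project).
POLICY_BEFORE_CLEANUP = json.loads("""{
  "bindings": [
    {"members": ["serviceAccount:123456789012@cloudservices.gserviceaccount.com"],
     "role": "roles/editor"},
    {"members": ["serviceAccount:123456789012@cloudservices.gserviceaccount.com"],
     "role": "roles/iam.roleAdmin"},
    {"members": ["serviceAccount:123456789012@cloudservices.gserviceaccount.com"],
     "role": "roles/iam.securityAdmin"},
    {"members": ["user:admin@example.com"], "role": "roles/owner"}
  ],
  "etag": "BwXexampleETag=",
  "version": 1
}""")

# Constructed sample: the same policy after Step 7 has run.
POLICY_AFTER_CLEANUP = {
    "bindings": [b for b in POLICY_BEFORE_CLEANUP["bindings"] if b["role"] not in TEMPORARY_ROLES],
    "etag": "BwXanotherETag=",
    "version": 1,
}

# Constructed sample key with the identifying fields gcloud writes (no private key).
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "client_email": "example-project@example-project.iam.gserviceaccount.com",
}


if __name__ == "__main__":
    for name in ("example_project", "example-project"):
        print(f"{name}: {'ok' if validate_project_id(name) else 'INVALID Project ID'}")
    print("key ok:", key_matches_project(SAMPLE_KEY, "example-project"))
    for cmd in cleanup_commands("example-project", "123456789012", POLICY_BEFORE_CLEANUP):
        print("still needed:", cmd)
    print("after cleanup:", lingering_temporary_roles(POLICY_AFTER_CLEANUP, "123456789012"))
```

To run it against a real project, save gcloud projects get-iam-policy "${PROJECT_NAME}" --format=json to a file, json.load it, and pass it with the project number from Step 4 to lingering_temporary_roles; an empty list confirms Step 7 took effect, and anything else is the exact binding that is still to be removed.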

Notes

  • You can speed up testing by creating VMs in just one Region, and configuring Prisma Cloud to scan only that Region via Custom Regions.
  • You cannot use a default subnet (or specify a custom subnet via Subnet) provided by a Shared VPC (https://prismacloud.ideas.aha.io/ideas/PANW-I-4147).
  • If the APIs are not enabled and the Roles are not added, the gcloud deployment-manager deployments create commands will fail. If so, enable the APIs and add the Roles, and retry the command, replacing create with update if you receive a deployment already exists error.