@tkishel
Last active January 24, 2023 22:29
GCP Agentless (Hub Model, Compute)

Configure Agentless Scanning (GCP, Hub Model, Compute)

This documents the steps to configure Prisma Cloud Agentless Scanning for GCP Projects, using the Hub and Target model, with Prisma Cloud Compute credentials.

In this document, each GCP Project, its Service Account, and its Prisma Cloud Account use the same name. Doing so creates a one-to-one mapping of projects, accounts, resources, and filenames. This mapping is not required, but results in a simple series of steps.

Step 1

Set the following environment variables (locally, or in CloudShell) to define the name of the Hub and Target Projects:

# GCP project IDs and service account IDs may contain only lowercase letters, digits and hyphens (underscores are rejected)
export HUB_PROJECT_NAME="example-hub-project"
export TARGET_PROJECT_NAME="example-target-project"

Optionally, create the Projects:

# export PROJECT_BILLING_ACCOUNT="ABCDE-12345-FGHIJ"
# gcloud projects create ${HUB_PROJECT_NAME}
# gcloud projects create ${TARGET_PROJECT_NAME}
# gcloud billing projects link ${HUB_PROJECT_NAME} --billing-account ${PROJECT_BILLING_ACCOUNT}
# gcloud billing projects link ${TARGET_PROJECT_NAME} --billing-account ${PROJECT_BILLING_ACCOUNT}

Enable the APIs required by Agentless Scanning:

# HUB

gcloud config set project ${HUB_PROJECT_NAME}
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable compute.googleapis.com
gcloud services enable iam.googleapis.com
gcloud services enable deploymentmanager.googleapis.com

# TARGET

gcloud config set project ${TARGET_PROJECT_NAME}
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable compute.googleapis.com
gcloud services enable iam.googleapis.com
gcloud services enable deploymentmanager.googleapis.com

Step 2

Create the Service Accounts, and create and download the Service Account Keys:

# HUB

gcloud config set project ${HUB_PROJECT_NAME}
# describe resolves the exact project ID; a bare list --filter can match several projects
export HUB_PROJECT_NUMBER=$(gcloud projects describe ${HUB_PROJECT_NAME} --format="value(projectNumber)")
gcloud iam service-accounts create ${HUB_PROJECT_NAME} --display-name="Prisma Cloud Service Account for Agentless Scanning"
gcloud iam service-accounts keys create ${HUB_PROJECT_NAME}-service_account_key.json --iam-account=${HUB_PROJECT_NAME}@${HUB_PROJECT_NAME}.iam.gserviceaccount.com
[ "${GOOGLE_CLOUD_SHELL}X" == "trueX" ] && cloudshell download ${HUB_PROJECT_NAME}-service_account_key.json

# TARGET

gcloud config set project ${TARGET_PROJECT_NAME}
export TARGET_PROJECT_NUMBER=$(gcloud projects describe ${TARGET_PROJECT_NAME} --format="value(projectNumber)")
gcloud iam service-accounts create ${TARGET_PROJECT_NAME} --display-name="Prisma Cloud Service Account for Agentless Scanning"
gcloud iam service-accounts keys create ${TARGET_PROJECT_NAME}-service_account_key.json --iam-account=${TARGET_PROJECT_NAME}@${TARGET_PROJECT_NAME}.iam.gserviceaccount.com
[ "${GOOGLE_CLOUD_SHELL}X" == "trueX" ] && cloudshell download ${TARGET_PROJECT_NAME}-service_account_key.json

Step 3

In Prisma Cloud Compute > Cloud Accounts, onboard the Hub Project:

  • Click Add Account
  • In the Service Account field, paste the Service Account Key for the Hub Project
  • Leave the API Key field blank
  • Click Next
  • Enable Agentless Workload Scanning
  • Click Download to download the permission templates
  • Select Advanced Settings > Scanning Type > Same Account
  • Optionally configure other Agentless settings
  • Click Next
  • Optionally configure other settings

Step 4

In Prisma Cloud Compute > Cloud Accounts, onboard the Target Project:

  • Click Add Account
  • In the Service Account field, paste the Service Account Key for the Target Project
  • Leave the API Key field blank
  • Click Next
  • Enable Agentless
  • Click Download to download the permission templates
  • Select Advanced Settings > Scanning Type > Hub Account
  • Select the Hub Account
  • Optionally configure other Agentless settings
  • Click Next
  • Optionally configure other settings

Step 5

The Jinja templates provided by Prisma Cloud are applied via Deployment Manager, which requires the Role Administrator (roles/iam.roleAdmin) and Security Admin (roles/iam.securityAdmin) roles to be granted to the Google APIs Service Agent principal (PROJECT_NUMBER@cloudservices.gserviceaccount.com):

# HUB

# gcloud config set project ${HUB_PROJECT_NAME}
gcloud projects add-iam-policy-binding ${HUB_PROJECT_NAME} --member=serviceAccount:${HUB_PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.roleAdmin
gcloud projects add-iam-policy-binding ${HUB_PROJECT_NAME} --member=serviceAccount:${HUB_PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.securityAdmin

# TARGET

# gcloud config set project ${TARGET_PROJECT_NAME}
gcloud projects add-iam-policy-binding ${TARGET_PROJECT_NAME} --member=serviceAccount:${TARGET_PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.roleAdmin
gcloud projects add-iam-policy-binding ${TARGET_PROJECT_NAME} --member=serviceAccount:${TARGET_PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.securityAdmin

Those roles can be removed after deploying the Jinja templates.

Step 6

Apply the permission templates downloaded from Prisma Cloud:

tar -xzf ${HUB_PROJECT_NAME}_templates.tar.gz
tar -xzf ${TARGET_PROJECT_NAME}_templates.tar.gz

# HUB

gcloud config set project ${HUB_PROJECT_NAME}
gcloud deployment-manager deployments create pc-agentless-hub-user --project ${HUB_PROJECT_NAME} --template ${HUB_PROJECT_NAME}_hub_user_permissions.yaml.jinja
gcloud deployment-manager deployments create pc-agentless-hub-user-local --project ${HUB_PROJECT_NAME} --template ${HUB_PROJECT_NAME}_target_user_permissions.yaml.jinja

# TARGET

gcloud config set project ${TARGET_PROJECT_NAME}
gcloud deployment-manager deployments create pc-agentless-target-user --project ${TARGET_PROJECT_NAME} --template ${TARGET_PROJECT_NAME}_hub_target_user_permissions.yaml.jinja
gcloud deployment-manager deployments create pc-agentless-target-access --project ${TARGET_PROJECT_NAME} --template ${HUB_PROJECT_NAME}_hub_target_access_permissions.yaml.jinja

Step 7

Test Agentless scanning.

Optionally, create an instance to scan:

# gcloud config set project ${TARGET_PROJECT_NAME}
# gcloud compute instances create ${TARGET_PROJECT_NAME}-agentless-test-instance --machine-type=e2-micro --zone=us-central1-a

In Prisma Cloud, in Compute > Cloud Accounts, test Agentless Scanning:

  • Click Start Agentless Scan
  • Monitor the scan, via Job Progress, or summarized in the list of Cloud Accounts
  • Verify Agentless scan results in Compute > Monitor > Vulnerabilities > Hosts

Step 8

Remove the roles required to deploy the Jinja templates:

# HUB

# gcloud config set project ${HUB_PROJECT_NAME}
gcloud projects remove-iam-policy-binding ${HUB_PROJECT_NAME} --member=serviceAccount:${HUB_PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.roleAdmin
gcloud projects remove-iam-policy-binding ${HUB_PROJECT_NAME} --member=serviceAccount:${HUB_PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.securityAdmin

# TARGET

# gcloud config set project ${TARGET_PROJECT_NAME}
gcloud projects remove-iam-policy-binding ${TARGET_PROJECT_NAME} --member=serviceAccount:${TARGET_PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.roleAdmin
gcloud projects remove-iam-policy-binding ${TARGET_PROJECT_NAME} --member=serviceAccount:${TARGET_PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.securityAdmin
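
Since the roles granted in Step 5 are only needed while the templates deploy, here is an added check (example code, not part of this Gist) that reads a project's IAM policy, as produced by gcloud projects get-iam-policy PROJECT_ID --format=json, and reports whether the Google APIs Service Agent still holds roles/iam.roleAdmin or roles/iam.securityAdmin. The embedded sample policy and the project number 123456789012 are constructed for the example.

```python
import json
import sys

# Roles bound temporarily in Step 5 that should be gone after Step 8.
TEMPORARY_ROLES = {"roles/iam.roleAdmin", "roles/iam.securityAdmin"}


def service_agent_member(project_number):
    """IAM member string of the Google APIs Service Agent of a project."""
    return f"serviceAccount:{project_number}@cloudservices.gserviceaccount.com"


def leftover_roles(policy, project_number):
    """Return (sorted) the temporary roles the service agent still holds.

    `policy` is the parsed JSON of `gcloud projects get-iam-policy`.
    Conditional bindings are counted too, since they still grant the role.
    """
    member = service_agent_member(project_number)
    held = {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}
    return sorted(held & TEMPORARY_ROLES)


# Constructed sample policy (not real data): the service agent of project
# 123456789012 keeps its default Editor role and still has Role Administrator,
# while Security Admin has already been removed.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012@cloudservices.gserviceaccount.com"]},
        {"role": "roles/iam.roleAdmin",
         "members": ["serviceAccount:123456789012@cloudservices.gserviceaccount.com"]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
}


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} PROJECT_NUMBER < policy.json", file=sys.stderr)
        return 2
    # With no piped policy, fall back to the constructed sample.
    policy = SAMPLE_POLICY if sys.stdin.isatty() else json.load(sys.stdin)
    left = leftover_roles(policy, argv[1])
    for role in left:
        print(f"still bound to service agent: {role}")
    return 1 if left else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once per project with that project's number, e.g. gcloud projects get-iam-policy ${HUB_PROJECT_NAME} --format=json | python3 check_dm_roles.py ${HUB_PROJECT_NUMBER}; a non-zero exit means a temporary role is still bound.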

Notes

  • You can speed up testing by creating VMs in just one Region, and configuring Prisma Cloud to scan only that Region via Custom Regions.
  • You cannot use a default subnet (or specify a custom subnet via Subnet) provided by a Shared VPC (https://prismacloud.ideas.aha.io/ideas/PANW-I-4147).
  • If the APIs are not enabled and the Roles are not added, the gcloud deployment-manager deployments create commands will fail. If so, enable the APIs and add the Roles, and retry the command, replacing create with update if you receive a deployment already exists error.