@tkishel
Last active August 26, 2024 08:06
GCP Agentless Hub Model SaaS

Configure Agentless Scanning (GCP, Hub Model, SaaS)

This document describes the steps to configure Prisma Cloud Agentless Scanning for GCP Projects, using the Hub and Target model with Prisma Cloud SaaS credentials.

Onboarding Projects in Prisma Cloud > Settings > Cloud Accounts provides almost all of the necessary configuration, with only cross-project configuration required to support the Hub and Target model.

In this document, each GCP Project and its Prisma Cloud Account use the same name. Doing so creates a one-to-one mapping of projects, accounts, resources, and filenames. This mapping is not required, but results in a simple series of steps.

Step 1

Set the following environment variables (locally, or in CloudShell) to define the name of the Hub and Target Projects:

# GCP Project IDs may contain only lowercase letters, digits and hyphens (no underscores),
# so the placeholder values must be valid Project IDs:
export HUB_PROJECT_NAME="example-hub-project"
export TARGET_PROJECT_NAME="example-target-project"

Step 2

In Prisma Cloud > Settings > Cloud Accounts, onboard the Hub and Target Projects:

  • Click Add Cloud Account
  • Click Google Cloud
  • Enter the Project ID in the Account Name field
  • Click Next
  • Enter the Project ID in the Project ID field
  • Click Next
  • Enable Agentless Workload Scanning
  • Click Next
  • Download the Terraform template
  • Apply the Terraform template to the GCP Project
  • Upload the resulting Service Account Key to Prisma Cloud
  • Click Next
  • Optionally configure other settings ...

Step 3

In GCP, in the Target Project, grant access to the Hub Project Service Account.

Save the following as terraform.tf.json:

{
  "provider": {
    "google": {}
  },
  "variable": {
    "target_project_id": {
      "type": "string"
    },
    "hub_project_service_account_email": {
      "type": "string"
    },
    "target_project_iam_policy_custom_hub_role_permissions": {
      "default": [
        "compute.disks.createSnapshot"
      ],
      "type": "list"
    }
  },
  "resource": {
    "google_project_iam_member": {
      "bind_custom_hub_role_to_target_project_iam_policy": {
        "role": "projects/${var.target_project_id}/roles/${google_project_iam_custom_role.prisma_cloud_target_project_custom_role.role_id}",
        "member": "serviceAccount:${var.hub_project_service_account_email}",
        "project": "${var.target_project_id}"
      }
    },
    "google_project_iam_custom_role": {
      "prisma_cloud_target_project_custom_role": {
        "role_id": "prismaCloudHubAccess",
        "permissions": "${var.target_project_iam_policy_custom_hub_role_permissions}",
        "project": "${var.target_project_id}",
        "description": "This is a custom role created for Prisma Cloud. Contains granular additional permission which is not covered by built-in roles",
        "title": "Prisma Cloud Hub Project Access"
      }
    }
  },
  "terraform": {
    "required_providers": {
      "google-beta": "~> 3.90",
      "google": "~> 3.90"
    }
  }
}

Apply:

export TF_VAR_target_project_id=${TARGET_PROJECT_NAME}
export TF_VAR_hub_project_service_account_email=$(gcloud iam service-accounts list --project ${HUB_PROJECT_NAME} --filter="displayName:Prisma Cloud Service Account" --format='value(email)' --sort-by=creationTimestamp --limit=1)

terraform init
terraform apply
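After terraform apply, it is worth confirming that the Hub Project Service Account holds only the intended access in the Target Project. The following is an added example, not part of the original gist: it checks the JSON printed by gcloud projects get-iam-policy and gcloud iam roles describe (constructed samples embedded inline, with a hypothetical service account email) and reports a missing binding, permissions in the custom role beyond compute.disks.createSnapshot, or a basic role (owner/editor/viewer) granted to the Hub service account alongside the custom role.

```python
import json

# Constructed sample of `gcloud projects get-iam-policy ${TARGET_PROJECT_NAME} --format=json`.
# The service account email and etag are hypothetical, not real project data.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"members": ["serviceAccount:prisma-cloud-sa@example-hub-project.iam.gserviceaccount.com"],
     "role": "projects/example-target-project/roles/prismaCloudHubAccess"},
    {"members": ["serviceAccount:prisma-cloud-sa@example-hub-project.iam.gserviceaccount.com"],
     "role": "roles/editor"}
  ],
  "etag": "BwXy0000000=",
  "version": 1
}
""")

# Constructed sample of `gcloud iam roles describe prismaCloudHubAccess --project ${TARGET_PROJECT_NAME} --format=json`,
# deliberately carrying one permission more than terraform.tf.json declares, to show drift detection.
SAMPLE_ROLE = {
    "includedPermissions": ["compute.disks.createSnapshot", "compute.disks.delete"],
    "name": "projects/example-target-project/roles/prismaCloudHubAccess",
    "stage": "GA",
    "title": "Prisma Cloud Hub Project Access",
}

EXPECTED_PERMISSIONS = {"compute.disks.createSnapshot"}  # as declared in terraform.tf.json
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def check_hub_access(policy, role, hub_sa_email, expected_permissions=EXPECTED_PERMISSIONS):
    """Return a list of findings; an empty list means the binding is present and minimal."""
    member = f"serviceAccount:{hub_sa_email}"
    findings = []
    # Every role the Hub service account holds directly in the Target Project policy.
    roles_for_hub = {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}
    if role["name"] not in roles_for_hub:
        findings.append(f"missing: {member} is not bound to {role['name']}")
    for r in sorted(roles_for_hub & BASIC_ROLES):
        findings.append(f"over-broad: {member} also holds basic role {r} in the target project")
    granted = set(role.get("includedPermissions", []))
    if granted - expected_permissions:
        findings.append(f"drift: custom role grants unexpected permissions {sorted(granted - expected_permissions)}")
    if expected_permissions - granted:
        findings.append(f"missing: custom role lacks {sorted(expected_permissions - granted)}")
    return findings


if __name__ == "__main__":
    for finding in check_hub_access(SAMPLE_POLICY, SAMPLE_ROLE,
                                    "prisma-cloud-sa@example-hub-project.iam.gserviceaccount.com"):
        print(finding)
```

Against real output, pipe the two gcloud commands' JSON into json.load and pass the Hub service account email from TF_VAR_hub_project_service_account_email.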

Step 4

Test Agentless scanning.

Optionally, create an instance to scan:

# gcloud config set project ${TARGET_PROJECT_NAME}
# gcloud compute instances create ${TARGET_PROJECT_NAME}-agentless-test-instance --machine-type=e2-micro --zone=us-central1-a

In Prisma Cloud > Compute > Cloud Accounts, test Agentless Scanning:

  • Click Start Agentless Scan
  • Monitor the scan via Job Progress, or via the summary shown in the list of Cloud Accounts
  • Verify Agentless scan results in Compute > Monitor > Vulnerabilities > Hosts

Notes

  • You can speed up testing by creating VMs in just one Region, and configuring Prisma Cloud to scan that Region via Custom Regions.
  • You cannot use a default subnet (or specify a custom subnet via Subnet) provided by a Shared VPC (https://prismacloud.ideas.aha.io/ideas/PANW-I-4147).