Google Cloud - Agentless Workload Scanning Prerequisites

Summary of Access and Resource Requirements

Agentless Workload Scanning on GCP is performed by a combination of Cloud Run jobs and Compute Engine instances.

Cloud Scheduler invokes a Cloud Run job once an hour. The job first checks whether a scan is due and cleans up any resources left over from a previous run (cloned disks, scanner instances). If a scan is due, the job performs the following tasks:

  • Enumerates the monitored projects (or the entire organization) and lists their Compute Engine instances.
  • Finds the disks attached to those instances and clones them into the scanning project that hosts the Cloud Run job.
  • Launches Compute Engine instances in the scanning project that attach the cloned disks, mount their filesystems, and scan them.

A VPC subnetwork is needed in each region where scanning instances run (subnetworks are regional resources), all within a single GCP project. By default the scanning resources use the default network unless a custom VPC is created during install (see Custom VPC Network/Subnetwork for GCP Terraform Integrations for an example). The scanning instances must also be allowed outbound (egress) connections on TCP port 443, which they use for telemetry logging; if your firewall rules restrict egress, add an explicit allow rule for that port.

Lacework recommends creating a separate project for hosting Lacework scanning resources.
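The following Terraform fragment is an added example, not part of the Lacework modules or of this page: it creates the dedicated VPC and regional subnetwork described above in the separate scanning project the page recommends, and pairs a deny-all egress rule (my hardening choice, optional) with the explicit TCP/443 allow the scanner needs. The project ID, region, network and subnet names and the CIDR range are assumed values; substitute your own. Note that GCP's implied rules already allow all egress, so the 443 allow only has an effect once a lower-priority deny exists.

```hcl
# Added example (not Lacework's code). All names, the project ID, region and CIDR are assumptions.

resource "google_compute_network" "scanning" {
  project                 = "lacework-scanning-project" # assumed: the dedicated scanning project
  name                    = "lacework-agentless-vpc"    # assumed
  auto_create_subnetworks = false                       # no auto-mode subnets; we define one per region below
}

# One subnetwork per region in which scanning instances run (subnetworks are regional).
resource "google_compute_subnetwork" "scanning_us_central1" {
  project                  = "lacework-scanning-project"
  name                     = "lacework-agentless-us-central1" # assumed
  region                   = "us-central1"                    # assumed
  network                  = google_compute_network.scanning.id
  ip_cidr_range            = "10.10.0.0/24"                   # assumed; keep it out of your other ranges
  private_ip_google_access = true # scanner VMs without external IPs can still reach Google APIs
}

# Optional hardening: drop all other outbound traffic from the scanning network.
# Lowest user priority (65534) so the explicit allow below wins.
resource "google_compute_firewall" "deny_all_egress" {
  project            = "lacework-scanning-project"
  name               = "lacework-agentless-deny-egress"
  network            = google_compute_network.scanning.name
  direction          = "EGRESS"
  priority           = 65534
  destination_ranges = ["0.0.0.0/0"]

  deny {
    protocol = "all"
  }
}

# The egress the page requires: TCP/443 for telemetry logging (and Google API calls).
resource "google_compute_firewall" "allow_https_egress" {
  project            = "lacework-scanning-project"
  name               = "lacework-agentless-allow-443"
  network            = google_compute_network.scanning.name
  direction          = "EGRESS"
  priority           = 1000
  destination_ranges = ["0.0.0.0/0"]

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}
```

Pass the resulting network and subnetwork names to the Lacework module's custom VPC inputs when you install. If you adopt the deny-all rule, confirm after the first scheduled run that the scanner instances are torn down and that telemetry arrives in Lacework; a missing 443 path shows up as scans that start but never report.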

Integration Requirements

  • Sufficient GCP IAM Permissions - See Required Permissions for Deployment to create your own custom IAM roles so that the deployment runs with least-privilege access.
    • The identity (user or service account) used to run Terraform must have sufficient privileges to create IAM roles in every GCP project or organization you intend to integrate with Lacework.
  • gcloud CLI - The Terraform Google provider authenticates with the Application Default Credentials that the gcloud CLI sets up, so install and configure the gcloud CLI for the project in which the scanning resources will be deployed.
  • Lacework Administrator - You must have a Lacework account with administrator privileges.
  • Lacework CLI - The Lacework Terraform provider reads its account and API key configuration from the Lacework CLI profile, so install and configure the Lacework CLI first.
  • Terraform - ~> 0.14, ~> 0.15, ~> 1.0, ~> 1.1.

Module Dependencies

The Lacework Terraform modules for GCP Agentless Workload Scanning have the following dependencies, which are installed when you run terraform init: