Agentless Workload Scanning for Google Cloud - IAM Permissions Required for Deployment

Overview

You can use the following Google Cloud Identity and Access Management (IAM) permissions to create custom IAM roles for the purposes of an Agentless Workload Scanning deployment.

Using the permissions provided ensures that least-privilege access is granted for the purposes of the Agentless Workload Scanning deployment.

High-Level Deployment Requirements

• Set up Cloud Run jobs that will be triggered by the Cloud Scheduler.
• Set up Cloud Scheduler that invokes the Cloud Run job every hour.
• Create a new Cloud Storage bucket.
• Create a new secret in the Google Cloud Secret Manager.
• Create IAM role in each monitored project or at the organization level that allows listing instances, finding attached disks and cloning them to the scanning project.
• Create IAM roles in the scanning project that allows the following:
  • manage (creating, deleting) clones and compute instances in the scanning project.
  • read and write to the scanning storage bucket.
  • run the Cloud Run job and Compute Engine instances in the scanning project.
• Create service accounts in the scanning project associated with the IAM roles mentioned above.
• Create a VPC, subnets, and add firewall rules for the Compute Engine instances.

How to Use

After you have created the custom role(s), you can then grant them to the principal/resource that will be used for the integration.

Ensure that you are on or using the relevant principal/resource prior to running Terraform.

Project Integration

Use the following link to download these permissions in JSON format and create a custom IAM role:

• Project integration permissions

The tables below list all the required permissions.

Cloud Scheduler

Scope	IAM Permission
projects/PROJECT_ID	cloudscheduler.jobs.create
projects/PROJECT_ID	cloudscheduler.jobs.delete
projects/PROJECT_ID	cloudscheduler.jobs.enable
projects/PROJECT_ID	cloudscheduler.jobs.get
projects/PROJECT_ID	cloudscheduler.jobs.list

Compute

Scope	IAM Permission
projects/PROJECT_ID	compute.projects.get

IAM

Scope	IAM Permission
projects/PROJECT_ID	iam.roles.create
projects/PROJECT_ID	iam.roles.delete
projects/PROJECT_ID	iam.roles.get
projects/PROJECT_ID	iam.roles.list
projects/PROJECT_ID	iam.roles.undelete
projects/PROJECT_ID	iam.roles.update
projects/PROJECT_ID	iam.serviceAccountKeys.create
projects/PROJECT_ID	iam.serviceAccountKeys.delete
projects/PROJECT_ID	iam.serviceAccountKeys.get
projects/PROJECT_ID	iam.serviceAccountKeys.list
projects/PROJECT_ID	iam.serviceAccounts.create
projects/PROJECT_ID	iam.serviceAccounts.delete
projects/PROJECT_ID	iam.serviceAccounts.get
projects/PROJECT_ID	iam.serviceAccounts.list

Resource Manager

Scope	IAM Permission
projects/PROJECT_ID	resourcemanager.projects.get
projects/PROJECT_ID	resourcemanager.projects.getIamPolicy
projects/PROJECT_ID	resourcemanager.projects.setIamPolicy

Run

Scope	IAM Permission
projects/PROJECT_ID	run.jobs.create
projects/PROJECT_ID	run.jobs.delete
projects/PROJECT_ID	run.jobs.get
projects/PROJECT_ID	run.jobs.list
projects/PROJECT_ID	run.operations.get
projects/PROJECT_ID	run.operations.list

Secret Manager

Scope	IAM Permission
projects/PROJECT_ID	secretmanager.secrets.create
projects/PROJECT_ID	secretmanager.secrets.delete
projects/PROJECT_ID	secretmanager.secrets.get
projects/PROJECT_ID	secretmanager.secrets.getIamPolicy
projects/PROJECT_ID	secretmanager.secrets.list
projects/PROJECT_ID	secretmanager.secrets.setIamPolicy
projects/PROJECT_ID	secretmanager.versions.access
projects/PROJECT_ID	secretmanager.versions.add
projects/PROJECT_ID	secretmanager.versions.destroy
projects/PROJECT_ID	secretmanager.versions.enable
projects/PROJECT_ID	secretmanager.versions.get
projects/PROJECT_ID	secretmanager.versions.list

Service Usage

Scope	IAM Permission
projects/PROJECT_ID	serviceusage.quotas.get
projects/PROJECT_ID	serviceusage.services.get
projects/PROJECT_ID	serviceusage.services.list

Storage

Scope	IAM Permission
projects/PROJECT_ID	storage.buckets.create
projects/PROJECT_ID	storage.buckets.delete
projects/PROJECT_ID	storage.buckets.get
projects/PROJECT_ID	storage.buckets.getIamPolicy
projects/PROJECT_ID	storage.buckets.list
projects/PROJECT_ID	storage.buckets.setIamPolicy
projects/PROJECT_ID	storage.objects.delete

Organization Integration

Use the following links to download these permissions in JSON format and create custom IAM roles:

• Project level permissions
• Organization level permissions

The tables below list all the required permissions.

Cloud Scheduler

Scope	IAM Permission
projects/PROJECT_ID	cloudscheduler.jobs.create
projects/PROJECT_ID	cloudscheduler.jobs.delete
projects/PROJECT_ID	cloudscheduler.jobs.enable
projects/PROJECT_ID	cloudscheduler.jobs.get
projects/PROJECT_ID	cloudscheduler.jobs.list

Compute

Scope	IAM Permission
organizations/ORGANIZATION_ID	compute.projects.get
projects/PROJECT_ID	compute.projects.get

IAM

Scope	IAM Permission
organizations/ORGANIZATION_ID	iam.roles.create
organizations/ORGANIZATION_ID	iam.roles.delete
organizations/ORGANIZATION_ID	iam.roles.get
organizations/ORGANIZATION_ID	iam.roles.list
organizations/ORGANIZATION_ID	iam.roles.undelete
organizations/ORGANIZATION_ID	iam.roles.update
projects/PROJECT_ID	iam.roles.create
projects/PROJECT_ID	iam.roles.delete
projects/PROJECT_ID	iam.roles.get
projects/PROJECT_ID	iam.roles.list
projects/PROJECT_ID	iam.roles.undelete
projects/PROJECT_ID	iam.roles.update
projects/PROJECT_ID	iam.serviceAccountKeys.create
projects/PROJECT_ID	iam.serviceAccountKeys.delete
projects/PROJECT_ID	iam.serviceAccountKeys.get
projects/PROJECT_ID	iam.serviceAccountKeys.list
projects/PROJECT_ID	iam.serviceAccounts.create
projects/PROJECT_ID	iam.serviceAccounts.delete
projects/PROJECT_ID	iam.serviceAccounts.get
projects/PROJECT_ID	iam.serviceAccounts.list

Resource Manager

Scope	IAM Permission
organizations/ORGANIZATION_ID	resourcemanager.organizations.get
organizations/ORGANIZATION_ID	resourcemanager.organizations.getIamPolicy
organizations/ORGANIZATION_ID	resourcemanager.organizations.setIamPolicy
projects/PROJECT_ID	resourcemanager.projects.get
projects/PROJECT_ID	resourcemanager.projects.getIamPolicy
projects/PROJECT_ID	resourcemanager.projects.setIamPolicy

Run

Scope	IAM Permission
projects/PROJECT_ID	run.jobs.create
projects/PROJECT_ID	run.jobs.delete
projects/PROJECT_ID	run.jobs.get
projects/PROJECT_ID	run.jobs.list
projects/PROJECT_ID	run.operations.get
projects/PROJECT_ID	run.operations.list

Secret Manager

Scope	IAM Permission
projects/PROJECT_ID	secretmanager.secrets.create
projects/PROJECT_ID	secretmanager.secrets.delete
projects/PROJECT_ID	secretmanager.secrets.get
projects/PROJECT_ID	secretmanager.secrets.getIamPolicy
projects/PROJECT_ID	secretmanager.secrets.list
projects/PROJECT_ID	secretmanager.secrets.setIamPolicy
projects/PROJECT_ID	secretmanager.versions.access
projects/PROJECT_ID	secretmanager.versions.add
projects/PROJECT_ID	secretmanager.versions.destroy
projects/PROJECT_ID	secretmanager.versions.enable
projects/PROJECT_ID	secretmanager.versions.get
projects/PROJECT_ID	secretmanager.versions.list

Service Usage

Scope	IAM Permission
organizations/ORGANIZATION_ID	serviceusage.quotas.get
organizations/ORGANIZATION_ID	serviceusage.services.get
organizations/ORGANIZATION_ID	serviceusage.services.list
projects/PROJECT_ID	serviceusage.quotas.get
projects/PROJECT_ID	serviceusage.services.get
projects/PROJECT_ID	serviceusage.services.list

Storage

Scope	IAM Permission
projects/PROJECT_ID	storage.buckets.create
projects/PROJECT_ID	storage.buckets.delete
projects/PROJECT_ID	storage.buckets.get
projects/PROJECT_ID	storage.buckets.getIamPolicy
projects/PROJECT_ID	storage.buckets.list
projects/PROJECT_ID	storage.buckets.setIamPolicy
projects/PROJECT_ID	storage.objects.delete

Next Steps

1. (Optional) Explore the operational permissions used during an Agentless Workload Scanning integration in Google Cloud.
2. Ensure that you have met all Integration Requirements.
3. Proceed with the Agentless Workload Scanning integration:
   • Project
   • Organization