Agentless Workload Scanning for Google Cloud - IAM Permissions Used during Operation
Overview
This article contains the permissions used during an Agentless Workload Scanning operation in Google Cloud.
Understand the operational roles, permissions, and service accounts that ensure a secure scanning process.
This article is informational and does not contain any required actions as part of the Agentless Workload Scanning integration.
Project Integration
Roles and Permissions
The following custom roles and their permissions are used for a project integration.
Orchestrate Role for Cloud Run jobs
projects/<GCP_PROJECT>/roles/lacework_awls_orchestrate_<UNIQUE_ID>
IAM Permissions
[
"compute.disks.create",
"compute.disks.delete",
"compute.disks.list",
"compute.disks.setLabels",
"compute.disks.use",
"compute.instances.create",
"compute.instances.delete",
"compute.instances.list",
"compute.instances.setIamPolicy",
"compute.instances.setMetadata",
"compute.instances.setServiceAccount",
"compute.machineTypes.get",
"compute.snapshots.create",
"compute.snapshots.delete",
"compute.snapshots.list",
"compute.snapshots.setLabels",
"compute.snapshots.useReadOnly",
"compute.subnetworks.use",
"compute.subnetworks.useExternalIp",
"compute.zoneOperations.get",
"storage.objects.create",
"storage.objects.delete",
"storage.objects.get",
"storage.objects.list"
]
Snapshot Role for monitored projects
projects/<GCP_PROJECT>/roles/lacework_awls_snapshot_<UNIQUE_ID>
IAM Permissions
[
"compute.disks.get",
"compute.disks.useReadOnly",
"compute.instances.get",
"compute.instances.list",
"compute.machineTypes.get",
"compute.zones.list"
]
Scanner Instance Role
projects/<GCP_PROJECT>/roles/lacework_awls_scanner_<UNIQUE_ID>
IAM Permissions
[
"compute.disks.create",
"compute.disks.get",
"compute.instances.create",
"compute.instances.delete",
"compute.snapshots.delete",
"compute.snapshots.list",
"compute.snapshots.setLabels",
"compute.snapshots.useReadOnly"
]
Service Accounts
The following service accounts are used for a project integration, each listed with the roles bound to it.
Orchestrate Service Account
projects/<GCP_PROJECT>/serviceAccounts/lacework-awls-orchestrate-<UNIQUE_ID>@<GCP_PROJECT>.iam.gserviceaccount.com
Membership
[
"projects/<GCP_PROJECT>/roles/lacework_awls_orchestrate_<UNIQUE_ID>",
"roles/run.invoker",
"projects/<GCP_PROJECT>/roles/lacework_awls_snapshot_<UNIQUE_ID>",
"roles/iam.serviceAccountUser"
]
Snapshot Service Account
projects/<GCP_PROJECT>/serviceAccounts/lacework-awls-sa-<UNIQUE_ID>@<GCP_PROJECT>.iam.gserviceaccount.com
Membership
[
"roles/run.invoker",
"roles/storage.objectViewer"
]
Scanner Instance Service Account
projects/<GCP_PROJECT>/serviceAccounts/lacework-awls-scanner-<UNIQUE_ID>@<GCP_PROJECT>.iam.gserviceaccount.com
Membership
[
"projects/<GCP_PROJECT>/roles/lacework_awls_scanner_<UNIQUE_ID>"
]
Organization Integration
Roles and Permissions
The following custom roles and their permissions are used for an organization integration.
Orchestrate Role for Cloud Run jobs
projects/<GCP_PROJECT>/roles/lacework_awls_orchestrate_<UNIQUE_ID>
IAM Permissions
[
"compute.disks.create",
"compute.disks.delete",
"compute.disks.list",
"compute.disks.setLabels",
"compute.disks.use",
"compute.instances.create",
"compute.instances.delete",
"compute.instances.list",
"compute.instances.setIamPolicy",
"compute.instances.setMetadata",
"compute.instances.setServiceAccount",
"compute.machineTypes.get",
"compute.snapshots.create",
"compute.snapshots.delete",
"compute.snapshots.list",
"compute.snapshots.setLabels",
"compute.snapshots.useReadOnly",
"compute.subnetworks.use",
"compute.subnetworks.useExternalIp",
"compute.zoneOperations.get",
"storage.objects.create",
"storage.objects.delete",
"storage.objects.get",
"storage.objects.list"
]
Snapshot Role for monitored organization
organizations/<GCP_ORG_ACCOUNT>/roles/lacework_awls_snapshot_<UNIQUE_ID>
IAM Permissions
[
"compute.disks.get",
"compute.disks.useReadOnly",
"compute.instances.get",
"compute.instances.list",
"compute.machineTypes.get",
"compute.projects.get",
"compute.zones.list",
"iam.roles.get",
"resourcemanager.folders.list",
"resourcemanager.projects.list"
]
Scanner Instance Role
projects/<GCP_PROJECT>/roles/lacework_awls_scanner_<UNIQUE_ID>
IAM Permissions
[
"compute.disks.create",
"compute.disks.get",
"compute.instances.create",
"compute.instances.delete",
"compute.snapshots.delete",
"compute.snapshots.list",
"compute.snapshots.setLabels",
"compute.snapshots.useReadOnly"
]
Service Accounts
The following service accounts are used for an organization integration, each listed with the roles bound to it.
Orchestrate Service Account
projects/<GCP_PROJECT>/serviceAccounts/lacework-awls-orchestrate-<UNIQUE_ID>@<GCP_PROJECT>.iam.gserviceaccount.com
Membership
[
"projects/<GCP_PROJECT>/roles/lacework_awls_orchestrate_<UNIQUE_ID>",
"roles/run.invoker",
"roles/iam.serviceAccountUser",
"organizations/<GCP_ORG_ACCOUNT>/roles/lacework_awls_snapshot_<UNIQUE_ID>"
]
Snapshot Service Account
projects/<GCP_PROJECT>/serviceAccounts/lacework-awls-sa-<UNIQUE_ID>@<GCP_PROJECT>.iam.gserviceaccount.com
Membership
[
"roles/run.invoker",
"roles/storage.objectViewer"
]
Scanner Instance Service Account
projects/<GCP_PROJECT>/serviceAccounts/lacework-awls-scanner-<UNIQUE_ID>@<GCP_PROJECT>.iam.gserviceaccount.com
Membership
[
"projects/<GCP_PROJECT>/roles/lacework_awls_scanner_<UNIQUE_ID>"
]
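The role and service-account listings above (for both the project and the organization integration) are the least-privilege baseline for the scanning components. As an added example that is not Lacework's code, the script below checks a deployment for drift from that baseline: it compares a custom role's includedPermissions (as returned by gcloud iam roles describe --format=json) and the roles bound to a service account in the project IAM policy (gcloud projects get-iam-policy --format=json) against the sets documented on this page. The JSON field names are the real gcloud output fields; the sample values, project id and unique suffix are constructed for the example.

```python
"""Drift check for the AWLS custom roles and service-account bindings documented above."""
import json
import re

# Permissions documented on this page for the Scanner Instance Role.
DOCUMENTED_SCANNER_PERMS = {
    "compute.disks.create", "compute.disks.get", "compute.instances.create",
    "compute.instances.delete", "compute.snapshots.delete", "compute.snapshots.list",
    "compute.snapshots.setLabels", "compute.snapshots.useReadOnly",
}
# Roles documented on this page for the scanner instance service account (project integration).
DOCUMENTED_SCANNER_SA_ROLES = {"projects/<GCP_PROJECT>/roles/lacework_awls_scanner_<UNIQUE_ID>"}

# Constructed sample of `gcloud iam roles describe ROLE --project PROJECT --format=json`:
# one permission not in the documented set was added and one documented permission dropped.
SAMPLE_ROLE = json.dumps({
    "name": "projects/example-proj/roles/lacework_awls_scanner_ab12cd",
    "includedPermissions": [
        "compute.disks.create", "compute.disks.get", "compute.instances.create",
        "compute.instances.delete", "compute.instances.setIamPolicy",
        "compute.snapshots.delete", "compute.snapshots.list", "compute.snapshots.useReadOnly",
    ],
    "stage": "GA",
})
# Constructed sample of `gcloud projects get-iam-policy PROJECT --format=json` (bindings only):
# the scanner service account has picked up a second, undocumented binding.
SCANNER_SA = "serviceAccount:lacework-awls-scanner-ab12cd@example-proj.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "projects/example-proj/roles/lacework_awls_scanner_ab12cd", "members": [SCANNER_SA]},
    {"role": "roles/editor", "members": [SCANNER_SA]},
]})

def normalize(role_name: str) -> str:
    """Replace the deployment-specific project/org id and unique suffix with this page's placeholders."""
    role_name = re.sub(r"^projects/[^/]+/", "projects/<GCP_PROJECT>/", role_name)
    role_name = re.sub(r"^organizations/[^/]+/", "organizations/<GCP_ORG_ACCOUNT>/", role_name)
    return re.sub(r"(lacework_awls_[a-z]+)_[^/]+$", r"\1_<UNIQUE_ID>", role_name)

def role_drift(describe_json: str, documented: set) -> dict:
    """Permissions present on the deployed role but not documented, and vice versa."""
    actual = set(json.loads(describe_json).get("includedPermissions", []))
    return {"extra": sorted(actual - documented), "missing": sorted(documented - actual)}

def binding_drift(policy_json: str, member: str, documented: set) -> dict:
    """Roles bound to `member` in the policy that are not documented, and documented roles not bound."""
    bound = {normalize(b["role"]) for b in json.loads(policy_json).get("bindings", [])
             if member in b.get("members", [])}
    return {"extra": sorted(bound - documented), "missing": sorted(documented - bound)}

if __name__ == "__main__":
    print(role_drift(SAMPLE_ROLE, DOCUMENTED_SCANNER_PERMS))
    print(binding_drift(SAMPLE_POLICY, SCANNER_SA, DOCUMENTED_SCANNER_SA_ROLES))
```

To run it against a real deployment, replace the two sample strings with the output of the gcloud commands named in the comments and the documented sets with the role you are auditing; any non-empty "extra" list is a deviation from the baseline on this page and worth reviewing.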
Next Steps
- Ensure that you have met all Integration Requirements.
- Proceed with the Agentless Workload Scanning integration: