GCP Onboarding - Details
When you connect your GCP account to Panoptica – whether you're onboarding a project, a folder, or an organization, and whether you're using gcloud commands, or Terraform – you will be defining the following roles and permissions.
Panoptica backend
Panoptica creates a unique GCP service account in our backend for every customer that connects a GCP account to Panoptica. This service account is used to scan your resources, according to the preferences and permissions you define at onboarding.
The service account is typically named as follows:
<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some-random-digits>.iam.gserviceaccount.com
for example: t58b8b27b-secaudit@gcp-panopticaconnec-nprd-12679.iam.gserviceaccount.com
Project discovery
When you onboard a folder or an organization, Panoptica regularly scans the hierarchy of that folder/organization in order to discover new projects that you may create in the future, and include them in the scans. This also ensures that all projects under that folder or organization will have the same configuration regarding CVE and malware scanning.
Deployment commands - Project
When you deploy Panoptica to a GCP Project, the procedure grants access to the Panoptica service account by assigning two roles: Role Viewer and Security Reviewer. You can configure this manually, via the GCP console, or by running the following two gcloud commands:
- This command will add the Role Viewer permissions to Panoptica's service account on your project:
gcloud projects add-iam-policy-binding <customer-project-id> --member="serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some-random-digits>.iam.gserviceaccount.com" --role="roles/viewer"
- This command will add the Security Reviewer permissions to Panoptica's service account on your project
gcloud projects add-iam-policy-binding <customer-project-id> --member="serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some-random-digits>.iam.gserviceaccount.com" --role="roles/iam.securityReviewer"
These two permissions are essential for enabling Panoptica's CSPM scans. They provide read-only access to the resources in the project you are onboarding.
Deployment commands - Folder, Organization
The gcloud commands for onboarding a folder and an organization are nearly identical. The only differences are in the scope of the permissions granted.
Step 1: Collectors - CSPM permissions
These two commands enable the Panoptica service account to scan the projects in your folder or organization for CSPM risks. They assign two read-only roles: Role Viewer and Security Reviewer.
-
If you are onboarding a GCP folder, the script will look like this:
gcloud resource-manager folders add-iam-policy-binding <folder-ID> --member="serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some-random-digits>.iam.gserviceaccount.com" --role="roles/viewer" gcloud resource-manager folders add-iam-policy-binding <folder-ID> --member="serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some-random-digits>.iam.gserviceaccount.com" --role="roles/iam.securityReviewer"
-
If you are onboarding a GCP organization, the script will look like this:
gcloud organizations add-iam-policy-binding <Organization-ID> --member="serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some-random-digits>.iam.gserviceaccount.com" --role="roles/viewer" gcloud organizations add-iam-policy-binding <Organization-ID> --member="serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some-random-digits>.iam.gserviceaccount.com" --role="roles/iam.securityReviewer"
Step 2: Add permissions to describe folder's hierarchy
This command enables Panoptica to monitor the structure of your folder or organization, in order to discover new projects that were not in existence at onboarding. This way Panoptica will be able to scan future projects in the onboarded folder or organization, in addition to the current ones. The command grants the Panoptica service account Browser permissions.
-
If you are onboarding a GCP folder, the script will look like this:
gcloud resource-manager folders add-iam-policy-binding <folder-ID> --member="serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some-random-digits>.iam.gserviceaccount.com" --role="roles/browser"
-
If you are onboarding a GCP organization, the script will look like this:
gcloud organizations add-iam-policy-binding <Organization-ID> --member="serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some-random-digits>.iam.gserviceaccount.com" --role="roles/browser"
Step 3: Create CVE scan resources
These commands create a dedicated project to host the CVE scans, as well as a service account to perform the scans.
We encourage you to run these commands even if you are not enabling CVE scanning initially. Setting up this infrastructure will make it easier to enable CVE and malware scanning in the future.
The project ID of the scanner will take the form of panoptica-ws-<short-tenant-id>-<Four last characters of your folder ID>
-
If you are onboarding a GCP folder, the script to create the scanner project will look like this:
gcloud projects create <scanner project id> --folder <folder-ID> --name "panoptica-ws-project"
-
If you are onboarding a GCP organization, the script to create the scanner project will look like this:
gcloud projects create <scanner project id> --organization <Organization-ID> --name "panoptica-ws-project"
Note that the default name for the project is "panoptica-ws-project". You can partially edit this name, if you wish, but the name must contain the substring “panoptica-ws” in order to allow Panoptica to execute the scans.
The next command creates a dedicated service account to perform the CVE scans. This account requires extended permissions, which will be used exclusively by the spot instances Panoptica launches to perform the scans. The service account will be able to operate exclusively on the scanning project defined in the previous command (panoptica-ws-project).
-
The command is identical whether you're onboarding a folder or an organization.
gcloud iam service-accounts create panoptica-ws-sa-<short-tenant-id>-<Four-last-characters-of-your-folder-ID> --display-name "panoptica-workloads-scanner-sa" --description="panoptica-ws-sa" --project=panoptica-ws-<short-tenant-id>-<Four-last-characters-of-your-folder-ID>
Step 4: Add Compute permissions for agentless CVE scan
These commands add compute.admin and iam.serviceAccountUser permissions to the service account you created previously to perform the CVE scans. They only need to be executed if you are enabling CVE and Malware Scanning.
-
The commands are identical whether you're onboarding a folder or an organization
gcloud projects add-iam-policy-binding <your scanner project id> --member="serviceAccount:[panoptica-ws-sa-tb4927dea-1234@panoptica-ws-tb4927dea-1234.iam.gserviceaccount.com](mailto:panoptica-ws-sa-tb4927dea-1234@panoptica-ws-tb4927dea-1234.iam.gserviceaccount.com)" --role="roles/compute.admin" gcloud projects add-iam-policy-binding <your scanner project id> --member="serviceAccount:[panoptica-ws-sa-tb4927dea-1234@panoptica-ws-tb4927dea-1234.iam.gserviceaccount.com](mailto:panoptica-ws-sa-tb4927dea-1234@panoptica-ws-tb4927dea-1234.iam.gserviceaccount.com)" --role="roles/iam.serviceAccountUser"
These commands will add compute.admin and iam.serviceAccountUser permissions to Panoptica’s service account, to facilitate deployment of the CVE scan infrastructure in the project you created for scanning.
-
These commands also apply to both folder and organization onboarding
gcloud projects add-iam-policy-binding <your scanner project id> --member="serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some-random-digits>.iam.gserviceaccount.com" --role="roles/compute.admin" gcloud projects add-iam-policy-binding <your scanner project id> --member="serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some-random-digits>.iam.gserviceaccount.com" --role="roles/iam.serviceAccountUser"
Onboarding via Terraform - Organization
When onboarding an organization, you have the option of using Terraform to define the resources required in your GCP account. Using Terraform will create the same exact resources as using gcloud commands in the GCP cloud shell, as described above.
The descriptions below break down the main.tf file block by block. When you download main.tf from the Panoptica console, the variables which appear below in brackets <> are replaced by values generated from the information you provide in the onboarding screen.
-
This block defines a variable that is used to determine if Terraform should create extra resources related to the CVE and malware scan. The default value is
false
, so if you chose to enable CVE scans in the Panoptica console UI, make sure to run the Terraform file withtrue
value for this variable.variable "cve_scan_enabled" { type = bool default = false }
-
This block adds the
roles/browser
permission to Panoptica’s service account, for discovery of the folder/organization structure. This enables Panoptica to monitor your folder or organization for new projects, so they can be included in future scans.resource "google_organization_iam_binding" "browser-binding" { org_id = <your org id> role = "roles/browser" members = [ "serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some random digits>.iam.gserviceaccount.com", ] }
-
This block adds the
roles/viewer
permission to Panoptica’s service account, to enable the CSPM scans.resource "google_organization_iam_binding" "viewer-binding" { org_id = <your org id> role = "roles/viewer" members = [ "serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some random digits>.iam.gserviceaccount.com", ] }
-
This block adds the roles/iam.securityReviewer permission to Panoptica’s service account, to enable the CSPM scans.
resource "google_organization_iam_binding" "security-reviewer-binding" { org_id = <your org id> role = "roles/iam.securityReviewer" members = [ "serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some random digits>.iam.gserviceaccount.com", ] }
-
If you have enabled CVE and malware scanning, this block creates the scanner project to host the CVE scans.
resource "google_project" "panoptica-ws-project" { count = var.cve_scan_enabled == true ? 1 : 0 name = <your scanner project name> project_id = <your scanner project id> org_id = <your org id> }
-
If you have enabled CVE and malware scanning, this block creates a service account that is used by the spot VMs Panoptica will launch in the scanner project, in order to perform the CVE scans.
resource "google_service_account" "panoptica_ws_sa" { count = var.cve_scan_enabled == true ? 1 : 0 account_id = "panoptica-ws-sa-<short-tenant-id>-<last four digits of your organization id>" display_name = "panoptica-ws-sa" project = google_project.panoptica-ws-project[0].project_id }
-
If you have enabled CVE and malware scanning, this block adds the roles/compute.admin permission to the service account created previously to perform the CVE scans, and to Panoptica's service account. This is necessary to facilitate deployment/removal of the CVE scan infrastructure in the scanner project. Note that the scope of this permission is limited to the scanner project created in #6.
resource "google_project_iam_binding" "compute-admin-ws-binding" { count = var.cve_scan_enabled == true ? 1 : 0 project = google_project.panoptica-ws-project[0].project_id role = "roles/compute.admin" members = [ "serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some random digits>.iam.gserviceaccount.com", "serviceAccount:panoptica-ws-sa-<short-tenant-id>-<last four digits of your organization id>@panoptica-ws-<short-tenant-id>-<last four digits of your organization id>.iam.gserviceaccount.com" ] }
-
If you have enabled CVE and malware scanning, this block adds the roles/iam.serviceAccountUser permission to the service account created previously to perform the CVE scans, and to Panoptica's service account. This is necessary to facilitate deployment/removal of the CVE scan infrastructure in the scanner project. Note that the scope of this permission is limited to the scanner project created in #6.
resource "google_project_iam_binding" "service-account-user-ws-binding" { count = var.cve_scan_enabled == true ? 1 : 0 project = google_project.panoptica-ws-project[0].project_id role = "roles/iam.serviceAccountUser" members = [ "serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some random digits>.iam.gserviceaccount.com", "serviceAccount:panoptica-ws-sa-<short-tenant-id>-<last four digits of your organization id>@panoptica-ws-<short-tenant-id>-<last four digits of your organization id>.iam.gserviceaccount.com" ] }
Exclusions
Any GCP auto-generated project that starts with “sys-” is excluded by default, and will not be scanned.
The Panoptica CVE scanner project is excluded from the CSPM scans.
Updated 9 months ago