GCP Onboarding - Details

When you connect your GCP account to Panoptica – whether you're onboarding a project, a folder, or an organization, and whether you're using gcloud commands or Terraform – you will be defining the following roles and permissions.

Panoptica backend

Panoptica creates a unique GCP service account in our backend for every customer that connects a GCP account to Panoptica. This service account is used to scan your resources, according to the preferences and permissions you define at onboarding.

The service account is typically named as follows:

<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some-random-digits>.iam.gserviceaccount.com
for example: t58b8b27b-secaudit@gcp-panopticaconnec-nprd-12679.iam.gserviceaccount.com

Project discovery

When you onboard a folder or an organization, Panoptica regularly scans the hierarchy of that folder/organization in order to discover new projects that you may create in the future, and include them in the scans. This also ensures that all projects under that folder or organization will have the same configuration regarding CVE and malware scanning.

Deployment commands - Project

When you deploy Panoptica to a GCP Project, the procedure grants access to the Panoptica service account by assigning two roles: Role Viewer and Security Reviewer. You can configure this manually, via the GCP console, or by running the following two gcloud commands:

  • This command will add the Role Viewer permissions to Panoptica's service account on your project:
    gcloud projects add-iam-policy-binding <customer-project-id> --member="serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some-random-digits>.iam.gserviceaccount.com" --role="roles/viewer"
    
  • This command will add the Security Reviewer permissions to Panoptica's service account on your project:

    gcloud projects add-iam-policy-binding <customer-project-id> --member="serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some-random-digits>.iam.gserviceaccount.com" --role="roles/iam.securityReviewer"
    

These two permissions are essential for enabling Panoptica's CSPM scans. They provide read-only access to the resources in the project you are onboarding.

Deployment commands - Folder, Organization

The gcloud commands for onboarding a folder and an organization are nearly identical. The only differences are in the scope of the permissions granted.

Step 1: Collectors - CSPM permissions

These two commands enable the Panoptica service account to scan the projects in your folder or organization for CSPM risks. They assign two read-only roles: Role Viewer and Security Reviewer.

  • If you are onboarding a GCP folder, the script will look like this:

    gcloud resource-manager folders add-iam-policy-binding <folder-ID> --member="serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some-random-digits>.iam.gserviceaccount.com" --role="roles/viewer"  
    gcloud resource-manager folders add-iam-policy-binding <folder-ID> --member="serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some-random-digits>.iam.gserviceaccount.com" --role="roles/iam.securityReviewer"
    
  • If you are onboarding a GCP organization, the script will look like this:

    gcloud organizations add-iam-policy-binding <Organization-ID> --member="serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some-random-digits>.iam.gserviceaccount.com" --role="roles/viewer"
    gcloud organizations add-iam-policy-binding <Organization-ID> --member="serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some-random-digits>.iam.gserviceaccount.com" --role="roles/iam.securityReviewer"
    

Step 2: Add permissions to describe folder's hierarchy

This command enables Panoptica to monitor the structure of your folder or organization, in order to discover new projects that were not in existence at onboarding. This way Panoptica will be able to scan future projects in the onboarded folder or organization, in addition to the current ones. The command grants the Panoptica service account Browser permissions.

  • If you are onboarding a GCP folder, the script will look like this:

    gcloud resource-manager folders add-iam-policy-binding <folder-ID> --member="serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some-random-digits>.iam.gserviceaccount.com" --role="roles/browser"
    
  • If you are onboarding a GCP organization, the script will look like this:

    gcloud organizations add-iam-policy-binding <Organization-ID> --member="serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some-random-digits>.iam.gserviceaccount.com" --role="roles/browser"
    

Step 3: Create CVE scan resources

These commands create a dedicated project to host the CVE scans, as well as a service account to perform the scans.

We encourage you to run these commands even if you are not enabling CVE scanning initially. Setting up this infrastructure will make it easier to enable CVE and malware scanning in the future.

The project ID of the scanner will take the form of panoptica-ws-<short-tenant-id>-<Four last characters of your folder ID>.

  • If you are onboarding a GCP folder, the script to create the scanner project will look like this:

    gcloud projects create <scanner project id> --folder <folder-ID> --name "panoptica-ws-project"
    
  • If you are onboarding a GCP organization, the script to create the scanner project will look like this:

    gcloud projects create <scanner project id> --organization <Organization-ID> --name "panoptica-ws-project"
    

Note that the default name for the project is "panoptica-ws-project". You can partially edit this name, if you wish, but the name must contain the substring “panoptica-ws” in order to allow Panoptica to execute the scans.

The next command creates a dedicated service account to perform the CVE scans. This account requires extended permissions, which will be used exclusively by the spot instances Panoptica launches to perform the scans. The service account will be able to operate exclusively on the scanning project defined in the previous command (panoptica-ws-project).

  • The command is identical whether you're onboarding a folder or an organization.

    gcloud iam service-accounts create panoptica-ws-sa-<short-tenant-id>-<Four-last-characters-of-your-folder-ID> --display-name "panoptica-workloads-scanner-sa" --description="panoptica-ws-sa" --project=panoptica-ws-<short-tenant-id>-<Four-last-characters-of-your-folder-ID>
    

Step 4: Add Compute permissions for agentless CVE scan

These commands add compute.admin and iam.serviceAccountUser permissions to the service account you created previously to perform the CVE scans. They only need to be executed if you are enabling CVE and Malware Scanning.

  • The commands are identical whether you're onboarding a folder or an organization (the example below uses the sample values tb4927dea and 1234 for the short tenant ID and folder ID suffix):

    gcloud projects add-iam-policy-binding <your scanner project id> --member="serviceAccount:panoptica-ws-sa-tb4927dea-1234@panoptica-ws-tb4927dea-1234.iam.gserviceaccount.com" --role="roles/compute.admin"
    gcloud projects add-iam-policy-binding <your scanner project id> --member="serviceAccount:panoptica-ws-sa-tb4927dea-1234@panoptica-ws-tb4927dea-1234.iam.gserviceaccount.com" --role="roles/iam.serviceAccountUser"
    

These commands will add compute.admin and iam.serviceAccountUser permissions to Panoptica’s service account, to facilitate deployment of the CVE scan infrastructure in the project you created for scanning.

  • These commands also apply to both folder and organization onboarding:

    gcloud projects add-iam-policy-binding <your scanner project id> --member="serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some-random-digits>.iam.gserviceaccount.com" --role="roles/compute.admin"  
    gcloud projects add-iam-policy-binding <your scanner project id> --member="serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some-random-digits>.iam.gserviceaccount.com" --role="roles/iam.serviceAccountUser"
    
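Once the bindings are in place (the Terraform path below produces the same ones), it is worth confirming that the Panoptica backend service account holds exactly the roles listed above at each scope and nothing more. The following Python check is an added example, not part of Panoptica's tooling; it consumes the JSON printed by `gcloud projects get-iam-policy`, `gcloud resource-manager folders get-iam-policy` or `gcloud organizations get-iam-policy` with `--format=json`, and the sample policy, tenant ID and members below are constructed.

```python
"""Audit a GCP IAM policy (output of `gcloud ... get-iam-policy --format=json`) for the
Panoptica backend SA: confirm the roles the onboarding steps grant, flag anything beyond."""
import json
import re

# Roles the onboarding steps grant to the *-secaudit@ backend account, per scope.
EXPECTED = {
    "project": {"roles/viewer", "roles/iam.securityReviewer"},
    "folder": {"roles/viewer", "roles/iam.securityReviewer", "roles/browser"},
    "organization": {"roles/viewer", "roles/iam.securityReviewer", "roles/browser"},
    # compute.admin / serviceAccountUser are expected only inside the scanner project.
    "scanner_project": {"roles/compute.admin", "roles/iam.serviceAccountUser"},
}
BACKEND_SA = re.compile(
    r"^serviceAccount:[0-9a-z]+-secaudit@gcp-panopticaconnec-nprd-\d+\.iam\.gserviceaccount\.com$"
)


def roles_for_backend_sa(policy: dict) -> set:
    """Collect every role bound to the Panoptica backend service account."""
    roles = set()
    for binding in policy.get("bindings", []):
        if any(BACKEND_SA.match(m) for m in binding.get("members", [])):
            roles.add(binding["role"])
    return roles


def audit(policy: dict, scope: str, resource_id: str = "") -> dict:
    """Return missing and unexpected roles for the backend SA at the given scope.
    A project whose ID carries the panoptica-ws- prefix is treated as the scanner project."""
    if scope == "project" and resource_id.startswith("panoptica-ws-"):
        scope = "scanner_project"
    granted = roles_for_backend_sa(policy)
    expected = EXPECTED[scope]
    return {"missing": sorted(expected - granted), "unexpected": sorted(granted - expected)}


# Constructed sample: an organization policy where compute.admin drifted up to org scope.
ORG_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/viewer", "members": ["serviceAccount:t58b8b27b-secaudit@gcp-panopticaconnec-nprd-12679.iam.gserviceaccount.com"]},
    {"role": "roles/iam.securityReviewer", "members": ["serviceAccount:t58b8b27b-secaudit@gcp-panopticaconnec-nprd-12679.iam.gserviceaccount.com"]},
    {"role": "roles/browser", "members": ["serviceAccount:t58b8b27b-secaudit@gcp-panopticaconnec-nprd-12679.iam.gserviceaccount.com"]},
    {"role": "roles/compute.admin", "members": ["serviceAccount:t58b8b27b-secaudit@gcp-panopticaconnec-nprd-12679.iam.gserviceaccount.com"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]}
  ]
}""")

if __name__ == "__main__":
    print(audit(ORG_POLICY, "organization"))
```

Run it against each onboarded scope; an empty `unexpected` list at folder/organization level and `compute.admin` appearing only in the `panoptica-ws-` project is the expected outcome.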

Onboarding via Terraform - Organization

When onboarding an organization, you have the option of using Terraform to define the resources required in your GCP account. Using Terraform will create the same exact resources as using gcloud commands in the GCP cloud shell, as described above.

The descriptions below break down the main.tf file block by block. When you download main.tf from the Panoptica console, the variables which appear below in brackets <> are replaced by values generated from the information you provide in the onboarding screen.

  1. This block defines a variable that is used to determine if Terraform should create extra resources related to the CVE and malware scan. The default value is false, so if you chose to enable CVE scans in the Panoptica console UI, make sure to run the Terraform file with true value for this variable.

    variable "cve_scan_enabled" {
      type          = bool
      default       = false
    }
    
  2. This block adds the roles/browser permission to Panoptica’s service account, for discovery of the folder/organization structure. This enables Panoptica to monitor your folder or organization for new projects, so they can be included in future scans.

    resource "google_organization_iam_binding" "browser-binding" {
      org_id        = <your org id>
      role          = "roles/browser"
      members       = [
        "serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some random digits>.iam.gserviceaccount.com",
      ]
    }
    
  3. This block adds the roles/viewer permission to Panoptica’s service account, to enable the CSPM scans.

    resource "google_organization_iam_binding" "viewer-binding" {
      org_id        = <your org id>
      role          = "roles/viewer"
      members       = [
        "serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some random digits>.iam.gserviceaccount.com",
      ]
    }
    
  4. This block adds the roles/iam.securityReviewer permission to Panoptica’s service account, to enable the CSPM scans.

    resource "google_organization_iam_binding" "security-reviewer-binding" {
      org_id        = <your org id>
      role          = "roles/iam.securityReviewer"
      members       = [
        "serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some random digits>.iam.gserviceaccount.com",
      ]
    }
    
  5. If you have enabled CVE and malware scanning, this block creates the scanner project to host the CVE scans.

    resource "google_project" "panoptica-ws-project" {
        count         = var.cve_scan_enabled == true ? 1 : 0
        name          = <your scanner project name>
        project_id    = <your scanner project id>
        org_id        = <your org id>
    }
    
  6. If you have enabled CVE and malware scanning, this block creates a service account that is used by the spot VMs Panoptica will launch in the scanner project, in order to perform the CVE scans.

    resource "google_service_account" "panoptica_ws_sa" {
        count         = var.cve_scan_enabled == true ? 1 : 0
        account_id    = "panoptica-ws-sa-<short-tenant-id>-<last four digits of your organization id>"
        display_name  = "panoptica-ws-sa"
        project       = google_project.panoptica-ws-project[0].project_id
    }
    
  7. If you have enabled CVE and malware scanning, this block adds the roles/compute.admin permission to the service account created previously to perform the CVE scans, and to Panoptica's service account. This is necessary to facilitate deployment/removal of the CVE scan infrastructure in the scanner project. Note that the scope of this permission is limited to the scanner project created in #6.

    resource "google_project_iam_binding" "compute-admin-ws-binding" {
       count         = var.cve_scan_enabled == true ? 1 : 0
       project       = google_project.panoptica-ws-project[0].project_id
       role          = "roles/compute.admin"
       members       = [
          "serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some random digits>.iam.gserviceaccount.com",
          "serviceAccount:panoptica-ws-sa-<short-tenant-id>-<last four digits of your organization id>@panoptica-ws-<short-tenant-id>-<last four digits of your organization id>.iam.gserviceaccount.com"
       ]
    }
    
  8. If you have enabled CVE and malware scanning, this block adds the roles/iam.serviceAccountUser permission to the service account created previously to perform the CVE scans, and to Panoptica's service account. This is necessary to facilitate deployment/removal of the CVE scan infrastructure in the scanner project. Note that the scope of this permission is limited to the scanner project created in #6.

    resource "google_project_iam_binding" "service-account-user-ws-binding" {
       count         = var.cve_scan_enabled == true ? 1 : 0
       project       = google_project.panoptica-ws-project[0].project_id
       role          = "roles/iam.serviceAccountUser"
       members       = [
         "serviceAccount:<short-tenant-id>-secaudit@gcp-panopticaconnec-nprd-<some random digits>.iam.gserviceaccount.com",
         "serviceAccount:panoptica-ws-sa-<short-tenant-id>-<last four digits of your organization id>@panoptica-ws-<short-tenant-id>-<last four digits of your organization id>.iam.gserviceaccount.com"
       ]
    }
    

Exclusions

Any GCP auto-generated project that starts with “sys-” is excluded by default, and will not be scanned.

The Panoptica CVE scanner project is excluded from the CSPM scans.