
Google Cloud - Agentless Workload Scanning Prerequisites

Summary of Access and Resource Requirements

Agentless Workload Scanning on Google Cloud is performed by a combination of Cloud Run jobs and Compute Engine instances.

A Cloud Run job is invoked every hour by Cloud Scheduler. The job checks whether scanning needs to be performed and cleans up any lingering resources. If scanning needs to be performed, the job performs the following tasks:

  • Enumerates the monitored projects (or the entire organization) and finds Compute Engine instances.
  • Finds the disks attached to those Compute Engine instances and clones them into the scanning project where the Cloud Run job is hosted.
  • Launches Compute Engine instances to mount the cloned disks in the filesystem and then performs scanning.

A VPC subnetwork is needed for each scanning zone in the Google Cloud project where the scanning resources are hosted. By default, the Compute Engine instances that perform scanning use the default VPC network and an external IP address to communicate with the Lacework platform. If you want to avoid using Compute Engine instances with external IP addresses, specify a custom VPC network/subnetwork for your integration (see Custom VPC Network/Subnetwork for Google Cloud Terraform Integrations for an example). Agentless Workload Scanning also requires an egress rule on port 443 for telemetry logging.
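As an added illustration of the egress requirement above (example code, not Lacework's own): a small Python check that evaluates whether a VPC network's egress firewall rules would permit TCP/443, applied to constructed sample rules shaped like `gcloud compute firewall-rules list --format=json` output. The destination address and the rule set are assumptions, and rules are assumed to apply to every instance in the network (no target tags or service accounts).

```python
"""Evaluate whether egress on TCP/443 is permitted by a set of GCP VPC firewall rules.
Added example, not Lacework's code. The rules below are constructed sample data in the
shape of `gcloud compute firewall-rules list --format=json` output."""
import ipaddress

# Constructed sample: a locked-down network that denies all egress except HTTPS.
SAMPLE_RULES = [
    {"name": "deny-all-egress", "direction": "EGRESS", "priority": 65534, "disabled": False,
     "destinationRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
    {"name": "allow-https-egress", "direction": "EGRESS", "priority": 1000, "disabled": False,
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
]

def _port_matches(ports, port):
    """An empty ports list means all ports; entries may be '443' or a range like '1-1024'."""
    if not ports:
        return True
    for entry in ports:
        low, _, high = entry.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def _rule_verdict(rule, dest_ip, protocol, port):
    """Return 'allow', 'deny', or None if this rule does not cover the flow at all."""
    if rule.get("direction") != "EGRESS" or rule.get("disabled"):
        return None
    ranges = rule.get("destinationRanges") or ["0.0.0.0/0"]  # egress default is all destinations
    if not any(ipaddress.ip_address(dest_ip) in ipaddress.ip_network(r) for r in ranges):
        return None
    for verdict, key in (("allow", "allowed"), ("deny", "denied")):
        for spec in rule.get(key, []):
            proto = spec["IPProtocol"].lower()
            if proto in ("all", protocol) and _port_matches(spec.get("ports", []), port):
                return verdict
    return None

def egress_allowed(rules, dest_ip="203.0.113.10", protocol="tcp", port=443):
    """Lowest priority number wins; at equal priority deny beats allow (hence the sort key);
    if no rule matches, GCP's implied rule allows all egress. dest_ip is a placeholder."""
    ordered = sorted(rules, key=lambda r: (r.get("priority", 1000), "denied" not in r))
    for rule in ordered:
        verdict = _rule_verdict(rule, dest_ip, protocol, port)
        if verdict is not None:
            return verdict == "allow"
    return True
```

Run it against the real JSON from your scanning project to confirm that TCP/443 egress is still permitted after any deny-all egress rule has been added.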

Lacework recommends creating a separate project for hosting Lacework scanning resources.

Integration Requirements

  • Sufficient Google Cloud IAM Permissions - See Required Permissions for Deployment to create your own custom IAM roles to ensure least-privilege access during deployment.
    • The IAM/user used to run Terraform must have sufficient privileges to create IAM roles on every Google Cloud project or organization you intend to integrate with Lacework.
  • gcloud CLI - The Terraform Provider for gcloud leverages the configuration from the gcloud CLI, so it is recommended that the gcloud CLI be installed and configured for the project being set up to host the scanning resources.
  • Lacework Administrator - You must have a Lacework account with administrator privileges.
  • Lacework CLI - Lacework leverages the configuration from the Lacework CLI. It is recommended that the Lacework CLI be installed and configured.
  • Terraform - ~> 1.4.

Module Dependencies

Lacework Terraform modules for Google Cloud Agentless Workload Scanning have the following dependencies that will be installed when running terraform init: