Allow VM Threat Detection to access VPC Service Controls perimeters

This document describes how to add ingress and egress rules to allow Virtual Machine Threat Detection to scan VMs in your VPC Service Controls perimeters. Perform this task if your organization uses VPC Service Controls to restrict services in projects that you want VM Threat Detection to scan. For more information about VM Threat Detection, see VM Threat Detection overview.

Before you begin

Make sure that you have the following role or roles on the organization: Access Context Manager Editor (roles/accesscontextmanager.policyEditor).

Check for the roles

  1. In the Google Cloud console, go to the IAM page.
  2. Select the organization.
  3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

  4. For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.

Grant the roles

  1. In the Google Cloud console, go to the IAM page.
  2. Select the organization.
  3. Click Grant access.
  4. In the New principals field, enter your user identifier. This is typically the email address for a Google Account.

  5. In the Select a role list, select a role.
  6. To grant additional roles, click Add another role and add each additional role.
  7. Click Save.

Create the egress and ingress rules

To allow VM Threat Detection to scan the VMs in VPC Service Controls perimeters, add the required egress and ingress rules in those perimeters. Perform these steps for each perimeter that you want VM Threat Detection to scan.

For more information, see Updating ingress and egress policies for a service perimeter in the VPC Service Controls documentation.

Console

  1. In the Google Cloud console, go to the VPC Service Controls page.

  2. Select your organization or project.

  3. If you selected an organization, click Select an access policy and select the access policy associated with the perimeter that you want to update.

  4. Click the title of the perimeter that you want to update.

  5. Click Edit perimeter.

  6. Click Egress Policy.

  7. Click Add rule.

  8. In the FROM attributes of the API client section, set the fields as follows:

    1. For Identity, select Select Identities & Groups.
    2. For Add User/Service Account, enter the name of the Security Center service agent. The service agent's name has the following format:
    service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com
    

    Replace ORGANIZATION_ID with your organization ID.

  9. In the TO attributes of GCP services/resources section, set the fields as follows:

    1. For Project, select All projects.
    2. For Services, select Selected services and then select the Compute Engine API service.
    3. For Methods, select Selected method and then select the DisksService.Insert method.
  10. Click Ingress Policy.

  11. Click Add rule.

  12. In the FROM attributes of the API client section, set the fields as follows:

    1. For Identity, select Select Identities & Groups.
    2. For Add User/Service Account, enter the name of the Security Center service agent again.
    3. For Source, select All sources.
  13. In the TO attributes of GCP services/resources section, set the fields as follows:

    1. For Project, select All projects.
    2. For Services, select Selected services and then select the Compute Engine API service.
    3. For Methods, select Selected method and then select the following methods:

      • DisksService.Insert
      • InstancesService.AggregatedList
      • InstancesService.List
  14. Click Save.

gcloud

  1. If a quota project isn't already set, then set it. Choose a project that has the Access Context Manager API enabled.

    gcloud config set billing/quota_project QUOTA_PROJECT_ID
    

    Replace QUOTA_PROJECT_ID with the ID of the project that you want to use for billing and quota.

  2. Create a file named egress-rule.yaml with the following contents:

    - egressFrom:
        identities:
        - serviceAccount:service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com
      egressTo:
        operations:
        - methodSelectors:
          - method: DisksService.Insert
          serviceName: compute.googleapis.com
        resources:
        - '*'
    

    Replace ORGANIZATION_ID with your organization ID.

  3. Create a file named ingress-rule.yaml with the following contents:

    - ingressFrom:
        identities:
        - serviceAccount:service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com
        sources:
        - accessLevel: '*'
      ingressTo:
        operations:
        - methodSelectors:
          - method: DisksService.Insert
          - method: InstancesService.AggregatedList
          - method: InstancesService.List
          serviceName: compute.googleapis.com
        resources:
        - '*'
    
  4. Add the egress rule to the perimeter:

    gcloud access-context-manager perimeters update PERIMETER_NAME --set-egress-policies=EGRESS_RULE_FILENAME
    

    Replace the following:

    • PERIMETER_NAME: the name of the perimeter—for example, accessPolicies/1234567890/servicePerimeters/example_perimeter
    • EGRESS_RULE_FILENAME: the name of the file that contains the egress rule
  5. Add the ingress rule to the perimeter:

    gcloud access-context-manager perimeters update PERIMETER_NAME --set-ingress-policies=INGRESS_RULE_FILENAME
    

    Replace the following:

    • PERIMETER_NAME: the name of the perimeter—for example, accessPolicies/1234567890/servicePerimeters/example_perimeter
    • INGRESS_RULE_FILENAME: the name of the file that contains the ingress rule

What's next