允許 Google Cloud 的安全漏洞評估功能存取 VPC Service Controls 範圍
透過集合功能整理內容
你可以依據偏好儲存及分類內容。
本文說明如何新增輸入和輸出規則,允許 Google Cloud 的弱點評估功能掃描 VPC Service Controls 範圍內的 VM。如果貴機構使用 VPC Service Controls 限制專案中的服務,且您希望 Vulnerability Assessment for Google Cloud 掃描這些專案,請執行這項工作。如要進一步瞭解 Google Cloud的 Vulnerability Assessment,請參閱「為 Google Cloud啟用及使用 Google Cloud 的 Vulnerability Assessment」。
事前準備
Make sure that you have the following role or roles on the organization:
Access Context Manager Editor
(roles/accesscontextmanager.policyEditor).
In the Principal column, find all rows that identify you or a group that
you're included in. To learn which groups you're included in, contact your
administrator.
For all rows that specify or include you, check the Role column to see whether
the list of roles includes the required roles.
在「New principals」(新增主體) 欄位中,輸入您的使用者 ID。
這通常是 Google 帳戶的電子郵件地址。
在「Select a role」(選取角色) 清單中,選取角色。
如要授予其他角色,請按一下 add「新增其他角色」,然後新增每個其他角色。
按一下 [Save]。
建立輸出和輸入規則
如要允許 Vulnerability Assessment for Google Cloud 掃描 VPC Service Controls 範圍內的 VM,請在這些範圍中新增必要的輸出和輸入規則。針對要讓 Vulnerability Assessment 掃描的每個周邊,執行下列步驟。 Google Cloud
[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-09-04 (世界標準時間)。"],[],[],null,["| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)\n\nThis document describes how to add ingress and egress rules to allow\nVulnerability Assessment for Google Cloud to scan VMs in your VPC Service Controls perimeters. Perform this task\nif your organization uses VPC Service Controls to restrict services in projects that\nyou want Vulnerability Assessment for Google Cloud to scan. For more information about\nVulnerability Assessment for Google Cloud, see\n[Enable and use Vulnerability Assessment for Google Cloud for Google Cloud](/security-command-center/docs/vulnerability-assessment-google-cloud).\n\nBefore you begin\n\n\nMake sure that you have the following role or roles on the organization:\n\nAccess Context Manager Editor\n(`roles/accesscontextmanager.policyEditor`).\n\nCheck for the roles\n\n1.\n In the Google Cloud console, go to the **IAM** page.\n\n [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=organizationId)\n2. Select the organization.\n3.\n In the **Principal** column, find all rows that identify you or a group that\n you're included in. To learn which groups you're included in, contact your\n administrator.\n\n4. For all rows that specify or include you, check the **Role** column to see whether the list of roles includes the required roles.\n\nGrant the roles\n\n1.\n In the Google Cloud console, go to the **IAM** page.\n\n [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=organizationId)\n2. Select the organization.\n3. Click person_add **Grant access**.\n4.\n In the **New principals** field, enter your user identifier.\n\n This is typically the email address for a Google Account.\n\n5. In the **Select a role** list, select a role.\n6. To grant additional roles, click add **Add\n another role** and add each additional role.\n7. Click **Save**.\n\nCreate the egress and ingress rules\n\nTo allow Vulnerability Assessment for Google Cloud to scan the VMs in VPC Service Controls perimeters, add the\nrequired egress and ingress rules in those perimeters. Perform these steps for\neach perimeter that you want Vulnerability Assessment for Google Cloud to scan.\n\nFor more information, see\n[Updating ingress and egress policies for a service perimeter](/vpc-service-controls/docs/configuring-ingress-egress-policies#console)\nin the VPC Service Controls documentation.\n\n\nConsole\n\n1. In the Google Cloud console go to the **VPC Service Controls** page.\n\n\n [Go to VPC Service Controls](https://console.cloud.google.com/security/service-perimeter)\n2. Select your organization or project.\n3. If you selected an organization, click **Select an access policy** and then select the access policy associated with the perimeter that you want to update.\n4. Click the name of the perimeter that you want to update.\n\n\n To find the service perimeter you need to modify, you can check your logs for entries\n that show `RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER` violations. In those\n entries, check the `servicePerimeterName` field: \n\n ```\n accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER_NAME\n ```\n5. Click edit **Edit perimeter**.\n6. Click **Egress policy**.\n7. Click **Add an egress rule**.\n8. In the **FROM** section, set the following details:\n\n 1. For **Identity** , select **Select identities \\& groups**.\n 2. Click **Add identities**\n 3.\n Enter the email address of the\n\n [Security Center service agent](/security-command-center/docs/access-control-org#service-agent).\n\n\n The service agent's address has the\n following format:\n\n ```\n service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com\n ```\n\n Replace \u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e with your organization ID.\n 4. Select the service agent or press \u003ckbd\u003eENTER\u003c/kbd\u003e, and then click **Add identities**.\n9. In the **TO** section, set the following details:\n\n 1. For **Project** , select **All projects**.\n 2. For **Operations or IAM roles** , select **Select operations**.\n 3. Click **Add operations**, and then add the following operations:\n\n - Add the **compute.googleapis.com** service.\n 1. Click **Select methods**.\n 2. Select the\n\n **DisksService.Insert** method.\n\n 3. Click **Add selected methods**.\n10. Click **Ingress policy**.\n11. Click **Add an ingress rule**.\n12. In the **FROM** section, set the following details:\n\n 1. For **Identity** , select **Select identities \\& groups**.\n 2. Click **Add identities**\n 3.\n Enter the email address of the\n\n [Security Center service agent](/security-command-center/docs/access-control-org#service-agent).\n\n\n The service agent's address has the\n following format:\n\n ```\n service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com\n ```\n\n Replace \u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e with your organization ID.\n 4. Select the service agent or press \u003ckbd\u003eENTER\u003c/kbd\u003e, and then click **Add identities**.\n 5. For **Sources** , select **All sources**\n13. In the **TO** section, set the following details:\n\n 1. For **Project** , select **All projects**.\n 2. For **Operations or IAM roles** , select **Select operations**.\n 3. Click **Add operations**, and then add the following operations:\n\n - Add the **compute.googleapis.com** service.\n 1. Click **Select methods**.\n 2. Select the\n\n following methods:\n\n - **DisksService.Insert**\n - **InstancesService.AggregatedList**\n - **InstancesService.List**\n 3. Click **Add selected methods**.\n14. Click **Save**.\n\ngcloud\n\n1.\n If a quota project isn't already set, then set it. Choose a project that has the\n Access Context Manager API enabled.\n\n ```bash\n gcloud config set billing/quota_project QUOTA_PROJECT_ID\n ```\n\n\n Replace \u003cvar translate=\"no\"\u003eQUOTA_PROJECT_ID\u003c/var\u003e with the ID of the project that you\n want to use for billing and quota.\n2. Create a file named `egress-rule.yaml` with the following contents:\n\n ```yaml\n - egressFrom:\n identities:\n - serviceAccount:service-org-\u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e@security-center-api.iam.gserviceaccount.com\n egressTo:\n operations:\n - serviceName: compute.googleapis.com\n methodSelectors:\n - method: DisksService.Insert\n resources:\n - '*'\n ```\n\n Replace \u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e with your organization ID.\n3. Create a file named `ingress-rule.yaml` with the following contents:\n\n ```yaml\n - ingressFrom:\n identities:\n - serviceAccount:service-org-\u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e@security-center-api.iam.gserviceaccount.com\n sources:\n - accessLevel: '*'\n ingressTo:\n operations:\n - serviceName: compute.googleapis.com\n methodSelectors:\n - method: DisksService.Insert\n - method: InstancesService.AggregatedList\n - method: InstancesService.List\n resources:\n - '*'\n ```\n\n Replace \u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e with your organization ID.\n4. Add the egress rule to the perimeter:\n\n ```bash\n gcloud access-context-manager perimeters update PERIMETER_NAME \\\n --set-egress-policies=egress-rule.yaml\n ```\n\n Replace the following:\n -\n \u003cvar translate=\"no\"\u003ePERIMETER_NAME\u003c/var\u003e: the name of the perimeter. For example,\n `accessPolicies/1234567890/servicePerimeters/example_perimeter`.\n\n\n To find the service perimeter you need to modify, you can check your logs for\n entries that show `RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER` violations.\n In those entries, check the `servicePerimeterName` field: \n\n ```\n accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER_NAME\n ```\n5. Add the ingress rule to the perimeter:\n\n ```bash\n gcloud access-context-manager perimeters update PERIMETER_NAME \\\n --set-ingress-policies=ingress-rule.yaml\n ```\n\n Replace the following:\n -\n \u003cvar translate=\"no\"\u003ePERIMETER_NAME\u003c/var\u003e: the name of the perimeter. For example,\n `accessPolicies/1234567890/servicePerimeters/example_perimeter`.\n\n\n To find the service perimeter you need to modify, you can check your logs for\n entries that show `RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER` violations.\n In those entries, check the `servicePerimeterName` field: \n\n ```\n accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER_NAME\n ```\n\n\nSee\n[Ingress and egress rules](/vpc-service-controls/docs/ingress-egress-rules) for\nmore information."]]
