
Scan GCP Instances Using Snapshots

Learn how to scan GCP instances with no impact on your production workload.

cnspec can assess the security of a GCP instance without affecting your production workload. It creates a snapshot of the instance, scans that snapshot, and then cleans it up automatically.

To run a snapshot scan, you need a VM instance with adequate permissions to create and attach snapshots.

Prerequisites

Create a custom role and service account

In the Google Cloud console, create a new role named cnspec-snapshot-scanner with the permissions listed below. To learn how, read Grant an IAM role by using the Google Cloud console in the GCP documentation.

  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.delete
  • compute.disks.get
  • compute.disks.setLabels
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.instances.attachDisk
  • compute.instances.detachDisk
  • compute.instances.get
  • compute.snapshots.create
  • compute.snapshots.get
  • compute.snapshots.list
  • compute.snapshots.useReadOnly
  • compute.zoneOperations.get

Then create a new service account and assign it these roles:

  • cnspec-snapshot-scanner
  • Service Account User

Create a VM for scanning

In the Google Cloud console, create a new VM instance using the service account you created above. To learn how, read Create a VM that uses a user-managed service account in the GCP documentation.

You can create a VM instance template to make it easier to spin up VM instances for snapshot scanning. To learn how, read Create instance templates in the GCP documentation.

Scan an instance using a snapshot

Connect to the VM instance you created above and run:

cnspec scan gcp instance INSTANCE-NAME --project-id PROJECT-ID --zone INSTANCE-ZONE

Example:

cnspec scan gcp instance lunalectric-rover --project-id rover-123 --zone us-central1-a

Scan an existing snapshot

You can also scan a specific, existing snapshot to assess the instance's state at a particular point in time.

cnspec scan gcp snapshot SNAPSHOT-NAME --project-id PROJECT-ID

Example:

cnspec scan gcp snapshot suse12 --project-id rover-123
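The prerequisites and both scan commands above can be scripted end to end with gcloud. The script below is an added example, not part of the cnspec documentation: it creates the cnspec-snapshot-scanner custom role with exactly the permissions listed above, creates a service account, binds the custom role and Service Account User to it, launches a scanner VM with that service account, and then issues the instance and snapshot scans. The scanner VM name (cnspec-scanner), the service account name and the DRY_RUN switch are assumptions made here for illustration; the script assumes an authenticated gcloud CLI and that cnspec is run on the scanner VM.

```shell
#!/bin/sh
# Added example (not cnspec's own code): provision a least-privilege scanner
# with gcloud and run cnspec snapshot scans. Set DRY_RUN=1 to print the
# commands instead of executing them.
set -eu

DRY_RUN="${DRY_RUN:-0}"

# Print or execute a command, depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# The custom role's permissions, as listed in the prerequisites (comma-separated
# because that is the format --permissions expects).
required_permissions() {
  printf '%s' \
    'compute.disks.create,compute.disks.createSnapshot,compute.disks.delete,' \
    'compute.disks.get,compute.disks.setLabels,compute.disks.use,' \
    'compute.disks.useReadOnly,compute.instances.attachDisk,' \
    'compute.instances.detachDisk,compute.instances.get,' \
    'compute.snapshots.create,compute.snapshots.get,compute.snapshots.list,' \
    'compute.snapshots.useReadOnly,compute.zoneOperations.get'
}

# provision_scanner PROJECT ZONE [SERVICE_ACCOUNT_NAME]
# Creates the role, the service account, the two bindings and the scanner VM.
provision_scanner() {
  project="$1"
  zone="$2"
  sa_name="${3:-cnspec-scanner}"   # assumed name, not prescribed by the docs
  sa_email="${sa_name}@${project}.iam.gserviceaccount.com"

  run gcloud iam roles create cnspec-snapshot-scanner \
    --project="$project" \
    --title="cnspec snapshot scanner" \
    --permissions="$(required_permissions)" \
    --quiet
  run gcloud iam service-accounts create "$sa_name" \
    --project="$project" \
    --display-name="cnspec snapshot scanner"
  run gcloud projects add-iam-policy-binding "$project" \
    --member="serviceAccount:${sa_email}" \
    --role="projects/${project}/roles/cnspec-snapshot-scanner"
  run gcloud projects add-iam-policy-binding "$project" \
    --member="serviceAccount:${sa_email}" \
    --role="roles/iam.serviceAccountUser"
  # cloud-platform scope so that IAM, not the legacy access scopes, decides
  # what the VM may do; the custom role above is the effective limit.
  run gcloud compute instances create cnspec-scanner \
    --project="$project" \
    --zone="$zone" \
    --service-account="$sa_email" \
    --scopes=cloud-platform
}

# scan_instance PROJECT ZONE INSTANCE: snapshot the instance and scan it.
scan_instance() {
  run cnspec scan gcp instance "$3" --project-id "$1" --zone "$2"
}

# scan_snapshot PROJECT SNAPSHOT: scan an existing snapshot.
scan_snapshot() {
  run cnspec scan gcp snapshot "$2" --project-id "$1"
}

# Usage: sh scan.sh PROJECT ZONE INSTANCE
if [ "$#" -eq 3 ]; then
  provision_scanner "$1" "$2"
  scan_instance "$1" "$2" "$3"
fi
```

Run it once with DRY_RUN=1 to review the exact gcloud invocations before anything is created; the role and service account steps are one-time, while scan_instance and scan_snapshot can be re-run from the scanner VM as needed.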

Next step

Learn how you can Build Secure VM Images in Google Cloud with cnspec and HashiCorp Packer.
