
Scan Google Cloud Instances Using Snapshots

Scan Google Cloud Compute Engine instances by snapshotting their disks — no impact to your production workload.

cnspec can assess the security of a Google Cloud Compute Engine instance without affecting your production workload. It snapshots the instance's disk, creates a disk from that snapshot, attaches it to a dedicated scanner VM, scans it there, and detaches and deletes the temporary disk and snapshot when the scan finishes. The target instance itself is not modified.

To run a snapshot scan, you need a scanner VM whose attached service account has permission to snapshot the target's disk, create a disk from the snapshot, and attach and detach that disk on the scanner.

Prerequisites

Create a custom role and service account

In the Google Cloud console, create a role named cnspec-snapshot-scanner with the permissions listed below. To learn how, read Create and manage custom roles in the Google Cloud documentation.

  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.delete
  • compute.disks.get
  • compute.disks.setLabels
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.instances.attachDisk
  • compute.instances.detachDisk
  • compute.instances.get
  • compute.snapshots.create
  • compute.snapshots.get
  • compute.snapshots.list
  • compute.snapshots.useReadOnly
  • compute.zoneOperations.get

Then create a service account and grant it these roles:

  • cnspec-snapshot-scanner (the custom role you created above)
  • Service Account User (roles/iam.serviceAccountUser)

Create a VM for scanning

In the Google Cloud console, create a VM instance using the service account you created above. To learn how, read Create a VM that uses a user-managed service account in the Google Cloud documentation. When you create the VM, also grant it the cloud-platform access scope: access scopes cap what a VM can call regardless of the IAM roles its service account holds, and the default scopes do not include the Compute Engine API, so a scanner VM with default scopes cannot create snapshots even with the role above.

Create a VM instance template to make it easier to spin up scanner VMs. To learn how, read Create instance templates in the Google Cloud documentation.

Scan an instance using a snapshot

Connect to the scanner VM you created above and run:

cnspec scan gcp instance INSTANCE-NAME --project-id PROJECT-ID --zone INSTANCE-ZONE

For example:

cnspec scan gcp instance lunalectric-rover --project-id rover-123 --zone us-central1-a

Scan an existing snapshot

You can also scan a specific, existing snapshot to assess the instance's state at a particular point in time:

cnspec scan gcp snapshot SNAPSHOT-NAME --project-id PROJECT-ID

For example:

cnspec scan gcp snapshot suse12 --project-id rover-123
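The same prerequisites and scan steps, scripted with the gcloud CLI instead of the console. This is an added example and not code from the cnspec docs or the cnspec project; the project and zone reuse the page's example values (rover-123, us-central1-a), while the service-account name cnspec-scanner, the VM name cnspec-scanner-vm, and the missing_permissions helper are assumptions made for this script. Setting GCLOUD=echo and CNSPEC=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not part of the cnspec docs or project): creates the custom
# role, service account and scanner VM from this page with gcloud, checks a
# role's permissions against the required set, and wraps the cnspec commands.
# PROJECT_ID/ZONE default to the page's example values; SA_NAME and SCANNER_VM
# are assumed names. GCLOUD=echo / CNSPEC=echo gives a dry run.
set -eu

PROJECT_ID="${PROJECT_ID:-rover-123}"
ZONE="${ZONE:-us-central1-a}"
ROLE_ID="cnspec-snapshot-scanner"            # custom role name from the page
SA_NAME="${SA_NAME:-cnspec-scanner}"          # assumed service-account name
SCANNER_VM="${SCANNER_VM:-cnspec-scanner-vm}" # assumed scanner VM name
GCLOUD="${GCLOUD:-gcloud}"
CNSPEC="${CNSPEC:-cnspec}"

# The permission set the page lists for the custom role, one per line.
required_permissions() {
cat <<'EOF'
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.instances.attachDisk
compute.instances.detachDisk
compute.instances.get
compute.snapshots.create
compute.snapshots.get
compute.snapshots.list
compute.snapshots.useReadOnly
compute.zoneOperations.get
EOF
}

# Same list, comma-joined in the form --permissions expects.
permissions_csv() {
  required_permissions | paste -s -d, -
}

sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$SA_NAME" "$PROJECT_ID"
}

create_role() {
  "$GCLOUD" iam roles create "$ROLE_ID" --project="$PROJECT_ID" \
    --title="cnspec snapshot scanner" --stage=GA \
    --permissions="$(permissions_csv)"
}

create_service_account() {
  "$GCLOUD" iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
    --display-name="cnspec snapshot scanner"
  # Bind the two roles the page requires: the custom role and Service Account User.
  for role in "projects/$PROJECT_ID/roles/$ROLE_ID" roles/iam.serviceAccountUser; do
    "$GCLOUD" projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:$(sa_email)" --role="$role"
  done
}

# The cloud-platform access scope matters: without it the VM cannot reach the
# Compute API even though its service account holds the role.
create_scanner_vm() {
  "$GCLOUD" compute instances create "$SCANNER_VM" --project="$PROJECT_ID" \
    --zone="$ZONE" --service-account="$(sa_email)" --scopes=cloud-platform
}

# $1: file listing the permissions a role actually carries, one per line (e.g.
# gcloud iam roles describe "$ROLE_ID" --project="$PROJECT_ID" \
#   --format='value(includedPermissions)' | tr ';' '\n').
# Prints every required permission that is missing (assumed helper).
missing_permissions() {
  _want=$(mktemp); _have=$(mktemp)
  required_permissions | sort >"$_want"
  sort "$1" >"$_have"
  comm -23 "$_want" "$_have"
  rm -f "$_want" "$_have"
}

# Run on the scanner VM: snapshot-scan an instance (zone defaults to $ZONE).
scan_instance() {
  "$CNSPEC" scan gcp instance "$1" --project-id "$PROJECT_ID" --zone "${2:-$ZONE}"
}

# Run on the scanner VM: scan an existing snapshot by name.
scan_snapshot() {
  "$CNSPEC" scan gcp snapshot "$1" --project-id "$PROJECT_ID"
}

# Usage: ./snapshot-scan.sh bootstrap                (once, from an admin workstation)
#        ./snapshot-scan.sh scan INSTANCE [ZONE]     (from the scanner VM)
#        ./snapshot-scan.sh scan-snapshot SNAPSHOT   (from the scanner VM)
case "${1:-}" in
  bootstrap)     create_role; create_service_account; create_scanner_vm ;;
  scan)          shift; scan_instance "$@" ;;
  scan-snapshot) shift; scan_snapshot "$@" ;;
esac
```

Run bootstrap once from a workstation that can create IAM roles and VMs, then copy the script to the scanner VM for the scan subcommands. Keeping the permission list in one function lets you re-check a role after someone edits it in the console: feed the output of gcloud iam roles describe to missing_permissions and any non-empty result is a permission the scan will fail on.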

Next step

Snapshots in a different project? Read Cross-Project Snapshot Scanning.

For build-time scanning, learn how to Build Secure VM Images with Packer.
