
Scan Google Cloud Instances Using Snapshots

Scan Google Cloud Compute Engine instances by snapshotting their disks, with no impact to your production workload.

cnspec can assess the security of a Google Cloud Compute Engine instance without affecting your production workload. It snapshots the instance's disk, scans the snapshot from a dedicated scanner VM, and cleans up automatically.

To run a snapshot scan, you need a scanner VM instance whose service account has the permissions to create snapshots and to attach the resulting disks.

Prerequisites

Create a custom role and service account

In the Google Cloud console, create a role named cnspec-snapshot-scanner with the permissions listed below. To learn how, read Create and manage custom roles in the Google Cloud documentation.

  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.delete
  • compute.disks.get
  • compute.disks.setLabels
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.instances.attachDisk
  • compute.instances.detachDisk
  • compute.instances.get
  • compute.snapshots.create
  • compute.snapshots.get
  • compute.snapshots.list
  • compute.snapshots.useReadOnly
  • compute.zoneOperations.get

Then create a service account and assign it these roles:

  • cnspec-snapshot-scanner
  • Service Account User

Create a VM for scanning

In the Google Cloud console, create a VM instance using the service account you created above. To learn how, read Create a VM that uses a user-managed service account in the Google Cloud documentation.

Then install cnspec on the VM. This is the scanner VM that attaches and scans the snapshots.

Create a VM instance template to make it easier to spin up scanner VMs. To learn how, read Create instance templates in the Google Cloud documentation.

Scan an instance using a snapshot

Connect to the scanner VM you created above and run:

cnspec scan gcp instance INSTANCE-NAME --project-id PROJECT-ID --zone INSTANCE-ZONE

For example:

cnspec scan gcp instance lunalectric-rover --project-id rover-123 --zone us-central1-a
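The prerequisite steps and the scan above, as an added shell example that is not part of the cnspec documentation: it writes the custom role definition from the page's permission list in the YAML form that `gcloud iam roles create --file` accepts, then prints (DRY_RUN=1, the default) or runs (DRY_RUN=0) the gcloud commands that create the role, the service account with both roles, and the scanner VM, followed by the scan command. The service account name cnspec-scanner, the VM name cnspec-scanner-vm and the cloud-platform access scope are assumptions; the project id and zone default to the page's example values.

```shell
#!/bin/sh
# Added example, not from the cnspec docs. Builds the least-privilege custom role from the
# page's permission list; DRY_RUN=1 (default) prints the gcloud commands, DRY_RUN=0 runs them.
set -eu
PROJECT_ID="${PROJECT_ID:-rover-123}"      # example project id from the page
ZONE="${ZONE:-us-central1-a}"               # example zone from the page
ROLE_ID="cnspec-snapshot-scanner"           # custom role name from the page
SA_NAME="${SA_NAME:-cnspec-scanner}"        # assumed service account name
VM_NAME="${VM_NAME:-cnspec-scanner-vm}"     # assumed scanner VM name
DRY_RUN="${DRY_RUN:-1}"

# Exactly the permissions the page lists; no compute.* wildcard and no broad predefined role.
REQUIRED_PERMISSIONS="compute.disks.create compute.disks.createSnapshot compute.disks.delete
compute.disks.get compute.disks.setLabels compute.disks.use compute.disks.useReadOnly
compute.instances.attachDisk compute.instances.detachDisk compute.instances.get
compute.snapshots.create compute.snapshots.get compute.snapshots.list
compute.snapshots.useReadOnly compute.zoneOperations.get"

# Write the role definition in the YAML form accepted by `gcloud iam roles create --file`.
write_role_yaml() {
  {
    printf 'title: cnspec snapshot scanner\nstage: GA\nincludedPermissions:\n'
    for p in $REQUIRED_PERMISSIONS; do echo "- $p"; done
  } >"$1"
}

# Number of permission entries in a role YAML file (sanity check before creating the role).
count_permissions() { grep -c '^- compute\.' "$1"; }

# Echo the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

setup_scanner() {
  yaml="${ROLE_FILE:-$ROLE_ID.yaml}"
  write_role_yaml "$yaml"
  sa="$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com"
  run gcloud iam roles create "$ROLE_ID" --project "$PROJECT_ID" --file "$yaml"
  run gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT_ID"
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "serviceAccount:$sa" --role "projects/$PROJECT_ID/roles/$ROLE_ID"
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "serviceAccount:$sa" --role roles/iam.serviceAccountUser
  # The VM runs as the scanner service account; the custom IAM role, not the scope, bounds it.
  run gcloud compute instances create "$VM_NAME" --project "$PROJECT_ID" --zone "$ZONE" \
    --service-account "$sa" --scopes cloud-platform
}

# The scan command from the page; run it on the scanner VM once cnspec is installed there.
scan_instance() { run cnspec scan gcp instance "$1" --project-id "$PROJECT_ID" --zone "$ZONE"; }

setup_scanner
scan_instance lunalectric-rover
```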

Scan an existing snapshot

You can also scan a specific, existing snapshot to assess the instance's state at a particular point in time:

cnspec scan gcp snapshot SNAPSHOT-NAME --project-id PROJECT-ID

For example:

cnspec scan gcp snapshot suse12 --project-id rover-123

To learn how to read the scan report, including scores and remediation guidance, see Understand cnspec Results.
