Use Mandiant Attack Surface Management with VPC Service Controls

This document describes how to add ingress rules to allow Mandiant Attack Surface Management within VPC Service Controls perimeters. To restrict services in projects that you want Mandiant Attack Surface Management to monitor if your organization uses VPC Service Controls, perform this task. For more information about Mandiant Attack Surface Management, see Mandiant Attack Surface Management overview.

Required roles

To get the permissions that you need to use Mandiant Attack Surface Management within VPC Service Controls perimeters. , ask your administrator to grant you the Access Context Manager Editor (roles/accesscontextmanager.policyEditor) IAM role on your organization. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Create the ingress rules

To allow Mandiant Attack Surface Management in Security Command Center within VPC Service Controls perimeters, add the required ingress rules in those perimeters. Perform these steps for each perimeter that you want Mandiant Attack Surface Management to monitor.

For more information, see Updating ingress and egress policies for a service perimeter.

Console

  1. In the Google Cloud console go to the VPC Service Controls page.

    Go to VPC Service Controls

  2. Select your organization or project.

  3. In the drop-down list, select the access policy that contains the service perimeter that you want to grant access to.

    The service perimeters associated with the access policy appear in the list.

  4. Click the name of the service perimeter that you want to update.

    To find the service perimeter you need to modify, you can check your logs for entries that show RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER violations. In those entries, check the servicePerimeterName field: 

    accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER_NAME
  5. Click Edit.
  6. Click Ingress policy.
  7. Click Add an ingress rule.

  8. In the From section, set the following details:

    1. For Identities > Identity, select Select identities & groups.
    2. Click Add identities.

    3. Enter the email address of the Attack Surface Management Service Agent service agent. The service agent's address has the following format: 

      service-org-ORGANIZATION_ID@gcp-sa-asm-hpsa.iam.gserviceaccount.com

      Replace ORGANIZATION_ID with your organization ID.

    4. Select the service agent or press ENTER, and then click Add identities.
    5. For Sources, select All sources.

  9. In the To section, set the following details:

    1. For Resources > Projects, select All projects.
    2. For Operations or IAM roles, select Select operations.

    3. Click Add operations, and then add the following operations:

      • Add the cloudasset.googleapis.com service.
        1. Click All methods.
        2. Click Add all methods.
      • Add the cloudresourcemanager.googleapis.com service.
        1. Click All methods.
        2. Click Add all methods.
      • Add the dns.googleapis.com service.
        1. Click All methods.
        2. Click Add all methods.
  10. Click Save.

gcloud

  1. If a quota project isn't already set, then set it. Choose a project that has the Access Context Manager API enabled. 

    gcloud config set billing/quota_project QUOTA_PROJECT_ID

    Replace QUOTA_PROJECT_ID with the ID of the project that you want to use for billing and quota.

  2. Create a file named ingress-rule.yaml with the following contents:

    - ingressFrom:
    identities:
    - serviceAccount:service-org-ORGANIZATION_ID@gcp-sa-asm-hpsa.iam.gserviceaccount.com
    sources:
    - accessLevel: '*'
  ingressTo:
    operations:
    - serviceName: cloudasset.googleapis.com
      methodSelectors:
      - method: '*'
    - serviceName: cloudresourcemanager.googleapis.com
      methodSelectors:
      - method: '*'
    - serviceName: dns.googleapis.com
      methodSelectors:
      - method: '*'
    resources:
    - '*'

    Replace ORGANIZATION_ID with your organization ID.

  3. Add the ingress rule to the perimeter:

    gcloud access-context-manager perimeters update PERIMETER_NAME \
    --set-ingress-policies=ingress-rule.yaml

    Replace the following:

    • PERIMETER_NAME: the name of the perimeter. For example, accessPolicies/1234567890/servicePerimeters/example_perimeter.

      To find the service perimeter you need to modify, you can check your logs for entries that show RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER violations. In those entries, check the servicePerimeterName field: 

      accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER_NAME

See Ingress and egress rules for more information.

What's next