Monitor GCP resources inside service perimeters - Learn how to grant authorization to Cortex XDR to scan within your GCP service perimeter. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 5.x Documentation

Product: Cortex XDR
License: XDR + Cloud
Creation date: 2025-07-13
Last date published: 2026-06-11
Category: Administrator Guide
Abstract

Learn how to grant authorization to Cortex XDR to scan within your GCP service perimeter.

Notice

Requires a Cortex XDR license that has the Cloud Posture Security or Cloud Runtime Security add-on.

A service perimeter can provide an additional layer of security for your GCP projects. It serves as a fortified boundary around your Google Cloud resources. While resources inside the perimeter can communicate freely, the perimeter is designed to prevent unauthorized communication to Google Cloud services beyond its confines.

To enable Cortex XDR to scan assets and resources within your GCP perimeter, you must authorize Cortex XDR's identities to access the perimeter from within GCP. If you have a perimeter set up in your GCP project and you have not authorized Cortex XDR's identities to scan the perimeter, you will receive the following error:

Request is prohibited by organization's policy. vpcServiceControlsUniqueIdentifier: {{<GCP-perimeter-ID>}}

Note

Each GCP cloud instance is assigned a scope within GCP. If the scope, whether it be organization, folder, or project, includes any projects with a service perimeter, this procedure must be performed for that cloud instance to authorize Cortex XDR to scan the resources in the perimeter.

Obtain Cortex XDR identity details
  1. In your Cortex XDR tenant, select Settings → Data Sources & Integrations.

  2. Hover over the Google Cloud Platform (GCP) row and select View Details.

  3. In the Cloud Instances page, identify the GCP instance with the perimeter, right-click it and select Details.

  4. In the details pane, click the more options icon and select Authorization Details.

  5. The authorization values that you need to add as approved identities in GCP are listed in the Authorization Details dialog box.

Add Cortex XDR authorization values to GCP perimeter
  1. Log into Google Cloud Platform Console.

  2. Navigate to VPC Service Controls.

  3. In the list of perimeters, select the perimeter to which you want to grant Cortex XDR access.

  4. In the Service perimeter details screen, click Edit.

  5. In the Edit service perimeter screen, select Ingress policy.

  6. In the Ingress rules pane, click Add an ingress rule.

  7. Enter a Title for the ingress rule.

  8. In the From section, under Identities, select Select identities & groups.

  9. Click Add identities. In the Add identities pane, under Search identities, paste the Cortex discovery role value from Cortex XDR's Authorization Details dialog box. If there are more authorized values, paste each of them under Search identities. Click Add identities.

  10. In the To section, under Resources, select Select projects.

  11. Click Add projects. In the Add projects pane, select the relevant projects.

  12. Under Operations or IAM roles, select All operations.

  13. Click Next to add an egress rule.

  14. In the Egress rules pane, click Add an egress rule.

  15. Enter a Title for the egress rule.

  16. In the From section, under Identities, select Select identities & groups.

  17. Click Add identities. In the Add identities pane, under Search identities, paste the Cortex discovery role value from Cortex XDR's Authorization Details dialog box. If there are more authorized values, paste each of them under Search identities. Click Add identities.

  18. In the To section, under Resources, select Select projects.

  19. Click Add projects. In the Add projects pane, select the relevant projects.

  20. Click Save. Confirm the changes and click Confirm.

The Cortex XDR authorization values have been added as approved identities in GCP.
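The same ingress and egress rules expressed as gcloud input files, as an added example that is not part of the Cortex XDR documentation or of Palo Alto Networks tooling: the function names, the identity, project number, perimeter name and access policy ID are placeholders, and the `sources: accessLevel: '*'` and egress `operations` entries are assumed to match the console defaults the steps above leave untouched.

```shell
#!/bin/sh
# write_vpcsc_rules IDENTITY PROJECT_NUMBER OUTDIR
#   IDENTITY: one value from the Authorization Details dialog, in gcloud form,
#   e.g. serviceAccount:<email> (placeholder). PROJECT_NUMBER: a project in the perimeter.
write_vpcsc_rules() {
  identity=$1; project=$2; outdir=$3
  mkdir -p "$outdir"
  # Ingress rule = console "Select identities & groups" + "Select projects" +
  # "All operations". accessLevel '*' = "All sources" (assumed console default).
  cat > "$outdir/ingress.yaml" <<EOF
- ingressFrom:
    identities:
    - $identity
    sources:
    - accessLevel: '*'
  ingressTo:
    operations:
    - serviceName: '*'
    resources:
    - projects/$project
EOF
  # Egress rule: same identity and project. operations '*' is assumed; the
  # console egress steps on this page do not set an Operations value.
  cat > "$outdir/egress.yaml" <<EOF
- egressFrom:
    identities:
    - $identity
  egressTo:
    operations:
    - serviceName: '*'
    resources:
    - projects/$project
EOF
}

# apply_vpcsc_rules PERIMETER ACCESS_POLICY_ID OUTDIR
# --set-* REPLACES the perimeter's existing rule lists: merge any rules you
# already have into the files first, or they are dropped. Then show the result.
apply_vpcsc_rules() {
  gcloud access-context-manager perimeters update "$1" --policy="$2" \
    --set-ingress-policies="$3/ingress.yaml" \
    --set-egress-policies="$3/egress.yaml" &&
  gcloud access-context-manager perimeters describe "$1" --policy="$2"
}

# Constructed placeholder values; set APPLY=1 to actually run gcloud.
write_vpcsc_rules "serviceAccount:<cortex-discovery-identity>" 123456789012 ./vpcsc-rules
if [ "${APPLY:-0}" = 1 ]; then
  apply_vpcsc_rules "<perimeter-name>" "<access-policy-id>" ./vpcsc-rules
fi
```

List under `resources` only the projects the Cortex XDR instance needs to scan, as steps 11 and 19 do with "select the relevant projects", and confirm afterwards in the Ingress rules and Egress rules panes that only the intended identities appear.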