After you connect your Google Cloud Platform (GCP) project to Microsoft Defender for Cloud, Defender for Cloud uses agentless machine scanning to identify vulnerabilities in your virtual machines (VMs). Defender for Cloud then provides security recommendations and alerts, along with guidance for remediation.
If no agentless scan results appear within 24 hours after you connect your GCP project, it's possible that the GCP organization policy "Compute Storage resource use restrictions (Compute Engine disks, images, and snapshots)" is preventing Defender for Cloud from accessing the necessary resources.
This article explains how to identify and resolve this issue so Defender for Cloud can successfully scan your VMs.
Prerequisites
You must have a GCP project onboarded to Microsoft Defender for Cloud.
Access to a GCP project.
Contributor-level permission on the relevant Azure subscription.
Manage your organization policies
By configuring your organization policies, you can control the resources that Defender for Cloud can access in your GCP project.
Sign in to your GCP project.
Navigate to your organization > relevant GCP project.
Navigate to IAM & Admin > Organization Policies.
Search for the "Compute Storage resource use restrictions (Compute Engine disks, images, and snapshots)" policy.
Select Manage policy.
Change the policy type to Allow.
In the allowlist, add under:organizations/517615557103.
Select Save.
Defender for Cloud triggers agentless disk scanning through API calls. The next call can take up to 24 hours to occur; once it runs and agentless scanning results are generated, you'll know the policy change worked.
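As an added example (not from this article or from Microsoft's tooling), here is a POSIX shell check for the same policy from the gcloud CLI: it reads a project's effective compute.storageResourceUseRestrictions constraint and decides whether Defender for Cloud's organization can use the project's disks, images and snapshots. The gcloud invocation, the hypothetical project ID and the sample YAML are assumptions; the samples are constructed so the check itself runs offline.

```shell
#!/bin/sh
# Added example, not part of the Microsoft Learn article.
# Organization named on the page as the allowlist value.
DEFENDER_ORG="under:organizations/517615557103"

# Read the effective policy (local setting merged with inherited ones)
# for one project. Assumes the gcloud CLI and a project ID you supply.
fetch_policy() {
  gcloud resource-manager org-policies describe \
    compute.storageResourceUseRestrictions --project="$1" --effective
}

# Exit 0 when the YAML policy text lets the Defender org use the
# project's storage resources; 1 when an allowlist omits it, a denylist
# names it, or allValues is DENY. No listPolicy means unrestricted.
policy_allows_defender() {
  printf '%s\n' "$1" | awk -v org="$DEFENDER_ORG" '
    /listPolicy:/         { restricted = 1 }
    /allValues: *ALLOW/   { allow_all = 1 }
    /allValues: *DENY/    { deny_all = 1 }
    /allowedValues:/      { section = "allow"; has_allow = 1 }
    /deniedValues:/       { section = "deny" }
    index($0, org) > 0    { if (section == "allow") listed = 1
                            if (section == "deny")  denied = 1 }
    END {
      if (!restricted || allow_all) exit 0
      if (deny_all || denied)       exit 1
      if (has_allow)                exit (listed ? 0 : 1)
      exit 0
    }'
}

# Constructed sample in the shape of gcloud output: the policy after
# the steps above (allowlist containing the Defender org).
SAMPLE_ALLOWED='constraint: constraints/compute.storageResourceUseRestrictions
listPolicy:
  allowedValues:
  - under:organizations/517615557103'

# Constructed sample: an allowlist naming only some other organization
# (placeholder ID), which leaves Defender for Cloud blocked.
SAMPLE_BLOCKED='constraint: constraints/compute.storageResourceUseRestrictions
listPolicy:
  allowedValues:
  - under:organizations/000000000000'

# Usage against a real project (hypothetical ID):
#   policy_allows_defender "$(fetch_policy my-gcp-project)" && echo "ok"
```

Because the constraint can be inherited from a folder or the organization, check the effective policy rather than only the project-level setting, and when scripting a change merge the Defender org into the existing allowlist instead of replacing it.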