Use Mandiant Attack Surface Management with VPC Service Controls

Enterpriseservice tier (not available ifdata residency controls are enabled)

This document describes how to add ingress rules to allowMandiant Attack Surface Management within VPC Service Controls perimeters. To restrict services inprojects that you want Mandiant Attack Surface Management to monitor if your organizationuses VPC Service Controls, perform this task. For more information aboutMandiant Attack Surface Management, seeMandiant Attack Surface Management overview.

Required roles

To get the permissions that you need to use Mandiant Attack Surface Management within VPC Service Controls perimeters. , ask your administrator to grant you theAccess Context Manager Editor (roles/accesscontextmanager.policyEditor) IAM role on your organization. For more information about granting roles, seeManage access to projects, folders, and organizations.

You might also be able to get the required permissions throughcustom roles or otherpredefined roles.

Create the ingress rules

To allow Mandiant Attack Surface Management in Security Command Center withinVPC Service Controls perimeters, add the required ingress rules in thoseperimeters. Perform these steps for each perimeter that you want Mandiant Attack Surface Managementto monitor.

For more information, seeUpdating ingress and egress policies for a service perimeter.

Console

  1. In the Google Cloud console, go to theVPC Service Controls page.

    Go to VPC Service Controls

  2. Select your organization or project.

  3. In the drop-down list, select the access policy that contains the service perimeter that you want to grant access to.

    The service perimeters associated with the access policy appear in the list.

  4. Click the name of the service perimeter that you want to update.

    To find the service perimeter you need to modify, you can check your logs for entries that showRESOURCES_NOT_IN_SAME_SERVICE_PERIMETER violations. In those entries, check theservicePerimeterName field:

    accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER_NAME
  5. ClickEdit.
  6. ClickIngress policy.
  7. ClickAdd an ingress rule.

  8. In theFrom section, set the following details:

    1. ForIdentities > Identity, selectSelect identities & groups.
    2. ClickAdd identities.

    3. Enter the email address that identifies the Attack Surface Management Service Agent. This address has the following format:

      service-org-ORGANIZATION_ID@gcp-sa-asm-hpsa.iam.gserviceaccount.com

      ReplaceORGANIZATION_ID with your organization ID.

    4. Select the service agent or pressENTER, and then clickAdd identities.
    5. ForSources, selectAll sources.

  9. In theTo section, set the following details:

    1. ForResources > Projects, selectAll projects.
    2. ForOperations or IAM roles, selectSelect operations.

    3. ClickAdd operations, and then add the following operations:

      • Add thecloudasset.googleapis.com service.
        1. ClickAll methods.
        2. ClickAdd all methods.
      • Add thecloudresourcemanager.googleapis.com service.
        1. ClickAll methods.
        2. ClickAdd all methods.
      • Add thedns.googleapis.com service.
        1. ClickAll methods.
        2. ClickAdd all methods.
  10. ClickSave.

gcloud

  1. If a quota project isn't already set, then set it. Choose a project that has the Access Context Manager API enabled.

    gcloudconfigsetbilling/quota_projectQUOTA_PROJECT_ID

    ReplaceQUOTA_PROJECT_ID with the ID of the project that you want to use for billing and quota.

  2. Create a file namedingress-rule.yaml with the following contents:

    -ingressFrom:identities:-serviceAccount:service-org-ORGANIZATION_ID@gcp-sa-asm-hpsa.iam.gserviceaccount.comsources:-accessLevel:'*'ingressTo:operations:-serviceName:cloudasset.googleapis.commethodSelectors:-method:'*'-serviceName:cloudresourcemanager.googleapis.commethodSelectors:-method:'*'-serviceName:dns.googleapis.commethodSelectors:-method:'*'resources:-'*'

    ReplaceORGANIZATION_ID with your organization ID.

  3. Add the ingress rule to the perimeter:

    gcloudaccess-context-managerperimetersupdatePERIMETER_NAME\--set-ingress-policies=ingress-rule.yaml

    Replace the following:

    • PERIMETER_NAME: the name of the perimeter. For example,accessPolicies/1234567890/servicePerimeters/example_perimeter.

      To find the service perimeter you need to modify, you can check your logs for entries that showRESOURCES_NOT_IN_SAME_SERVICE_PERIMETER violations. In those entries, check theservicePerimeterName field:

      accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER_NAME

SeeIngress and egress rules for more information.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-20 UTC.