1. Overview

Host auto-defend lets you automatically deploy Host Defenders to AWS EC2 instances in your account.

Host auto-defend is supported on AWS only.

2. Scan process

After setting up auto-defend for hosts, Prisma Cloud discovers and protects unsecured hosts as follows:

  1. Discover - Prisma Cloud uses cloud provider APIs to get a list of all VM instances.

  2. Identify - Prisma Cloud identifies unprotected instances.

  3. Verify - Ensure unprotected resources meet auto-defend prerequisites.

  4. Install - Prisma Cloud installs Host Defender on unprotected instances using cloud provider APIs.

3. Minimum requirements

Auto-defend has the following minimum requirements.

3.1. AWS Systems Manager

Prisma Cloud uses AWS Systems Manager (formerly known as SSM) to deploy Defenders to instances. This means that:

  • The SSM Agent must be installed on every instance.

  • AWS Systems Manager must have permission to perform actions on each instance.

To view all SSM managed instances, open the AWS Systems Manager console.

3.1.1. SSM Agent

Prisma Cloud uses the SSM Agent to deploy Host Defender on an instance. The SSM Agent is installed by default on the following distributions:

  • Amazon Linux

  • Amazon Linux 2

  • Amazon Linux 2 ECS-Optimized AMIs

  • Ubuntu Server 16.04, 18.04, and 20.04

The SSM Agent is supported on the following distributions, but it must be installed manually:

  • CentOS

  • Debian Server

  • Oracle Linux

  • Red Hat Enterprise Linux

  • SUSE Linux Enterprise Server

3.1.2. IAM instance profile for Systems Manager

By default, AWS Systems Manager doesn’t have permission to perform actions on your instances. You must grant it access with an IAM instance profile.

If you’ve used Systems Manager’s Quick Setup feature, assign the AmazonSSMRoleForInstancesQuickSetup role to your instances.

3.2. Instance types

Host auto-defend is supported on Linux hosts only. Hosts must have either wget or curl installed.

Auto-defend is supported for stand-alone hosts only, not hosts that are part of clusters. For hosts that are part of clusters, use one of the cluster-native install options (e.g., DaemonSets on Kubernetes).

When configuring the scope of hosts that should be auto-defended, ensure that the scope doesn’t include any hosts that are part of a cluster or that run containers. Auto-defend doesn’t currently check whether a host is part of a cluster. If you mistakenly include nodes that are part of a cluster in an auto-defend rule, and the cluster is not already protected, the auto-defend rule will deploy Host Defenders to the cluster nodes.
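Because auto-defend does not check cluster membership itself, it is worth running the Discover, Identify and Verify steps against your own inventory before applying a rule. The following Python script is an added example, not Prisma Cloud code: it takes a constructed instance inventory (in practice you would populate it from ec2:DescribeInstances and ssm:DescribeInstanceInformation) and reports which instances are candidates, which fail a prerequisite from this section, and which look like cluster nodes and should be kept out of the scope. The tag prefixes used to spot cluster nodes are assumptions; adjust them to how your clusters tag their nodes.

```python
"""Pre-scope check for a host auto-defend rule (added example, not Prisma Cloud code).

Mirrors the Discover -> Identify -> Verify steps with a constructed inventory
instead of live AWS API calls. Instances that would fail a prerequisite, or
that look like cluster nodes, are reported so they can be excluded from the
rule's scope before it is applied.
"""
from dataclasses import dataclass, field

# Tag keys treated as evidence of cluster membership. These prefixes are an
# assumption for this example; match them to how your clusters tag nodes.
CLUSTER_TAG_PREFIXES = ("kubernetes.io/cluster/", "eks:")


@dataclass
class Instance:
    instance_id: str
    platform: str                 # "Linux" or "Windows" (constructed field)
    ssm_ping_status: str          # "Online" when the SSM Agent is reporting in
    has_downloader: bool          # wget or curl present on the host
    defender_installed: bool
    tags: dict = field(default_factory=dict)


def is_cluster_node(inst: Instance) -> bool:
    """Auto-defend does not check this itself, so the operator has to."""
    return any(k.startswith(CLUSTER_TAG_PREFIXES) for k in inst.tags)


def classify(inst: Instance) -> str:
    """Return 'protected', 'candidate', or the first blocking reason."""
    if inst.defender_installed:
        return "protected"
    if inst.platform != "Linux":
        return "skip: Linux hosts only"
    if is_cluster_node(inst):
        return "skip: cluster node, use a cluster-native install"
    if inst.ssm_ping_status != "Online":
        return "blocked: SSM Agent not reporting (install agent / fix instance profile)"
    if not inst.has_downloader:
        return "blocked: neither wget nor curl installed"
    return "candidate"


def plan(inventory):
    """Group an inventory by classification; values are lists of instance IDs."""
    out = {}
    for inst in inventory:
        out.setdefault(classify(inst), []).append(inst.instance_id)
    return out


# Constructed sample inventory covering each outcome.
SAMPLE = [
    Instance("i-0a1", "Linux", "Online", True, False),
    Instance("i-0a2", "Linux", "Online", True, True),
    Instance("i-0a3", "Linux", "ConnectionLost", True, False),
    Instance("i-0a4", "Linux", "Online", False, False),
    Instance("i-0a5", "Windows", "Online", True, False),
    Instance("i-0a6", "Linux", "Online", True, False,
             {"kubernetes.io/cluster/prod": "owned"}),
]

if __name__ == "__main__":
    for status, ids in plan(SAMPLE).items():
        print(f"{status}: {', '.join(ids)}")
```

Only instances that come back as "candidate" belong in the rule's scope; the "blocked" entries point at the SSM Agent or instance-profile requirements above, and the cluster nodes should go through a cluster-native install instead.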

4. Required permissions

Prisma Cloud needs a service account with the following permissions to automatically protect EC2 instances in your AWS account. Add the following policy to an IAM user or role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ssm:SendCommand",
                "ssm:DescribeInstanceInformation",
                "ssm:ListCommandInvocations",
                "ssm:CancelCommand"
            ],
            "Resource": "*"
        }
    ]
}
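The policy above is the minimum the service account needs, and it is easy for a policy that starts from it to drift wider over time (a wildcard action pasted in, an unrelated permission added to the same statement). The following Python script is an added example, not Prisma Cloud code: it audits an IAM policy document against exactly the six actions listed above and flags missing actions, wildcard action patterns, surplus actions, and Deny statements that would break a required action. Resource "*" is not flagged, because several of the Describe actions above do not support resource-level restrictions. The over-broad and deny policies it checks are constructed for the example.

```python
"""Least-privilege audit for the host auto-defend service account policy.

Added example, not Prisma Cloud code. Compares an IAM policy document with the
six actions the documentation lists and reports anything narrower or broader.
"""
import fnmatch
import json

REQUIRED_ACTIONS = {
    "ec2:DescribeImages",
    "ec2:DescribeInstances",
    "ssm:SendCommand",
    "ssm:DescribeInstanceInformation",
    "ssm:ListCommandInvocations",
    "ssm:CancelCommand",
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Statement; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _covers(patterns, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def audit_policy(policy_json: str) -> dict:
    """Return missing required actions, wildcard patterns, and surplus actions."""
    policy = json.loads(policy_json)
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.update(_as_list(stmt.get("Action")))

    # A required action is missing if nothing allows it or something denies it.
    missing = sorted(a for a in REQUIRED_ACTIONS
                     if not _covers(allowed, a) or _covers(denied, a))
    # Wildcards such as "ssm:*" grant far more than the four ssm actions needed.
    wildcards = sorted(p for p in allowed if "*" in p or "?" in p)
    surplus = sorted(a for a in allowed
                     if a not in REQUIRED_ACTIONS and a not in wildcards)
    return {"missing": missing, "wildcards": wildcards, "surplus": surplus}


def is_least_privilege(policy_json: str) -> bool:
    """True only when the policy grants exactly the required actions."""
    result = audit_policy(policy_json)
    return not (result["missing"] or result["wildcards"] or result["surplus"])


# The policy from the documentation, as a JSON string.
DOCUMENTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": sorted(REQUIRED_ACTIONS),
        "Resource": "*",
    }],
})

# Constructed: covers everything required, but via wildcards plus an extra action.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "ssm:*", "iam:PassRole"],
        "Resource": "*",
    }],
})

# Constructed: correct Allow statement, but a Deny that blocks Defender deployment.
DENY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"},
        {"Effect": "Deny", "Action": "ssm:SendCommand", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for name, doc in [("documented", DOCUMENTED_POLICY),
                      ("overbroad", OVERBROAD_POLICY),
                      ("deny", DENY_POLICY)]:
        print(name, audit_policy(doc))
```

Run it against the policy attached to the IAM user or role you plan to reference from the auto-defend rule; an empty report for all three fields means the account can do what auto-defend needs and nothing else.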

5. Add a host auto-protect rule

Host auto-defend rules let you specify which hosts you want to protect. You can define a specific account by referencing the relevant credential or collection. Each auto-defend rule is evaluated separately.

  1. Open Compute Console, and go to Manage > Defenders > Deploy > Host auto-defend.

  2. Click on Add rule.

  3. In the dialog, enter the following settings:

    1. Enter a rule name.

    2. In Provider, select AWS (the only supported provider).

    3. In Console, specify a DNS name or IP address that the installed Defender can use to connect back to Console after it’s installed.

    4. (Optional) In Scope, target the rule to specific hosts.

      Create a new collection. Supported attributes are hosts, images, labels, and account IDs.

      The following example shows a collection that is based on host labels, in this case a label of host_demo with the value centos.

      (Screenshot: auto defend collection example)

    5. Specify the scanning scope.

    6. Select or create credentials so Prisma Cloud can access your account. The service account must have the minimum permissions specified in the Required permissions section.

    7. Click Add.

      The new rule appears in the table of rules.

  4. Click Apply.

    A scan starts. By default, host auto-protect rules are evaluated every 24 hours. Click the Apply button to force a new scan.

    The following screenshot shows that the auto-defend-testgroup discovered two EC2 instances and deployed two Defenders (2/2).

    (Screenshot: auto defend host rule)