1. Overview

Container environments tend to use many third-party services across multiple cloud providers. To improve accessibility and reusability, Prisma Cloud manages all credentials in a central encrypted store. Credentials are used when setting up the following integrations:

  • Scanning (container registries, serverless functions, etc.).

  • Alerting in third-party services (email, Slack, ServiceNow, etc.).

  • Deploying and managing Defender DaemonSets from the Console UI.

  • Injecting secrets from secret stores into containers at runtime.

[Figure: credentials store architecture]

The credential store can be found under Manage > Authentication > Credentials Store. Credentials cannot be deleted while they are in use. To see all the places where a credential is being used, click on an entry in the credentials store table and review the Usages list.

If a credential is being used by an integration and you edit its parameters (e.g. username, password, etc.), the new values are automatically propagated to the right places in the product. You don’t need to delete and set up the integration again to refresh the credential’s values.

[Figure: credentials store usage]

2. Prisma Cloud Onboarded accounts

When you start with a fresh Prisma Cloud tenant, you can use the guided onboarding flow to automatically create service accounts and roles in your cloud provider accounts so that Prisma Cloud can be quickly integrated with your cloud providers.

The guided onboarding flow creates service accounts and roles for the following Compute-specific integrations. For all other integrations, manually create the required service accounts or roles according to the feature-wise permissions doc.

Feature                                              AWS      Azure     GCP
Cloud discovery                                      Yes      No        No
Cloud compliance                                     Yes      N/A (1)   N/A (1)
Serverless Radar                                     Yes      N/A (1)   N/A (1)
Registry Scanning                                    Yes      No        No
Serverless scanning                                  Yes      No        No
Serverless auto-protect                              Yes      N/A (1)   N/A (1)
VM image scanning                                    Yes      N/A (1)   N/A (1)
Kubernetes auditing                                  No (2)   No (2)    No
Alerting — AWS SecurityHub
Alerting — GCP SecurityCenter
Alerting — Google Cloud Pub/Sub
Secret stores — Azure Key Vault
Secret stores — AWS Secret Manager
Secret stores — AWS System Manager Parameter Store

(1) N/A means the feature isn’t supported in the product for this cloud provider. For this reason, no service account or role needs to be created.

(2) Kubernetes auditing is supported for all self-managed clusters, regardless of the cloud provider. For managed clusters, GKE is supported.

2.1. Prisma Cloud AWS accounts

Minimal, Compute-feature-specific permissions are added by default to all CloudFormation Templates (CFTs) for AWS accounts onboarded to Prisma Cloud. These permissions are defined by the following two IAM policies.

You can remove these policies from the CFTs if you do not wish to use onboarded cloud accounts for Compute capabilities.

PrismaCloud-ReadOnly-Policy-Compute

  • ecr:BatchCheckLayerAvailability

  • ecr:BatchGetImage

  • ecr:DescribeImageScanFindings

  • ecr:GetAuthorizationToken

  • ecr:GetDownloadUrlForLayer

  • ecr:GetLifecyclePolicyPreview

  • ecr:ListImages

  • kms:Decrypt

  • lambda:GetFunction

PrismaCloud-Remediation-Policy-Compute

  • ec2:AuthorizeSecurityGroupEgress

  • ec2:AuthorizeSecurityGroupIngress

  • ec2:CreateSecurityGroup

  • ec2:CreateTags

  • lambda:GetLayerVersion

  • lambda:PublishLayerVersion

  • lambda:UpdateFunctionConfiguration

  • ssm:CreateAssociation

Some additional permissions required for Compute features such as AMI scanning are deliberately left out of these templates to keep privileges minimal. You can find the full list of feature-wise AWS permissions here: http://cdn.twistlock.com/docs/downloads/Compute-Feature-Wise-Permissions.pdf and add them manually.

2.1.1. Cloud Account Permission Status

CFTs will be updated with Compute permissions at the platform level, tentatively on Oct 7th, for all accounts, but the status check on those Compute permissions will NOT be performed by default. Currently, cloud account status checks do not take Compute permissions into account: an account remains green even if Compute permissions are missing. This accommodates CSPM users who do not use Compute functionality and for whom a change in account status would cause confusion.
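Because the account status stays green even when the Compute actions are absent, it is worth checking the policies attached to the onboarded role yourself. The following Python is an added example, not Prisma Cloud's own tooling: it takes IAM policy documents (here a constructed sample that has drifted from the CFT; in practice you would fetch them with the AWS CLI or SDK) and reports which of the Compute actions listed above are not granted. It honours IAM's case-insensitive `*`/`?` action wildcards and explicit Deny statements, but evaluates only the Action element: NotAction, Resource and Condition are ignored, so an action it reports as granted may still be restricted in practice, while an action it reports as missing is genuinely missing.

```python
import fnmatch
import json

# Compute actions granted by the two onboarding policies listed on this page.
PRISMA_READONLY_COMPUTE = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:DescribeImageScanFindings",
    "ecr:GetAuthorizationToken",
    "ecr:GetDownloadUrlForLayer",
    "ecr:GetLifecyclePolicyPreview",
    "ecr:ListImages",
    "kms:Decrypt",
    "lambda:GetFunction",
]
PRISMA_REMEDIATION_COMPUTE = [
    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:CreateSecurityGroup",
    "ec2:CreateTags",
    "lambda:GetLayerVersion",
    "lambda:PublishLayerVersion",
    "lambda:UpdateFunctionConfiguration",
    "ssm:CreateAssociation",
]


def _as_list(value):
    """IAM accepts either a single string or a list in Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and accept * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_actions(policy_docs, required):
    """Subset of `required` allowed by at least one statement and not explicitly
    denied by any. Only Action is evaluated; NotAction, Resource and Condition
    are ignored, so this is an upper bound on what the role can really do."""
    allowed, denied = set(), set()
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement")):
            patterns = _as_list(stmt.get("Action"))
            for action in required:
                if any(_action_matches(p, action) for p in patterns):
                    (allowed if stmt.get("Effect") == "Allow" else denied).add(action)
    return allowed - denied


def missing_actions(policy_docs, required):
    """Required actions that are not granted, sorted for stable reporting."""
    return sorted(set(required) - granted_actions(policy_docs, required))


# Constructed sample (not a real account): a hand-edited policy that drifted
# from the CFT, with an over-broad ec2:* grant and a Deny on kms:Decrypt.
SAMPLE_POLICY_DOCS = [json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ecr:Get*", "ecr:BatchGetImage", "lambda:GetFunction"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "kms:Decrypt", "Resource": "*"}
  ]
}
""")]


def audit_compute_permissions(policy_docs=SAMPLE_POLICY_DOCS):
    """Map each onboarding policy name to the Compute actions it is missing."""
    return {
        "PrismaCloud-ReadOnly-Policy-Compute": missing_actions(policy_docs, PRISMA_READONLY_COMPUTE),
        "PrismaCloud-Remediation-Policy-Compute": missing_actions(policy_docs, PRISMA_REMEDIATION_COMPUTE),
    }


if __name__ == "__main__":
    for policy, missing in audit_compute_permissions().items():
        print(f"{policy}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Feed it the real documents from `aws iam get-policy-version` (and any inline policies on the role) and treat every reported action as something the CFT update did not give you; a wildcard such as `ecr:Get*` covers the three `ecr:Get…` actions but, as the sample shows, still leaves `ecr:ListImages` and the two `ecr:Batch…`/`Describe…` calls uncovered.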

2.2. Prisma Cloud Azure accounts

No additional permissions are added for Compute by default to the onboarding templates. You can add the following permissions for Serverless and Cloud Discovery scans.

"Microsoft.Web/sites/publishxml/action",
"Microsoft.Web/sites/Read",
"Microsoft.Web/sites/config/Read",
"Microsoft.Web/sites/functions/read",
"Microsoft.Web/sites/config/list/action",
"Microsoft.ContainerRegistry/registries/read",
"Microsoft.ContainerRegistry/registries/metadata/read",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerInstance/containerGroups/read"
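A practical way to grant exactly this list is a custom role definition scoped to the subscription the onboarding covers. The following Python is an added example, not Prisma Cloud's or Microsoft's code: it builds the role definition in the JSON shape `az role definition create --role-definition` accepts, then lints it for three things a reviewer cares about before it is created: wildcard actions, an assignable scope wider than a subscription or resource group, and actions that return secrets rather than metadata. The last category is my own assumption drawn from the Azure operation descriptions, not from this page: `Microsoft.Web/sites/publishxml/action` returns the publishing profile, and `Microsoft.Web/sites/config/list/action` lists app settings, connection strings and publishing credentials. The subscription ID is a constructed placeholder.

```python
import json
import re

# Actions listed on this page for Serverless and Cloud Discovery scans.
PRISMA_COMPUTE_AZURE_ACTIONS = [
    "Microsoft.Web/sites/publishxml/action",
    "Microsoft.Web/sites/Read",
    "Microsoft.Web/sites/config/Read",
    "Microsoft.Web/sites/functions/read",
    "Microsoft.Web/sites/config/list/action",
    "Microsoft.ContainerRegistry/registries/read",
    "Microsoft.ContainerRegistry/registries/metadata/read",
    "Microsoft.ContainerService/managedClusters/read",
    "Microsoft.ContainerInstance/containerGroups/read",
]

# Assumption (from Azure's operation descriptions, not from this page): these
# two read-style actions hand the holder deployment credentials and app settings.
SECRET_RETURNING_ACTIONS = {
    "Microsoft.Web/sites/publishxml/action",
    "Microsoft.Web/sites/config/list/action",
}

# Accept a subscription or a resource group inside one; reject "/" (root) and
# management-group scopes, which would make the role assignable tenant-wide.
NARROW_SCOPE = re.compile(
    r"^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}(/resourceGroups/[^/]+)?$",
    re.IGNORECASE,
)

# Constructed placeholder, not a real subscription.
PLACEHOLDER_SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"


def build_custom_role(name, actions, assignable_scopes, description=""):
    """Role definition in the JSON layout used by `az role definition create`."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": description,
        "Actions": list(actions),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": list(assignable_scopes),
    }


def lint_custom_role(role):
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    for scope in role["AssignableScopes"]:
        if not NARROW_SCOPE.match(scope):
            findings.append(f"scope {scope!r} is broader than a subscription or resource group")
    for action in role["Actions"]:
        if "*" in action:
            findings.append(f"wildcard action {action!r}")
        elif action in SECRET_RETURNING_ACTIONS:
            findings.append(f"{action!r} returns secrets, not just metadata")
    return findings


def prisma_compute_role(scope=PLACEHOLDER_SUBSCRIPTION):
    return build_custom_role(
        "Prisma Cloud Compute Scanner",          # hypothetical role name
        PRISMA_COMPUTE_AZURE_ACTIONS,
        [scope],
        "Read access for Prisma Cloud Compute serverless and cloud discovery scans",
    )


if __name__ == "__main__":
    role = prisma_compute_role()
    print(json.dumps(role, indent=2))           # save as role.json for the CLI
    for finding in lint_custom_role(role):
        print("review:", finding)
```

The two "returns secrets" findings are expected for this list and are there so that whoever approves the role knows the service principal can read function-app credentials, not only resource metadata; a finding for `/` or a management-group scope, or for a `Microsoft.Web/*` shortcut, is something to fix before running `az role definition create`.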

2.3. Prisma Cloud GCP accounts

No additional permissions are added for Compute to the onboarding templates. You can find the full list of GCP permissions below and add them manually.

For projects:

"storage.objects.get",
"storage.objects.list",
"pubsub.topics.publish",
"iam.serviceAccounts.get",
"iam.serviceAccounts.getAccessToken",
"iam.serviceAccounts.getOpenIdToken",
"iam.serviceAccounts.implicitDelegation",
"iam.serviceAccounts.list",
"iam.serviceAccounts.signBlob",
"iam.serviceAccounts.signJwt"

For ORG:

"resourcemanager.projects.get",
"resourcemanager.projects.list"

3. Using onboarded accounts

The service accounts and roles required for integrating Prisma Cloud with your cloud provider can be automatically created in your cloud account for you. Initiate the onboarding process from Settings > Cloud Accounts.

[Figure: Prisma Cloud onboarding in the credentials store]

After onboarding an account, you can use the service accounts and roles, collectively called credentials, when configuring Compute. Before using a credential, however, you must first "surface" the credential in Compute.

Surfaced credentials are read-only in the Compute tab. Update them at the source in Settings > Cloud Accounts.

Similarly, deleting surfaced credentials in the Compute tab’s credentials store only removes them from the table. Delete them at the source in Settings > Cloud Accounts.

  1. After logging into Prisma Cloud, go to the Compute > Defend > Authentication tab.

  2. Click Add Credential.

  3. In Type, select Prisma Cloud.

  4. Select all credentials you want to use.