1. Overview

Prisma Cloud can scan Linux Amazon Machine Images (AMIs).

The following AMIs aren’t supported:

  • Images that don’t use cloud-init for bootstrapping, such as Red Hat Enterprise Linux CoreOS (CoreOS for OpenShift). RHCOS uses Ignition.

  • Images that use paravirtualization.

  • Images that only support old TLS protocols (less than TLS 1.1) for utilities such as curl. For example, Ubuntu 12.10.

  • Encrypted images.

You can scope access to Prisma Cloud by cloud account ID. Prisma Cloud automatically puts cloud account resources (e.g., containers, clusters, serverless functions, etc) into collections so that when users log in, they can see data for just the resources in the cloud account. Currently, VM scan results aren’t added to per-cloud account collections. Only Prisma Cloud roles with read-write access (System Admins) can view VM image scan reports. Primsa Cloud roles with read-only access can’t view VM image scan reports. This issue will be resolved in an upcoming release.

2. Prerequisites

  • The service account Prisma Cloud uses to scan AMIs must have at least the following policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeSecurityGroups",
                    "ec2:CreateSecurityGroup",
                    "ec2:RevokeSecurityGroupEgress",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:AuthorizeSecurityGroupEgress",
                    "ec2:DeleteSecurityGroup",
                    "ec2:DescribeImages",
                    "ec2:DescribeInstances",
                    "ec2:RunInstances",
                    "ec2:CreateTags",
                    "ec2:TerminateInstances"
                ],
                "Resource": "*"
            }
        ]
    }
  • Access from the default VPC to Console via the port used for Defender to Console communication (default 8084) must be allowed to enable Defenders on VMs created by Console to send scan results back.

3. Deployment

VM image scanning is handled by the Console. Prisma Cloud’s Console scans a VM image by creating a VM instance which is running the VM image to be scanned. When you configure Prisma Cloud to scan VM images, you can define the number of scanners to use. Defining more than one scanner means that the Console will create a number of VM instances to scan multiple VM images simultaneously. For scanning large numbers of VM images, increase the number of scanners to improve throughput and reduce scan time.

If you remove a VM image, or it becomes unavailable, Prisma Cloud maintains the scan results for 30 days. After 30 days, the scan results are purged.

4. VM images scan settings

  1. Open Console.

  2. Go to Defend > Vulnerabilities/Compliance > Hosts > VM Images.

  3. Click Add Scope.

    Each scope has the following parameters.

    Field Description

    Version

    Specify the type of VM images to scan. The current supported VM images version is Amazon Machine Image (AMI).

    Console Address

    Specify the Console URL for the scanner VM instance to use.

    Region

    Specify the AWS region to scan.

    VM images

    Specify the names of the VM images to scan. This field supports pattern matching. To scan all VM images, simply enter wildcard (*).

    When this field contains a wildcard (e.g. Amazo*), only private AMIs are scanned. When using explicit image names, AWS Marketplace and community AMIs are scanned as well.
    Only the AMI names are permitted here. AMI IDs are not supported in this field.

    Tags

    Specify the AWS tags to scan. Use the key-value pattern 'key:value'. This field supports pattern matching. To scan VM images with all AWS tags, simply enter wildcard (*).

    Excluded VM images

    Specify VM images to exclude from the scan. This field supports pattern matching.

    Credentials

    Specify the credentials required to access the VM images. If the credentials have already been created in the Prisma Cloud credential store, select it. If not, click Add New.

    Number of scanners

    Number of AMIs to concurrently scan. Increase the number of scanners to increase throughput and reduce scan time.

    Cap

    Specify the maximum number of VM images to scan, sorted according to the 'Creation Date'. The most recently created VM images are scanned first, followed by the image next most recently created image, and so on. To scan all VM images, set CAP to 0.

5. VM images rules

To define which VM images to scan, create a new VM images scan rule.

  1. Open Console.

  2. Go to Defend > Vulnerabilities/Compliance > Hosts > VM Images.

  3. Click Add Rule.

  4. Fill out your policy.

  5. Click Save.

6. Additional scan settings

Additional scan settings can be found under Manage > System > Scan, where you can set the VM images scan interval.