1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Compliance
    6. Cloud discovery
    End-of-Life (EoL)

    Cloud discovery

    It’s difficult to ensure that all your apps running on all the different types of cloud services are being properly secured. If you’re using multiple cloud platforms, you might have many separate accounts per platform. You could easily have hundreds of combinations of providers, accounts, and regions where cloud native services are being deployed.
    Cloud Platforms discovery helps you find all cloud-native services being used in AWS, Azure, and Google Cloud, across all regions, and across all accounts. Cloud Provider discovery continuously monitors these accounts, detects when new services are added, and reports which services are unprotected. It can help mitigate your exposure to rogue deployments, abandoned environments, and sprawl.
    Cloud Platforms discovery offers coverage for the following services.
    Registries:
    • AWS
    • Azure
    • Google Cloud
    Serverless functions:
    • AWS
    • Azure
    • Google Cloud
    1
    Managed platforms:
    • AWS ECS
    • AWS EKS
    • Azure Kubernetes Service (AKS)
    • Azure Container Instances (ACI)
    • Google Kubernetes Engine (GKE)
    1
    One-click protection is currently not yet available for these services. One-click protection lets you deploy Prisma Cloud to protect a resource directly from the scan results page.

    Configuring cloud platforms discovery

    Set up Prisma Cloud to scan your cloud platform accounts for cloud-native resources and services. Then configure Prisma Cloud to protect them with a single click.
    Prerequisites:
    • For AWS, you’ve got a service account with following minimum permissions policy:
      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lambda:ListFunctions",
                "ecr:DescribeRepositories",
                "eks:DescribeCluster",
                "ecs:ListContainerInstances",
                "eks:ListClusters",
                "ecs:DescribeClusters",
                "ecs:ListClusters"
            ],
            "Resource": "*"
        }
    ]
}
    1. Open Console.
    2. Go to
      Defend > Compliance > Cloud Platforms
      .
    3. Select the accounts to scan with the
      Discovery
       checkbox. If there are no accounts in the table, add one in the credentials store.
    4. Click
      Save
      .
    5. Review the scan report.
      1. Go to
        Monitor > Compliance > Cloud Discovery
         to see the scan report in tabular format.
      2. Go to
        Radar
         and select
        Cloud
         to see the scan report in a visual format.
      3. Click
        Protect
         for the entities you want Prisma Cloud to scan for vulnerabilities.
        When you click
        Protect
        , a new scan rule is proposed. Select the appropriate credential, tweak the scan rule as desired, then click
        Add
        .
      4. Scan reports can viewed under
        Monitor > Vulnerabilities > {Registry|Functions}
        .

    Configuring cloud compliance scans

    Prisma Cloud can assess your AWS account against the CIS Amazon Web Services Foundations v1.2.0 benchmark. This benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services. It has four sections:
    • Identity and Access Management
    • Logging
    • Monitoring
    • Networking
    As with all scanning in Prisma Cloud, there are two flows:
    • Periodic scanning, which is configurable in
      Manage > System > Scan
      , and set to a default of once every 24 hours.
    • Manual scanning, which lets you force a scan immediately by pressing the
      Scan
       button in
      Monitor > Compliance > Cloud Compliance
      .
    Prerequisites:
    • You have a service account with the following minimum permissions policy.
      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:GenerateCredentialReport",
                "iam:GetPolicyVersion",
                "iam:GetAccountPasswordPolicy",
                "s3:GetBucketLogging",
                "iam:ListEntitiesForPolicy",
                "logs:DescribeMetricFilters",
                "sns:ListSubscriptions",
                "cloudtrail:GetEventSelectors",
                "s3:GetBucketAcl",
                "config:DescribeConfigurationRecorderStatus",
                "s3:GetBucketPolicy",
                "iam:ListVirtualMFADevices",
                "cloudtrail:DescribeTrails",
                "kms:ListKeys",
                "config:DescribeConfigurationRecorders",
                "s3:ListAllMyBuckets",
                "kms:ListAliases",
                "cloudwatch:DescribeAlarms",
                "iam:ListUsers",
                "iam:GetCredentialReport",
                "s3:GetBucketLocation",
                "iam:GetAccountSummary"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "sns:ListSubscriptionsByTopic",
                "kms:GetKeyRotationStatus",
                "cloudtrail:GetTrailStatus",
                "iam:ListAttachedUserPolicies",
                "iam:ListUserPolicies"
            ],
            "Resource": [
                "arn:aws:iam::*:user/*",
                "arn:aws:cloudtrail:*:*:trail/*",
                "arn:aws:kms:*:*:key/*",
                "arn:aws:sns:*:*:*"
            ]
        }
    ]
}
    1. Open Console.
    2. Go to
      Defend > Compliance > Cloud Platforms
      .
    3. Select the accounts to scan with the
      Compliance
       checkbox. If there are no accounts in the table, add one in the credentials store. Compliance checks are only available for AWS.
    4. Choose the compliance checks to enable. By default, all critical and high checks are set to alert.
    5. Click
      Save
      .
    6. Go to
      Monitor > Compliance > Cloud Compliance
       to review the scan reports in tabular format.
      Alternatively, go to
      Radar
      , select
      Cloud
      , and click through the markers to explore the corresponding account’s compliance results.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo