Cloud discovery
It’s difficult to ensure that all your apps running on all the different types of cloud services are being properly secured.
If you’re using multiple cloud platforms, you might have many separate accounts per platform.
You could easily have hundreds of combinations of providers, accounts, and regions where cloud native services are being deployed.
Cloud Platforms discovery helps you find all cloud-native services being used in AWS, Azure, and Google Cloud, across all regions, and across all accounts.
Cloud Provider discovery continuously monitors these accounts, detects when new services are added, and reports which services are unprotected.
It can help mitigate your exposure to rogue deployments, abandoned environments, and sprawl.
Cloud Platforms discovery offers coverage for the following services.
Registries:
- AWS
- Azure
- Google Cloud
Serverless functions:
- AWS
- Azure
- Google Cloud
1
Managed platforms:
- AWS ECS
- AWS EKS
- Azure Kubernetes Service (AKS)
- Azure Container Instances (ACI)
- Google Kubernetes Engine (GKE)
Virtual machines:
- AWS EC2 instances
- Azure VMs1
- Google Cloud Platform (GCP) Compute Engine VM instances1
1
Auto-defend is currently not yet available for these services.
Auto-defend utilizes rule-based policies to automatically deploy Prisma Cloud to protect resources in your environment.Minimum permissions
Prisma Cloud needs one set of minimum permissions to discover and itemize all the resources in your account.
After finding those resources, Prisma Cloud typically needs an additional set of permissions to protect them (e.g. retrieve those resources and inspect them for vulnerabilities and compliance issues.
For example, the service account for cloud discovery uses the ecr:DescribeRepositories permission to list all ECR repositories in your AWS accounts.
If you find a repository that’s not being scanned, and you want to configure Prisma Cloud to scan it, Prisma Cloud needs another service account with deeper permissions that lets it auth with the ECR service and download images from the repository (e.g., ecr:GetAuthorizationToken, ecr:BatchGetImage, etc).
The permissions required for cloud discovery to scan your accounts are documented here.
Permissions required to enable protection (e.g. scanning a repo) are documented in each protection feature’s respective article.
AWS
For AWS, Prisma Cloud requires a service account with following minimum permissions policy:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "PrismaCloudComputeCloudDiscovery", "Effect": "Allow", "Action": [ "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeRegions", "ec2:DescribeTags", "ecr:DescribeRepositories", "ecs:DescribeClusters", "ecs:ListClusters", "ecs:ListContainerInstances", "eks:DescribeCluster", "eks:ListClusters", "lambda:GetFunction", "lambda:ListFunctions" ], "Resource": "*" } ] }
Azure
For Azure, Prisma Cloud requires a role with the following minimum permissions:
{ "permissions": [ { "actions": [ "Microsoft.ContainerRegistry/registries/read", "Microsoft.ContainerRegistry/registries/metadata/read", "Microsoft.ContainerService/managedClusters/read", "Microsoft.Web/sites/Read", "Microsoft.ContainerInstance/containerGroups/read", "Microsoft.Compute/virtualMachines/read" ], "notActions": [], "dataActions": [], "notDataActions": [] } ] }
Google Cloud
For GCP, Prisma Cloud requires a service account with the viewer role.
The basic role roles/viewer, however, is very broad with thousands of permissions across all Google Cloud services.
For production environments, use a more tightly scoped service account with the following predefined roles:
Predefined roles:
- Storage Object Viewer (roles/storage.objectViewer)
- Kubernetes Engine Cluster Viewer (roles/container.clusterViewer)
- Cloud Functions Viewer (roles/cloudfunctions.viewer)
Also, create custom role with the following permissions, and attach it to your serivce account.
Configuring cloud platforms discovery
Set up Prisma Cloud to scan your cloud platform accounts for cloud-native resources and services.
Then configure Prisma Cloud to protect them with a single click.
Prerequisites:
You created service accounts for your cloud providers that provide the minimum required permissions, as described here.- Open Console.
- Go toDefend > Compliance > Cloud Platforms.
- Select the accounts to scan with theDiscoverycheckbox. If there are no accounts in the table, add one in the credentials store.
- ClickSave.
- Review the scan report.
- Go toMonitor > Compliance > Cloud Discoveryto see the scan report in tabular format.
- Go toRadarand selectCloudto see the scan report in a visual format.
- ClickProtectfor the entities you want Prisma Cloud to scan for vulnerabilities.When you clickProtect, a new scan rule is proposed. Select the appropriate credential, tweak the scan rule as desired, then clickAdd.
- Scan reports can viewed underMonitor > Vulnerabilities > {Registry|Functions}.
Configuring cloud compliance scans
Prisma Cloud can assess your AWS account against the CIS Amazon Web Services Foundations v1.2.0 benchmark.
This benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services.
It has four sections:
- Identity and Access Management
- Logging
- Monitoring
- Networking
As with all scanning in Prisma Cloud, there are two flows:
- Periodic scanning, which is configurable inManage > System > Scan, and set to a default of once every 24 hours.
- Manual scanning, which lets you force a scan immediately by pressing theScanbutton inMonitor > Compliance > Cloud Compliance.
Prerequisites:
- You have a service account with the following minimum permissions policy.{ "Version": "2012-10-17", "Statement": [ { "Sid": "PrismaCloudComputeCloudCompliance0", "Effect": "Allow", "Action": [ "cloudtrail:DescribeTrails", "cloudtrail:GetEventSelectors", "cloudwatch:DescribeAlarms", "config:DescribeConfigurationRecorders", "config:DescribeConfigurationRecorderStatus", "iam:GenerateCredentialReport", "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary" "iam:GetCredentialReport", "iam:GetPolicyVersion", "iam:ListEntitiesForPolicy", "iam:ListPolicies", "iam:ListUsers", "iam:ListVirtualMFADevices", "kms:ListAliases", "kms:ListKeys", "logs:DescribeMetricFilters", "s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketPolicy", "s3:ListAllMyBuckets", "sns:ListSubscriptions", ], "Resource": "*" }, { "Sid": "PrismaCloudComputeCloudCompliance1", "Effect": "Allow", "Action": [ "cloudtrail:GetTrailStatus", "iam:ListAttachedUserPolicies", "iam:ListUserPolicies" "kms:GetKeyRotationStatus", "sns:ListSubscriptionsByTopic", ], "Resource": [ "arn:aws:cloudtrail:*:*:trail/*", "arn:aws:iam::*:user/*", "arn:aws:kms:*:*:key/*", "arn:aws:sns:*:*:*" ] } ] }
- Open Console.
- Go toDefend > Compliance > Cloud Platforms.
- Select the accounts to scan with theCompliancecheckbox. If there are no accounts in the table, add one in the credentials store. Compliance checks are only available for AWS.
- Choose the compliance checks to enable. By default, all critical and high checks are set to alert.
- ClickSave.
- Go toMonitor > Compliance > Cloud Complianceto review the scan reports in tabular format.Alternatively, go toRadar, selectCloud, and click through the markers to explore the corresponding account’s compliance results.