1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Vulnerability management
    6. Configure VM image scanning
    End-of-Life (EoL)

    Configure VM image scanning

    Prisma Cloud can scan Linux Amazon Machine Images (AMIs).
    The following AMIs aren’t supported:
    • Images that don’t use cloud-init for bootstrapping, such as Red Hat Enterprise Linux CoreOS (CoreOS for OpenShift). RHCOS uses Ignition.
    • Images that use paravirtualization.
    • Images that only support old TLS protocols (less than TLS 1.1) for utilities such as curl. For example, Ubuntu 12.10.

    Prerequisites

    • The service account Prisma Cloud uses to scan AMIs must have at least the following policy:
      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PrismaCloudComputeAMIScanning",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeSecurityGroups",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RunInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": "*"
        }
    ]
}
    • A default VPC is required, and access from the default VPC to Console via the port used for Defender to Console communication must be allowed to enable Defenders on VMs created by Console to send scan results back.

    Deployment

    VM image scanning is handled by the Console. Prisma Cloud’s Console scans a VM image by creating a VM instance which is running the VM image to be scanned. When you configure Prisma Cloud to scan VM images, you can define the number of scanners to use. Defining more than one scanner means that the Console will create a number of VM instances to scan multiple VM images simultaneously. For scanning large numbers of VM images, increase the number of scanners to improve throughput and reduce scan time.
    If you remove a VM image, or it becomes unavailable, Prisma Cloud maintains the scan results for 30 days. After 30 days, the scan results are purged.

    VM images scan settings

    1. Open Console.
    2. Go to
      Defend > Vulnerabilities/Compliance > Hosts > VM Images
      .
    3. Click
      Add Scope
      .
      Each scope has the following parameters.
      Field
      Description
      Version
      Specify the type of VM images to scan. The current supported VM images version is Amazon Machine Image (AMI).
      Console address
      Specify the Console URL for the scanner VM instance to use.
      API communication port
      If your Console listens on a port other than the default port, specify the port number.
      By default, Console listens on port 8083.
      Region
      Specify the AWS region to scan.
      Scope
      Specify the the VM images to scan. To scan all images, use the
      All
       collection.
      When the image field in the reference collection contains a string and a wildcard (e.g. Amazo*), only private AMIs are scanned. When using explicit image names, AWS Marketplace and community AMIs are scanned as well.
      Only the AMI names are permitted in the image field of the collection. AMI IDs are not supported.
      Use the label field in the referenced collection to restrain the scan by AWS tag. Use the key-value pattern 'key:value'.
      All supported resource fileds support pattern matching.
      Excluded VM images
      Specify VM images to exclude from the scan. This field supports pattern matching.
      Credentials
      Specify the credentials required to access the VM images. If the credentials have already been created in the Prisma Cloud credential store, select it. If not, click
      Add New
      .
      Number of scanners
      Number of AMIs to concurrently scan. Increase the number of scanners to increase throughput and reduce scan time.
      Cap
      Specify the maximum number of VM images to scan, sorted according to the 'Creation Date'. The most recently created VM images are scanned first, followed by the image next most recently created image, and so on. To scan all VM images, set CAP to 0.
      VPC ID
      If you want a custom VPC for the scanner VM instance, specify the VPC id to use (e.g., vpc-xxxxx).
      Subnet ID
      If you want a custom subnet for the scanner VM instance, specify the subnet id to use (e.g., subnet-xxxxx).
      Instance Type
      The default size is m4.large, if you want a custom instance size for the scanner VM instance, specify the desired instance type. Recommend not to choose nano types, as they can increase the scan time.

    VM images rules

    To define which VM images to scan, create a new VM images scan rule.
    1. Open Console.
    2. Go to
      Defend > Vulnerabilities/Compliance > Hosts > VM Images
      .
    3. Click
      Add Rule
      .
    4. Fill out your policy.
    5. Click
      Save
      .

    Additional scan settings

    Additional scan settings can be found under
    Manage > System > Scan
    , where you can set the VM images scan interval.