Configure VM image scanning

Prisma Cloud supports scanning VM images on AWS, Azure and GCP. Prisma Cloud can scan Linux Amazon Machine Images (AMIs) on AWS. On Azure, Prisma Cloud supports Managed, Gallery and Marketplace images. On GCP, Prisma Cloud supports Public and Custom images (including Premium images).

AWS

The following AMIs aren’t supported:
  • Images that don’t use cloud-init for bootstrapping, such as Red Hat Enterprise Linux CoreOS (CoreOS for OpenShift). RHCOS uses Ignition.
  • Images that use paravirtualization.
  • Images that only support old TLS protocols (less than TLS 1.1) for utilities such as curl. For example, Ubuntu 12.10.

Azure

Three image types are supported:
  • Marketplace images (publicly available images).
  • Managed (custom) images.
  • Shared image galleries.
The following images aren’t supported:
  • Azure paid images.
  • Encrypted images.

GCP

The following image types are supported:
  • Public images (including Premium images).
  • Custom images.
The following images aren’t supported:
  • Encrypted images.

Prerequisites

AWS

  • The service account Prisma Cloud uses to scan AMIs must have at least the following policy:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "PrismaCloudComputeAMIScanning",
          "Effect": "Allow",
          "Action": [
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:CreateSecurityGroup",
            "ec2:CreateTags",
            "ec2:DeleteSecurityGroup",
            "ec2:DescribeImages",
            "ec2:DescribeInstances",
            "ec2:DescribeSecurityGroups",
            "ec2:RevokeSecurityGroupEgress",
            "ec2:RunInstances",
            "ec2:TerminateInstances"
          ],
          "Resource": "*"
        }
      ]
    }
  • A default VPC is required, and traffic from the default VPC to Console on the port used for Defender-to-Console communication must be allowed, so that the Defenders on the VMs Console creates can send scan results back.
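To check that a scanning service account's policy grants this minimum and nothing broader before enabling scans, here is an added Python example (not Prisma Cloud code): it evaluates an IAM policy document against the action list above and reports required actions that are missing or explicitly denied, plus any wildcard grants. It assumes the policy is available as JSON (for example from the AWS CLI) and, as a simplification, ignores NotAction, Condition and Resource scoping.

```python
import fnmatch
import json

# Minimum actions the page lists for the AMI-scanning service account.
REQUIRED_ACTIONS = {
    "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress",
    "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:DeleteSecurityGroup",
    "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeSecurityGroups",
    "ec2:RevokeSecurityGroupEgress", "ec2:RunInstances", "ec2:TerminateInstances",
}

def _as_list(value):
    """IAM lets Statement, Action and Resource be a string or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _matches(pattern, action):
    """IAM action names are case-insensitive and patterns may contain '*'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def check_scanner_policy(policy_json):
    """Return (missing, wildcard_grants) for an IAM policy document.

    missing: required actions not granted (no Allow match, or an explicit Deny).
    wildcard_grants: Allow patterns containing '*', i.e. broader than the page's minimum.
    Simplification (assumption): NotAction, Condition and Resource scoping are ignored."""
    allow, deny = [], []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        bucket = allow if stmt.get("Effect") == "Allow" else deny
        bucket.extend(_as_list(stmt.get("Action")))

    def granted(action):
        return (any(_matches(p, action) for p in allow)
                and not any(_matches(p, action) for p in deny))

    missing = sorted(a for a in REQUIRED_ACTIONS if not granted(a))
    return missing, sorted(p for p in allow if "*" in p)

# Sample documents: a copy of the page's minimum policy, a constructed over-broad
# policy, and a constructed policy where a Deny statement removes a required action.
PAGE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PrismaCloudComputeAMIScanning", "Effect": "Allow",
    "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"}]})
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]})
DENIED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*"}]})
```

Call check_scanner_policy on each document: the page's policy yields no findings, the broad one reports the "ec2:*" grant, and the denied one reports ec2:RunInstances as missing.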

Azure

  • The service account Prisma Cloud uses to scan Azure images must have at least the following policy:
    Microsoft.Compute/locations/publishers/artifacttypes/offers/skus/versions/read
    Microsoft.Compute/images/read
    Microsoft.Compute/galleries/read
    Microsoft.Compute/galleries/images/read
    Microsoft.Compute/galleries/images/versions/read
    Microsoft.Resources/subscriptions/resourceGroups/read
    Microsoft.Resources/subscriptions/resourceGroups/write
    Microsoft.Resources/subscriptions/resourceGroups/delete
    Microsoft.Network/networkSecurityGroups/read
    Microsoft.Network/networkSecurityGroups/write
    Microsoft.Network/networkSecurityGroups/join/action
    Microsoft.Network/networkSecurityGroups/delete
    Microsoft.Network/networkInterfaces/read
    Microsoft.Network/networkInterfaces/write
    Microsoft.Network/networkInterfaces/join/action
    Microsoft.Network/networkInterfaces/delete
    Microsoft.Compute/disks/write
    Microsoft.Compute/disks/delete
    Microsoft.Network/virtualNetworks/subnets/read
    Microsoft.Network/virtualNetworks/subnets/join/action
    Microsoft.Compute/virtualMachines/read
    Microsoft.Compute/virtualMachines/write
    Microsoft.Compute/virtualMachines/start/action
    Microsoft.Compute/virtualMachines/delete

GCP

  • The service account Prisma Cloud uses to scan GCP VM images must have at least the following policy:
    compute.disks.create
    compute.images.get
    compute.images.list
    compute.images.useReadOnly
    compute.instances.create
    compute.instances.delete
    compute.instances.get
    compute.instances.list
    compute.instances.setMetadata
    compute.instances.setTags
    compute.networks.get
    compute.networks.updatePolicy
    compute.networks.use
    compute.networks.useExternalIp
    compute.subnetworks.use
    compute.subnetworks.useExternalIp

Deployment

VM image scanning is handled by the Console. Prisma Cloud’s Console scans a VM image by creating a VM instance that runs the image to be scanned. When you configure Prisma Cloud to scan VM images, you can define the number of scanners to use. Defining more than one scanner means that the Console creates that many VM instances and scans multiple VM images simultaneously. For scanning large numbers of VM images, increase the number of scanners to improve throughput and reduce scan time.
If you remove a VM image, or it becomes unavailable, Prisma Cloud maintains the scan results for 30 days. After 30 days, the scan results are purged.

VM images scan settings

  1. Open Console.
  2. Go to Defend > Vulnerabilities/Compliance > Hosts > VM Images.
  3. Click Add Scope.
    Each scope has the following parameters.

    Provider
      Specify the cloud provider. The currently supported providers are AWS, Azure and GCP.
    Credential
      Specify the credential required to access the VM images. If the credential has already been created in the Prisma Cloud credential store, select it. If not, click Add New.
    Project ID (only GCP)
      If unspecified, the project ID where the service account was created is used.
    Image type (only Azure)
      Specify the relevant image type. Prisma Cloud supports three image types: Managed, Gallery and Marketplace.
    Scope
      Specify the VM images to scan. To scan all images, use the All collection.
      When the image field in the referenced collection contains a string and a wildcard (e.g. Amazo*), only private AMIs are scanned. When explicit image names are used, AWS Marketplace and community AMIs are scanned as well.
      Only AMI names are permitted in the image field of the collection. AMI IDs are not supported.
      Use the label field in the referenced collection to restrict the scan by AWS tag, using the key-value pattern 'key:value'.
      All supported resource fields support pattern matching.
    Excluded VM images
      Specify VM images to exclude from the scan. This field supports pattern matching.
    Region
      Specify the region to scan.
    Console address
      Specify the Console URL for the scanner VM instance to use.
    API communication port
      If your Console listens on a port other than the default, specify the port number. By default, Console listens on port 8083.
    Zone (only GCP)
      Specify the zone where scan instances will be deployed.
    Number of scanners
      Number of VM images to scan concurrently. Increase the number of scanners to increase throughput and reduce scan time.
    Cap
      Specify the maximum number of VM images to scan, ordered by creation date: the most recently created VM image is scanned first, then the next most recently created one, and so on.
      For Azure Marketplace and Managed images, the images are scanned according to their resource ID, in descending lexicographic order (i.e., ID3, then ID2, then ID1).
      To scan all VM images, set Cap to 0.
    VPC Name (only GCP)
      If you want a custom VPC for the scanner VM instance, specify the VPC name.
    VPC ID (only AWS)
      If you want a custom VPC for the scanner VM instance, specify the VPC ID to use (e.g., vpc-xxxxx).
    Subnet Name (only GCP)
      If you want a custom subnet for the scanner VM instance, specify the subnet name.
    Subnet ID (only AWS)
      If you want a custom subnet for the scanner VM instance, specify the subnet ID to use (e.g., subnet-xxxxx).
    Subnet Resource ID (only Azure)
      Specify the Resource ID of the subnet where scan instances should be deployed.
    Instance Type
      The default instance type is m4.large. If you want a custom instance size for the scanner VM instance, specify the desired instance type. Avoid nano instance types, as they can increase the scan time.
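To predict which images a given scope, exclusion list, label and Cap will select before the scanners are launched, here is an added Python model of the Scope and Cap rules in the table above (example code, not Prisma Cloud's own implementation). Assumptions: '*' pattern matching is shell-style glob, the label filter is an exact key:value tag match, and the image inventory is a constructed list rather than one fetched from the cloud API.

```python
import fnmatch
from dataclasses import dataclass, field

@dataclass
class Image:
    name: str
    created: str               # ISO date; sorts lexicographically by creation date
    private: bool = True       # False for AWS Marketplace / community AMIs
    tags: dict = field(default_factory=dict)
    resource_id: str = ""      # Azure resource ID, used for Marketplace/Managed ordering

def in_scope(img, scope_names):
    """Page rule: a name containing a wildcard matches private AMIs only; an
    explicit name also matches Marketplace and community AMIs."""
    for pattern in scope_names:
        if "*" in pattern:
            if img.private and fnmatch.fnmatchcase(img.name, pattern):
                return True
        elif img.name == pattern:
            return True
    return False

def select_images(images, scope_names, excluded=(), label=None, cap=0,
                  provider="aws", image_type=None):
    """Apply scope, exclusions and the 'key:value' label filter, then order and cap."""
    key, _, value = (label or "").partition(":")
    chosen = [img for img in images
              if in_scope(img, scope_names)
              and not any(fnmatch.fnmatchcase(img.name, p) for p in excluded)
              and (not label or img.tags.get(key) == value)]  # assumed exact tag match
    if provider == "azure" and image_type in ("marketplace", "managed"):
        chosen.sort(key=lambda i: i.resource_id, reverse=True)  # ID3, ID2, ID1
    else:
        chosen.sort(key=lambda i: i.created, reverse=True)      # newest first
    return chosen if cap == 0 else chosen[:cap]                  # Cap 0 = scan all

def names(images):
    return [img.name for img in images]

# Constructed inventory (not real AMIs).
INVENTORY = [
    Image("AmazonLinux-2024-05", "2024-05-01", tags={"env": "prod"}),
    Image("AmazonLinux-2024-03", "2024-03-01", tags={"env": "prod"}),
    Image("AmazonLinux-test", "2024-04-01", tags={"env": "test"}),
    Image("Amazon-Marketplace-Base", "2024-06-01", private=False),
    Image("ubuntu-golden", "2024-02-01", tags={"env": "prod"}),
]
```

With this inventory, the scope "Amazo*" selects the three private AmazonLinux images newest first and skips the Marketplace AMI, whereas naming "Amazon-Marketplace-Base" explicitly includes it.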

VM images rules

To define which VM images to scan, create a new VM images scan rule.
  1. Open Console.
  2. Go to Defend > Vulnerabilities/Compliance > Hosts > VM Images.
  3. Click Add Rule.
  4. Fill out your policy.
  5. Click Save.

Additional scan settings

Additional scan settings can be found under Manage > System > Scan, where you can set the VM images scan interval.

General Notes

  • VM image scanning results older than 30 days are automatically deleted.
  • On upgrade, VM image scanning results are deleted.
  • When a scan is cancelled, it might take a few minutes for the scan to stop completely.
