Focus

Prisma Cloud Compute Edition Administrator’s Guide

Onboard Accounts for Agentless Scanning

Table of Contents

Onboard Accounts for Agentless Scanning

Agentless scanning provides visibility into vulnerabilities and compliance risks on cloud workloads by scanning the root volumes of snapshots. The agentless scanning architecture lets you inspect a host and the container images in that host without having to install an agent or affecting its execution.

To learn more about the architecture and scan results, see How agentless scanning works?

Prerequisites

To configure agentless scanning you must ensure the following requirements are met.

Ensure you have permissions to create service keys and security groups in your cloud account.

Ensure you have permissions to apply agentless permission templates to your cloud account.

Ensure you can connect to the Prisma Cloud Console over HTTPS from your cloud account. Ideally, your configuration denies all incoming traffic and allows the tcp/8083` egress port for Prisma Cloud Compute Edition. Review the egress port configuration needed to enable access to the Prisma Cloud console

Unless you are using a proxy to connect to the Prisma Cloud Console, you must enable auto-assign public IPs on the subnet or security group you use to connect your cloud account to the Prisma Cloud Console.

To understand what permissions will be needed for agentless scanning, refer to our full permission list. The downloaded templates from Console add conditions around these permissions to ensure least privileged roles in your accounts. To learn more about the credentials you can use, go to our credentials store page.

Complete the steps in the following pages to configure agentless scanning for accounts from the supported cloud providers.

Amazon Web Services

Microsoft Azure

Google Cloud Platform

Oracle Cloud Infrastructure

You can change default values after onboarding them in Manage > Cloud accounts
.

Click the Edit
icon to change a specific account or select multiple accounts and complete the following steps to change the configuration of multiple accounts at once.

Only change the configuration of multiple accounts from the same cloud provider and of the same authentication subtype. If you select accounts from different providers, you can’t change agentless configuration fields.

Bulk Actions

Prisma Cloud supports performing agentless configuration at scale. Different cloud providers and authentication subtypes require different configuration fields, which also limits your ability to change accounts in bulk. The Prisma Cloud Console displays all the configuration fields that can be changed across all the selected accounts, and hides those that differ to prevent accidental misconfiguration.

The following procedure shows the steps needed to configure agentless scanning for multiple accounts at the same time.

Go to Compute > Manage > Cloud accounts

Select multiple accounts.

Only select accounts from the same cloud provider and of the same authentication subtype. If you select accounts from different providers, you can’t change agentless configuration fields.

Click the Bulk actions
dropdown.

Select the Agentless configuration
button.

Change the configuration values for the selected accounts.

Select Save
to save the configuration for the selected accounts.

Cloud Account Manager Role

Use the Cloud Account Manager
user role to grant full read and write access to all cloud account settings. This role can manage credentials, and change Agentless Scanning
and Cloud Discovery
configuration.

Start an Agentless Scan

Agentless scans start immediately after onboarding the cloud account. By default, agentless scans are performed every 24 hours, but you can change the interval on the Manage > System > Scan
page under Scheduling > Agentless
.