Onboard Accounts for Agentless Scanning
Agentless scanning provides visibility into vulnerabilities and compliance risks on cloud workloads by scanning the root volumes of snapshots. The agentless scanning architecture lets you inspect a host and the container images on that host without installing an agent or affecting the host's execution.
To learn more about the architecture and scan results, see How agentless scanning works.
To configure agentless scanning for your cloud accounts, you must onboard the accounts to Prisma Cloud.
Ensure you can connect to the Prisma Cloud Console over HTTPS from your cloud account. Ideally, your security group denies all incoming traffic and allows one egress port. Review the egress port configuration needed to enable access to the Prisma Cloud console.
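The recommended security-group posture above (deny all inbound traffic, allow a single outbound port for HTTPS to the Console) is easy to state but easy to drift from, especially when the cloud provider's default group allows all egress. The following check is an added example, not Prisma Cloud code: it reads security groups in the JSON shape produced by `aws ec2 describe-security-groups` (the `IpPermissions` and `IpPermissionsEgress` keys), assumes the egress port is 443, and reports anything that deviates. The two sample groups are constructed for illustration.

```python
"""Verify that a security group matches the posture recommended for agentless
scanning: no inbound rules and exactly one outbound rule to the Console port.

Added example, not Prisma Cloud's own code. Assumptions: the JSON shape of
`aws ec2 describe-security-groups` and HTTPS egress on TCP/443.
"""
import json
import sys

CONSOLE_PORT = 443  # assumption: HTTPS egress to the Prisma Cloud Console


def check_security_group(sg: dict, egress_port: int = CONSOLE_PORT) -> list[str]:
    """Return a list of findings; an empty list means the group is compliant."""
    gid = sg.get("GroupId", "<unknown>")
    findings = []

    # 1. Ideally no inbound rules at all.
    ingress = sg.get("IpPermissions", [])
    if ingress:
        findings.append(f"{gid}: {len(ingress)} inbound rule(s); expected none")

    # 2. Exactly one outbound rule ...
    egress = sg.get("IpPermissionsEgress", [])
    if len(egress) != 1:
        findings.append(f"{gid}: {len(egress)} outbound rule(s); expected exactly one")

    # 3. ... and that rule must be limited to the Console port over TCP.
    for rule in egress:
        proto = rule.get("IpProtocol")
        if proto == "-1":  # AWS encodes "all protocols, all ports" as -1
            findings.append(f"{gid}: outbound rule allows all protocols and ports")
            continue
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        if proto != "tcp" or lo != egress_port or hi != egress_port:
            findings.append(
                f"{gid}: outbound rule is {proto}/{lo}-{hi}; expected tcp/{egress_port}"
            )
    return findings


def check_all(groups: list[dict]) -> dict[str, list[str]]:
    """Map each non-compliant group id to its findings."""
    result = {}
    for sg in groups:
        findings = check_security_group(sg)
        if findings:
            result[sg.get("GroupId", "<unknown>")] = findings
    return result


# Constructed sample groups (ids are placeholders, not real resources).
COMPLIANT_SG = {
    "GroupId": "sg-0example1",
    "IpPermissions": [],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
    ],
}
PERMISSIVE_SG = {
    "GroupId": "sg-0example2",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
    ],
    # The provider default: allow-all egress.
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}


if __name__ == "__main__":
    # Usage: aws ec2 describe-security-groups | python check_sg.py
    # With no piped input, the constructed samples are checked instead.
    if sys.stdin.isatty():
        groups = [COMPLIANT_SG, PERMISSIVE_SG]
    else:
        groups = json.load(sys.stdin).get("SecurityGroups", [])
    for gid, findings in check_all(groups).items():
        for line in findings:
            print(line)
```

Run it against the real CLI output before onboarding; a group that passes this check still needs the outbound rule's destination to reach the Console endpoint, which this offline check cannot verify.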
Complete the steps in the following pages to configure agentless scanning for accounts from the supported cloud providers.
When you enable the account on Prisma Cloud, it shows up in Compute > Manage > Cloud accounts after up to 24 hours.
You can change the configuration after onboarding your cloud accounts in Compute > Manage > Cloud accounts. Click the Edit icon to change a specific account, or select multiple accounts.
When you disable an account in Prisma Cloud, the account remains available under Compute > Manage > Cloud accounts for up to 24 hours. After that time, the disabled account is removed from Compute > Manage > Cloud accounts. Until the account is removed, errors occur when you run discovery, agentless, or serverless scans. Any updates to the disabled account are ignored.
The disabled account is marked as deleted in Compute > Manage > Cloud accounts with a garbage bin icon next to it, and you can delete it safely. If you had deleted the account in Compute > Manage > Cloud accounts but then disabled it, the account will show up again in Compute > Manage > Cloud accounts with a garbage bin icon next to it, and you can delete it safely.
Prisma Cloud supports performing agentless configuration at scale. Different cloud providers and authentication subtypes require different configuration fields, which also limits your ability to change accounts in bulk. The Prisma Cloud Console displays all the configuration fields that can be changed across all the selected accounts, and hides those that differ to prevent accidental misconfiguration.
Only change the configuration of multiple accounts from the same cloud provider and of the same authentication subtype. If you select accounts from different providers, you can’t change agentless configuration fields.
The following procedure shows the steps needed to configure agentless scanning for multiple accounts at the same time.
- Go to Compute > Manage > Cloud accounts.
- Select multiple accounts. Only select accounts from the same cloud provider and of the same authentication subtype. If you select accounts from different providers, you can't change agentless configuration fields.
- Click the Bulk actions dropdown.
- Select the Agentless configuration button.
- Change the configuration values for the selected accounts.
- Select Save to save the configuration for the selected accounts.
Start an Agentless Scan
Agentless scans start immediately after onboarding the cloud account. By default, agentless scans are performed every 24 hours, but you can change the interval on the Manage > System > Scan page under Scheduling > Agentless.
To manually start a scan, complete the following steps.
- Go to Compute > Manage > Cloud accounts.
- Click the scan icon in the top right corner of the accounts table.
- Click Start Agentless scan.
- Click the scan icon in the top right corner of the console to view the scan status.
- View the results.
- Go to Compute > Monitor > Vulnerabilities > Hosts or Compute > Monitor > Vulnerabilities > Images.
- Click the Filter hosts text bar.
- Select the Scanned by filter.
- Select the Agentless filter.