Onboard AWS Accounts for Agentless Scanning
Prisma Cloud gives you the flexibility to choose between agentless security and agent-based security using Defenders. Agentless scanning lets you inspect the risks and vulnerabilities of a cloud workload or container image without installing an agent or affecting the execution of your workload. Prisma Cloud supports agentless scanning for vulnerabilities and compliance on AWS hosts, containers, and clusters. To learn more about how agentless scanning works, see How Agentless Scanning Works.
To onboard your AWS account for agentless scanning, you need to complete the following tasks.
Onboard your AWS account to Prisma Cloud
- Log in to your Prisma Cloud administrative console.
- Go to Settings > Cloud Accounts > Add Cloud Account.
- Select AWS as the cloud provider.
- Provide the following information on the Get Started page.
  - Select Account as the Onboard type.
  - Enter an account name to identify the account in Prisma Cloud.
  - Enter the AWS account ID for the account you want to onboard.
  - Click Next.
- Select the Security Capabilities you need. Agentless Scanning and Serverless Function Scanning are enabled by default.
- Click Next.
- Click Download IAM Role CFT.
- Create the AWS stack.
  - Go to the AWS CloudFormation console for your account.
  - Go to Select Services > CloudFormation > Stacks.
  - Click Create Stack and select the With new resources option.
  - Click Upload a template file.
  - Upload the IAM Role CFT file obtained from Prisma Cloud.
  - Click Next.
  - Enter a name for the stack.
  - Check the box labeled I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  - Click Create stack.
  - Once the CREATE_COMPLETE status is displayed, go to the Outputs tab and copy the value of PrismaCloudRoleARN.
- Paste the ARN for the IAM role into the Prisma Cloud console.
- Click Next.
- Select the account group in Prisma Cloud to associate with your AWS account on the Assign Account Groups page.
- Click Next.
- Review the status of each of the services and fix any issues.
- Click Save.
Configure Agentless Scanning
- Log in to the Prisma Cloud administrative console.
- Select Compute > Manage > Cloud Accounts.
- Click the edit button of your cloud account.
- Go to the Agentless Scanning section.
- Expand the Advanced settings and provide the following information.
  - Enable Permissions check to verify that the permissions are correct before running a scan.
  - Scanning type: For AWS accounts, you can decide between two scanning modes.
    - Same Account: Scan hosts of your AWS account using that same account.
    - Hub Account: Scan hosts of your AWS account using a different account. Select from the list another onboarded account that will scan the account you are onboarding.
  - Enter a Proxy value if traffic leaving your AWS tenant uses a proxy.
  - Under Scan scope you can choose All regions to scan in all AWS regions. If you choose Custom regions, enter the AWS regions in which you want Prisma Cloud to scan.
  - Enter tags under Exclude VMs by tags to further limit the scope of the scan.
  - Choose whether or not to Scan non running hosts.
  - Choose whether or not to enable Auto-scale scanning. If you disable auto-scale, specify the number of scanners Prisma Cloud should employ.
  - Enter an optional Security group. If the default VPC isn't available in all the regions of your AWS account, follow the AWS instructions for creating a custom security group that allows an egress connection to Prisma Cloud on port 443 in the Amazon VPC Console.
- Click Next.
- Leave the Discovery features unchanged.
- Click Save to return to Compute > Manage > Cloud accounts.
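The CloudFormation stack steps above and the custom egress-only security group from the Advanced settings can also be done from the AWS CLI. The script below is an added example, not Prisma Cloud's own tooling: the stack name, template file name, VPC ID and the 0.0.0.0/0 egress CIDR are assumptions, while PrismaCloudRoleARN is the stack output named above and CAPABILITY_NAMED_IAM is the CLI form of the IAM acknowledgement checkbox.

```shell
# Added example (not Prisma Cloud tooling): CloudFormation and security group
# steps from the AWS CLI. Needs the aws CLI and credentials for the onboarded account.
set -eu

# Check that an ARN is an IAM role in the expected 12-digit account (commercial
# partition assumed), so the value pasted into Prisma Cloud is the right account's.
validate_role_arn() {
  arn="$1"; expected_account="$2"
  printf '%s' "$expected_account" | grep -Eq '^[0-9]{12}$' || return 1
  case "$arn" in
    arn:aws:iam::"$expected_account":role/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Create the stack from the downloaded IAM Role CFT and wait for CREATE_COMPLETE.
# CAPABILITY_NAMED_IAM is the CLI form of the console's "might create IAM
# resources with custom names" acknowledgement. Prints the PrismaCloudRoleARN output.
deploy_prisma_role_stack() {
  stack="$1"; template="$2"
  aws cloudformation create-stack --stack-name "$stack" \
    --template-body "file://$template" --capabilities CAPABILITY_NAMED_IAM >/dev/null
  aws cloudformation wait stack-create-complete --stack-name "$stack"
  aws cloudformation describe-stacks --stack-name "$stack" --output text \
    --query "Stacks[0].Outputs[?OutputKey=='PrismaCloudRoleARN'].OutputValue"
}

# Custom security group for the scanners: no ingress, egress only on TCP 443. A new
# group starts with an allow-all egress rule, so revoke it first. 0.0.0.0/0 is assumed.
create_scanner_security_group() {
  vpc_id="$1"
  sg=$(aws ec2 create-security-group --vpc-id "$vpc_id" \
    --group-name prisma-agentless-scanners \
    --description "Egress 443 only for Prisma Cloud agentless scanners" \
    --query GroupId --output text)
  aws ec2 revoke-security-group-egress --group-id "$sg" \
    --ip-permissions 'IpProtocol=-1,IpRanges=[{CidrIp=0.0.0.0/0}]' >/dev/null
  aws ec2 authorize-security-group-egress --group-id "$sg" \
    --ip-permissions 'IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges=[{CidrIp=0.0.0.0/0}]' >/dev/null
  echo "$sg"
}

# Usage: onboard.sh <aws-account-id> [vpc-id]; without arguments only the functions load.
if [ -n "${1:-}" ]; then
  role_arn=$(deploy_prisma_role_stack PrismaCloudRole prisma-cloud-iam-role.yaml)
  validate_role_arn "$role_arn" "$1" || { echo "unexpected ARN: $role_arn" >&2; exit 1; }
  echo "Paste this ARN into Prisma Cloud: $role_arn"
  if [ -n "${2:-}" ]; then create_scanner_security_group "$2"; fi
fi
```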
Start an Agentless Scan
Agentless scans start immediately after onboarding the cloud account.
By default, agentless scans are performed every 24 hours, but you can change the interval on the Manage > System > Scan page under Scheduling > Agentless.
To manually start a scan, complete the following steps.
- Go to Compute > Manage > Cloud accounts.
- Click the scan icon in the top right corner of the accounts table.
- Click Start Agentless scan.
- Click the scan icon in the top right corner of the console to view the scan status.
- View the results.
  - Go to Compute > Monitor > Vulnerabilities > Hosts or Compute > Monitor > Vulnerabilities > Images.
  - Click on the Filter hosts text bar.
  - Select the Scanned by filter.
  - Select the Agentless filter.