Onboard AWS Accounts for Agentless Scanning

Prisma Cloud gives you the flexibility to choose between agentless security and agent-based security using Defenders. Agentless scanning lets you inspect the risks and vulnerabilities of a cloud workload or container image without installing an agent or affecting the execution of your workload. Prisma Cloud supports agentless scanning for vulnerabilities and compliance on AWS hosts, containers, and clusters. To learn more about how agentless scanning works, see How Agentless Scanning Works.
To onboard your AWS account for agentless scanning, complete the following tasks.

Onboard your AWS account to Prisma Cloud

  1. Log in to your Prisma Cloud administrative console.
  2. Go to Settings > Cloud Accounts > Add Cloud Account.
  3. Select AWS as the cloud provider.
  4. Provide the following information on the Get Started page.
    1. Select Account as the Onboard type.
    2. Enter an account name to identify the account in Prisma Cloud.
    3. Enter the AWS account ID for the account you want to onboard.
    4. Click Next.
  5. Select the Security Capabilities you need. Agentless Scanning and Serverless Function Scanning are enabled by default.
  6. Click Next.
  7. Click Download IAM Role CFT.
  8. Create the AWS stack.
    1. Go to the AWS CloudFormation console for your account.
    2. Go to Select Services > CloudFormation > Stacks.
    3. Click Create Stack and select the With new resources option.
    4. Click Upload a template file.
    5. Upload the IAM Role CFT file obtained from Prisma Cloud.
    6. Click Next.
    7. Enter a name for the stack.
    8. Check the box labeled I acknowledge that AWS CloudFormation might create IAM resources with custom names.
    9. Click Create stack.
  9. Once the CREATE_COMPLETE status is displayed, go to the Outputs tab and copy the value of PrismaCloudRoleARN.
  10. Paste the ARN for the IAM role into the Prisma Cloud console.
  11. Click Next.
  12. On the Assign Account Groups page, select the account group in Prisma Cloud to associate with your AWS account.
  13. Click Next.
  14. Review the status of each of the services and fix any issues.
  15. Click Save.

Configure Agentless Scanning

  1. Log in to the Prisma Cloud administrative console.
  2. Select Compute > Manage > Cloud Accounts.
  3. Click the edit button of your cloud account.
  4. Go to the Agentless Scanning section.
  5. Expand the Advanced settings and provide the following information.
    1. Enable Permissions check to verify that the permissions are correct before running a scan.
    2. Scanning type: For AWS accounts, you can choose between two scanning modes.
      1. Same Account: Scan hosts of your AWS account using that same account.
      2. Hub Account: Scan hosts of your AWS account using a different account. Select from the list another onboarded account that will scan the account you are onboarding.
    3. Enter a Proxy value if traffic leaving your AWS tenant uses a proxy.
    4. Under Scan scope, choose All regions to scan in all AWS regions. If you choose Custom regions, enter the AWS region in which you want Prisma Cloud to scan.
    5. Enter tags under Exclude VMs by tags to further limit the scope of the scan.
    6. Choose whether or not to Scan non running hosts.
    7. Choose whether or not to enable Auto-scale scanning. If you disable auto-scale, specify the number of scanners Prisma Cloud should employ.
    8. Enter an optional Security group. If the default VPC isn't available in all the regions of your AWS account, follow the AWS instructions for creating, in the Amazon VPC console, a custom security group that allows an egress connection to Prisma Cloud on port 443.
  6. Click Next.
  7. Leave the Discovery features unchanged.
  8. Click Save to return to Compute > Manage > Cloud accounts.

Start an Agentless Scan

Agentless scans start immediately after onboarding the cloud account. By default, agentless scans are performed every 24 hours, but you can change the interval on the Manage > System > Scan page under Scheduling > Agentless.
To manually start a scan, complete the following steps.
  1. Go to Compute > Manage > Cloud accounts.
  2. Click the scan icon in the top right corner of the accounts table.
  3. Click Start Agentless scan.
  4. Click the scan icon in the top right corner of the console to view the scan status.
  5. View the results.
    1. Go to Compute > Monitor > Vulnerabilities > Hosts or Compute > Monitor > Vulnerabilities > Images.
    2. Click the Filter hosts text bar.
    3. Select the Scanned by filter.
    4. Select the Agentless filter.