Onboard AWS Accounts for Agentless Scanning

Prisma Cloud gives you the flexibility to choose between agentless security and agent-based security using Defenders. Agentless scanning lets you inspect the risks and vulnerabilities of a cloud workload or container image without installing an agent or affecting the execution of your workload. Prisma Cloud supports agentless scanning for vulnerabilities and compliance on AWS hosts, containers, and clusters. To learn more about how agentless scanning works, see the How Agentless Scanning Works?[How Agentless Scanning Works?]
To onboard your AWS account for agentless scanning, you need to complete the following tasks.

Onboard your AWS account to Prisma Cloud

  1. Log in to your Prisma Cloud administrative console.
  2. Go to
    Settings > Cloud Accounts > Add Cloud Account
  3. Select AWS as the cloud provider.
  4. Provide the following information in the
    Get Started
    1. Select
      as the
      Onboard type
    2. Enter an account name to identify the account in Prisma Cloud.
    3. Enter the
      AWS account ID
      for the account you want to onboard.
    4. Click
  5. Select the
    Security Capabilities
    you need. The
    Agentless Scanning
    Serverless Function Scanning
    are enabled by default.
  6. Click
  7. Click
    Download IAM Role CFT
  8. Create the AWS stack.
    1. Go to the AWS CloudFormation console for your account.
    2. Go to
      Select Services > CloudFormation > Stacks
    3. Click on
      Create Stack
      and select the
      With new resources
    4. Click
      Upload a template file
    5. Upload the
      IAM Role CFT
      file obtained from Prisma Cloud.
    6. Click
    7. Enter a name for the Stack.
    8. Check the box labeled
      I acknowledge that AWS CloudFormation might create IAM resources with custom names
    9. Click
      Create stack
  9. Once the CREATE_COMPLETE status is displayed, go to the
    tab and copy the value of
  10. Paste the
    ARN for the IAM role
    into the Prisma Cloud console.
  11. Click
  12. Select the account group in Prisma Cloud to associate with your AWS account in the
    Assign Account Groups
  13. Click
  14. Review the status of each of the services and fix any issues.
  15. Click

Configure Agentless Scanning

  1. Log in to the Prisma Cloud administrative console.
  2. Select
    Compute > Manage > Cloud Accounts
  3. Click the edit button of your cloud account.
  4. Go to the
    Agentless Scanning
  5. Expand the
    Advanced settings
    and provide the following information.
    1. Enable Permissions check to verify that the permissions are correct before running a scan.
    2. Scanning type
      : For AWS accounts, you can decide between two scanning modes.
      1. Same Account
        : Scan hosts of your AWS account using that same account.
      2. Hub Account
        : Scan hosts of your AWS account using a different account. Select another onboarded account to scan the account you are onboarding from the list.
    3. Enter a
      value if traffic leaving your AWS tenant uses a proxy.
    4. Under
      Scan scope
      you can choose
      All regions
      to scan in all AWS regions. If you choose Custom regions, enter the AWS region in which you want Prisma Cloud to scan.
    5. Enter tags under
      Exclude VMs by tags
      to further limit the scope of the scan.
    6. Choose whether or not to
      Scan non running hosts
    7. Choose whether or not to enable
      Auto-scale scanning
      . If you disable auto-scale, specify number of scanners Prisma Cloud should employ.
    8. Enter an optional
      Security group
      . If the default VPC isn’t available in all the regions of your AWS account, follow AWS instructions for creating a custom security group enabling an egress connection to Prisma Cloud on port 443 in the Amazon VPC Console.
  6. Click Next.
  7. Leave the
    Discovery features
  8. Click
    to return to
    Compute > Manage > Cloud accounts

Start an Agentless Scan

Agentless scans start immediately after onboarding the cloud account. By default, agentless scans are performed every 24 hours, but you can change the interval on the
Manage > System > Scan
page under
Scheduling > Agentless
To manually start a scan, complete the following steps.
  1. Go to
    Compute > Manage > Cloud accounts
  2. Click the scan icon on the top right corner of the accounts table.
  3. Click
    Start Agentless scan
  4. Click the scan icon in the top right corner of the console to view the scan status.
  5. View the results.
    1. Go to
      Compute > Monitor > Vulnerabilities > Hosts
      Compute > Monitor > Vulnerabilities > Images
    2. Click on the
      Filter hosts
      text bar.
    3. Select the
      Scanned by
    4. Select the