Agentless Scanning Modes

There are two ways you can set up agentless scanning with Prisma Cloud.
  • Same Account
    : Scan all hosts of a cloud account within the same cloud account. This mode spins up temporary scanning instances in the account.
  • Dedicated Account
    Scan all hosts of a cloud account, called target account, from another dedicated cloud account, called hub account. This mode spins up temporary scanning instances in the hub rather than in the target(s).
Agentless scanning isn’t supported for hosts running Windows. Agentless scanning doesn’t support Azure hosts with an unmanaged operating system disk. Azure hosts with unmanaged operating system disks are skipped during the scan.

Scan Within the Same Cloud Account

  1. Onboard cloud accounts with specific permissions required for agentless scanning.
  2. Prisma Cloud lists instances in each account and creates snapshots for each instance.
  3. Prisma Cloud starts spot instances, called scanners, within the same account, attaches snapshots, and performs the analysis.
  4. Scanners send results to the Prisma Cloud Console.
  5. Scanners and snapshots created by Prisma Cloud are deleted.
  6. Process repeats for periodic scans.

Scan Within a Dedicated Cloud Account

  1. Onboard cloud accounts with permissions for the hub account which perform the scan, and target accounts that are scanned by the hub account.
  2. Prisma Cloud only spins up scanners in the dedicated hub account and attaches snapshots of instances from other accounts to the scanners in the hub account.
  3. Scanners send results to the Prisma Cloud Console
  4. Scanners then get deleted along with the snapshots that Prisma Cloud creates.
  5. Process repeats for periodic scans.

AWS

When you click the
Download
button, multiple permission templates are downloaded as JSON files. These templates support the various permissions required by each of the cloud accounts for each of the scanning modes.

Same Account Mode

To scan accounts using this mode, download and apply the permission template that ends in _target_user_permissions.json to the AWS cloud account.

Dedicated Account Mode

You first configure and select a cloud account to serve as the hub account. You apply permissions templates from the hub account in Prisma Cloud to the hub account in AWS, and apply permissions templates from both the hub account and the target account in Prisma Cloud to the target account in AWS.

Hub Account

To use an account as a hub account, first add it to Cloud Accounts, downloading and applying the permission template that ends in _hub_user_permissions.json to that hub account in AWS.

Target Account

Download and apply the permission template that ends in _hub_target_user_permissions.json to that target account in AWS..

Azure

Download and apply the permission template to the Azure cloud account: there is no option for Hub Account Mode in Aure. Note that Prisma Cloud creates a dedicated PCC resource group to allow for easier cost calculations.

GCP

When you click the
Download
button, multiple permission templates are downloaded as JINJA files. These templates support the various permissions required by each of the cloud accounts for each of the scanning modes.

Same Account Mode

To scan accounts using this mode, download and apply the permission template that ends in _target_user_permissions.yaml.jinja to the GCP project.

Dedicated Account Mode

You first configure and select an cloud account to serve as the hub account. You apply permissions templates from the hub account in Prisma Cloud to the hub project in GCP, and apply permissions templates from both the hub account and the target account in Prisma Cloud to the target project in GCP.

Hub Account/Project

To use an account as a hub account, first add it to Cloud Accounts, downloading and applying the permission template that ends in _hub_user_permissions.yaml.jinja to that hub project in GCP.
To also allow that hub account to scan its own hosts, also apply the permission template that ends in _target_user_permissions.yaml.jinja to that hub project in GCP. Otherwise, disable Agentless scanning for that hub account in Cloud Accounts.

Target Account/Project

Download and apply the permission templates that end in _hub_target_user_permissions.yaml.jinja and _hub_target_access_permissions.yaml.jinja to the target project in GCP.

Recommended For You