Configure VM image scanning
Table of Contents
Prisma Cloud Enterprise Edition
Expand all | Collapse all
-
- Getting started
- System Requirements
- Cluster Context
-
- Defender Types
- Manage your Defenders
- Redeploy Defenders
- Uninstall Defenders
-
- Deploy Orchestrator Defenders on Amazon ECS
- Automatically Install Container Defender in a Cluster
- Deploy Prisma Cloud Defender from the GCP Marketplace
- Deploy Defenders as DaemonSets
- VMware Tanzu Application Service (TAS) Defender
- Deploy Defender on Google Kubernetes Engine (GKE)
- Google Kubernetes Engine (GKE) Autopilot
- Deploy Defender on OpenShift v4
- Deploy Defender with Declarative Object Management
-
- Agentless Scanning Modes
-
- Onboard AWS Accounts for Agentless Scanning
- Configure Agentless Scanning for AWS
- Onboard Azure Accounts for Agentless Scanning
- Configure Agentless Scanning for Azure
- Onboard GCP Accounts for Agentless Scanning
- Configure Agentless Scanning for GCP
- Onboard Oracle Cloud Infrastructure (OCI) Accounts for Agentless Scanning
- Configure Agentless Scanning for Oracle Cloud Infrastructure (OCI)
- Agentless Scanning Results
-
- Rule ordering and pattern matching
- Backup and Restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Prisma Cloud Compute certificates
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with Certificates
- Customize terminal output
- Collections
- Tags
- WildFire Settings
- Log Scrubbing
- Permissions by feature
-
- Prisma Cloud Vulnerability Feed
- Scanning Procedure
- Vulnerability Management Policies
- Vulnerability Scan Reports
- Scan Images for Custom Vulnerabilities
- Base images
- Vulnerability Explorer
- CVSS scoring
- CVE Viewer
-
- Configure Registry Scans
- Scan Images in Alibaba Cloud Container Registry
- Scan Images in Amazon Elastic Container Registry (ECR)
- Scan images in Azure Container Registry (ACR)
- Scan Images in Docker Registry v2 (including Docker Hub)
- Scan Images in GitLab Container Registry
- Scan images in Google Artifact Registry
- Scan Images in Google Container Registry (GCR)
- Scan Images in Harbor Registry
- Scan Images in IBM Cloud Container Registry
- Scan Images in JFrog Artifactory Docker Registry
- Scan Images in Sonatype Nexus Registry
- Scan images in OpenShift integrated Docker registry
- Scan Images in CoreOS Quay Registry
- Trigger Registry Scans with Webhooks
- Configure VM image scanning
- Configure code repository scanning
- Malware scanning
- Windows container image scanning
- Serverless Functions Scanning
- VMware Tanzu Blobstore Scanning
- Scan App-Embedded workloads
- Troubleshoot Vulnerability Detection
-
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Malware Scanning
- Serverless functions compliance checks
- Windows compliance checks
- DISA STIG compliance checks
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- App-Embedded scanning
- Detect secrets
- OSS license management
-
- Alert Mechanism
- AWS Security Hub
- Cortex XDR alerts
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts for Security Incident Response
- ServiceNow alerts for Vulnerability Response
- Slack Alerts
- Splunk Alerts
- Webhook alerts
- API
Configure VM image scanning
Prisma Cloud supports scanning VM images on AWS, Azure, and GCP.
On AWS, Prisma Cloud can scan Linux Amazon Machine Images (AMIs).
On Azure, Prisma Cloud supports Managed, Gallery, and Marketplace images.
On GCP, Prisma Cloud supports Public and Custom images (including Premium images).
VM image scanning is handled by the Console and does not require Defenders. The Prisma Cloud Console scans a VM image by launching or creating a VM instance that is running the VM image that you want to scan.
When you set up Prisma Cloud to scan VM images, you can choose how many scanners to use. For scanning a large number of VM images, increase the number of scanners to scan multiple VM images simultaneously for improved throughput and reduced scan time.
The VM instances created for scanning VM Images come with default tags:
Key - Name,
Value - prismacloud-scan-*
AWS
The following AMIs aren’t supported:
- ARM64 AMI VM images; only x86 AMI VM Images are supported
- Images that don’t use cloud-init for bootstrapping, such as Red Hat Enterprise Linux CoreOS (CoreOS for OpenShift). RHCOS uses Ignition.
- Images that use paravirtualization.
- Images that only support old TLS protocols (less than TLS 1.1) for utilities such as curl. For example, Ubuntu 12.10.
Prerequisites
- Access from the VPC to the Prisma Cloud Compute Console.
- The service account Prisma Cloud uses to scan AMIs must have at least the following policy:{ "Version": "2012-10-17", "Statement": [ { "Sid": "PrismaCloudComputeAMIScanning", "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:DeleteSecurityGroup", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeSecurityGroups", "ec2:RevokeSecurityGroupEgress", "ec2:RunInstances", "ec2:TerminateInstances" ], "Resource": "*" } ] }
- Prisma Cloud requires the permissions listed above for VM image scanning. To restrict permissions for creating and deleting resources, you can use conditional clauses in AWS IAM policy for the security groups and instances that have the prefix "prismacloud-scan".
- It is strongly recommended to make sure the images scanned have DeleteOnTermination attribute enabled.
Azure
Prisma Cloud supports the following image types:
- Marketplace images (publicly available images)
- Managed (custom) images
- Shared image galleries
- Encrypted images
- Azure Linux images
Prisma Cloud doesn’t support the following image types:
- Azure paid images
Prerequisites
- The service account Prisma Cloud uses to scan Azure images must have at least the following policy:Microsoft.Compute/locations/publishers/artifacttypes/offers/skus/versions/read Microsoft.Compute/images/read Microsoft.Compute/galleries/read Microsoft.Compute/galleries/images/read Microsoft.Compute/galleries/images/versions/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/subscriptions/resourceGroups/write Microsoft.Resources/subscriptions/resourceGroups/delete Microsoft.Network/networkSecurityGroups/read Microsoft.Network/networkSecurityGroups/write Microsoft.Network/networkSecurityGroups/join/action Microsoft.Network/networkSecurityGroups/delete Microsoft.Network/networkInterfaces/read Microsoft.Network/networkInterfaces/write Microsoft.Network/networkInterfaces/join/action Microsoft.Network/networkInterfaces/delete Microsoft.Compute/disks/write Microsoft.Compute/disks/delete Microsoft.Network/virtualNetworks/subnets/read Microsoft.Network/virtualNetworks/subnets/join/action Microsoft.Compute/virtualMachines/read Microsoft.Compute/virtualMachines/write Microsoft.Compute/virtualMachines/start/action Microsoft.Compute/virtualMachines/delete Microsoft.KeyVault/vaults/keys/read Microsoft.KeyVault/vaults/keys/wrap/action Microsoft.KeyVault/vaults/keys/unwrap/actionTo scan encrypted images, use the Azure Key Vault Crypto Service Encryption User built-in role.If you have managed and gallery images limited to specific regions, Prisma Cloud skips the scan when the region defined in the scope doesn’t match the region defined for the image.
GCP
Prisma Cloud supports the following image types:
- Public images (including Premium images)
- Custom images
- Encrypted images
Prerequisites
You can only scan encrypted images that use a customer-managed encryption key (CMEK). Customer-supplied encryption keys (CSEK) are not supported.
- The service account Prisma Cloud uses to scan GCP VM images must have at least the following policy:compute.disks.create compute.images.get compute.images.list compute.images.useReadOnly compute.instances.create compute.instances.delete compute.instances.get compute.instances.list compute.instances.setMetadata compute.instances.setTags compute.networks.updatePolicy compute.networks.use compute.networks.useExternalIp compute.subnetworks.use compute.subnetworks.useExternalIpVerify that the Compute Engine Service Agent service account in the target image project has the Cloud KMS CryptoKey Decrypter role or equivalent.If you use a shared VPC, verify that the service account in the target image project has the compute.subnetworks.use permission in the project containing the subnetwork. For a shared VPC, the project containing the shared VPC is the host project.This built-in service account ends with compute-system.iam.gserviceaccount.com. The service agent has these permissions by default since it used these permissions to encrypt the images.
VM Image Scans
If you remove a VM image, or it becomes unavailable, Prisma Cloud maintains the scan results for 30 days.
After 30 days, the scan results are automatically deleted.
When a scan is canceled, it might take a few minutes for the scan to stop completely.
On Console upgrade, VM image scanning results from the previous Console version are deleted.
- Open Console.
- Go toDefend > Vulnerabilities/Compliance > Hosts > VM Images.
- SelectAdd Scope.Define the scan settings.FieldDescriptionProviderSpecify the cloud provider. The supported providers are AWS, Azure, and GCP.CredentialSpecify the credential required to access the VM images and launch the VM instance on the Cloud Service Provider.As a best practice, onboard the cloud account on Prisma Cloud and select the credential associated with that cloud service provider from the drop-down. Ensure that either the Agentless Workload Scanning or the Agent-Based Workload Protection capability is enabled for the service account or role to have adequate permissions for VM Image scanning. To scan VM Images, Prisma Cloud requires permissions to create a VM instance, along with the networking components to communicate the scan results back to the Console.If you choose to add the credentials on Compute> Manage > Cloud Account:
- For AWS you can use Access Keys for authentication: IAM role is not supported.
- For Azure, you can use the Service Key or Certificate.
- For GCP, you can use the Service Account credentials.
Project ID (GCP only)Specify the project ID where the service account was created.Image type (Azure only)Specify the relevant image type. Prisma Cloud supports three image types: Managed, Gallery, and Marketplace.ImagesSpecify the VM images to scan. Leave * to scan all images.ON AWS: When the image field contains a string and a wildcard (e.g. Amazo*), only private AMIs are scanned. When using explicit image names, AWS Marketplace, and community AMIs are scanned as well. Only the AMI names are permitted in the image field. AMI IDs are not supported.Use the label field in the referenced collection to restrict the scan for the specified label on the VM Image. Use the key-value pattern 'key:value'.All supported resource fields support pattern matching.Excluded VM imagesSpecify VM images to exclude from the scan. This field supports pattern matching.Region (AWS and Azure)Specify the region to scan.Console addressSpecify the Console URL for the scanner VM instance to use.Zone (GCP only)Specify the Zone where scan instances will be deployed.Number of scannersSpecify the number of VM images to concurrently scan. Increase the number of scanners to increase throughput and reduce scan time.CapChoose the maximum number of VM images you want to scan, and they will be sorted based on their 'Creation Date.' Scanning begins with the most recently created VM images and proceeds in descending order of creation date.In the case of Azure Marketplace and Managed images, the images are scanned according to their resource ID, in descending lexicographic order (i.e., ID3, then ID2, then ID1).To scan all VM images, set value to 0.VPC ID and Subnet ID (AWS only)If you want a custom VPC for the scanner VM instance, specify the VPC id to use (e.g., vpc-xxxxx). If you want a custom subnet for the scanner VM instance, specify the subnet id to use (e.g., subnet-xxxxx).VPC ID and subnet ID are mapped 1:1. You can only scope one VPC and subnet for a rule.Subnet (GCP only)If you want a custom subnet for the scanner VM instance, specify the subnet name.Subnet Resource ID (Azure only)Specify the Resource ID of the subnet where scan instances should be deployed.Instance TypeFor AWS, the default is m4.large. For Azure, the default is standard_D2s_v4. For GCP, the default is e2-standard-2.Enable Secure boot (GCP only)Enable the option to verify the digital signature with secure boot for the temporary VM instance created for VM image scanning.
Add Rule for Scanning VM Images
To define which VM images to scan, create a new VM images scan rule.
- Open Console.
- Go toDefend > Vulnerabilities/Compliance > Hosts > VM Images.
- SelectAdd Rule.
- Specify the thresholds for vulnerabilities or compliance.
- SelectSave.
Additional scan settings
Additional scan settings can be found under
Manage > System > Scan
, where you can set the VM images scan interval.