1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Administrator’s Guide (Compute)
    5. Vulnerability management
    6. Configure VM image scanning

    Configure VM image scanning

    Prisma Cloud supports scanning VM images on AWS, Azure, and GCP.
    On AWS, Prisma Cloud can scan Linux Amazon Machine Images (AMIs). On Azure, Prisma Cloud supports Managed, Gallery, and Marketplace images. On GCP, Prisma Cloud supports Public and Custom images (including Premium images).

    AWS

    The following AMIs aren’t supported:
    • Images that don’t use cloud-init for bootstrapping, such as Red Hat Enterprise Linux CoreOS (CoreOS for OpenShift). RHCOS uses Ignition.
    • Images that use paravirtualization.
    • Images that only support old TLS protocols (less than TLS 1.1) for utilities such as curl. For example, Ubuntu 12.10.

    Prerequisites

    • Access from the VPC to the Prisma Cloud Compute Console.
      For the VMs to send scan results back to the Console, the default port used for communication is 8084. If you use a different port for enabling Defender to Console communication, make sure that the port is allowed access. Note that this port is used for communication although Defenders are not used for VM image scanning.
    • The service account Prisma Cloud uses to scan AMIs must have at least the following policy:
      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PrismaCloudComputeAMIScanning",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeSecurityGroups",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RunInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": "*"
        }
    ]
}
      • Prisma Cloud requires the permissions listed above for VM image scanning. To restrict permissions for creating and deleting resources, you can use conditional clauses in AWS IAM policy for the security groups and instances that have the prefix "twistlock-scan".
      • It is strongly recommended to make sure the images scanned have DeleteOnTermination attribute enabled.

    Azure

    Prisma Cloud supports the following image types:
    • Marketplace images (publicly available images)
    • Managed (custom) images
    • Shared image galleries
    • Encrypted images
    • Azure Linux
    Prisma Cloud doesn’t support the following image types:
    • Azure paid images

    Prerequisites

    • The service account Prisma Cloud uses to scan Azure images must have at least the following policy:
      Microsoft.Compute/locations/publishers/artifacttypes/offers/skus/versions/read
Microsoft.Compute/images/read
Microsoft.Compute/galleries/read
Microsoft.Compute/galleries/images/read
Microsoft.Compute/galleries/images/versions/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/subscriptions/resourceGroups/write
Microsoft.Resources/subscriptions/resourceGroups/delete
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/networkSecurityGroups/write
Microsoft.Network/networkSecurityGroups/join/action
Microsoft.Network/networkSecurityGroups/delete
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkInterfaces/write
Microsoft.Network/networkInterfaces/join/action
Microsoft.Network/networkInterfaces/delete
Microsoft.Compute/disks/write
Microsoft.Compute/disks/delete
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/write
Microsoft.Compute/virtualMachines/start/action
Microsoft.Compute/virtualMachines/delete
Microsoft.KeyVault/vaults/keys/read
Microsoft.KeyVault/vaults/keys/wrap/action
Microsoft.KeyVault/vaults/keys/unwrap/action
    Use Azure’s Key Vault Crypto Service Encryption User built-in role to scan encrypted images.
    If you have managed and gallery images limited to specific regions, Prisma Cloud skips the scan when the region defined in the scope doesn’t match the region defined for the image.

    GCP

    Prisma Cloud supports the following image types:
    • Public images (including Premium images)
    • Custom images
    • Encrypted images

    Prerequisites

    You can only scan encrypted images that use a customer-managed encryption key (CMEK). Customer-supplied encryption keys (CSEK) are not supported.
    • The service account Prisma Cloud uses to scan GCP VM images must have at least the following policy:
      compute.disks.create
compute.images.get
compute.images.list
compute.images.useReadOnly
compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.list
compute.instances.setMetadata
compute.instances.setTags
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.subnetworks.use
compute.subnetworks.useExternalIp
    • Verify that the Compute Engine Service Agent service account in the target image project has the Cloud KMS CryptoKey Decrypter role or equivalent.
    • If you use a shared VPC, verify that the service account in the target image project has the compute.subnetworks.use permission in the project containing the subnetwork. For a shared VPC, the project containing the shared VPC is the host project.
      This built-in service account ends with compute-system.iam.gserviceaccount.com. The service agent has these permissions by default since it used these permissions to encrypt the images.

    Deployment

    VM image scanning is handled by the Console and it does not require Defenders. The Prisma Cloud Console scans a VM image by creating a VM instance that is running the VM image to be scanned.
    The VM instances created for scanning VM Images come with default tags: Key - Name, Value - prismacloud-scan-*
    When you configure Prisma Cloud to scan VM images, you can define the number of scanners to use. Defining more than one scanner means that the Console will create several VM instances to scan multiple VM images simultaneously. For scanning large numbers of VM images, increase the number of scanners to improve throughput and reduce scan time.
    If you remove a VM image, or it becomes unavailable, Prisma Cloud maintains the scan results for 30 days. After 30 days, the scan results are purged.
    The VM scan results scanned by older Console versions are deleted.

    VM images scan settings

    1. Open Console.
    2. Go to
      Defend > Vulnerabilities/Compliance > Hosts > VM Images
      .
    3. Select
      Add Scope
      .
      Each scope has the following parameters:
      Field
      Description
      Provider
      Specify the cloud provider. The currently supported providers are AWS, Azure, and GCP.
      Credential
      Specify the credential required to access the VM images. If the credential has already been created in the Prisma Cloud credential store, select it. If not, select
      Add New
      .