Learn how to integrate Prisma™ Cloud with AWS Inspector.

Prisma™ Cloud ingests vulnerability data and security best practices deviations from AWS Inspector to provide organizations with additional context about risks in the cloud. You can identify suspicious traffic to sensitive workloads, such as databases with known vulnerabilities.
Enable AWS Inspector on your EC2 instances. To set up AWS Inspector, see the Amazon documentation.

Enable read-access permissions to AWS Inspector on the IAM Role policy. The Prisma Cloud IAM Role policy that you use to onboard your AWS setup needs these permissions:

inspector:Describe*
inspector:List*

If you used the CFT templates to onboard your AWS account, the Prisma Cloud IAM Role policy already has the permissions required for AWS Inspector.
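The following is an added example, not part of this page and not Prisma Cloud's own CFT or onboarding code. It checks an IAM policy document offline for the two read-only Inspector permissions listed above, using IAM-style wildcard matching on action names. The sample policy documents are constructed for the example, and the list of concrete Inspector actions it tests against is illustrative rather than exhaustive. The evaluator is deliberately simple: it looks only at Allow/Deny statements with an Action element and ignores NotAction, Condition, Resource scoping, permission boundaries and SCPs, so a clean result here means the role policy itself names the permissions, not that effective access is guaranteed.

```python
import fnmatch
import json

# Constructed sample policies for this example (not the CFT template output).
# The first grants the two wildcards the page lists; the second omits them
# and also carries an explicit Deny that would override any broader Allow.
POLICY_WITH_INSPECTOR_READ = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["inspector:Describe*", "inspector:List*"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
})

POLICY_MISSING_INSPECTOR_READ = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Deny", "Action": "inspector:*", "Resource": "*"},
    ],
})

# Representative read-only Inspector API actions that fall under
# inspector:Describe* and inspector:List*. Illustrative, not exhaustive.
REQUIRED_ACTIONS = (
    "inspector:DescribeFindings",
    "inspector:DescribeAssessmentRuns",
    "inspector:ListFindings",
    "inspector:ListAssessmentRuns",
)


def _as_list(value):
    """IAM allows Statement/Action to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy_json, required=REQUIRED_ACTIONS):
    """Return the required actions that the policy does not effectively allow.

    An action counts as allowed when at least one Allow statement matches it
    and no Deny statement matches it (explicit Deny wins in IAM). Statements
    using NotAction or Condition are not evaluated by this simplified check.
    """
    policy = json.loads(policy_json)
    statements = _as_list(policy.get("Statement"))
    missing = []
    for action in required:
        allowed = False
        denied = False
        for stmt in statements:
            patterns = _as_list(stmt.get("Action"))
            if not any(_action_matches(p, action) for p in patterns):
                continue
            if stmt.get("Effect") == "Allow":
                allowed = True
            elif stmt.get("Effect") == "Deny":
                denied = True
        if denied or not allowed:
            missing.append(action)
    return missing


if __name__ == "__main__":
    for name, doc in (("with-read", POLICY_WITH_INSPECTOR_READ),
                      ("missing-read", POLICY_MISSING_INSPECTOR_READ)):
        gaps = missing_actions(doc)
        print(f"{name}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Run it against the JSON of the role policy you attached during onboarding (for example the output of an IAM get-policy-version call saved to a file) to confirm the Inspector read permissions are present before expecting findings to appear in Prisma Cloud.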
After the Prisma Cloud service begins ingesting AWS Inspector data, you can use the following RQL queries for visibility into the host vulnerability information collected from AWS Inspector.

Config queries:

config where hostfinding.type = 'AWS Inspector Runtime Behavior Analysis'
config where hostfinding.type = 'AWS Inspector Security Best Practices'

AWS Inspector Runtime Behavior Analysis—Fetches all resources which are in violation of one or more rules reported by the AWS Inspector Runtime Behavior Analysis package.

AWS Inspector Security Best Practices—Fetches all resources which are in violation of one or more rules reported by the AWS Inspector Security Best Practices package.

Network queries:

network where dest.resource IN ( resource where hostfinding.type = 'AWS Inspector Runtime Behavior Analysis' )
network where dest.resource IN ( resource where hostfinding.type = 'AWS Inspector Security Best Practices' )