Add a Resource List on Prisma Cloud
Use tags to identify resources deployed in your cloud environments.
A Resource List is a way to identify resources that carry a specific tag or label. Resource lists can be defined by tags or by types of workloads.
Identify Cloud Resources by Tags
A resource list for tags can reference tags that were assigned to the resource as part of a template deployment workflow or added manually. After you create the list to identify resources by their assigned tags, you must attach it to a Prisma Cloud role and to an alert rule for build-time checks before the Prisma Cloud plugins will use it when scanning IaC templates.
- Select Settings > Resource Lists.
- Select Add Resource List > Tag.
- Enter a Resource List Name. You can optionally enter a description.
- Specify the Key and Value that identify the tag. You can add up to 20 key-value pairs in a resource list. When you specify multiple tags in a resource list, the IaC template must include at least one of the tags defined in the list to be scanned against the policies in the alert rule. Each tag must be in the format tag_key:tag_value.
- Save the list.
- Attach the resource list to a Prisma Cloud role. When you Create Prisma Cloud Roles, users who are associated with the selected role can review the scan results.
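The scoping rule above (a template is scanned when it carries at least one of the listed tags, each written as tag_key:tag_value, with at most 20 pairs per list) can be checked offline before a plugin scan. The following Python is an added example, not Prisma Cloud or plugin code; the resource-list entries, the flattened template and the helper names are all constructed for illustration.

```python
"""
Added example (not Prisma Cloud code): decide whether an IaC template falls
within the scope of an alert rule that uses a Tag resource list.

Semantics taken from the procedure above:
  * each entry is written tag_key:tag_value
  * a list holds at most 20 key-value pairs
  * the template is scanned when at least ONE listed tag is present (OR)
"""

MAX_TAG_PAIRS = 20  # documented cap on key-value pairs per resource list


def parse_tag_list(entries):
    """Turn 'tag_key:tag_value' strings into (key, value) tuples.

    Splits on the first ':' only, so a value that itself contains a colon
    survives intact. Malformed entries (no colon, empty key) raise so that
    a typo fails loudly instead of silently matching nothing.
    """
    if len(entries) > MAX_TAG_PAIRS:
        raise ValueError(f"resource list holds more than {MAX_TAG_PAIRS} tags")
    pairs = []
    for entry in entries:
        key, sep, value = entry.partition(":")
        if not sep or not key:
            raise ValueError(f"malformed tag entry: {entry!r}")
        pairs.append((key, value))
    return pairs


def matching_resources(template_resources, tag_pairs):
    """Return the template resources that carry at least one listed tag.

    template_resources maps a resource name to its tag dictionary; this is
    an assumed, simplified view of what a plugin extracts from a template.
    """
    return [
        name
        for name, tags in template_resources.items()
        if any(tags.get(key) == value for key, value in tag_pairs)
    ]


def template_in_scope(template_resources, tag_pairs):
    """True when the template as a whole would be scanned by the alert rule."""
    return bool(matching_resources(template_resources, tag_pairs))


# Constructed sample data: a Tag resource list and a flattened template.
SAMPLE_RESOURCE_LIST = ["env:prod", "team:payments", "data:pii"]
SAMPLE_TEMPLATE = {
    "aws_s3_bucket.logs": {"env": "prod", "owner": "ops"},
    "aws_s3_bucket.scratch": {"env": "dev"},
    "aws_rds_instance.cards": {"team": "payments", "data": "pii"},
    "aws_iam_role.ci": {},
    "aws_kms_key.shared": {"env": "production"},  # near miss: value differs
}

if __name__ == "__main__":
    pairs = parse_tag_list(SAMPLE_RESOURCE_LIST)
    print("template scanned:", template_in_scope(SAMPLE_TEMPLATE, pairs))
    for name in matching_resources(SAMPLE_TEMPLATE, pairs):
        print("  matched by tag:", name)
```

Note that the match is exact on both key and value: `env:production` does not satisfy an `env:prod` entry, which is the usual reason a template unexpectedly falls outside an alert rule's scope.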
Create a Resource List for Compute Resources
The Compute Access Group resource list on Prisma Cloud enables you to:
- Restrict access to the data that is visible on the Compute tab to your read-only roles. You can define the scope for the types of workloads or resources, such as hosts, containers, images, and serverless functions, that are accessible to a role, and assign that role to a Prisma Cloud read-only role. For a user to view data, they must be assigned to an account group or an on-prem provider. The workloads that match the criteria you include in the list are within scope and accessible to the user who is assigned to the role. On Compute, this resource list is referred to as an assigned collection and is a way to enable granular access to a specified set of resources instead of granting access to all resources within an account.
- Target Compute workloads—hosts and container images—for which you want to trigger alerts using an alert rule with workload protection policies.
- Select Settings > Resource Lists.
- Select Add Resource List > Compute Access Group.
- Enter a Resource List Name. You can optionally enter a description.
- Specify the filters to define the scope of what is accessible within each type of resource. By default, each field is populated with a wildcard that matches all objects of a specific type, such as containers, images, or hosts. The individual fields are combined using AND logic. You can customize how a field is evaluated with string matching: the position of the wildcard in the value decides the test. A value that ends with a wildcard (production*) matches names that start with the given text; a value that starts with a wildcard (*/ubuntu:latest) matches names that end with the given text; a value that both starts and ends with a wildcard matches names that contain the given text. As an example, to match host names that start with production and image names that use the latest version of Ubuntu, and disregard the container name or label, enter the value production* for Hosts and */ubuntu:latest for Images; the latter matches image names such as /library/ubuntu:latest or docker.io/library/ubuntu:latest. For more examples, refer to pattern matching.
- Save the list.
- View this resource list on Compute. The resource list is automatically added to the list of Collections. Select Manage > Collections And Tags > Collections and find the resource list by name. Although the Resource List for Compute Access Group is included in the list of collections, you cannot edit it on the Compute tab or use it when you add or edit rules for enforcing security checks on your resources.
- Attach the resource list. You can now attach the Compute Access Group resource list to a Prisma Cloud role or to an alert rule.
- When you Create Prisma Cloud Roles and attach the resource list to the role, verify that the role is assigned at least one account group or is enabled for access to data from On-prem/Other cloud providers.
- Assign the role to a user so that they can review data on Compute for the scope you defined in the resource list.
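Because a Compute Access Group decides which workloads a read-only role can see, it is worth being able to reproduce the matching rules from the filter step above (wildcard defaults, AND across fields, wildcard position selecting starts-with, ends-with or contains) against a known inventory before assigning the role. The following Python is an added example, not Prisma Cloud or Compute code; the workload records, field names and helper names are constructed, and the evaluation order is an assumption based only on the rules stated on this page.

```python
"""
Added example (not Prisma Cloud code): evaluate Compute Access Group filters
against a constructed workload inventory.

Rules reproduced from the procedure above:
  * every field defaults to '*' (match everything)
  * fields are combined with AND
  * 'text*'  -> name starts with text
  * '*text'  -> name ends with text
  * '*text*' -> name contains text
  * no wildcard -> exact match (assumption; the page does not say otherwise)
"""

# Field names are constructed to mirror the filter types the page lists.
DEFAULT_SCOPE = {"hosts": "*", "containers": "*", "images": "*", "labels": "*"}


def field_matches(pattern, value):
    """Apply one filter value to one resource name."""
    if pattern == "*":
        return True
    leading = pattern.startswith("*")
    trailing = pattern.endswith("*")
    core = pattern.strip("*")
    if leading and trailing:
        return core in value            # *text*  -> contains
    if leading:
        return value.endswith(core)     # *text   -> ends with
    if trailing:
        return value.startswith(core)   # text*   -> starts with
    return value == pattern             # no wildcard -> exact


def build_scope(overrides):
    """Start from the all-wildcard defaults and apply the user's filters."""
    unknown = set(overrides) - set(DEFAULT_SCOPE)
    if unknown:
        raise ValueError(f"unknown filter field(s): {sorted(unknown)}")
    return {**DEFAULT_SCOPE, **overrides}


def workload_in_scope(workload, scope):
    """AND across fields: every filter must accept the workload."""
    return all(
        field_matches(pattern, workload.get(field, ""))
        for field, pattern in scope.items()
    )


def in_scope_ids(workloads, scope):
    """IDs of the workloads a role holding this resource list would see."""
    return [w["id"] for w in workloads if workload_in_scope(w, scope)]


# The page's own example: hosts starting with 'production', Ubuntu latest
# images, containers and labels left at the default wildcard.
SAMPLE_SCOPE = {"hosts": "production*", "images": "*/ubuntu:latest"}

# Constructed inventory records (not real Compute data).
SAMPLE_WORKLOADS = [
    {"id": "w1", "hosts": "production-web-01",
     "images": "docker.io/library/ubuntu:latest", "containers": "nginx"},
    {"id": "w2", "hosts": "production-db-01",
     "images": "/library/ubuntu:latest", "containers": "postgres"},
    {"id": "w3", "hosts": "staging-web-01",
     "images": "docker.io/library/ubuntu:latest", "containers": "nginx"},
    {"id": "w4", "hosts": "production-web-02",
     "images": "docker.io/library/ubuntu:22.04", "containers": "api"},
]

if __name__ == "__main__":
    scope = build_scope(SAMPLE_SCOPE)
    for wid in in_scope_ids(SAMPLE_WORKLOADS, scope):
        print("visible to role:", wid)
```

Running the sample shows only w1 and w2 in scope: w3 fails the Hosts filter and w4 fails the Images filter, which is the AND behaviour to keep in mind when a filter that looks permissive hides more than expected.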
Create a Resource List for Azure Resource Groups
Create resource lists for Azure Resource Groups and assign them to roles to restrict access. Then, filter by these lists in the Alerts, Compliance, and Asset Inventory dashboards.
The Azure Resource Group resource list enables you to specify which Prisma Cloud roles can view the data associated with it. This restricts access to the data and also gives you greater visibility by letting you zoom in on that data using filters. You can filter by Azure Resource Groups to generate compliance standard reports that show only the data within them, or you can apply filters in the Asset Inventory dashboard to pick one or more Azure Resource Groups whose data you want to observe. You can also filter by Azure Resource Groups on the Alerts Overview, Alerts Reports, and Investigate pages.
Contact Prisma Cloud customer support to enable Azure Resource Group resource lists on your Prisma Cloud tenant.
- Select Settings > Resource Lists. Only System Admins can create Resource Groups.
- Select Add Resource List > Azure Resource Group.
- Enter the resource list details.
  - Name—Enter the name of your resource list.
  - Description—Enter the purpose of your resource list.
  - Azure Resource Group(s)—Click the dialog box and select the Azure Resource Groups that you want to add to the resource list.
- Click Submit.
- (Optional) Attach the resource list to a Prisma Cloud role. When you assign an Azure Resource Group resource list to a role, that role has access to the Azure resource groups in the resource list on the Compliance and Asset Inventory dashboards. If no resource list is assigned to a role that you switch to, no resource list data is displayed in the corresponding dashboards. This currently applies only to Azure resources. If you have access to AWS, GCP, and Azure resources, the resource list filtering applies only to the Azure resources; you still have access to the AWS and GCP data.
- Filter by the resource list to view data on the Compliance and Asset Inventory dashboards.
  - Apply a filter on the Compliance dashboard.
    - Select Compliance > Overview and click the plus icon to view and add filter menu items.
    - Select Azure Resource Group to view the resource list data associated with your role.
  - Apply a filter on the Asset Inventory dashboard.
    - Select Inventory > Assets and click the plus icon to view and add filter menu items.
    - Select Azure Resource Group to view the resource list data associated with your role. The Azure resources you see on the Asset Inventory page belong to the resource lists that are attached to your role. If you have access to accounts belonging to other cloud types, such as AWS or GCP, those resources are not filtered and you see all the data associated with those cloud types.
  - Apply a filter on the Investigate page.
    - Select Investigate.
    - Enter your config query in the search bar. The resource group is not auto-suggested because the list of resource groups can be very long, so you must type the resource group name yourself in place of the <resource-group-name> placeholder:
      config from cloud.resource where azure.resource.group = '<resource-group-name>'
    - You can also filter on multiple resource groups by listing them in an IN clause:
      config from cloud.resource where azure.resource.group IN ('resource-group1', 'resource-group2')