Add a Resource List on Prisma Cloud
Use tags to identify resources deployed in your cloud
environments.
A Resource List is a way to identify resources
that are assigned with a specific tag or label. Resource lists can
include tags or types of workloads.
Identify Cloud Resources by Tags
A resource list for tags can reference tags
that have been assigned to the resource as a part of a template
deployment workflow or added manually. After you create the list
to identify resources based on assigned tags, to use this list for
scanning IaC templates using the Prisma Cloud plugins, you need
to attach the resource list to a Prisma Cloud role and to an alert
rule for build-time checks.
- Select .
- .
- Enter aResource List Name.You can optionally enter a description.
- Specify theKeyandValueto identify the tag.You can add up to 20 key-value pairs in a resource list. When you specify multiple tags in a resource list, the IaC template must include at least one tag defined in the resource list to be scanned against the policies in the alert rule.
- Savethe list.
- Attach the resource list to a Prisma Cloud role.When you Create Prisma Cloud Roles, users who are associated with the selected role can review the scan results..
Create a Resource List for Compute Resources
The Compute Access Group resource list on
Prisma Cloud enables you to restrict access to the data that is
visible on the
Compute
tab to your read-only
roles. You can define the scope for the types of workloads or resources,
such as hosts, containers, images, serverless functions that are
accessible to a role and assign that role to a Prisma Cloud read-only
role. For a user to view data, they must be assigned to an account
group or an on-prem provider. The workloads you include in the list
match criteria are within scope and accessible to the user who is
assigned to the role. On Compute, this resource list is referred
to as an assigned collection and is a way to enable granular access
to a specified set of resources instead of granting access to all resources
within an account.
- Select .
- .
- Enter aResource List Name.You can optionally enter a description.
- Specify the filters to define the scope of what is accessible within each type of resource.By default, each field is populated with a wildcard to match all objects of a specific type, such as containers, images, hosts. The Individual fields are combined using AND logic. You can customize how a field is evaluated with string matching. When you use a wildcard in a resource name, it evaluates the resource name according to the position of the wildcard—If the string starts with a wildcard, it is evaluated as string-starts-with; If the string terminates with a wildcard, it is evaluated as string-ends-with; If a string is starts and terminates with a wildcard, it is evaluated as string-contains.As an example, to match host names that start with production and image names that use the latest version of Ubuntu, and disregard the container name or label, you must enter the valueproduction*forHostsand*/ubuntu:latestforImagesto match image names /library/ubuntu:latest or docker.io/library/ubuntu:latest. For more examples, refer to pattern matching.
- Savethe list.
- View this resource list onCompute.The resource list is automatically added to the list of Collections. Select and find the resource list by name. Although the Resource List for Compute Access Group is included in the list of collections, you cannot edit it on theComputetab or use it when you add or edit rules for enforcing security checks on your resources.
- Attach the resource list to a Prisma Cloud role.
- When you Create Prisma Cloud Roles, verify that the role is assigned at least one account group or is enabled for access to data fromOn-prem/ Other cloud providers.
- Assign the role to a user so that they can review data onComputefor the scope you defined in the resource list.
Create a Resource List for Azure Resource Groups
Create resource lists for Azure Resource Groups and assign
it to roles to restrict access. Then, filter these in the Alerts,
Compliance, and Asset inventory dashboards.
The Azure Resource Group resource list enables
you to specify roles on Prisma Cloud who can view the data associated
with it. This enables you to restrict access to the data and also
provides you greater visibility by allowing you to zoom in on that
data using filters. You can filter Azure Resource Groups to generate
compliance standard reports which shows only the data within them,
or you can apply filters in the Asset inventory dashboard to pick
and choose one-or-more Azure Resource Groups data that you want to
observe. You can also filter based on Azure Resource Groups on the
Alerts Overview, Alerts Reports, and Investigate pages.
Contact Prisma Cloud
customer support to enable Azure Resource Group resource lists on
your Prisma Cloud tenant.
- Select .Only System Admins can create Resource Groups.
- .
- Enter the resource list details.
- Name—Enter the name of your resource list.
- —Enter the purpose of your resource list.Description
- Azure Resource Group(s)—Click the dialog box and select the Azure Resource Groups that you want to add to the resource list.
- ClickSubmit.
- (Optional)Attach the resource list to a Prisma Cloud role.When you assign an Azure Resource Group Resource List to a role, that role will have access to azure resource groups in the resource list for the Compliance and Asset inventory dashboards. If no resource list is assigned to a role that you switch to, then no resource list data will display in the corresponding dashboards.This is currently only applicable to Azure resources. If you have access to AWS, GCP, and Azure resources, the resource list filtering will only apply to the Azure resources, however you will still have access to the AWS and GCP data.
- Filter the resource list to view data on the Compliance and Asset Inventory dashboards.
- Apply a filter on the Compliance dashboard.
- Select and click the plus icon (
) to view and add
filter menu items. - SelectAzure Resource Groupto view the resource list data associated with your role.
- Apply a filter on the Asset inventory dashboard.
- Select and click the plus icon to view and add filter menu items.
- SelectAzure Resource Groupto view the resource list data associated with your role.
The Azure resources you see on the Asset Inventory page belong to the resource lists that are attached to your role. If you have access to accounts belonging to other cloud types, such as AWS or GCP, those resources are not filtered and you will see all the data associated with those cloud types. - Apply a filter on theInvestigatepage.
- SelectInvestigate.
- Enter your config query in the search bar:config from cloud.resource where azure.resource.group =The resource group is not auto-suggested because the list of resource groups can be very long. You have to manually enter the resource group.
- You can also filter based multiple resource groups:config from cloud.resource where azure.resource.group IN (’resource-group1’) AND (’resource-group2’)
