Use the Prisma Cloud Extension for AWS DevOps

Summary of Prisma Cloud extension for AWS DevOps
With a Prisma Cloud Enterprise Edition license, you can integrate compliance and vulnerability checks into your AWS continuous integration/continuous deployment (CI/CD) and build environments. This extension enables you to scan Infrastructure-as-Code (IaC) templates like AWS CFT, Terraform templates, and Kubernetes deployment files against Prisma Cloud security policies. It also enables you to use Prisma Cloud Compute to scan container images for vulnerabilities.
The sections below show how to integrate the Prisma Cloud extension with your AWS CodePipeline pipelines and AWS CodeBuild projects.

Review Prerequisites for the Prisma Cloud Extension for AWS CodePipeline

  • A valid Prisma Cloud Enterprise Edition license.
  • Prisma Cloud API URL
    The URL for Prisma Cloud varies depending on the region and cluster on which your tenant is deployed. Your tenant is provisioned at, for example, https://app2.prismacloud.io or https://app.eu.prismacloud.io. Replace app in the URL with api and enter it here. For more details, refer to the Prisma Cloud REST API Reference, which is accessible from the Help Center within the Prisma Cloud web interface.
  • Prisma Cloud Access Key
    The access key enables programmatic access to Prisma Cloud. If you do not have a key, you must Create and Manage Access Keys.
  • Prisma Cloud Secret Key
    The secret key was generated when you created the access key, and you should have saved it for later use. You cannot view it on the Prisma Cloud administrative console.
  • (
    For container image scanning
    ) Prisma Cloud Compute URL
    The base URL for your Prisma Cloud Compute console. Log in to the Prisma Cloud administrative Console and select
    Compute
    System
    Downloads
    Path to Console.
  • (
    For container image scanning
    ) Prisma Cloud Compute User Credential
    Enter the Prisma Cloud username and password with the CI User role.
  • A valid Prisma Cloud Configuration file in your repository root at .prismaCloud/config.yml.
  • A valid AWS CodePipeline service role to give AWS CodePipeline access to other resources in your account.
  • A multiple-stage pipeline in AWS CodePipeline, where at the source stage the execution collects your template repository and makes it available as input artifacts for subsequent stages.
    If your customization uses any AWS commands, then you must install and configure the AWS command line interface.

Set Up IaC Scanning with AWS CodePipeline

You have two options for scanning your IaC templates against Prisma Cloud security policies. The recommended approach is to use AWS CodeBuild to scan the IaC templates; the alternative is to use an AWS Lambda function with Python scripts.
The Lambda function is compatible with versions one and two of the script, but the repository cannot exceed 5MB; if it does, the IaC scan is blocked.

Use AWS CodePipeline to Scan IaC Templates

  1. Add a CodeBuild Action to AWS CodePipeline Stage.
    1. Create or edit AWS CodePipeline to add a new stage provider of AWS CodeBuild.
      In the home screen of AWS CodePipeline, select Edit > Edit stage > Add action. In the Edit action popup window, enter your Action name and select AWS CodeBuild as the Action provider.
    2. Add IaC scan parameters as environment variables.
      Add the following IaC scan variables in the environment variables section:
      • prisma_cloud_api_url: Your Prisma Cloud API URL (e.g. https://api.prismacloud.io). The exact URL depends on the Prisma Cloud region and cluster of your tenant.
      • prisma_cloud_asset_name: A unique name to identify the scan results, for templates within this repository, on Prisma Cloud.
      • prisma_cloud_access_key: Your Prisma Cloud access key for API access.
      • prisma_cloud_secret_key: The secret key that corresponds to your Prisma Cloud access key.
      • prisma_cloud_tags (optional): Prisma Cloud tags enable visibility on the Prisma Cloud administrator console and are also used to match build-type alert rule scan policies. Provide the value as a comma-separated list of tags that you define, for example project:x,owner:y.
      • prisma_cloud_repo_dir (optional): Directory path where you store your IaC templates. The default value is ".". Mixing template types is not allowed, so each IaC scan must cover a single template type.
      • prisma_cloud_failure_criteria (optional): Threshold that triggers a pipeline failure. Set the value as High:x,Medium:y,Low:z,Operator:O, where x, y and z are the number of issues of each severity and the operator O is or or and. For example:
        • To fail the pipeline only when a high severity issue is detected: High:1,Medium:1000,Low:1000,Operator:or
        • To never fail the pipeline: High:1000,Medium:1000,Low:1000,Operator:and
      You may choose your own source type other than plain-text.
    3. Create or Choose CodeBuild Project with IaC Scanner Docker Image.
      • Specify the Prisma Cloud IaC scanner docker image: Click Create project in the Edit action page. In the CodeBuild project Environment setting, select Custom image, under Environment type select Linux, and under Image registry select Other registry. Enter the Prisma Cloud IaC scanner docker image:
        public.ecr.aws/b0j3w2u9/pcs-sl-scanner
      • Define the CodeBuild Specification (Buildspec): The buildspec is a YAML file that contains the settings and commands that CodeBuild uses to execute a build. An example buildspec to run pcs_iac_repo_scan and publish its JUnit-format result file as a CodeBuild report:
        version: 0.2
        phases:
          build:
            commands:
              - pcs_iac_repo_scan
        reports:
          iac-reports:
            files:
              - report/iac_scan/results.xml
            file-format: JUNITXML
      • View Scan Result in CodeBuild Reports: If reports is defined in the buildspec, the scan results can be viewed in the Reports tab; otherwise no report is generated. Click on the report link to view detailed violations from the scan result.
    The same information appears on the Prisma Cloud DevOps Inventory page, which you can access by selecting Inventory > DevOps.

Use an AWS Lambda Function with Python Scripting

You can configure an AWS Lambda function and add it to your pipeline to check your IaC templates against Prisma Cloud security policies.
  1. Create an AWS Lambda Function from the Deployment Package.
    Use the AWS command line interface (CLI) or console to create a Lambda function that scans the IaC templates against Prisma Cloud's comprehensive set of security policies.
    • Choose a runtime environment of Python 3.6 or 3.7
    • Set the execution role for Lambda so that it has:
      • Write permission for AWS CodePipeline:
        • codepipeline:PutJobSuccessResult
        • codepipeline:PutJobFailureResult
      • List, Read, and Write permissions for AWS CloudWatch Logs
      • Read permission for your S3 bucket if it is your data source
    • Use the Lambda function with the Prisma Cloud Python AWS Lambda deployment package
    • Set the Lambda function handler to PrismaCloudIaCScan.lambda_handler
    An example for the AWS console.
  2. Configure Lambda Function with Required Environment Variables.
    Provide the environment variables in your AWS CLI to create or set the Lambda in your AWS console.
  3. Adjust the Lambda timeout.
    In the basic setting, change the default Lambda timeout from 3 seconds to 15 seconds.
  4. Add the Lambda Function Action to Your CodePipeline stage.
    The following table identifies the fields that have values specific to Prisma Cloud. The value for User parameters is in JSON format and specifies the conditions under which the pipeline job status will fail. In the table, the job will fail if the extension finds one high-severity violation, two medium-severity violations, or five low-severity violations.
    • Action provider: AWS Lambda
    • Function name: The function name you used when you created the Lambda function (e.g. PrismaCloudIaCScan)
    • User parameters: Example: {"FailureCriteria": {"High":1,"Medium":2,"Low":5,"Operator":"or"}}
      Valid values for "Operator" are "or" and "and".
    An example of the Edit action entries is below:
  5. View the scan result after pipeline execution.
    To manually start a pipeline through the AWS console, select
    Release change
    on the pipeline details page. Select the link to execution details to view the latest CloudWatch logs.
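The failure criteria appear in two forms on this page: the prisma_cloud_failure_criteria environment variable string used by the CodeBuild action and the FailureCriteria JSON used in the Lambda action's User parameters. The following Python is an added example, not code from the Prisma Cloud extension, that parses both forms and applies the or/and operator to a set of violation counts; it assumes that a severity counts as a hit when its violation count reaches the threshold (the page does not state the exact comparison the extension uses).

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureCriteria:
    """Thresholds per severity plus the operator that combines them."""
    high: int
    medium: int
    low: int
    operator: str  # "or" or "and"

    @classmethod
    def from_env_string(cls, value: str) -> "FailureCriteria":
        # CodeBuild form: "High:1,Medium:1000,Low:1000,Operator:or"
        # (spaces around ':' and ',' are tolerated, e.g. "Operator: and")
        fields = {}
        for item in value.split(","):
            key, _, val = item.partition(":")
            fields[key.strip().lower()] = val.strip()
        return cls._build(fields)

    @classmethod
    def from_user_parameters(cls, value: str) -> "FailureCriteria":
        # Lambda form: '{"FailureCriteria": {"High":1,"Medium":2,"Low":5,"Operator":"or"}}'
        raw = json.loads(value)["FailureCriteria"]
        return cls._build({k.lower(): str(v) for k, v in raw.items()})

    @classmethod
    def _build(cls, fields: dict) -> "FailureCriteria":
        op = fields.get("operator", "").lower()
        if op not in ("or", "and"):
            raise ValueError(f"Operator must be 'or' or 'and', got {op!r}")
        try:
            return cls(int(fields["high"]), int(fields["medium"]), int(fields["low"]), op)
        except KeyError as missing:
            raise ValueError(f"missing severity threshold {missing}") from None

    def should_fail(self, high: int, medium: int, low: int) -> bool:
        # Assumption: a severity "hits" when its violation count reaches the threshold.
        hits = (high >= self.high, medium >= self.medium, low >= self.low)
        return any(hits) if self.operator == "or" else all(hits)


if __name__ == "__main__":
    # Constructed counts: 0 high, 2 medium, 0 low violations against the page's Lambda example.
    lambda_params = '{"FailureCriteria": {"High":1,"Medium":2,"Low":5,"Operator":"or"}}'
    print(FailureCriteria.from_user_parameters(lambda_params).should_fail(0, 2, 0))  # True
```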

Set up Container Image Scanning with AWS CodeBuild

You can scan container images and serverless functions when you enable twistcli, add a vulnerability scan rule where you define the criteria to fail the build, and set up a task to scan the image or function in the pipeline.
  1. Select Compute > Defender > Vulnerabilities > Images > CI.
  2. Add rule and enter a rule name.
  3. Specify the Alert and Failure thresholds.
    You can set the vulnerability scan to fail on critical, high, medium, or low severity. The failure threshold must be greater than the alert threshold.
  4. Specify the Grace period.
    The grace period is the number of days for which you want. For more information about these settings, see the Prisma Cloud Compute Guide.
  5. Add a CodeBuild Action to AWS CodePipeline Stage.
    Create or edit your AWS CodePipeline to add a new stage action with the provider of AWS CodeBuild.
  6. Configure the buildspec file.
    Get the complete image scan shell script. You then have two options for using it: copy the script into your buildspec commands, or fetch and run it remotely in a single command:
    curl https://gitlab.com/prismacloud-public/shift-left/extension/-/raw/master/aws-codepipeline/image_scan.sh | bash
    Copying the script into your repository lets you review and pin the version that runs in your build, whereas the remote command fetches the current master branch of the script at every build.
    Below is an example buildspec to pull the container image and run the scan steps.
    version: 0.2
    phases:
      build:
        commands:
          # Build or pull the target container image specified in your environment variable
          - docker pull $prisma_cloud_scan_image
          # You may also copy the shell script content from the URL below
          - curl https://gitlab.com/prismacloud-public/shift-left/extension/-/raw/master/aws-codepipeline/image_scan.sh | bash
  7. Set Image Scan CodeBuild Environment Variables.
    If you created the buildspec using the above sample, add the following CodeBuild environment variables, as they are used by the scan script:
    • prisma_cloud_scan_image: Docker image to be scanned for vulnerabilities
    • prisma_cloud_compute_username: Prisma Cloud user with the Compute CI User role
    • prisma_cloud_compute_password: Password of the Prisma Cloud user with the Compute CI User role
    • prisma_cloud_compute_url: The base URL for your Prisma Cloud Compute console, found under Compute > System > Downloads > Path to Console
    • prisma_cloud_compute_project: If a Prisma Cloud Compute project is used, specify the project name along with the username and password
  8. View the Scan Results Build Logs.
