Use the Prisma Cloud Extension for AWS DevOps

Summary of Prisma Cloud extension for AWS DevOps
With a Prisma Cloud Enterprise Edition license, you can integrate compliance and vulnerability checks into your AWS continuous integration/continuous delivery (CI/CD) and build environments. The sections below illustrate such integrations with your AWS CodePipeline pipelines and AWS CodeBuild projects.

Use the Prisma Cloud Plugin for AWS CodePipeline

With the Prisma Cloud Enterprise Edition license, you can customize your AWS CodePipeline to check Infrastructure-as-Code (IaC) templates, container images, and serverless zip files against Prisma Cloud security policies. The following examples show you how to integrate this security checking into your CodePipeline.
You have two options for scanning your IaC templates against Prisma Cloud security policies: an AWS Lambda function, or a custom action with a Bash shell script.

Use an AWS Lambda Function

You can configure an AWS Lambda function and add it to your pipeline to check your IaC templates against Prisma Cloud security policies.
  1. Configure a Lambda function.
    This example shows you how to configure the Lambda function that scans the IaC templates in your AWS CodePipeline and checks them against Prisma Cloud security policies.
    1. Download PrismaCloudIaCScan.zip to an accessible location.
      You can find the file at
      https://github.com/PaloAltoNetworks/Prisma-Cloud-DevOps-Security/blob/aws-codepipeline/aws-codepipeline/PrismaCloudIacScan/Lambda/PrismaCloudIaCScan.zip
    2. Run the following command to create your Lambda function.
      aws --profile ${AWS_PROFILE} --region ${AWS_DEFAULT_REGION} \
        lambda create-function \
        --function-name ${AWS_LAMBDA_FUNCTION} \
        --runtime python3.6 \
        --role <Lambda execution role ARN> \
        --handler PrismaCloudIaCScan.lambda_handler \
        --environment "Variables={Prisma_Cloud_API_URL=<Prisma Cloud API URL>,Access_Key=<Prisma Cloud access key>,Secret_Key=<Prisma Cloud secret key>}" \
        --zip-file fileb://PrismaCloudIaCScan.zip
      Replace the angle-bracket placeholders with your own values. The --role value is the ARN of the IAM execution role the function runs under (create-function requires it), and the handler is the module name followed by the function name, matching the handler used in the console setup below.
      The following table describes the environment variables that are required to access the Prisma Cloud security policies.
      Environment Variable    Value
      Prisma_Cloud_API_URL    Your Prisma Cloud API URL (e.g. https://api.prismacloud.io). The exact URL depends on the Prisma Cloud region and cluster of your tenant.
      Access_Key              Your Prisma Cloud access key for API access.
      Secret_Key              The secret key that corresponds to your Prisma Cloud access key.
      If you prefer to use the AWS console instead of the AWS CLI, you can use the console to create and edit your Lambda function. When you create your Lambda function through the console, specify Python 3.6 as the runtime of your function. To complete your Lambda function, edit your newly created function with the following information.
      Field                   Value
      Code entry type         Upload a .zip file
      Handler                 PrismaCloudIaCScan.lambda_handler
      Prisma_Cloud_API_URL    Your Prisma Cloud API URL (e.g. https://api.prismacloud.io). The exact URL depends on the region and cluster of your Prisma Cloud tenant.
      Access_Key              Prisma Cloud access key for API access.
      Secret_Key              Prisma Cloud secret key.
      Upload the PrismaCloudIaCScan.zip file that you saved as your function package.
  2. Add the Lambda function to your pipeline.
    The following steps describe how to invoke your Lambda function in the AWS console.
    1. In the AWS console, navigate to Services > Developer Tools > CodePipeline > Edit Pipeline. Choose your pipeline and select Edit.
    2. Between any two stages, select + Add Stage and provide a stage name of your choice.
    3. Select + Add action group. In Edit action, provide the information required to define a custom action.
      The table below identifies the fields that have values specific to Prisma Cloud. The value for User parameters is in JSON format and specifies the conditions under which the pipeline job status will fail. For the example in the table, the job will fail if the plugin finds one high-severity violation or two medium-severity violations or five low-severity violations.
      Field              Value
      Action provider    AWS Lambda
      Function name      The function name you used when you created the Lambda function (e.g. PrismaCloudIaCScan)
      User parameters    {"FailureCriteria": {"High":1,"Medium":2,"Low":5,"Operator":"or"}}
      Valid values for "Operator" are "or" and "and".
    4. Select Done.
    5. Once you've executed your pipeline, you can view the execution results. Select Details to see the latest CloudWatch logs and any security violations that Prisma Cloud identified.
      (Screenshots: aws-pipeline-lambda-details.png, aws-pipeline-cloudwatch-log-err.png)

Use a Custom Action with Bash

You can use an AWS custom action with a Bash shell script to integrate Prisma Cloud security checking into your AWS CodePipeline.
  1. Create a custom action.
    The following example shows you how to use an AWS custom action with a Bash shell script to scan your IaC templates and compare them against Prisma Cloud security policies. There are some prerequisites for a pipeline with this custom action.
    • Your AWS account must have the required AWS CodePipeline service role to run AWS CodePipelines.
    • jq, version 1.6 or higher (https://stedolan.github.io/jq/), must exist on the EC2 instance or system where your job worker runs.
    • The following AWS CLI commands must be available where your job worker runs:
      • aws codebuild
      • aws codepipeline
    • If your job worker runs in an EC2 instance, your EC2 instance user must have permission to run CodePipeline.
    The following steps show how to create a custom action that checks your IaC resources against Prisma Cloud security policies.
    1. Download the PrismaCloudIaCAction.json file to your working location, such as your EC2 instance.
      You can find this file at
      https://github.com/PaloAltoNetworks/Prisma-Cloud-DevOps-Security/blob/aws-codepipeline/aws-codepipeline/PrismaCloudIacScan/Bash/PrismaCloudIaCAction.json
    2. Optionally, you can edit the category property in PrismaCloudIaCAction.json to match your environment (e.g. Test or Build), but don't change any other properties.
    3. Execute the following command.
      aws codepipeline create-custom-action-type \
        --cli-input-json file://PrismaCloudIaCAction.json
  2. Add the custom action to your pipeline.
    1. In the AWS console, navigate to Services > Developer Tools > CodePipeline > Edit Pipeline. Choose your pipeline and select Edit.
    2. Configure the values for the pipeline. The following fields are specific to Prisma Cloud.
      Field                             Value
      Action provider                   Prisma-Cloud-IaC-Scan
      Prisma_Cloud_API_URL              Your Prisma Cloud API URL (e.g. https://api.prismacloud.io). The exact URL depends on the region and cluster of your Prisma Cloud tenant.
      Access_Key                        Your Prisma Cloud access key for API access.
      Secret_Key                        Your Prisma Cloud secret key.
      Failure_Criteria_High_Severity    Number of high-severity violations needed to trigger job failure (e.g. 1).
      Failure_Criteria_Medium_Severity  Number of medium-severity violations needed to trigger job failure (e.g. 2).
      Failure_Criteria_Low_Severity     Number of low-severity violations needed to trigger job failure (e.g. 5).
      Failure_Criteria_Operator         Accepted values: and, or. Values are case-sensitive and work with the failure criteria to control when job failure is triggered.
      S3BucketName                      Although this field is not specific to Prisma Cloud, a valid S3BucketName is required for this custom action.
      The following example includes these fields.
      (Screenshot: aws-pipeline-custom-action.png)
    3. Save the pipeline changes.
  3. Configure a custom action job worker.
    To create a custom action to check IaC resources against Prisma Cloud security policies, you must create a job worker that will listen for requests, execute the job, and report the result. The job worker can exist in any location, like an EC2 instance or a standalone system. With an EC2 instance, ensure that the EC2 instance user has permission to run the CodePipeline.
    This example assumes the job worker is in an EC2 instance, so the following steps occur on your EC2 instance.
    1. Download the poll.sh file to your EC2 instance.
      This file is available at
      https://github.com/PaloAltoNetworks/Prisma-Cloud-DevOps-Security/blob/aws-codepipeline/aws-codepipeline/PrismaCloudIacScan/Bash/poll.sh
    2. Execute the following command to set up the job worker.
      ./poll.sh "category=Test,owner=Custom,version=1,provider=Prisma-Cloud-IaC-Scan"
      The argument is a single comma-separated string with no spaces; the values must match the category, owner, version and provider defined in PrismaCloudIaCAction.json.
    3. To test your pipeline, you can use the AWS console to release the pipeline manually. After your stage completes, you can view the results of the checks against Prisma Cloud security policies in the log report in S3 by selecting the Details link.
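The failure criteria used by both integrations above (the Lambda action's User parameters JSON and the custom action's Failure_Criteria_* fields) can be evaluated as follows. This is an added illustration, not the plugin's or the custom action's own code; it assumes a threshold is met when the violation count at that severity is at least the configured number, that "or" fails the job when any threshold is met and "and" only when all are met, and it uses a constructed finding format with a "severity" key.

```python
"""Evaluate Prisma Cloud IaC scan failure criteria (added illustration).

Assumptions (not stated on the page): a threshold is met when the count of
violations at that severity is >= the configured number; Operator "or" fails
the job when any threshold is met, "and" only when every threshold is met.
"""
import json
from collections import Counter

SEVERITIES = ("High", "Medium", "Low")


def is_valid_operator(operator: str) -> bool:
    """Operator values are case-sensitive: only 'and' and 'or' are accepted."""
    return operator in ("and", "or")


def normalize(criteria: dict) -> dict:
    """Coerce the three counts to int and reject unknown operators."""
    operator = criteria["Operator"]
    if not is_valid_operator(operator):
        raise ValueError(f"Operator must be 'and' or 'or', got {operator!r}")
    result = {sev: int(criteria[sev]) for sev in SEVERITIES}
    result["Operator"] = operator
    return result


def criteria_from_user_parameters(user_parameters: str) -> dict:
    """Parse the Lambda action's User parameters JSON:
    {"FailureCriteria": {"High":1,"Medium":2,"Low":5,"Operator":"or"}}"""
    return normalize(json.loads(user_parameters)["FailureCriteria"])


def criteria_from_action_fields(high, medium, low, operator) -> dict:
    """Build the same structure from the custom action's Failure_Criteria_High_Severity,
    _Medium_Severity, _Low_Severity and _Operator values (strings, as configured)."""
    return normalize({"High": high, "Medium": medium, "Low": low, "Operator": operator})


def count_by_severity(findings: list) -> dict:
    """Tally violations by severity. Finding shape is constructed for this example."""
    return dict(Counter(f["severity"] for f in findings))


def should_fail(findings: list, criteria: dict) -> bool:
    """True when the per-severity counts satisfy the failure criteria."""
    counts = count_by_severity(findings)
    met = [counts.get(sev, 0) >= criteria[sev] for sev in SEVERITIES]
    return all(met) if criteria["Operator"] == "and" else any(met)


# Constructed sample scan result: two medium and four low violations, no high.
SAMPLE_FINDINGS = [{"severity": "Medium"}, {"severity": "Medium"},
                   {"severity": "Low"}, {"severity": "Low"},
                   {"severity": "Low"}, {"severity": "Low"}]
```

With the page's example criteria and Operator "or", SAMPLE_FINDINGS fails the job because the medium threshold (2) is met; with "and" it passes, because the high and low thresholds are not.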

Use The Prisma Cloud Extension for AWS CodeBuild

Set up AWS CodeBuild to run Prisma Cloud Compute scans
You can integrate Prisma Cloud Compute scans into your AWS CodeBuild build project to scan container images for vulnerabilities. Add the following steps to your normal AWS CodeBuild build project setup to add Prisma Cloud Compute scans to your build project. The scans apply to the images you build as well as to images that AWS CodeBuild manages.
  1. Download the latest twistcli binary from the Prisma Cloud Compute Console to your local machine.
    Get the binary from Compute > Manage > System > Downloads (for Prisma Cloud Compute Edition, use Manage > System > Downloads). The Prisma Cloud Compute console and the twistcli binary must be the same version, whether SaaS or self-hosted.
  2. In your AWS CodeBuild project, set the following environment variables, which the sample buildspec.yml file will use.
    Environment Variable      Description
    PC_COMPUTE_USER           Prisma Cloud Compute user with the CI User role
    PC_COMPUTE_PASS           Prisma Cloud Compute user password
    PC_COMPUTE_CONSOLE_URL    Base URL for the Prisma Cloud Compute console (e.g. http://console.<example>.com:8083)
    IMAGE_REPO_NAME           Docker repository for the image to be scanned for vulnerabilities
    IMAGE_TAG                 Docker tag for the image to be scanned for vulnerabilities
  3. Provide a buildspec.yml file that runs the twistcli command to scan the specified container image for vulnerabilities.
    The following example buildspec.yml uses the environment variables you set to run a Prisma Cloud Compute scan against the specified image.
    version: 0.2
    # In this example, we're using environment variables to store the username
    # and password of our Prisma Cloud Compute CI user account and the URL to
    # our console:
    #   PC_COMPUTE_USER: The Prisma Cloud Compute user with the CI User role
    #   PC_COMPUTE_PASS: The password for this user account
    #   PC_COMPUTE_CONSOLE_URL: The base URL for the console,
    #     i.e. http://console.<my_company>.com:8083 (without a trailing /)
    # buildspec version 0.2 is required for the runtime-versions mapping below.
    phases:
      install:
        runtime-versions:
          docker: 18
      build:
        commands:
          - echo Build started on `date`
          - echo Building the Docker image..$IMAGE_TAG
          - docker build -t $IMAGE_REPO_NAME:$IMAGE_TAG .
      post_build:
        commands:
          - echo Build completed on `date`
          # Download twistcli from the console. -k skips TLS certificate
          # verification; remove it once the console serves a trusted certificate.
          - curl -k -u $PC_COMPUTE_USER:$PC_COMPUTE_PASS --output ./twistcli $PC_COMPUTE_CONSOLE_URL/api/v1/util/twistcli
          - chmod +x ./twistcli
          # Only the user name is echoed; the password must never be written to build logs.
          - echo Scanning with twistcli as $PC_COMPUTE_USER
          # Run the scan with twistcli, providing detailed results in CodeBuild and
          # pushing the results to the Prisma Cloud Compute console.
          # --details returns all vulnerabilities and compliance issues rather
          # than just summaries.
          # --address points to our Prisma Cloud Compute console.
          # -u and -p provide credentials for the console. These creds
          # only need the CI User role.
          # Finally, we provide the name of the image we built with 'docker build',
          # above.
          - ./twistcli images scan --details --address $PC_COMPUTE_CONSOLE_URL -u $PC_COMPUTE_USER -p $PC_COMPUTE_PASS $IMAGE_REPO_NAME:$IMAGE_TAG
          # Add --vulnerability-threshold and/or --compliance-threshold to this
          # command to fail builds based on the thresholds.
          # See twistcli documentation for more details.
