PANCast Episode 22: Azure Container Registry and Configuring Scanning Using Service Principal

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
L4 Transporter
No ratings

 

Episode Transcript:

 

John:

Hello PANCasters, welcome back. Today we cover some more info on Prisma Cloud and specifically how it can help with Azure Container Registry or ACR. Our guest today is Roshan.
Hi Roshan, could you tell us a bit about yourself?
 

Roshan: Roshan Tulsani is a Staff Technical Support Engineer for Prisma Cloud and Compute, and has a vast experience in the Support Environment. He is passionate about sharing his knowledge and expertise with customers, especially on Prisma Cloud scanning.Roshan Tulsani is a Staff Technical Support Engineer for Prisma Cloud and Compute, and has a vast experience in the Support Environment. He is passionate about sharing his knowledge and expertise with customers, especially on Prisma Cloud scanning.

Hi John and all our friends listening to this, thanks for having me today. I am Roshan, a Staff Technical Support Engineer for Prisma Cloud with years of support experience in the cyber security and Prisma Cloud space.
 
John:
Thanks Roshan. Now let's start with the basics. What is Azure Container Registry?
  

Roshan:

Thanks for asking. To begin with, today, among various Organizations and Businesses, Container Images have become a popular way to package and distribute applications because they provide a lightweight and consistent environment for running softwares. A container image is a lightweight and executable software package that contains all the necessary components, including code and system libraries, to run an application.
 
However, Container images can introduce security risks if they contain weaknesses in their application or code that can be potentially exploited. These vulnerabilities in images are commonly referred to as image vulnerabilities, that can be exploited by attackers to gain unauthorized access, compromise the application, or perform other malicious activities.

Therefore, it is crucial from a security perspective to continuously safeguard these images during modifications to eliminate any known or new vulnerabilities.

To address these security concerns, Organizations often use a private container registry, such as Azure Container Registry (ACR). ACR serves as a Private storehouse where the process of building, storing, and managing container images takes place. It offers a range of functionalities, allowing you to not only use commands to push container images into your registry but also to pull and run images from it, enhancing the overall experience of container image management.

Going forward, if your Organization is leveraging ACR for managing private Container Images, this episode will shed light on how you can leverage Prisma Cloud to Scan existing repositories and images in ACR for identifying potential Vulnerabilities using Service Principal in your Azure Cloud account.
 
John:
OK. So could you explain what a Service Principal is?
 

Roshan:

Sure, so now, to protect your Private Storehouse from the bad guys on the Internet, you need some sort of an authentication mechanism which recognizes you, and only you, as its rightful owner of the ACR. An Azure Service Principal is that key to your storehouse which gives you control over which resources can be accessed and at which level.
 
John:
Got it. So if I understand correctly, Prisma Cloud can scan images in ACR using the Service Principal. So next is how do we configure it?
 

Roshan:

This setup requires only three straightforward actions. It begins by initially establishing the Service Principal on your Azure Cloud Account. Next, you proceed to onboard your Azure Cloud Account in the Prisma Cloud Compute section. Finally, you act as a matchmaker by associating the created Service Principal and the onboarded Azure Cloud Account under 'Registry Settings'.
 

Creation of a Service Principal on Azure Cloud Account

 

You can generate a Service Principal using the powerful Azure CLI tool. The crucial point to remember is that the user-role on Azure who created this (let's say it's you) should be either a contributor or a reader. Think of this role as equivalent to your boss or super boss in a company, who have exclusive access to your current and historical performance metrics. If you're wondering whether you can utilize an existing Service Principal for scanning your ACR instead of creating a new one, the answer is yes, as long as the existing Service Principal is associated with a contributor or reader role. This means you can skip this step if you already have a suitable Service Principal. As we proceed, I have a valuable tip that will save you significant time and effort in the future. Make sure to copy the output of the Service Principal (including the brackets) and save it in a text file.
 

Onboarding Azure Cloud Account on Prisma Cloud Compute

  
To onboard your Azure Cloud Account in the Compute section of Prisma Cloud, follow these simple steps. First, navigate to the Manage Tab and go to the Cloud Accounts section to Add an Account. Choose Azure as the Cloud Provider and give it a name of your choice, such as "MyAzure." Select the Authentication method as Service Key and provide the existing or newly created Service Principal. Remember when I mentioned saving the output Service Principal in a text file? Now is the time to use it. Copy the entire content of the text file and paste it into the Service Key field as it is. By completing these steps, you have successfully configured the basic onboarding of your Azure Cloud Account, which can be saved for future use.
 

Adding the Azure Container Registry for Scanning

  
Now is the time for matchmaking! In the Defend section under Vulnerabilities, add the Azure Container Registry in the Registry Settings, where you can specify your Registry Address that typically ends with azurecr.io. Select the Version as “Azure Container Registry” and the Credential that was created earlier, such as "MyAzure”, and click on "Add." The great news is that other fields are optional and can be configured according to your specific business needs and requirements.

Once you have added the Azure Container Registry, you have the freedom to initiate a manual scan for your ACR whenever you desire. This scan will help you detect any vulnerabilities or other potentially harmful elements that may be lurking within your container images. Isn't it remarkable and effortless?
 
John:
It certainly sounds easy and convenient once you bring all these concepts and technologies together. Roshan, what would be the key takeaways?
 

Key Takeaways

 

Roshan:

Thanks John, the key takeaways for today would be:

  • First, establishing a Private Storehouse which in our case is Azure Container Registry
  • Next, introducing your Security guy of this Storehouse i.e. Service Principal
  • Finally, scanning the ACR by onboarding the Azure Cloud Account on Prisma Cloud and adding the ACR Registry
 
I am hopeful that by now, you have a fair idea on ACR Scanning using Service Principal and create History with it!
 
John:
Thank you, Roshan, for sharing the Prisma Cloud ACR scanning capabilities and features and how we can benefit from them. You can find the transcript and some valuable links on live.paloaltonetworks.com under PANCast.
 
Roshan:
Once again, Thank you John for having me and I hope to join you on another episode of PANCast.
 
John:
PANCasters, if you have topics you need us to cover, please send in your feedback through the Ideas Submission page on LIVEcommunity, and we’ll be happy to review them.
Bye for now.
 
Related Content:
Rate this article:
(2)
Comments
L0 Member

Thank you for sharing this information, this is indeed helpful.