Azure Onboarding: Alternative Approach

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L4 Transporter
No ratings

By Jonathan Brox, Customer Success Engineer

 

 

 

Prisma Cloud agentless scanning is initially configured in the same account scanning architecture. In this article, we describe an alternative approach as customers might prefer the hub and target account scanning architecture. 

 

Design of the terraform based process

 

The Terraform onboarding script deploys in each subscription a resource group for the agentless resources. Prisma Cloud Service Principal (SP) gets individually assigned the Prisma Cloud agentless write policy for each resource group. In this case, we have to loop over all subscriptions of a tenant and perform actions. This is a valid approach in case of same account scanning. The final architecture will look like this:

 

 

unnamed.png

Figure 1: Azure-tenant-with-agentless-resourcegroups_PaloAltoNetworks

 

During the terraform deployment additional resource groups (highlighted in red in fig. 1) have been created and the role has been assigned on resource group level. In enterprise environments, there are quite often hundreds of subscriptions organized in several management groups inside one single tenant. This approach will take some time, as resource groups will be deployed in each of the subscriptions and the role will be assigned accordingly once the resource group is created.

 

The alternative approach

 

In this article, we describe an alternative and more efficient approach to onboard and configure Prisma Cloud for agentless scanning. 

We suggest using a dedicated subscription and host the scanner instances in it. In addition the Prisma Cloud SP access is limited with its “agentless write policy” to the subscription, which is considered as the Hub subscription [1] Agentless Scanning Modes


In this case, it might be just a stand-alone subscription without any agentless related assets inside. In Azure, it is quite common using initiatives (group of policies) on the individual management groups. Please consider if applicable placing this hub subscription outside your standard management groups or define subscription specific exceptions. A final architecture is shown in figure 2.

 

 

unnamed.png

Figure 2: Prisma-Cloud-Agentless-Hub-Architecture_PaloAltoNetworks

 

During the onboarding process, we make use of a lot of resources which are used during a standard onboarding for an Azure tenant to Prisma Cloud [2] Connect your Azure Tenant  

 

Read-only onboarding

 

In a first phase, the Azure tenant will be onboarded as read-only, without any additional configured services. Please leave out all optional configurations as shown in figure 3.  

 

 

unnamed.png

Figure 3: Default-Azure-Tenant-Onboarding-Configuration_PaloAltoNetworks

 

On the next page, the dialog will ask for the Tenant ID, once it is copied in the download of the default read-only Terraform template is available. Please open it with a tool of your choice.

 

There are two roles in the template listed:

  1. The Built-in Reader

  2. Custom Role: It contains about 350 permissions in the “custom_role_actions”.

 

Create the Entreprise App and grant the permissions:

  1. Login to your Azure Portal and create a new App registration with a name according to your naming convention indicating that it is related to Prisma Cloud as the Service Principle (PC SP) has the same name. There is no need to configure anything else than just creating the SP.

  2. Once the App Registration is done, please select the registered app and create a secret in “Manage” - “Certificates & Secrets”. Please store it in a safe place, as there is no way to obtain it at a later stage from the portal again.

  3. As the next step you need to assign permissions on the appropriate level. Therefore the person performing these steps has to have the role “global administrator” and you have to activate the “Access Management for Azure Resources” in the Microsoft Entra ID in “Manage” - “Properties”, please see also Troubleshoot Azure Account Onboarding.

     

     

    unnamed.png

    Figure 4: Configuring-Access-Management-for-Azure-Resources_PaloAltoNetworks

 

  1. Go to Management Groups and select the Root tenant Group of your Azure tenant and click on “Access Control (IAM)”.

  2. Add role assignment: “Add” - “Add role assignment" - “Job function roles” - “Reader” click next and select the Prisma Cloud Service Principle as a member of your tenant. Save the role assignment. It might take some time to properly sync.

  3. In the next step, we “Add” - “Add a custom role”. Please provide a name according to your naming convention and switch to the json-tab. Click on “Edit” and copy the list of permissions listed in the terraform under “custom_role_actions” - “default” (figure 5) to the actions in the json document (figure 6). Please check the formatting before saving. 

     

     

    unnamed.png

    Figure 5: Screenshot-PrismaCloud-Terraform-Onboarding-Template_PaloAltoNetworks

     

     
    unnamed.png

    Figure 6: JSON-template-of-custom-role-definition_PaloAltoNetworks

  4. Please assign the new role to the PC SP on Root Tenant Group as well.

  5. Once this is done please check the role assignments for the Root Tenant Group in Access Control (IAM) - Role assignments. Confirm whether both roles are assigned to  the PC SP. It might take some time to properly sync. Click on the name of the PC SP. Please keep this tab open.

  6. Switch back to Prisma Cloud.
    The Application ID can be copied in. The Enterprise Object ID is listed in Azure as “Object ID”. There are at least two object IDs in Azure, so please use the object ID as shown at the end of step 8. Please provide the secret for the Service Principal as generated beforehand as well.

  7. Include / exclude certain subscriptions if needed and click next. Once all checks are completed, you can save and exit. Now all resources of the tenant will be step-by-step ingested.

 

Initial read only onboarding is done - as the terraform script would have done it in a similar way. 

 

These steps will help to perform the next steps. In case of any doubts please check the steps described above.

 

Grant the relevant agentless permissions

 

In this article the focus is on Hub/Target Account scanning. 

 

  1. Select the onboarded tenant in Prisma Cloud and click on the pencil to edit it.

  2. Tick the box for Agentless scanning. It is important to deactivate the “Organizational Scan”. In case this is set to active, Prisma Cloud will trigger an agentless scan right after the configuration is saved. The activation of the scanning will be done at a later stage.
    Click next and download the Terraform from the next page. 

  3. Please open the tf.json with your tool of choice. Compared to the Terraform beforehand, this file contains an additional role. It has about 15 additional permissions:

     

     

    unnamed.png

    Figure 7: Agentless-permissions-PrismaCloud-Azure_PaloAltoNetworks

  4. As described before, create another custom role on Root Tenant Group via “Management Groups” - “Root Tenant Groop” - “Access Control (IAM)” - “Add” - “Add custom role”. Please consider a reasonable name for this role, as this one will have different permissions compared to the one created before. Copy the permissions listed in figure 7 to the JSON-template of the role in the “actions” section. 

  5. Create a subscription, if needed, to deploy the agentless resources in it. Please consider the hierarchy of the management groups in your tenant as shown in figure 2. It will be considered as the Hub Account. Select your hub subscription on Azure and assign the role to your PC SP, created in the step before. This can be done via “Access Control (IAM)” - “Add” - “Add role assignment”. Select the name of the role created in step 4 and select the Prisma Cloud Service Principal. There is no need to grant these permissions to Prisma Cloud on all subscriptions - just the hub subscription.

  6. Go back to Prisma Cloud and click next to reach the last tab of the onboarding process. It might look like figure 8:

     

    unnamed.png

    Figure 8: Permission-Check-Prisma-Cloud-agentless_PaloAltoNetworks

  7. The listed permission “.../resourceGroups/write” can be granted if needed. There are two options how to proceed 

    • It does not have to be as the resource group can be easily created manually.
      Please go to your Hub subscription on Azure and create a resource group with the name “PCCAgentlessScanResourceGroup”. This name is case sensitive and has to match. Otherwise Prisma Cloud Agentless will fail as it searches for exactly this resource group. In this case you can ignore the warning.

    • Otherwise there is the option to create another role in your Azure tenant on Root tenant level (as described before), which has this permission and assign it to the Prisma Cloud Service Principal on Hub subscription level. In this case Prisma Cloud will create the resource group by itself. 

 

Switch back to Prisma Cloud and check the permission in the onboarding dialog. It shows all checks in green.

 

Activating the Agentless Scanning

 

  1. Switch to Runtime Security - Manage - Cloud Accounts and select the subscription, which has been configured on Azure as the Hub account.

  2. Edit it and set it as Hub and save it (figure 9). Please check the “Advanced Settings” for additional configurations. Further explanations on the available options is shared in [3] Prisma Cloud Enterprise Edition. As shown in figure 9, agentless scanning is still disabled for the accounts.

     

     

    unnamed.png

    Figure 9: Agentless-configuration-HubAccount-PrismaCloud_PaloAltoNetworks

  3. Configure the target accounts accordingly: Edit the individual account and select “Scan with Hub” and select the Hub account from the dropdown (figure 10). The advanced settings are subscription specific, so please configure them accordingly.

     

     

    unnamed.png

    Figure 10: Agentless-configuration-TargetAccount-PrismaCloud_PaloAltoNetworks

  4. Switch back to Cloud Security - Settings - Cloud Providers and select the onboarded tenant. Click on the tenant name, all subscriptions will be listed. 

  5. Select the subscription configured as the hub account for Agentless and click on edit. Switch the toggle for agentless scanning to active.

  6. Do the same for the individual target accounts.

  7. Switch back to Runtime Security - Manage - Cloud Accounts and filter based on the tenant name. You will get an overview as shown in figure 11. The Scan mode column might be hidden and can be activated via the table configuration on the right side above the account table. 

     

    unnamed.png

    Figure 11: PrismaCloud-RuntimeSecurity-CloudAccount-Overview_PaloAltoNetworks

 

Conclusion

 

This article provides a step-by-step guide on how to configure Prisma Cloud agentless scanning for Azure in the Hub- and Target account architecture. The Prisma Cloud Service Principle got a least set of permissions assigned, where needed.

 

The account specific configuration in Runtime Security - Manage - Cloud Accounts can be automized via script as there is an API endpoint which provides the relevant information.

 

In enterprise environments it might be necessary to have more than one hub subscription to fulfill e.g. compliance requirements or Non-production and production isolation. In this case the custom roles created on tenant level can be assigned to additional hub subscriptions as well. In this case please configure the accounts in Prisma Cloud Runtime Security accordingly.

 

References

 

[1] Agentless Scanning Modes

[2] Connect your Azure Tenant  

[3] Prisma Cloud Enterprise Edition 

 
 
Rate this article:
  • 396 Views
  • 0 comments
  • 0 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎11-15-2024 04:56 PM
Updated by: