By Jonathan Brox, Customer Success Engineer
Prisma Cloud agentless scanning is initially configured in the same-account scanning architecture. In this article, we describe an alternative approach, as customers might prefer the hub and target account scanning architecture.
The Terraform onboarding script deploys a resource group for the agentless resources in each subscription. The Prisma Cloud Service Principal (SP) is individually assigned the Prisma Cloud agentless write policy for each of these resource groups. To do so, the script has to loop over all subscriptions of a tenant and perform the actions in each one. This is a valid approach for same-account scanning. The final architecture looks like this:
Figure 1: Azure-tenant-with-agentless-
During the Terraform deployment, additional resource groups (highlighted in red in figure 1) have been created and the role has been assigned at resource group level. In enterprise environments there are quite often hundreds of subscriptions organized in several management groups inside one single tenant. This approach will take some time, as a resource group is deployed in each of the subscriptions and the role is assigned to it once the resource group has been created.
In this article, we describe an alternative and more efficient approach to onboard and configure Prisma Cloud for agentless scanning.
We suggest using a dedicated subscription and hosting the scanner instances in it. In addition, the Prisma Cloud SP access granted by the “agentless write policy” is limited to this subscription, which is considered the Hub subscription, see [1] Agentless Scanning Modes.
It might be just a stand-alone subscription without any agentless-related assets inside. In Azure, it is quite common to apply initiatives (groups of policies) to the individual management groups. If applicable, please consider placing this hub subscription outside your standard management groups or defining subscription-specific exceptions. The final architecture is shown in figure 2.
Figure 2: Prisma-Cloud-Agentless-Hub-
During the onboarding process, we make use of many of the resources that are also used during a standard onboarding of an Azure tenant to Prisma Cloud, see [2] Connect your Azure Tenant.
In a first phase, the Azure tenant is onboarded as read-only, without any additional services configured. Please leave out all optional configurations, as shown in figure 3.
Figure 3: Default-Azure-Tenant-
On the next page, the dialog asks for the Tenant ID. Once it has been copied in, the default read-only Terraform template becomes available for download. Please open it with a tool of your choice.
There are two roles listed in the template:
The built-in Reader role
A custom role containing about 350 permissions in “custom_role_actions”.
Create the Enterprise App and grant the permissions:
Log in to your Azure Portal and create a new App registration with a name according to your naming convention that indicates it is related to Prisma Cloud, as the Service Principal (PC SP) will have the same name. Nothing else needs to be configured beyond creating the SP.
Once the App Registration is done, select the registered app and create a secret under “Manage” - “Certificates & Secrets”. Store it in a safe place, as there is no way to retrieve it from the portal at a later stage.
As the next step, you need to assign permissions at the appropriate level. The person performing these steps therefore has to have the “Global Administrator” role, and you have to activate “Access Management for Azure Resources” in Microsoft Entra ID under “Manage” - “Properties”; please see also Troubleshoot Azure Account Onboarding.
Figure 4: Configuring-Access-Management-
Go to Management Groups, select the Root Tenant Group of your Azure tenant and click on “Access Control (IAM)”.
Add a role assignment: “Add” - “Add role assignment” - “Job function roles” - “Reader”, click Next and select the Prisma Cloud Service Principal as a member of your tenant. Save the role assignment. It might take some time to sync properly.
In the next step, choose “Add” - “Add a custom role”. Provide a name according to your naming convention and switch to the JSON tab. Click “Edit” and copy the list of permissions listed in the Terraform under “custom_role_actions” - “default” (figure 5) into the “actions” section of the JSON document (figure 6). Check the formatting before saving.
Figure 5: Screenshot-PrismaCloud-
Figure 6: JSON-template-of-custom-role-
Assign the new role to the PC SP on the Root Tenant Group as well.
Once this is done, check the role assignments for the Root Tenant Group under Access Control (IAM) - Role assignments and confirm that both roles are assigned to the PC SP. It might take some time to sync properly. Click on the name of the PC SP and keep this tab open.
Switch back to Prisma Cloud.
Copy in the Application ID. The Enterprise Object ID is listed in Azure as “Object ID”. There are at least two object IDs in Azure, so please use the object ID shown at the end of step 8. Also provide the secret for the Service Principal generated beforehand.
Include or exclude certain subscriptions if needed and click Next. Once all checks are completed, you can save and exit. All resources of the tenant will now be ingested step by step.
The initial read-only onboarding is done, in the same way the Terraform script would have done it.
These steps are the basis for the following ones. In case of any doubts, please check the steps described above.
In this article the focus is on Hub/Target Account scanning.
Select the onboarded tenant in Prisma Cloud and click on the pencil to edit it.
Tick the box for Agentless scanning. It is important to deactivate the “Organizational Scan”. If it is left active, Prisma Cloud will trigger an agentless scan right after the configuration is saved. Scanning will be activated at a later stage.
Click Next and download the Terraform from the next page.
Open the tf.json with your tool of choice. Compared to the previous Terraform, this file contains an additional role with about 15 additional permissions:
Figure 7: Agentless-permissions-
As described before, create another custom role on the Root Tenant Group via “Management Groups” - “Root Tenant Group” - “Access Control (IAM)” - “Add” - “Add custom role”. Choose a distinguishable name for this role, as it has different permissions from the one created before. Copy the permissions listed in figure 7 into the “actions” section of the role's JSON template.
Create a subscription, if needed, to deploy the agentless resources in. Consider the hierarchy of the management groups in your tenant as shown in figure 2. This subscription will be the Hub account. Select your hub subscription in Azure and assign the role created in the step before to your PC SP via “Access Control (IAM)” - “Add” - “Add role assignment”: select the name of the role created in step 4 and select the Prisma Cloud Service Principal. There is no need to grant these permissions to Prisma Cloud on all subscriptions, just on the hub subscription.
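Both custom roles above (the read-only role built from the Terraform's “custom_role_actions”, and the agentless role built from the permissions in figure 7) can be prepared from the downloaded tf.json instead of copying the list by hand. The following Python is an added example, not Prisma Cloud's or Azure's own code: it assumes the Terraform JSON keeps the list under variable.custom_role_actions.default, uses constructed placeholder action names rather than the real permission list, and emits the role in the format of the portal's JSON tab with the Root Tenant Group (whose management group ID equals the tenant ID) as the only assignable scope.

```python
import json

# Constructed stand-in for the downloaded tf.json: only the layout
# variable.custom_role_actions.default is assumed; the action names are
# placeholders, not Prisma Cloud's real permission list.
SAMPLE_TF_JSON = json.dumps({"variable": {"custom_role_actions": {"default": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Compute/virtualMachines/read",  # duplicate, to show de-duplication
]}}})


def extract_actions(tf_json_text):
    """Read the action list from the Terraform JSON and return it de-duplicated
    and sorted, rejecting entries that cannot be valid Azure actions."""
    doc = json.loads(tf_json_text)
    actions = doc["variable"]["custom_role_actions"]["default"]
    bad = [a for a in actions if not a.strip() or " " in a or "/" not in a]
    if bad:
        raise ValueError("malformed action(s): %r" % bad)
    return sorted(set(actions))


def build_role_definition(role_name, actions, tenant_id, description=""):
    """Build the body for the portal's 'Add custom role' JSON tab. The Root
    Tenant Group's management group ID equals the tenant ID, so it is the only
    assignable scope; the role can then be assigned on the hub subscription."""
    root_scope = "/providers/Microsoft.Management/managementGroups/" + tenant_id
    return {"properties": {
        "roleName": role_name,
        "description": description,
        "assignableScopes": [root_scope],
        "permissions": [{"actions": list(actions), "notActions": [],
                         "dataActions": [], "notDataActions": []}],
    }}


def additional_actions(base_actions, agentless_actions):
    """Actions in the agentless tf.json that the read-only role did not have:
    these belong in the second role, granted only on the hub subscription."""
    return sorted(set(agentless_actions) - set(base_actions))


if __name__ == "__main__":
    acts = extract_actions(SAMPLE_TF_JSON)
    # placeholder tenant ID, replace with your own
    role = build_role_definition("PrismaCloud-ReadOnly", acts,
                                 "00000000-0000-0000-0000-000000000000")
    print(json.dumps(role, indent=2))
```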
Go back to Prisma Cloud and click next to reach the last tab of the onboarding process. It might look like figure 8:
Figure 8: Permission-Check-Prisma-Cloud-
The listed permission “.../resourceGroups/write” can be granted if needed. There are two options for how to proceed.
It does not have to be granted, as the resource group can easily be created manually:
Please go to your Hub subscription on Azure and create a resource group with the name “
Otherwise, there is the option to create another role in your Azure tenant at Root Tenant Group level (as described before) that has this permission, and assign it to the Prisma Cloud Service Principal at Hub subscription level. In this case Prisma Cloud will create the resource group itself.
Switch back to Prisma Cloud and re-check the permissions in the onboarding dialog. All checks should now show green.
Switch to Runtime Security - Manage - Cloud Accounts and select the subscription that has been configured in Azure as the Hub account.
Edit it, set it as Hub and save (figure 9). Check the “Advanced Settings” for additional configurations. Further explanations of the available options are given in [3] Prisma Cloud Enterprise Edition. As shown in figure 9, agentless scanning is still disabled for the accounts.
Figure 9: Agentless-configuration-
Configure the target accounts accordingly: edit the individual account, select “Scan with Hub” and select the Hub account from the dropdown (figure 10). The advanced settings are subscription-specific, so please configure them accordingly.
Figure 10: Agentless-configuration-
Switch back to Cloud Security - Settings - Cloud Providers and select the onboarded tenant. Click on the tenant name to list all subscriptions.
Select the subscription configured as the hub account for Agentless and click on edit. Switch the toggle for agentless scanning to active.
Do the same for the individual target accounts.
Switch back to Runtime Security - Manage - Cloud Accounts and filter by tenant name. You will get an overview as shown in figure 11. The Scan mode column might be hidden; it can be activated via the table configuration on the right side above the account table.
Figure 11: PrismaCloud-RuntimeSecurity-
This article provides a step-by-step guide on how to configure Prisma Cloud agentless scanning for Azure in the Hub and Target account architecture. The Prisma Cloud Service Principal has been assigned a least-privilege set of permissions, only where needed.
The account-specific configuration in Runtime Security - Manage - Cloud Accounts can be automated via script, as there is an API endpoint that provides the relevant information.
In enterprise environments it might be necessary to have more than one hub subscription, e.g. to fulfil compliance requirements or to isolate non-production from production. In this case the custom roles created at tenant level can be assigned to additional hub subscriptions as well; please configure the accounts in Prisma Cloud Runtime Security accordingly.
[3] Prisma Cloud Enterprise Edition