Host Auto-defend for AWS EC2 Instances

Prisma Cloud Articles

By Prateek Pawar, Cloud Security Engineer

 

Overview 

 

Prisma Cloud uses AWS Systems Manager (formerly known as SSM) to deploy Defenders to EC2 instances.

This document streamlines that deployment process by giving step-by-step instructions for setting it up.

 

When to use:

 

Use this guide when you are trying to deploy host defenders automatically on AWS EC2 instances using AWS Systems Manager.

 

Before you begin:

 

Requirements:

 

  • A licensed Prisma Cloud console with a user that has at least the Defender Manager role
  • Access to the AWS account that contains the hosts you want to defend (Linux only)
  • Appropriate IAM permissions to access and run AWS Systems Manager commands

 

Prerequisites:

 

  • SSH access to the host(s) where you are installing Defenders
  • Host accessibility on port 443 (SSL)
  • An access key and a secret access key for each AWS account that the hosts belong to
  • Each of these accounts has been onboarded into Prisma Cloud
  • SSM agent installed if using one of the following distributions: CentOS, Debian Server, Oracle Linux, Red Hat Enterprise Linux, SUSE Linux Enterprise Server

 

1. IAM instance profile for Systems Manager - How to set up the AmazonSSMRoleForInstancesQuickSetup role on your instances.

 

EC2 instances that need a Defender installed require the IAM role mentioned above. The permissions look like this (ec2:DescribeRegions and ec2:DescribeTags can be ignored if you already have these permissions as part of the discovery feature; IAM policy documents do not allow comments, so they are listed here as plain JSON):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeRegions",
                "ec2:DescribeTags",
                "ssm:SendCommand",
                "ssm:DescribeInstanceInformation",
                "ssm:ListCommandInvocations",
                "ssm:CancelCommand"
            ],
            "Resource": "*"
        }
    ]
}

 

Workflow Steps:

 

  • Step 1: In the AWS console, go to IAM, create a new role with the permissions stated above, and assign it to the respective EC2 hosts (Actions > Security > Modify IAM role).

 

Figure 1: iamrole_PaloAltoNetworks.jpeg

Figure 2: modifyiamrole_PaloAltoNetworks.jpeg

 

  • Step 2: SSH into your EC2 host to restart the SSM agent service, so that it picks up the updated permissions assigned above.

 

# Commands for Amazon Linux
sudo systemctl stop amazon-ssm-agent
sudo systemctl start amazon-ssm-agent
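The IAM step above is easy to get subtly wrong: a duplicated action, a missing ssm:* entry, or a role that never gets associated with the instance. The following script is an added example (not Prisma Cloud's or AWS's own code) that builds the policy document from the action list in this article, checks an arbitrary policy for the required actions (understanding the literal names and service wildcards such as ssm:*), and, as an optional step that needs boto3 and AWS credentials, creates the role and instance profile and associates it with the given instances. The role name AmazonSSMRoleForInstancesQuickSetup comes from the article; the inline policy name PrismaHostAutoDefend and the EC2 trust policy are assumptions made here.

```python
"""Added example (not Prisma Cloud's or AWS's own code): build the IAM policy from
the article's action list, check it, and optionally apply it with boto3."""
import json

# Actions listed in the article's policy. ec2:DescribeRegions / ec2:DescribeTags
# may already be granted by the discovery feature; repeating them is harmless.
REQUIRED_ACTIONS = (
    "ec2:DescribeImages",
    "ec2:DescribeInstances",
    "ec2:DescribeRegions",
    "ec2:DescribeTags",
    "ssm:SendCommand",
    "ssm:DescribeInstanceInformation",
    "ssm:ListCommandInvocations",
    "ssm:CancelCommand",
)


def build_policy(actions=REQUIRED_ACTIONS):
    """Return the policy document as a dict. Duplicates are collapsed and the
    order is kept, so the rendered JSON stays stable for diffs in version control."""
    unique = list(dict.fromkeys(actions))
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "VisualEditor0", "Effect": "Allow",
             "Action": unique, "Resource": "*"}
        ],
    }


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """List required actions that no Allow statement in `policy` grants.
    Handles literal action names and the `service:*` / `*` wildcards only."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        granted.update([acts] if isinstance(acts, str) else acts)

    def allowed(action):
        service = action.split(":", 1)[0]
        return action in granted or f"{service}:*" in granted or "*" in granted

    return [a for a in required if not allowed(a)]


# Trust policy letting EC2 instances assume the role (assumed standard shape).
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}


def apply_to_instances(instance_ids, role_name="AmazonSSMRoleForInstancesQuickSetup",
                       policy_name="PrismaHostAutoDefend"):
    """Create the role and instance profile, then associate it with each instance.
    Needs boto3 and AWS credentials. role_name is from the article; policy_name is
    a placeholder chosen for this example."""
    import boto3  # imported here so the rest of the module works offline
    iam, ec2 = boto3.client("iam"), boto3.client("ec2")
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(EC2_TRUST_POLICY))
    iam.put_role_policy(RoleName=role_name, PolicyName=policy_name,
                        PolicyDocument=json.dumps(build_policy()))
    iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name,
                                     RoleName=role_name)
    for iid in instance_ids:
        ec2.associate_iam_instance_profile(
            IamInstanceProfile={"Name": role_name}, InstanceId=iid)


if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=4))
    print("missing:", missing_actions(build_policy()))
```

Running the module prints the policy JSON ready to paste into the IAM console. `apply_to_instances` deliberately does nothing clever about existing resources: `create_role` and `create_instance_profile` fail if the names already exist, and a freshly created instance profile can take a few seconds to become visible to EC2, so a retry around `associate_iam_instance_profile` is reasonable in real automation.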

 

2. Add a rule under Host Auto-defend in the console

 

Workflow Steps:

 

  • Step 1: Before adding a rule, first create a collection with the account ID of the AWS account(s) that host the EC2 instances. (This is necessary for Prisma Cloud to be able to auto-defend the hosts that are, or will be, added to that account.)
    • Navigate to Manage > Collections and Tags > Add collection and specify a name, a description and the account ID, as shown below.

       

Figure 3: create-collection_PaloAltoNetworks.jpeg

 

  • Step 2: Add a new rule in the Host auto-defend section (refer to the figure below for the subsequent steps).
    • Navigate to Manage > Defenders > Host auto-defend > Add rule and specify a rule name.
    • Keep the provider as AWS.
    • The console address is greyed out and filled in automatically.
    • For the scope, choose the collection created in step 1.
    • Choose “Regular regions” unless your AWS account is in a China or Government region.
    • For the credential, select the one that was created when the AWS account was onboarded into Prisma Cloud.
    • Add the rule and click “Apply Defense”, as shown in Figure 5.

       

Figure 4: add-new-auto-defendrule_PaloAltoNetworks.jpeg

 

3. Verify the auto-defend install

 

Workflow Steps:

 

  • Step 1: You should see the new Defenders under Manage > Defenders > Defenders: Deployed when filtering by the AWS account ID used.
  • Step 2: You should also see a successful Defender status under Manage > Defenders > Defenders: Auto-defend > Host Auto-defend.

    The following screenshot shows that Auto-defend discovered 1 EC2 instance and deployed a Defender.

 

Figure 5: defenders-auto-defend_PaloAltoNetworks.jpeg

 

 

  • Step 3: You should be able to verify a successful installation in your AWS account under AWS Systems Manager>Run Command.

     

Figure 6: aws-run-command_PaloAltoNetworks.jpeg
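Checking Run Command in the console works for a handful of hosts, but with many instances it helps to reconcile the list of hosts you expect to be defended against what Systems Manager actually reports. The script below is an added example (not Prisma Cloud's or AWS's own code). It classifies each expected instance as not managed by SSM at all (typically the instance profile or agent from section 1 is missing), managed but with the agent offline, managed with no Run Command invocation yet, or by the status of its most recent invocation. The two embedded inputs are constructed samples in the shape of `aws ssm describe-instance-information` and `aws ssm list-command-invocations`; the instance IDs, command IDs and the AWS-RunShellScript document name in them are made up, and `fetch_live` (which needs boto3 and credentials) is an optional helper to pull real data.

```python
"""Added example (not Prisma Cloud's or AWS's own code): reconcile the instances
that should have a Defender with what Systems Manager reports about them."""
from datetime import datetime, timezone

# Constructed sample in the shape of `aws ssm describe-instance-information`.
SAMPLE_INSTANCE_INFO = {
    "InstanceInformationList": [
        {"InstanceId": "i-0aaa11111111111aa", "PingStatus": "Online",
         "PlatformType": "Linux", "IamRole": "AmazonSSMRoleForInstancesQuickSetup"},
        {"InstanceId": "i-0bbb22222222222bb", "PingStatus": "ConnectionLost",
         "PlatformType": "Linux", "IamRole": "AmazonSSMRoleForInstancesQuickSetup"},
    ]
}

# Constructed sample in the shape of `aws ssm list-command-invocations`
# (two invocations for the same instance: an old failure, then a success).
SAMPLE_INVOCATIONS = {
    "CommandInvocations": [
        {"CommandId": "11111111-aaaa-bbbb-cccc-000000000001",
         "InstanceId": "i-0aaa11111111111aa", "DocumentName": "AWS-RunShellScript",
         "Status": "Success",
         "RequestedDateTime": datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)},
        {"CommandId": "11111111-aaaa-bbbb-cccc-000000000000",
         "InstanceId": "i-0aaa11111111111aa", "DocumentName": "AWS-RunShellScript",
         "Status": "Failed",
         "RequestedDateTime": datetime(2025, 3, 2, 9, 0, tzinfo=timezone.utc)},
    ]
}


def latest_invocation_status(invocations):
    """Map InstanceId -> Status of that instance's most recent invocation."""
    latest = {}
    for inv in invocations.get("CommandInvocations", []):
        iid = inv["InstanceId"]
        if iid not in latest or inv["RequestedDateTime"] > latest[iid]["RequestedDateTime"]:
            latest[iid] = inv
    return {iid: inv["Status"] for iid, inv in latest.items()}


def reconcile(expected_instances, instance_info, invocations):
    """Classify each expected instance:
       - 'not-managed'   : SSM has never seen it (no instance profile / no agent)
       - 'agent-offline' : known to SSM but PingStatus is not Online
       - 'no-command'    : managed, but no Run Command invocation yet
       - otherwise the Status of the latest invocation (Success, Failed, ...)
    """
    managed = {i["InstanceId"]: i
               for i in instance_info.get("InstanceInformationList", [])}
    statuses = latest_invocation_status(invocations)
    result = {}
    for iid in expected_instances:
        if iid not in managed:
            result[iid] = "not-managed"
        elif managed[iid].get("PingStatus") != "Online":
            result[iid] = "agent-offline"
        else:
            result[iid] = statuses.get(iid, "no-command")
    return result


def fetch_live(region):
    """Optional: pull both listings with boto3 (needs AWS credentials)."""
    import boto3  # imported here so the rest of the module works offline
    ssm = boto3.client("ssm", region_name=region)
    info = {"InstanceInformationList": []}
    for page in ssm.get_paginator("describe_instance_information").paginate():
        info["InstanceInformationList"].extend(page["InstanceInformationList"])
    inv = {"CommandInvocations": []}
    for page in ssm.get_paginator("list_command_invocations").paginate():
        inv["CommandInvocations"].extend(page["CommandInvocations"])
    return info, inv


if __name__ == "__main__":
    expected = ["i-0aaa11111111111aa", "i-0bbb22222222222bb", "i-0ccc33333333333cc"]
    for iid, state in reconcile(expected, SAMPLE_INSTANCE_INFO,
                                SAMPLE_INVOCATIONS).items():
        print(f"{iid}: {state}")
```

The `not-managed` and `agent-offline` buckets are the ones worth acting on first: auto-defend cannot reach those hosts at all, so the fix is back in section 1 (instance profile, agent installed and restarted, outbound 443 open), not in the Prisma Cloud rule. `list-command-invocations` only returns recent history, so a host that was defended long ago may legitimately show `no-command`.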

 

Conclusion:

 

You now have a foundation to be able to automatically protect all your hosts in your AWS environment using a Prisma Cloud host defender.

By following the steps outlined in this document, organizations can efficiently deploy host defenders across multiple hosts, ensuring comprehensive security coverage. This automation not only saves time and reduces the potential for human error, but also enhances the overall security posture by maintaining consistent and up-to-date defenses against threats. As cloud environments continue to evolve, utilizing tools like Prisma Cloud Auto-Defend will be crucial for maintaining robust security in an increasingly complex digital landscape.

 


 

About the Author:

 

Prateek Pawar is a Cloud Security Engineer on the Prisma™ Cloud CWPP team, specializing in supporting all compute solutions for Prisma™ Cloud: AWS, Azure, GCP, OCI, and Alibaba.

Prateek’s expertise spans securing most, if not all, compute workloads on Prisma™ Cloud, including but not limited to containers and Kubernetes. He uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverages his multi-industry knowledge to inspire success.

Last Updated: 03-03-2025 09:17 AM