04-24-2025 08:52 AM - edited 04-24-2025 09:18 AM
Managing your resource tags can be a challenge, but it's important to define scopes (chargeback, owner, application scope) and prioritize sensitive workloads. Tagging also makes monitoring easier, so it's recommended to take advantage of it.
However, tagging is often not implemented when the resource code is first written, and tag conventions become complicated to manage once everything is in production, or it simply takes a lot of time.
In this article, I will first review how Prisma Cloud allows you to deploy tags. In the second part, I will show you the benefits you'll gain through Prisma Cloud with tags.
Requirements:
Figure 01: 3 tiers-design_PaloAltoNetworks
Under the module Application Security → Home → Projects →
Figure 02: UI-Manage-IAC-Tags_PaloAltoNetworks
You will be able to create a rule. A repository can only be part of one rule, so make sure it is not attached to different rules:
Figure 03: Edit-Tag-Rule_PaloAltoNetworks
Suppose you want to mark this code as dedicated to your 3-tier application, using the tag “Key: ApplicationTags” and “Value: AppDNA”.
If you want to apply this rule to only part of the repository, you can restrict it to resources that already have a certain tag. In this case, the repository has 3 folders (3tiersapp, appdna & attackpaths). The goal is to have the ApplicationTags tag with a value corresponding to the environment of these applications.
Once the rule is configured, during the next automatic scan of your repository (there are 2 per day), Prisma Cloud will create a Pull Request in your VCS.
Figure 04: GitHub-PR_PaloAltoNetworks.jpg
Tags will be applied to all resources that can be tagged.
Figure 05: PR-Modification_PaloAltoNetworks
Figure 06: git-pull-CLI_PaloAltoNetworks
Figure 07: Terraform-Code_PaloAltoNetworks
Now you can apply your modification to your CSP with:
Figure 08: Terraform-CLI_PaloAltoNetworks
Figure 09: AWS-Console-modification_PaloAltoNetworks
To summarize what you did:
1) Onboard your repository with AWS IAC TF Code.
2) Create an application security tag rule.
3) Prisma Cloud creates Pull Request.
4) You can pull our new code locally.
5) You can deploy it to AWS with Terraform.
6) Prisma will now ingest new tags.
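A check you could run between steps 4 and 5, to confirm that every taggable resource will carry the ApplicationTags tag before you deploy. This is an added example, not code from the original article or from Prisma Cloud. It assumes the plan has been exported with `terraform show -json`, and the embedded plan and its resource names are constructed for illustration.

```python
import json

# Constructed sample, trimmed to the fields used, in the shape of
# `terraform show -json <planfile>` output. Resource names are made up.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
 {"address": "aws_instance.web", "change": {"actions": ["update"],
   "after": {"tags": {"Name": "web", "ApplicationTags": "AppDNA"}}}},
 {"address": "aws_s3_bucket.logs", "change": {"actions": ["create"],
   "after": {"tags": {"Name": "logs"}}}},
 {"address": "aws_db_instance.db", "change": {"actions": ["no-op"],
   "after": {"tags": null}}},
 {"address": "aws_security_group.app", "change": {"actions": ["update"],
   "after": {"tags": {"ApplicationTags": "appdna"}}}},
 {"address": "aws_iam_role_policy_attachment.ro", "change": {"actions": ["create"],
   "after": {"role": "app-role"}}},
 {"address": "aws_ebs_volume.old", "change": {"actions": ["delete"], "after": null}}
]}
""")


def audit_tags(plan, key="ApplicationTags", expected="AppDNA"):
    """Return {resource address: problem} for taggable resources that would
    not carry key=expected once the plan is applied."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after")
        unknown = change.get("after_unknown") or {}
        if after is None:                      # resource is being destroyed
            continue
        if unknown.get("tags") is True:        # value only known after apply
            findings[rc["address"]] = "tags unknown until apply"
            continue
        if "tags" not in after:                # resource type has no tags argument
            continue
        tags = after["tags"] or {}             # null means no tags set
        if key not in tags:
            findings[rc["address"]] = "missing " + key
        elif tags[key] != expected:            # tag values are case-sensitive
            findings[rc["address"]] = "unexpected value %r" % tags[key]
    return findings


if __name__ == "__main__":
    for address, problem in sorted(audit_tags(SAMPLE_PLAN).items()):
        print(address, "->", problem)
```

An empty result means every taggable resource in the plan already has the expected tag; anything else is worth fixing in the repository before deploying.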
Figure 11: Dashboard-TagsUsage_PaloAltoNetworks
These applications will allow you to have a better view of your critical assets and prioritize efforts:
Figure 12: Inventory-TagsUsage_PaloAltoNetworks
It is possible to filter the evaluation of your resources against standards on a scope defined by your tags / ResourceList.
Alerts:
Figure 13: Compliance-Tags Usage_PaloAltoNetworks
This approach will greatly increase your visibility into your environment and also in Prisma Cloud.
On the Cloud side, you will be able to create scopes by tag and application according to your repositories.
You will also be able to benefit from this in Prisma Cloud, to help you consistently and effectively manage your most critical alerts. These tags will also free up your bandwidth to dedicate to more sensitive resources.
Mathieu Dalbès is a Prisma Cloud Customer Success Engineer who is an expert in all things related to Cloud architecture and automation. When not assisting customers with their Cloud infrastructure setup, one can find Mathieu participating in various sports or on a wakeboard.