- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
This article walks you through configuring and running Prisma Cloud Azure VM Image Scan. Prisma Cloud supports three types of Azure images: Managed, Gallery, and Marketplace.
The Prisma Cloud Compute Console handles VM image scanning and does not require Prisma Cloud Defenders. The Prisma Cloud Console scans a VM image by launching or creating a VM instance that is running the VM image to be scanned.
VM image scanning is essential for Security, Compliance and efficiency by:
Identifying Security Vulnerabilities
Ensuring Compliance
Preventing Deployment of Vulnerable Images
Maintaining System Integrity
Once the VM images have been scanned the results include:
Vulnerabilities
Compliance Information
Package Information
Prisma Cloud supports scanning the following image types:
Marketplace images (publicly available images)
Managed (custom) images
Shared image galleries
Encrypted images
Azure Linux images
Prisma Cloud does not support the following image types:
Azure paid images
For the latest information on supported image types, refer to:
The service account Prisma Cloud uses to scan Azure images must have at least the following permissions:
To scan encrypted images, use the Azure Key Vault Crypto Service Encryption User built-in role.
If you have managed and gallery images limited to specific regions, Prisma Cloud skips the scan when the region defined in the scope doesn’t match the region defined for the image.
The permissions to an existing service principal can be updated or a new service principal can be created. The steps to accomplish creating the service principal are documented here:
Create an Azure Service Principle
For Enterprise Edition(SaaS) Go to Runtime Security>Manage>Cloud Accounts>Add Account and select Azure
Parameters:
Region Type: <Regular regions>
Description: <Any_string>
Account Name: <Any string>
Service account: <COPY_THE_ABOVE_SERVICE_
Figure 1: Azure Account Config_PaloAltoNetworks
Click Next Disable Agentless scanning and Cloud Discovery
Click Save.
Go to Runtime Security> Defend > Vulnerabilities > Hosts > VM Images > Click "Add the first Item" if there is no policy, if there is a policy click "Add scope", it will pop-up a new windows for policy configuration
Figure 2: VM images scope_PaloAltoNetworks
Configure VM Image Scan Scope
The steps to Configure VM Image Scan Scope are:
Figure 3: Add new VM image scan scope_PaloAltoNetworks
Provider: Azure
Credential: select the credentials from the dropdown in 4. Configuring Azure Cloud account with a service account
Image type (Azure only) : Specify the relevant image type. Prisma Cloud supports three image types:
Managed: custom, encrypted, Azure Linux
Gallery
Marketplace.
Images: Specify the VM images to scan. Leave * to scan all images.
Excluded VM images: Specify VM images to exclude from the scan. This field supports pattern matching.
Region: Specify the Region to Scan
Number of scanners: default Value is 1 but you can choose the # of scanners per requirement.
Cap: on a per-scope basis. For example, if scope includes three images, AMI1, AMI2, and AMI3, and you set cap to 2, Prisma la Cloud scans only the two most recently modified images. To scan all VM images in scope, set cap to 0
Subnet resource ID: Go to Azure Console>Virtual Networks and Sort by Resource Groups. Once you view the Json View should see see an ID with below format:
/subscriptions/$
Instance type: Standard_D2s_v4 is selected as the default instance type to ensure images that require minimum instance type can be scanned.
CLICK ADD. This should trigger automatic scanning of the image ACCORDING TO THE CONFIGURE POLICY RULES
Go to Monitor > Vulnerabilities> Hosts > VM Images and check the results
You can filter with provider:Azure to check all the Results.
Figure 4: View VM image scan reports_PaloAltoNetworks
If you remove a VM image, or it becomes unavailable, Prisma Cloud maintains the scan results for 30 days. After 30 days, the scan results are automatically deleted. When a scan is canceled, it might take a few minutes for the scan to stop completely.
In this article, we showed you how to Configure Azure VM Image scanning, including the process of configuring permissions on Azure Portal and the CLI. We covered supported Azure Image types for VM image scanning, Creating the service account with necessary permissions. Configuring Azure cloud account with a service account and Configuring VM image scan.
We showed that after successful configuration how to check the results for Azure VM Image scan.
Sriram Choudary Nimmagadda is a Cloud Security Engineer on the Prisma™ Cloud CSPM team, specializing in supporting all non-compute solutions for Prisma™ Cloud AWS, Azure, GCP, OCI, and Alibaba.