Prisma Cloud Azure VM image Scanning


By Sriram Choudary Nimmagadda, Cloud Security Engineer

 

 

This article walks you through configuring and running Prisma Cloud Azure VM Image Scan. Prisma Cloud supports three types of Azure images: Managed, Gallery, and Marketplace.

 

The Prisma Cloud Compute Console handles VM image scanning and does not require Prisma Cloud Defenders. The Console scans a VM image by launching (creating) a VM instance that runs the image to be scanned.

 

VM image scanning supports security, compliance and operational efficiency by:

  • Identifying security vulnerabilities

  • Ensuring compliance

  • Preventing deployment of vulnerable images

  • Maintaining system integrity

 

Once the VM images have been scanned the results include:

  1. Vulnerabilities

  2. Compliance Information

  3. Package Information

 

Supported Azure Image Types

 

Prisma Cloud supports scanning the following image types:

  1. Marketplace images (publicly available images)

  2. Managed (custom) images

  3. Shared image galleries

  4. Encrypted images

  5. Azure Linux images

 

Prisma Cloud does not support the following image types:

  1. Azure paid images

 

For the latest information on supported image types, refer to the Prisma Cloud documentation:

Scan VM Images

 

Prerequisites

 

The service account Prisma Cloud uses to scan Azure images must have at least the permissions listed under Prerequisites in the Prisma Cloud documentation:

 Prerequisites

 

To scan encrypted images, use the Azure Key Vault Crypto Service Encryption User built-in role.

 

If you have managed and gallery images limited to specific regions, Prisma Cloud skips the scan when the region defined in the scope doesn’t match the region defined for the image.

 

You can either update the permissions of an existing service principal or create a new one. The steps to create the service principal are documented here:

 Create an Azure Service Principal

 

Configuring Azure Cloud Account with a Service Account 

 

For Enterprise Edition (SaaS), go to Runtime Security > Manage > Cloud Accounts > Add Account and select Azure.

 

Parameters:

  1. Region Type: <Regular regions> 

  2. Description: <Any_string>

  3. Account Name: <Any string>

  4. Service account: paste the service account JSON generated when you created the service principal

 

 

Figure 1:  Azure Account Config_PaloAltoNetworks

 

Click Next, disable Agentless scanning and Cloud Discovery, then click Save.

 

Configuring Azure Images Scan

 

Go to Runtime Security > Defend > Vulnerabilities > Hosts > VM Images. Click "Add the first item" if no policy exists yet, or "Add scope" if one does; a new window opens for the scope configuration.

 

     


Figure 2:  VM images scope_PaloAltoNetworks

            

Configure VM Image Scan Scope

The steps to Configure VM Image Scan Scope are:

 


Figure 3: Add new VM image scan scope_PaloAltoNetworks

 

  1. Provider: Azure

  2. Credential: select from the dropdown the credentials you added in Configuring Azure Cloud Account with a Service Account

  3. Image type (Azure only): specify the relevant image type. Prisma Cloud supports three image types:

    1. Managed: custom, encrypted, Azure Linux

    2. Gallery

    3. Marketplace.

  4. Images: Specify the VM images to scan. Leave * to scan all images.

  5. Excluded VM images: Specify VM images to exclude from the scan. This field supports pattern matching.

  6. Region: Specify the Region to Scan

  7. Number of scanners: the default value is 1; choose the number of scanners your requirements call for.

  8. Cap: applies on a per-scope basis. For example, if the scope includes three images, AMI1, AMI2 and AMI3, and you set the cap to 2, Prisma Cloud scans only the two most recently modified images. To scan all VM images in scope, set the cap to 0.

  9. Subnet resource ID: in the Azure portal go to Virtual Networks, sort by resource group, open the virtual network and its JSON View; you should see a subnet ID with the following format:
     /subscriptions/$SubscriptionID/resourceGroups/$ResourceGroupName/providers/Microsoft.Network/virtualNetworks/$VirtualNetworkName/subnets/default

  10. Instance type: Standard_D2s_v4 is selected as the default instance type so that images that require a minimum instance size can still be scanned.

  11. Click Add. This triggers automatic scanning of the images according to the configured policy rules.
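The Subnet resource ID is the scope field most often pasted incorrectly (a common slip is pasting the virtual network's own ID instead of the subnet's). The following helper, an added example and not part of Prisma Cloud or this article, pulls the named subnet's ID out of a virtual network's JSON View and checks it against the format shown above; the subscription GUID and resource names in the sample are constructed placeholders.

```python
import re

# Layout of an Azure subnet resource ID, as described for the
# "Subnet resource ID" field of a VM image scan scope. Azure treats
# resource IDs case-insensitively, so the pattern does too.
SUBNET_ID_RE = re.compile(
    r"^/subscriptions/(?P<subscription>[0-9a-f-]{36})"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.Network"
    r"/virtualNetworks/(?P<vnet>[^/]+)"
    r"/subnets/(?P<subnet>[^/]+)$",
    re.IGNORECASE,
)

def parse_subnet_id(resource_id: str) -> dict:
    """Split a subnet resource ID into its parts, or raise ValueError
    with a hint for the most common mistake (pasting the VNet's own ID)."""
    m = SUBNET_ID_RE.match(resource_id.strip())
    if m:
        return m.groupdict()
    if re.search(r"/virtualNetworks/[^/]+$", resource_id, re.IGNORECASE):
        raise ValueError("this is a virtual network ID; append /subnets/<name>")
    raise ValueError("not an Azure subnet resource ID")

def subnet_id_from_vnet_json(vnet_json: dict, subnet_name: str = "default") -> str:
    """Pick the named subnet's ID out of a virtual network's JSON view
    ('properties.subnets') and validate it before it goes into the scope."""
    for subnet in vnet_json.get("properties", {}).get("subnets", []):
        if subnet.get("name", "").lower() == subnet_name.lower():
            parse_subnet_id(subnet["id"])  # raises on an unexpected layout
            return subnet["id"]
    raise KeyError(f"no subnet named {subnet_name!r} in the virtual network JSON")

# Constructed sample shaped like the portal's JSON View; the subscription
# GUID and names are placeholders, not real resources.
_VNET = ("/subscriptions/00000000-0000-0000-0000-000000000000"
         "/resourceGroups/rg-scanners/providers/Microsoft.Network"
         "/virtualNetworks/vnet-scan")
SAMPLE_VNET_JSON = {
    "name": "vnet-scan",
    "id": _VNET,
    "properties": {
        "subnets": [
            {"name": "default", "id": _VNET + "/subnets/default"},
            {"name": "AzureBastionSubnet", "id": _VNET + "/subnets/AzureBastionSubnet"},
        ]
    },
}
```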

 

Checking Results for Azure VM Image Scan

 

Go to Monitor > Vulnerabilities > Hosts > VM Images and check the results.

Filter with provider:Azure to see all Azure results.

 

Figure 4: View VM image scan reports_PaloAltoNetworks

 

If you remove a VM image, or it becomes unavailable, Prisma Cloud maintains the scan results for 30 days. After 30 days, the scan results are automatically deleted. When a scan is canceled, it might take a few minutes for the scan to stop completely.

 

Conclusion

 

In this article, we showed how to configure Azure VM image scanning, including configuring permissions in the Azure Portal and the CLI. We covered the Azure image types supported for VM image scanning, creating the service account with the necessary permissions, configuring an Azure cloud account with that service account, and configuring the VM image scan scope.

We then showed how to check the results of an Azure VM image scan after a successful configuration.

 

References

 

[1] Scan VM Images

[2] VM image scanning

 

About the Author

 

Sriram Choudary Nimmagadda is a Cloud Security Engineer on the Prisma™ Cloud CSPM team, specializing in supporting all non-compute solutions for Prisma™ Cloud: AWS, Azure, GCP, OCI, and Alibaba.

Last Updated: 09-27-2024 03:03 PM