By Sriram Choudary Nimmagadda, Cloud Security Engineer

Introduction

This article walks you through configuring and running Prisma Cloud Azure VM Image Scan. Prisma Cloud supports three types of Azure images: Managed, Gallery, and Marketplace.

The Prisma Cloud Compute Console handles VM image scanning and does not require Prisma Cloud Defenders. The Prisma Cloud Console scans a VM image by launching or creating a VM instance that is running the VM image to be scanned. 

VM image scanning is essential for Security, Compliance and efficiency by:

• Identifying Security Vulnerabilities 

• Ensuring Compliance

• Preventing Deployment of Vulnerable Images 

• Maintaining System Integrity

Once the VM images have been scanned the results include:

1. Vulnerabilities

2. Compliance Information

3. Package Information

Supported Azure Image Types

Prisma Cloud supports scanning the following image types:

1. Marketplace images (publicly available images)

2. Managed (custom) images

3. Shared image galleries

4. Encrypted images

5. Azure Linux images

Prisma Cloud does not support the following image types:

1. Azure paid images

For the latest information on supported image types, refer to: 

Scan VM Images

Prerequisites

The service account Prisma Cloud uses to scan Azure images must have at least the following permissions:

 Prerequisites

To scan encrypted images, use the Azure Key Vault Crypto Service Encryption User built-in role.

If you have managed and gallery images limited to specific regions, Prisma Cloud skips the scan when the region defined in the scope doesn’t match the region defined for the image.

The permissions to an existing service principal can be updated or a new service principal can be created. The steps to accomplish creating the service principal are documented here:

 Create an Azure Service Principle

Configuring Azure Cloud Account with a Service Account 

For Enterprise Edition(SaaS) Go to Runtime Security>Manage>Cloud Accounts>Add Account and select Azure

Parameters:

1. Region Type: <Regular regions> 

2. Description: <Any_string>

3. Account Name: <Any string>

4. Service account: <COPY_THE_ABOVE_SERVICE_ACCOUNT_JSON> 

Figure 1:  Azure Account Config_PaloAltoNetworks

Click Next Disable Agentless scanning and Cloud Discovery
Click Save. 

Configuring Azure Images Scan

Go to Runtime Security> Defend > Vulnerabilities > Hosts > VM Images > Click "Add the first Item" if there is no policy, if there is a policy click "Add scope", it will pop-up a new windows for policy configuration 

Figure 2:  VM images scope_PaloAltoNetworks

Configure VM Image Scan Scope

The steps to Configure VM Image Scan Scope are:

Figure 3: Add new VM image scan scope_PaloAltoNetworks

1. Provider: Azure

2. Credential: select the credentials from the dropdown in  4. Configuring Azure Cloud account with a service account

3. Image type (Azure only) : Specify the relevant image type. Prisma Cloud supports three image types: 

1. Managed: custom, encrypted, Azure Linux

2. Gallery

3. Marketplace.

4. Images: Specify the VM images to scan. Leave * to scan all images.

5. Excluded VM images: Specify VM images to exclude from the scan. This field supports pattern matching.

6. Region: Specify the Region to Scan

7. Number of scanners:  default Value is  1 but you can choose the # of scanners per requirement.

8. Cap: on a per-scope basis. For example, if scope includes three images, AMI1, AMI2, and AMI3, and you set cap to 2, Prisma la Cloud scans only the two most recently modified images. To scan all VM images in scope, set cap to 0

9. Subnet resource ID:  Go to Azure Console>Virtual Networks and Sort by Resource Groups. Once you view the Json View should see see an ID with below format:

10. /subscriptions/$SUbscriptionID/resourceGroups/$ResourceGroupname/providers/Microsoft.Network/virtualNetworks/$VirtualNetworkNamesubnets/default

11. Instance type: Standard_D2s_v4 is selected as the default instance type to ensure images that require minimum instance type can be scanned.

12. CLICK ADD. This  should trigger automatic scanning of the image ACCORDING TO THE CONFIGURE POLICY RULES 

Checking Results for Azure VM Image Scan

Go to Monitor > Vulnerabilities> Hosts > VM Images and check the results 

You can filter with provider:Azure to check all the Results.

Figure 4: View VM image scan reports_PaloAltoNetworks

If you remove a VM image, or it becomes unavailable, Prisma Cloud maintains the scan results for 30 days. After 30 days, the scan results are automatically deleted. When a scan is canceled, it might take a few minutes for the scan to stop completely.

Conclusion

In this article, we showed you how to  Configure Azure VM Image scanning, including the process of configuring permissions on Azure Portal and the CLI. We covered supported Azure Image types for VM image scanning, Creating the service account with necessary permissions. Configuring Azure cloud account with a service account and Configuring VM image scan.

We showed that after successful configuration how to check the results for Azure VM Image scan.

References

[1]Scan VM Images

[2]VM image scanning

About the Author

Sriram Choudary Nimmagadda is a Cloud Security Engineer on the Prisma™ Cloud CSPM team, specializing in supporting all non-compute solutions for Prisma™ Cloud  AWS, Azure, GCP, OCI, and Alibaba.