Published on 06-26-2024 05:00 PM; edited on 11-01-2024 02:04 PM by RPrasadi
A common customer question is how to view host vulnerabilities in the Asset Inventory for each Cloud Service Provider. Host vulnerabilities are easy to find in the Runtime Security module by selecting Monitor - Vulnerabilities - Hosts; this article shows how to reach the same data from the Cloud Security side.
Most Cloud Service Providers have a managed Kubernetes offering: Azure has AKS, Google offers GKE, AWS has EKS, and Red Hat offers OpenShift. In this article we focus specifically on EKS. The container workloads of all of these managed offerings run on host machines, and those machines can carry their own vulnerabilities independent of the images running on them.
The Prisma Cloud Command Center (Figure 1) and Vulnerabilities (Figure 2) dashboards are the first high-level dashboards that provide visibility into vulnerabilities; their purpose is to surface the top issues by severity for hosts, images and repositories. To narrow the scope to EKS worker nodes only, the recommended path in Cloud Security is the Asset Inventory.
Figure 1: Command Center, Top Vulnerable Hosts
Figure 2: Vulnerabilities Overview Dashboard
The updated Asset Inventory (Figure 3) now displays host vulnerabilities that were previously available in the Compute module. We will also cover how to view vulnerabilities in your EKS worker nodes directly from the Asset Inventory and Asset explorer page.
Figure 3: Asset Inventory page showing assets with vulnerabilities
EKS worker nodes are ordinary EC2 instances, so any host vulnerabilities detected on them are reported in AWS against those EC2 assets rather than against the EKS service itself.
The easiest way to locate the EKS worker nodes in the Asset Inventory is to use Prisma Cloud's ability to filter cloud resources.
From Cloud Security, select Inventory and create a filter with the following values:
Cloud Type = AWS
Service Name = Amazon EC2
Asset Tag = Key: aws:eks:cluster-name
The example results are shown below in Figure 4.
Figure 4: Asset Inventory filter
Every EKS worker node is given several key-value tags automatically at launch. Below are a few keys I have found to be common across clusters that can be used to build filters identifying EKS worker nodes in the Prisma Cloud Asset Inventory; in our example we used the EKS cluster name, the 4th key below. Which keys are present depends on how the node group was provisioned: the alpha.eksctl.io/ keys are written by eksctl and the eks: keys by EKS managed node groups, while aws:ec2:fleet-id is an EC2 Fleet tag rather than an EKS-specific one and is therefore a weaker discriminator on its own.
These keys can also be seen in the AWS console as Tags on each EC2 instance that serves as a worker node.
"key": "alpha.eksctl.io/nodegroup-
"key": "eks:nodegroup-name",
"key": "aws:ec2:fleet-id",
"key": "aws:eks:cluster-name",
Figure 5 below shows a total of 48 cloud resources that match the search filter, 43 of which have vulnerabilities. Broken down by severity, 39 of those resources carry critical findings, 43 high, 43 medium and 41 low (a single resource is counted once for each severity it has).
Figure 5: Filtered cloud resources
Click the total number in the results from Figure 5 and you will be taken to the Asset Explorer page with the filters already applied, as shown in Figure 6 below.
Figure 6: Results from the total number of filtered assets
The results on the Asset Explorer page, seen in Figure 7 below, can be downloaded in CSV format and handed to the stakeholders responsible for the resources. The count of 48 on this page matches the count of filtered resources in Figure 5.
Figure 7: Filtered results for download
The downloaded CSV includes all of the fields, such as cloud account, resource name and resource ID. I have redacted some information in Figure 8 below, but keep in mind your download will contain much more.
Figure 8: Downloaded CSV report
Technically you could stop here, but if you want more detail about the vulnerabilities on the nodes, click the worker node name as shown in Figure 9.
Figure 9: Node with vulnerabilities filter
This opens a sidecar panel (Figure 10) that lists the finding types; click Vulnerabilities.
Figure 10: Sidecar with total vulnerabilities
The Vulnerabilities view displays more detail about the vulnerabilities on each host, including the CVE ID, the affected package, and the CVSS score, as shown in Figure 11.
Figure 11: Sidecar with vulnerability details
You can also download the sidecar contents as a CSV, as shown in Figure 12. The CSV download carries considerably more information about each vulnerability, such as the distro, CVE ID, package name and fix status.
Figure 12: Downloaded CSV example
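Once the per-host CSV is in hand, the useful step for stakeholders is triage: which hosts carry the most critical findings, which CVEs hit the whole node group, and which of the severe ones already have a fix. The script below is an added example and is not Prisma Cloud code; it parses a constructed CSV whose column names (Hostname, Distro, CVE ID, Package, Package Version, CVSS, Severity, Fix Status) are assumed for illustration, so adjust them to match the header of your own export. The CVE IDs in the sample rows are placeholders, not real advisories.

```python
"""Triage a per-host vulnerability CSV export (added example, not Prisma Cloud code).

The column names are assumptions about the export's header; the rows are constructed.
"""
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample with the fields the article mentions (distro, CVE ID,
# package name, CVSS, fix status). CVE IDs are placeholders, not real CVEs.
# The "N/A" row is deliberately malformed to show it is skipped, not counted.
SAMPLE_CSV = """\
Hostname,Distro,CVE ID,Package,Package Version,CVSS,Severity,Fix Status
ip-10-0-1-10.ec2.internal,Amazon Linux 2,CVE-0000-0001,openssl,1.0.2k-24,9.8,critical,fixed in 1.0.2k-25
ip-10-0-1-10.ec2.internal,Amazon Linux 2,CVE-0000-0002,kernel,5.10.184,7.8,high,fixed in 5.10.186
ip-10-0-1-10.ec2.internal,Amazon Linux 2,CVE-0000-0003,curl,7.79.1,5.3,medium,
ip-10-0-1-11.ec2.internal,Amazon Linux 2,CVE-0000-0001,openssl,1.0.2k-24,9.8,critical,fixed in 1.0.2k-25
ip-10-0-1-11.ec2.internal,Amazon Linux 2,CVE-0000-0004,glibc,2.26-62,4.0,low,
ip-10-0-1-11.ec2.internal,Amazon Linux 2,N/A,unknown,0,0.0,low,
"""

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def load_findings(csv_text):
    """Parse the export into dicts with normalised types.

    Rows whose CVE ID is not well-formed are skipped so they cannot inflate counts.
    An empty Fix Status means no fix is available yet.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cve = row["CVE ID"].strip()
        if not CVE_RE.match(cve):
            continue
        fix = row["Fix Status"].strip()
        findings.append({
            "host": row["Hostname"].strip(),
            "distro": row["Distro"].strip(),
            "cve": cve,
            "package": row["Package"].strip(),
            "version": row["Package Version"].strip(),
            "cvss": float(row["CVSS"]),
            "severity": row["Severity"].strip().lower(),
            "fix": fix,
            "fix_available": bool(fix),
        })
    return findings


def severity_counts_per_host(findings):
    """{host: {severity: count}} so the worst hosts can be ranked."""
    counts = defaultdict(Counter)
    for f in findings:
        counts[f["host"]][f["severity"]] += 1
    return {host: dict(c) for host, c in counts.items()}


def fixable(findings, min_cvss=7.0):
    """Findings at or above min_cvss that already have a fix, highest CVSS first.

    These are the quick wins: a package upgrade closes them without waiting on a vendor.
    """
    rows = [f for f in findings if f["fix_available"] and f["cvss"] >= min_cvss]
    return sorted(rows, key=lambda f: (-f["cvss"], f["host"], f["cve"]))


def hosts_affected_per_cve(findings):
    """CVE -> number of distinct hosts affected; fleet-wide issues sort first."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f["cve"]].add(f["host"])
    return {cve: len(h) for cve, h in sorted(hosts.items(), key=lambda kv: -len(kv[1]))}


if __name__ == "__main__":
    findings = load_findings(SAMPLE_CSV)
    print("per host:", severity_counts_per_host(findings))
    print("hosts per CVE:", hosts_affected_per_cve(findings))
    for f in fixable(findings):
        print(f"{f['host']}: {f['cve']} {f['package']} {f['version']} -> {f['fix']}")
```

The three views answer the questions a node-group owner will actually ask: which nodes to rotate first, whether a single CVE explains most of the findings across the cluster, and which high-severity items are closed by simply rebuilding the nodes on a newer AMI.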
You can also use the Prisma Cloud Resource Query Language (RQL) to gain visibility into the EKS worker nodes.
Bonus TIP!
Here is how to use RQL to list all EKS worker nodes in a specific cloud account. In Prisma Cloud, select Cloud Security, then Investigate, type or paste the RQL query below, and press Search. See Figure 13.
Figure 13: Investigate page
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-instances' AND json.rule = tags[*].key contains "eks:cluster-name"
The query returns every AWS EC2 instance that has a tag key containing eks:cluster-name, as shown in Figure 14. Note that json.rule uses a substring match, so the query matches both the eks:cluster-name tag and the aws:eks:cluster-name tag used in the Asset Inventory filter earlier.
Figure 14: RQL query used to show nodes with a tag
Clicking an asset name in the results opens the same sidecar shown in Figure 11 above.
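Both the Asset Inventory filter (Asset Tag key aws:eks:cluster-name) and the RQL query above come down to the same rule: keep the EC2 instances whose tag keys contain eks:cluster-name. The script below is an added example, not Prisma Cloud or AWS code, that reproduces that rule offline against a constructed payload in the shape of aws ec2 describe-instances output, groups the matches by cluster and node group, and flags instances that carry only eksctl's alpha.eksctl.io/ tags and so would be missed by the filter. The instance IDs, cluster names and the assumption that a particular node has only eksctl tags are all constructed for illustration.

```python
"""Reproduce the article's EKS worker-node filter offline (added example, not Prisma Cloud code).

Mirrors: json.rule = tags[*].key contains "eks:cluster-name"
Input shape: `aws ec2 describe-instances` JSON. All data below is constructed.
"""
import json
from collections import defaultdict

# Constructed sample. Whether a real node carries eks:* tags depends on how its
# node group was provisioned; i-0ccc333 is assumed to have only eksctl tags.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111", "Tags": [
                {"Key": "aws:eks:cluster-name", "Value": "prod-eks"},
                {"Key": "eks:cluster-name", "Value": "prod-eks"},
                {"Key": "eks:nodegroup-name", "Value": "prod-ng-1"},
            ]},
            {"InstanceId": "i-0bbb222", "Tags": [
                {"Key": "eks:cluster-name", "Value": "prod-eks"},
                {"Key": "eks:nodegroup-name", "Value": "prod-ng-2"},
            ]},
            # Assumed eksctl-only node: no eks:* keys, so the filter misses it.
            {"InstanceId": "i-0ccc333", "Tags": [
                {"Key": "alpha.eksctl.io/cluster-name", "Value": "dev-eks"},
                {"Key": "alpha.eksctl.io/nodegroup-name", "Value": "dev-ng"},
            ]},
            # Ordinary EC2 instance that is not a worker node.
            {"InstanceId": "i-0ddd444", "Tags": [{"Key": "Name", "Value": "bastion"}]},
            # Untagged instance: the Tags field is absent entirely.
            {"InstanceId": "i-0eee555"},
        ]}
    ]
})


def tag_map(instance):
    """Return {key: value} for an instance's tags; a missing Tags field gives {}."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def matches_rql(tags, needle="eks:cluster-name"):
    """Same semantics as the RQL: a substring match on each tag key.

    Both "eks:cluster-name" and "aws:eks:cluster-name" satisfy it.
    """
    return any(needle in key for key in tags)


def find_eks_nodes(describe_json, needle="eks:cluster-name"):
    """Return {cluster_name: [(instance_id, nodegroup), ...]} for matching instances."""
    data = json.loads(describe_json)
    nodes = defaultdict(list)
    for reservation in data["Reservations"]:
        for inst in reservation["Instances"]:
            tags = tag_map(inst)
            if not matches_rql(tags, needle):
                continue
            cluster = (tags.get("aws:eks:cluster-name")
                       or tags.get("eks:cluster-name")
                       or "<unknown>")
            nodegroup = tags.get("eks:nodegroup-name", "<unknown>")
            nodes[cluster].append((inst["InstanceId"], nodegroup))
    return dict(nodes)


def unmatched_eksctl_nodes(describe_json):
    """Instances with eksctl tags but no key matching the filter: the blind spot to check."""
    data = json.loads(describe_json)
    missed = []
    for reservation in data["Reservations"]:
        for inst in reservation["Instances"]:
            tags = tag_map(inst)
            if not matches_rql(tags) and any(k.startswith("alpha.eksctl.io/") for k in tags):
                missed.append(inst["InstanceId"])
    return missed


if __name__ == "__main__":
    print(json.dumps(find_eks_nodes(SAMPLE_DESCRIBE_INSTANCES), indent=2))
    print("missed by the eks:cluster-name filter:",
          unmatched_eksctl_nodes(SAMPLE_DESCRIBE_INSTANCES))
```

Running the second function against your own describe-instances output before you trust the inventory count is a cheap check that the tag-based filter is not silently excluding self-managed node groups; if it reports instances, add a second filter on the alpha.eksctl.io/cluster-name key.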
This article walked through the steps to view host vulnerabilities on your AWS EKS worker nodes directly from the Asset Inventory and Asset Explorer pages.
We used filters in the Asset Inventory to view vulnerability data that is normally displayed in Compute. The Asset Explorer is another way to gain visibility into your environment, and its output can be downloaded and handed to stakeholders to take action and remediate.
Prisma Cloud Dashboards -- Asset Inventory
Mark Davis is a Customer Success Engineer on the Prisma Cloud team, specializing in solving enterprise customer questions by empowering the customers with knowledge and guidance in protecting cloud resources and workloads.