Hello everyone and welcome to another episode of PANCast. Today I am going to introduce you to a very interesting and powerful feature of Prisma Cloud Compute. Have you ever thought about defending your hosts with just one click in your cloud environment? What I am going to share today is definitely gonna help you with that! No time to waste, now let’s get started with “Agentless”!
So what is Agentless scan and why should you use it?
As the name suggests, agentless scan enables you to protect hosts in the cloud without the multiple installation hassle which can be the worst nightmare for all the Cloud Administrators out there. Basically agentless will discover all supported cloud hosts in AWS, Azure or GCP to initiate scans for all of them automatically once you click on the “Agentless Scan” button. Doesn’t it sound amazing and easy? Because we all know that installing defenders on every host usually takes a lot of time and energy, this is exactly why agentless scanning is here to make life much easier.
Now you must be wondering, if a defender is not installed, then how does agentless scanning work to protect your environments such as AWS, Azure and GCP? Now let’s dig in a little bit deeper to get this question answered! Agentless scanning indeed doesn’t require manually installing defenders on all of your cloud hosts, this is the true beauty of it. So how it does scanning is by spinning up another scanner instance inside your cloud account, and it will automatically equip with our best friend twistcli which is a very useful tool to process the scan. After this, a working scanner instance is spun up and ready to do all the protecting and scanning work for you. So in order to minimize the impact on your EC2 machines, agentless is not scanning directly on your EC2, instead Prisma Cloud Compute will create a snapshot of the EC2 machines in the cloud account and attach the snapshots to the scanner instance to process the scan. By this way agentless scan can keep the impact on the EC2 machines to the minimum! Hope by now you have a rough idea on how agentless scan works without installing agents manually.
So how should you configure to ensure Agentless is set up properly?
Let’s take an example, now you are a Prisma Cloud Compute administrator who wants to protect all the EC2 VMs in your company AWS account.
First step you need to do is to onboard your AWS account in Prisma Cloud in Monitor & Protect mode if you haven’t already done so. You might be using a self-hosted version, no worries here, you just need to make sure you have enough permissions to create service keys and security groups in your cloud account.
Now that your cloud account is onboarded. What’s next? Remember we talked about how agentless scan will spin up a scanner instance in your AWS cloud account? In order for agentless to do that, the necessary permissions must be applied to the cloud account to be able to create instances, list them in your AWS, scan, and in the end terminate the scanner instance! Simple, right? If you are wondering where to find the permissions required for agentless, no worries we have it ready for you in our permission guide which I have attached in related articles.
Once cloud accounts and permissions are in place, we can start configuring agentless scan for the account on Prisma Cloud Compute web console! Here is something I would like to bring to your attention to make it clearer for you, agentless provides two ways of scanning for cloud accounts. First one is Same Account scanning, it basically means you are spinning up a scanner instance to scan all the hosts inside the same cloud account. Another one is Hub Account scanning, where you are scanning hosts in cloud account A, known as target account, and using the scanner instances in cloud account B, known as Hub account. So you can actually choose which mode suits you better in your case scenario. The detailed steps to configure agentless on console have been provided in the related articles section. You can follow the guide and we are good to complete the configuration! Time to manually trigger an agentless scan, just a simple click on cloud accounts page, your cloud account is protected now with agentless!
Well now that the scan has been started, you might be asking “where do I find the result of agentless scan?” Great question! In order to make it more convenient for you, the product has been designed in a way that all the hosts scan results are showing at the same location as where your agent-based scan results are. A click on Monitor page and you will get all the scan results from both agent-based and agentless scan. If you want to distinguish between agent-based and agentless scan results, we already have it covered for you. The hosts which are protected by agentless will show as scanned by agentless on the web console!
Now that you have details of what you can achieve with agentless scan. Let’s go through some scenarios you might run into with an example. Let’s say you currently have agentless configured and the scan has been initiated, however you are not seeing as many hosts as there are in your cloud environment. What could be happening here and what can you self-check? First please take note that certain types of EC2 are not supported by agentless scanning, such as Windows VMs, any environment where the OS filesystem is partitioned, and if you are scanning encrypted root volumes with a hub account in AWS, it is also not supported. Secondly please check if your cloud account has permissions to all the cloud resources in the specific region or in all the regions depending on how you configured agentless setting. Sometimes the permission might not be added for all the regions under the cloud account especially when you have a Service Control Policy in place. Last but not least, please check if you have enough credits for agentless scan. For credit consumption, I have also attached an official document for your reference.
Ok, we are reaching the end of this episode for agentless, I do hope you had a great time learning together with me.
Please remember the takeaways for this episode:
With the key points in mind, I wish you a pleasant journey with agentless scanning.
You can find the transcript and some useful links on live.paloaltonetworks.com under PANCast. Until next time.
Check out the full PANCast YouTube playlist: PANCast: Insights for Your Cybersecurity Journey.