41 changes: 27 additions & 14 deletions admin_guide/vulnerability_management/vm_image_scanning.adoc
@@ -9,27 +9,40 @@ RHCOS uses Ignition.
* Images that use paravirtualization.
* Images that only support old TLS protocols (less than TLS 1.1) for utilities such as curl.
For example, Ubuntu 12.10.
* Encrypted images.


=== Prerequisites

The service account Prisma Cloud uses to scan VM images must have the following permissions:

* ec2:CreateSecurityGroup
* ec2:DescribeSecurityGroup
* ec2:RevokeSecurityGroupEgress
* ec2:AuthorizeSecurityGroupIngress
* ec2:DeleteSecurityGroup
* ec2:RunInstances
* ec2:DescribeInstances
* ec2:TerminateInstances

NOTE: Prisma Cloud cannot scan encrypted AMIs.

The service account Prisma Cloud uses to scan AMIs must have at least the following policy:
----
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeSecurityGroups",
"ec2:CreateSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DeleteSecurityGroup",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:RunInstances",
"ec2:CreateTags",
"ec2:TerminateInstances"
],
"Resource": "*"
}
]
}
----

=== Deployment

VM image scanning is handled by the Console. Prisma Cloud’s Console scans a VM image by creating a _VM instance_, which is running the VM image to be scanned.
VM image scanning is handled by the Console. Prisma Cloud’s Console scans a VM image by creating a VM instance which is running the VM image to be scanned.
When you configure Prisma Cloud to scan VM images, you can define the number of scanners to use. Defining more than one scanner means that the Console will create a number of VM instances to scan multiple VM images simultaneously.
For scanning large numbers of VM images, increase the number of scanners to improve throughput and reduce scan time.

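Review bot: the new policy grants every action, including `ec2:RunInstances` and `ec2:TerminateInstances`, on `"Resource": "*"`, while the sentence above the block calls it the minimum without saying why the wildcard is required; add a sentence stating which actions genuinely need `*` and, since `ec2:CreateTags` is now in the list, note that readers can scope the instance and security-group actions to resources carrying the scanner's own tag through a tag condition. Two smaller points in the same hunk: the added `NOTE: Prisma Cloud cannot scan encrypted AMIs.` repeats the `* Encrypted images.` bullet in the unsupported-images list a few lines earlier, so one of the two can go; and the rewritten Deployment sentence drops the comma and reads awkwardly, so prefer `creating a VM instance that runs the VM image to be scanned`. On the plus side, the policy replaces `ec2:DescribeSecurityGroup` from the deleted bullet list with the correct action name `ec2:DescribeSecurityGroups`.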