How to Avoid "failed scanning ami" errors while scanning AWS AMI Images in Prisma Cloud?

Created On 12/07/21 12:10 PM - Last Modified 12/22/21 03:05 AM


Objective


  • When Prisma Cloud Console attempts to scan AWS AMI images, it may return the following error message after a couple of retries and a wait period.
"failed scanning ami {{AMI-ID aws AMI-NAME region account} []}: failed after 30 retries (): failed to find scan result 0 for {CloudMetadata:{ResourceID:AMI-ID Provider:aws Name:AMI-NAME Type: Region: AccountID:} Tags:[]}:"
  • To avoid such errors, this article intends to accomplish the following:
    • Outline some of the most common reasons behind failures when scanning AWS AMI Images in Prisma Cloud.
    • Provide a checklist of workarounds or solutions to address them.


Environment


  • Prisma Cloud Compute
  • AWS


Procedure


Confirm that the AMI in question is Supported

  • Prisma Cloud can scan Linux Amazon Machine Images (AMIs).
  • However, the following AMIs aren’t supported:
  1. Images that don’t use cloud-init for bootstrapping, such as Red Hat Enterprise Linux CoreOS (CoreOS for OpenShift). RHCOS uses Ignition.
  2. Images that use paravirtualization.
  3. Images that only support old TLS protocols (less than TLS 1.1) for utilities such as curl. For example, Ubuntu 12.10.

IAM Policy for Scanning

  • The service account Prisma Cloud uses to scan AMIs must have at least the following IAM policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PrismaCloudComputeAMIScanning",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeSecurityGroups",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RunInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": "*"
        }
    ]
}

VPC Selection

  • If the default VPC is selected in Prisma Cloud Console but no default VPC exists in AWS, the following error message may be encountered.
"Failed to perform VM scan: failed after 10 retries (2.224685131s): VPCIdNotSpecified: No default VPC for this user"
  • To resolve this error, recreate the default VPC in AWS: Create a default VPC
  • Note that, as per AWS documentation, a previously deleted default VPC cannot be restored, and an existing non-default VPC cannot be marked as a default VPC; a new default VPC has to be created instead.
  • Custom (non-default) VPCs are also supported. If you want the scanner VM instance to run in a custom VPC, specify its VPC ID in Console: Configure VM image scanning

Connectivity to Console

  • Access from the default/custom VPC to Console on the port used for Defender-to-Console communication (default 8084) must be allowed, so that the Defenders on the VMs created by Console can send scan results back.
  • If an Internet Gateway (IGW) is used for internet access, ensure that the VM instances involved in the scanning process have public IP addresses.
  • This can be addressed by enabling "auto-assign public IPv4 address" on the subnets in which the VM instances reside: Enable auto-assign public IPv4 address
  • New EC2 instances (new scanner VMs) launched after this setting is enabled will be able to establish connectivity to the Prisma Cloud Console and report back the scan results.

Deployment

AMI Image Name

  • Avoid blank spaces and double "/" in AMI Image Name.
  • Some examples of AMI Image Names that may run into scan failures are:
  1. Test.region.amazonaws.com//tss/test
  2. Test AMI
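A pre-flight check covering both the IAM policy section above and the AMI name rules in this section, added here as an example (it is not Palo Alto Networks code): it takes the JSON that `aws ec2 describe-images` and `aws iam get-policy-version` return and reports unsupported image properties and required IAM actions that the policy does not grant. The sample image records and policy below are constructed; `Name` and `VirtualizationType` are the real describe-images field names.

```python
import re
# Actions from the minimum IAM policy quoted in this article.
REQUIRED_ACTIONS = {
    "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress",
    "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:DeleteSecurityGroup",
    "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeSecurityGroups",
    "ec2:RevokeSecurityGroupEgress", "ec2:RunInstances", "ec2:TerminateInstances",
}

def check_image(image):
    """Problems found in one entry of the describe-images 'Images' list."""
    problems = []
    name = image.get("Name", "")
    if " " in name or "//" in name:
        problems.append(f"image name {name!r} contains a space or '//'")
    if image.get("VirtualizationType") != "hvm":
        problems.append("paravirtual image; only HVM images are supported")
    return problems

def missing_actions(policy):
    """Required actions that no Allow statement grants. IAM patterns may use '*'
    (so 'ec2:Describe*' covers 'ec2:DescribeImages') and match case-insensitively."""
    patterns = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    regexes = [re.compile(re.escape(p).replace(r"\*", ".*"), re.I) for p in patterns]
    return sorted(a for a in REQUIRED_ACTIONS if not any(r.fullmatch(a) for r in regexes))

# Constructed sample data in the shape of the AWS CLI output (not real AMIs).
SAMPLE_IMAGES = [
    {"ImageId": "ami-0000000000000001", "Name": "prisma-scan-test-ubuntu",
     "VirtualizationType": "hvm"},
    {"ImageId": "ami-0000000000000002", "Name": "Test.region.amazonaws.com//tss/test",
     "VirtualizationType": "paravirtual"},
]
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "ec2:AuthorizeSecurityGroup*", "ec2:CreateSecurityGroup",
               "ec2:CreateTags", "ec2:DeleteSecurityGroup", "ec2:RevokeSecurityGroupEgress",
               "ec2:TerminateInstances"],  # ec2:RunInstances deliberately left out
}]}

if __name__ == "__main__":
    for img in SAMPLE_IMAGES:
        print(img["ImageId"], check_image(img) or "ok")
    print("missing IAM actions:", missing_actions(SAMPLE_POLICY))
```

To run it against a real account, replace the sample data with the `Images` list from `aws ec2 describe-images --image-ids <ami-id>` and the policy document from `aws iam get-policy-version`.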

Note:

If the issue still persists, open a new case with Palo Alto Networks TAC Support and attach the Defender and Console logs as described here for further investigation: Debug data

