How to set up Serverless function scanning in Prisma Cloud Compute

Created On 12/15/21 20:24 PM - Last Modified 12/06/22 01:08 AM


Objective


The objective of this article is to show you how to set up Serverless function scanning in Prisma Cloud Compute.

Environment


  • Prisma Cloud Compute SaaS version
  • Prisma Cloud Compute Self-Hosted version 22.01 and above


Procedure


Follow these steps to create a policy in AWS for Serverless function scanning:
  1. Search for IAM in the AWS console search bar.
  2. Select Policies from the Access Management options list on the left-hand side.
  3. Select Add Policy.
  4. Select the JSON tab and paste the following JSON to create the policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PrismaCloudComputeServerlessAutoProtect",
            "Effect": "Allow",
            "Action": [
                "iam:SimulatePrincipalPolicy",
                "iam:ListAttachedRolePolicies",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:ListRolePolicies",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:GetLayerVersion",
                "lambda:ListFunctions",
                "lambda:PublishLayerVersion",
                "lambda:UpdateFunctionConfiguration",
                "lambda:ListLayerVersions",
                "lambda:ListLayers",
                "lambda:DeleteLayerVersion",
                "kms:decrypt"
            ],
            "Resource": "*"
        }
    ]
}
  5. Once the policy is created, go to the IAM user to whom you want to attach it.
  6. After selecting that user, click the Add Permissions button.
  7. Select the Attach existing policies directly tab.
  8. Search for the policy you created in step 4 and attach it to the user.
  9. Go to the Prisma Cloud Compute console.
  10. Go to the following path:
Defend > Vulnerabilities > Functions > Functions
  11. Click the Add the first item button.
  12. Add the credentials of the AWS service user.
  13. Once the scope is added, click the green Save button.
  14. Go to the following path to view the results of the Serverless function scan:
Monitor > Vulnerabilities > Functions > Scanned functions
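As an added check before step 5 (this script is not from the article or from Prisma Cloud; the names ARTICLE_ACTIONS, build_policy and audit_policy are mine), the following Python audits a policy document before it is attached: it confirms the action set matches the article's list regardless of letter case, and reports the write-capable Lambda actions the policy carries and the wildcard Resource, so a reviewer sees exactly what the service user can do beyond reading.

```python
import json

# Action list exactly as in the article's policy (IAM matches action names
# case-insensitively, so "kms:decrypt" and "kms:Decrypt" are equivalent).
ARTICLE_ACTIONS = [
    "iam:SimulatePrincipalPolicy", "iam:ListAttachedRolePolicies", "iam:GetPolicy",
    "iam:GetPolicyVersion", "iam:ListRolePolicies", "iam:GetRole", "iam:GetRolePolicy",
    "lambda:GetFunction", "lambda:GetFunctionConfiguration", "lambda:GetLayerVersion",
    "lambda:ListFunctions", "lambda:PublishLayerVersion",
    "lambda:UpdateFunctionConfiguration", "lambda:ListLayerVersions",
    "lambda:ListLayers", "lambda:DeleteLayerVersion", "kms:decrypt",
]
# Lower-cased operation-name prefixes that only read; anything else can change
# state (publishing a layer, updating or deleting function configuration).
READ_PREFIXES = ("get", "list", "describe", "simulate", "decrypt")

def build_policy(actions, sid="PrismaCloudComputeServerlessAutoProtect"):
    """Return a policy document (JSON text) in the same shape as the article's."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": sid, "Effect": "Allow", "Action": list(actions), "Resource": "*"}]})

def audit_policy(policy_text, required=ARTICLE_ACTIONS):
    """Diff the Allow statements of a policy against the expected action set.
    Returns missing and unexpected actions, the write-capable actions granted,
    and whether any Allow statement uses Resource "*"."""
    doc = json.loads(policy_text)
    granted, wildcard = set(), False
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        granted.update([acts] if isinstance(acts, str) else acts)
        res = stmt.get("Resource", [])
        wildcard = wildcard or "*" in ([res] if isinstance(res, str) else res)
    want = {a.lower(): a for a in required}   # case-insensitive comparison
    have = {a.lower(): a for a in granted}
    return {
        "missing": {want[k] for k in want.keys() - have.keys()},
        "extra": {have[k] for k in have.keys() - want.keys()},
        "write_actions": {a for a in granted
                          if not a.partition(":")[2].lower().startswith(READ_PREFIXES)},
        "wildcard_resource": wildcard,
    }

if __name__ == "__main__":
    # Audit the article's own policy; expect no missing/extra actions,
    # three write-capable lambda actions and a wildcard resource.
    print(audit_policy(build_policy(ARTICLE_ACTIONS)))
```

To audit a policy you already saved, pass the file contents to audit_policy instead of the output of build_policy.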


Additional Information


Refer to the Prisma Cloud Compute documentation on Serverless function scanning for further details.

Note for SaaS version users:
IAM roles cannot be used for Prisma Cloud serverless scanning because, in the Enterprise Edition, the Console is not hosted within AWS; the scan must use the credentials of an AWS IAM user, as described in the procedure above.

