How to set up Auto-defend hosts In Prisma Cloud Compute
Created On 04/15/22 21:40 PM - Last Modified 02/15/23 22:48 PM
Objective
The objective of this article is to describe how to set up host auto-defend for AWS EC2 instances so that they report to Prisma Cloud Compute.
Environment
- Self-Hosted Version 21.04 and above
- AWS Public Cloud Environment
Procedure
Please complete the following steps to implement host auto-defend:
1. SSH to the EC2 instance that you would like to add as an auto-defended host and make sure the SSM Agent is running by checking its status.
- For checking the SSM Agent status and starting the agent, please see the AWS document linked here.
2. Follow these steps to create a policy in AWS to add to the IAM role that lets Prisma Cloud automatically protect EC2 instances in your AWS account:
- Search for IAM in the search bar
- Select Policies from the Access Management list on the left-hand side
- Select Create Policy
- Select the JSON tab and paste the JSON policy found in the "Additional Information" section below to create the policy
3. Create an IAM role and attach both the policy created in step 2 and the AWS managed policy named "AmazonSSMManagedInstanceCore"
Note: In our example we use "ssmtest" as the role name and "prismatestssm" as the policy name
4. Attach the role to the EC2 instance by going to EC2 > Actions > Instance settings > Attach/Replace IAM Role
5. Add a host auto-defend rule: host auto-defend rules let you specify which hosts you want to protect. You can target a specific account by referencing the relevant credential or collection.
Note: Each auto-defend rule is evaluated separately
- Open the Compute Console and go to Manage > Defenders > Deploy > Host auto-defend
- Click Add Rule
- In the dialog, enter the following settings:
- Enter a rule name
- In Provider, only AWS is supported
- In Console, specify a DNS name or IP address that the installed Defender can use to connect back to Console after it is installed
- (Optional) In Scope, target the rule to specific hosts
- Create a new collection. Supported attributes are hosts, images, labels and account IDs
- The following example shows a collection based on host labels, in this case a label of "host_demo" with the value "centos"
- Specify the scanning scope
- Select or create credentials so Prisma Cloud can access your account, as described here
Note: The service account must have the minimum permissions specified here
- Click Add. The new rule appears in the table of rules
6. Apply the rule: by default, host auto-defend rules are evaluated every 24 hours. Click the Apply button to force a new scan.
Note: In the example screenshot, the "auto-defend-testgroup" rule discovered two EC2 instances and deployed two Defenders (2/2)
Additional Information
The following sections describe the minimum requirements to auto-defend hosts in AWS.
- AWS Systems Manager: Prisma Cloud uses AWS Systems Manager (formerly known as SSM) to deploy Defenders to instances. This means that:
- The SSM Agent must be installed on every instance.
- AWS Systems Manager must have permission to perform actions on each instance.
- To view all SSM managed instances, go to the AWS console
- SSM Agent: Prisma Cloud uses the SSM Agent to deploy the Host Defender on an instance. The SSM Agent must be installed before the Host Defenders are deployed. The SSM Agent is installed by default on the following distros:
- Amazon Linux
- Amazon Linux 2
- Amazon Linux 2 ECS-Optimized AMIs
- Ubuntu Server 16.04, 18.04, and 20.04
Note: For more information regarding the SSM Agent, please refer to the AWS document linked here
- The SSM Agent does not come installed out of the box on the following supported distributions. Ensure it is installed before proceeding:
- CentOS
- Debian Server
- Oracle Linux
- Red Hat Enterprise Linux
- SUSE Linux Enterprise Server
- IAM instance profile for Systems Manager: By default, AWS Systems Manager doesn’t have permission to perform actions on your instances. You must grant it access with an IAM instance profile:
- If you’ve used System Manager’s Quick Setup feature, assign the AmazonSSMManagedInstanceCore role to your instances.
- Prisma Cloud needs a service account with the following permissions to automatically protect EC2 instances in your AWS account. Add the following policy to an IAM user or role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeRegions",
        "ssm:SendCommand",
        "ssm:DescribeInstanceInformation",
        "ssm:ListCommandInvocations",
        "ssm:CancelCommand"
      ],
      "Resource": "*"
    }
  ]
}
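The following script is an added example and is not part of this article or of Prisma Cloud itself. It scripts steps 1 through 4 of the Procedure with the AWS CLI, using the article's own policy document above and its example names ("ssmtest", "prismatestssm"), and adds the two checks a practitioner wants before applying an auto-defend rule: that the instance is actually an SSM managed instance (PingStatus Online), and a preview of which running instances a collection scoped on the label host_demo=centos would match. The EC2 trust policy, the instance ID placeholder and the PRISMA_APPLY switch are assumptions of the example; an AWS CLI v2 profile with rights to create IAM policies and roles is assumed to be configured.

```shell
#!/usr/bin/env sh
# Added example (not from the Prisma Cloud article): automates steps 1-4 of the
# procedure and verifies SSM prerequisites. Assumes the AWS CLI is configured.
set -eu

ROLE_NAME="${ROLE_NAME:-ssmtest}"            # role name used in the article
POLICY_NAME="${POLICY_NAME:-prismatestssm}"  # policy name used in the article
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"  # placeholder, replace it

# The policy document from the article's Additional Information section.
prisma_policy_json() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": ["ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeRegions",
               "ssm:SendCommand", "ssm:DescribeInstanceInformation",
               "ssm:ListCommandInvocations", "ssm:CancelCommand"],
    "Resource": "*"
  }]
}
EOF
}

# Trust policy letting EC2 assume the role (required for an instance profile).
# Assumption of this example; the article creates the role in the console.
ec2_trust_policy_json() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Sanity check on an EC2 instance ID: "i-" plus 8 or 17 hex characters.
is_instance_id() {
  printf '%s' "$1" | grep -Eq '^i-[0-9a-f]{8}([0-9a-f]{9})?$'
}

# Step 1, run on the instance itself: is the SSM Agent service active?
# Amazon Linux/RHEL use the amazon-ssm-agent unit; Ubuntu ships it as a snap.
check_local_ssm_agent() {
  systemctl is-active amazon-ssm-agent 2>/dev/null \
    || systemctl is-active snap.amazon-ssm-agent.amazon-ssm-agent.service
}

# Steps 2-4: create the policy and role, attach both policies, wrap the role
# in an instance profile and associate it with the instance.
apply_iam_setup() {
  is_instance_id "$INSTANCE_ID" || { echo "invalid instance id" >&2; return 1; }
  account="$(aws sts get-caller-identity --query Account --output text)"
  aws iam create-policy --policy-name "$POLICY_NAME" \
      --policy-document "$(prisma_policy_json)"
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(ec2_trust_policy_json)"
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
      --policy-arn "arn:aws:iam::${account}:policy/${POLICY_NAME}"
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
      --policy-arn "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" \
      --role-name "$ROLE_NAME"
  aws ec2 associate-iam-instance-profile --instance-id "$INSTANCE_ID" \
      --iam-instance-profile "Name=${ROLE_NAME}"
}

# Auto-defend can only push a Defender to an instance that Systems Manager can
# reach; prints PingStatus, which should be "Online".
check_ssm_managed() {
  aws ssm describe-instance-information \
      --filters "Key=InstanceIds,Values=$1" \
      --query 'InstanceInformationList[0].PingStatus' --output text
}

# Preview the scope of a collection built on a host label (an EC2 tag), e.g.
# list_scope_instances host_demo centos
list_scope_instances() {
  aws ec2 describe-instances \
      --filters "Name=tag:$1,Values=$2" "Name=instance-state-name,Values=running" \
      --query 'Reservations[].Instances[].InstanceId' --output text
}

# Nothing calls AWS unless PRISMA_APPLY=1 is set, so the file is safe to source.
if [ "${PRISMA_APPLY:-0}" = "1" ]; then
  apply_iam_setup
  check_ssm_managed "$INSTANCE_ID"
  list_scope_instances host_demo centos
fi
```

Run it once with PRISMA_APPLY=1 INSTANCE_ID=<your instance> after checking the SSM Agent locally with check_local_ssm_agent on the instance; if check_ssm_managed does not report Online, fix the instance profile or agent before clicking Apply on the rule, since the rule will otherwise report fewer deployed Defenders than discovered instances.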