How to set up Auto-defend hosts In Prisma Cloud Compute

Created On 04/15/22 21:40 PM - Last Modified 02/15/23 22:48 PM


Objective


The objective of this article is to describe how to set up auto host defend for AWS EC2 instances so that the deployed Defenders report to Prisma Cloud Compute.


Environment


  • Self-Hosted Version 21.04 and above
  • AWS Public Cloud Environment


Procedure


Please complete the following steps to implement auto host defend:
  1. SSH to the EC2 instance that you would like to add as an auto-defended host and make sure the SSM Agent is running by checking its status
    1. For checking the SSM Agent status and starting the agent, please see the document mentioned here
Snapshot displaying the SSM Agent status using an SSH session to our AWS EC2 instance
 
  2. Follow these steps to create a policy in AWS to add to the IAM role that will automatically protect EC2 instances in your AWS account:
    1. Search for IAM in the search bar
    2. Select Policies from the Access Management list on the left-hand side
    3. Select Create Policy
    4. Select the JSON tab and paste the JSON policy found under step 3 ("IAM instance profile for Systems Manager") of the "Additional Information" section to create the policy
Snapshot displaying the JSON output within the AWS Policies Tab.
 
  3. Then create an IAM role and attach both the policy created in step 2 and the AWS managed policy named "AmazonSSMManagedInstanceCore"
Note: In our example we use "ssmtest" as the role name and "prismatestssm" as the policy name
Snapshot displaying the summary of the IAM role "ssmtest" in the AWS console, with two permissions policies attached: "prismatestssm" (Customer managed) and "AmazonSSMManagedInstanceCore" (AWS managed)
 
  4. Attach the role to the EC2 instance by going to EC2 > Actions > Instance settings > Attach/Replace IAM Role
 
Snapshot displaying the Instance Settings options within AWS
 
Snapshot displaying the Attach/Replace IAM Role dialog box within AWS

 
  5. Add a host auto-defend rule: Host auto-defend rules let you specify which hosts you want to protect. You can define a specific account by referencing the relevant credential or collection.
Note: Each auto-defend rule is evaluated separately
    1. Open Compute Console, and go to Manage > Defenders > Deploy > Host auto-defend
    2. Click Add Rule
    3. In the dialog, enter the following settings:
      • Enter a rule name
      • In Provider, only AWS is supported
      • In Console, specify a DNS name or IP address that the installed Defender can use to connect back to Console after it is installed
      • (Optional) In Scope, target the rule to specific hosts
Snapshot displaying the Edit collection dialog for the "demo centos" collection, with the host label "host_demo:centos" specified under Hosts
    4. Create a new collection. Supported attributes are hosts, images, labels, and account IDs
    5. The following example shows a collection based on host labels, in this case a label of "host_demo" with the value "centos"
    6. Specify the scanning scope
    7. Select or create credentials so Prisma Cloud can access your account, as mentioned here
Note: The service account must have the minimum permissions specified here
    8. Click Add. The new rule appears in the table of rules
  6. Apply the rule: By default, host auto-defend rules are evaluated every 24 hours. Click the Apply button to force a new scan.
Note: The following screenshot shows that the "auto-defend-testgroup" rule discovered two EC2 instances and deployed two Defenders (2/2)
Snapshot displaying the Host auto-defend rules tab within Prisma Cloud
 

 


Additional Information


The following sections describe the minimum requirements to auto-defend hosts in AWS.
  1. AWS Systems Manager: Prisma Cloud uses AWS Systems Manager (formerly known as SSM) to deploy Defenders to instances. This means that:
  • The SSM Agent must be installed on every instance.
  • AWS Systems Manager must have permission to perform actions on each instance.
  • To view all SSM managed instances, go to the AWS console.
  2. SSM Agent: Prisma Cloud uses the SSM Agent to deploy Host Defender on an instance. The SSM Agent must be installed before the Host Defenders are deployed. The SSM Agent is installed by default on the following distros:
Note: For more information regarding the SSM Agent, please refer to the document mentioned here
  • Amazon Linux
  • Amazon Linux 2
  • Amazon Linux 2 ECS-Optimized AMIs
  • Ubuntu Server 16.04, 18.04, and 20.04
  The SSM Agent is supported on, but not installed out of the box on, the following distributions. Ensure it is installed before proceeding:
  • CentOS
  • Debian Server
  • Oracle Linux
  • Red Hat Enterprise Linux
  • SUSE Linux Enterprise Server
  3. IAM instance profile for Systems Manager: By default, AWS Systems Manager does not have permission to perform actions on your instances. You must grant it access with an IAM instance profile:
    1. If you have used Systems Manager's Quick Setup feature, assign the AmazonSSMManagedInstanceCore role to your instances.
    2. Prisma Cloud needs a service account with the following permissions to automatically protect EC2 instances in your AWS account. Add the following policy to an IAM user or role:
{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "VisualEditor0",
           "Effect": "Allow",
           "Action": [
               "ec2:DescribeImages",
               "ec2:DescribeInstances",
               "ec2:DescribeRegions",
               "ssm:SendCommand",
               "ssm:DescribeInstanceInformation",
               "ssm:ListCommandInvocations",
               "ssm:CancelCommand"
           ],
           "Resource": "*"
       }
   ]
}
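As an added example (not Palo Alto Networks code), the following Python check compares an IAM policy document against the minimum action set quoted above and reports both missing actions and grants that go beyond that minimum, such as "ssm:*" wildcards. The two sample policies embedded in it are constructed for the demonstration.

```python
"""Least-privilege check for the host auto-defend IAM policy quoted in this article.
Added example, not Palo Alto Networks code: it compares a candidate policy document
with the article's minimum action set and reports missing actions and any grant
that goes beyond that set (wildcards such as "ssm:*" included)."""
import fnmatch

# Minimum actions listed in the article for host auto-defend.
REQUIRED_ACTIONS = frozenset({
    "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeRegions",
    "ssm:SendCommand", "ssm:DescribeInstanceInformation",
    "ssm:ListCommandInvocations", "ssm:CancelCommand",
})


def allowed_actions(policy):
    """Collect every action pattern from Allow statements (IAM accepts a string or a list)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        patterns.extend([action] if isinstance(action, str) else action)
    return patterns


def check_policy(policy):
    """Return required actions that are not granted and grants beyond the minimum.
    IAM matches actions case-insensitively with '*' wildcards, so 'ssm:*' satisfies
    the SSM requirements but is flagged because it grants actions the article never asks for."""
    patterns = allowed_actions(policy)
    exact = {a.lower() for a in REQUIRED_ACTIONS}

    def granted(required):
        return any(fnmatch.fnmatchcase(required.lower(), p.lower()) for p in patterns)

    return {
        "missing": sorted(a for a in REQUIRED_ACTIONS if not granted(a)),
        "beyond_minimum": sorted(p for p in patterns if "*" in p or p.lower() not in exact),
    }


# Constructed samples: the article's policy, and an over-broad variant a reviewer should reject.
ARTICLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"}]}
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ssm:*"], "Resource": "*"}]}
```

check_policy(ARTICLE_POLICY) reports nothing missing and nothing beyond the minimum, while check_policy(BROAD_POLICY) also reports nothing missing but flags both wildcard grants.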

