Agentless scan identifying a private image (AMI) as a marketplace image requiring EULA along with other marketplace images.
Created On 06/09/24 23:17 PM - Last Modified 06/14/24 06:11 AM


Symptom


  • Agentless scan identifies a few AMIs as marketplace images requiring a subscription.
  • This prevents the scanner from being deployed, and the console logs the message below:
ERRO 2024-06-16T20:50:17.260 types.go:590 (agentless/orchestrator.go:2211) Failed to deploy scanner: failed to deploy scanner ---snip
: subscription required
OptInRequired: In order to use this AWS Marketplace product you need to accept terms and subscribe. To do so please visit https://aws.amazon.com/marketplace/pp?sku=1o0kp4lye72fbgbb39noij1xu
status code: 401, request id: e19ff056-c8f1-2d12-9217-772eb47eb293. Skipping instances: [<instance-ids> <instance-ids> <instance-ids>] target="<target-account-id>" hub="<hub-account-id>" region="ap-southeast-2" availabilityDomain="" job="Scan" workerID="z5fd2351-6123-4424-9127-cd12345d12d6"

 


Environment


  • Prisma Cloud
    • AWS 
    • Agentless scanning


Cause


  • The Prisma Cloud Scanner fails to deploy when one of the AMIs in the scanning list requires a subscription. Because the scanner itself never launches, the scanning of the other AMIs that do not require a subscription fails as well.
  • If an AMI requires a subscription (paid, or acceptance of a EULA), the account must complete the marketplace subscription process before launching instances from that AMI. Without the subscription, the instance is blocked from running.
  • With the current architecture, such AWS Marketplace issues are only detected when the Prisma Cloud Scanner is launched in the cloud account. Multiple instances are scanned by a single scanner instance, so a scanner deployment failure caused by a subscription issue impacts every instance in the scanning list, including those that do not require a subscription.
  • The issue is commonly noticed with hub account scanning. The agentless scan is performed through a hub account, and the EULA/subscription for the marketplace AMIs used by the other accounts has not been accepted in the hub account. When the scanner attempts to scan multiple instances, it fails if any host in the scanner list uses a marketplace AMI that requires a subscription. As a result all the hosts, including those that don't require a subscription, are reported as requiring a EULA.


Resolution


  • To address this, the recommended approach is to ensure that the hub account used for the agentless scan has accepted the required EULA/subscription for every marketplace AMI that is part of the scanning list. The scanner can then be deployed successfully and scan all the instances, including those using private AMIs.
  • The subscription link is printed in the console logs (highlighted below):
ERRO 2024-06-16T20:50:17.260 types.go:590 (agentless/orchestrator.go:2211) Failed to deploy scanner: failed to deploy scanner 
---snip
: subscription required
OptInRequired: In order to use this AWS Marketplace product you need to accept terms and subscribe. To do so please visit >>>>>>https://aws.amazon.com/marketplace/pp?sku=1o0kp4lye72fbgbb39noij1xu. <<<<<<<<<<<
status code: 401, request id: e19ff056-c8f1-2d12-9217-772eb47eb293. Skipping instances: [<instance-ids> <instance-ids> <instance-ids>] target="<target-account-id>" hub="<hub-account-id>" region="ap-southeast-2" availabilityDomain="" job="Scan" workerID="z5fd2351-6123-4424-9127-cd12345d12d6"
  • Failure to accept the EULA causes the scanner deployment to fail. As a result all the hosts, including those that don't require a subscription, are reported as requiring a EULA.


Workaround:

If the EULA for a particular AMI cannot be accepted, those unsupported AMIs can be excluded from the agentless scanning process by using an exclude tag.
  • The steps to handle this are:
    1. Identify the AMIs whose EULA requirements cannot be accepted.
    2. Add a tag to those specific AMIs.
    3. Configure the agentless scan to exclude the AMIs carrying that exclusion tag.
  • This way, the agentless scan does not attempt to pick up and scan the marketplace AMIs that have such subscription restrictions, which avoids the failures during the scanning process.


Additional Information


When does an AWS AMI (Amazon Machine Image) require a marketplace subscription?

  • An AWS AMI requires a marketplace subscription in the following cases:
    • Pre-configured AMIs from AWS Marketplace: To use an AMI that has been pre-configured and made available through the AWS Marketplace, the account needs to subscribe to that AMI's marketplace listing. This gives the account the right to use the software or services included in the AMI.
    • Private AMIs shared from other AWS accounts: If another AWS account owner has shared a private AMI with you, and that AMI contains software or services that require a marketplace subscription, you will need to subscribe to the relevant marketplace listing before you can launch instances from that AMI.
    • Community AMIs with paid software: Some community AMIs available in the AWS Marketplace contain software that requires a paid subscription. In this case, you will need to subscribe to the marketplace listing before launching instances from that AMI.
  • In general, if an AMI you want to use contains any software or services that require a subscription, you will need to complete the marketplace subscription process before you can launch instances from that AMI. The marketplace subscription grants you the necessary usage rights and permissions.
  • If the AMI you want to use does not contain any software or services requiring a marketplace subscription, then you do not need to subscribe to any marketplace listing to use that AMI.

Why is this common with hub account scanning?

  • In an agentless scanning scenario, the scans are performed on the running instances and their associated Amazon Machine Images (AMIs). If an instance is already running, the account used to launch it must have had the marketplace subscription needed for that AMI.
  • Therefore, when scanning instances within the same account that owns the AMI, the agentless scan should succeed, as the subscription requirements are already met and the AMI is already running.
  • However, when the scanning is performed through a hub account, the scanner is deployed by running the target AMI in the hub account. Since the marketplace subscription for that AMI is associated with a different account and not with the hub account, the attempt to run the AMI in the hub account fails, and the scan returns an error message indicating the missing subscription.
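The following helper is an added example that is not part of this article or of the Prisma Cloud product; it supports the workaround steps above (identify the AMIs with subscription requirements, then tag them) and the explanation of when an AMI needs a marketplace subscription. It classifies AMIs from the JSON that `aws ec2 describe-images` returns by looking for a `ProductCodes` entry of type `marketplace`, parses the `OptInRequired` console line to pull out the subscription URL, the skipped instances and the hub/target accounts, and prints the `aws ec2 create-tags` commands for the exclusion tag. The tag key and value (`prisma-agentless-exclude` / `true`), the sample AMI and account IDs, the SKU and the log line are all constructed placeholders; use the tag that your agentless scan configuration is set to exclude on.

```python
"""Triage AMIs for agentless scanning (added example, not from the KB article).

Assumptions:
- EXCLUDE_TAG_KEY / EXCLUDE_TAG_VALUE are placeholders for the exclusion tag
  configured in the agentless scan settings.
- The describe-images JSON and the console line below are constructed samples
  in the same shape as the real `aws ec2 describe-images` output and the
  ERRO line quoted in the article, so the script runs offline.
"""
import json
import re
import shlex

EXCLUDE_TAG_KEY = "prisma-agentless-exclude"  # placeholder (assumption)
EXCLUDE_TAG_VALUE = "true"                     # placeholder (assumption)

# Constructed sample: one AMI with a Marketplace product code, one plain private AMI.
SAMPLE_DESCRIBE_IMAGES = json.dumps({
    "Images": [
        {"ImageId": "ami-0aaaaaaaaaaaaaaa1", "OwnerId": "111111111111",
         "Name": "vendor-appliance",
         "ProductCodes": [{"ProductCodeId": "EXAMPLEPRODUCTCODE",
                           "ProductCodeType": "marketplace"}]},
        {"ImageId": "ami-0bbbbbbbbbbbbbbb2", "OwnerId": "111111111111",
         "Name": "golden-base", "ProductCodes": []},
    ]
})

# Constructed console line in the format the article quotes (placeholder IDs).
SAMPLE_LOG_LINE = (
    'ERRO 2024-06-16T20:50:17.260 types.go:590 (agentless/orchestrator.go:2211) '
    'Failed to deploy scanner: failed to deploy scanner: subscription required '
    'OptInRequired: In order to use this AWS Marketplace product you need to accept '
    'terms and subscribe. To do so please visit '
    'https://aws.amazon.com/marketplace/pp?sku=EXAMPLESKU '
    'status code: 401, request id: 00000000-0000-0000-0000-000000000000. '
    'Skipping instances: [i-0123456789abcdef0 i-0fedcba9876543210] '
    'target="222222222222" hub="333333333333" region="ap-southeast-2" job="Scan"'
)


def marketplace_amis(describe_images_json):
    """Return the IDs of AMIs that carry an AWS Marketplace product code.

    Only an account that has subscribed to the listing can launch such an AMI,
    which is what makes the scanner deployment in the hub account fail.
    """
    images = json.loads(describe_images_json)["Images"]
    return sorted(
        img["ImageId"] for img in images
        if any(pc.get("ProductCodeType") == "marketplace"
               for pc in img.get("ProductCodes", []))
    )


def parse_optin_error(line):
    """Extract the subscription URL, skipped instances and accounts from an
    OptInRequired console line; return None for any other line."""
    if "OptInRequired" not in line:
        return None
    url = re.search(r"https://aws\.amazon\.com/marketplace/pp\?sku=[A-Za-z0-9]+", line)
    skipped = re.search(r"Skipping instances: \[([^\]]*)\]", line)
    hub = re.search(r'hub="([^"]*)"', line)
    target = re.search(r'target="([^"]*)"', line)
    return {
        "subscription_url": url.group(0) if url else None,
        "skipped_instances": skipped.group(1).split() if skipped else [],
        "hub_account": hub.group(1) if hub else None,
        "target_account": target.group(1) if target else None,
    }


def exclusion_tag_commands(ami_ids):
    """Build one `aws ec2 create-tags` command per AMI to exclude (step 2)."""
    return [
        "aws ec2 create-tags --resources {} --tags Key={},Value={}".format(
            ami, shlex.quote(EXCLUDE_TAG_KEY), shlex.quote(EXCLUDE_TAG_VALUE))
        for ami in ami_ids
    ]


if __name__ == "__main__":
    info = parse_optin_error(SAMPLE_LOG_LINE)
    print("Subscription link to accept in hub account", info["hub_account"], ":",
          info["subscription_url"])
    print("Instances skipped by the failed scanner:", info["skipped_instances"])
    for cmd in exclusion_tag_commands(marketplace_amis(SAMPLE_DESCRIBE_IMAGES)):
        print(cmd)
```

In practice, feed the script the real `aws ec2 describe-images --image-ids ... --output json` output for the AMIs behind the skipped instances; AMIs with no marketplace product code do not need a subscription and should stay in the scan, while the ones that do are either subscribed to in the hub account (Resolution) or tagged out (Workaround).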

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000scKvCAI&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail