Prisma Cloud: How to sync cloud accounts when settings under Cloud Security (CSPM) not updating under Runtime Security (Compute CWP)

Created On 12/19/25 17:25 PM - Last Modified 03/04/26 18:08 PM


Objective


This article explains how to resync Runtime Security (CWP) with the cloud account settings held in Cloud Security (CSPM). The steps force a fresh ingestion of the cloud account into Compute, which is the fix when a change made in CSPM is not reflected in CWP.

Issue: Agentless Scan is still enabled in Runtime Security after the feature was disabled for the cloud account in Cloud Security



Environment


Prisma Cloud

  • Prisma Cloud - Cloud Security
  • Prisma Cloud - Runtime Security
    • Agentless Scan


Procedure


  1. Disable 'Agentless Workload Scanning' for the cloud account in CSPM before making any change in CWP (otherwise the re-ingested account may trigger a scan)
    • Cloud Security > Settings > Providers > Search <Account ID/Name>
  2. Delete the out-of-sync cloud account from CWP
    • Runtime Security > Manage > Cloud accounts > Filter <Account ID/Name>
  3. Disable and re-enable the cloud account in CSPM
    • Cloud Security > Settings > Providers > Search <Account ID/Name>
  4. Confirm the cloud account is rediscovered in CWP with the settings configured under CSPM (Agentless scan 'Off')
    • Runtime Security > Manage > Cloud accounts > Filter <Account ID/Name>


Additional Information


  • Cloud accounts that were onboarded a while ago can sometimes require account rediscovery in Compute, which is performed via this manual method.
  • Depending on the 'Hub' account configuration, step 2 (deleting the account from CWP) may fail with the following error:
    • Failed to delete cloud rule: hub account "<account info>" deletion is not allowed as it is being used by target accounts: <target account info> ...
  • This happens when the account's Agentless scan mode is Hub Account Mode [1] and one or more target accounts still point at it. Before the hub can be deleted, each of those target accounts must be switched to "Same Account Mode" so that it is disassociated from the hub.
    • A centralized account, called the hub account, scans hosts in other cloud accounts, called target accounts [1]

Keep in mind that an Agentless scan can be kicked off in three main ways:

  1. Scheduled scan
  2. Manually initiated scan
  3. A new cloud account is onboarded, or ingested into 'Compute', with Agentless scan ON
    1. The procedure above forces a fresh ingestion of the cloud account, which is case 3. If a scan must not be triggered during the resync, disable Agentless under CSPM first (step 1); the account is then re-ingested with Agentless 'Off' and no scan starts.
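The following is an added example, not Prisma Cloud code or console output. It models the drift the article describes (CSPM shows Agentless Off, Compute still shows it On) and the hub-mode caveat from Additional Information: given two account lists that stand in for what you read off Cloud Security > Settings > Providers and Runtime Security > Manage > Cloud accounts, it flags out-of-sync and never-ingested accounts, lists the target accounts that would block deleting a hub, and emits the ordered manual steps per drifted account. The data classes, field names and sample account IDs are assumptions constructed for the example.

```python
"""Drift check between Prisma Cloud CSPM and Compute (CWP) agentless settings.

Constructed example for this article, not Prisma Cloud code or API output. The
two lists stand in for what you read off Cloud Security > Settings > Providers
and Runtime Security > Manage > Cloud accounts; the field names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CspmAccount:
    account_id: str
    name: str
    agentless_enabled: bool          # 'Agentless Workload Scanning' toggle in CSPM


@dataclass(frozen=True)
class CwpAccount:
    account_id: str
    agentless_enabled: bool          # what Compute actually ingested
    scan_mode: str                   # "same" (Same Account Mode) or "hub" (Hub Account Mode)
    hub_account_id: Optional[str] = None   # for a target in hub mode: the hub that scans it


# Constructed sample data: 1111... was switched Off in CSPM but Compute still
# shows it On and scanned by hub 2222...; 4444... was onboarded in CSPM but
# never ingested into Compute at all.
CSPM_ACCOUNTS = [
    CspmAccount("111111111111", "acme-prod", agentless_enabled=False),
    CspmAccount("222222222222", "acme-hub", agentless_enabled=True),
    CspmAccount("333333333333", "acme-dev", agentless_enabled=False),
    CspmAccount("444444444444", "acme-new", agentless_enabled=True),
]
CWP_ACCOUNTS = [
    CwpAccount("111111111111", agentless_enabled=True, scan_mode="hub", hub_account_id="222222222222"),
    CwpAccount("222222222222", agentless_enabled=True, scan_mode="same"),
    CwpAccount("333333333333", agentless_enabled=False, scan_mode="same"),
]


def find_out_of_sync(cspm: List[CspmAccount], cwp: List[CwpAccount]) -> Tuple[List[str], List[str]]:
    """Return (drifted, missing): accounts whose CWP agentless state disagrees
    with CSPM, and accounts CSPM knows about that CWP has not ingested."""
    cwp_by_id = {a.account_id: a for a in cwp}
    drifted, missing = [], []
    for acct in cspm:
        ingested = cwp_by_id.get(acct.account_id)
        if ingested is None:
            missing.append(acct.account_id)
        elif ingested.agentless_enabled != acct.agentless_enabled:
            drifted.append(acct.account_id)
    return drifted, missing


def deletion_blockers(cwp: List[CwpAccount], hub_id: str) -> List[str]:
    """Targets still in Hub Account Mode that point at hub_id. While any exist,
    deleting the hub from Compute fails with the 'used by target accounts' error."""
    return [a.account_id for a in cwp if a.scan_mode == "hub" and a.hub_account_id == hub_id]


def resync_plan(cspm: List[CspmAccount], cwp: List[CwpAccount]) -> Dict[str, List[str]]:
    """Ordered manual steps from the article, per drifted account. A target in
    hub mode gets one extra step: move it to Same Account Mode before deleting,
    otherwise the hub it points at cannot be removed later."""
    cwp_by_id = {a.account_id: a for a in cwp}
    drifted, _ = find_out_of_sync(cspm, cwp)
    plan: Dict[str, List[str]] = {}
    for acct_id in drifted:
        entry = cwp_by_id[acct_id]
        steps = ["CSPM: set 'Agentless Workload Scanning' Off before touching CWP"]
        if entry.scan_mode == "hub":
            steps.append(f"CWP: switch scan mode to Same Account Mode (detach from hub {entry.hub_account_id})")
        steps += [
            "CWP: delete the cloud account",
            "CSPM: disable and re-enable the cloud account",
            "CWP: confirm rediscovery with Agentless scan Off",
        ]
        plan[acct_id] = steps
    return plan


if __name__ == "__main__":
    drifted, missing = find_out_of_sync(CSPM_ACCOUNTS, CWP_ACCOUNTS)
    print("drifted:", drifted, "| not ingested into CWP:", missing)
    print("blocking deletion of hub 222222222222:", deletion_blockers(CWP_ACCOUNTS, "222222222222"))
    for acct_id, steps in resync_plan(CSPM_ACCOUNTS, CWP_ACCOUNTS).items():
        print(acct_id)
        for n, step in enumerate(steps, 1):
            print(f"  {n}. {step}")
```

The check only compares what both consoles display; it does not call either API. Run it against the two lists you transcribe, and work the plan top to bottom: the CSPM toggle goes Off first so that the re-ingestion in the last steps lands with Agentless Off and does not start a scan.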

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000kAi0KAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail