Palo Alto Prisma Cloud for AWS and Kubernetes

Problem statement

Cloud security has many layers, so covering all of them can be challenging, especially when you run many different workloads and need to pass a compliance audit such as HIPAA or PCI DSS. Moreover, security issues are not limited to the cloud itself: libraries and packages can have vulnerabilities, Kubernetes can be misconfigured from a security perspective, Docker images can be built without regard to best practices, and applications inside a Kubernetes cluster also need to be configured appropriately. Many solutions on the market can help with these issues, but each of them covers a fairly narrow area. If you need one solution that addresses all or most of the issues mentioned, we recommend Palo Alto Networks Prisma Cloud.


Overview

Prisma® Cloud for Amazon Web Services (AWS®) offers cloud-native security and compliance throughout the entire development lifecycle. Protect AWS environments with comprehensive Cloud Security Posture Management (CSPM) – including support for the CIS AWS Foundations Benchmark – and Cloud Workload Protection (CWP) for hosts, containers, and serverless.

Palo Alto Networks is a partner of Automat-IT. We provide our customers with comprehensive support during the deployment, configuration, and usage of the Prisma Cloud with AWS.


Inventory

The first step is to click “Add Cloud Account”.

Prisma Cloud supports five cloud providers.

For AWS there are two options: “Monitor” (read-only) and “Monitor & Protect”, which can additionally perform remediation for some security alerts.

The two options differ only in the set of IAM policies attached to the IAM role. In both cases we have to create an IAM role for cross-account access, with an external ID as an extra security measure. This can be done in one click.

The IAM role is created by a CloudFormation stack. Find the ARN of the created role and paste it into the appropriate field (screenshot above).

With the “Monitor” option you will get a set of read-only permissions for the role.

With the “Monitor & Protect” option the set of permissions will be wider.
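
As an added example (not Prisma Cloud's own CloudFormation template, whose contents the page does not show), the following Python builds the trust policy such a cross-account role needs and checks it the way a reviewer would before the stack is deployed: only one specific account may assume the role, and only when it presents the agreed external ID. The account ID and external ID are placeholders; the real values come from the Prisma Cloud console. The condition key `sts:ExternalId` is the standard AWS mechanism for this.

```python
import json

# Constructed placeholder values: the scanner's real AWS account ID and the
# external ID it generates are not on the page and must be taken from the console.
TRUSTED_ACCOUNT_ID = "111111111111"   # placeholder for the scanner's AWS account
EXTERNAL_ID = "example-external-id"    # placeholder for the console-generated external ID


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy for a cross-account role: only the trusted account may assume it,
    and only when the AssumeRole call carries the agreed external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def check_trust_policy(policy: dict) -> list:
    """Return a list of findings for a trust policy; an empty list means it passes.
    Checks: no wildcard principal, and every statement that allows AssumeRole
    requires an sts:ExternalId."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        if "*" in aws_principals:
            findings.append(f"statement {idx}: wildcard principal may assume the role")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append(f"statement {idx}: AssumeRole allowed without an sts:ExternalId condition")
    return findings


def weak_trust_policy(trusted_account_id: str) -> dict:
    """The same policy with the external ID condition removed, for comparison."""
    policy = build_trust_policy(trusted_account_id, "unused")
    del policy["Statement"][0]["Condition"]
    return policy


if __name__ == "__main__":
    good = build_trust_policy(TRUSTED_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(good, indent=2))
    print("hardened policy:", check_trust_policy(good) or "OK")
    print("weak policy:", check_trust_policy(weak_trust_policy(TRUSTED_ACCOUNT_ID)))
```

The check is deliberately simple: it only inspects the trust relationship, not the permission policies attached to the role, which is where the “Monitor” and “Monitor & Protect” options differ.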

Prisma Cloud needs 1-2 hours to collect all data from a newly added AWS account. When it is done, you will see a dashboard with Assets (AWS resources), Alerts, and graphs with filters.

The inventory also provides a table of all AWS resources that were checked by Prisma Cloud.


Compliance

Prisma Cloud enables you to view, assess, report, monitor, and review your cloud infrastructure’s health and compliance posture. You can also create reports that contain summary and detailed findings of security and compliance risks in your cloud environment.

There are 52 available compliance standards including HIPAA, PCI DSS, SOC 2, CIS, ISO*, AWS Well-Architected framework, and others.

The compliance dashboard shows all assets for the given account or group of accounts.

You can choose the required standard, if it is available for your cloud provider, for example, AWS Well-Architected Framework.

If you click on it, you will see a pie chart of Pass/Fail checks.

Click on “Fail” and you will see a list of assets with security issues.


Alerts

Click on any finding, for example an IAM user, and you will see its particular issues, such as the user’s activity, key retention, MFA, etc.

For an S3 bucket, you will see public access, encryption, logging, etc.


Alerts reports

You can generate a report with all alerts related to the particular compliance standard and account/group.

The generated PDF file starts with a summary sorted by severity.

It is followed by information about every alert and recommendations for a fix.


Compliance reports

You can generate a compliance report once or on a schedule. Click the required standard.

Choose the accounts and cloud type, and click “Create Report”.

Set a name, email address, and schedule.

The report starts with a summary.

It is followed by details for every check, for example the password policy of an AWS account.


Code security


VSCode IDE plugin


Prisma Cloud offers many options for Code Security: we can connect GitHub, GitLab, or Bitbucket, and we can install a plugin into an IDE such as VSCode or IntelliJ.

When you click VSCode, you are redirected to the VSCode Marketplace; just install the plugin.

Next, configure the plugin: set the Prisma API URL and the token in the form <AccessKey>::<SecretKey>.

It scans cloud infrastructure provisioned using Terraform, Cloudformation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfile, Serverless, Bicep, or ARM Templates and detects security and compliance misconfigurations using graph-based scanning.

When you open any Terraform file, the scan starts automatically.

When you hover over the underlined resource, you see all issues that need to be fixed.

Every issue has a link to the “Bridgecrew” website, where you can find a description of the issue and how to fix it.

Another useful feature: when you click on the underlined resource, a bubble appears.

Some issues can be fixed automatically with one click.

In our example the fix enabled CloudTrail in all Regions.

The plugin scans Dockerfiles and Kubernetes manifests in the same way.


GitHub integration

Prisma Cloud Code Security can be integrated with all popular VCS solutions, like GitHub, GitLab, Bitbucket, etc. It can be used to scan IaC (Terraform, CloudFormation, Docker, or Kubernetes files).

After you choose the required VCS and authorize Prisma Cloud there, you can select the repositories you would like to scan.

In the settings, you can exclude some paths or configure notifications.

The first scan takes several minutes. After that, you will see how many security issues exist in the repository, grouped by category (compute, networking, storage, etc.).

Every finding can be fixed or suppressed.

All selected fixes are bundled together, and you can submit them as a pull request.

The pull requests appear in your repository.

In this case, we added only one fix (S3 default encryption).

Dockerfiles are scanned against Docker best practices.

Prisma Cloud can find security issues in Kubernetes manifests, for example:

  • Containers run with AllowPrivilegeEscalation

  • Default namespace is used

  • Read-only filesystem for containers is not used

  • Admission of root containers is not minimized

  • Admission of containers with the NET_RAW capability is not minimized

  • securityContext is not applied to pods and containers

  • seccomp is not set to Docker/Default or Runtime/Default

  • Admission of containers with capabilities assigned is not limited

  • Service account tokens are mounted where they are not necessary

  • Containers do not run with a high UID

  • Images are not selected using a digest

  • Readiness probe is not configured

  • Liveness probe is not configured

and others.
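
To make the findings above concrete, here is an added example (not Prisma Cloud's scanner, whose rules the page does not show) that implements most of them as a small checker in Python and runs it over two constructed Pod manifests: a weak one and a hardened one. It assumes the manifest has already been parsed into a dict (as a YAML or JSON loader would produce), that “high UID” means 10000 or above, and that only the `seccompProfile` field form of the seccomp setting is recognised.

```python
# Added example checker for the Kubernetes manifest findings listed above.
# Not Prisma Cloud's own rules; thresholds and field choices are assumptions.

HIGH_UID = 10000  # assumed threshold for "runs with a high UID"


def container_findings(c: dict) -> list:
    """Return findings for a single container spec."""
    name = c.get("name", "<unnamed>")
    f = []
    sc = c.get("securityContext")
    if sc is None:
        f.append(f"{name}: securityContext is not applied")
        sc = {}
    # allowPrivilegeEscalation defaults to true when it is not set
    if sc.get("allowPrivilegeEscalation", True):
        f.append(f"{name}: runs with allowPrivilegeEscalation")
    if not sc.get("readOnlyRootFilesystem", False):
        f.append(f"{name}: read-only root filesystem is not used")
    if not sc.get("runAsNonRoot", False):
        f.append(f"{name}: root container is not prevented (runAsNonRoot)")
    caps = sc.get("capabilities") or {}
    drop = caps.get("drop") or []
    if "ALL" not in drop and "NET_RAW" not in drop:
        f.append(f"{name}: NET_RAW capability is not dropped")
    if caps.get("add"):
        f.append(f"{name}: extra capabilities are assigned: {caps['add']}")
    if sc.get("runAsUser", 0) < HIGH_UID:
        f.append(f"{name}: does not run with a high UID")
    if "@sha256:" not in c.get("image", ""):
        f.append(f"{name}: image is not selected using a digest")
    for probe in ("readinessProbe", "livenessProbe"):
        if probe not in c:
            f.append(f"{name}: {probe} is not configured")
    return f


def pod_findings(pod: dict) -> list:
    """Return findings for a Pod manifest: pod-level checks plus every container."""
    f = []
    if pod.get("metadata", {}).get("namespace", "default") == "default":
        f.append("default namespace is used")
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    if (pod_sc.get("seccompProfile") or {}).get("type") != "RuntimeDefault":
        f.append("seccomp is not set to RuntimeDefault")
    # the service account token is mounted by default unless explicitly disabled
    if spec.get("automountServiceAccountToken", True):
        f.append("service account token is mounted")
    for c in spec.get("containers", []):
        f.extend(container_findings(c))
    return f


# Constructed sample manifests (not taken from the page).
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},  # no namespace, so it lands in "default"
    "spec": {"containers": [{"name": "web", "image": "nginx:latest"}]},
}

HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web",
            "image": "nginx@sha256:" + "0" * 64,  # placeholder digest, not a real one
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "runAsNonRoot": True,
                "runAsUser": 10001,
                "capabilities": {"drop": ["ALL"]},
            },
            "readinessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
            "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        findings = pod_findings(pod)
        print(f"{label}: {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

The weak manifest is the shortest valid Pod you can write, and it trips every check; the hardened one passes them all, which shows that each finding maps to one explicit field in the manifest rather than to anything exotic.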

The Supply Chain Graph visualizes the structure of files in the repository and marks the findings.


Compute scan

The Compute scan in Prisma Cloud covers Hosts (EC2), Images (ECR), Containers in EKS, and Lambda functions. The first page in the “Compute” tab is a Cloud Map.

When you choose a Region, you can see the total number of resources (Defended and Undefended). A Defender can be deployed to each type of resource separately.


Serverless scan

Once the initial scan is complete, we can see the Lambda functions, their triggers (on the left), and their permissions (on the right).

Lambda functions marked green are safe; red ones contain vulnerabilities.

Opening the “Vulnerabilities” tab shows exactly what is wrong. In our example, the Go version used by the Lambda function has known issues.


Kubernetes cluster scan

Prisma Cloud provides the utilities for different platforms and operating systems that are needed for a Defender deployment.

The deployment method can be “Orchestrator” (ECS, Kubernetes, OpenShift) or “Single Defender”.

For Kubernetes, we can use a DaemonSet (YAML) or a Helm chart, configured beforehand.

“Single Defender” has several options (Container, Host Linux/Windows, Tanzu, or Serverless).

Once the Defenders are installed, the host appears in the Prisma Cloud console.

The vulnerabilities page has several tabs; the first one shows application or OS-related issues.

The second tab shows compliance for a Linux/Windows host (OS configuration) or a Kubernetes node (kubelet configuration and so on).

The package info tab shows all installed packages and known vulnerabilities.

The environment tab shows running containers.

If you click on any displayed container, you will see its details, including vulnerabilities.

When a Defender is deployed into the Kubernetes cluster, we can see all pods running inside it, their interconnections, and their vulnerabilities.

The vulnerabilities page has the same tabs as for a host (node), plus the layers of the Docker image with the issues found in each layer.

Continuous Integration

Continuous security checks are essential for a CI/CD process. Prisma Cloud integrates natively with Jenkins via a plugin and can scan application code and Docker images as a step of every job.


Image Vulnerabilities scan

A Prisma Docker image vulnerability scan can be run during Jenkins pipeline execution. The scan results then appear on the Jenkins job page.

In the Prisma interface, the scan results are available on the Compute - Monitor - Vulnerabilities - Images - CI page.


Code Repository Vulnerabilities scan

A Prisma code repository vulnerability scan can also be run during Jenkins pipeline execution.

The Prisma Jenkins plugin can evaluate the package dependencies in your code repositories for vulnerabilities. It supports the following runtimes:

  • Go

  • Java

  • Node.js

  • Python

  • Ruby

The scan results appear in the Jenkins job menu.

In the Prisma interface, the scan results are available on the Compute - Monitor - Vulnerabilities - Code repositories - CI page.

Conclusion

Palo Alto Networks Prisma Cloud is a good solution for an enterprise: it provides full coverage for security scanning of AWS accounts (or other clouds), IaC (Terraform, CloudFormation, Docker, Kubernetes, Helm, etc.), virtual machines (e.g. EKS nodes), Docker images, running containers, and Lambda functions. It has convenient visualization, reporting, continuous monitoring, and alerting, and it can be integrated with a CI/CD process. Automat-IT can include deployment of Prisma Cloud in an AWS environment and provide consulting support.
