Palo Alto Prisma Cloud for AWS and Kubernetes

Updated: Aug 29

Problem statement

Security in the cloud has many layers, so it can be quite challenging to cover everything, especially if you run many different workloads and need to pass a compliance audit such as HIPAA or PCI DSS. Moreover, security issues are not limited to the cloud itself: libraries and packages can have vulnerabilities, Kubernetes can be misconfigured from a security perspective, Docker images can be built disregarding best practices, and applications inside a Kubernetes cluster must also be configured appropriately. Many solutions on the market can help with these issues, but each has quite a narrow coverage area. If you need one solution that addresses all or most of the issues mentioned, we recommend Palo Alto Networks Prisma Cloud.


Overview

Prisma® Cloud for Amazon Web Services (AWS®) offers cloud-native security and compliance throughout the entire development lifecycle. Protect AWS environments with comprehensive Cloud Security Posture Management (CSPM) – including support for the CIS AWS Foundations Benchmark – and Cloud Workload Protection (CWP) for hosts, containers, and serverless.

Palo Alto Networks is a partner of Automat-IT. We provide our customers with comprehensive support during the deployment, configuration, and usage of the Prisma Cloud with AWS.


Inventory

The first thing we should do is “Add Cloud Account”.

Prisma Cloud supports 5 cloud providers.

For AWS there are two options: “Monitor” (read-only) and “Monitor & Protect”, which can also perform remediation for some security alerts.

These two options differ only in the set of IAM policies attached to the IAM role. We have to create an IAM role for cross-account access with an external ID as an extra security measure. It can be done in one click.

The IAM role will be created by the CloudFormation stack. We need to find the ARN of the role and paste it into the appropriate field (screenshot above).

With the “Monitor” option you will get a set of read-only permissions for the role.

With the “Monitor & Protect” option the set of permissions will be wider.

Prisma Cloud needs 1-2 hours to collect all data from a newly added AWS account. When it is done you will see a dashboard with Assets (AWS resources) and Alerts, plus graphs with filters.

Below we can see a table with all AWS resources that were checked by the Prisma Cloud.


Compliance

Prisma Cloud enables you to view, assess, report, monitor, and review your cloud infrastructure’s health and compliance posture. You can also create reports that contain summary and detailed findings of security and compliance risks in your cloud environment.

There are 52 available compliance standards including HIPAA, PCI DSS, SOC 2, CIS, ISO standards, the AWS Well-Architected Framework, and others.

The compliance dashboard shows all assets for the given account or group of accounts.

You can choose the required standard, if it is available for your cloud provider, for example, AWS Well-Architected Framework.

If you click on it, you will see a pie chart of Pass/Fail checks.

Click on “Fail” and you will see a list of assets with security issues.


Alerts

Click on any finding, for example an IAM user, and you will see the particular issues, like the user’s activity, access key retention, MFA, etc.

For an S3 bucket, you will see public access, encryption, logging, etc.


Alerts reports

You can generate a report with all alerts related to a particular compliance standard and account/group.

First, the generated PDF file shows a summary sorted by severity.

Further down you can find information about every alert and recommendations for a fix.


Compliance reports

You can generate a compliance report (once or on a schedule). Click the required standard.

Choose accounts and cloud type, and click “Create Report”.

Set a name, email, and schedule:

First, the report shows a summary.

Further down you will find details for every particular check, for example the password policy for an AWS account.


Code security


VSCode IDE plugin


There are many options for Code Security in Prisma Cloud. We can connect GitHub, GitLab, or Bitbucket, as well as install a plugin into an IDE such as VSCode or IntelliJ.

When you click VSCode, you are redirected to the VSCode Marketplace. Just install the plugin.