diff --git a/docs/en/compute-edition/32/admin-guide/agentless-scanning/onboard-accounts/configure-aws.adoc b/docs/en/compute-edition/32/admin-guide/agentless-scanning/onboard-accounts/configure-aws.adoc index e2cdd89bcc..cc63ce15c6 100644 --- a/docs/en/compute-edition/32/admin-guide/agentless-scanning/onboard-accounts/configure-aws.adoc +++ b/docs/en/compute-edition/32/admin-guide/agentless-scanning/onboard-accounts/configure-aws.adoc @@ -26,6 +26,8 @@ image::agentless-aws-pcee-advanced-settings.png[width=540] . Click *Save* to return to *Compute > Manage > Cloud accounts*. +NOTE: Agentless scanning enforces boot volume encryption by default. + [#aws-agentless-modes] === Scan Settings 
@@ -123,8 +125,70 @@ The following combinations are possible for the network resources. * If you only configure the *Subnet name*, Prisma Cloud validates that the subnet exists and assumes that all required network resources exist and are attached to that subnet. Prisma Cloud uses the default security group created by AWS for that subnet. +=== Resource Tagging +//CWP-59114 + +This section lists the conventions used for identifying resources that are created by agentless scanning in Amazon Web Services (AWS). These conventions ensure that resources are effectively managed and uniformly identified in AWS cloud environments. + +In Amazon Web Services (AWS), tags are used to identify resources created by agentless scanning. Here are the details for various types of resources. + +*Agentless Scanner VMs* + +* Name format: `prismacloud-scan-` + +* Tags: + +** `created-by: prismacloud-agentless-scan` + +** `Name: prismacloud-scan-` + +** `prismacloud-agentless-unique-id: ` + +`scan-unique-id` is a unique identifier generated for each scan. It changes with every scan, resulting in a distinct name for the resources created during that scan. + +`console-unique-id` is a unique number associated with each console. For Prisma Cloud SaaS customers, it remains constant even after upgrades. For on-premises setups, it may change if a new console is created without using data from the previous console. This ID is used to track resources and facilitate their cleanup after the scan is completed. + +*Security Groups (SG)* + +* Name format: `sg--prismacloud-scan-` + +* Tags: Not applicable + +sg-ID is an AWS ID generated during agentless scanning. It is derived from the `scan-unique-id` and `console-unique-id`. If these IDs are missing, the SG-ID value will remain empty. 
+ +*Subnets* + +* Name format: `subnet- / prismacloud-scan-` + +* Tags: + +** `created-by: prismacloud-agentless-scan` + +** `Name: prismacloud-scan-` + +`subnetId` is the identifier for a subnet within the cloud environment. + +*Snapshots* + +* Name format: `snap-(prismacloud-scan-)` + +* Tags: + +** `created-by: prismacloud-agentless-scan` + +** `Name: prismacloud-scan-` + +** `prismacloud-agentless-unique-id: ` + +`snapshotId` is the identifier for a snapshot, a point-in-time copy of a resource in the cloud environment. + +*Volumes* + +Volumes are not tagged by Prisma Cloud. + === Known Limitations * *LVM-based AMIs:* Due to the lack of an official LVM-based Amazon Machine Image (AMI) on AWS, agentless scanning might not recognize and scan AMIs using a non-standard LVM configuration. These AMIs will currently not be supported for agentless scanning. * *Unsupported Marketplace AMIs:* Certain AMIs available on the AWS Marketplace are configured in a way that prohibits mounting them as secondary volumes. Consequently, agentless scanning is not compatible with these AMIs. If scanning is essential for such hosts, please contact the vendor of the specific AMI to request a configuration change that will enable agentless to scan instances launched from that AMI, by removing that limitation. + diff --git a/docs/en/compute-edition/32/admin-guide/deployment-patterns/performance-planning.adoc b/docs/en/compute-edition/32/admin-guide/deployment-patterns/performance-planning.adoc index 1e726b0e37..d4aebdc693 100644 --- a/docs/en/compute-edition/32/admin-guide/deployment-patterns/performance-planning.adoc +++ b/docs/en/compute-edition/32/admin-guide/deployment-patterns/performance-planning.adoc 
@@ -9,7 +9,7 @@ For example, heavily loaded hosts have fewer available resources than hosts with === Scale -Prisma Cloud has been tested and optimized to support up to 10,000 Defenders per Console. +Prisma Cloud has been tested and optimized to support up to 20,000 Defenders per Console. ifdef::compute_edition[] Higher numbers of Defenders per Console can be supported, as long as the xref:../install/system-requirements.adoc#hardware[required resources] are allocated to Console. diff --git a/docs/en/compute-edition/33/admin-guide/agentless-scanning/onboard-accounts/configure-aws.adoc b/docs/en/compute-edition/33/admin-guide/agentless-scanning/onboard-accounts/configure-aws.adoc index fba2f5c13e..6b766ad9bb 100644 --- a/docs/en/compute-edition/33/admin-guide/agentless-scanning/onboard-accounts/configure-aws.adoc +++ b/docs/en/compute-edition/33/admin-guide/agentless-scanning/onboard-accounts/configure-aws.adoc @@ -26,6 +26,8 @@ image::agentless-aws-pcee-advanced-settings.png[width=540] . Click *Save* to return to *Compute > Manage > Cloud accounts*. +NOTE: Agentless scanning enforces boot volume encryption by default. + [#aws-agentless-modes] === Scan Settings diff --git a/docs/en/compute-edition/33/admin-guide/deployment-patterns/performance-planning.adoc b/docs/en/compute-edition/33/admin-guide/deployment-patterns/performance-planning.adoc index 1e726b0e37..d4aebdc693 100644 --- a/docs/en/compute-edition/33/admin-guide/deployment-patterns/performance-planning.adoc +++ b/docs/en/compute-edition/33/admin-guide/deployment-patterns/performance-planning.adoc 
@@ -9,7 +9,7 @@ For example, heavily loaded hosts have fewer available resources than hosts with === Scale -Prisma Cloud has been tested and optimized to support up to 10,000 Defenders per Console. +Prisma Cloud has been tested and optimized to support up to 20,000 Defenders per Console. ifdef::compute_edition[] Higher numbers of Defenders per Console can be supported, as long as the xref:../install/system-requirements.adoc#hardware[required resources] are allocated to Console. diff --git a/docs/en/enterprise-edition/content-collections/runtime-security/agentless-scanning/configure-accounts/configure-aws.adoc b/docs/en/enterprise-edition/content-collections/runtime-security/agentless-scanning/configure-accounts/configure-aws.adoc index 23247ad47e..20af731e3c 100644 --- a/docs/en/enterprise-edition/content-collections/runtime-security/agentless-scanning/configure-accounts/configure-aws.adoc +++ b/docs/en/enterprise-edition/content-collections/runtime-security/agentless-scanning/configure-accounts/configure-aws.adoc @@ -29,6 +29,8 @@ image::runtime-security/agentless-aws-configuration.png[] . Click *Save* to return to *Compute > Manage > Cloud accounts*. +NOTE: Agentless scanning enforces boot volume encryption by default. + [#aws-agentless-modes] ==== Scan Settings
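Review bot: in the `@@ -26,6 +26,8 @@` hunk of docs/en/compute-edition/32/admin-guide/agentless-scanning/onboard-accounts/configure-aws.adoc, the new `NOTE: Agentless scanning enforces boot volume encryption by default.` states a policy without describing its observable effect. A reader of the advanced-settings step needs to know what "enforces" means in practice: whether instances whose boot volume is unencrypted are skipped or still scanned, whether the scan-time snapshot is created encrypted and with which key, and whether a customer-managed key requires extra permissions on the scanning role. Expand the admonition (or link to the section that covers it) so the operational consequence and any related setting are stated next to the claim.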
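Review bot: the placeholder tokens in the new `=== Resource Tagging` section of docs/en/compute-edition/32/admin-guide/agentless-scanning/onboard-accounts/configure-aws.adoc are missing from the rendered name formats: `prismacloud-scan-`, `sg--prismacloud-scan-`, `subnet- / prismacloud-scan-`, `snap-(prismacloud-scan-)` and `prismacloud-agentless-unique-id: ` all end where the variable part should be, while the explanatory lines below refer to `scan-unique-id`, `console-unique-id`, `sg-ID`, `subnetId` and `snapshotId`. If the placeholders were written as `<scan-unique-id>` inside backticks, AsciiDoc treats the angle brackets as markup and drops them; write them as `+<scan-unique-id>+` or `{scan-unique-id}` so they survive rendering, and make each format line use the same token name as the paragraph that defines it (`sg-ID` vs `SG-ID` is also inconsistent within two lines). Separately, the section says `console-unique-id` "is used to track resources and facilitate their cleanup after the scan is completed" and then states "Volumes are not tagged by Prisma Cloud"; document how volumes created during a scan are identified and removed, since an operator auditing for orphaned resources cannot rely on tags for them. The two opening paragraphs also say the same thing and could be merged into one.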
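Review bot: the `@@ -9,7 +9,7 @@` hunk in docs/en/compute-edition/32/admin-guide/deployment-patterns/performance-planning.adoc doubles the supported figure from 10,000 to 20,000 Defenders per Console, but the unchanged context sentence that follows still conditions larger deployments on the resources listed in `xref:../install/system-requirements.adoc#hardware[required resources]`. Confirm that the hardware table on that page was updated in the same change to reflect the sizing at which 20,000 was tested; otherwise readers will size Console against requirements that were written for the old limit.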
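Review bot: the `@@ -26,6 +26,8 @@` hunk in docs/en/compute-edition/33/admin-guide/agentless-scanning/onboard-accounts/configure-aws.adoc ports only the boot-volume-encryption NOTE from the 32 file, not the new `=== Resource Tagging` section that the 32 hunk adds before `=== Known Limitations`. If the tagging conventions apply to release 33 as well, add the section here too (and the same comment about the missing placeholder tokens applies); if they are intentionally 32-only, say so in the PR description so the omission is not mistaken for an oversight.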
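Review bot: the `@@ -9,7 +9,7 @@` hunk in docs/en/compute-edition/33/admin-guide/deployment-patterns/performance-planning.adoc is byte-identical to the 32 change (same blob hashes `1e726b0e37..d4aebdc693`), so the same question applies: the following context line still points at `xref:../install/system-requirements.adoc#hardware[required resources]`, and that page must reflect the resources needed for 20,000 Defenders for the new figure to be actionable.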
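Review bot: the `@@ -29,6 +29,8 @@` hunk in docs/en/enterprise-edition/content-collections/runtime-security/agentless-scanning/configure-accounts/configure-aws.adoc adds the same one-line NOTE under a `==== Scan Settings` heading level, again without the Resource Tagging section or any description of what enforcing boot volume encryption changes for the scan. Since this is the Enterprise Edition page, and the compute-edition text says `console-unique-id` stays constant for SaaS customers, this is the page where readers would most expect the tagging and cleanup behaviour to be documented; either add the section here or state the behaviour in the NOTE itself.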