Agentless Workload Posture

The Agentless Workload Posture (AWP) solution for VM instances and serverless functions (AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. EC2 Amazon EC2 - A web service for launching and managing Linux/UNIX and Windows Server instances in Amazon data centers., Azure Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®. Virtual Machines, and Function Apps) provides continuous security assessment of your workloads without the need to install agents on each virtual machine. AWP continuously checks your assets for vulnerabilities to ensure the workloads meet your organization's security standards. AWP shows the vulnerabilities of each workload and suggests remediation.

Benefits

Deep security visibility with seamless deployment
Continuous scanning for vulnerabilities and secrets
Automatic update of scanning tools and vulnerability databases
Feed for CloudGuard Risk Management solution to identify and prioritize risks

Prerequisites

Your account (AWS account or Azure subscription) must be onboarded to CloudGuard before AWP can scan your virtual machines and serverless functions. If your account is not yet onboarded, see instructions in Onboarding Cloud Environments.

How AWP Works

AWP focuses on the file system of your workload.

AWP does not install an agent to scan the files on the machine. Instead, it makes snapshots of the virtual machine volumes or disks. AWP uses these snapshots to statically scan your packages, dependencies, and libraries on a dedicated AWP scanner machine. During scanning, AWP checks the VMs for known vulnerabilities (such as Log4j) and hardcoded secrets registered in security databases. The databases are updated daily according to the current security trends.

Azure Function Apps scanning is enabled by default when you select to scan Azure VMs with In-Account or Sub-Account mode. You can disable this option when you start onboarding. After initial scanning upon onboarding, AWP scans Function Apps when it detects changes.

After scanning is done, the CloudGuard portal shows the scan results for each supported entity. If AWP detects a vulnerability or a hardcoded secret, it shows you the vulnerable entity and suggests remediation. Then, by default AWP scans your VMs once every 24 hours. For Function Apps, AWP inspects the lastModifiedTimeUtc attribute of the Function App and rescans it when the attribute changes.

You can select one of two modes for AWP:

SaaS Mode - AWP creates the snapshots of your EC2 volumes or VM disks and scans the snapshots on a virtual machine located in CloudGuard's own AWS account or Azure subscription. With this mode, you do not pay for the scans, and CloudGuard fully manages all the required resources.
In-Account Mode - AWP scans data locally, so everything stays in your AWS or Azure account. The only data sent to CloudGuard are the AWP scanner findings. With this mode, you can keep all your data private, but the volumes/disks scanning entails additional costs.

Onboarding AWP

To enable AWP in your environment:

In the CloudGuard portal, navigate to Assets > Environments.
Click Enable AWP for your environment.
Follow the instructions on the wizard page that opens. For more details, see:
1. AWS - AWP for AWS Environments
2. Azure - AWP for Azure Environments
In the CloudGuard wizard, click Next. CloudGuard completes the process to enable AWP scanning.

AWP starts to scan the VMs and functions and shows the first results within several minutes. Depending on the number of assets, the scan can take up to a few hours. The scanned assets appear on the Protected Assets page of the CloudGuard portal.

Viewing Results

To see the scan results:

In the CloudGuard portal, go to Assets > Protected Assets and filter the view by the asset type AWS EC2 Instance, Azure Virtual Machine or Azure Function App.
Make sure that the Scan Status of the asset that you need is Scanned.
- In Progress - The asset is being scanned.
- Internal Error - The asset scan encountered an error.
- Pending Scan - The asset is not scanned yet.
- Scanned - AWP scanned the asset, and the results are available.
- Skipped - AWP excluded the asset from scanning (For types of skipped entities, see Known Limitations).
Click the asset to see its page and go to the Vulnerabilities tab that contains the scan results. It shows the most recent scan date and time.

You can search and filter the scan results by appropriate criteria in the Remediation Summary.

See in the tabs these types of vulnerability:

CVEs - Shows scan of packages installed on the EC2, scanning package managers existing on the machine, and all libraries. Results are sorted by severity. Each package contains a list of CVEs found on it, sorted by severity as well. The header shows the file path, so if the package is installed in more than one place, you must apply the remediation for every found instance of the CVE The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures.. If the issue is fixable, the Remediation section in the header shows the way.
Secrets - Shows insecure or exposed keys, passwords, and where each of them was found. You find the insecure item in the code and delete it.
Remediation Summary - Shows the contents of the three previous pages in one location. For secrets and threats, it directs you to the file. For CVEs, it indicates which package requires an upgrade.

To export the scan results:

Use the CloudGuard API to export the results to a file. For details, see the API Reference Guide.

Known Limitations

AWP cannot scan some types of assets and skips them. In the table below, see the reasons for the Skipped status.

Virtual Machine Images

Platform	Parameter	Status
AWS	Linux operating system	Scanned
	Windows operating system	Scanned
	Marketplace licensed AMIs (Amazon Machine Image)	Skipped
AWS China	Encrypted volumes in SaaS mode for Beijing region	Skipped
Azure	Subscription scope lock	Skipped
	AWP resource group scope lock	Skipped
	Linux operating system	Scanned
	Windows operating system	Scanned
	Azure Disk Storage Server-Side Encryption - In-Account	Scanned
	Azure Disk Storage Server-Side Encryption - SaaS	Skipped
	Azure Disk Encryption - In-Account	Skipped
	Azure Disk Encryption - SaaS	Skipped
	VMs runtime is less than 4 hours	Skipped
	VMs runtime is 4 hours or more	Scanned
All	Running VM	Scanned
	Stopped VM	Skipped
	One of the VM disks is larger than 1 TB	Skipped

File System in Scanned Machines

Linux

Operating System files and directories are mounted on the top level of the file system ('/').
Data Disk can be partitioned logically or physically.
Supported file system formats:
- XFS
- EXT2
- EXT3
- EXT4
- NTFS
- BTRFS

Windows

Temporary disks are not mounted.

Function Apps

To scan Azure Function Apps, AWP needs to download the Function App source code. The availability of the source code depends on how the Function App is deployed.

In general, Function Apps are deployed and available on the SCM (Source Code Management) site.

The SCM site can be inaccessible in these cases:

SCM IP is restricted.
Linux Function App is deployed with the Consumption hosting plan.

In addition to the SCM site, Azure allows Function App deployment with other technologies. For more details, see Azure documentation.

This table shows the supported types of Function Apps that AWP can download and scan:

Operating System	Download Source	Deployment Type	Hosting Plan	Usage Conditions
Windows	SCM	All	All
Windows	URL	External package URL	All	SCM is blocked
Linux	SCM	All	Non-consumption¹
Linux	Storage Account	In-Portal	Consumption
Linux	Storage Account	ZIP Deploy	Consumption
Linux	URL	External package URL	All	SCM is blocked OR App plan is Consumption

¹ Non-consumption hosting plans are, for example, Premium and Dedicated.

AWP skips scanning Function Apps in these cases:

Function App has Container A lightweight and portable executable image that contains software and all of its dependencies. Containers decouple applications from underlying host infrastructure to make deployment easier in different cloud or OS environments, and for easier scaling. deployment
Logical-App Function App (no source code)