Agentless Workload Posture
The Agentless Workload Posture (AWP) solution for VM instances and serverless functions (AWS EC2 instances, Azure Virtual Machines, and Azure Function Apps) provides continuous security assessment of your workloads without installing agents on each virtual machine. AWP continuously checks your assets for vulnerabilities and hardcoded secrets to verify that the workloads meet your organization's security standards, shows the findings for each workload, and suggests remediation.
Benefits
- Deep security visibility with seamless deployment
- Continuous scanning for vulnerabilities and secrets
- Automatic update of scanning tools and vulnerability databases
- Feed for the CloudGuard Risk Management solution to identify and prioritize risks
Prerequisites
Your account (AWS account or Azure subscription) must be onboarded to CloudGuard before AWP can scan your virtual machines and serverless functions. If your account is not yet onboarded, see instructions in Onboarding Cloud Environments.
How AWP Works
AWP focuses on the file system of your workload: it inspects what is on disk, not running processes, memory, or network state.
AWP does not install an agent to scan the files on the machine. Instead, it takes snapshots of the virtual machine volumes or disks and statically scans the packages, dependencies, and libraries in those snapshots on a dedicated AWP scanner machine. During scanning, AWP checks the VMs for known vulnerabilities (such as Log4j) and for hardcoded secrets, matching them against security databases that are updated daily.
Azure Function App scanning is enabled by default when you choose to scan Azure VMs in In-Account or Sub-Account mode. You can disable this option when you start onboarding. After the initial scan at onboarding, AWP rescans a Function App when it detects that the app has changed.
After scanning is done, the CloudGuard portal shows the scan results for each supported entity. If AWP detects a vulnerability or a hardcoded secret, it shows you the affected entity and suggests remediation. After that, by default AWP rescans your VMs once every 24 hours. For Function Apps, AWP inspects the lastModifiedTimeUtc attribute of the Function App and rescans it when the attribute changes.
You can select one of two modes for AWP:
- SaaS Mode - AWP creates the snapshots of your EC2 volumes or VM disks and scans them on a virtual machine in CloudGuard's own AWS account or Azure subscription, so the disk contents are copied to CloudGuard's account for scanning. With this mode, you do not pay for the scans, and CloudGuard fully manages all the required resources.
- In-Account Mode - AWP scans the data locally, so the snapshots and the scanner stay in your AWS account or Azure subscription. The only data sent to CloudGuard is the AWP scanner findings. With this mode, your disk data stays private, but the snapshot and scanner resources used for scanning incur additional cost in your account.
Onboarding AWP
To enable AWP in your environment:
1. In the CloudGuard portal, navigate to Assets > Environments.
2. In the AWP column, click Enable for your environment.
3. Follow the instructions on the wizard page that opens. For more details, see:
   - AWS - AWP for AWS Environments
   - Azure - AWP for Azure Environments
4. In the CloudGuard wizard, click Next. CloudGuard completes the process to enable AWP scanning.
AWP starts to scan the VMs and functions and shows the first results within several minutes. Depending on the number of assets, a full scan can take up to a few hours. The scanned assets appear on the Protected Assets page of the CloudGuard portal.
Viewing Results
To see the scan results:
1. In the CloudGuard portal, go to Assets > Protected Assets and filter the view by the asset type AWS EC2 Instance, Azure Virtual Machine, or Azure Function App.
2. Make sure that the Scan Status of the asset you need is Scanned. The possible statuses are:
   - In Progress - The asset is being scanned.
   - Internal Error - The asset scan encountered an error.
   - Pending Scan - The asset has not been scanned yet.
   - Scanned - AWP scanned the asset, and the results are available.
   - Skipped - AWP excluded the asset from scanning (for the types of skipped entities, see Known Limitations).
3. Click the asset to open its page and go to the Vulnerabilities tab, which contains the scan results and shows the date and time of the most recent scan.
You can search and filter the scan results by the relevant criteria in the Remediation Summary.
The tabs show these types of findings:
- CVEs - Shows the scan of the packages installed on the instance, covering the package managers present on the machine and all libraries. Results are sorted by severity, and each package lists the CVEs found in it, also sorted by severity. The header shows the file path, so if a package is installed in more than one place, you must apply the remediation for every instance of the CVE. If the issue is fixable, the Remediation section in the header shows how. To search for a specific CVE, click Search CVE to go to the CVE Search page.
- Secrets - Shows insecure or exposed keys and passwords, and where each of them was found. Remove the item from the code and rotate the credential: a secret that has been on disk in an image or snapshot should be treated as exposed.
- Remediation Summary - Shows the contents of the previous tabs in one location. For secrets and threats, it points you to the file. For CVEs, it indicates which package requires an upgrade.
To export the scan results, use the CloudGuard API to export them to a file. For details, see the API Reference Guide.
Viewing AWP Details
To see the AWP configuration details of the onboarded environment, navigate to Assets > Environments, select the environment, and open the AWP tab.
This page shows the scan statistics, analysis, and other configurable parameters.
To configure these parameters for all onboarded environments, use the Workloads Settings.
Custom Tags
AWP adds its own tags to every resource it dynamically creates in your AWS account or Azure subscription, and lets you add up to 20 custom tags to these resources.
To set the scan preferences:
1. On the AWP page, click Advanced Configurations at the top right.
2. To set the maximum number of simultaneous scans in one region, enter a number between 1 and 20 (default 20) in Max Concurrent Scans per Region.
3. To set the period between consecutive scans of the same VM, enter a number in Scan Interval in Hours:
   - For SaaS scan mode, between 24 and 1000 (default 24)
   - For In-Account scan mode, between 4 and 1000 (default 24)
4. To configure a custom tag, click Add and enter the tag's key and value.
5. Click Confirm.
Known Limitations
AWP cannot scan some types of assets and skips them. The tables below show the reasons for the Skipped status.
Virtual Machine Instances
AWS EC2 instances:

| Skipped | Scanned |
|---|---|
| Marketplace licensed AMIs (Amazon Machine Image) | Linux operating system, Windows operating system |
| AWS China - Encrypted volumes in SaaS mode for the Beijing region | AWS China region |
| Stopped VM | Running VM |
| One of the VM disks is larger than 1 TB | |

Azure Virtual Machines:

| Skipped | Scanned |
|---|---|
| Subscription scope lock | |
| AWP resource group scope lock | |
| Azure China and Azure Gov regions | |
| | Linux operating system, Windows operating system |
| Azure Server-Side Encryption + Customer-Managed key: | Azure Server-Side Encryption: |
| Azure Disk Encryption: | Azure Disk Encryption: |
| VM runtime is less than 4 hours | VM runtime is 4 hours or more |
| Stopped VM | Running VM |
| One of the VM disks is larger than 1 TB | |

1 - Mixing ADE with logical volumes is not supported.
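A pre-onboarding check that applies the AWS rows of the table above to an account, as an added example that is not part of the CloudGuard documentation or product. It works on the structures returned by the EC2 describe-instances, describe-volumes and describe-images calls; the sample data is constructed, and fetch_live() pulls the real structures with boto3 when it is installed. Assumptions not stated on the page: the 1 TB limit is read as 1024 GiB (describe-volumes reports GiB), and any state other than running is reported, since the page only distinguishes stopped from running VMs.

```python
"""Pre-onboarding check: which EC2 instances will AWP mark as Skipped, and why.

Added example; not part of the CloudGuard documentation or product. It applies
the AWS skip conditions (marketplace licensed AMI, stopped instance, any
attached volume larger than 1 TB, encrypted volumes in SaaS mode in the
Beijing region) to the EC2 describe-instances / describe-volumes /
describe-images response structures.
"""
from __future__ import annotations

DISK_LIMIT_GIB = 1024        # assumption: "larger than 1 TB" read as > 1024 GiB
BEIJING_REGION = "cn-north-1"


def skip_reasons(instances, volumes, images, *, saas_mode=False, region=""):
    """Return {instance_id: [reasons]} for instances AWP would skip.

    instances: Instance dicts (describe-instances Reservations[].Instances[])
    volumes:   Volume dicts   (describe-volumes  Volumes[])
    images:    Image dicts    (describe-images   Images[])
    """
    marketplace_amis = {
        img["ImageId"]
        for img in images
        if any(pc.get("ProductCodeType") == "marketplace"
               for pc in img.get("ProductCodes", []))
    }
    attached: dict[str, list[dict]] = {}
    for vol in volumes:
        for att in vol.get("Attachments", []):
            attached.setdefault(att["InstanceId"], []).append(vol)

    skipped: dict[str, list[str]] = {}
    for inst in instances:
        iid = inst["InstanceId"]
        vols = attached.get(iid, [])
        reasons = []
        if inst["ImageId"] in marketplace_amis:
            reasons.append("marketplace licensed AMI")
        state = inst["State"]["Name"]
        if state != "running":   # assumption: only running VMs are scanned
            reasons.append(f"instance state is {state}, not running")
        big = [v["VolumeId"] for v in vols if v["Size"] > DISK_LIMIT_GIB]
        if big:
            reasons.append("disk larger than 1 TB: " + ", ".join(big))
        if saas_mode and region == BEIJING_REGION and any(v.get("Encrypted") for v in vols):
            reasons.append("encrypted volume in SaaS mode in the Beijing region")
        if reasons:
            skipped[iid] = reasons
    return skipped


def fetch_live(region: str):
    """Pull the same three structures from a real account (needs boto3 and
    credentials). boto3 is imported here so skip_reasons() runs without it."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    instances = [i for page in ec2.get_paginator("describe_instances").paginate()
                 for r in page["Reservations"] for i in r["Instances"]]
    volumes = [v for page in ec2.get_paginator("describe_volumes").paginate()
               for v in page["Volumes"]]
    image_ids = sorted({i["ImageId"] for i in instances})
    # describe_images raises InvalidAMIID.NotFound if an AMI was deregistered.
    images = ec2.describe_images(ImageIds=image_ids)["Images"] if image_ids else []
    return instances, volumes, images


# Constructed sample data in the shape of the three API responses.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "ImageId": "ami-linux", "State": {"Name": "running"}},
    {"InstanceId": "i-0bbb", "ImageId": "ami-market", "State": {"Name": "running"}},
    {"InstanceId": "i-0ccc", "ImageId": "ami-linux", "State": {"Name": "stopped"}},
    {"InstanceId": "i-0ddd", "ImageId": "ami-linux", "State": {"Name": "running"}},
]
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-1", "Size": 50, "Encrypted": False, "Attachments": [{"InstanceId": "i-0aaa"}]},
    {"VolumeId": "vol-2", "Size": 2048, "Encrypted": True, "Attachments": [{"InstanceId": "i-0ddd"}]},
    {"VolumeId": "vol-3", "Size": 100, "Encrypted": False, "Attachments": [{"InstanceId": "i-0ddd"}]},
    {"VolumeId": "vol-4", "Size": 30, "Encrypted": False, "Attachments": [{"InstanceId": "i-0bbb"}]},
]
SAMPLE_IMAGES = [
    {"ImageId": "ami-linux", "ProductCodes": []},
    {"ImageId": "ami-market", "ProductCodes": [{"ProductCodeId": "x", "ProductCodeType": "marketplace"}]},
]

if __name__ == "__main__":
    for iid, why in skip_reasons(SAMPLE_INSTANCES, SAMPLE_VOLUMES, SAMPLE_IMAGES).items():
        print(iid, "->", "; ".join(why))
```

Run it against the sample to see i-0bbb, i-0ccc and i-0ddd reported with their reasons, then replace the sample with `fetch_live(region)` to produce the list of instances you should expect to see as Skipped on the Protected Assets page.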
File System in Scanned Machines
Linux
- Operating system files and directories are mounted at the top level of the file system ('/').
- Data disks can be partitioned logically or physically.
- Supported file system formats: XFS, EXT2, EXT3, EXT4, NTFS, BTRFS.
Windows
- Temporary disks are not mounted.
Function Apps
To scan Azure Function Apps, AWP needs to download the Function App source code. Whether the source code is available depends on how the Function App is deployed.
In general, Function Apps are deployed through, and their content is available from, the SCM (Source Code Management) site, shown in the Azure portal as the Advanced Tools (Kudu) site.
The SCM site can be inaccessible in these cases:
- Access to the SCM site is restricted by IP.
- A Linux Function App is deployed with the Consumption hosting plan.
In addition to the SCM site, Azure allows Function App deployment with other technologies. For more details, see the Azure documentation.
Supported Function Apps
The table below shows the types of Function Apps that AWP can download and scan. AWP tries the available download methods in priority order (1 first) and uses the first one whose conditions apply.

| Operating System | Download Source | Priority | Hosting Plan | Usage Conditions |
|---|---|---|---|---|
| Windows, Linux | External URL | 1 | All | External URL deployment |
| Windows | SCM | 2 | All | SCM is not blocked |
| Linux | SCM | 2 | Non-consumption (1) | SCM is not blocked |
| Linux | Blob - Storage Account | 2 | Consumption | - |
| Windows, Linux | File Share - Storage Account | 3 | Consumption, Premium | |

1 - Non-consumption hosting plans are, for example, Premium and Dedicated.
AWP skips scanning Function Apps in these cases:
- Logic App Function Apps (no source code)
- The Function App content is not available. This happens when the SCM site is the only download option and it is blocked (Public Networking is entirely disabled). To allow AWP scanning, see Blocked SCM Troubleshooting.
Blocked SCM Troubleshooting
For security reasons, it is usually recommended to block public networking for your SCM site. To let AWP scan the Function App without opening the SCM site to the public, use access restrictions instead of disabling public networking entirely:
- Allow inbound traffic to the SCM site from the AWP scanner VNet only:
  - For the Main site, apply a deny rule to the entire site.
  - For the Advanced tool site (the SCM site), apply an allow rule for inbound traffic from the AWP scanner VNet only. The SCM site must not be configured to use the same restrictions as the Main site; otherwise the Main site's deny rule blocks the scanner as well.
- The AWP scanner VNet is created after the first scan of any VM or Function App, so it cannot be referenced in a rule until at least one scan has run.
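The restrictions above expressed as a Function App siteConfig patch, as an added example that is not CloudGuard's or Azure's own code. It builds the ipSecurityRestrictions, scmIpSecurityRestrictions and scmIpSecurityRestrictionsUseMain properties, runs the sanity checks a reviewer would apply before changing them, and can apply the result through the ARM REST API (azure-identity and requests are imported lazily, so the pure functions run without them). The scanner subnet resource ID, rule names, priorities and API version are assumptions; the page does not state them.

```python
"""Restrict a Function App's SCM site to the AWP scanner VNet.

Added example; not CloudGuard's or Azure's own code. It builds the siteConfig
properties for: deny all on the main site, allow only the AWP scanner subnet on
the SCM site, and stop the SCM site from inheriting the main site's rules.
Assumed: the scanner subnet resource ID, rule names/priorities, API version.
"""
from __future__ import annotations

import json

ARM = "https://management.azure.com"
API_VERSION = "2022-09-01"   # assumption: any recent Microsoft.Web API version works


def build_site_config_patch(scanner_subnet_id: str) -> dict:
    """PATCH body for .../Microsoft.Web/sites/{app}/config/web."""
    return {
        "properties": {
            # Main site: explicit deny for every IPv4 and IPv6 source.
            "ipSecurityRestrictions": [
                {"name": "deny-all-v4", "action": "Deny", "priority": 100, "ipAddress": "0.0.0.0/0"},
                {"name": "deny-all-v6", "action": "Deny", "priority": 101, "ipAddress": "::/0"},
            ],
            # The SCM site keeps its own rule set; inheriting the main site's
            # deny-all would block the scanner too.
            "scmIpSecurityRestrictionsUseMain": False,
            # SCM site: allow only the AWP scanner subnet. Once an Allow rule
            # exists, every other source is implicitly denied.
            "scmIpSecurityRestrictions": [
                {"name": "allow-awp-scanner", "action": "Allow", "priority": 100,
                 "vnetSubnetResourceId": scanner_subnet_id},
            ],
        }
    }


def check_patch(body: dict) -> list[str]:
    """Return the problems a reviewer would flag before applying the patch."""
    props = body["properties"]
    problems = []
    if props.get("scmIpSecurityRestrictionsUseMain", True):
        problems.append("SCM site inherits the main-site rules; deny-all would block the scanner")
    if not any(r["action"] == "Allow" and r.get("vnetSubnetResourceId")
               for r in props.get("scmIpSecurityRestrictions", [])):
        problems.append("no subnet Allow rule on the SCM site")
    if any(r["action"] == "Allow" for r in props.get("ipSecurityRestrictions", [])):
        problems.append("main site still allows some source")
    if not any(r["action"] == "Deny" and r.get("ipAddress") in ("0.0.0.0/0", "Any")
               for r in props.get("ipSecurityRestrictions", [])):
        problems.append("main site has no deny-all rule")
    return problems


def apply_patch(subscription_id, resource_group, app_name, scanner_subnet_id, dry_run=True):
    """GET the current rules, print them, then PATCH unless dry_run.

    PATCH replaces the two rule arrays outright; merge the printed existing
    rules into the body first if any of them must survive.
    """
    import requests
    from azure.identity import DefaultAzureCredential

    token = DefaultAzureCredential().get_token(f"{ARM}/.default").token
    url = (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
           f"/providers/Microsoft.Web/sites/{app_name}/config/web")
    headers = {"Authorization": f"Bearer {token}"}
    params = {"api-version": API_VERSION}
    current = requests.get(url, headers=headers, params=params, timeout=30)
    current.raise_for_status()
    props = current.json().get("properties", {})
    print("existing main-site rules:", json.dumps(props.get("ipSecurityRestrictions"), indent=2))
    print("existing SCM rules:", json.dumps(props.get("scmIpSecurityRestrictions"), indent=2))

    body = build_site_config_patch(scanner_subnet_id)
    problems = check_patch(body)
    if problems:
        raise ValueError("; ".join(problems))
    if dry_run:
        print("dry run, would PATCH:", json.dumps(body, indent=2))
        return body
    resp = requests.patch(url, headers=headers, params=params, json=body, timeout=30)
    resp.raise_for_status()
    return resp.json()


if __name__ == "__main__":
    # Hypothetical IDs; replace with the AWP scanner VNet created in your subscription.
    subnet = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/awp-rg"
              "/providers/Microsoft.Network/virtualNetworks/awp-scanner-vnet/subnets/default")
    print(json.dumps(build_site_config_patch(subnet), indent=2))
```

A subnet referenced by a VNet access restriction must have the Microsoft.Web service endpoint enabled, or Azure rejects the rule. Run with the default dry_run=True first and compare the printed existing rules with the generated body, since the PATCH replaces rather than merges them.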
Azure Resources
The AWP scanner requires 4 vCPUs on average. Make sure that your regional vCPU quota is sufficient to launch the scanner; when sizing the quota, take the Max Concurrent Scans per Region setting into account, because concurrent scans in one region need scanner capacity at the same time.