Workload Scanner Configuration

Questions and Answers

What is the primary function of the Workload Scanner in Wiz?

• Managing cloud compliance policies and alerts
• Automating the deployment of cloud applications across multiple regions
• Scanning cloud workloads, such as VM disks and serverless functions (correct)
• Optimizing cloud resource costs based on usage

Where in the Wiz interface can you enable and configure non-OS disk scanning?

• Settings > Scanners > Workload Scanner (correct)
• Policies > Scanning Configuration > Disk Settings
• Settings > General > Scanning Preferences
• Explorer > Workloads > Disk Scanning Options

Why does Wiz recommend sharing Customer-Managed Keys (CMKs) for AWS VMs?

• To avoid the need for creating snapshots of the volumes
• To comply with AWS's key management best practices
• To grant Wiz full administrative access over encrypted resources
• To accelerate and reduce the cost of scanning encrypted AWS disks (correct)

What is the potential impact of enabling non-OS disk scanning on Wiz?

It can affect the number of billable units that Wiz scans. (D)

How does Wiz handle scanning of encrypted AWS disks when CMKs are not shared?

Wiz copies the encrypted snapshots and re-encrypts them with a Wiz key. (A)

What is the key advantage of using temporary volumes during AWS workload scanning?

It helps overcome AWS snapshot copy limitations for encrypted VMs. (A)

What must be considered when enabling temporary volumes for AWS workload scanning?

The quota for GP3 volumes and potential additional AWS costs. (B)

Before Wiz can scan AWS Lightsail instances, what preliminary step is required?

Exporting Lightsail instances to EC2. (D)

When configuring the number of AWS Lambda function versions to scan, what does setting the value to '0' signify?

Scan only the latest version. (D)

For which cloud environments are custom scanner tags supported in Wiz?

AWS, Azure, and GCP. (D)

What is the purpose of custom scanner tags in Wiz?

To define additional tags for temporary resources created by Wiz. (A)

What is the default behavior of Wiz regarding tag inheritance during the scanning process?

Wiz inherits the tags from the original resources by default. (C)

How can you prevent a workload from being scanned by the Wiz Workload Scanner?

By tagging the workload with the key WizExclude (or wizexclude in GCP). (C)

Regardless of whether a workload is excluded from scanning, is it still counted for billable units and still shows existing findings?

Yes, billable units and existing findings will still show. (C)

What criteria does Wiz use to sample instances from a compute instance group?

Instances is that generated from identical VM image and Creation date (oldest VMs are sampled). (C)

When sampling compute instance groups, under what condition does Wiz fully scan VMs, rather than sampling?

When VMs are running containers. (C)

What is the purpose of the 'Prioritize active hosts scanning' option in the Compute Instance Group Sampling section?

To ensure the sampled VMs are active when possible. (C)

What is the minimum number of VMs to scan per compute instance group, according to Wiz?

10% is recommended. (B)

What requirement about tags is used to to uniquely group VMs for the purpose of creating a Compute Instance Group in Wiz?

Tags must have both a key and a value. (B)

Considering more than one tag key to associate VMs with the same Compute Instance Group, what will happen if VMs have identical sets of corresponding tag values?

VMs are assigned to same custom Compute Instance Group. (B)

Flashcards

What is a Scanner?

Scanners analyze your environment and save the insights to the Explorer and Reports pages.

Non-OS Disk Scanning

Extends Wiz's scanning to include non-boot disks attached to VMs, uncovering additional findings.

Shared CMKs

Sharing customer-managed keys to allow faster and cheaper scanning of encrypted AWS disks.

AWS Snapshot Copy Limit

Wiz creates snapshots of VMs for scanning, subject to AWS limits of concurrent snapshot copy operations.

Compute Instance Group Sampling

Wiz generates billable units only for a sampled instance from a set of identical VMs.

Workload Scanner

The workload scanner is responsible for scanning cloud workloads, such as VM disks and serverless functions

Non-OS disk scanning capabilities

Includes scanning non-OS disks attached to VMs (i.e. volumes actively in use). Detecting malware, secrets, and vulnerabilities on all your attached VM disks enables Wiz to provide a complete picture of your VMs, more context, and better prioritization of your security issues.

Temporary volumes

Wiz can create temporary volumes for encrypted VMs whose key was not shared, but only if there are no available snapshot copy slots

AWS Lightsail scanning

Extend Wiz's workload and data scanning capabilities to include the scanning of AWS Lightsail instances and disks

AWS Lambda scanning

Extend workload scanning to include versions of Lambda functions, to detect security risks (misconfigurations, sensitive data, vulnerabilities, and more)

Custom scanner tags

Define additional tags for Wiz to add to these temporary resources in AWS, Azure, and GCP only

Tag inheritance

By default, choose whether resources don't inherit the tags of the original resource, you can exclude specific tags from inheritance-with the exception of Wiz-generated tags.

Custom Compute Instance Groups

You can define custom tag keys to force VMs that are not automatically grouped to be represented as a Compute Instance Group on the Security Graph

Study Notes

Workload Scanner Overview

• Scanners extract data, analyze it, and save insights to the Explorer and Reports pages.
• The Workload Scanner is responsible for scanning cloud workloads, such as VM disks and serverless functions.
• Agentless scanning can be used with the Workload Scanner.

Settings Page Options

• Access options via Settings > Scanners > Workload Scanner.
• Options include enabling and configuring non-OS disk scanning, sharing CMKs for AWS VMs, and enabling AWS workload scanning concurrent snapshot copy.
• Can also enable/configure temporary volumes, Lightsail scanning, and Lambda scanning.
• Options to define custom scanner tags, turn off tag inheritance, exclude workloads, configure Compute Instance Group sampling, and define custom Compute Instance Groups exist.

Non-OS Disk Scanning

• Enabling non-OS disk scanning impacts the number of billable units.
• Extends scanning capabilities to include non-OS disks attached to VMs, detecting malware, secrets, and vulnerabilities on attached VM disks
• It gives a complete picture of VMs and context for prioritizing security issues.
• Non-OS disk scanning uses the same Connectors and set of permissions as workload scanning.
• Non-OS disks are identified and scanned separately, detecting secrets, malware, library vulnerabilities, file-path vulnerabilities, container images, and package libraries.
• Wiz can scan the package manager installation folder whether the var folder is located on the OS or non-OS disk.

Configuring Non-OS Disk Scanning

• Navigate to Settings > Scanners > Workload Scanner, and toggle on Enable Non-OS disk Scanning.
• Can optionally select the scope (default: scan all resources) and change the scan frequency (default: every 7 days).

Shared CMKs

• Sharing is only supported in AWS.
• A time-consuming part of scanning encrypted AWS disks involves copying and re-encrypting snapshots with a Wiz key
• It is then shared with the Workload Scanner's account for volume creation.
• Sharing CMKs allows for faster and cheaper scanning by using the initial snapshot to create a volume in the scanning account.

Sharing CMKs with Wiz

• Identify keys to be shared using a query to find keys encrypting a large number of volumes.
• Copy and store the **External ID ** (ARN) property of the CMKs.
• Add a policy statement to each CMK.

JSON Customization for CMK Sharing

• Replace with the CMK's account number in line 5.
• Replace with the name of the Wiz role in the account in line 5; for Outpost Deployments, this is the scanner role name.
• In line 6, "arn:aws:iam::935122746343:root" is the principal of the external account.

AWS Account IDs for SaaS Deployments

• For commercial, leave the default value (935122746343).
• For GovCloud, replace the default value with 419232110379.
• For Outpost Deployments, replace with the Outpost account ID.
• Restrict sharing by replacing root with role/WizOrchestratorNodePoolRole; update policy if Wiz changes this role name.
• Add a new principal for forensics copy volume.
• Replace eu-central-1 with the region of the CMK in line 16.
• Add a statement to the Wiz role or scanner role for Outpost Deployments (if the key and volumes are not in the same account).
• Navigate to Settings > Scanner > Workload Scanner page and add external IDs.

AWS Workload Scanning Concurrent Snapshot Copy

• When configuring the number of Wiz allocated snapshots, not to set a number higher than the regional quota, or higher than 90% of the quota
• During workload scanning, Wiz creates snapshots of VMs and AWS limits these operations to 20 in commercial (10 in China and Gov). By default, Wiz uses 10 slots.
• Snapshot copy timeouts can be due to VMs with PMKs/CMKs that cannot be shared and the time it takes to copy.

Configuring Concurrent Snapshots

• Configure how many concurrent snapshots can be used in every account and region.
• Set a global configuration for AWS commercial, China, and Gov.
• Configure the number of concurrent snapshot copies for a given account and region to override the global configuration.

Temporary Volumes for Scanning

• Enabling temporary volumes may result in extra AWS costs.
• Volume quotas for GP3 might need to be increased.
• Used when Wiz creates snapshots of VMs to scan them, with the limit of 20 snapshot copy operations in AWS for a given region and account.

Scanning AWS VMs with Temporary Volumes

• If snapshot copy slots are available: The process stays the same.
• If snapshot copy slots are unavailable: Original volume > snapshot (with original key) in the scanned account > volume (with Wiz key) in the scanned account > snapshot (with Wiz key) in the scanned account > share snapshot > volume in scanning account

Temporary Volumes Configuration

• Navigate to Settings > Scanners > Workload Scanner and toggle on Enable AWS workload scanning using temporary volumes.
• Set the global configuration (default is one).
• Configure the number of concurrent temporary volumes for a given account and region.

AWS Lightsail Scanning

• Include the scanning of AWS Lightsail instances and disks if non-OS disk scanning is enabled.
• Detect malware, secrets, and vulnerabilities on AWS Lightsail instances and disks.
• Export Lightsail instances to EC2 as they are not regular EC2 resources.
• High-level flow: Lightsail snapshot > EBS snapshot > volume in scanning account.

Configuring Lightsail Scanning

• Navigate to Settings > Scanners > Workload Scanner, scroll down, and toggle on Enable AWS Lightsail workload scanning.
• Update the permissions of your AWS Connector for SaaS or Outpost Deployments.

AWS Lambda Scanning

• Generates billable units.
• Extends workload scanning to include versions of Lambda functions, detecting security risks across Lambda versions.
• Wiz can scan up to 10 AWS Lambda function versions. Aliased versions are scanned first, followed by active non-aliased versions.

Configuring Lambda Scanning

• Navigate to Settings > Scanners > Workload Scanner, scroll down to the AWS Lambda Workload Scanning section.
• Adjust the Number of versions to scan per Lambda function, with a value of 0 disabling the feature and scanning only the latest version.

Custom Scanner Tags

• Supported in AWS, Azure, and GCP only.
• Wiz creates temporary resources in deployed accounts tagged with wiz: auto-gen-<resource_type> by default.
• Enabling custom tags allows defining additional tags for these temporary resources.

Resource Types for Custom Scanner Tags

• Utilized in Cloud Platform, AWS (Encryption Keys, Snapshots, Volumes), Alibaba (Encryption Keys, Resource Shares), Azure (Snapshots), and GCP (Snapshots, Images)

Custom Scanner Tag Configuration

• Navigate to Settings > Scanners > Workload Scanner, and toggle on Enable custom scanner tags.
• Define tags using or : formatting, separated by commas.
• Newly defined custom tags are added to temporary resources created by future scans; existing resources are not retroactively tagged.

Tag Inheritance

• Tag inheritence is supported in AWS, Azure, and GCP only.
• Wiz creates temporary resources and inherits tags from original resources but You can choose whether such resources don't inherit the tags of the original resource or exclude specific tags.

Configuring Tag Inheritance

• Navigate to Settings > Scanners > Workload Scanner, and toggle off Enable Tag inheritance.
• Alternatively, define tag keys that will be excluded from inheritance.

Excluding Workloads from Scanning

• Available from July 11th, 2023.
• VM tags created before this date affect the scanning of serverless functions with same tags.
• Workloads in cloud estates are scanned by default, except those tagged with the key WizExclude (or wizexclude in GCP), regardless of the tag's value.
• Excluded workloads are still scanned for misconfigurations and counted for billable units as well as existing findings.

Excluding Workloads Configuration

• Navigate to Settings > Scanners > Workload Scanner, and toggle on Enable excluding workloads from scanning.
• Enter one or more custom tag keys.
• Tag keys and values are case-sensitive.
• Add the custom tag key to all workloads.

Compute Instance Group Sampling

• Scans only a single instance from identical VMs, sampling only VMs generated from an identical VM image (e.g., AMI), not hosting containers, selecting oldest VMs by creation date or by alphabetic order.
• Sampling is never applied to VMs running containers.
• Consider increasing the number of VMs scanned with changed states.

Compute Instance Group Sampling Configuration

• Navigate to Settings > Scanners > Workload Scanner and scroll down to the Compute Instance Group Sampling section.
• Check Prioritize active hosts scanning.
• Enter the number of VMs to scan per compute instance group, recommending 10% of the average number.
• Non-sampled instances are counted for billable units.

Custom Compute Instance Groups

• Represent multiple VMs from the same image; prevents duplication.
• You can define custom tag keys to force VMs that are not automatically grouped to be represented as a Compute Instance Group
• VMs with the same tag value join the same Compute Instance Group.

Tag Requirements and Options

• Tags must have both a key and a value.
• In GCP, use labels, not tags.
• In OCI either free or predefined tags can be used, but predefined tags require the format.
• If multiple tag keys are defined, VMs are assigned to the same custom Compute Instance Group if all values align.
• If multiple tag keys are defined, order matters, and VMs are only assigned to the first matching group.

Custom Compute Instance Group Configuration

• Navigate to Settings > Scanners > Workload Scanner, scroll down to the Custom Compute Instance Groups section.
• Click Add Custom Group.
• Give the custom Compute Instance Group a meaningful name.
• For Tags, enter key(s).
• Tag VMs in cloud environment with the same tag(s) defined in Wiz.