Prisma Certified Cloud Security Engineer STUDY GUIDE - WebIPTEK


Prisma Certified Cloud Security Engineer
STUDY GUIDE
October 2020

Palo Alto Networks, Inc.
www.paloaltonetworks.com
2020 Palo Alto Networks – all rights reserved. Aperture, AutoFocus, GlobalProtect, Palo Alto Networks, PAN-OS, Panorama, Traps, and WildFire are trademarks of Palo Alto Networks, Inc. All other trademarks are the property of their respective owners.
PRISMA CERTIFIED CLOUD SECURITY ENGINEER STUDY GUIDE 2

Table of Contents

Exam Domains and Objectives ... 7
1 Install and Upgrade ... 7
  1.1 Deploy and manage the Console for the Compute Edition ... 7
  1.2 Deploy and manage Defenders ... 7
2 Visibility, Security, and Compliance ... 10
  2.1 Configure policies ... 10
  2.2 Configure alerting and notifications ... 11
  2.3 Understand third-party integrations ... 12
  2.4 Perform ad hoc investigations ... 12
  2.5 Identify assets in a cloud account ... 15
  2.6 Use Prisma Cloud APIs ... 15
3 Cloud Workload Protection Platform ... 17
  3.1 Monitor and protect against Docker image vulnerabilities ... 17
  3.2 Monitor and protect against host vulnerabilities ... 18
  3.3 Monitor and enforce Docker image and container compliance ... 18
  3.4 Monitor and enforce host compliance ... 20
  3.5 Monitor and enforce container runtime ... 21
  3.6 Configure web-application and API security (WAAS) ... 22
  3.7 Monitor and protect against serverless vulnerabilities ... 23
4 Data Loss Prevention ... 25
  4.1 Onboarding ... 25
  4.2 Use Data Dashboard features ... 25
  4.3 Assess Data Policies and Alerts ... 26
5 Web Application and API Security ... 27
  5.1 Configure WAAS policies ... 27
6 DevSecOps Security (Shift Left) ... 29
  6.1 Implement scanning for IaC templates ... 29
  6.2 Configure policies in the Console for IaC scanning ... 30
  6.3 Integrate Compute scans into CI/CD pipeline ... 31
  6.4 Configure CI policies for Compute scanning ... 32
7 Prisma Cloud Administration (Including Cloud Compute) ... 34

  7.1 Onboard accounts ... 34
  7.2 Configure RBAC ... 34
  7.3 Configure the admission controller ... 35
  7.4 Configure logging ... 36
  7.5 Manage enterprise settings ... 37
  7.6 Understand third-party integrations ... 39
  7.7 Leverage Compute APIs ... 40
Sample Questions ... 42
Answers to Sample Questions ... 64
Glossary ... 68

Prisma Certified Cloud Security Engineer Study Guide

Welcome to the Prisma Certified Cloud Security Engineer Study Guide. The purpose of this guide is to help you prepare for your Prisma Certified Cloud Security Engineer exam and achieve your PCCSE credential.

Overview

The PCCSE program is a formal, third-party proctored certification. Success on the PCCSE exam shows that you possess in-depth skills and knowledge about administering cloud solutions, visibility, data loss prevention, security and compliance, web application and API security, and DevSecOps security, and that you demonstrate the highest standard of deployment methodology and operational best practices associated with Palo Alto Networks Prisma Cloud. The exam is not intended to trick you with its questions or to test obscure detail. However, a nuanced understanding, and the ability gained through significant experience to make subtle technical distinctions, will help you make better answer choices.

More information is available from the Palo Alto Networks public page. Prisma Cloud technical documentation is located at: -cloud.html

Exam Format

The test format is 75-85 multiple-choice items. Candidates will have 5 minutes to complete the Non-Disclosure Agreement (NDA), 90 minutes (1 hour, 30 minutes) to complete the questions, and 5 minutes to complete a survey at the end of the exam.

The approximate distribution of items by topic (Exam Domain) and topic weightings are shown in the following table.

Exam Domain                             Weight (%)
Install and Upgrade                     18%
Visibility, Security, and Compliance    20%
Cloud Workload Protection Platform      22%
Data Loss Prevention                    9%
Web Application and API Security        5%
DevSecOps Security (Shift Left)         11%
Prisma Cloud Administration             15%
Total                                   100%

How to Take This Exam

The exam is available through the third-party Pearson VUE testing platform, which is also where you register for it.

Preparation Resources

This document is a compilation of key resources to guide exam preparation. These resources cover the material designated by the exam objectives. To study efficiently, focus on the suggested topics listed for each resource. Be sure that you have a clear and complete understanding of these topics before you take the exam.

Exam Domains and Objectives

1 Install and Upgrade

This domain describes the software for Prisma Cloud Compute. In contrast with the rest of the Prisma Cloud suite, which is software as a service (SaaS), Prisma Cloud Compute requires the installation of Defenders. You also can install your own Console instead of using the SaaS Console. In this domain, you can validate your knowledge about how to deploy and manage Prisma Cloud Compute.

1.1 Deploy and manage the Console for the Compute Edition.

For Prisma Cloud Compute you can use a data collection and user interface platform hosted by Palo Alto Networks, or you can host your own Console with software provided to you as a Docker image. See the following links for more information:

Prisma Cloud release software: l/twistlock container images.html
The Console for a Onebox configuration: l/install onebox.html
The Console for Kubernetes: l/install kubernetes.html
An upgrade on the Console: e.html

1.2 Deploy and manage Defenders.

Whether you use a hosted Console or the SaaS Console, you need to install Defenders in your application's infrastructure to enforce the policies from Prisma Cloud Compute:

There are multiple types of Defenders, with different capabilities:

Understand Defender types: oud/prisma-cloud-admincompute/install/defender types.html
Deploy Container Defenders:
  l/install defender/install single container defender.html
  l/install defender/install cluster container defender.html
Deploy Host Defenders:
  host activity

  e defense/runtime defense hosts
  ance/host scanning
Deploy Serverless Defenders:
  /en ditionadmin/install/install defender/install serverless defender.html
  /en ditionadmin/install/install defender/install serverless defender layer.html
Deploy App Embedded Defenders:
  l/install defender/install app embedded defender.html
  /en ditionadmin/install/install defender/install app embedded defender fargate.html
  /en ditionadmin/install/install defender/install app embedded defender pivotal pas.html
Configure networking for Defender to Console connectivity:
  l/getting started.html
  l/install defender/install single container defender.html
Perform an upgrade on Defenders: oud/prisma-cloud-admincompute/upgrade.html

2 Visibility, Security, and Compliance

In this domain you can validate your knowledge about how to use Prisma Cloud to view activity with your applications, ensure system security, and verify compliance with required standards.

2.1 Configure policies

Policies in Prisma Cloud have two main elements:

1. A query to identify elements that are insecure or out of compliance
2. A remediation action to fix the problem

In this task you validate that you can create and manage these policies.

Understand policies related to compliance standards:
  ance/compliance explorer.html

  ance/manage compliance.html
Build custom policies: -a-policy
Identify policy types: -a-policy

2.2 Configure alerting and notifications.

Prisma Cloud alerts can trigger a notification and lead to manual and/or automatic remediation:

Understand alert states: iew-respond-to-prisma-cloud-alerts.html
Build alert rules: reate-an-alert-rule.html
Create alert notifications: y-tools.html
Investigate alerts:
  iew-respond-to-prisma-cloud-alerts.html
  enerate-reports-on-prisma-cloud-alerts.html
  lert-payload.html

  isk-rating-for-a-resource.html

2.3 Understand third-party integrations.

An organization's IT department typically has existing alert mechanisms. This task describes how to connect these alert mechanisms with Prisma Cloud:

Understand inbound and outbound notifications:
  oud/prisma-cloud-admincompute/alerts.html
  oud/prisma-cloud-admincompute/alerts/alert mechanism.html
  oud/prisma-cloud-admincompute/alerts/email.html
  oud/prisma-cloud-admincompute/alerts/slack.html
  ons-on-prisma-cloud.html

2.4 Perform ad hoc investigations.

Ad hoc investigations happen when an administrator sees a vulnerability or suspicious activity and decides to investigate further. This investigation has two purposes:

1. Identify whether the relevant entity (virtual machine instance, Docker container, etc.) really has been broken into. For example, a vulnerability could exist but never have been exploited.

2. If the entity has been broken into, identify the harm done and whether the entity itself was used as a conduit for attacking other entities.

An investigation typically starts with an RQL query that shows details about what is happening. For example, here is the result of a query asking which APIs were used and when:

Next, you can drill down for additional information about a specific data point, which in this case is the query for cloudresourcemanager.googleapis.com in June 2020. This query returns a list of the items that were aggregated; in this case, it is a list of events.

You can then click the eye icon on any line in the list for its full details:

Investigate resource configurations with RQL: -query.html
Investigate user activity using RQL: query.html
Investigate network activity using RQL: k-query.html

Investigate anomalous user event(s): query/event-query-attributes.html#id192IG500ES0, using the anomaly.type field

2.5 Identify assets in a cloud account.

This task identifies assets and distinguishes between assets that comply with the policy and those that do not, and then generates an alert:

Identify the inventory of resources in a cloud account: t-inventory
Identify how to check resource configuration history: icies/configuration-policies-build-phase.html

2.6 Use Prisma Cloud APIs.

You can automate repetitive tasks using the Prisma Cloud API:

Use APIs for the automation of tasks: https://api.docs.prismacloud.io/reference
Use APIs for custom queries: anager
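The two-step investigation from 2.4 (aggregate which APIs were used and when, then drill down into one data point such as cloudresourcemanager.googleapis.com in June 2020) can be driven from the Prisma Cloud API described in 2.6. The following is an added example and is not code from this study guide or from Palo Alto Networks. It assumes the documented login flow (POST /login returns a token that is then sent in the x-redlock-auth header) and a POST /search/event endpoint that accepts an RQL query; the event field names, the sample events and the fake_transport stand-in are constructed so the example runs offline. In production you would pass a transport that performs the real HTTPS request.

```python
"""Automating a Prisma Cloud ad hoc investigation over the REST API (added example)."""
from collections import Counter
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple

# transport(method, url, headers, json_body) -> parsed JSON response.
# Injected so the flow can be exercised offline against constructed data.
Transport = Callable[[str, str, Dict[str, str], dict], dict]


class PrismaCloudClient:
    """Minimal client: authenticate once, then run RQL event searches."""

    def __init__(self, base_url: str, transport: Transport) -> None:
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.token = ""

    def login(self, username: str, password: str) -> str:
        # Assumption: POST /login answers {"token": "..."} for valid credentials.
        resp = self.transport("POST", f"{self.base_url}/login",
                              {"Content-Type": "application/json"},
                              {"username": username, "password": password})
        self.token = resp["token"]
        return self.token

    def search_events(self, rql: str, time_range: dict) -> List[dict]:
        if not self.token:
            raise RuntimeError("call login() first")
        # Assumption: the session token travels in the x-redlock-auth header.
        headers = {"x-redlock-auth": self.token, "Content-Type": "application/json"}
        resp = self.transport("POST", f"{self.base_url}/search/event", headers,
                              {"query": rql, "timeRange": time_range})
        return resp["data"]["items"]


def month_of(event: dict) -> str:
    # Event timestamps are assumed to be epoch milliseconds (UTC).
    return datetime.fromtimestamp(event["time"] / 1000, tz=timezone.utc).strftime("%Y-%m")


def api_usage_by_month(events: List[dict]) -> Dict[Tuple[str, str], int]:
    """Step 1: which APIs were used, and when (count per API and month)."""
    return dict(Counter((e["name"], month_of(e)) for e in events))


def drill_down(events: List[dict], api_name: str, month: str) -> List[dict]:
    """Step 2: return the raw events behind one aggregated data point."""
    return [e for e in events if e["name"] == api_name and month_of(e) == month]


# Constructed sample data; field names are an assumption, not the real schema.
SAMPLE_EVENTS = [
    {"name": "cloudresourcemanager.googleapis.com", "time": 1592179200000,  # 2020-06-15
     "user": "alice@example.com", "ip": "203.0.113.10"},
    {"name": "cloudresourcemanager.googleapis.com", "time": 1592265600000,  # 2020-06-16
     "user": "svc-deploy@example.com", "ip": "203.0.113.22"},
    {"name": "compute.googleapis.com", "time": 1592179200000,               # 2020-06-15
     "user": "alice@example.com", "ip": "203.0.113.10"},
    {"name": "cloudresourcemanager.googleapis.com", "time": 1589932800000,  # 2020-05-20
     "user": "alice@example.com", "ip": "203.0.113.10"},
]


def fake_transport(method: str, url: str, headers: Dict[str, str], body: dict) -> dict:
    """Offline stand-in that mimics the two endpoints the client uses."""
    if url.endswith("/login"):
        return {"token": "constructed-token"}
    if url.endswith("/search/event"):
        # The real API rejects unauthenticated searches; mirror that here.
        if headers.get("x-redlock-auth") != "constructed-token":
            raise PermissionError("401: missing or invalid x-redlock-auth token")
        return {"data": {"items": SAMPLE_EVENTS}}
    raise ValueError(f"unexpected call {method} {url}")


def investigate(client: PrismaCloudClient, api_name: str,
                month: str) -> Tuple[Dict[Tuple[str, str], int], List[dict]]:
    """Run both investigation steps against one event search."""
    rql = "event from cloud.audit_logs where cloud.type = 'gcp'"  # hypothetical RQL
    events = client.search_events(rql, {"type": "relative",
                                        "value": {"unit": "month", "amount": 3}})
    return api_usage_by_month(events), drill_down(events, api_name, month)


if __name__ == "__main__":
    client = PrismaCloudClient("https://api.prismacloud.io", fake_transport)
    client.login("reader@example.com", "not-a-real-secret")
    summary, details = investigate(client, "cloudresourcemanager.googleapis.com", "2020-06")
    for (api, month), count in sorted(summary.items()):
        print(f"{month} {api}: {count} call(s)")
    for e in details:
        print("  ", e)
```

The aggregation step answers the first question of the investigation (was the API touched at all, and by how much), and the drill-down returns the individual events so the identity and source address behind each call can be reviewed, which is what the eye icon exposes in the Console.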

3 Cloud Workload Protection Platform

In this domain you can validate your knowledge about how to use Prisma Cloud to protect your workloads, whether they are running as virtual machines, Docker containers, or serverless functions. This protection involves three different areas:

1. Protecting against known vulnerabilities by scanning, updating, and removing libraries known to contain those vulnerabilities
2. Monitoring for compliance with standards that improve security
3. Reducing the attack surface by deploying the Cloud Native Application Firewall (CNAF)

3.1 Monitor and protect against Docker image vulnerabilities.

This task shows you how Prisma Cloud Compute can scan the Docker images you intend to use to identify any vulnerabilities, so steps then can be taken to remove those vulnerabilities before they can be abused and put the integrity of the container at risk.

Understand how to investigate Docker image vulnerabilities:
  oud/prisma-cloud-admincompute/vulnerability management/vuln explorer.html
  oud/prisma-cloud-admincompute/vulnerability management/registry scanning.html
  oud/prisma-cloud-admincompute/vulnerability management/registry scanning0.html
  oud/prisma-cloud-admincompute/vulnerability management/search cves.html
  oud/prisma-cloud-admincompute/vulnerability management/windows image scanning.html
  oud/prisma-cloud-admincompute/vulnerability management/cvss scoring.html
Configure an image vulnerability policy:

  oud/prisma-cloud-admincompute/vulnerability management/vuln management rules.html

3.2 Monitor and protect against host vulnerabilities.

In this task you learn to secure the hosts that run your application by removing vulnerable code. Even if you use Docker, a chain is only as strong as its weakest link, and a Docker container running inside an insecure host is vulnerable if that host is successfully attacked.

Understand how to investigate host vulnerabilities:
  oud/prisma-cloud-admincompute/vulnerability management/vuln explorer.html
  oud/prisma-cloud-admincompute/vulnerability management/search cves.html
  oud/prisma-cloud-admincompute/vulnerability management/vm image scanning.html
  oud/prisma-cloud-admincompute/vulnerability management/detect vulns unpackaged software.html
  oud/prisma-cloud-admincompute/vulnerability management/cvss scoring.html
Configure a Host Vulnerability policy:
  oud/prisma-cloud-admincompute/vulnerability management/vuln management rules.html

3.3 Monitor and enforce Docker image and container compliance.

Task 3.1 was about identifying known vulnerabilities in images. This task is about ensuring compliance with accepted standards.

The compliance rules that Prisma enforces come from various standards, such as CCPA 2018, CSA CCM 3.10.1, GDPR, and Palo Alto Networks' own research:

Understand how to investigate Docker image and container compliance:

  e explorer.html
  oud/prisma-cloud-admincompute/compliance/manage compliance.html
Configure a Docker image and container compliance policy:
  oud/prisma-cloud-admincompute/compliance/cis benchmarks.html
  oud/prisma-cloud-admincompute/compliance/prisma cloud compliance checks.html
  oud/prisma-cloud-admincompute/compliance/custom compliance checks.html
  e compliance checks.html
  oud/prisma-cloud-admincompute/compliance/detect secrets.html

3.4 Monitor and enforce host compliance.

As is the case with vulnerabilities, hosts need to comply with security standards to be safe, either for applications running directly on the host or for Docker containers:

Understand how to investigate host compliance:
  e explorer.html
  oud/prisma-cloud-admincompute/compliance/manage compliance.html
Configure a Host Compliance policy:
  oud/prisma-cloud-admincompute/compliance/cis benchmarks.html
  oud/prisma-cloud-admincompute/compliance/prisma cloud compliance checks.html

  tml
  oud/prisma-cloud-admincompute/compliance/custom compliance checks.html
  e compliance checks.html
  oud/prisma-cloud-admincompute/compliance/host scanning.html
  oud/prisma-cloud-admincompute/compliance/vm images scanning.html
  oud/prisma-cloud-admincompute/compliance/detect secrets.html
  oud/prisma-cloud-admincompute/runtime defense/runtime defense hosts.html

3.5 Monitor and enforce container runtime.

Containers are not supposed to be flexible: to change container behavior, you typically need to build an image with the new behavior, stop the old container, and deploy a new container from the new image. Therefore, you almost always should investigate anomalous container behavior:

Understand container models: oud/prisma-cloud-admincompute/runtime defense/runtime defense overview

Configure container runtime policies:
  oud/prisma-cloud-admincompute/vulnerability management/vuln management rules.html
  oud/prisma-cloud-admincompute/runtime defense/custom runtime rules.html
  oud/prisma-cloud-admincompute/runtime defense/runtime defense processes.html
  oud/prisma-cloud-admincompute/runtime defense/runtime defense networking.html
  oud/prisma-cloud-admincompute/runtime defense/runtime defense fs.html
Understand container runtime audits:
  oud/prisma-cloud-admincompute/runtime defense/runtime defense overview.html
  oud/prisma-cloud-admincompute/runtime defense/discrete blocking.html
Investigate incidents using Incident Explorer:
  oud/prisma-cloud-admincompute/runtime defense/incident explorer.html

3.6 Configure web-application and API security (WAAS).

Cloud Compute provides web-application and API security (WAAS) through a web application firewall (WAF) designed for both hosts and containers. This WAF secures web apps by inspecting and filtering Layer 7 traffic to and from the application.

WAAS enhances the traditional WAF for container environments by binding itself to containerized web apps. It can do this binding regardless of the cloud, orchestrator, node, or IP address where that containerized web app is running, and without the need to configure any complicated routing. For non-containerized web apps, WAAS simply binds to the host where the app runs:

3.7 Monitor and protect against serverless vulnerabilities.

This task shows you how to identify and protect against vulnerabilities in serverless apps. The term "serverless" does not mean there is no server. It means that for most purposes you can ignore the server, because it is managed by the service provider. However, it still is implemented on a virtual machine, possibly in a Docker container, that runs an application runtime environment such as Node.js or Tomcat. This environment, and any libraries you import into your serverless app, still can contain vulnerabilities:

Understand how to investigate serverless vulnerabilities:
  oud/prisma-cloud-admincompute/vulnerability management/serverless functions.html
  oud/prisma-cloud-admincompute/vulnerability management/search cves.html
Configure a serverless Vulnerability policy: s.html
Configure serverless auto-protect functionality:
  oud/prisma-cloud-admincompute/install/install defender/install serverless defender
  oud/prisma-cloud-admincompute/install/install defender/install serverless defender layer.html

4 Data Loss Prevention

Prisma Cloud Data Security is Limited GA, available to select Prisma Cloud Enterprise customers only. The Data Security capabilities on Prisma Cloud enable you to discover and classify data stored in AWS S3 buckets and protect against accidental exposure, misuse, or sharing of sensitive data. To identify and detect confidential and sensitive data, Prisma Cloud Data Security integrates with the Palo Alto Networks Enterprise DLP service and provides built-in data profiles, which include data patterns that match sensitive information such as PII, healthcare, financial information, and intellectual property. In addition to protecting your confidential and sensitive data, your data is protected against threats—known and unknown (zero-day) malware—using the Palo Alto Networks WildFire service.

4.1 Onboarding.

Prisma Cloud Data Security requires you to configure an AWS CloudTrail bucket. To save cost, ensure that you follow the instructions to select only Write events instead of Read and Write events.

Configure CloudTrail and SNS: tml
Only monitor mode is supported.
Configure Scan options -- Forward & Back, and Forward: onitor-data-
