Fix #122: Incorporate PM feedback. (#136)

iansk · web-flow · commit 61e2e6baf2f9 · 2021-04-21T20:56:28.000-05:00
diff --git a/admin_guide/compliance/cloud_discovery.adoc b/admin_guide/compliance/cloud_discovery.adoc
@@ -43,10 +43,14 @@ Auto-defend utilizes rule-based policies to automatically deploy Prisma Cloud to
 [#_min_perms]
 === Minimum permissions
 
-When creating credentials, Prisma Cloud needs some set of minimum permissions to list all the various resources in use in your account.
-After finding those resources, Prisma Cloud needs additional permissions to retrieve those resources and inspect them for vulnerabilities and compliance issues.
+Prisma Cloud needs one set of minimum permissions to discover and itemize all the resources in your account.
+After finding those resources, Prisma Cloud typically needs an additional set of permissions to protect them (e.g. retrieve those resources and inspect them for vulnerabilities and compliance issues.
+
+For example, the service account for cloud discovery uses the `ecr:DescribeRepositories` permission to list all ECR repositories in your AWS accounts.
+If you find a repository that's not being scanned, and you want to configure Prisma Cloud to scan it, Prisma Cloud needs another service account with deeper permissions that lets it auth with the ECR service and download images from the repository (e.g., `ecr:GetAuthorizationToken`, `ecr:BatchGetImage`, etc).
+The permissions required for cloud discovery to scan your accounts are documented here.
+Permissions required to enable protection (e.g. scanning a repo) are documented in each protection feature's respective article.
 
-These are the minimum set of permissions required for each type of account:
 
 ==== AWS
 
diff --git a/admin_guide/install/install_defender/auto_defend_host.adoc b/admin_guide/install/install_defender/auto_defend_host.adoc
@@ -11,6 +11,7 @@ After setting up auto-defend for hosts, Prisma Cloud discovers and protects unse
 
 . Discover - Prisma Cloud uses cloud provider APIs to get a list of all VM instances.
 . Identify  - Prisma Cloud identifies unprotected instances.
+. Verify - Ensure unprotected resources meet auto-defend prerequisites.
 . Install - Primsa Cloud installs Host Defender on unprotected instances using cloud provider APIs.
 
 
@@ -65,6 +66,10 @@ Hosts must have either wget or curl installed.
 Auto-defend is supported for stand-alone hosts only, not hosts that are part of clusters.
 For hosts that are part of clusters, use one of the cluster-native install options (e.g., DaemonSets on Kubernetes).
 
+NOTE: When configuring the scope of hosts that should be auto-defended, ensure that the scope doesn't include any hosts that are part of a cluster or that run containers.
+Auto-defend doesn't currently check if a host is part of cluster.
+If you  mistakenly include nodes that are part of a cluster in an auto-defend rule, and the cluster is not already protected, the auto-defend rule will deploy Host Defenders to the cluster nodes.
+
 
 [#_perms]
 === Required permissions
