>
    Strata Copilot
    AWS Required Permissions
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma AIRS
    3. Activation & Onboarding
    4. Onboard and Activate a Cloud Account in Strata Cloud Manager
    5. Onboard Cloud Account in AWS
    6. AWS Required Permissions
    Download PDF
    Prisma AIRS

    AWS Required Permissions

    Table of Contents

    AWS Required Permissions

    Review what AWS permissions are required when onboarding your account to Prisma AIRS.
    Where Can I Use This?What Do I Need?
    • Prisma AIRS Network Intercept
    • AWS
    Prisma AIRS requires the permissions listed below to ensure that you can use the following functions in your onboarded cloud account
    • Discovery—this option is pre-selected and cannot be disabled. This allows Prisma AIRS to identify and monitor assets in your AWS environment.
    • Fully orchestrated security VPC—provides the necessary permissions for Prisma AIRS to read and write in your security VPC account.
    • Fully automated traffic redirection application VPCs—provides the necessary permissions for Prisma AIRS to read and write in your application VPC account.
    • IP-Tag Harvesting—grants the necessary permissions to collect IP address to tag information to enforce tag-based security policy that adapts to IP address changes in your AWS environment.

    Discovery

        "elasticloadbalancing:Describe*",
    "elasticloadbalancing:Get*",
    "network-firewall:Get*",
    "network-firewall:Describe*",
    "network-firewall:List*",
    "ec2:Describe*",
    "ec2:List*",
    "ec2:Get*",
    "lambda:List*",
    "lambda:Get*",
    "eks:AccessKubernetesApi",
    "eks:DescribeCluster",
    "eks:ListClusters",
    "bedrock:ListCustomModels"

    Security VPC Orchestration

        "autoscaling-plans:CreateScalingPlan",
    "autoscaling-plans:DeleteScalingPlan",
    "autoscaling-plans:DescribeScalingPlans"
        "servicequotas:GetServiceQuota"
        "autoscaling:CreateAutoScalingGroup",
    "autoscaling:DeleteAutoScalingGroup",
    "autoscaling:DeletePolicy",
    "autoscaling:DescribeAutoScalingGroups",
    "autoscaling:DescribeLaunchConfigurations",
    "autoscaling:DescribePolicies",
    "autoscaling:DescribeScalingActivities",
    "autoscaling:DescribeScheduledActions",
    "autoscaling:PutLifecycleHook",
    "autoscaling:PutScalingPolicy",
    "autoscaling:UpdateAutoScalingGroup"
        "cloudwatch:DeleteAlarms",
    "cloudwatch:DescribeAlarms",
    "cloudwatch:PutMetricAlarm"
        "ec2:AllocateAddress",
    "ec2:AssociateAddress",
    "ec2:AssociateRouteTable",
    "ec2:AssociateTransitGatewayRouteTable",
    "ec2:AttachInternetGateway",
    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:CreateInternetGateway",
    "ec2:CreateLaunchTemplate",
    "ec2:CreateLaunchTemplateVersion",
    "ec2:CreateNatGateway",
    "ec2:CreateNetworkInterface",
    "ec2:CreateRoute",
    "ec2:CreateRouteTable",
    "ec2:CreateSecurityGroup",
    "ec2:CreateSubnet",
    "ec2:CreateTags",
    "ec2:CreateTransitGateway",
    "ec2:CreateTransitGatewayRoute",
    "ec2:CreateTransitGatewayRouteTable",
    "ec2:CreateTransitGatewayVpcAttachment",
    "ec2:CreateVpc",
    "ec2:CreateVpcEndpoint",
    "ec2:CreateVpcEndpointServiceConfiguration",
    "ec2:DeleteInternetGateway",
    "ec2:DeleteLaunchTemplate",
    "ec2:DeleteNatGateway",
    "ec2:DeleteNetworkInterface",
    "ec2:DeleteRoute",
    "ec2:DeleteRouteTable",
    "ec2:DeleteSecurityGroup",
    "ec2:DeleteSubnet",
    "ec2:DeleteTransitGateway",
    "ec2:DeleteTransitGatewayRoute",
    "ec2:DeleteTransitGatewayRouteTable",
    "ec2:DeleteTransitGatewayVpcAttachment",
    "ec2:DeleteVpc",
    "ec2:DeleteVpcEndpoints",
    "ec2:DeleteVpcEndpointServiceConfigurations",
    "ec2:DescribeAddresses",
    "ec2:DescribeAddressesAttribute",
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeImages",
    "ec2:DescribeInstanceAttribute",
    "ec2:DescribeInstances",
    "ec2:DescribeInstanceTypes",
    "ec2:DescribeInternetGateways",
    "ec2:DescribeLaunchTemplates",
    "ec2:DescribeLaunchTemplateVersions",
    "ec2:DescribeNatGateways",
    "ec2:DescribeNetworkAcls",
    "ec2:DescribeNetworkInterfaceAttribute",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribePrefixLists",
    "ec2:DescribeRouteTables",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets",
    "ec2:DescribeTags",
    "ec2:DescribeTransitGatewayRouteTables",
    "ec2:DescribeTransitGateways",
    "ec2:DescribeTransitGatewayVpcAttachments",
    "ec2:DescribeVolumes",
    "ec2:DescribeVpcAttribute",
    "ec2:DescribeVpcEndpoints",
    "ec2:DescribeVpcEndpointServiceConfigurations",
    "ec2:DescribeVpcEndpointServicePermissions",
    "ec2:DescribeVpcEndpointServices",
    "ec2:DescribeVpcs",
    "ec2:DetachInternetGateway",
    "ec2:DetachNetworkInterface",
    "ec2:DisableTransitGatewayRouteTablePropagation",
    "ec2:DisassociateAddress",
    "ec2:DisassociateRouteTable",
    "ec2:DisassociateTransitGatewayRouteTable",
    "ec2:EnableTransitGatewayRouteTablePropagation",
    "ec2:GetEbsDefaultKmsKeyId",
    "ec2:GetTransitGatewayRouteTableAssociations",
    "ec2:GetTransitGatewayRouteTablePropagations",
    "ec2:ModifyInstanceAttribute",
    "ec2:ModifyLaunchTemplate",
    "ec2:ModifyVpcAttribute",
    "ec2:ModifyVpcEndpointServicePermissions",
    "ec2:ReleaseAddress",
    "ec2:RevokeSecurityGroupIngress" 
    "ec2:RevokeSecurityGroupEgress",
    "ec2:RunInstances",
    "ec2:SearchTransitGatewayRoutes",
    "ec2:TerminateInstances"
        "elasticloadbalancing:AddTags",
    "elasticloadbalancing:CreateListener",
    "elasticloadbalancing:CreateLoadBalancer",
    "elasticloadbalancing:CreateTargetGroup",
    "elasticloadbalancing:DeleteListener",
    "elasticloadbalancing:DeleteLoadBalancer",
    "elasticloadbalancing:DeleteTargetGroup",
    "elasticloadbalancing:DescribeListeners",
    "elasticloadbalancing:DescribeLoadBalancerAttributes",
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTags",
    "elasticloadbalancing:DescribeTargetGroupAttributes",
    "elasticloadbalancing:DescribeTargetGroups",
    "elasticloadbalancing:DescribeTargetHealth",
    "elasticloadbalancing:ModifyLoadBalancerAttributes",
    "elasticloadbalancing:ModifyTargetGroupAttributes"
        "events:DeleteRule",
    "events:DescribeRule",
    "events:ListTagsForResource",
    "events:ListTargetsByRule",
    "events:PutRule",
    "events:PutTargets",
    "events:RemoveTargets",
    "events:TagResource"
        "iam:AddRoleToInstanceProfile",
    "iam:AttachRolePolicy",
    "iam:CreateInstanceProfile",
    "iam:CreateRole",
    "iam:DeleteInstanceProfile",
    "iam:DeleteRole",
    "iam:DeleteRolePolicy",
    "iam:GetInstanceProfile",
    "iam:GetPolicy",
    "iam:GetPolicyVersion",
    "iam:GetRole",
    "iam:GetRolePolicy",
    "iam:ListAttachedRolePolicies",
    "iam:ListInstanceProfilesForRole",
    "iam:ListRolePolicies",
    "iam:PassRole",
    "iam:PutRolePolicy",
    "iam:RemoveRoleFromInstanceProfile",
    "iam:TagRole"
        "kms:DescribeKey",
    "kms:ListAliases"
        "lambda:AddPermission",
    "lambda:CreateFunction",
    "lambda:DeleteFunction",
    "lambda:GetFunction",
    "lambda:GetFunctionCodeSigningConfig",
    "lambda:GetPolicy",
    "lambda:ListVersionsByFunction",
    "lambda:RemovePermission",
    "lambda:TagResource"
        "eks:AccessKubernetesApi",
    "eks:DescribeCluster",
    "eks:ListClusters"

    Traffic Redirection

        "ec2:AssociateRouteTable",
    "ec2:CreateRoute",
    "ec2:CreateRouteTable",
    "ec2:CreateSubnet",
    "ec2:CreateTags",
    "ec2:CreateTransitGatewayRoute",
    "ec2:CreateTransitGatewayRouteTable",
    "ec2:CreateTransitGatewayVpcAttachment",
    "ec2:CreateVpcEndpoint",
    "ec2:DeleteRoute",
    "ec2:DeleteSubnet",
    "ec2:DeleteTransitGatewayRouteTable",
    "ec2:DeleteTransitGatewayVpcAttachment",
    "ec2:DeleteVpcEndpoints",
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeSecurityGroups",
    "ec2:EnableTransitGatewayRouteTablePropagation",
    "ec2:ModifyTransitGatewayVpcAttachment",
    "ec2:ReplaceRoute",
    "ec2:ReplaceTransitGatewayRoute",
    "ram:AssociateResourceShare",
    "ram:CreateResourceShare",
    "ram:DeleteResourceShare",
    "ram:DisassociateResourceShare",
    "ram:GetResourceShareAssociations",
    "ram:GetResourceShares",
    "ram:ListResourceSharePermissions",
    "ram:TagResource"
        "ec2:DescribeInternetGateways",
    "ec2:DescribeRouteTables",
    "ec2:DescribeSubnets",
    "ec2:DescribeTransitGatewayAttachments",
    "ec2:DescribeTransitGatewayRouteTables",
    "ec2:DescribeTransitGateways",
    "ec2:DescribeTransitGatewayVpcAttachments",
    "ec2:DescribeVpcEndpoints",
    "ec2:DescribeVpcs",
    "ec2:GetTransitGatewayRouteTableAssociations",
    "ec2:SearchTransitGatewayRoutes"

    © 2026 Palo Alto Networks, Inc. All rights reserved.