Onboard AWS Cloud Account in Strata Cloud Manager
Onboard your AWS cloud account in Strata Cloud Manager.
Creating an AWS Service Account for Strata Cloud Manager Integration
To onboard your AWS cloud account, create and download an onboarding Terraform template from Strata Cloud Manager. Applying this template in your AWS environment creates a cross-account IAM role that acts as the service account, with the permissions discovery needs: read access to VPC flow logs, asset inventory details, and the other cloud resources Strata Cloud Manager inspects.
  1. Select Insights → Prisma AIRS → Prisma AIRS AI Runtime: Network Intercept. (If you are onboarding for the first time, click Get Started.)
  2. If you have previously onboarded a cloud account, click the Cloud Account Manager (cloud) icon in the top right corner.
  3. Select AWS as the Cloud Service Provider and select Next.
  4. Enter basic information:
    • A unique Name to identify your onboarded cloud account (limit the name to 32 characters).
    • The S3 bucket name (limit the name to 32 characters).
      To get the S3 bucket name, log in to the AWS Management Console, navigate to your S3 bucket, and copy its name.
    • Select Next.
  5. In Application Definition, configure how your assets will be grouped for discovery.
    Enhanced application definition options provide granular boundary criteria using workload-specific methods such as tags, subnets, and namespaces that align with your application deployment patterns and business logic.
    1. Your selected application boundaries determine which applications appear in the deployment workflow. For all workload types, Prisma AIRS AI Runtime: Network intercept maps applications to their VPCs, and the firewall protects traffic at the VPC level. The namespace view shows applications from Pod/Cluster workloads, while the VPC/VNET view shows applications from virtual machine workloads.
    2. For container workloads, whichever application definition method you select (namespace, cluster, or tag), annotate every pod you want protected with the Palo Alto Networks-specific label "paloaltonetworks.com/firewall": "pan-fw". Defining the application boundary alone does not secure the pods; this annotation is required as well.
    When using tag-based application boundaries, if your cloud provider allows tags with only keys (no values), use the application name as the tag key.
    Table: Workload-specific selection guide (workload type, application definition method, and when to choose it)
    Container Workloads (default boundary: namespace)
    • Namespace: applications are separated by Kubernetes namespaces for logical isolation.
    • Cluster Name: applications span multiple namespaces but remain within a single cluster.
    • Tag: applications require custom grouping based on business logic, regardless of infrastructure.
    Virtual Machines (default boundary: VPC/VNET)
    • Subnet Name: VMs are organized by network segments that align with application boundaries.
    • VPC/VNET: you prefer a broader, network-perimeter-based application grouping (default).
    • Tag: uses key-value pairs for business-context-driven application organization.
    Serverless Compute (default boundary: VPC/VNET)
    • Subnet Name: functions are deployed in specific subnet boundaries within the application domain.
    • VPC/VNET: you want to group all functions at the same network level using VPC/VNET boundaries.
    • Tag: uses key-value pairs for flexible, business-requirement-based grouping.
  6. Input the Role Name (use only alphanumeric characters and hyphens, do not start or end the name with a hyphen, and limit the name to 19 characters).
  7. Download Terraform.
  8. Execute Terraform. Save and unzip the downloaded Terraform zip file, `aws-onboard-terraform.zip`. Navigate to `panw-discovery-10xxxx684868-onboarding/aws` and follow the `README.md` instructions to apply the Terraform in AWS, which creates the resources and adds the role assignments.
    ```shell
    # Deploy the Terraform
    terraform init
    terraform plan
    terraform apply
    ```
    Output:
    ```
    Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

    Outputs:

    cross_account_role_arn = "arn:aws:iam::10xxxx684868:role/airs-prod-role-2"
    ```
  9. Copy the role ARN from the Terraform apply output in the previous step and paste it in the Role ARN field.
    Alternatively, you can fetch the role ARN from the AWS Management Console: navigate to IAM > Access Management > Roles, select the role name you entered in step 6, and copy the ARN from the summary page.
  10. Select Done.
  11. Add the following access policy to enable Strata Cloud Manager to discover your Kubernetes clusters' assets:
    1. Sign in to the Amazon EKS Console.
    2. In the EKS Console, click your EKS cluster.
    3. In the Access tab, go to the IAM access entries section and click the Create access entry button.
    4. As the IAM principal ARN, select the role that was created when you executed the onboarding Terraform.
    5. Under Policy name, add AmazonEKSAdminViewPolicy.
    6. Click Create and finish the creation process.
  12. You can now view and manage the onboarded cloud accounts in Strata Cloud Manager.
  13. To discover your protected and unprotected cloud assets, see the page on discovering your cloud resources.
    Successful discovery confirms that the service account was created correctly in AWS.
    Initial data should populate in Strata Cloud Manager in about 30 minutes; flow logs may take about an hour to appear on the Strata Cloud Manager dashboard.
    Next, protect the network traffic flow by deploying Prisma AIRS AI Runtime: Network intercept or VM-Series firewall in AWS.
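The following preflight script is an added example (not Palo Alto Networks code and not part of the onboarding bundle) that ties together steps 6, 8, 9 and 11: it enforces the naming limits stated above, extracts `cross_account_role_arn` from a `terraform apply` output, checks that the ARN belongs to the account and role you expect before you paste it into the Role ARN field, and builds the AWS CLI equivalents of the EKS console steps (`aws eks create-access-entry` and `aws eks associate-access-policy`). It assumes the Terraform output variable is named `cross_account_role_arn`, as the sample output shows; the account ID, cluster name and region are constructed sample values.

```python
"""Preflight checks for the Strata Cloud Manager AWS onboarding procedure.

Added example, not vendor code. Validates names, parses the terraform output,
and builds the EKS access-entry commands. Account ID, cluster and region are
constructed sample values.
"""
import re
import subprocess

# Limits stated in the procedure: 32 chars for the account name and S3 bucket
# name; 19 chars, alphanumeric and hyphens, no leading/trailing hyphen, for the
# IAM role name.
NAME_LIMIT = 32
ROLE_NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,17}[A-Za-z0-9])?$")
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@-]+)$")
OUTPUT_RE = re.compile(r'cross_account_role_arn\s*=\s*"([^"]+)"')

# ARN of the managed EKS access policy named in step 11.
EKS_ADMIN_VIEW_POLICY = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminViewPolicy"

# Constructed sample of the `terraform apply` output (account ID is made up).
SAMPLE_TERRAFORM_OUTPUT = """\
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

cross_account_role_arn = "arn:aws:iam::123456789012:role/airs-prod-role-2"
"""


def within_limit(value: str, limit: int = NAME_LIMIT) -> bool:
    """True when a display or bucket name is non-empty and within the limit."""
    return 0 < len(value) <= limit


def validate_role_name(name: str) -> bool:
    """Apply the step 6 role-name rule before the role is created."""
    return ROLE_NAME_RE.fullmatch(name) is not None


def extract_role_arn(terraform_output: str) -> str:
    """Pull cross_account_role_arn out of the apply output; fail loudly if absent."""
    match = OUTPUT_RE.search(terraform_output)
    if match is None:
        raise ValueError("cross_account_role_arn not found in terraform output")
    return match.group(1)


def check_role_arn(arn: str, expected_account: str, expected_role: str) -> list:
    """Return a list of problems (empty when the ARN is the one you expect).

    Catches the two easy mistakes before pasting into the Role ARN field:
    a role from the wrong AWS account, or a role other than the one from step 6.
    """
    match = ARN_RE.fullmatch(arn)
    if match is None:
        return [f"not an IAM role ARN: {arn}"]
    account, role = match.groups()
    problems = []
    if account != expected_account:
        problems.append(f"account {account} does not match expected {expected_account}")
    if role != expected_role:
        problems.append(f"role name {role} does not match expected {expected_role}")
    return problems


def eks_access_entry_commands(cluster: str, principal_arn: str, region: str) -> list:
    """Build the AWS CLI equivalents of the step 11 console actions.

    The first command creates the access entry for the onboarding role; the
    second associates AmazonEKSAdminViewPolicy with cluster-wide scope, which
    grants read-only visibility rather than write access to the cluster.
    """
    return [
        ["aws", "eks", "create-access-entry", "--cluster-name", cluster,
         "--principal-arn", principal_arn, "--region", region],
        ["aws", "eks", "associate-access-policy", "--cluster-name", cluster,
         "--principal-arn", principal_arn, "--policy-arn", EKS_ADMIN_VIEW_POLICY,
         "--access-scope", "type=cluster", "--region", region],
    ]


def run_commands(commands: list, dry_run: bool = True) -> list:
    """Print (dry run) or execute the commands; returns the argv lists used."""
    for argv in commands:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=True)
    return commands


if __name__ == "__main__":
    role_name = "airs-prod-role-2"
    if not validate_role_name(role_name):
        raise SystemExit(f"role name {role_name!r} violates the step 6 rule")
    arn = extract_role_arn(SAMPLE_TERRAFORM_OUTPUT)
    problems = check_role_arn(arn, "123456789012", role_name)
    if problems:
        raise SystemExit("\n".join(problems))
    print("Role ARN to paste into Strata Cloud Manager:", arn)
    run_commands(eks_access_entry_commands("prod-cluster", arn, "us-east-1"))
```

Run it with `dry_run=True` (the default) to review the exact CLI calls before executing them against a real cluster; with `dry_run=False` the same argv lists are executed with `subprocess.run`, so no shell quoting is involved.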