    Cloud NGFW for AWS
Cross-Account Role CFT Permissions for Cloud NGFW
Cloud NGFW for AWS requires permissions to access AWS accounts, read VPC info, create/manage endpoints, access logging destinations, and decrypt traffic.
Cloud NGFW requires permissions to access information and resources associated with your AWS accounts. When you onboard an AWS account, a CloudFormation Template (CFT) is provided to help you enable the permissions. When you deploy the CFT, it creates a cross-account IAM role in your AWS account. This IAM role provides Cloud NGFW with the permissions necessary to read VPC information required to create and manage endpoints, send logs to logging destinations, and access certificates in AWS Secrets Manager for traffic decryption.
Endpoint Configuration
The cross-account IAM role requires permissions to read information about your VPC resources, allowing you to configure NGFW endpoints in your AWS environment. The Sid values in the statements below are descriptive labels; IAM accepts only alphanumeric Sid values, so adjust them if you paste a statement into a policy of your own.
{
  "Sid": "Allow Cloud NGFW to read VPC resources",
  "Effect": "Allow",
  "Action": [
    "ec2:DescribeVpcs",
    "ec2:DescribeSubnets",
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeVpcEndpoints"
  ],
  "Resource": "*"
}
The four Describe actions listed are the minimum needed.
Endpoint Creation
(Optional) You can configure Cloud NGFW to create and manage NGFW endpoints in your AWS account. If you choose not to configure these permissions, you must manually create NGFW endpoints after deploying your NGFW.
{
  "Sid": "Allow Cloud NGFW to manage NGFW endpoints",
  "Effect": "Allow",
  "Action": [
    "ec2:DeleteVpcEndpoints",
    "ec2:CreateVpcEndpoint"
  ],
  "Resource": "*"
}
Logging and Metric Management
(Optional) The cross-account role includes permissions required for logging and metrics management. The template does not create the logging destinations; instead, it provides the necessary permissions to access the specified logging destinations. You must create the logging destinations you specify in the template.
The template provides the default value PaloAltoCloudNGFW for a CloudWatch namespace and a Kinesis Data Firehose delivery stream. The template does not provide a default value for an S3 bucket. You can replace the default value with the value of a corresponding logging destination in your AWS account.
{
  "Sid": "Allow Cloud NGFW access to one Cloudwatch Namespace",
  "Effect": "Allow",
  "Resource": "*",
  "Action": "cloudwatch:PutMetricData",
  "Condition": {
    "StringEquals": {
      "cloudwatch:namespace": "PaloAltoCloudNGFW"
    }
  }
}
{
  "Sid": "Allow Cloud NGFW access to write logs in one LogGroup",
  "Action": [
    "logs:CreateLogStream",
    "logs:DescribeLogStreams",
    "logs:PutLogEvents"
  ],
  "Effect": "Allow",
  "Resource": [
    "arn:aws:logs:*:*:log-group:PaloAltoCloudNGFW",
    "arn:aws:logs:*:*:log-group:PaloAltoCloudNGFW:log-stream:*"
  ]
}
{
  "Sid": "Optionally, Allow Cloud NGFW to write logs to one S3 bucket",
  "Effect": "Allow",
  "Action": [
    "s3:PutObject"
  ],
  "Resource": [
    "arn:aws:s3:::<PaloAltoCloudNGFW-ExternalId>/*",
    "arn:aws:s3:::${S3Bucket}/*"
  ]
}
The two entries in the S3 Resource list reflect the two proposed naming forms: a bucket name derived from the external ID, or a bucket name you supply in the CFT (${S3Bucket}).
{
  "Sid": "Optionally, Allow Cloud NGFW to write logs to Streams",
  "Effect": "Allow",
  "Action": [
    "firehose:PutRecordBatch"
  ],
  "Resource": [
    "arn:aws:firehose:region:account:deliverystream/PaloAltoCloudNGFW*"
  ]
}
Decryption
(Optional) The cross-account role includes permissions for Cloud NGFW to retrieve certificates from Secrets Manager in your AWS account and use them to decrypt traffic flowing through your NGFW. These permissions use the attribute-based access control (ABAC) mechanism: access is granted only to secrets that carry the specified tag. These permissions are optional, and you can choose not to configure them when you deploy the template.
{
  "Sid": "Allow Cloud NGFW to pick up certificates",
  "Effect": "Allow",
  "Action": [
    "secretsmanager:GetSecretValue"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:ResourceTag/PaloAltoCloudNGFW": "true"
    }
  }
}
Account Monitoring
(Optional) The existing CloudFormation template (CFT) of your onboarded AWS account can have Account Monitoring permissions added to it.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeInstances",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeSubnets",
        "ec2:DescribeManagedPrefixLists",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTags"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:GetManagedPrefixListAssociations",
        "ec2:GetManagedPrefixListEntries"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:prefix-list/*"
      ],
      "Effect": "Allow"
    }
  ]
}
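The guardrails this page describes for the role (no wildcard actions, cloudwatch:PutMetricData scoped to one namespace, secretsmanager:GetSecretValue scoped by the PaloAltoCloudNGFW resource tag, alphanumeric Sids) can be checked before the role is deployed. The script below is an added example, not Palo Alto Networks' code or part of the CFT; the POLICY document and the REQUIRED_CONDITIONS table are constructed for this example from the statements above.

```python
import json

# Constructed sample for this example: three statements modelled on the page's
# own (VPC read, CloudWatch namespace, Secrets Manager ABAC), with alphanumeric
# Sids because IAM rejects Sid values that contain spaces.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadVpc", "Effect": "Allow",
     "Action": ["ec2:DescribeVpcs", "ec2:DescribeSubnets"], "Resource": "*"},
    {"Sid": "Metrics", "Effect": "Allow", "Action": "cloudwatch:PutMetricData",
     "Resource": "*",
     "Condition": {"StringEquals": {"cloudwatch:namespace": "PaloAltoCloudNGFW"}}},
    {"Sid": "Certs", "Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
     "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/PaloAltoCloudNGFW": "true"}}}
  ]
}""")

# Actions the page grants on Resource "*" only together with a scoping condition
# key. IAM matches action and condition-key names case-insensitively, so both
# sides are compared in lowercase.
REQUIRED_CONDITIONS = {
    "cloudwatch:putmetricdata": "cloudwatch:namespace",
    "secretsmanager:getsecretvalue": "aws:resourcetag/paloaltocloudngfw",
}

def _as_list(value):
    """IAM allows either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def audit(policy: dict) -> list:
    """Return findings; an empty list means the policy matches the page's model."""
    findings = []
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "")
        label = sid or "<no Sid>"
        if sid and not sid.isalnum():
            findings.append(f"{label}: IAM Sid values must be alphanumeric")
        if st.get("Effect") != "Allow":
            continue  # Deny statements cannot over-grant
        resources = _as_list(st.get("Resource", []))
        cond_keys = {k.lower() for op in st.get("Condition", {}).values() for k in op}
        for action in (a.lower() for a in _as_list(st.get("Action", []))):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{label}: wildcard action {action}")
            needed = REQUIRED_CONDITIONS.get(action)
            if needed and "*" in resources and needed not in cond_keys:
                findings.append(f"{label}: {action} on Resource * lacks {needed}")
    return findings
```

Run audit() against the policy document you extract from the CFT before deploying it; any finding means a statement is broader than the model on this page.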