Onboard AWS Cloud Account in SCM
Focus
Focus
AI Runtime Security

Onboard AWS Cloud Account in SCM

Table of Contents

Onboard AWS Cloud Account in SCM

Onboard your AWS cloud account in Strata Cloud Manager (SCM).
Onboard the AWS cloud account in SCM and create a Terraform configuration to generate a service account to discover the cloud assets.
Where Can I Use This?What Do I Need?
  • Creating an AWS Service Account for SCM Integration
  1. Log in to SCM.
  2. Select Insights → AI Runtime Security.
    1. If you're onboarding a cloud account for the first time, click Get Started.
    2. If you have previously onboarded a cloud account, click the Cloud Account Manager (cloud) icon.
  3. Select Cloud Service Provider as AWS and select Next.
  4. Enter basic information:
    • A unique Name to identify your onboarded cloud account. (Limit the name to 32 characters).
    • S3 bucket name (limit the name to 32 characters).
      To get the S3 bucket name, Go to AWS Management Console -> navigate to S3 and copy your bucket name).
    • Select Next.
  5. In Application Definition, select Next.
  6. Input Role Name (Use only alphanumeric characters and hyphens, avoid using a hyphen at the beginning or end, and limit the name under 19 characters).
  7. Download Terraform.
  8. Execute Terraform. Save and unzip the downloaded Terraform zip file: `aws-onboard-terraform.zip`. Navigate to `panw-discovery-10xxxx684868-onboarding/aws` and follow the `README.md` instructions to apply the Terraform in AWS to create the resources and add the role assignments.
    #Deploy the Terraform terraform init terraform plan terraform apply
    Output:
    Apply complete! Resources: 1 added, 0 changed, 0 destroyed. Outputs: cross_account_role_arn = "arn:aws:iam::10xxxx684868:role/airs-prod-role-2"
  9. Copy the role ARN from the Terraform apply output in the previous step and paste it in the Role ARN field.
    Alternatively, you can also fetch the role ARN in the AWS Management Console. Navigate to IAM > Access Management > Roles; select the role name you entered in step 6 and copy the ARN from the summary page.
  10. Select Done.
    This validates the successful creation of a service account in AWS.
    Initial data should populate on SCM in about 30 minutes and the flow logs may have a delay of about 1 hour to show up on the SCM web interface.
  11. You can now view and manage the onboarded cloud accounts in SCM.
  12. The SCM dashboard under Insights → AI Runtime Security shows all the cloud assets discovered.
    Next, protect the network traffic flow by deploying an AI Runtime Security instance in AWS.
  13. Add an EKS cluster viewer role. Refer to the section below.

Add an EKS Cluster Viewer Role

Assign an EKS Cluster Viewer role to the role created in AWS by the onboarding Terraform. Add this role to all the clusters.
  1. Sign in to the AWS Management Console.
  2. Go to IAM > Roles.
  3. Locate and click on the role created by your onboarding Terraform.
  4. Under the Permissions tab, click the Add permissions button.
  5. Choose Attach policies and search for EKS.
  6. Check the box next to AmazonEKSClusterPolicy.
  7. Click Add permissions.