Onboard AWS Cloud Account in SCM

Onboard your AWS cloud account in Strata Cloud Manager (SCM). Onboarding registers the account in SCM and generates a Terraform configuration that creates the service account SCM uses to discover your cloud assets.

Creating an AWS Service Account for SCM Integration

  1. Log in to SCM.
  2. Select Insights → AI Runtime Security.
    1. If you're onboarding a cloud account for the first time, click Get Started.
    2. If you have previously onboarded a cloud account, click the Cloud Account Manager (cloud) icon.
  3. Select Cloud Service Provider as AWS and select Next.
  4. Enter basic information:
    • A unique Name to identify your onboarded cloud account (limit the name to 32 characters).
    • S3 bucket name (limit the name to 32 characters).
      To get the S3 bucket name, go to the AWS Management Console, navigate to S3, and copy your bucket name.
    • Select Next.
  5. In Application Definition, select Next.
  6. Enter a Role Name (use only alphanumeric characters and hyphens, do not begin or end the name with a hyphen, and keep the name under 19 characters).
  7. Download Terraform.
  8. Execute Terraform. Save and unzip the downloaded Terraform zip file, `aws-onboard-terraform.zip`. Navigate to `panw-discovery-10xxxx684868-onboarding/aws` and follow the `README.md` instructions to apply the Terraform in AWS, which creates the resources and adds the role assignments.
    ```sh
    # Deploy the Terraform
    terraform init
    terraform plan
    terraform apply
    ```
    Output:
    ```
    Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

    Outputs:

    cross_account_role_arn = "arn:aws:iam::10xxxx684868:role/airs-prod-role-2"
    ```
  9. Copy the role ARN from the Terraform apply output in the previous step and paste it in the Role ARN field.
    Alternatively, fetch the role ARN in the AWS Management Console: navigate to IAM > Access Management > Roles, select the role name you entered in step 6, and copy the ARN from the summary page.
  10. Select Done.
    This validates the successful creation of a service account in AWS.
    Initial data should populate in SCM in about 30 minutes; flow logs may take about 1 hour to appear in the SCM web interface.
  11. You can now view and manage the onboarded cloud accounts in SCM.
  12. The SCM dashboard under Insights → AI Runtime Security shows all the cloud assets discovered.
    Next, protect the network traffic flow by deploying an AI Runtime Security instance in AWS.
  13. Add an EKS cluster viewer role. Refer to the section below.
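Before pasting the ARN from step 9 into SCM, it is worth confirming that the ARN Terraform reported is well formed, that the role name obeys the step 6 rules, and that the role actually exists in the account the CLI is signed into. The script below is an added example, not Palo Alto Networks' code or part of the downloaded Terraform bundle. It assumes Terraform 0.14 or later (for `-chdir` and `output -raw`), the AWS CLI on PATH with credentials for the onboarded account, and a role created without an IAM path; the directory name and account id are placeholders.

```shell
#!/bin/sh
# verify_onboarding_role.sh (added example; not Palo Alto Networks' code)
# Checks the role-name rules from step 6, parses the role ARN that
# `terraform apply` printed as cross_account_role_arn, and confirms the
# role really exists before you paste the ARN into the SCM Role ARN field.
set -u

# Step 6 rules: alphanumeric and hyphens only, no leading or trailing
# hyphen, fewer than 19 characters. Returns 0 when NAME complies.
validate_role_name() {
    name=$1
    [ "${#name}" -gt 0 ] && [ "${#name}" -lt 19 ] || return 1
    printf '%s\n' "$name" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# Prints "<account-id> <role-name>" for a well-formed IAM role ARN and
# fails otherwise: rejects non-IAM ARNs, masked account ids such as the
# 10xxxx684868 in the documentation output, and roles with a path
# (assumption: the onboarding Terraform creates the role at "/").
parse_role_arn() {
    arn=$1
    printf '%s\n' "$arn" | grep -Eq '^arn:aws:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_-]+$' || return 1
    account=${arn#arn:aws:iam::}
    account=${account%%:*}
    role=${arn##*:role/}
    printf '%s %s\n' "$account" "$role"
}

# Reads the ARN from the Terraform state in DIR, asks IAM for the role by
# name, and checks the two ARNs agree. Also warns when the CLI is signed
# into a different account than the one the ARN names.
verify_onboarding_role() {
    dir=$1
    arn=$(terraform -chdir="$dir" output -raw cross_account_role_arn) || return 1
    parsed=$(parse_role_arn "$arn") || { echo "unexpected ARN format: $arn" >&2; return 1; }
    account=${parsed%% *}
    role=${parsed#* }
    validate_role_name "$role" || echo "warning: '$role' breaks the step 6 naming rules" >&2
    live=$(aws iam get-role --role-name "$role" --query 'Role.Arn' --output text) || return 1
    if [ "$live" != "$arn" ]; then
        echo "IAM returned $live but Terraform state says $arn" >&2
        return 1
    fi
    caller=$(aws sts get-caller-identity --query 'Account' --output text) || return 1
    [ "$caller" = "$account" ] || echo "warning: role is in $account, CLI is signed into $caller" >&2
    printf '%s\n' "$arn"
}

# Runs only when explicitly asked, so the functions can be sourced, e.g.
#   RUN_VERIFY=1 sh verify_onboarding_role.sh <terraform-dir>
if [ "${RUN_VERIFY:-0}" = 1 ]; then
    verify_onboarding_role "${1:?usage: RUN_VERIFY=1 $0 <terraform-dir>}"
fi
```

The ARN the script prints on success is the value to paste into the Role ARN field; a non-zero exit means either the Terraform output and IAM disagree or the ARN is not in the expected shape, and is worth resolving before clicking Done.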

Add an EKS Cluster Viewer Role

Assign an EKS Cluster Viewer role to the role created in AWS by the onboarding Terraform. Add this role to all the clusters.
  1. Sign in to the AWS Management Console.
  2. Go to IAM > Roles.
  3. Locate and click on the role created by your onboarding Terraform.
  4. Under the Permissions tab, click the Add permissions button.
  5. Choose Attach policies and search for EKS.
  6. Check the box next to AmazonEKSClusterPolicy.
  7. Click Add permissions.
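The console steps above can also be done with the AWS CLI, which is useful when the same onboarding role must be handled in several accounts or re-checked after a change. The script below is an added example, not Palo Alto Networks' code. It assumes the AWS CLI on PATH with permission to list and attach policies on the onboarding role; the role name is supplied as an argument. It attaches the managed policy only when it is not already attached and reads the attachment list back to confirm.

```shell
#!/bin/sh
# attach_eks_viewer_policy.sh (added example; not Palo Alto Networks' code)
# CLI equivalent of the console steps: attach the AWS managed policy
# AmazonEKSClusterPolicy to the onboarding role if it is missing, then
# verify the attachment by listing the role's policies again.
set -u

POLICY_NAME=AmazonEKSClusterPolicy

# AWS managed policies live under the pseudo-account "aws".
managed_policy_arn() {
    printf 'arn:aws:iam::aws:policy/%s\n' "$1"
}

# True when WANTED appears as a whole token in LIST, the whitespace
# separated text that `--query 'AttachedPolicies[].PolicyArn' --output text`
# returns. Whole-token comparison, so a customer policy whose name merely
# contains "AmazonEKSClusterPolicy" does not count as a match.
policy_in_list() {
    list=$1
    wanted=$2
    for p in $list; do
        [ "$p" = "$wanted" ] && return 0
    done
    return 1
}

# Policy ARNs currently attached to ROLE, one per whitespace-separated token.
attached_policies() {
    aws iam list-attached-role-policies --role-name "$1" \
        --query 'AttachedPolicies[].PolicyArn' --output text
}

# Idempotent attach plus verify. Returns 0 only when the policy is attached
# after the call, so the exit status can gate the rest of a script.
ensure_policy_attached() {
    role=$1
    arn=$(managed_policy_arn "$POLICY_NAME")
    before=$(attached_policies "$role") || return 1
    if policy_in_list "$before" "$arn"; then
        echo "$role: $POLICY_NAME already attached" >&2
    else
        aws iam attach-role-policy --role-name "$role" --policy-arn "$arn" || return 1
    fi
    after=$(attached_policies "$role") || return 1
    policy_in_list "$after" "$arn"
}

# Runs only when explicitly asked, e.g.
#   RUN_ATTACH=1 sh attach_eks_viewer_policy.sh <onboarding-role-name>
if [ "${RUN_ATTACH:-0}" = 1 ]; then
    ensure_policy_attached "${1:?usage: RUN_ATTACH=1 $0 <onboarding-role-name>}"
fi
```

Because the attach call is wrapped in a presence check, the script can be re-run safely, and the final `policy_in_list` call is what turns "the command returned" into "the policy is actually on the role".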