Onboard AWS Cloud Account in Strata Cloud Manager

Onboard your AWS cloud account in Strata Cloud Manager by creating and downloading an onboarding Terraform template. When you apply this template in your cloud environment, it generates a service account with sufficient permissions. These permissions enable discovery within your cloud environment, granting access to network flow logs, asset inventory details, and other essential cloud resources.
Creating an AWS Service Account for Strata Cloud Manager Integration
  1. Select Insights → AI Runtime Security.
    1. If you're onboarding a cloud account for the first time, click Get Started under Network tab.
    2. If you have previously onboarded a cloud account, select Network from the AI Runtime Security drop-down list at the top. Click the Cloud Account Manager (cloud) icon.
  2. Select Cloud Service Provider as AWS and select Next.
  3. Enter basic information:
    • A unique Name to identify your onboarded cloud account. (Limit the name to 32 characters).
    • S3 bucket name (limit the name to 32 characters).
      To get the S3 bucket name, go to the AWS Management Console, navigate to S3, and copy your bucket name.
    • Select Next.
  4. In Application Definition, select Next.
  5. Input Role Name (use only alphanumeric characters and hyphens, do not start or end the name with a hyphen, and keep the name under 19 characters).
  6. Download Terraform.
  7. Execute Terraform. Save and unzip the downloaded Terraform zip file: `aws-onboard-terraform.zip`. Navigate to `panw-discovery-10xxxx684868-onboarding/aws` and follow the `README.md` instructions to apply the Terraform in AWS to create the resources and add the role assignments.
    ```
    # Deploy the Terraform
    terraform init
    terraform plan
    terraform apply
    ```
    Output:
    ```
    Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

    Outputs:

    cross_account_role_arn = "arn:aws:iam::10xxxx684868:role/airs-prod-role-2"
    ```
  8. Copy the role ARN from the Terraform apply output in the previous step and paste it in the Role ARN field.
    Alternatively, you can fetch the role ARN in the AWS Management Console. Navigate to IAM > Access Management > Roles, select the role name you entered in the Role Name step (step 5), and copy the ARN from the summary page.
  9. Select Done.
  10. Sign in to the Amazon EKS Console.
    1. Navigate to the EKS Console and click on your EKS cluster.
    2. In the IAM access entries section of the Access tab, click the Create access entry button.
    3. Find the IAM role that was created as part of the onboarding process when you executed the onboarding Terraform.
    4. Click Skip to Review and create and finish the creation process.
  11. You can now view and manage the onboarded cloud accounts in Strata Cloud Manager.
  12. The Strata Cloud Manager dashboard under Insights → AI Runtime Security shows all the cloud assets discovered.
    This validates the successful creation of a service account in AWS.
    Initial data should populate on Strata Cloud Manager in about 30 minutes and the flow logs may have a delay of about an hour to show up on the Strata Cloud Manager dashboard.
    Next, protect the network traffic flow by deploying an AI Runtime Security instance in AWS.
  13. Add an EKS cluster viewer role. Refer to the section below.

Add an EKS Cluster Viewer Role

Assign an EKS Cluster Viewer role to the role created in AWS by the onboarding Terraform. Add this role to all the clusters.
  1. Sign in to the AWS Management Console.
  2. Go to IAM > Roles.
  3. Locate and click on the role created by your onboarding Terraform.
  4. Under the Permissions tab, click the Add permissions button.
  5. Choose Attach policies and search for EKS.
  6. Check the box next to AmazonEKSClusterPolicy.
  7. Click Add permissions.
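The two console procedures above (the EKS access entry in step 10 and the AmazonEKSClusterPolicy attachment in this section) have to be repeated for every cluster. The script below is an added example, not Palo Alto Networks' or AWS's own code: it validates the role ARN produced by the onboarding Terraform against the Role Name and Role ARN rules from steps 5 and 8, attaches AmazonEKSClusterPolicy to that role, and creates an access entry for it on every EKS cluster in one region. It assumes AWS CLI v2 with credentials allowed to call IAM and EKS; the file name `eks-register-role.sh`, the `AWS_CMD` override and the 12-digit account id used in the comments are this example's own choices.

```shell
#!/bin/sh
# Added example (not the vendor's code): automate the EKS access entry and the
# AmazonEKSClusterPolicy attachment for the onboarding role on all clusters
# in one region. Assumes AWS CLI v2 is installed and configured.
set -eu

# Thin wrapper so the CLI can be swapped for a stub (dry runs, tests).
aws_cli() { "${AWS_CMD:-aws}" "$@"; }

# The Role Name rule from step 5: alphanumerics and hyphens only, no leading
# or trailing hyphen, under 19 characters (so 1 to 18).
valid_role_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,16}[A-Za-z0-9])?$'
}

# Accept only an IAM *role* ARN with a 12-digit account id, as pasted into the
# Role ARN field in step 8. Rejects user ARNs, policy ARNs and typos.
valid_role_arn() {
  case "$1" in
    arn:aws:iam::[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:role/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# The role name is the last path component of the ARN (roles may carry a path).
role_name_from_arn() { printf '%s\n' "${1##*/}"; }

# Equivalent of IAM > Roles > Add permissions > Attach policies > AmazonEKSClusterPolicy.
# attach-role-policy is idempotent, so rerunning is safe.
attach_cluster_policy() {
  aws_cli iam attach-role-policy --role-name "$1" \
    --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
  echo "AmazonEKSClusterPolicy attached to role $1"
}

# Equivalent of EKS > cluster > Access > Create access entry > Skip to Review and create.
# create-access-entry fails when the entry already exists, so describe first.
ensure_access_entry() {
  cluster=$1; role_arn=$2; region=$3
  if aws_cli eks describe-access-entry --region "$region" --cluster-name "$cluster" \
       --principal-arn "$role_arn" >/dev/null 2>&1; then
    echo "access entry already present on $cluster"
  else
    aws_cli eks create-access-entry --region "$region" --cluster-name "$cluster" \
      --principal-arn "$role_arn" >/dev/null
    echo "access entry created on $cluster"
  fi
}

# One EKS cluster name per line for the region.
list_clusters() {
  aws_cli eks list-clusters --region "$1" --query 'clusters[]' --output text | tr '\t' '\n'
}

main() {
  role_arn=$1; region=$2
  valid_role_arn "$role_arn" || { echo "not an IAM role ARN: $role_arn" >&2; return 2; }
  attach_cluster_policy "$(role_name_from_arn "$role_arn")"
  for cluster in $(list_clusters "$region"); do
    ensure_access_entry "$cluster" "$role_arn" "$region"
  done
}

# Usage (the account id 123456789012 below is a constructed sample):
#   sh eks-register-role.sh "$(terraform output -raw cross_account_role_arn)" us-east-1
#   sh eks-register-role.sh arn:aws:iam::123456789012:role/airs-prod-role-2 us-east-1
if [ $# -eq 2 ]; then main "$1" "$2"; else echo "usage: $0 ROLE_ARN REGION" >&2; fi
```

Run it once per region after `terraform apply`; the ARN check stops the script before any IAM change if a user or policy ARN was pasted by mistake, and the describe-before-create step means a second run on the same clusters is a no-op.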