Cloud NGFW for AWS requires permissions to access AWS accounts, read VPC info,
create/manage endpoints, access logging destinations, and decrypt traffic.
Where Can I Use This?
What Do I Need?
Cloud NGFW for AWS
Cloud NGFW subscription
Palo Alto Networks Customer Support Account (CSP)
AWS Marketplace account
User role (either tenant or administrator)
Cloud NGFW requires permissions to access information and resources
associated with your AWS accounts. When you onboard an AWS account, a CloudFormation
Template (CFT) is provided to help you enable the permissions. When you deploy the CFT,
it creates a cross-account IAM role in your AWS account. This IAM role provides Cloud
NGFW with the permissions necessary to read VPC information required to create and
manage endpoints, send logs to logging destinations, and access certificates in the AWS
Secrets Manager for traffic decryption.
Endpoint Configuration
The cross-account IAM role requires permissions to read information about your VPC
resources, allowing you to configure NGFW endpoints in your AWS environment.
{
"Sid": "Allow Cloud NGFW to read VPC resources",
"Effect": "Allow",
"Action": [
# The first four permission are the minimum needed
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeAvailabilityZones
"ec2:DescribeVpcEndpoints",
],
"Resource": "*"
}
Endpoint Creation
(Optional) You can configure Cloud NGFW to create and manage NGFW endpoints
in your AWS account. If you choose not to configure there permissions, you must
manually create NGFW endpoints after deploying your NGFW.
(Optional) The cross-account role includes permissions required for logging
and metrics management. The template does not create the logging destinations;
instead, it provides the necessary permissions to access the specified logging
destinations. You must create the logging destinations you specify in the template.
The template provides the default value PaloAltoCloudNGFW for
a Cloudwatch Namespace and Kinesis Date Firehose. The template does not provide a
default value for an S3 Bucket. You can replace the default value with the value of
a corresponding logging destination in your AWS account.
{
"Sid": "Allow Cloud NGFW access to one Cloudwatch Namespace",
"Effect": "Allow",
"Resource": "*",
"Action": "cloudwatch:PutMetricData",
"Condition": {
"StringEquals": {
"cloudwatch:namespace": "PaloAltoCloudNGFW"
}
}
}{
"Sid":"Allow Cloud NGFW access to write logs in one LogGroup",
"Action": [
"logs:CreateLogStream",
"logs:DescribeLogStreams",
"logs:PutLogEvents",
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:PaloAltoCloudNGFW"
"arn:aws:logs:*:*:log-group:PaloAltoCloudNGFW:log-stream:*"
],
}{
"Sid": "Optionally, Allow Cloud NGFW to write logs to one S3 bucket",
"Effect": "Allow",
"Action": [
"s3:putObject"
],
"Resource": [
# this is proposal #1 - name is coded based on externalid
"arn:aws:s3:::<PaloAltoCloudNGFW-ExternalD>/*"
# this is proposal #2 - name is provided by customer in CFT.
'arn:aws:s3:::${S3Bucket}/*'
]
}{
"Sid": " Optionally, Allow Cloud NGFW to write logs to Streams",
"Effect": "Allow",
"Action": [
"firehose:putRecordBatch"
],
"Resource": [
"arn:aws:kinesis:region:account:deliveryStream/PaloAltoCloudNGFW*"
],
}
Decryption
(Optional) The cross-account role includes permissions for Cloud NGFW to
retrieve certificates from the Secrets Manager in your AWS account and use it to
decrypt traffic flowing through your NGFW. These permissions use the attribute-based
access control (ABAC) mechanism by specifying a tag for access. These permissions
are optional and you can choose not to configure them when you deploy the template.
