AWS Account(s) Linkage

Learn about how to link your AWS account.
Where Can I Use This?
  • Cloud NGFW for AWS
What Do I Need?
  • Cloud NGFW subscription
  • Palo Alto Networks Customer Support Account (CSP)
  • AWS Marketplace account
  • User role (either tenant or administrator)
A Cloud NGFW for AWS tenant is the central management entity that connects Palo Alto Networks’ Next-Generation Firewall (NGFW) service with your AWS environment. This linkage involves different types of AWS accounts—subscribed, onboarded, and allowlisted—each serving a specific purpose in managing access, billing, and service control.

Types of AWS Account Linkages

Function: Description
Subscribed Accounts: AWS accounts that have completed the Cloud NGFW for AWS subscription via AWS Marketplace. These accounts are billing-enabled, allowing Cloud NGFW to send metering records to the AWS Marketplace metering service via the billing link established with these account(s).
Onboarded Accounts: AWS accounts that are explicitly delegated to Palo Alto Networks using an IAM role. This allows the Cloud NGFW service to access AWS resources in the AWS account for storing logs in CloudWatch log groups or Kinesis Firehose, for accessing decryption certificates in AWS Secrets Manager, for harvesting resource tags, and optionally for creating and deleting NGFW endpoints.
Allowlisted Accounts (v2 tenants only): AWS accounts that have explicit access permissions granted to create VPC endpoints for a specific Cloud NGFW resource. These accounts may or may not be previously onboarded or subscribed.

Subscribed Accounts

When you get started from an AWS member account or AWS Firewall Manager account, you subscribe from your AWS Marketplace console to create a new Cloud NGFW tenant with your AWS account. You can also log in to an additional AWS account and again subscribe from your AWS Marketplace console to add an AWS account to an existing Cloud NGFW tenant.
This action establishes a billing link between the Cloud NGFW tenant and your AWS account, enabling metering records to be sent from Cloud NGFW to the AWS Marketplace Metering Service. Your existing Cloud NGFW resources remain intact when an additional account is subscribed.
When you subscribe from multiple AWS accounts to the same Cloud NGFW tenant, the Cloud NGFW tenant centralizes billing using the subscribed AWS accounts. If the first account unsubscribes, the Cloud NGFW platform dynamically selects the second subscribed account for sending metering and overage records.
For more information, see

Onboarded Accounts

You can also onboard up to 200 AWS accounts to the tenant by establishing cross-account access using AWS IAM roles that allow Cloud NGFW to access AWS resources (for storing logs in CloudWatch log groups, or Kinesis Firehose, for accessing decryption certificates in AWS Secrets Manager, harvesting resource tags, and optionally creating and managing NGFW endpoints) in the AWS account.
Each onboarded account must provide specific IAM roles and permissions to the Cloud NGFW service for granular administration and control. From then on, all administrative actions are governed by AWS IAM policies, ensuring secure and auditable delegation of permissions.
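The delegation described above rests on two IAM documents per onboarded account: the role's trust policy (who may assume it) and its permissions policy (what it may do once assumed). The audit below is an added example, not the role or template Cloud NGFW provisions during onboarding; the account IDs, external ID and policy documents are constructed placeholders, and the sts:ExternalId check reflects the general AWS cross-account pattern rather than a requirement stated on this page. It compares a weak delegation against a scoped one and reports what a reviewer of the onboarded account would want to know before granting the role.

```python
"""Audit the IAM trust and permissions policies an onboarded account delegates
to a third-party service such as Cloud NGFW.

Added example, not Cloud NGFW's own onboarding template. The account IDs, the
external ID and every policy document below are constructed placeholders, and
the sts:ExternalId check is the general AWS cross-account pattern, not a
requirement taken from this page.
"""
import json

SERVICE_ACCOUNT_ID = "111111111111"    # hypothetical account the service assumes the role from
ONBOARDED_ACCOUNT_ID = "222222222222"  # hypothetical account being onboarded
EXTERNAL_ID = "example-external-id"    # hypothetical per-tenant external ID

# Service families the page lists for the delegated role (CloudWatch Logs,
# Firehose, Secrets Manager, resource tags, VPC endpoints); anything else is flagged.
EXPECTED_ACTION_PREFIXES = ("logs:", "firehose:", "secretsmanager:", "tag:", "ec2:")

# Weak trust policy: any AWS principal may assume the role, and no external ID is required.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}

# Hardened trust policy: only the service account, and only with the tenant's external ID.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SERVICE_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Over-broad permissions: full administrative access to the onboarded account.
OVERBROAD_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Scoped permissions: only the delegated service families, on named resources where possible.
SCOPED_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": f"arn:aws:logs:*:{ONBOARDED_ACCOUNT_ID}:log-group:/ngfw/*"},
        {"Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue",
         "Resource": f"arn:aws:secretsmanager:*:{ONBOARDED_ACCOUNT_ID}:secret:ngfw/*"},
        {"Effect": "Allow", "Action": "tag:GetResources", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, service_account_id):
    """Return findings for the role's trust policy; an empty list means it passes."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(a.startswith("sts:assumerole") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {i}: principal '*' lets any AWS account assume the role")
            elif f":{service_account_id}:" not in p:
                findings.append(f"statement {i}: unexpected principal {p}")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
    return findings


def audit_permissions_policy(policy, allowed_prefixes=EXPECTED_ACTION_PREFIXES):
    """Return findings for the role's permissions policy; an empty list means it passes."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for a in actions:
            if a == "*" or not a.startswith(allowed_prefixes):
                findings.append(f"statement {i}: action '{a}' is outside the delegated scope")
        if "*" in resources and any(a.startswith("secretsmanager:") for a in actions):
            findings.append(f"statement {i}: Secrets Manager access on Resource '*' exposes every secret")
    return findings


def audit_role(trust_policy, permissions_policy, service_account_id=SERVICE_ACCOUNT_ID):
    """Combine both audits so one call answers whether the delegation is acceptable."""
    return audit_trust_policy(trust_policy, service_account_id) + audit_permissions_policy(permissions_policy)


if __name__ == "__main__":
    for label, trust, perms in (("weak", WEAK_TRUST_POLICY, OVERBROAD_PERMISSIONS),
                                ("hardened", HARDENED_TRUST_POLICY, SCOPED_PERMISSIONS)):
        print(label, json.dumps(audit_role(trust, perms), indent=2))
```

Run against a role exported with `aws iam get-role` and `aws iam get-role-policy`, the same two functions give the onboarded account's owner a repeatable check that the trust is pinned to the service's account and that the permissions do not drift beyond the log, Firehose, Secrets Manager, tag and endpoint operations the service is documented to need.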

Allowlisted Accounts (v2 tenants only)

When creating a Cloud NGFW resource, you can add one or more of your AWS accounts to its allowlist. From then on, a VPC endpoint service corresponding to the Cloud NGFW resource appears in each allowlisted AWS account. You can then create VPC endpoints in those accounts to redirect traffic to the Cloud NGFW resource.