Container environments tend to use many third-party services across multiple cloud providers. To improve accessibility and reusability, Prisma Cloud manages all credentials in a central encrypted store. Credentials are used when setting up the following integrations:
- Scanning (container registries, serverless functions, etc).
- Alerting in third party services (email, Slack, ServiceNow, etc).
- Deploying and managing Defender DaemonSets from the Console UI.
- Injecting secrets from secret stores into containers at runtime.
The credential store can be found under Manage > Authentication > Credentials Store. Credentials cannot be deleted while they are in use. To see all the places where a credential is being used, click on an entry in the credentials store table, and review the
If a credential is being used by an integration, and you edit its parameters (e.g. username, password, etc), the new values are automatically propagated to the right places in the product. You don’t need to delete and set up the integration again to refresh a credential’s values.
Prisma Cloud lets you authenticate with AWS in the following ways:
- IAM users (access keys).
- IAM roles.
- Security Token Service (STS) (Recommended when using IAM users).
AWS IAM users
An IAM user is an identity that you create in AWS. It represents a person or service that uses the IAM user to interact with AWS.
Access keys are long-term credentials for IAM users. Access keys consist of two parts: an access key ID and a secret access key. Like a username and password, you must use both the access key ID and secret access key together to authenticate requests with AWS.
The credentials store in Prisma Cloud lets you save access keys. When creating a new credential, select the Access Key subtype, and then enter an access key ID and secret access key.
As per AWS best practices, it is recommended to rotate your keys every 90 days. Prisma Cloud will raise an Alert if a saved credential is older than 90 days. If you use this option, make sure you rotate your keys at least every 90 days.
AWS IAM roles
In many cases, you can take advantage of IAM roles and their temporary security credentials rather than the long-term credentials associated with IAM users.
IAM roles are similar to IAM users. Both are identities with permission policies. The permission policy determines what an identity can (and cannot) do in AWS. However, roles don’t have any associated credentials (e.g. access keys). Instead of being uniquely associated with one person, roles are assumable by anyone who needs them. IAM users can assume a role to temporarily acquire the permissions needed to carry out a specific task.
IAM roles solve the problem of how to securely manage and distribute credentials. For example, how do you distribute credentials to new EC2 instances created by an auto scaling group? How do you rotate credentials on EC2 instances in a cluster? Instead of creating and distributing credentials, you can delegate permission to call the AWS API as follows:
- Create an IAM role.
- Specify the AWS service (e.g. EC2) that can assume the role.
- Specify the API actions and resources Prisma Cloud can use after assuming the role.
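The three steps above, as an added example that is not Prisma Cloud's own code: the trust policy that lets the EC2 service assume the role, a permission policy restricting what can be done after assuming it, and a small check that the permission policy does not fall back to wildcards. The ECR actions and the repository ARN are illustrative assumptions, not the permission set Prisma Cloud requires.

```python
# Added example, not Prisma Cloud's own code: the two policy documents behind an
# EC2-assumable IAM role, plus a least-privilege check on the permission policy.
# The ECR actions and the repository ARN are illustrative assumptions, not the
# permission set Prisma Cloud requires.


def ec2_trust_policy() -> dict:
    """Trust policy: only the EC2 service can assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def registry_read_policy(repository_arn: str) -> dict:
    """Permission policy: read-only ECR actions, scoped to one repository wherever
    the action supports resource-level permissions (GetAuthorizationToken does not)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
            {"Effect": "Allow",
             "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:DescribeImages"],
             "Resource": repository_arn},
        ],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def wildcard_findings(policy: dict) -> list:
    """Flag Allow statements that grant every action, or every resource for an
    action that could have been scoped. An empty list means the policy passes."""
    account_scoped = {"ecr:GetAuthorizationToken"}  # actions that require Resource "*"
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in _as_list(stmt.get("Resource", [])) and not set(actions) <= account_scoped:
            findings.append(f"statement {i}: wildcard resource for {actions}")
    return findings
```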