Permissions by feature

When you set up Prisma Cloud Compute to secure your cloud workloads, you’ll need to ensure you’ve granted Prisma Cloud the right permissions. The following tables list the permissions required for each of Compute’s protection capabilities.
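Granting the right permissions is only half of the job; the other half is confirming that the role Prisma Cloud assumes actually holds every action a feature needs, and nothing an organisational guardrail has since denied. As an added example (not part of this page and not Prisma Cloud's own template code), the following Python script performs that check offline against IAM policy documents: the required-action lists for Registry Scan and VM Tags Discovery are copied from the AWS table below, the two policy documents are constructed samples, and the function names are this example's own.

```python
"""Offline least-privilege check: do the attached IAM policy documents grant
every action a Prisma Cloud Compute feature requires?

Required actions are copied from the AWS table on this page. The policy
documents are constructed samples for demonstration, not Prisma Cloud's
real templates.
"""
import fnmatch

# Required actions per feature, copied from the AWS table on this page.
REQUIRED_ACTIONS = {
    "Registry Scan": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:BatchGetImage",
        "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:ListTagsForResource",
        "ecr:DescribeImageScanFindings",
    ],
    "VM Tags Discovery": ["ec2:DescribeTags"],
}


def _as_list(value):
    """IAM accepts either a string or a list for Action / Statement."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_actions(policy_documents, actions):
    """Return the subset of `actions` allowed by at least one Allow statement
    and not matched by any Deny statement (an explicit deny always wins).

    Resource, Condition and NotAction elements are ignored, so this is a
    coarse action-level check, not a full IAM policy evaluation.
    """
    allowed, denied = set(), set()
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement")):
            patterns = _as_list(stmt.get("Action"))
            hits = {a for a in actions if any(_matches(p, a) for p in patterns)}
            if stmt.get("Effect") == "Allow":
                allowed |= hits
            elif stmt.get("Effect") == "Deny":
                denied |= hits
    return allowed - denied


def missing_actions(policy_documents, feature):
    """Actions the feature needs that the given policies do not grant."""
    required = REQUIRED_ACTIONS[feature]
    return sorted(set(required) - granted_actions(policy_documents, required))


# Constructed sample: a read-only policy whose wildcards cover almost all of
# Registry Scan but leave out ecr:BatchGetImage.
SAMPLE_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ecr:Get*", "ecr:Describe*", "ecr:List*",
                       "ecr:BatchCheckLayerAvailability"],
            "Resource": "*",
        },
        {"Effect": "Allow", "Action": "ec2:DescribeTags", "Resource": "*"},
    ],
}

# Constructed sample: a guardrail policy that explicitly denies the ECR
# login call, which would silently break Registry Scan even though the
# read-only policy above allows it.
SAMPLE_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    for feature in REQUIRED_ACTIONS:
        gap = missing_actions([SAMPLE_READ_ONLY, SAMPLE_DENY], feature)
        status = "OK" if not gap else "MISSING " + ", ".join(gap)
        print(f"{feature}: {status}")
```

The policy documents fed to `missing_actions` are exactly what the `iam:GetRolePolicy` and `iam:GetPolicyVersion` calls listed in the table return for the role's inline and attached policies, so the same check can be run against a live role once those documents are fetched. Because the script ignores Resource and Condition elements, treat a clean result as a necessary, not sufficient, condition; the authoritative answer comes from `iam:SimulatePrincipalPolicy`, which the table also lists and which evaluates the full policy context.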

AWS

The Feature and Protection Mode cells apply to every permission row beneath them until the next feature. The Protection Mode cell also states which Prisma Cloud templates (read-only, read-write or both) must be updated for the feature.

| Feature | Protection Mode | Permissions | Condition | Prisma Cloud Templates Status | Role/Policy |
|---|---|---|---|---|---|
| Registry Scan | Monitor AND Monitor & Protect; update both read-only & read-write templates | ecr:GetAuthorizationToken | | V | PrismaCloud-ReadOnly-Policy-Compute |
| | | ecr:BatchCheckLayerAvailability | | V | PrismaCloud-ReadOnly-Policy-Compute |
| | | ecr:GetDownloadUrlForLayer | | V | PrismaCloud-ReadOnly-Policy-Compute |
| | | ecr:GetRepositoryPolicy | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | ecr:DescribeRepositories | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | ecr:ListImages | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | ecr:DescribeImages | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | ecr:BatchGetImage | | V | PrismaCloud-ReadOnly-Policy-Compute |
| | | ecr:GetLifecyclePolicy | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | ecr:GetLifecyclePolicyPreview | | V | PrismaCloud-ReadOnly-Policy-Compute |
| | | ecr:ListTagsForResource | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | ecr:DescribeImageScanFindings | | V | arn:aws:iam::aws:policy/SecurityAudit |
| Serverless Scan | Monitor AND Monitor & Protect; update both read-only & read-write templates | lambda:ListFunctions | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | lambda:GetFunction | | V | PrismaCloud-ReadOnly-Policy-Compute |
| | | iam:GetPolicy | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | iam:GetPolicyVersion | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | iam:GetRole | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | iam:GetRolePolicy | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | iam:ListAttachedRolePolicies | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | iam:ListRolePolicies | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | lambda:GetLayerVersion | | V | PrismaCloud-ReadOnly-Policy-Compute |
| | | kms:Decrypt | | V | PrismaCloud-ReadOnly-Policy-Compute |
| Serverless Auto Defend | Monitor & Protect ONLY; update read-write templates ONLY | lambda:PublishLayerVersion | | V | PrismaCloud-Remediation-Compute-Policy-ServerlessAutoDefend |
| | | lambda:UpdateFunctionConfiguration | | V | PrismaCloud-IAM-Remediation-Policy |
| | | lambda:GetLayerVersion | | V | PrismaCloud-ReadOnly-Policy-Compute |
| | | lambda:GetFunctionConfiguration | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | iam:SimulatePrincipalPolicy | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | lambda:GetFunction | | V | PrismaCloud-ReadOnly-Policy-Compute |
| | | lambda:ListFunctions | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | iam:GetPolicyVersion | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | iam:GetRole | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | iam:ListRolePolicies | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | iam:ListAttachedRolePolicies | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | iam:GetRolePolicy | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | iam:GetPolicy | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | lambda:ListLayerVersions | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | lambda:ListLayers | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | lambda:DeleteLayerVersion | | V | PrismaCloud-Remediation-Compute-Policy-ServerlessAutoDefend |
| | | kms:Decrypt | | V | PrismaCloud-ReadOnly-Policy-Compute |
| | | kms:Encrypt | | V | PrismaCloud-Remediation-Compute-Policy-AgentlessScanning |
| | | kms:CreateGrant | | V | PrismaCloud-Remediation-Compute-Policy-AgentlessScanning |
| Serverless Radar | Monitor & Protect ONLY; update read-write templates ONLY | cloudwatch:DescribeAlarms | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | iam:GetPolicyVersion | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | iam:GetRole | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | iam:GetPolicy | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | iam:GetRolePolicy | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | iam:ListRolePolicies | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | iam:ListAttachedRolePolicies | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | lambda:ListFunctions | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | lambda:GetFunction | | V | PrismaCloud-ReadOnly-Policy-Compute |
| | | lambda:ListAliases | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | lambda:ListEventSourceMappings | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | lambda:GetPolicy | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | kms:Decrypt | | V | PrismaCloud-ReadOnly-Policy-Compute |
| | | logs:DescribeSubscriptionFilters | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | s3:GetBucketNotification | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | elasticloadbalancing:DescribeListeners | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | elasticloadbalancing:DescribeTargetGroups | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | elasticloadbalancing:DescribeListenerCertificates | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | elasticloadbalancing:DescribeRules | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | cloudfront:ListDistributions | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | events:ListRules | | V | arn:aws:iam::aws:policy/SecurityAudit |
| | | apigateway:GET | | V | arn:aws:iam::aws:policy/SecurityAudit |
| VM Tags Discovery | Monitor AND Monitor & Protect; update both read-only & read-write templates | ec2:DescribeTags | | V | arn:aws:iam::aws:policy/SecurityAudit |
| VM Images Scan | Monitor & Protect ONLY; update read-write templates ONLY | ec2:CreateSecurityGroup | | V | PrismaCloud-Remediation-Compute-Policy-AMIScan |
| | | ec2:DescribeSecurityGroups | | | |