1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Administrator's Guide
    5. Configure External Integrations on Prisma Cloud
    6. Integrate Prisma Cloud with Amazon SQS

    Integrate Prisma Cloud with Amazon SQS

    Learn how to integrate Prisma™ Cloud with Amazon Simple Queue Service (SQS).
    If you use Amazon Simple Queue Service (SQS) to enable custom workflows for alerts, Prisma™ Cloud integrates with Amazon SQS. When you set up the integration, as soon as an alert is generated, the alert payload is sent to Amazon SQS.
    The integration gives you the flexibility to send alerts to a queue in the same AWS account that you may have onboarded to Prisma Cloud or to a queue in a different AWS account. If you want to send alerts to an SQS in a different AWS account, you must provide the relevant IAM credentials—Access Key or IAM Role.
    1. Configure Amazon SQS to receive Prisma Cloud alerts.
      1. Log in to the Amazon console with the necessary credentials to create and configure the SQS.
      2. Click
        Simple Queue Services
         (under
        Application Integration
        ).
      3. Create New Queue
         or use an existing queue.
      4. Enter a Queue Name and choose a Queue Type—
        Standard
         or
        FIFO
        .
      5. Click
        Configure Queue
        .
        For the attributes specific to the Queue, use either the AWS default selection or set them per your company policies.
        Use SSE
         to keep all messages in the Queue encrypted, and select the default AWS KMS Customer Master Key (CMK) or enter your CMK ARN.
      6. Create Queue
        .
        This creates and displays your SQS Queue
      7. Click the Queue that you created and view the
        Details
         and copy the
        URL
         for this queue.
        You provide this value in Prisma Cloud to integrate Prisma Cloud notifications in to this Queue.
    2. If you are using a Customer Managed Key to encrypt queues in Amazon SQS, you must configure the Prisma Cloud Role with explicit permission to read the key.
      1. On the Amazon console, select
        KMS
        Customer Managed Keys
         and
        Create Key
        .
        Refer to the AWS documentation for details on creating keys.
      2. Enter an Alias and Description, and add any required
        Tags
         and click
        Next
        .
      3. Select the IAM users and roles who can use this key through the
        KMS
         API and click
        Next
        .
      4. Select the IAM users and roles who can use this key to encrypt and decrypt the data.
      5. Review the key policy and click
        Finish
        .
    3. Enable read-access permissions to Amazon SQS on the IAM Role policy.
      The Prisma Cloud IAM Role policy you use to onboard your AWS setup needs these permissions: 
      "sqs:GetQueueAttributes", "sqs:ListQueues","sqs:SendMessage", "sqs:SendMessageBatch", "tag:GetResources","iam:GetRole
      If you have configured Server-Side Encryption (SSE) for SQS, you must also include the
      kms:GenerateDataKey
       IAM permission.
      If you used the CFT templates to onboard your AWS account and the SQS queue belongs to the same cloud account, Prisma Cloud IAM Role policy already has the permissions required for Amazon SQS. If the SQS belongs to a different cloud account, you must provide the relevant IAM credentials—Access Key or IAM Role—when you enable the SQS integration in the next step.
    4. Set up Amazon SQS integration in Prisma Cloud.
      1. Log in to Prisma Cloud.
      2. Select
        Settings
        Integrations
        .
      3. Set the
        Integration Type
         to
        Amazon SQS
        .
      4. Enter a
        Name
         and
        Description
         for the integration.
      5. Enter the
        Queue URL
         that you copied when you configured Prisma Cloud in Amazon SQS.
        The queue URL format on AWS China should be https://sqs.<China region api identifier>.amazonaws.com.cn/<account id>/<queue name>.
      6. (
        Optional
        ) Select
        More Options
         to provide IAM credentials associated with a different AWS account.
        By default, Prisma Cloud accesses the SQS queue using the same credentials with which you onboarded the AWS account to Prisma Cloud. If your queue is in a different account or if you want to authorize access using a separate set of IAM security credentials, you can pick of the following options.
        Select the
        IAM Access Key
         and enter the Access Key and Secret Key, or
        IAM Role
         and enter the External ID and Role ARN.
        The External ID associated with the IAM role must be a UUID in a 128-bit format, and not any random string. For your convenience, the External ID is automatically generated on the Prisma Cloud web console when you click
        Generate
        . You must manually create one if you’re using the Prisma Cloud API.
        Any existing integrations will continue to work. If you modify an existing Amazon SQS integration, you must replace the External ID to complete the validation check and save your changes.
        This IAM permissions for both options must include
        sqs:SendMessage
         and
        sqs:SendMessageBatch
        . Additionally, the
        kms:GenerateDataKey
         is required if you have configured Server-Side Encryption (SSE) for SQS.
      7. Click
        Next
         and then
        Test
        .
        You should receive a success message.
      8. Click
        Save
        .
        After you set up the integration successfully, if the SQS URL is unresponsive, the status red (
        Settings
        Integrations
        ) and green when the issue is resolved.
    5. Create an Alert Rule for Run-Time Checks or modify an existing rule to enable the Amazon SQS Integration.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo