1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Administrator's Guide
    5. Connect Your Cloud Platform to Prisma Cloud
    6. Onboard Amazon Web Services
    7. Configure Audit Logs

    Configure Audit Logs

    Prisma Cloud by default uses the Amazon CloudTrail service to fetch the change events (ingest the audit logs). You can configure near real-time visibility in Prisma Cloud to ingest the audit logs using Amazon EventBridge on your onboarded AWS accounts, which enables Prisma Cloud to move from a pull to a push method that triggers ingestion only when changes are made on the resources.
    Prisma Cloud config ingestion leverages EventBridge and event-assisted ingestion to reduce the time to alert for any misconfigurations or policy violations as well as reduce the number of API calls. It makes the API call only if resource configuration has changed.
    • If you delete or disable your account, the associated EventBridge rules are correspondingly deleted or disabled in your AWS accounts and Prisma Cloud will not ingest audit logs or process audit logs policies.
    • Ingesting audit logs using EventBridge is only applicable for the management account enabled regions for all the member accounts that are part of the organization. If you individually disable a member account, specific rules for that member account are disabled.
    • When you run the CFT, Prisma Cloud creates rules in all accounts (including member) in only those regions where the management account is enabled.
    • If you delete EventBridge rules from your AWS accounts, Prisma Cloud will not ingest audit logs and will not process audit logs policies. There will also be a significant delay in processing config policies and generating the corresponding alerts.
    • If an AWS region does not support EventBridge, Prisma Cloud cannot support event-assisted ingestion for that region.
    1. After you Onboard Your AWS Account or Onboard Your AWS Organization, select
      Settings
      Cloud Accounts
      .
      The steps to configure EventBridge are the same for your cloud account and organization. When you configure it for organization, make sure to run the CFT in the management account.
    2. Click the
      View
       ( ) icon next to the AWS account or organization for which you want to ingest the audit logs using EventBridge.
    3. Click
      Misconfigurations
      .
    4. Click
      Configure
       under
      Near Real-Time Visibility
      .
    5. Configure Details
      .
      1. Click
        Download EventBridge CFT
        .
        When you run the CFT Prisma Cloud creates rules for all accounts (including member accounts) in only those regions where the management account is enabled.
        If an error message displays when you click
        Download EventBridge CFT
        , you need to first
        Download IAM Role CFT
         and complete the required steps in your AWS console before continuing with EventBridge configuration.
      2. Log in to your AWS account and follow the steps to create a stack, select
        I acknowledge that AWS CloudFormation might create IAM resources with custom names
        , and click
        Create Stack
        .
      3. Wait for status to display CREATE_COMPLETE.
    6. Return to your Prisma Cloud console.
    7. Click
      Next
      .
    8. Review Status
      .
      Review the status of the configuration. Once the template is run successfully on your account, a
      Successful
       message is displayed for each region and Prisma Cloud starts to ingest audit logs from Amazon EventBridge.
    9. Click
      Save
      .
      The corresponding EventBridge Rules are displayed in AWS.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo