Manually Set Up Prisma Cloud Role for AWS Accounts
To monitor your AWS account, create the roles (manually) and authorize the permissions for Prisma Cloud.
If you do not want to use the guided onboarding flow that automates the creation of the roles Prisma Cloud requires to secure your AWS accounts, you must create the roles manually. To monitor your AWS account, create a role that grants Prisma Cloud access to your flow logs together with either read-only access (to retrieve and view the traffic log data) or limited read-write access (to retrieve traffic log data and remediate incidents). To authorize the permissions, copy the policies from the relevant template and attach them to the role. Event logs associated with the monitored cloud account are retrieved automatically by Prisma Cloud.
- Download the CFT template from Prisma Cloud.
  - See Onboard Your AWS Account and follow the steps to Download IAM Role CFT.
  - Search for the ExternalID field within the template.
  - Copy the ExternalID value; you will paste it into the AWS console as described in the next step.
- Log in to the AWS Management Console to create a role for Prisma Cloud. Refer to the AWS documentation for instructions. Create the role in the same region as your AWS account, and use the following values and options when creating the role:
  - Type of trusted entity: Another AWS Account, and enter the Account ID: 188619942792
  - Select Require external ID and paste the ExternalID value that you copied in Step 1 above.
  - Do not enable MFA. Verify that Require MFA is not selected.
  - Click Next and add the AWS Managed Policy for Security Audit. Add a role name and create the role. Later in this workflow you will create the granular policies and edit the role to attach the additional policies.
- Get the granular permissions from the AWS CFT for your AWS environment. The Prisma Cloud S3 bucket has read-only templates and read-and-write templates for the public AWS, AWS GovCloud, and AWS China environments.
  - Download the template you need. If you onboarded your AWS accounts on Prisma Cloud after December 8, 2022, you do not need to download the static CFTs from the Links to Legacy CFTs below. For backward compatibility, Prisma Cloud will support onboarding using static CFTs until further notice.
  - Identify the permissions you need to copy. To create the policy manually, you add the required permissions inline using the JSON editor. The read-only template lists the granular permissions for the PrismaCloud-IAM-ReadOnly-Policy, and the read-write template lists the granular permissions for the PrismaCloud-IAM-ReadOnly-Policy and the PrismaCloud-IAM-Remediation-Policy. For AWS accounts you onboard to Prisma Cloud, if you do not use the host, serverless functions, and container capabilities enabled with Prisma Cloud Compute, you do not need the permissions associated with these roles:
    - PrismaCloud-ReadOnly-Policy-Compute role—CFT used for Monitor mode; includes additional permissions associated with this new role to enable monitoring of resources that are onboarded for Prisma Cloud Compute.
    - PrismaCloud-Remediation-Policy-Compute role—CFT used for Monitor & Protect mode; includes additional permissions associated with this new role to enable read-write access for monitoring and remediating resources that are onboarded for Prisma Cloud Compute.
  - Open the appropriate template using a text editor.
  - Find the policies you need and copy them to your clipboard. Copy the details for one or both permission sets, and make sure to include the opening and closing brackets for valid syntax, as shown below.
- Create the policy that defines the permissions for the Prisma Cloud role. Both the read-only role and the read-write role require the AWS Managed Policy SecurityAudit. In addition, enable the granular permissions for the PrismaCloud-IAM-ReadOnly-Policy for the read-only role; for the read-write role, add the PrismaCloud-IAM-ReadOnly-Policy and the limited permissions for the PrismaCloud-IAM-Remediation-Policy.
  - Select IAM on the AWS Management Console.
  - In the navigation pane on the left, choose Access Management > Policies > Create policy.
  - Select the JSON tab. Paste the JSON policies that you copied from the template within the square brackets for Statement. If you are enabling both read and read-write permissions, make sure to append the read-write permissions within the same Action statement.
  - Review and create the policy.
- Edit the role you created previously and attach the policy to the role.
- Required only if you want to use the same role to access your CloudWatch log group: update the trust policy to allow access to the CloudWatch log group. Edit the Trust Relationships to add the statement listed below. This ensures that your role has a trust relationship that lets the flow logs service assume the role and publish logs to the CloudWatch log group.

    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }

- Copy the Role ARN.
- Resume with the account onboarding flow in Onboard Your AWS Account.

Links to Legacy CFTs
If you onboarded your AWS accounts on Prisma Cloud after December 8, 2022, you cannot download the static CloudFormation templates (CFTs) from the list below. You must download the template from the Prisma Cloud console. For backward compatibility, Prisma Cloud provides these static CFTs until further notice.
- View the legacy templates.

| Environment | Role | S3 Template URL |
| --- | --- | --- |
| AWS Public Cloud (AWS account and AWS Organization, master account) | Read-Only | https://s3.amazonaws.com/redlock-public/cft/rl-read-only.template |
| AWS Public Cloud (AWS account and AWS Organization, master account) | Read-Write (Limited) | https://s3.amazonaws.com/redlock-public/cft/rl-read-and-write.template |
| For member accounts within AWS Organizations | Read-Only | https://s3.amazonaws.com/redlock-public/cft/rl-read-only-member.template |
| For member accounts within AWS Organizations | Read-Write (Limited) | https://s3.amazonaws.com/redlock-public/cft/rl-read-and-write-member.template |
| Use this template if you plan to enable Prisma Cloud Data Security | Read-Only | https://redlock-public.s3.amazonaws.com/cft/rl-dlp-read-only.template |
| Use this template if you plan to enable Prisma Cloud Data Security | Read-Write (Limited) | https://redlock-public.s3.amazonaws.com/cft/rl-dlp-read-and-write.template |
| AWS GovCloud | Read-Only | https://s3.amazonaws.com/redlock-public/cft/redlock-govcloud-read-only.template |
| AWS GovCloud | Read-Write (Limited) | https://s3.amazonaws.com/redlock-public/cft/redlock-govcloud-read-and-write.template |
| AWS China | Read-Only | https://s3.amazonaws.com/redlock-public/cft/rl-cn-read-only.template |
| AWS China | Read-Write (Limited) | https://s3.amazonaws.com/redlock-public/cft/rl-cn-read-and-write.template |
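The role setup in Steps 2 through 6 above, as an added Python example that is not part of the original page or of Prisma Cloud's own tooling. It builds the trust policy the AWS console produces for "Another AWS Account" with "Require external ID", optionally adds the vpc-flow-logs service principal from Step 6, checks that the result still meets the page's constraints (Prisma Cloud account 188619942792 as the trusted principal, sts:ExternalId required, no MFA condition, no wildcard principal), and folds copied statement fragments into a single Action list as Step 4 describes. The EXTERNAL_ID_PLACEHOLDER value and the two permission fragments are constructed stand-ins, not values from the CFT, and the principal ARN assumes the public AWS partition.

```python
import json

# Value from the page: the Prisma Cloud AWS account that assumes the role.
PRISMA_CLOUD_ACCOUNT_ID = "188619942792"
# Placeholder: replace with the ExternalID value copied from the downloaded CFT (Step 1).
EXTERNAL_ID_PLACEHOLDER = "EXTERNAL-ID-FROM-CFT"


def build_trust_policy(external_id, include_flow_logs=False):
    """Trust policy for the Prisma Cloud role (Steps 2 and 6).

    The Prisma Cloud account may assume the role only when it presents the
    ExternalID, and no MFA condition is attached. With include_flow_logs=True
    the VPC Flow Logs service principal is also trusted, as in Step 6.
    Assumes the public AWS partition ("arn:aws"); GovCloud and China use
    different partition prefixes.
    """
    statements = [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::%s:root" % PRISMA_CLOUD_ACCOUNT_ID},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]
    if include_flow_logs:
        statements.append({
            "Effect": "Allow",
            "Principal": {"Service": "vpc-flow-logs.amazonaws.com"},
            "Action": "sts:AssumeRole",
        })
    return {"Version": "2012-10-17", "Statement": statements}


def check_trust_policy(doc):
    """Return a list of findings; an empty list means the trust policy matches
    the requirements in Step 2 (Prisma account, external ID required, no MFA)."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("wildcard principal")
            continue
        aws_principal = principal.get("AWS")
        if aws_principal is None:
            continue  # service principals (e.g. vpc-flow-logs) need no external ID
        if aws_principal == "*":
            findings.append("wildcard AWS principal")
        elif PRISMA_CLOUD_ACCOUNT_ID not in str(aws_principal):
            findings.append("AWS principal is not the Prisma Cloud account")
        condition = stmt.get("Condition", {})
        if not condition.get("StringEquals", {}).get("sts:ExternalId"):
            findings.append("missing sts:ExternalId condition")
        if "aws:MultiFactorAuthPresent" in json.dumps(condition):
            findings.append("MFA condition present; the page says not to require MFA")
    return findings


# Constructed stand-ins for the statement fragments copied out of the CFT in
# Step 3; they are not the real Prisma Cloud permission lists.
READ_ONLY_FRAGMENT = [
    {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "logs:DescribeLogGroups"], "Resource": "*"}
]
REMEDIATION_FRAGMENT = [
    {"Effect": "Allow", "Action": ["s3:PutBucketAcl", "logs:DescribeLogGroups"], "Resource": "*"}
]


def merge_policy_fragments(*fragments):
    """Fold the Allow statements of several fragments into one policy document
    with a single Action list, as Step 4 asks when read and read-write
    permissions are combined. Duplicate actions are kept once."""
    actions = []
    for fragment in fragments:
        for stmt in fragment:
            acts = stmt["Action"]
            for action in ([acts] if isinstance(acts, str) else acts):
                if action not in actions:
                    actions.append(action)
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}],
    }


if __name__ == "__main__":
    trust = build_trust_policy(EXTERNAL_ID_PLACEHOLDER, include_flow_logs=True)
    print(json.dumps(trust, indent=2))
    print("trust policy findings:", check_trust_policy(trust))
    print(json.dumps(merge_policy_fragments(READ_ONLY_FRAGMENT, REMEDIATION_FRAGMENT), indent=2))
```

Run it once to print the two documents you would paste into the console, and run check_trust_policy against the role's actual trust policy after editing it: any finding means the role either trusts more than the Prisma Cloud account or can be assumed without the ExternalID from the CFT.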