Onboard Your AWS Account

To onboard your AWS public, AWS China, or AWS GovCloud accounts on Prisma Cloud in order to monitor and analyze your resources deployed on AWS, use the following workflow.
If you want Prisma Cloud to ingest VPC flow logs and any other integrations, such as Amazon GuardDuty, Amazon S3, or AWS Inspector, you must enable those services on the AWS management console. The CloudFormation template (CFT) enables the ingestion of configuration data, Amazon S3 flow logs, AWS CloudTrail logs, and Amazon EventBridge (audit events) only. You can configure VPC flow logs and any other integrations, such as Amazon GuardDuty or AWS Inspector, after onboarding the account.
Prisma Cloud does not support shared VPCs.
  1. Before you begin onboarding your AWS account, decide whether you want to use the automated or manual process to create the roles that authorize permissions for Prisma Cloud.
    The onboarding workflow below automates the process of creating the Prisma Cloud role and adding the permissions required to secure your AWS account. If you want to create these roles manually instead, see Manually Set Up Prisma Cloud Role for AWS Accounts.
    1. Log in to your AWS console to create a CloudWatch log group.
      The CloudWatch log group defines where the log streams are recorded.
      1. Select Services > CloudWatch > Logs > Create log group.
      2. Enter a name for the log group and click Create.
    2. Enable flow logs.
      1. Select Services > VPC > Your VPCs.
      2. Select the VPC to enable flow logs for and select Actions > Create flow log.
      3. Set the Filter to Accept or All.
        Setting the filter to All enables Prisma Cloud to retrieve accepted and rejected traffic from the flow logs. Setting the filter to Accept retrieves accepted traffic only. If you set the filter to Reject, Prisma Cloud will not retrieve any flow log data.
      4. Verify that the Destination is configured to Send to CloudWatch Logs.
      5. Select the Destination log group you created above.
      6. Create a new IAM Role or use an existing one to publish flow logs to the CloudWatch Log group.
        If you are using an existing IAM role to publish logs to the CloudWatch log group, you must edit the IAM role to include the following permissions.
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents"
              ],
              "Effect": "Allow",
              "Resource": "*"
            }
          ]
        }
        You will also need to Manually Set Up Prisma Cloud Role for AWS Accounts so that the IAM role can access the CloudWatch Log group.
      7. Click Create flow log.
  2. Access Prisma Cloud and select Settings > Cloud Accounts > Add Cloud Account.
  3. Select Amazon Web Services as the cloud account you want to onboard and click Get Started.
    1. Select Account under Scope.
    2. Select the Security Capabilities and Permissions that you want to enable for the AWS account.
      The capabilities are grouped into Foundational and Advanced. Based on your selection, Prisma Cloud dynamically generates a CFT that includes the associated permissions for the Prisma Cloud role.
      • The Foundational (recommended) capabilities are enabled by default:
        • Misconfigurations grants the permissions required to scan cloud resources and ingest metadata.
        • Identity Security grants the permissions required to calculate net effective permissions for identities and manage access.
        • Agentless Workload Scanning (selected by default) enables and adds the permissions required to scan hosts and containers for vulnerabilities and compliance risks without having to install a defender. If you do not want the Agentless Workload Scanning capability, you can deselect the checkbox. Scans start automatically once you onboard your organization. You can also update the scanning configuration for agentless scans.
      • The Advanced (additional) capabilities are:
        • Threat Detection (enabled by default) grants the permissions required to detect DNS, network, and identity threats.
        • Serverless Function Scanning enables and adds the permissions required to scan cloud provider functions, such as AWS Lambda, Azure, and Google functions, for vulnerabilities and compliance. Scans start automatically once you onboard your organization. You can also update the scanning configuration for serverless scans.
        • Agent-Based Workload Protection adds the permissions required for automated deployment of defenders to secure cloud VMs, containers, and Kubernetes orchestrators. Registry scanning, Kubernetes audits, and other features required by defenders are also enabled.
        • Data Security scans your resources to prevent data leaks. This feature is not enabled by default. After you onboard your account, further steps are required to Configure Data Security scans.
    3. Click Next.
  4. Configure Account.
    1. Enter an Account ID and Cloud Account Name.
      A cloud account name uniquely identifies your AWS account on Prisma Cloud. The unique account ID is used to establish the trust relationship in the role's trust policy, which you will need later in the onboarding process.
    2. Enable Remediation (optional) to grant permissions to remediate misconfigured resources from Infrastructure as Code (IaC) templates. After you enable it, the Prisma Cloud role gets read-write access permissions to your AWS organization to successfully execute remediation commands.
    3. Click Create IAM Role only if your role has permissions to log in to your AWS management console in order to create a stack; otherwise, click Download IAM Role CFT. Depending on your selection, click View Steps under each to follow the steps to generate the IAM Role ARN.
      To automate the process of creating the Prisma Cloud role that is trusted and has the permissions required to retrieve data on your AWS deployment, Prisma Cloud uses a CFT. The CFT enables the ingestion of configuration data, Amazon S3 flow logs, and AWS CloudTrail logs (audit events) only; it does not enable VPC flow logs for your AWS account.
      Make sure that you are already logged in to your AWS management console before you click Create IAM Role. Prisma Cloud creates a dynamic link that opens the Quick create stack page in your AWS management console based on the Security Capabilities and Permissions you selected. The details are uploaded automatically and you do not need to enter them manually in order to create the stack. Make sure you complete the onboarding process within 1 hour; otherwise the link expires and you will have to click Create IAM Role again. If you have installed browser plugins and have pop-ups blocked, first allow pop-ups and then click Create IAM Role to continue the process.
      Once you Download IAM Role CFT, it is valid for 30 days. Even if you close the dialog before completing the onboarding process, you can onboard again within 30 days using the same Account ID and Role ARN created with the previously downloaded CFT.
    4. Paste the IAM Role ARN.
    5. Select one or more account groups or select Default Account Group.
      You must assign each cloud account to an account group and create an Alert Rule for run-time checks to associate with that account group to generate alerts when a policy violation occurs.
    6. Click Next.
  5. Review Status.
    Verify the Details of the AWS Account and the status checks for the Security Capabilities you selected while onboarding the account on Prisma Cloud.
    1. Ensure that all the security capabilities you selected display a green Successful or Enabled checkmark.
    2. For the security capabilities that display a red Checks Failed icon, click the corresponding drop-down to view the cause of failure. To resolve the issue, see Troubleshoot AWS Onboarding Errors.
    3. Click Save and Close to complete onboarding or Save and Onboard Another Account.
      After you successfully onboard your AWS account on Prisma Cloud, the account is automatically available in Compute and enabled for Workload Discovery and Serverless function scans. For Agentless scans, you have to complete the configuration to trigger the scan.
      You can view the newly onboarded AWS account on the Cloud Accounts page.
      • Prisma Cloud checks whether Compute permissions are enabled only if you have one or more compute workloads deployed on the AWS cloud accounts that are onboarded. The cloud status transitions from green to amber only when you have compute workloads deployed and the additional permissions are not enabled for remediation.
      • If you have services that are not enabled on your AWS account, the status screen provides details.
      • Configure Flow Logs if you want to enable monitoring of VPC flow log data published to S3 buckets in a Logging Account that you need to onboard.
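The flow-log settings in step 1 (filter set to All or Accept, destination Send to CloudWatch Logs, and the five logs:* permissions on the delivery role) are the usual reasons flow-log data never reaches Prisma Cloud after onboarding. The following preflight check is an added example, not Prisma Cloud's or AWS's own code: it takes the FlowLogs list in the shape returned by `aws ec2 describe-flow-logs` plus the IAM policy documents of the delivery roles, and reports, per flow log, which of the page's requirements is not met. The flow-log records, role ARNs, and policy documents are constructed sample data; the policy matching uses IAM's `*` wildcard semantics for action names.

```python
"""Preflight check for the VPC flow-log setup described above (added example)."""
import fnmatch
import json

# Permissions the page requires on the IAM role that publishes flow logs.
REQUIRED_LOG_ACTIONS = (
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
    "logs:PutLogEvents",
)

# Constructed sample: FlowLogs entries as returned by `aws ec2 describe-flow-logs`.
SAMPLE_FLOW_LOGS = [
    {"FlowLogId": "fl-0aaa", "ResourceId": "vpc-0aaa", "TrafficType": "ALL",
     "LogDestinationType": "cloud-watch-logs", "LogGroupName": "prisma-flow-logs",
     "DeliverLogsPermissionArn": "arn:aws:iam::111122223333:role/flowlogs-role",
     "FlowLogStatus": "ACTIVE"},
    {"FlowLogId": "fl-0bbb", "ResourceId": "vpc-0bbb", "TrafficType": "REJECT",
     "LogDestinationType": "cloud-watch-logs", "LogGroupName": "prisma-flow-logs",
     "DeliverLogsPermissionArn": "arn:aws:iam::111122223333:role/legacy-role",
     "FlowLogStatus": "ACTIVE"},
    {"FlowLogId": "fl-0ccc", "ResourceId": "vpc-0ccc", "TrafficType": "ACCEPT",
     "LogDestinationType": "s3", "LogDestination": "arn:aws:s3:::example-bucket",
     "FlowLogStatus": "ACTIVE"},
]

# Constructed sample: policy documents keyed by delivery-role ARN. The first is the
# policy from the page; the second is an older role that lacks logs:PutLogEvents.
SAMPLE_ROLE_POLICIES = {
    "arn:aws:iam::111122223333:role/flowlogs-role": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Action": list(REQUIRED_LOG_ACTIONS),
                       "Effect": "Allow", "Resource": "*"}],
    }),
    "arn:aws:iam::111122223333:role/legacy-role": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                                  "logs:DescribeLogGroups", "logs:DescribeLogStreams"],
                       "Effect": "Allow", "Resource": "*"}],
    }),
}


def allowed_actions(policy_json):
    """Return every action pattern granted by an Allow statement in the policy."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):          # IAM permits a single bare statement
        statements = [statements]
    patterns = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):          # "Action" may be a string or a list
            actions = [actions]
        patterns.update(actions)
    return patterns


def missing_log_permissions(policy_json):
    """Required logs:* actions not covered by any Allow pattern (wildcards honoured)."""
    patterns = allowed_actions(policy_json)
    return [action for action in REQUIRED_LOG_ACTIONS
            if not any(fnmatch.fnmatchcase(action, pat) for pat in patterns)]


def check_flow_log(flow_log, role_policies):
    """List the reasons this flow log would not feed Prisma Cloud; empty means OK."""
    findings = []
    if flow_log.get("FlowLogStatus") != "ACTIVE":
        findings.append("flow log is not ACTIVE")
    if flow_log.get("TrafficType") == "REJECT":
        findings.append("filter is REJECT: Prisma Cloud retrieves no data; use ALL or ACCEPT")
    if flow_log.get("LogDestinationType") != "cloud-watch-logs":
        findings.append("destination is not CloudWatch Logs; this workflow expects "
                        "Send to CloudWatch Logs")
        return findings                        # delivery role is irrelevant for S3
    if not flow_log.get("LogGroupName"):
        findings.append("no destination log group set")
    role_arn = flow_log.get("DeliverLogsPermissionArn")
    if role_arn not in role_policies:
        findings.append(f"no policy supplied for delivery role {role_arn}")
    else:
        missing = missing_log_permissions(role_policies[role_arn])
        if missing:
            findings.append("delivery role lacks: " + ", ".join(missing))
    return findings


def check_all(flow_logs, role_policies):
    """Map each FlowLogId to its findings."""
    return {fl["FlowLogId"]: check_flow_log(fl, role_policies) for fl in flow_logs}


if __name__ == "__main__":
    for flow_log_id, findings in check_all(SAMPLE_FLOW_LOGS, SAMPLE_ROLE_POLICIES).items():
        print(f"{flow_log_id}: {'OK' if not findings else '; '.join(findings)}")
```

In a real account, feed `check_all` the `FlowLogs` array from `aws ec2 describe-flow-logs` and the policy documents retrieved for each `DeliverLogsPermissionArn`; any non-empty finding points at the exact step above to revisit before expecting flow-log data in Prisma Cloud.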
