Onboard Your AWS Organization
If you have consolidated access to AWS services and resources across your company within AWS Organizations, you can onboard the AWS master account on Prisma Cloud. When you enable AWS Organizations in the AWS Management Console and add the root (master) account, which acts as the payer account responsible for all charges accrued by the accounts in its organization, all member accounts within the hierarchy are added to Prisma Cloud in one streamlined operation.
To onboard your AWS Organization on Prisma Cloud, you must first deploy a CFT in the master account to create the Prisma Cloud role that protects the resources deployed in the master account. Then you use CloudFormation StackSets to automate the creation of the Prisma Cloud role in each member account, which authorizes Prisma Cloud to access that account. When you later add a new member account to your AWS organization, it is onboarded automatically on Prisma Cloud within a few (up to six) hours.
- If you want to exclude one or more Organizational Units (OUs) and all the member accounts they include, you can manually disable the individual member accounts on Prisma Cloud after they are onboarded. Alternatively, to onboard only a subset of accounts, exclude those OUs when deploying the StackSet so that the Prisma Cloud role is created only in the OUs whose accounts you want to onboard.
- If you had previously onboarded your AWS master account as a standalone or individual account, you must re-add the account as an organization. All your existing data on assets monitored, alerts generated, or account groups created is left unchanged. After you onboard your account as an AWS organization, you cannot roll back. To add the account as a standalone or individual account again, you must delete the organization on Prisma Cloud and follow the instructions in Onboard Your AWS Account.
- If you had previously onboarded an AWS account that is a member of the AWS organization you now add on Prisma Cloud, all your existing data on assets monitored, alerts generated, or account groups created is left unchanged. On Prisma Cloud, the member account is logically grouped under the AWS organization. When you delete the AWS organization on Prisma Cloud, you can recover all the existing data related to these accounts if you re-onboard them within 24 hours. After 24 hours, the data is deleted from Prisma Cloud.
- Access Prisma Cloud and select Settings > Cloud Accounts > Add Cloud Account.
- Select Amazon Web Services as the cloud account you want to onboard and click Get Started.
- Select Organization under Scope for better security coverage.
- Select the Security Capabilities and Permissions that you want to enable for the AWS organization. The capabilities are grouped into Foundational and Advanced. Based on your selection, Prisma Cloud dynamically generates a CFT that includes the associated permissions for the Prisma Cloud role.
  - Use the Foundational (recommended) capabilities at the start of your organization's cloud adoption journey to effectively manage assets in the cloud and on-premises. The Foundational capabilities are enabled by default:
    - Misconfigurations grants the permissions required to scan cloud resources and ingest metadata.
    - Identity Security grants the permissions required to calculate net effective permissions for identities and manage access.
    - Agentless Workload Scanning (selected by default) adds the permissions required to scan hosts and containers for vulnerabilities and compliance risks without installing a Defender. If you do not want this capability, clear the checkbox. Scans start automatically once you onboard your organization; you can also update the scanning configuration for agentless scans later.
  - Use the Advanced (additional) capabilities to proactively control your cloud operations and identify and remediate issues before they manifest in your runtime environments. The Advanced capabilities that you can choose to enable are:
    - Threat Detection (enabled by default) grants the permissions required to detect DNS, Network, and Identity threats.
    - Serverless Function Scanning adds the permissions required to scan cloud provider functions, such as AWS Lambda, Azure, and Google Cloud functions, for vulnerabilities and compliance. Scans start automatically once you onboard your organization; you can also update the scanning configuration for serverless scans later.
    - Agent-Based Workload Protection adds the permissions required to automatically deploy Defenders that secure cloud VMs, containers, and Kubernetes orchestrators. Registry scanning, Kubernetes audits, and other features required by Defenders are also enabled.
- Configure Account.
  - Enter the Account ID (Management Account ID) and a Cloud Account Name that uniquely identifies your AWS Organization on Prisma Cloud.
  - Enable Remediation (optional) to grant permissions to remediate misconfigured resources from Infrastructure as Code (IaC) templates. After you enable it, the Prisma Cloud role gets read-write access permissions to your AWS organization so that it can execute remediation commands.
  - To set up the Prisma Cloud role on the AWS master account, choose Create IAM Role or Download IAM Role CFT. Click the corresponding View Steps and follow those steps to generate the IAM Role ARN. The Prisma Cloud ARN carries the External ID and the permissions required to authenticate Prisma Cloud to your AWS organization. Once you Download IAM Role CFT, it is valid for 30 days. Even if you close the dialog before completing the onboarding process, you can onboard again within 30 days using the same Account ID and Role ARN created with the previously downloaded CFT. After you download the CFT from Prisma Cloud and before you upload and create a stack using that CFT, make sure that you enable Trusted access for AWS Account Management if you have not previously enabled it:
    - Sign in to your AWS Organization management account. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.
    - Select AWS Organizations from the list of Services.
    - Click Services in the left navigation pane.
    - Choose AWS Account Management from the list of services.
    - Select Enable trusted access.
    - Click Services again and choose CloudFormation StackSets from the list of services.
    - Select Enable trusted access.
  - Make sure that you enter the correct OrganizationalUnitIds from your organization structure. Provide the organization's root ID (prefix r-) to deploy to all the accounts in the organization; otherwise provide a comma-separated list of OU IDs (prefix ou-).
  - Paste the IAM Role ARN.
  - Select Member Accounts. Prisma Cloud recommends that you select All member accounts.
  - Select an Account Group. During initial onboarding, you must assign all the member cloud accounts within the AWS Organization hierarchy to one account group. Then create an Alert Rule for run-time checks and associate it with that account group so that alerts are generated when a policy violation occurs. If you want to assign AWS member accounts to different account groups on Prisma Cloud, you can edit the cloud account settings later.
- Review Status. Verify the Details of the AWS Organization and the status checks for the Security Capabilities you selected while onboarding the organization on Prisma Cloud.
  - Ensure that all the security capabilities you selected display a green Enabled icon.
  - For security capabilities that display a red Checks Failed icon, click the corresponding drop-down to view the cause of the failure. To resolve the issue, see Troubleshoot AWS Onboarding Errors.
- Click Save and Close to complete onboarding, or Save and Onboard Another Account. After you successfully onboard your AWS account on Prisma Cloud, the account is automatically available in Compute and enabled for Workload Discovery and Serverless function scans. For Agentless scans, you have to complete the configuration to trigger the scan. You can view the newly onboarded AWS organization on the Cloud Accounts page.
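The procedure above relies on three things a practitioner should be able to check before uploading anything: the cross-account role's trust policy must carry the External ID condition (the guard that stops a confused-deputy assumption of the role), the OrganizationalUnitIds parameter must be a single root ID or a clean list of OU IDs, and the StackSet must target those OUs so the role lands in every member account. The following Python is an added example, not Prisma Cloud's CFT or any code from the vendor; it builds a minimal template of the same shape, reviews its trust policy, and validates the OU parameter. The trusted account ID, external ID, role name, logical resource ID and OU IDs are constructed placeholders, and the SecurityAudit managed policy stands in for the capability-specific permissions that the vendor's generated CFT attaches.

```python
"""Build and sanity-check a cross-account IAM role template and its StackSet targets.

Illustrative code only: not the vendor's CFT. All IDs below are constructed placeholders."""
import json
import re

# ID shapes documented by AWS Organizations: root "r-xxxx", OU "ou-xxxx-xxxxxxxx".
ROOT_ID_RE = re.compile(r"^r-[0-9a-z]{4,32}$")
OU_ID_RE = re.compile(r"^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$")


def parse_ou_ids(raw: str) -> list:
    """Split a comma-separated OrganizationalUnitIds value and validate every entry.

    Accepts either one root ID (r-...) to target every account in the organization, or
    one or more OU IDs (ou-...). Mixing the two is rejected: the root already covers all OUs."""
    ids = [part.strip() for part in raw.split(",") if part.strip()]
    if not ids:
        raise ValueError("OrganizationalUnitIds must not be empty")
    for ou_id in ids:
        if not (ROOT_ID_RE.match(ou_id) or OU_ID_RE.match(ou_id)):
            raise ValueError(f"not a root or OU ID: {ou_id!r}")
    if len(ids) > 1 and any(ROOT_ID_RE.match(ou_id) for ou_id in ids):
        raise ValueError("a root ID already targets all accounts; do not combine it with OU IDs")
    return ids


def build_role_template(trusted_account_id: str, external_id: str, role_name: str) -> dict:
    """Return a CloudFormation template (JSON form) that creates the cross-account role.

    The trust policy lets the trusted account assume the role only when it presents the
    expected ExternalId; without that condition, anyone who can route a request through
    the trusted account (confused deputy) could assume the role with just its ARN."""
    trust_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Cross-account read-only role for an external security service (example)",
        "Resources": {
            "CrossAccountRole": {  # logical ID chosen for this example
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": role_name,
                    "AssumeRolePolicyDocument": trust_policy,
                    # SecurityAudit is a real AWS managed read-only policy; it stands in
                    # for the capability-specific permissions a vendor CFT would attach.
                    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/SecurityAudit"],
                },
            }
        },
        "Outputs": {"RoleArn": {"Value": {"Fn::GetAtt": ["CrossAccountRole", "Arn"]}}},
    }


def trust_policy_findings(template: dict) -> list:
    """Review every IAM role in a template and list trust-policy weaknesses."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Role":
            continue
        doc = resource["Properties"]["AssumeRolePolicyDocument"]
        for stmt in doc.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            if stmt.get("Principal") in ("*", {"AWS": "*"}):
                findings.append(f"{logical_id}: any AWS principal may assume this role")
            condition = stmt.get("Condition", {})
            if "sts:ExternalId" not in condition.get("StringEquals", {}):
                findings.append(f"{logical_id}: AssumeRole has no sts:ExternalId condition")
    return findings


def stack_instances_request(stack_set_name: str, raw_ou_ids: str, regions: list) -> dict:
    """Keyword arguments for boto3 CloudFormation.create_stack_instances, targeting the
    validated OUs so the role is created in every member account beneath them (and, with
    StackSet auto-deployment enabled, in accounts that join those OUs later)."""
    return {
        "StackSetName": stack_set_name,
        "DeploymentTargets": {"OrganizationalUnitIds": parse_ou_ids(raw_ou_ids)},
        "Regions": regions,
    }


if __name__ == "__main__":
    # Constructed placeholders: not a real vendor account ID, external ID or OU.
    template = build_role_template("123456789012", "EXAMPLE-EXTERNAL-ID", "ExampleSecurityRole")
    print(json.dumps(template, indent=2))
    print("findings:", trust_policy_findings(template))
    print(stack_instances_request("security-role", "ou-abcd-11111111,ou-abcd-22222222", ["us-east-1"]))
```

Run it to print the template JSON and an empty findings list; delete the Condition key from the trust statement and the reviewer reports the missing External ID, which is exactly the defect to look for when you open a downloaded CFT before creating the stack. The StackSet request mirrors the console choice in the steps above: pass the root ID to cover the whole organization, or OU IDs to onboard only the accounts under them.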