Troubleshoot AWS Onboarding Errors

Use this troubleshooting guide to find tips to identify, detect, and remediate any issues that may arise during or after the onboarding process.

Troubleshoot EventBridge Errors

If you configured EventBridge successfully and created all the rules required for ingestion, but the rules were later accidentally deleted, or you enabled a region in your account that Prisma Cloud already supported, Review Status will display errors across the regions.
To resolve this error, update the EventBridge CFT as follows:
  1. Click the View icon next to the AWS account or organization you want to update.
  2. Click Misconfigurations.
  3. Click Edit under Near Real-Time Visibility.
  4. Click Download EventBridge CFT and follow the steps in your AWS console to re-enable the rules.
  5. Return to the Prisma Cloud console.
  6. Review Status to ensure a Successful message displays for each region.
  7. Click Save.
  8. Click Status located next to Misconfigurations and scroll down to the Security Capabilities and Permissions section to verify the status of Audit Logs.

Troubleshoot ExternalId Errors for a Standalone AWS Account

If you created the AWS IAM role using static S3 templates and onboarded the account on Prisma Cloud with a custom ExternalId, the following error may display under Review Status:
Make sure to Save the account before you follow the steps listed below to resolve the errors.
Use any one of the following methods to resolve this error:
  1. Method 1
    If you are an AWS Cloud Administrator who does not have access to Prisma Cloud APIs, download and run the CFT template again:
    1. Click the Edit icon for the onboarded AWS cloud account.
    2. Click Configure Account.
    3. Click Download IAM Role CFT.
    4. Follow the Steps to create a new stack or update the existing stack.
    5. Navigate to the Review Status page to verify the status.
    6. Click Save.
  2. Method 2
    If you are a Prisma Cloud Administrator who does not have AWS Administrator access, update the externalId used in Create IAM Role using the Update Cloud Account API.
    Example (replace <token> with a valid Prisma Cloud API token; browser-only headers have been omitted):
      curl --location --request PUT 'https://api3.prismacloud.io/cloud/aws/123456789012' \
        --header 'x-redlock-auth: <token>' \
        --header 'Content-Type: application/json' \
        --header 'Accept: application/json, text/plain, */*' \
        --data-raw '{
          "accountId": "123456789012",
          "accountType": "account",
          "enabled": true,
          "externalId": "4fc24939-8fab-4978-a4e1-403095713870",
          "groupIds": [],
          "name": "AWS Account",
          "protectionMode": "MONITOR",
          "roleArn": "arn:aws:iam::123456789012:role/PrismaCloudReadOnlyRole"
        }'
  3. Method 3
    If you are an AWS Cloud Administrator who does not have access to Prisma Cloud APIs, manually update the Prisma Cloud generated ExternalId in the existing IAM role trust relationship in your AWS console:
    1. Click the Edit icon for the onboarded AWS cloud account.
    2. Click Configure Account.
    3. Click Download IAM Role CFT.
    4. Open the downloaded CFT in a text editor, search for sts:ExternalId and copy the value.
    5. Paste the updated ExternalId into the Trust relationships of the existing IAM role in AWS.
    6. Wait for 10-15 seconds for the changes to take effect.
    7. Review Status to verify the cloud account status is green or amber.
    8. Click Save.

Troubleshoot ExternalId Errors for an AWS Organization

  • If you created the AWS IAM roles using static S3 templates for the Organization management account and member accounts via StackSet using separate templates, and onboarded the organization on Prisma Cloud with a custom ExternalId, the following error may display under Review Status:
  • If the member accounts display an incorrect ExternalId or a missing Trust relationship for Prisma Cloud in the provided Role, either:
    • The ExternalId for the member role names may be incorrect, or
    • You used an old template while onboarding in Prisma Cloud, and the memberRoleName is not in the correct <masterRoleName>-member format.
Make sure to Save the account before you follow the steps listed below to resolve the errors.
Use any one of the following methods to resolve this error:
  1. Method 1
    If you are an AWS Cloud Administrator who does not have access to Prisma Cloud APIs, download and run the CFT template again:
    1. Click the Edit icon for the onboarded AWS organization.
    2. Click Configure Account.
    3. Click Download IAM Role CFT.
    4. Follow the Steps to create a new stack or update the existing stack.
    5. Navigate to the Review Status page to verify the status.
    6. Click Save.
  2. Method 2
    If you are a Prisma Cloud Administrator who does not have AWS Administrator access, update the externalId, memberExternalId, memberRoleName, and roleArn used in Create IAM Role using the Update Cloud Account API:
    • externalId and roleArn - Management account IAM role
    • memberExternalId and memberRoleName - Member accounts IAM role (created using StackSet)
    Example (replace <token> with a valid Prisma Cloud API token; browser-only headers have been omitted):
      curl --location --request PUT 'https://api3.prismacloud.io/cloud/aws/123456789012' \
        --header 'x-redlock-auth: <token>' \
        --header 'Content-Type: application/json' \
        --header 'Accept: application/json, text/plain, */*' \
        --data-raw '{
          "accountId": "123456789012",
          "accountType": "organization",
          "enabled": true,
          "externalId": "a1ea8fe3-85d8-4ed9-93da-02d68670bc61",
          "memberExternalId": "a1ea8fe3-85d8-4ed9-93da-02d68670bc61",
          "memberRoleName": "PrismaCloudOrgMemberReadWriteRole",
          "memberRoleStatus": true,
          "name": "AWS ORG",
          "protectionMode": "MONITOR_AND_PROTECT",
          "roleArn": "arn:aws:iam::123456789012:role/PrismaCloudReadWriteRole"
        }'
  3. Method 3
    If you are an AWS Cloud Administrator who does not have access to Prisma Cloud APIs, manually update the Prisma Cloud generated ExternalId in the existing IAM role trust relationship in your AWS console:
    1. Click the Edit icon for the onboarded AWS organization.
    2. Click Configure Account.
    3. Click Download IAM Role CFT.
    4. Open the downloaded CFT in a text editor and search for sts:ExternalId. There will be one externalId for the Management role and another for the member account roles. Locate the externalId inside the PrismaCloudRole mapping.
    5. Paste the updated ExternalId into the Trust relationships of the existing Management account IAM role in AWS.
    6. Locate the memberExternalId in the downloaded template.
    7. Paste the updated memberExternalId into the Trust relationships of all existing member account IAM roles in AWS.
    8. Wait for 10-15 seconds for the changes to take effect.
    9. Review Status to verify the cloud account status is green or amber.
    10. Click Save.
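The following added example is not Prisma Cloud's own code; it is a small helper for the two manual fixes above. It covers step 4 of Method 3 for both the standalone account and the organization (find every sts:ExternalId in the downloaded CFT and compare it with an existing role's trust relationship, reporting a stale ExternalId or a missing trust statement) and Method 2 (sanity-check the Update Cloud Account request body before sending it, for example that roleArn belongs to the same account as accountId). It assumes the downloaded CFT is JSON, which the page does not state; the resource names PrismaCloudRole and PrismaCloudMemberRole, the 000000000000 principal account and the trust-policy sample are constructed placeholders, while the UUIDs and role names are the ones shown in the examples above.

```python
"""Added example (not Prisma Cloud's code): ExternalId checks for the fixes above.
Assumptions: CFT is JSON; resource names and the 000000000000 principal are placeholders."""
import json
import re

UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_external_ids(cft_json: str) -> dict:
    """Method 3, step 4: return {role logical name: sts:ExternalId} for every
    AWS::IAM::Role in the template, whatever nesting the condition sits at."""
    template = json.loads(cft_json)
    found = {}

    def walk(node, role_name):
        if isinstance(node, dict):
            for key, val in node.items():
                if key == "sts:ExternalId" and isinstance(val, str):
                    found[role_name] = val
                else:
                    walk(val, role_name)
        elif isinstance(node, list):
            for item in node:
                walk(item, role_name)

    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::IAM::Role":
            walk(resource, name)
    return found


def check_trust_policy(trust_policy: dict, expected_external_id: str) -> list:
    """Method 3, steps 5/7: compare an existing role's trust relationship with the
    ExternalId taken from the CFT. An empty list means nothing needs updating."""
    statements = _as_list(trust_policy.get("Statement", []))
    assume = [s for s in statements
              if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action", []))]
    if not assume:
        return ["no Allow statement for sts:AssumeRole (missing trust relationship)"]
    findings = []
    for stmt in assume:
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("sts:AssumeRole statement has no sts:ExternalId condition")
        elif ext != expected_external_id:
            findings.append(f"ExternalId mismatch: role trusts {ext!r}, CFT has {expected_external_id!r}")
    return findings


def validate_update_payload(payload: dict) -> list:
    """Method 2: catch inconsistent field values before calling the Update Cloud Account API."""
    problems = []
    account_id = payload.get("accountId", "")
    if not re.fullmatch(r"\d{12}", account_id):
        problems.append("accountId must be a 12-digit AWS account ID")
    arn = ROLE_ARN_RE.match(payload.get("roleArn", ""))
    if not arn:
        problems.append("roleArn is not a valid IAM role ARN")
    elif arn.group(1) != account_id:
        problems.append("roleArn belongs to a different account than accountId")
    if not UUID_RE.match(payload.get("externalId", "")):
        problems.append("externalId is not in UUID format")
    if payload.get("accountType") == "organization":
        for key in ("memberExternalId", "memberRoleName"):
            if not payload.get(key):
                problems.append(f"{key} is required for an organization")
    return problems


# Constructed sample CFT fragment in the shape of the downloaded template.
SAMPLE_CFT = json.dumps({"Resources": {
    "PrismaCloudRole": {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {
        "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::000000000000:root"},
        "Condition": {"StringEquals": {"sts:ExternalId": "a1ea8fe3-85d8-4ed9-93da-02d68670bc61"}}}]}}},
    "PrismaCloudMemberRole": {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {
        "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Condition": {"StringEquals": {"sts:ExternalId": "4fc24939-8fab-4978-a4e1-403095713870"}}}]}}},
}})

# Constructed trust policy of an existing role that still carries the old custom ExternalId.
STALE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::000000000000:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "old-custom-external-id"}}}]}

if __name__ == "__main__":
    ids = find_external_ids(SAMPLE_CFT)
    print(ids)
    print(check_trust_policy(STALE_TRUST_POLICY, ids["PrismaCloudRole"]))
```

Run it against a real template by replacing SAMPLE_CFT with the file you downloaded in step 3 and STALE_TRUST_POLICY with the trust relationship shown on the role's Trust relationships tab; for an organization, run check_trust_policy once per member account with the memberExternalId value.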
