Update an Onboarded AWS Account

After you add your cloud account to Prisma Cloud, you may need to update the Prisma Cloud stack to provide additional permissions for new policies, which are frequently added to help you monitor your cloud account and ensure that you have a good security posture. When you update the CFT stack, Prisma Cloud can ingest data on new services that are supported. These CFTs are available directly from the Prisma Cloud administrative console.
In addition to updating the CFT stack to enable permissions for new services, you can use this workflow to update the account groups that are secured with Prisma Cloud or to enable or disable the security capabilities and permissions. If you enable a security capability that you had not enabled during the initial onboarding, make sure you Download IAM Role CFT again and complete the required steps so that the updated permissions are granted to Prisma Cloud.
For instructions on updating your AWS Organization, see Update an Onboarded AWS Organization.
  1. Log in to the Prisma Cloud administrative console.
  2. Select the AWS cloud account you want to modify.
    Cloud Accounts and click the icon for the cloud account to manage from the list of cloud accounts.
  3. On Edit Cloud Account, navigate to Configure Account, and Download IAM Role CFT.
  4. (To change permissions for the Prisma Cloud role)
    Update the Prisma Cloud App using the CFT you downloaded in the above step. You can update the stack either using the AWS console or the AWS CLI.
    1. Log in to AWS console.
    2. Select
    3. Select the stack to update and select Replace current template and Upload a template file you downloaded earlier.
      If you decide to create a new stack instead of updating the existing stack, you must copy the PrismaCloudRoleARN value from the CFT outputs tab.
    4. Configure stack options.
    5. Click
      and verify the settings.
    6. Preview your changes to the CloudFormation template for the role you updated.
    7. Update your CFT.
      If you created a new stack, you must log in to the Prisma Cloud administrative console, select your cloud account on Cloud Accounts, click the icon, navigate to Configure Account, and enter the value from the AWS CFT output in the IAM Role ARN field.
      If you want to use the AWS Command Line Interface to deploy the updated Prisma Cloud App stack, use the AWS CLI tool to enter the following command to deploy the CFT that you downloaded.
    8. Check the status to verify that Prisma Cloud can successfully retrieve information on your cloud resources.
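
Before you update the stack, it helps to see exactly which IAM permissions the newly downloaded CFT grants compared with the template currently deployed. The following is an added example, not part of the Prisma Cloud documentation or tooling: it assumes both templates are JSON, and the resource names, actions and the read-only prefix heuristic are constructed for illustration.

```python
import json

READ_PREFIXES = ("Get", "List", "Describe")  # heuristic for read-only verbs

def _as_list(value):
    # IAM accepts either a single value or a list for Statement and Action.
    return value if isinstance(value, list) else [value]

def allowed_actions(template):
    """Return every action granted by an Allow statement in the template."""
    actions = set()
    for res in template.get("Resources", {}).values():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::IAM::Role":
            docs = [p.get("PolicyDocument", {}) for p in props.get("Policies", [])]
        elif res.get("Type") in ("AWS::IAM::ManagedPolicy", "AWS::IAM::Policy"):
            docs = [props.get("PolicyDocument", {})]
        else:
            continue
        for doc in docs:
            for stmt in _as_list(doc.get("Statement", [])):
                if stmt.get("Effect") == "Allow":
                    actions.update(a for a in _as_list(stmt.get("Action", []))
                                   if isinstance(a, str))
    return actions

def permission_diff(current, updated):
    """Compare the deployed template with the downloaded one."""
    old, new = allowed_actions(current), allowed_actions(updated)
    added = sorted(new - old)
    return {"added": added, "removed": sorted(old - new),
            "added_non_read": [a for a in added
                               if not a.partition(":")[2].startswith(READ_PREFIXES)]}

# Constructed sample templates (not Prisma Cloud's real CFT contents).
CURRENT = json.loads("""{"Resources": {"ExampleRole": {"Type": "AWS::IAM::Role",
  "Properties": {"Policies": [{"PolicyName": "p", "PolicyDocument": {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "s3:GetBucketPolicy"],
     "Resource": "*"}]}}]}}}}""")
UPDATED = json.loads("""{"Resources": {"ExampleRole": {"Type": "AWS::IAM::Role",
  "Properties": {"Policies": [{"PolicyName": "p", "PolicyDocument": {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:DeleteSnapshot"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}}]}},
  "ExamplePolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {
    "PolicyDocument": {"Statement": {"Effect": "Allow",
      "Action": "lambda:ListFunctions", "Resource": "*"}}}}}}""")

if __name__ == "__main__":
    print(json.dumps(permission_diff(CURRENT, UPDATED), indent=2))
```

The diff covers inline role policies and IAM policy resources only; managed policy ARNs attached to the role and the role's trust policy still need a manual review.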
