Update an Onboarded AWS Organization
In addition to updating the CFT stack to enable permissions for new services, you can use this workflow to update the account groups that are secured with Prisma Cloud, update the security capabilities and permissions, and redeploy the Prisma Cloud role in member accounts. You can onboard all member accounts under the AWS Organizations hierarchy, or selectively add the OUs whose member accounts you want to onboard on Prisma Cloud.
- Edit the AWS organization you previously onboarded.
- Log in to the Prisma Cloud administrative console.
- Select Settings > Cloud Accounts and click the Edit icon for the AWS organization in the list of cloud accounts.
- In the Edit Cloud Account window, navigate to Configure Account and click Download IAM Role CFT.
- Provision the Prisma Cloud role on the AWS master account.
- Log in to your master account on the AWS management console.
- Select Services > CloudFormation > Stacks.
- Select the PrismaCloudApp stack and click Update Stack.
- Replace the existing template with the template (CFT) you downloaded in Step 1.
- Click Next to review the configuration. Make sure that you have entered the correct OrganizationalUnitIds. Provide the organizational root OU ID (prefix r-) to run it for all the accounts under the organization, or provide a comma-separated list of OU IDs (prefix ou-).
- Select I acknowledge that AWS CloudFormation might create IAM resources with custom names.
- Click Submit.
- Paste the IAM Role ARN in your Prisma Cloud console.
- Select the Member Accounts you want to add to Prisma Cloud. You can selectively assign AWS member accounts to different account groups on Prisma Cloud.
- Select the subsets to include or exclude. Depending on the OUs you select, Prisma Cloud fetches and onboards the member accounts under each OU. You can choose:
- All (default) to monitor current and future OUs and member accounts included within the organization hierarchy.
- Include a subset to monitor only the selected OUs and member accounts.
- Exclude a subset to monitor all current and future OUs and member accounts except the selected OUs and member accounts. Select the relevant tab and choose the member accounts to include or exclude. When you select an OU, all existing member accounts within that OU are onboarded to Prisma Cloud. The periodic sync also checks for any new OUs and member accounts that you subsequently add on AWS and adds them to Prisma Cloud. For example, if there are 10 member accounts under an OU, Prisma Cloud starts monitoring those 10 accounts as soon as you save the setup. If you later add member accounts to this OU, they are onboarded automatically and Prisma Cloud starts monitoring them within 24 hours. Similarly, if you delete a member account, it is removed completely from Prisma Cloud after 24 hours. You cannot select Root to be included or excluded from onboarding; you can either select all, or select a specific OU or member account.
- Load more in Root to view more OUs and member accounts. By default, Prisma Cloud initially displays 20 OUs and 40 member accounts.
- Resolve any missing permissions or errors. A Warning displays if the OU or member account does not have adequate permissions.
- During initial onboarding, you must assign all the member cloud accounts within the organization hierarchy to one account group.
- Review the Status of your AWS organization on Prisma Cloud. The status check verifies that the newly selected capabilities are enabled.
- Click Save and Close.
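The stack-update steps above (updating the PrismaCloudApp stack with the downloaded CFT and the OrganizationalUnitIds parameter, acknowledging the IAM capability, and reading back the role ARN), scripted with the AWS CLI as an added example; this is not Prisma Cloud's own tooling. It assumes the downloaded template is saved locally, that the template parameter is named OrganizationalUnitIds as this page states, and that the stack output carrying the role ARN is named PrismaCloudRoleARN (a placeholder; check the template's Outputs section).

```shell
#!/bin/sh
# Added example, not Prisma Cloud's own tooling. Wraps the console steps
# "Update Stack" -> "Next" -> "I acknowledge ..." -> "Submit" in the AWS CLI.

# Return 0 only if the scope is either a single root ID (r-...) or a
# comma-separated list of OU IDs (ou-...), as described on this page.
# Rejecting anything else here stops a typo from scoping the role to the
# wrong accounts. ID formats follow the AWS Organizations documentation.
validate_ou_ids() {
  ids=$1
  [ -n "$ids" ] || return 1
  # A root ID already covers the whole organization, so it must stand alone.
  if printf '%s' "$ids" | grep -Eq '^r-[0-9a-z]{4,32}$'; then
    return 0
  fi
  # Reject empty fields (leading, trailing or doubled commas).
  case $ids in
    ,*|*,|*,,*) return 1 ;;
  esac
  # Split on commas in a subshell so IFS is not leaked to the caller.
  (
    IFS=','
    for id in $ids; do
      printf '%s' "$id" | grep -Eq '^ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}$' || exit 1
    done
  )
}

# Update the existing PrismaCloudApp stack with the downloaded template.
# CAPABILITY_NAMED_IAM is the CLI equivalent of the console checkbox
# "I acknowledge that AWS CloudFormation might create IAM resources with
# custom names". Any other parameters the template declares must be added
# to the JSON list below (assumption: OrganizationalUnitIds is the only one).
update_prisma_stack() {
  template=$1
  ou_ids=$2
  validate_ou_ids "$ou_ids" || { echo "invalid OrganizationalUnitIds: $ou_ids" >&2; return 1; }
  aws cloudformation update-stack \
    --stack-name PrismaCloudApp \
    --template-body "file://$template" \
    --parameters "[{\"ParameterKey\":\"OrganizationalUnitIds\",\"ParameterValue\":\"$ou_ids\"}]" \
    --capabilities CAPABILITY_NAMED_IAM || return 1
  aws cloudformation wait stack-update-complete --stack-name PrismaCloudApp || return 1
  # Print the role ARN to paste into the Prisma Cloud console.
  # PrismaCloudRoleARN is a placeholder output name; verify it in the template.
  aws cloudformation describe-stacks --stack-name PrismaCloudApp \
    --query "Stacks[0].Outputs[?OutputKey=='PrismaCloudRoleARN'].OutputValue" \
    --output text
}

# Usage (only when invoked directly with arguments):
#   ./update_prisma_stack.sh prisma-cloud-org-role.yaml "ou-abcd-12345678,ou-abcd-87654321"
if [ "$#" -eq 2 ]; then
  update_prisma_stack "$1" "$2"
fi
```

If the downloaded template exceeds the 51,200-byte limit for --template-body, upload it to S3 and pass --template-url instead.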