Update an Onboarded AWS Organization

In addition to updating the CFT stack for enabling permissions for new services, you can use this workflow to update the account groups that are secured with Prisma Cloud, update the security capabilities and permissions, and redeploy the Prisma Cloud role in member accounts. You can opt to onboard all member accounts under Organizations hierarchy, or selectively add the OUs whose member accounts you want to onboard on Prisma Cloud.
  1. Edit the AWS organization you previously onboarded.
    1. Log in to the Prisma Cloud administrative console.
    2. Select
      Cloud Accounts
      and click the
      icon for the AWS organization from the list of cloud accounts.
    3. In the
      Edit Cloud Account
      window, navigate to
      Configure Account
      , and
      Download IAM Role CFT
  2. Provision the Prisma Cloud role on the AWS master account.
    1. Log in to your master account on the AWS management console.
    2. Select
    3. Select
      stack and click
      Update Stack
    4. Replace the existing template with the template (CFT) you downloaded in Step 1.
    5. Click
      to review the configuration.
      Make sure that you have entered the correct OrganizationalUnitIds. Provide the organizational root OU ID (prefix r-) to run it for all the accounts under the Organization or provide a comma-separated list of OU IDs (prefix ou-).
    6. Select
      I acknowledge that AWS CloudFormation might create IAM resources with custom names
    7. Click
  3. Paste the
    IAM Role ARN
    in your Prisma Cloud console.
  4. Select the
    Member Accounts
    you want to add to Prisma Cloud.
    You can selectively assign AWS member accounts to different account groups on Prisma Cloud.
    1. Select the subsets to include or exclude. Depending on the OUs you select, Prisma Cloud fetches and onboards the member accounts under each OU.
      You can choose:
      • All
        (default) to monitor current and future OUs and member accounts included within the organization hierarchy.
      • Include a subset
        to only monitor selected OUs and member accounts.
      • Exclude a subset
        to monitor all current and future OUs and member accounts except the selected OUs and member accounts.
        Select the relevant tab and choose the member accounts to include or exclude. When you select an OU, all existing member accounts within that OU are onboarded to Prisma Cloud. The periodic sync also checks for any new OUs and member accounts that you subsequently add on AWS and adds them to Prisma Cloud.
        For example, if there are 10 member accounts under an OU, Prisma Cloud starts monitoring those 10 accounts as soon as you save the setup. Later, if you add additional member accounts to this OU, those will be automatically onboarded and Prisma Cloud will start monitoring those accounts also within 24 hours. Similarly, if you delete a member account, after 24 hours it will be removed completely from Prisma Cloud.
        You cannot select
        to be included or excluded from onboarding, you can either select all or a specific OU or member account.
    2. Load more in Root
      to view more OUs and member accounts. By default, Prisma Cloud initially displays 20 OUs and 40 member accounts.
    3. Resolve any missing permissions or errors.
      displays if the OU or member account does not have adequate permissions.
  5. (
    ) Select a different account group and click
    During initial onboarding, you must assign all the member cloud accounts with the organization hierarchy to one account group.
  6. Review Status
    of your AWS organization on Prisma Cloud.
    The status check verifies that the newly selected capabilities are enabled.
  7. Click
    Save and Close

Recommended For You