Add AWS Cloud Account to Prisma Cloud

Add an AWS cloud account to Prisma™ Cloud to monitor and analyze your resources deployed on AWS. Use the following workflow to add your AWS public, AWS China, or AWS GovCloud accounts to Prisma™ Cloud. To add AWS Organizations on Prisma Cloud, see Add an AWS Organization on Prisma Cloud. To onboard your AWS account as an Organization type that you had previously onboarded as an Account type, see Update an Onboarded AWS Account to AWS Organization.
  1. Before you begin.
    If you would like Prisma Cloud to ingest VPC flow logs and any other integrations, such as Amazon GuardDuty, Amazon S3, or AWS Inspector, you must enable these services on the AWS management console. The Cloud Formation template (CFT) enables the ingestion of configuration data, Amazon S3 flow logs, AWS CloudTrail logs, and Amazon EventBridge (audit events) only. You can configure VPC flow logs and any other integrations, such as Amazon GuardDuty or AWS Inspector after onboarding the account.
    Prisma Cloud does not support shared VPCs.
    1. Decide whether you want to manually create the roles to authorize permissions for Prisma Cloud.
      The onboarding flow automates the process of creating the Prisma Cloud role and adding the permissions required to remediate (monitor and/or protect) your AWS account. If you want to create these roles manually instead, see Set Up the Prisma Cloud Role for AWS—Manual.
    2. Create a CloudWatch log group.
      The CloudWatch log group defines where the log streams are recorded.
      1. Select
        Services
        CloudWatch
        Logs
        Create log group
        .
      2. Enter a name for the log group and click
        Create
        .
    3. Enable flow logs.
      1. Select
        Services
        VPC
        Your VPCs
        .
      2. Select the VPC to enable flow logs for and select
        Actions
        Create flow log
        .
      3. Set the
        Filter
        to
        Accept
        or
        All
        .
        Setting the filter to
        All
        enables Prisma Cloud to retrieve accepted and rejected traffic from the flow logs. Setting the filter to
        Accept
        retrieves Accepted traffic only. If you set the filter to
        Reject
        , Prisma Cloud will not retrieve any flow log data.
      4. Verify that the
        Destination
        is configured to
        Send to CloudWatch Logs
        .
      5. Select the
        Destination log group
        you created above.
      6. Create a new IAM Role or use an existing one to publish flow logs to the CloudWatch Log group.
        If you are using an existing IAM role to publish logs to the CloudWatch log group, you must edit the IAM role to include the following permissions.
        { "Statement":[ { "Action":[ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:PutLogEvents" ], "Effect":"Allow", "Resource":"*" } ] }
        You will also need to Set Up the Prisma Cloud Role for AWS—Manual so that the IAM role can access the CloudWatch Log group.
  2. Access Prisma Cloud and select
    Settings
    Cloud Accounts
    Add Cloud Account
    .
  3. Select
    AWS
    as the
    Cloud to Secure
    .
  4. Select
    Account
    as the
    Onboard Type
    .
  5. Enter a
    Cloud Account Name
    and
    Account ID
    and click
    Next
    .
    A cloud account name is auto-populated for you. Replace it with a cloud account name that uniquely identifies your AWS account on Prisma Cloud. A unique account ID is used to enable the trust relationship in the roles trust policy, which you will require later in the onboarding process.
  6. Select the
    Security Capabilities and Permissions
    that you want to enable and click
    Next
    . Based on your selection, Prisma Cloud dynamically generates a CFT that includes the associated permissions for the Prisma Cloud role.
    By default,
    Agentless Workload Scanning
    and
    Serverless Function Scanning
    are enabled.
    Workload Discovery
    is also automatically enabled to help you find all cloud-native services being used on your AWS cloud account to help mitigate exposure.
    • Enable and add permissions for
      Agentless Workload Scanning
      to scan hosts and containers for vulnerabilities and compliance risks without having to install a defender. Scans start automatically once you onboard your account. You can also update scanning configuration for agentless scans.
    • Enable and add permissions for
      Serverless Function Scanning
      to scan cloud provider functions such as, AWS Lambda, Azure, and Google functions for vulnerabilities and compliance. Scans start automatically once you onboard your account.
    • Add permissions for
      Agent-Based Workload Protection
      . The permissions allow for automated deployment of defenders to provide protection to secure cloud VMs, containers, and Kubernetes orchestrators. Registry scanning, Kubernetes audits, and other features required by defenders are also enabled.
    • Enable Data Security to scan your resources to prevent data leaks. This feature is not enabled by default. After you onboard your account, further configuration is required to enable data security scans.
    • Enable
      Remediation
      to address policy violations reported for remediable configuration policies on Prisma Cloud. This feature is not enabled by default. After you enable it, the Prisma Cloud role gets read-write access permissions to your AWS cloud account to successfully execute remediation commands.
      After you onboard your AWS account on Prisma Cloud, the account is automatically available in Compute and enabled for
      Workload Discovery
      and
      Serverless Function
      scans. You can also review the permissions required for individual security capabilities.
  7. Click
    Create IAM Role
    only if your role has permissions to log in to your AWS management console in order to create a stack, else
    Download IAM Role CFT
    . Depending on your selection, click the
    here
    link under each to follow the steps to generate
    IAM Role ARN
    .
    To automate the process of creating the Prisma Cloud role that is trusted and has the permissions required to retrieve data on your AWS deployment, Prisma Cloud uses a CFT. The CFT enables the ingestion of configuration data, Amazon S3 flow logs, and AWS CloudTrail logs (audit events) only, and it does not support the ability to enable VPC flow logs for your AWS account.
    Make sure that you are already logged in to your AWS management console before you click
    Create IAM Role
    . Prisma Cloud creates a dynamic link that opens the
    Quick create stack
    page in your AWS management console based on the
    Security Capabilities and Permissions
    you selected. The details are uploaded automatically and you do not need to enter them manually in order to create the stack. Make sure you complete the onboarding process within 1 hour, else the link will expire, in which case you will have to click
    Create IAM Role
    again. If you have installed browser plugins and have pop-ups blocked, first allow pop-up and then click
    Create IAM Role
    to continue the process.
    Once you
    Download IAM Role CFT
    , it is valid for 30 days. Even if you close the dialog before completing the onboarding process, you can onboard again within 30 days again using the same Account ID and Role ARN created with the previously downloaded CFT.
  8. Paste the
    IAM Role ARN
    and click
    Next
    .
  9. Select one or more account groups and click
    Next
    .
    You must assign each cloud account to an account group and Create an Alert Rule for Run-Time Checks to associate with that account group to generate alerts when a policy violation occurs.
  10. Review the onboarding
    Status
    of your AWS account on Prisma Cloud and click
    Save
    .
    The status check verifies that audit events are available in at least one region on AWS CloudTrail.
    After you sucessfully onboard your AWS account on Prisma Cloud, the account is automatically available in Compute and enabled for
    Workload Discovery
    and
    Serverless function scans
    . For
    Agentless scans
    , you have to complete the configuration to trigger the scan.
    • Prisma Cloud checks whether Compute permissions are enabled only if you have one or more compute workloads deployed on the AWS cloud accounts that are onboarded. The cloud status transitions from green to amber only when you have compute workloads deployed and the additional permissions are not enabled for remediation.
    • If you have services that are not enabled on your AWS account, the status screen provides you some details.
    • You can enable monitoring of VPC flow logs data to be published to S3 buckets in a Logging Account that you need to onboard. See Configure Flow Logs.

Update an Onboarded AWS Account to AWS Organization

If you had previously onboarded an individual AWS account as type
Account
and now you want to onboard the same account as type
Organization
, you can do so without losing any changes to the onboarded account and assigned account groups.
  1. On the
    Cloud Accounts
    page, identify the account which you want to update from
    Account
    to
    Organization
    type.
  2. Select
    Add Cloud Account
    AWS
    .
  3. Enter an
    Account Name
    and select
    Organization
    as the
    Onboard Type
    .
    You can enter the same
    Account Name
    as the one you had entered while onboarding as Account type or enter a different name.
  4. See Steps 7-9 above to select the
    Security Capabilities and Permissions
    that you want to enable and to
    Configure Account
    and click
    Next
    .
  5. Select
    All
    member accounts and click
    Next
    .
  6. Make sure you assign the same
    Account Groups
    that you had assigned to the account when you had onboarded this as type Account.
  7. Click
    Next
    .
  8. Review the onboarding
    Status
    of your AWS organization on Prisma Cloud and click
    Save
    .
  9. After successfully onboarding the account, you will see it on the
    Cloud Accounts
    page.
  10. Click
    Edit
    to verify that the account was onboarded as type
    Organization
    .

Recommended For You