Add AWS Cloud Account to Prisma Cloud

Before you begin.
If you would like Prisma Cloud to ingest VPC flow logs and any other integrations, such as Amazon GuardDuty, Amazon S3, or AWS Inspector, you must enable these services on the AWS management console. The Cloud Formation template (CFT) enables the ingestion of configuration data, Amazon S3 flow logs, AWS CloudTrail logs, and Amazon EventBridge (audit events) only. You can configure VPC flow logs and any other integrations, such as Amazon GuardDuty or AWS Inspector after onboarding the account.
Prisma Cloud does not support shared VPCs.
Decide whether you want to manually create the roles to authorize permissions for Prisma Cloud.

The onboarding flow automates the process of creating the Prisma Cloud role and adding the permissions required to remediate (monitor and/or protect) your AWS account. If you want to create these roles manually instead, see Set Up the Prisma Cloud Role for AWS—Manual.

Create a CloudWatch log group.

The CloudWatch log group defines where the log streams are recorded.

Select

Services

CloudWatch

Logs

Create log group

.

Enter a name for the log group and click

Create

.



Enable flow logs.

Select

Services

VPC

Your VPCs

.

Select the VPC to enable flow logs for and select

Actions

Create flow log

.

Set the

Filter

to

Accept

or

All

.

Setting the filter to

All

enables Prisma Cloud to retrieve accepted and rejected traffic from the flow logs. Setting the filter to

Accept

retrieves Accepted traffic only. If you set the filter to

Reject

, Prisma Cloud will not retrieve any flow log data.

Verify that the

Destination

is configured to

Send to CloudWatch Logs

.

Select the

Destination log group

you created above.

Create a new IAM Role or use an existing one to publish flow logs to the CloudWatch Log group.

If you are using an existing IAM role to publish logs to the CloudWatch log group, you must edit the IAM role to include the following permissions.

{
   "Statement":[
      {
         "Action":[
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:DescribeLogGroups",
            "logs:DescribeLogStreams",
            "logs:PutLogEvents"
         ],
         "Effect":"Allow",
         "Resource":"*"
      }
   ]
}

You will also need to Set Up the Prisma Cloud Role for AWS—Manual so that the IAM role can access the CloudWatch Log group.


Access Prisma Cloud and select
Settings
Cloud Accounts
Add Cloud Account
.
Select
AWS
as the
Cloud to Secure
.
Select
Account
as the
Onboard Type
.
Enter a
Cloud Account Name
and
Account ID
and click
Next
.
A cloud account name is auto-populated for you. Replace it with a cloud account name that uniquely identifies your AWS account on Prisma Cloud. A unique account ID is used to enable the trust relationship in the roles trust policy, which you will require later in the onboarding process.

Select the
Security Capabilities and Permissions
that you want to enable and click
Next
. Based on your selection, Prisma Cloud dynamically generates a CFT that includes the associated permissions for the Prisma Cloud role.
By default,
Agentless Workload Scanning
and
Serverless Function Scanning
are enabled.
Workload Discovery
is also automatically enabled to help you find all cloud-native services being used on your AWS cloud account to help mitigate exposure.

Enable and add permissions for
Agentless Workload Scanning
to scan hosts and containers for vulnerabilities and compliance risks without having to install a defender. Scans start automatically once you onboard your account. You can also update scanning configuration for agentless scans.
Enable and add permissions for
Serverless Function Scanning
to scan cloud provider functions such as, AWS Lambda, Azure, and Google functions for vulnerabilities and compliance. Scans start automatically once you onboard your account.
Add permissions for
Agent-Based Workload Protection
. The permissions allow for automated deployment of defenders to provide protection to secure cloud VMs, containers, and Kubernetes orchestrators. Registry scanning, Kubernetes audits, and other features required by defenders are also enabled.
Enable Data Security to scan your resources to prevent data leaks. This feature is not enabled by default. After you onboard your account, further configuration is required to enable data security scans.
Enable
Remediation
to address policy violations reported for remediable configuration policies on Prisma Cloud. This feature is not enabled by default. After you enable it, the Prisma Cloud role gets read-write access permissions to your AWS cloud account to successfully execute remediation commands.
After you onboard your AWS account on Prisma Cloud, the account is automatically available in Compute and enabled for
Workload Discovery
and
Serverless Function
scans. You can also review the permissions required for individual security capabilities.
Click
Create IAM Role
only if your role has permissions to log in to your AWS management console in order to create a stack, else
Download IAM Role CFT
. Depending on your selection, click the
here
link under each to follow the steps to generate
IAM Role ARN
.
To automate the process of creating the Prisma Cloud role that is trusted and has the permissions required to retrieve data on your AWS deployment, Prisma Cloud uses a CFT. The CFT enables the ingestion of configuration data, Amazon S3 flow logs, and AWS CloudTrail logs (audit events) only, and it does not support the ability to enable VPC flow logs for your AWS account.
Make sure that you are already logged in to your AWS management console before you click
Create IAM Role
. Prisma Cloud creates a dynamic link that opens the
Quick create stack
page in your AWS management console based on the
Security Capabilities and Permissions
you selected. The details are uploaded automatically and you do not need to enter them manually in order to create the stack. Make sure you complete the onboarding process within 1 hour, else the link will expire, in which case you will have to click
Create IAM Role
again. If you have installed browser plugins and have pop-ups blocked, first allow pop-up and then click
Create IAM Role
to continue the process.
Once you
Download IAM Role CFT
, it is valid for 30 days. Even if you close the dialog before completing the onboarding process, you can onboard again within 30 days again using the same Account ID and Role ARN created with the previously downloaded CFT.
Paste the
IAM Role ARN
and click
Next
.

Select one or more account groups and click
Next
.
You must assign each cloud account to an account group and Create an Alert Rule for Run-Time Checks to associate with that account group to generate alerts when a policy violation occurs.

Review the onboarding
Status
of your AWS account on Prisma Cloud and click
Save
.
The status check verifies that audit events are available in at least one region on AWS CloudTrail.

After you sucessfully onboard your AWS account on Prisma Cloud, the account is automatically available in Compute and enabled for
Workload Discovery
and
Serverless function scans
. For
Agentless scans
, you have to complete the configuration to trigger the scan.
Prisma Cloud checks whether Compute permissions are enabled only if you have one or more compute workloads deployed on the AWS cloud accounts that are onboarded. The cloud status transitions from green to amber only when you have compute workloads deployed and the additional permissions are not enabled for remediation.
If you have services that are not enabled on your AWS account, the status screen provides you some details.
You can enable monitoring of VPC flow logs data to be published to S3 buckets in a Logging Account that you need to onboard. See Configure Flow Logs.