Add AWS Cloud Account to Prisma Cloud
Add an AWS cloud account to Prisma™ Cloud to monitor and analyze your resources deployed on AWS. Use the following workflow to add your AWS public, AWS China, or AWS GovCloud accounts to Prisma™ Cloud. To add AWS Organizations on Prisma Cloud, see Add an AWS Organization on Prisma Cloud. To onboard your AWS account as an Organization type that you had previously onboarded as an Account type, see Update an Onboarded AWS Account to AWS Organization.
- Before you begin. If you would like Prisma Cloud to ingest VPC flow logs and any other integrations, such as Amazon GuardDuty, Amazon S3, or AWS Inspector, you must enable these services in the AWS Management Console. The CloudFormation template (CFT) enables the ingestion of configuration data, Amazon S3 flow logs, AWS CloudTrail logs, and Amazon EventBridge (audit events) only. You can configure VPC flow logs and any other integrations, such as Amazon GuardDuty or AWS Inspector, after onboarding the account. Prisma Cloud does not support shared VPCs.
- Decide whether you want to manually create the roles that authorize permissions for Prisma Cloud. The onboarding flow automates the process of creating the Prisma Cloud role and adding the permissions required to remediate (monitor and/or protect) your AWS account. If you want to create these roles manually instead, see Set Up the Prisma Cloud Role for AWS—Manual.
- Create a CloudWatch log group. The CloudWatch log group defines where the log streams are recorded.
- Select Services > CloudWatch > Logs > Create log group.
- Enter a name for the log group and click Create.
- Enable flow logs.
- Select Services > VPC > Your VPCs.
- Select the VPC to enable flow logs for and select Actions > Create flow log.
- Set the Filter to Accept or All. Setting the filter to All enables Prisma Cloud to retrieve accepted and rejected traffic from the flow logs. Setting the filter to Accept retrieves accepted traffic only. If you set the filter to Reject, Prisma Cloud will not retrieve any flow log data.
- Verify that the Destination is configured to Send to CloudWatch Logs.
- Select the Destination log group you created above.
- Create a new IAM role or use an existing one to publish flow logs to the CloudWatch log group. If you are using an existing IAM role to publish logs to the CloudWatch log group, you must edit the IAM role to include the following permissions.

  ```json
  {
    "Statement": [
      {
        "Action": [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:DescribeLogGroups",
          "logs:DescribeLogStreams",
          "logs:PutLogEvents"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }
    ]
  }
  ```

  You will also need to Set Up the Prisma Cloud Role for AWS—Manual so that the IAM role can access the CloudWatch log group.
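As an added example (not part of the Prisma Cloud documentation or of its CFT), the following Python pre-flight check encodes the two rules from the flow log steps above: the role that publishes flow logs must be allowed to call the five `logs:*` actions listed, and the flow log must use the Accept or All filter with a CloudWatch Logs destination. The `ACCEPT`/`REJECT`/`ALL` filter values and the `cloud-watch-logs` destination type are the strings the EC2 flow log API uses; the sample policy document, the flow log values and the helper names (`missing_log_permissions`, `check_flow_log`) are constructed for this example and are assumptions. The check goes slightly beyond the page by honouring IAM action wildcards such as `logs:*`, so an existing role that grants the actions through a wildcard is not reported as missing them.

```python
"""Pre-flight check for the VPC flow log prerequisites described above.

Run it against the policy document of an existing IAM role (for example the
output of `aws iam get-role-policy`) before reusing that role for flow logs.
"""
import fnmatch
import json

# Actions the page says the flow-log publishing role must be allowed to call.
REQUIRED_LOG_ACTIONS = (
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
    "logs:PutLogEvents",
)

# Flow log traffic filters that produce data Prisma Cloud will ingest.
USABLE_FILTERS = {"ACCEPT", "ALL"}


def _as_list(value):
    """IAM allows a single value or a list in Statement/Action/Resource fields."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def allowed_actions(policy_doc):
    """Return the action patterns granted by plain Allow statements.

    Only Allow statements with an Action element are considered. NotAction
    statements are skipped, and an explicit Deny elsewhere could still block a
    call; this check only confirms that a matching Allow exists.
    """
    doc = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    patterns = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or "NotAction" in stmt:
            continue
        patterns.update(_as_list(stmt.get("Action")))
    return patterns


def missing_log_permissions(policy_doc):
    """Return the required logs:* actions that no Allow statement covers.

    IAM action names match case-insensitively and may contain wildcards
    (e.g. "logs:*" or "logs:Describe*"), so each required action is matched
    against every granted pattern with fnmatch.
    """
    patterns = {p.lower() for p in allowed_actions(policy_doc)}
    return [
        action
        for action in REQUIRED_LOG_ACTIONS
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
    ]


def check_flow_log(traffic_type, destination_type):
    """Validate a flow log's filter and destination against the page's rules.

    traffic_type is the EC2 TrafficType value (ACCEPT, REJECT or ALL) and
    destination_type the LogDestinationType value. Returns a list of
    human-readable problems; an empty list means Prisma Cloud can retrieve
    data from this flow log.
    """
    problems = []
    filt = traffic_type.upper()
    if filt == "REJECT":
        problems.append("filter is Reject: Prisma Cloud retrieves no flow log data")
    elif filt not in USABLE_FILTERS:
        problems.append(f"unknown filter {traffic_type!r}; expected Accept or All")
    if destination_type != "cloud-watch-logs":
        problems.append("destination must be Send to CloudWatch Logs")
    return problems


# Constructed sample: an existing role's policy that was written for log
# streams only and lacks the CreateLogGroup and DescribeLog* permissions.
SAMPLE_EXISTING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    print("missing permissions:", missing_log_permissions(SAMPLE_EXISTING_POLICY))
    print("flow log problems:", check_flow_log("REJECT", "s3"))
```

The sample policy above is deliberately incomplete, so running the script reports the three `logs:*` actions that would have to be added before the role can be reused, and the Reject/S3 flow log is reported as unusable on both counts.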
- Access Prisma Cloud and select Settings > Cloud Accounts > Add Cloud Account.
- Select AWS as the Cloud to Secure.
- Select Account as the Onboard Type.
- Enter a Cloud Account Name and Account ID and click Next. A cloud account name is auto-populated for you. Replace it with a cloud account name that uniquely identifies your AWS account on Prisma Cloud. A unique account ID is used to enable the trust relationship in the role's trust policy, which you will require later in the onboarding process.
- Select the Security Capabilities and Permissions that you want to enable and click Next. Based on your selection, Prisma Cloud dynamically generates a CFT that includes the associated permissions for the Prisma Cloud role. By default, Agentless Workload Scanning and Serverless Function Scanning are enabled. Workload Discovery is also automatically enabled to help you find all cloud-native services being used on your AWS cloud account and mitigate exposure.
- Enable and add permissions for Agentless Workload Scanning to scan hosts and containers for vulnerabilities and compliance risks without having to install a Defender. Scans start automatically once you onboard your account. You can also update the scanning configuration for agentless scans.
- Enable and add permissions for Serverless Function Scanning to scan cloud provider functions, such as AWS Lambda, Azure Functions, and Google Cloud Functions, for vulnerabilities and compliance. Scans start automatically once you onboard your account.
- Add permissions for Agent-Based Workload Protection. The permissions allow automated deployment of Defenders to protect cloud VMs, containers, and Kubernetes orchestrators. Registry scanning, Kubernetes audits, and other features required by Defenders are also enabled.
- Enable Data Security to scan your resources to prevent data leaks. This feature is not enabled by default. After you onboard your account, further configuration is required to enable data security scans.
- Enable Remediation to address policy violations reported for remediable configuration policies on Prisma Cloud. This feature is not enabled by default. After you enable it, the Prisma Cloud role gets read-write access permissions to your AWS cloud account so that it can execute remediation commands. After you onboard your AWS account on Prisma Cloud, the account is automatically available in Compute and enabled for Workload Discovery and Serverless Function scans. You can also review the permissions required for individual security capabilities.
- Click Create IAM Role only if your role has permissions to log in to the AWS Management Console and create a stack; otherwise, click Download IAM Role CFT. Depending on your selection, click the here link under each option to follow the steps to generate the IAM Role ARN. To automate the process of creating the Prisma Cloud role that is trusted and has the permissions required to retrieve data on your AWS deployment, Prisma Cloud uses a CFT. The CFT enables the ingestion of configuration data, Amazon S3 flow logs, and AWS CloudTrail logs (audit events) only; it does not enable VPC flow logs for your AWS account. Make sure that you are already logged in to the AWS Management Console before you click Create IAM Role. Prisma Cloud creates a dynamic link that opens the Quick create stack page in your AWS Management Console based on the Security Capabilities and Permissions you selected. The details are uploaded automatically and you do not need to enter them manually in order to create the stack. Make sure you complete the onboarding process within 1 hour; otherwise the link expires and you will have to click Create IAM Role again. If you have browser plugins installed that block pop-ups, allow pop-ups first and then click Create IAM Role to continue the process. Once you Download IAM Role CFT, it is valid for 30 days. Even if you close the dialog before completing the onboarding process, you can onboard again within 30 days using the same Account ID and Role ARN created with the previously downloaded CFT.
- Paste the IAM Role ARN and click Next.
- Select one or more account groups and click Next. You must assign each cloud account to an account group and Create an Alert Rule for Run-Time Checks associated with that account group to generate alerts when a policy violation occurs.
- Review the onboarding Status of your AWS account on Prisma Cloud and click Save. The status check verifies that audit events are available in at least one region on AWS CloudTrail. After you successfully onboard your AWS account on Prisma Cloud, the account is automatically available in Compute and enabled for Workload Discovery and Serverless Function scans. For Agentless scans, you have to complete the configuration to trigger the scan.
- Prisma Cloud checks whether Compute permissions are enabled only if you have one or more compute workloads deployed on the onboarded AWS cloud accounts. The cloud status transitions from green to amber only when you have compute workloads deployed and the additional permissions required for remediation are not enabled.
- If you have services that are not enabled on your AWS account, the status screen provides you some details.
- You can enable monitoring of VPC flow logs data to be published to S3 buckets in a Logging Account that you need to onboard. See Configure Flow Logs.
Update an Onboarded AWS Account to AWS Organization
If you had previously onboarded an individual AWS account as type Account and now want to onboard the same account as type Organization, you can do so without losing any changes to the onboarded account and its assigned account groups.
- On the Cloud Accounts page, identify the account that you want to update from Account to Organization type.
- Select Add Cloud Account > AWS.
- Enter an Account Name and select Organization as the Onboard Type. You can enter the same Account Name that you entered while onboarding as type Account, or enter a different name.
- See Steps 7-9 above to select the Security Capabilities and Permissions that you want to enable, Configure Account, and click Next.
- Select All member accounts and click Next.
- Make sure you assign the same Account Groups that you assigned to the account when you onboarded it as type Account.
- Click Next.
- Review the onboarding Status of your AWS organization on Prisma Cloud and click Save.
- After successfully onboarding the account, you will see it on the Cloud Accounts page.
- Click Edit to verify that the account was onboarded as type Organization.