Add an AWS Cloud Account on Prisma Cloud

Add an AWS cloud account to Prisma™ Cloud to monitor and analyze the resources you have deployed on AWS.
Use the following workflow to add your AWS public, AWS China, or AWS GovCloud accounts to Prisma™ Cloud. To add AWS Organizations on Prisma Cloud, see Add an AWS Organization to Prisma Cloud.
If you want to download and review the CloudFormation templates, use the following S3 URLs (one template per role):

AWS Public Cloud (AWS account, and AWS Organization master account)
  Read-Only:             https://s3.amazonaws.com/redlock-public/cft/rl-read-only.template
  Read-Write (Limited):  https://s3.amazonaws.com/redlock-public/cft/rl-read-and-write.template
AWS Public Cloud, member accounts within AWS Organizations
  Read-Only:             https://s3.amazonaws.com/redlock-public/cft/rl-read-only-member.template
  Read-Write (Limited):  https://s3.amazonaws.com/redlock-public/cft/rl-read-and-write-member.template
AWS GovCloud
  Read-Only:             https://s3.amazonaws.com/redlock-public/cft/redlock-govcloud-read-only.template
  Read-Write (Limited):  https://s3.amazonaws.com/redlock-public/cft/redlock-govcloud-read-and-write.template
AWS China
  Read-Only:             https://s3.amazonaws.com/redlock-public/cft/rl-cn-read-only.template
  Read-Write (Limited):  https://s3.amazonaws.com/redlock-public/cft/rl-cn-read-and-write.template
  1. Before you begin.
    The CFT enables the ingestion of configuration data and AWS CloudTrail logs (audit events) only. If you want Prisma Cloud to ingest VPC flow logs or any other integration, such as Amazon GuardDuty or AWS Inspector, you must enable those services on the AWS management console for the AWS account you are onboarding; they are retrieved only if they were already enabled.
    1. Decide whether you want to manually create the roles to authorize permissions for Prisma Cloud.
      The onboarding flow automates the process of creating the Prisma Cloud role and adding the permissions required to monitor and/or protect your AWS account. If you want to create these roles manually instead, see Set Up the Prisma Cloud Role for AWS—Manual.
    2. Create a CloudWatch log group.
      The CloudWatch log group defines where the log streams are recorded.
      1. Select Services > CloudWatch > Logs > Actions > Create log group.
      2. Enter a name for the log group and click Create log group.
    3. Enable flow logs.
      1. Select Services > VPC > Your VPCs.
      2. Select the VPC to enable flow logs for and select Actions > Create flow log.
      3. Set the Filter to Accept or All.
        Setting the filter to All enables Prisma Cloud to retrieve accepted and rejected traffic from the flow logs. Setting the filter to Accept retrieves accepted traffic only. If you set the filter to Reject, Prisma Cloud will not retrieve any flow log data.
      4. Verify that the Destination is configured to Send to CloudWatch Logs.
        If you set the destination to an Amazon S3 bucket, Prisma Cloud will be unable to retrieve the data.
      5. Select the Destination log group you created above.
      6. Create a new IAM role, or use an existing one, to publish flow logs to the CloudWatch log group.
        If you use an existing IAM role to publish logs to the CloudWatch log group, you must edit the IAM role to include the following permissions:
        {
          "Statement": [
            {
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents"
              ],
              "Effect": "Allow",
              "Resource": "*"
            }
          ]
        }
        You will also need to enable a trust relationship so that the IAM role can access the CloudWatch log group.
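The prerequisites above reduce to two checks an operator can run before onboarding: every flow log that Prisma Cloud is meant to read must use the Accept or All filter and deliver to CloudWatch Logs, and the publishing role must carry the five logs:* actions listed. The following script is an added example, not code from the Prisma Cloud documentation; it applies those rules offline to constructed input shaped like the output of `aws ec2 describe-flow-logs` and an IAM policy document. The VPC and flow-log IDs and the sample policy are constructed placeholders.

```python
"""Offline readiness check for the VPC flow-log prerequisites (added example).

Applies the rules from the procedure: a flow log is usable only when its
traffic filter is ACCEPT or ALL (REJECT yields nothing) and its destination
is CloudWatch Logs (an S3 destination cannot be read), and the role that
publishes flow logs must be allowed the five logs:* actions.
"""
import fnmatch
import json

# The actions the flow-log publishing role must be allowed (from the procedure).
REQUIRED_LOG_ACTIONS = {
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
    "logs:PutLogEvents",
}

# Constructed sample in the shape of `aws ec2 describe-flow-logs` output.
SAMPLE_FLOW_LOGS = [
    {"FlowLogId": "fl-0a1", "ResourceId": "vpc-0aaa", "TrafficType": "ALL",
     "LogDestinationType": "cloud-watch-logs", "LogGroupName": "prisma-flow-logs"},
    {"FlowLogId": "fl-0b2", "ResourceId": "vpc-0bbb", "TrafficType": "REJECT",
     "LogDestinationType": "cloud-watch-logs", "LogGroupName": "prisma-flow-logs"},
    {"FlowLogId": "fl-0c3", "ResourceId": "vpc-0ccc", "TrafficType": "ACCEPT",
     "LogDestinationType": "s3", "LogDestination": "arn:aws:s3:::example-bucket"},
]

# Constructed sample: an existing role policy that lacks one required action.
SAMPLE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogStream", "logs:DescribeLogGroups",
                   "logs:DescribeLogStreams", "logs:PutLogEvents"],
        "Resource": "*",
    }],
}


def flow_log_problems(flow_logs):
    """Map each unusable flow log ID to the reasons it would yield no data."""
    problems = {}
    for fl in flow_logs:
        reasons = []
        if fl.get("TrafficType") not in ("ACCEPT", "ALL"):
            reasons.append("filter is %s; set it to Accept or All" % fl.get("TrafficType"))
        if fl.get("LogDestinationType") != "cloud-watch-logs":
            reasons.append("destination is %s; send to CloudWatch Logs" % fl.get("LogDestinationType"))
        if reasons:
            problems[fl["FlowLogId"]] = reasons
    return problems


def vpcs_with_usable_flow_logs(flow_logs):
    """VPC IDs that have at least one flow log Prisma Cloud could retrieve."""
    bad = flow_log_problems(flow_logs)
    return sorted({fl["ResourceId"] for fl in flow_logs if fl["FlowLogId"] not in bad})


def _allow_patterns(policy_document):
    """Collect Action patterns from Allow statements (Deny and NotAction are
    not evaluated; this is a readiness check, not a full IAM simulator)."""
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    patterns = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def missing_log_permissions(policy_document):
    """Required logs:* actions not matched by any Allow pattern.
    IAM action names are case-insensitive and may use '*' wildcards."""
    patterns = [p.lower() for p in _allow_patterns(policy_document)]
    return sorted(a for a in REQUIRED_LOG_ACTIONS
                  if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns))


if __name__ == "__main__":
    print("VPCs with usable flow logs:", vpcs_with_usable_flow_logs(SAMPLE_FLOW_LOGS))
    print("Flow logs to fix:", json.dumps(flow_log_problems(SAMPLE_FLOW_LOGS), indent=2))
    print("Missing role permissions:", missing_log_permissions(SAMPLE_ROLE_POLICY))
```

To run it against a real account, replace the constructed lists with the JSON from `aws ec2 describe-flow-logs` and `aws iam get-role-policy` (or `get-policy-version`) for the publishing role; the rules themselves do not change.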
  2. Access Prisma Cloud and select Settings > Cloud Accounts > Add New.
  3. Select AWS as the Cloud to Protect.
  4. Enter a Cloud Account Name.
    A cloud account name is auto-populated for you. You can replace it with a cloud account name that uniquely identifies your AWS account on Prisma™ Cloud.
  5. Select the Mode.
    Decide whether to enable permissions to only monitor (read-only access) or to monitor and protect (read-write access) the resources in your cloud account. Your selection determines which AWS CloudFormation Template (CFT) is used to automate the creation of the custom role required for Prisma Cloud.
  6. Set up the Prisma Cloud role on AWS.
    To automate the process of creating the Prisma Cloud role that is trusted and has the permissions required to retrieve data on your AWS deployment, Prisma Cloud uses a CFT. The CFT enables the ingestion of configuration data and AWS CloudTrail logs (audit events) only, and it does not support the ability to enable VPC flow logs for your AWS account or any other integrations, such as Amazon GuardDuty or AWS Inspector.
    1. Open a new tab in your browser and sign in to the AWS account (AWS public cloud or AWS GovCloud) that you want to protect using Prisma Cloud.
      To onboard an AWS GovCloud account, your Prisma Cloud instance must be on https://app.gov.prismacloud.io
    2. Click back to the Prisma Cloud console, and in the onboarding flow, select Create Stack.
      You will be directed to the AWS CloudFormation stack for your AWS public or AWS GovCloud environment, and the following details are automatically filled in for you:
      • Stack Name—The default name for the stack is PrismaCloudApp.
      • External ID—The Prisma Cloud ID, a randomly generated UUID that is used to enable the trust relationship in the role's trust policy.
      • Prisma Cloud Role Name—The name of the role that will be used by Prisma Cloud to authenticate and access the resources in your AWS account.
    3. Accept the IAM acknowledgment for resource creation and select Create Stack.
      The stack creation is initiated. Wait for the CREATE_COMPLETE status.
    4. Select Outputs and copy the value of the Prisma Cloud ARN.
      The Prisma Cloud ARN has the External ID and permissions required for enabling authentication between Prisma Cloud and your AWS account.
    5. Paste the Role ARN and click Next.
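The External ID described above is what ties the role's trust policy to your Prisma Cloud tenant: a role that trusts the right account but carries no sts:ExternalId condition can be assumed on behalf of any customer of that account (the confused-deputy problem), and a wrong value simply fails authentication. The following script is an added example, not Prisma Cloud's own code, for reviewing the trust policy of the role the stack created (as returned by `aws iam get-role`) before pasting the ARN. The principal account ARN and the UUID are constructed placeholders; substitute the values shown on your own Create Stack page.

```python
"""Review a cross-account role trust policy for the External ID pattern
(added example). Returns findings instead of raising so it can be run as a
readiness check; an empty list means the policy matches expectations."""
import json

# Constructed placeholders: take the real principal and External ID from the
# Create Stack page of your onboarding flow, never from this example.
EXPECTED_PRINCIPAL = "arn:aws:iam::111111111111:root"
EXPECTED_EXTERNAL_ID = "11111111-2222-3333-4444-555555555555"


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(trust_policy, expected_principal=EXPECTED_PRINCIPAL,
                          expected_external_id=EXPECTED_EXTERNAL_ID):
    """Check every Allow sts:AssumeRole statement in a role trust policy."""
    if isinstance(trust_policy, str):
        trust_policy = json.loads(trust_policy)
    findings = []
    assume_statements = 0
    for st in _as_list(trust_policy.get("Statement")):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        assume_statements += 1

        # Principal: must be exactly the expected account, never a wildcard.
        principal = st.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if principal == "*" or "*" in aws_principals:
            findings.append("statement allows any AWS principal to assume the role")
        elif expected_principal not in aws_principals:
            findings.append("principal %s is not the expected %s" % (aws_principals, expected_principal))

        # Condition: the External ID must be present and must match.
        external_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            findings.append("no sts:ExternalId condition (confused-deputy protection missing)")
        elif expected_external_id not in _as_list(external_id):
            findings.append("sts:ExternalId %r does not match the onboarding flow value" % external_id)
    if assume_statements == 0:
        findings.append("no Allow statement for sts:AssumeRole")
    return findings


# Constructed sample: the shape of trust policy the procedure describes.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": EXPECTED_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
}

# Constructed sample: same principal, but the External ID condition is missing.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": EXPECTED_PRINCIPAL},
        "Action": "sts:AssumeRole",
    }],
}

if __name__ == "__main__":
    for name, policy in (("good", GOOD_TRUST_POLICY), ("weak", WEAK_TRUST_POLICY)):
        print(name, trust_policy_findings(policy) or "OK")
```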
  7. Select one or more account groups and click Next.
    You must assign each cloud account to an account group and Create an Alert Rule for Run-Time Checks to associate with that account group to generate alerts when a policy violation occurs.
  8. Review the onboarding Status of your AWS account on Prisma Cloud.
    The status check verifies that VPC flow logs are enabled on at least one VPC in your account, and that audit events are available in at least one region on AWS CloudTrail.
    • Prisma Cloud checks whether Compute permissions are enabled only if you have one or more compute workloads deployed on the onboarded AWS cloud accounts. The cloud status transitions from green to amber only when compute workloads are deployed and the additional permissions for monitor, or monitor and protect, mode are not enabled.
    • If you have services that are not enabled on your AWS account, the status screen provides you some details.