Add AWS Member Accounts to Prisma Cloud
Add your AWS Organization Units (OUs) and Member Accounts to Prisma Cloud to ingest and monitor your data.
Begin here to add AWS member accounts to Prisma Cloud. If you have added an AWS Organization to Prisma Cloud and you now want to add the AWS Organization Units (OUs) to which the member account belongs, the existing member account is moved under the OU in Prisma Cloud.
When you add your AWS Organization to Prisma Cloud, you can build a flexible structure of OUs and member accounts that are contained in the organization hierarchy and choose to add all, or selectively include or exclude the OUs and member accounts you want to monitor, or monitor and protect using Prisma Cloud.
- Onboard your AWS Organization to Prisma Cloud.
- Access Prisma Cloud and select.SettingsCloud AccountsAdd Cloud Account
- SelectAWSas theCloud to Protect.
- Enter aCloud Account Name.A cloud account name is auto-populated for you. You can replace it with a cloud account name that uniquely identifies your AWS organization on Prisma™ Cloud.
- Select theMode.Decide whether to enable permissions to only monitor (read-only access) or to monitor and protect (read-write access) the resources in your cloud account. Your selection determines which AWS CloudFormation Template (CFT) is used to automate the process of creating the custom role required for Prisma Cloud.
- SelectOrganizationtoOnboardand clickNextto enter additional details.
- Enter yourAWS Master External IDandAWS Master Role ARN.All the OUs and member accounts under the Organization hierarchy—current and future—will be monitored by Prisma Cloud. To find your AWS Master ID, log in to the AWS console and select your organization.
- Follow the steps listed toConfigure Member Accounts, enter theMember External IDandMember Role Name, and clickNext.
- Select theMember Accountsyou want to add to Prisma Cloud.
- After completing stackset creation on all member accounts in your AWS Organization, select theI confirm the stackset has created Prisma roles in AWS member accounts successfullycheckbox.If you do not select the checkbox, you will not be able to select member accounts and only the Management account gets onboarded.
- Select the subsets to include or exclude. Depending on the OUs you select, Prisma Cloud fetches and onboards the member accounts under each OU.You can choose:
- All(default) to monitor current and future OUs and member accounts included within the organization hierarchy.
- Include a subsetto only monitor selected OUs and member accounts.
- Exclude a subsetto monitor all current and future OUs and member accounts except the selected OUs and member accounts.Select the relevant tab and choose the member accounts to include or exclude. When you select an OU, all existing member accounts within that OU are onboarded to Prisma Cloud. The periodic sync also checks for any new OUs and member accounts that you subsequently add on AWS and adds them to Prisma Cloud. For example, if there are 10 member accounts under an OU, Prisma Cloud starts monitoring those 10 accounts as soon as you save the setup. Later, if you add additional member accounts to this OU, those will be automatically onboarded and Prisma Cloud will start monitoring those accounts also within 24 hours. Similarly, if you delete a member account, after 24 hours it will be removed completely from Prisma Cloud.You cannot selectRootto be included or excluded from onboarding, you can either select all or a specific OU or member account.
- Load more in Root, to view more OUs and member accounts. By default, Prisma Cloud initially displays 20 OUs and 40 member accounts.
- Resolve any missing permissions or errors.If the OU or member account does not have adequate permissions, the following warning displays.
- Select at least oneAccount Groupand clickNext.Based on the options you selected earlier, Prisma Cloud can automatically create account groups and keep it synchronized with the AWS resource hierarchy.
- Verify the onboardingStatusof your AWS Organization to Prisma Cloud and clickSave and Next.
- Configure Flow Logs under Advanced Settings,SaveandClose.
- Go toCloud Accounts, locate your AWS member account and view the status.
- Verify the member accounts that are onboarded to Prisma Cloud.Select the cloud account name and review the list of member accounts to verify the include/exclude selections you made earlier.
Recommended For You
Recommended videos not found.