Add AWS Member Accounts to Prisma Cloud

Add your AWS organizational units (OUs) and member accounts to Prisma Cloud to ingest and monitor their data.
Begin here to add AWS member accounts to Prisma Cloud. If you previously onboarded a member account on its own and you now add the OU that the account belongs to, Prisma Cloud moves the existing member account under that OU rather than creating a duplicate.
When you add your AWS Organization to Prisma Cloud, you work with the OU and member-account hierarchy as it exists in AWS Organizations: you can add everything, or selectively include or exclude the OUs and member accounts you want to monitor, or monitor and protect, using Prisma Cloud.
  1. Onboard your AWS Organization to Prisma Cloud.
  2. Access Prisma Cloud and select Settings > Cloud Accounts > Add Cloud Account.
  3. Select AWS as the Cloud to Protect.
  4. Enter a Cloud Account Name.
    A cloud account name is auto-populated for you. You can replace it with a name that uniquely identifies your AWS organization on Prisma Cloud.
  5. Select the Mode.
    Decide whether to grant permissions to only monitor (read-only access) or to monitor and protect (read-write access) the resources in your cloud account. Your selection determines which AWS CloudFormation Template (CFT) is used to create the custom IAM role that Prisma Cloud assumes. Monitor and Protect grants Prisma Cloud write access in every account you onboard through this organization, so choose it only if you intend to use remediation.
  6. Select Organization to Onboard and click Next to enter additional details.
  7. Enter your AWS Master External ID and AWS Master Role ARN.
    The external ID is generated by Prisma Cloud and is enforced through the sts:ExternalId condition in the trust policy of the role that the CFT creates in your management account; the role ARN is shown in the Outputs of that CloudFormation stack. All the OUs and member accounts under the organization hierarchy, current and future, will be monitored by Prisma Cloud. To find your management account ID, log in to the AWS console and select your organization.
  8. Follow the steps listed to Configure Member Accounts, enter the Member External ID and Member Role Name, and click Next.
    The member CFT is deployed from the management account as a CloudFormation StackSet, so the role with the name you enter here is created in every target account and Prisma Cloud assumes it, account by account, using that common name together with the member external ID. Do not rename the role in individual accounts.
  9. Select the Member Accounts you want to add to Prisma Cloud.
    1. After the StackSet has finished deploying the member CFT to every member account you intend to onboard, select the I confirm the stackset has created Prisma roles in AWS member accounts successfully checkbox.
      Check the StackSet's stack instances first: an account whose instance is missing, OUTDATED or INOPERABLE has no usable Prisma role yet. If you do not select the checkbox, you cannot select member accounts and only the Management account is onboarded.
    2. Choose the subset to include or exclude. Depending on the OUs you select, Prisma Cloud fetches and onboards the member accounts under each OU.
      You can choose:
      • All
        (default) to monitor current and future OUs and member accounts in the organization hierarchy.
      • Include a subset
        to monitor only the selected OUs and member accounts.
      • Exclude a subset
        to monitor all current and future OUs and member accounts except the selected ones.
        Select the relevant tab and choose the OUs or member accounts to include or exclude. When you select an OU, all existing member accounts within that OU are onboarded to Prisma Cloud. A periodic sync also picks up OUs and member accounts that you later add on AWS. For example, if an OU has 10 member accounts, Prisma Cloud starts monitoring those 10 accounts as soon as you save the setup; member accounts added to that OU later are onboarded automatically and monitored within 24 hours, and a member account you delete is removed completely from Prisma Cloud about 24 hours after its deletion.
        You cannot include or exclude Root itself; select All, or a specific OU or member account.
    3. Click Load more in Root to view more OUs and member accounts. By default, Prisma Cloud initially displays 20 OUs and 40 member accounts.
    4. Resolve any missing permissions or errors.
      If an OU or member account does not have adequate permissions, a warning is displayed for it. Fix the role in that account before continuing; the account is not onboarded until the warning clears.
  10. Select at least one Account Group and click Next.
    Based on the options you selected earlier, Prisma Cloud can automatically create account groups and keep them synchronized with the AWS organization hierarchy.
  11. Verify the onboarding Status of your AWS Organization on Prisma Cloud and click Save and Next.
    1. Configure Flow Logs under Advanced Settings, then Save and Close.
    2. Go to Cloud Accounts, locate your AWS member account and view its status.
    3. Verify the member accounts that are onboarded to Prisma Cloud.
      Select the cloud account name and review the list of member accounts to verify the include/exclude selections you made earlier.
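As an added example (not Prisma Cloud's own code or documentation), the following Python models the All / Include / Exclude selection from step 9 over a constructed organization tree, then performs the two checks a practitioner wants before ticking the confirmation checkbox in step 9: which expected accounts still lack a CURRENT StackSet instance, and whether a member role's trust policy actually carries the sts:ExternalId condition. Every ID, the Prisma Cloud account number and the external ID are placeholders; the data shapes mirror the boto3 calls named in the comments, which is where a live run would fetch them.

```python
# Constructed sample hierarchy (hypothetical IDs). For a live check, build it from
# organizations.list_organizational_units_for_parent() and list_accounts_for_parent().
ORG = {
    "r-abcd": {"children": ["ou-abcd-prod1234", "ou-abcd-dev56789"], "accounts": ["111111111111"]},
    "ou-abcd-prod1234": {"children": ["ou-abcd-prodeu123"], "accounts": ["222222222222", "333333333333"]},
    "ou-abcd-prodeu123": {"children": [], "accounts": ["444444444444"]},
    "ou-abcd-dev56789": {"children": [], "accounts": ["555555555555", "666666666666"]},
}
ROOT_ID = "r-abcd"
MANAGEMENT_ACCOUNT = "111111111111"  # onboarded via the master role, not the StackSet
PRISMA_ACCOUNT = "123456789012"      # placeholder: the account ID in the member CFT's trust policy
EXTERNAL_ID = "3f9c-example-external-id"  # placeholder: the Member External ID from the wizard

def accounts_under(org, parent_id):
    """All account IDs in the subtree rooted at an OU or at Root (nested OUs included)."""
    found = set(org[parent_id]["accounts"])
    for child in org[parent_id]["children"]:
        found |= accounts_under(org, child)
    return found

def resolve_selection(org, root_id, mode, selected=()):
    """Accounts Prisma Cloud will onboard for mode "all", "include" or "exclude".
    `selected` holds OU IDs and/or 12-digit account IDs; Root is rejected, as in the UI."""
    selected = set(selected)
    if root_id in selected:
        raise ValueError("Root cannot be included or excluded; select an OU or account")
    everything = accounts_under(org, root_id)
    chosen = set()
    for item in selected:
        if item in org:               # an OU: its whole subtree
            chosen |= accounts_under(org, item)
        elif item in everything:      # a single member account
            chosen.add(item)
        else:
            raise ValueError(f"{item} is not in the organization")
    if mode == "all":
        return everything
    if mode == "include":
        return chosen
    if mode == "exclude":
        return everything - chosen
    raise ValueError(f"unknown mode {mode!r}")

def accounts_missing_role(expected, stack_instances, skip=()):
    """Expected accounts with no CURRENT stack instance, i.e. no usable Prisma role.
    `stack_instances` mirrors cloudformation.list_stack_instances() summaries
    ("Account", "Region", "Status" in CURRENT / OUTDATED / INOPERABLE)."""
    current = {s["Account"] for s in stack_instances if s.get("Status") == "CURRENT"}
    return sorted(a for a in expected if a not in current and a not in skip)

def check_trust_policy(policy, prisma_account_id, external_id):
    """Findings for a member role's trust policy (iam.get_role() ->
    Role.AssumeRolePolicyDocument); an empty list means it is as expected."""
    findings, matched = [], False
    statements = policy.get("Statement", [])
    for s in [statements] if isinstance(statements, dict) else statements:
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if s.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = s.get("Principal", {}).get("AWS", [])
        principal = [principal] if isinstance(principal, str) else principal
        if "*" in principal:
            findings.append("trust policy lets any AWS principal assume the role")
        elif not {f"arn:aws:iam::{prisma_account_id}:root", prisma_account_id} & set(principal):
            findings.append(f"principal {principal} is not the Prisma Cloud account")
        else:
            ext = s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
            if ext is None:
                findings.append("no sts:ExternalId condition (confused-deputy risk)")
            elif ext != external_id:
                findings.append("sts:ExternalId does not match the Member External ID")
            else:
                matched = True
    if not matched and not findings:
        findings.append("no Allow sts:AssumeRole statement for the Prisma Cloud principal")
    return findings

# Constructed StackSet summaries: 333... is stale, 444... was never deployed.
STACK_INSTANCES = [
    {"Account": "222222222222", "Region": "us-east-1", "Status": "CURRENT"},
    {"Account": "333333333333", "Region": "us-east-1", "Status": "OUTDATED"},
    {"Account": "555555555555", "Region": "us-east-1", "Status": "CURRENT"},
    {"Account": "666666666666", "Region": "us-east-1", "Status": "CURRENT"},
]
GOOD_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{PRISMA_ACCOUNT}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
WEAK_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{  # external ID dropped
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{PRISMA_ACCOUNT}:root"}}]}

def preflight(mode, selected=()):
    """Accounts still lacking a usable Prisma role for the chosen include/exclude selection."""
    expected = resolve_selection(ORG, ROOT_ID, mode, selected)
    return accounts_missing_role(expected, STACK_INSTANCES, skip={MANAGEMENT_ACCOUNT})
```

With the constructed data, `preflight("all")` and `preflight("include", {"ou-abcd-prod1234"})` both report 333333333333 (stale instance) and 444444444444 (never deployed), so the checkbox should not be ticked yet, while `preflight("exclude", {"ou-abcd-prod1234"})` is clean. `check_trust_policy(WEAK_TRUST_POLICY, ...)` flags the missing external-ID condition: a member role that trusts the Prisma Cloud account without it can be assumed by anyone who can get that account to act on their behalf, which is exactly what the external ID from the wizard is there to prevent.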
