Add an AWS Organization to Prisma Cloud

If you have consolidated access to AWS services and resources across your company within AWS Organizations, you can onboard the AWS master account on Prisma Cloud. When you enable AWS Organizations on the AWS management console and add the root or master account (the payer account, which is responsible for all charges accrued by the accounts in its organization), all member accounts within the hierarchy are added in one streamlined operation on Prisma Cloud.
(Image from AWS documentation: AWS Organizations structure, aws-org-structure.png)
In this workflow, you first deploy a CloudFormation template in the master account to create the Prisma Cloud role that monitors, or monitors and protects, the resources deployed in the master account. You then use CloudFormation StackSets to automate creation of the Prisma Cloud role in each member account, which authorizes Prisma Cloud to access that account. When you later add a new member account to your AWS organization, it is onboarded automatically on Prisma Cloud within a few (up to six) hours.
  • If you want to exclude one or more Organizational Units (OUs) and all the member accounts they contain, you can manually disable individual member accounts on Prisma Cloud after they are onboarded. Alternatively, to onboard only a subset of accounts, exclude the OUs when deploying the StackSet so that the Prisma Cloud role is created only in the OUs whose accounts you want to onboard. An account with no role cannot be accessed by Prisma Cloud at all, which is the stronger of the two options.
  • If you had previously onboarded your AWS master account as a standalone or individual account, you must re-add the account as an Organization. All your existing data on assets monitored, alerts generated, or account groups created is left unchanged.
    After you onboard your account as an AWS Organization, you cannot roll back. To add the account as a standalone or individual account again, you must delete the Organization on Prisma Cloud and use the instructions to Add an AWS Cloud Account on Prisma Cloud.
  • If you had previously onboarded an AWS account that is a member of the AWS Organization that you now add on Prisma Cloud, all your existing data on assets monitored, alerts generated, or account groups created is left unchanged. On Prisma Cloud, the member account is logically grouped under the AWS Organization.
    When you delete the AWS Organization on Prisma Cloud, you can recover all the existing data related to these accounts if you re-onboard them within 24 hours. After 24 hours, the data is deleted from Prisma Cloud.

Add a New AWS Organization Account on Prisma Cloud

Add your AWS Organization on Prisma Cloud.
  1. Access Prisma Cloud and select Settings > Cloud Accounts > Add New.
  2. Select AWS as the Cloud to Protect.
  3. Enter a Cloud Account Name and select Organization to onboard the account as an organization.
    A cloud account name is auto-populated for you. You can replace it with a cloud account name that uniquely identifies your AWS Organization on Prisma Cloud.
    (Screenshot: add-aws-org-on-prisma-cloud.png)
  4. Select the Mode.
    Decide whether to enable permissions to only monitor (read-only access) or to monitor and protect (read-write access) the resources in your cloud account. Your selection determines which AWS CloudFormation Template (CFT) is used to automate creation of the custom role required for Prisma Cloud.
  5. Set up the Prisma Cloud role on the AWS master account.
    To automate creation of the Prisma Cloud role that is trusted by Prisma Cloud and has the permissions required to retrieve data on your AWS deployment, Prisma Cloud uses a CFT. The CFT enables the ingestion of configuration data and AWS CloudTrail logs (audit events) only; it does not enable VPC flow logs for your AWS account or any other integrations, such as Amazon GuardDuty or AWS Inspector.
    1. Open a new tab in your browser and sign in to the AWS master account that you want to add on Prisma Cloud.
    2. Return to the Prisma Cloud console and, in the onboarding flow, select Create Stack.
      You are directed to the AWS CloudFormation stack for your AWS environment, and the following details are filled in for you:
      • Stack Name—The default name for the stack is PrismaCloudApp.
      • External ID—The Prisma Cloud ID, a randomly generated UUID that the role's trust policy requires in its sts:ExternalId condition. This is the confused-deputy control: without it, anyone who learned the role ARN could ask Prisma Cloud to assume your role on their behalf.
      • Prisma Cloud Role Name—The name of the role that Prisma Cloud assumes to authenticate to and access the resources in your AWS account.
      (Screenshot: add-aws-create-stack-2.png)
    3. Accept the IAM acknowledgment for resource creation and select Create Stack.
      The stack creation is initiated. Wait for the CREATE_COMPLETE status.
      (Screenshot: add-aws-create-stack.png)
    4. Select Outputs and copy the value of the Prisma Cloud ARN.
      The ARN identifies the role that Prisma Cloud assumes. The role's trust policy requires the External ID and its permissions policy grants the access Prisma Cloud needs; the ARN itself carries neither, so keep the External ID together with it.
      (Screenshot: add-aws-copy-role-arn.png)
    5. Paste the ARN into Master Role ARN and click Next.
      (Screenshot: add-aws-org-configure-master-account.png)
  6. Create a StackSet to create the Prisma Cloud role within each member account.
    AWS CloudFormation StackSets lets you automate creation of the Prisma Cloud role across multiple accounts in a single operation.
    1. Download the template file:
      • For member accounts with read-only access permissions (Monitor mode)—https://s3.amazonaws.com/redlock-public/cft/rl-read-only-member.template
      • For member accounts with read-write access permissions (Monitor & Protect mode)—https://s3.amazonaws.com/redlock-public/cft/rl-read-and-write-member.template
    2. On the AWS management console, select Services > CloudFormation > StackSets > Create StackSet.
      Verify that you are logged in to the AWS master account.
    3. Upload the template file, click Next, then enter a StackSet Name.
    4. In Parameters, enter the values for PrismaCloudRoleName and ExternalId.
      The PrismaCloudRoleName must include Org within the string.
    5. Click Next and select Service managed permissions.
    6. Click Next and, under Deployment targets, select Deploy to organization.
      If you do not want to onboard all member accounts, select Deploy to organizational units (OUs) and deploy the StackSet only to the selected OUs.
      (Screenshot: add-aws-org-on-create-stacksets.png)
    7. Set Automatic deployment to Enabled and Account removal behavior to Delete stacks.
      With automatic deployment enabled, an account that later joins the organization (or a targeted OU) receives the role without a manual step; with Delete stacks, the role is removed from an account that leaves, so Prisma Cloud's access ends with the account's membership.
    8. In Specify regions, select one region.
      The stack creates only an IAM role, which is global to the account, so one region is sufficient. Deploying the StackSet to a second region would attempt to create a role with the same name again in each account and fail.
    9. In Deployment Options, Maximum concurrent accounts, select Percentage and set it to 100.
    10. In Deployment Options, Failure tolerance, select Percentage and set it to 100.
      A failure tolerance of 100 percent lets the operation continue past accounts in which the role cannot be created, so a SUCCEEDED operation by itself does not prove that every account has the role; check the stack instances in step 12.
    11. Click Next and review the configuration.
      (Screenshot: add-aws-org-on-create-stacksets-review.png)
    12. Select I acknowledge that AWS CloudFormation might create IAM resources with custom names and Submit.
      The StackSet creation is initiated. Wait for the SUCCEEDED status. When the process completes, each member account in which the role was created is listed under Stack instances on the AWS management console; an instance whose status is not CURRENT did not receive the role.
      (Screenshot: add-aws-org-on-create-stacksets-verify.png)
    13. Select Parameters and copy the values for PrismaCloudRoleName and ExternalId.
  7. Configure the member account role details on Prisma Cloud.
    Use the details you copied in the previous step to set up the trust relationship and retrieve data from the member accounts.
    1. Paste the Member Role Name and Member External ID.
    2. Select I confirm the stackset has created Prisma roles in member accounts successfully and click Next.
      If you have a large number of member accounts, it may take a while to create the role in each account and list it for verification. If you want to verify that the role was created in all accounts first, do not select the checkbox; you can edit the cloud account settings later and onboard the member accounts. If you do not select the checkbox, only the master account is onboarded to Prisma Cloud.
  8. Select an account group and click Next.
    During initial onboarding, you must assign all the member cloud accounts within the AWS Organization hierarchy to one account group. Then, Create an Alert Rule for Run-Time Checks to associate with that account group so that alerts are generated when a policy violation occurs.
    If you would like to selectively assign AWS member accounts to different account groups on Prisma Cloud, you can edit the cloud account settings later.
    (Screenshot: add-aws-org-account-group.png)
  9. Review the onboarding Status of your AWS Organization on Prisma Cloud.
    The status check verifies that VPC flow logs are enabled on at least one VPC in your master account and that audit events are available in at least one region in AWS CloudTrail. It also displays the number of member accounts that are provisioned with the Prisma Cloud role.
    (Screenshot: add-aws-org-status-green-with-member.png)
    If you did not select the I confirm the stackset has created Prisma roles in member accounts successfully checkbox, the status screen displays the onboarding status of the master account but does not list the number of member accounts.
    (Screenshot: add-aws-org-status-green-without-member.png)
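The onboarding flow asks you to confirm that the StackSet created the Prisma roles in the member accounts, and the role's security rests on two things the console does not check for you: that the trust policy in every member account still names only the Prisma Cloud principal and still carries the sts:ExternalId condition, and that the role exists at all in every account you expect. The following script is an added example, not Prisma Cloud's own code or the contents of its templates. It assumes placeholders for the Prisma Cloud principal account ID, the role name and the External ID; the member-account inventory is constructed so the checks run offline, and the live fetcher (which hops into each member account through OrganizationAccountAccessRole with boto3) is included but not exercised.

```python
"""Audit the Prisma Cloud member-account roles after the StackSet deploys.

Added example, not Prisma Cloud's own code. Placeholders (assumptions): the Prisma Cloud
principal account ID, the role name, the External ID and the constructed member inventory.
"""
from __future__ import annotations

import json
from typing import Any, Callable

PRISMA_PRINCIPAL_ACCOUNT = "111122223333"  # placeholder: the account Prisma Cloud assumes roles from
ROLE_NAME = "PrismaCloudOrgRole"           # must contain "Org", as the onboarding step requires
EXTERNAL_ID = "2b7e1516-28ae-d2a6-abf7-158809cf4f3c"  # placeholder UUID

TrustPolicyFetcher = Callable[[str, str], dict]


def member_role_arn(account_id: str, role_name: str) -> str:
    """ARN of the role the StackSet creates in one member account (IAM is global: no region)."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def check_trust_policy(policy: dict[str, Any], external_id: str, trusted_account: str) -> list[str]:
    """Return findings for a role trust policy; an empty list means it is as expected.

    The sts:ExternalId condition is the confused-deputy control: without it, anyone who
    learns the role ARN could ask Prisma Cloud to assume the role on their behalf.
    """
    findings: list[str] = []
    grants = 0
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        grants += 1
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else list(aws)
        if not aws:
            findings.append(f"statement {i}: no AWS principal")
        for p in aws:
            if p == "*" or trusted_account not in p:
                findings.append(f"statement {i}: principal {p!r} is not the trusted account")
        cond = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if cond != external_id:
            findings.append(f"statement {i}: sts:ExternalId condition missing or wrong")
    if grants == 0:
        findings.append("no Allow statement grants sts:AssumeRole")
    return findings


def live_get_trust_policy(account_id: str, role_name: str,
                          admin_role: str = "OrganizationAccountAccessRole") -> dict:
    """Live fetcher (not run offline): from the master account, hop into the member account
    through the role Organizations creates there and read the Prisma role's trust policy.
    Accounts invited into the organization may lack OrganizationAccountAccessRole."""
    import boto3  # lazy import so the offline checks below do not need boto3

    creds = boto3.client("sts").assume_role(
        RoleArn=member_role_arn(account_id, admin_role), RoleSessionName="prisma-role-audit"
    )["Credentials"]
    iam = boto3.client("iam", aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    return iam.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]


def verify_member_roles(account_ids: list[str], role_name: str, external_id: str,
                        fetch: TrustPolicyFetcher = live_get_trust_policy) -> dict[str, str]:
    """Map each account to 'ok', 'missing or unreadable: ...' or 'trust policy: ...'."""
    if "Org" not in role_name:
        raise ValueError("Prisma Cloud requires 'Org' in the member role name")
    results: dict[str, str] = {}
    for account in account_ids:
        try:
            policy = fetch(account, role_name)
        except Exception as exc:  # boto3 raises ClientError (NoSuchEntity, AccessDenied)
            results[account] = f"missing or unreadable: {exc}"
            continue
        findings = check_trust_policy(policy, external_id, PRISMA_PRINCIPAL_ACCOUNT)
        results[account] = "ok" if not findings else "trust policy: " + "; ".join(findings)
    return results


# Constructed sample data for the offline run: the trust policy the role is expected to carry,
# a copy that lost its ExternalId condition, and an inventory missing one account's role.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PRISMA_PRINCIPAL_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}
BAD_TRUST_POLICY = json.loads(json.dumps(GOOD_TRUST_POLICY))
del BAD_TRUST_POLICY["Statement"][0]["Condition"]
FAKE_MEMBER_ROLES = {"123456789012": GOOD_TRUST_POLICY, "234567890123": BAD_TRUST_POLICY}


def fake_get_trust_policy(account_id: str, role_name: str) -> dict:
    """Offline stand-in for live_get_trust_policy over the constructed inventory."""
    if role_name != ROLE_NAME or account_id not in FAKE_MEMBER_ROLES:
        raise LookupError(f"NoSuchEntity: {member_role_arn(account_id, role_name)}")
    return FAKE_MEMBER_ROLES[account_id]


if __name__ == "__main__":
    accounts = ["123456789012", "234567890123", "345678901234"]
    for acct, status in verify_member_roles(accounts, ROLE_NAME, EXTERNAL_ID, fake_get_trust_policy).items():
        print(acct, status)
```

For a live run, pass the account IDs returned by the Organizations ListAccounts API (or only those in the OUs you targeted) and leave the default fetcher in place; the caller needs sts:AssumeRole on OrganizationAccountAccessRole in each member account. Accounts reported as missing are the ones you would expect to see absent from Stack instances, and a trust-policy finding in an account that the StackSet reports as CURRENT means someone edited the role after deployment.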

Update an Onboarded AWS Organization

In addition to updating the CFT stack to enable permissions for new services, you can use this workflow to update the account groups that are secured with Prisma Cloud, change the protection mode from Monitor to Monitor & Protect (or back), and redeploy the Prisma Cloud role in member accounts. You can onboard all member accounts under the Organizations hierarchy, or selectively add the OUs whose member accounts you want to onboard on Prisma Cloud.
  1. Provision the Prisma Cloud role on the AWS master account.
    1. Download the template file for your needs:
      • For master accounts with read-only access (Monitor mode)—https://s3.amazonaws.com/redlock-public/cft/rl-read-only.template
      • For master accounts with read-write access (Monitor & Protect mode)—https://s3.amazonaws.com/redlock-public/cft/rl-read-and-write.template
    2. Log in to your master account on the AWS management console.
    3. Select Services > CloudFormation > Stacks.
    4. Select the PrismaCloudApp stack and click Update Stack.
    5. Replace the existing template with the template you downloaded earlier.
      (Screenshot: edit-aws-org-stacksets.png)
    6. Click Next and review the configuration.
    7. Select I acknowledge that AWS CloudFormation might create IAM resources with custom names and Submit.
  2. Configure the member accounts.
    1. Log in to your master account on the AWS management console.
    2. Select Services > CloudFormation > StackSets.
    3. Select the Prisma StackSet and click Edit StackSet Details.
    4. Replace the current template with the member-account template for the mode you selected (the rl-read-only-member.template or rl-read-and-write-member.template file listed in the onboarding procedure above).
    5. Click Next and enter values for PrismaCloudRoleName and ExternalId.
    6. Click Next and verify that Service managed permissions is selected.
    7. Select Deploy to organizational units (OUs) and, under Organizational units (OUs), select all the OUs that are displayed or enter the AWS OU ID.
      To enter your Organization Root ID, use the format r-[0-9a-z]{4,32}. For example, r-6usb.
      (Screenshot: edit-aws-org-stacksets-select-ous.png)
    8. In Specify regions, select one region from the drop-down.
      Use the region the StackSet already deploys to; adding a second region would try to create the IAM role a second time in each account.
    9. In Deployment Options, Maximum concurrent accounts, select Percentage and set it to 100.
    10. In Deployment Options, Failure tolerance, select Percentage and set it to 100.
    11. Click Next and review the configuration.
    12. Select I acknowledge that AWS CloudFormation might create IAM resources with custom names and Submit.
      The StackSet update is initiated. Wait for the SUCCEEDED status. When the process completes, each member account in which the role was created is listed under Stack instances; confirm that each instance is CURRENT, because the 100 percent failure tolerance lets the operation succeed even if some accounts failed.
    13. Select Parameters and copy the values for PrismaCloudRoleName and ExternalId.
  3. Access Prisma Cloud and select the AWS Organization account you want to modify.
    1. Select Settings > Cloud Accounts and select the account.
    2. (Optional) Select a different account group and click Next.
      During initial onboarding, you must assign all the member cloud accounts within the organization hierarchy to one account group. You can now edit the account to selectively assign AWS member accounts to different account groups on Prisma Cloud.
  4. Review the onboarding Status of your AWS Organization on Prisma Cloud.
    The status check verifies that VPC flow logs are enabled on at least one VPC in your master account and that audit events are available in at least one region in AWS CloudTrail. It also displays the number of member accounts that are provisioned with the Prisma Cloud role.
    (Screenshot: add-aws-org-status-green-with-member.png)
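Both the initial deployment and this update run the StackSet with a 100 percent failure tolerance, so the operation's SUCCEEDED status is not evidence that every targeted account received the role; the per-account entries under Stack instances are. The script below is an added example, not Prisma Cloud's own tooling: it pages through the stack instances the way the CloudFormation ListStackInstances API returns them and reports, for the set of accounts you expected the StackSet to reach, which are CURRENT, which are not, which have no instance at all, and which were deployed to more than one region (the role is a global IAM resource, so a second region only re-creates a role that already exists). The StackSet name, account IDs and the fake client are constructed so it runs offline.

```python
"""Audit the Prisma StackSet's stack instances after a create or update operation.

Added example, not Prisma Cloud's own code. The StackSet name, account IDs and the
fake CloudFormation client are constructed so the check runs offline.
"""
from __future__ import annotations

from collections import defaultdict
from typing import Any, Iterator


def iter_stack_instances(cfn, stackset_name: str) -> Iterator[dict]:
    """Page through list_stack_instances; cfn is a boto3 CloudFormation client or a stand-in."""
    token = None
    while True:
        kwargs: dict[str, Any] = {"StackSetName": stackset_name}
        if token:
            kwargs["NextToken"] = token
        page = cfn.list_stack_instances(**kwargs)
        yield from page.get("Summaries", [])
        token = page.get("NextToken")
        if not token:
            return


def audit_stack_instances(cfn, stackset_name: str, expected_accounts: set[str]) -> dict[str, Any]:
    """Classify every expected account as current, not_current, missing or multi_region.

    With a 100% failure tolerance the operation reports SUCCEEDED even when instances
    failed, so the per-instance Status is the proof that the role exists. An account with
    instances in two regions had the role created twice; IAM role names are global to the
    account, so the second attempt fails.
    """
    by_account: dict[str, list[dict]] = defaultdict(list)
    for inst in iter_stack_instances(cfn, stackset_name):
        by_account[inst["Account"]].append(inst)
    report: dict[str, Any] = {"current": [], "not_current": {}, "missing": [], "multi_region": {}}
    for account in sorted(expected_accounts):
        instances = by_account.get(account, [])
        if not instances:
            report["missing"].append(account)
            continue
        regions = sorted({i["Region"] for i in instances})
        if len(regions) > 1:
            report["multi_region"][account] = regions
        bad = [f"{i['Region']}: {i['Status']} {i.get('StatusReason', '')}".rstrip()
               for i in instances if i["Status"] != "CURRENT"]
        if bad:
            report["not_current"][account] = bad
        else:
            report["current"].append(account)
    return report


class FakeCloudFormation:
    """Constructed stand-in that returns pages in the shape boto3 uses for this call."""

    def __init__(self, summaries: list[dict], page_size: int = 2):
        self._pages = [summaries[i:i + page_size] for i in range(0, len(summaries), page_size)]

    def list_stack_instances(self, StackSetName: str, NextToken: str | None = None) -> dict:
        idx = int(NextToken) if NextToken else 0
        page = {"Summaries": self._pages[idx]} if self._pages else {"Summaries": []}
        if idx + 1 < len(self._pages):
            page["NextToken"] = str(idx + 1)
        return page


# Constructed sample: one healthy account, one whose instance failed, one deployed to a
# second region by mistake, and one (444...) that the StackSet never reached.
SAMPLE_INSTANCES = [
    {"Account": "111111111111", "Region": "us-east-1", "Status": "CURRENT"},
    {"Account": "222222222222", "Region": "us-east-1", "Status": "OUTDATED",
     "StatusReason": "Stack instance creation failed"},
    {"Account": "333333333333", "Region": "us-east-1", "Status": "CURRENT"},
    {"Account": "333333333333", "Region": "us-west-2", "Status": "OUTDATED",
     "StatusReason": "Role with name PrismaCloudOrgRole already exists"},
]
EXPECTED_ACCOUNTS = {"111111111111", "222222222222", "333333333333", "444444444444"}


if __name__ == "__main__":
    cfn = FakeCloudFormation(SAMPLE_INSTANCES)  # live: boto3.client("cloudformation")
    print(audit_stack_instances(cfn, "PrismaCloudMemberRoles", EXPECTED_ACCOUNTS))
```

For a live run, replace the fake client with boto3.client("cloudformation") in the region the StackSet was created in, pass the StackSet name you entered, and build expected_accounts from the accounts in the OUs you targeted. Accounts listed under missing or not_current are the ones Prisma Cloud cannot onboard, and an account listed under multi_region is the usual explanation for an "already exists" failure.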
