Set Up the Prisma Cloud Role for AWS—Manual
To monitor your AWS account, create the roles manually and authorize the permissions for Prisma Cloud.

If you do not want to use the guided onboarding flow that automates the process of creating the roles required for Prisma™ Cloud to monitor, or to monitor and protect, your accounts on AWS, you must create the roles manually. To monitor your AWS account, you must create a role that grants Prisma Cloud access to your flow logs together with either read-only access (to retrieve and view the traffic log data) or limited read-write access (to retrieve traffic log data and remediate incidents). To authorize the permissions, copy the policies from the relevant template and attach them to the role. Event logs associated with the monitored cloud account are retrieved automatically by Prisma Cloud.
- Log in to the AWS Management Console to create a role for Prisma Cloud. Refer to the AWS documentation for instructions. Create the role in the same region as your AWS account, and use the following values and options when creating the role:
  - Type of trusted entity: Another AWS Account, and enter the Account ID: 188619942792
  - Select Require external ID, which is a unique alphanumeric string. You can generate a secure UUIDv4 at https://www.uuidgenerator.net/version4.
  - Do not enable MFA. Verify that Require MFA is not selected.
  - Click Next and add the AWS Managed Policy for Security Audit. Then add a role name and create the role. Later in this workflow, you will create the granular policies and edit the role to attach the additional policies.
- Get the granular permissions from the AWS CloudFormation template for your AWS environment. The Prisma Cloud S3 bucket has read-only templates and read-and-write templates for the public AWS, AWS GovCloud, and AWS China environments.
  - Download the template you need:
    - AWS Public Cloud (AWS account and AWS Organization master account)
      - Read-Only: https://s3.amazonaws.com/redlock-public/cft/rl-read-only.template
      - Read-Write (Limited): https://s3.amazonaws.com/redlock-public/cft/rl-read-and-write.template
    - Member accounts within AWS Organizations
      - Read-Only: https://s3.amazonaws.com/redlock-public/cft/rl-read-only-member.template
      - Read-Write (Limited): https://s3.amazonaws.com/redlock-public/cft/rl-read-and-write-member.template
    - AWS GovCloud
      - Read-Only: https://s3.amazonaws.com/redlock-public/cft/redlock-govcloud-read-only.template
      - Read-Write (Limited): https://s3.amazonaws.com/redlock-public/cft/redlock-govcloud-read-and-write.template
    - AWS China
      - Read-Only: https://s3.amazonaws.com/redlock-public/cft/rl-cn-read-only.template
      - Read-Write (Limited): https://s3.amazonaws.com/redlock-public/cft/rl-cn-read-and-write.template
  - Identify the permissions you need to copy. To create the policy manually, you will need to add the required permissions inline using the JSON editor. From the read-only template you can get the granular permissions for the PrismaCloud-IAM-ReadOnly-Policy, and the read-write template lists the granular permissions for the PrismaCloud-IAM-ReadOnly-Policy and the PrismaCloud-IAM-Remediation-Policy. For AWS accounts you onboard to Prisma Cloud, if you do not use the host, serverless functions, and container capabilities enabled with Prisma Cloud Compute, you do not need the permissions associated with these roles:
    - PrismaCloud-ReadOnly-Policy-Compute role: the CFT used for Monitor mode includes additional permissions associated with this role to enable monitoring of resources that are onboarded for Prisma Cloud Compute.
    - PrismaCloud-Remediation-Policy-Compute role: the CFT used for Monitor & Protect mode includes additional permissions associated with this role to enable read-write access for monitoring and remediating resources that are onboarded for Prisma Cloud Compute.
  - Open the appropriate template using a text editor.
  - Find the policies you need and copy them to your clipboard. Copy the details for one or both permissions, and make sure to include the opening and closing brackets for valid syntax, as shown below.
- Create the policy that defines the permissions for the Prisma Cloud role. Both the read-only role and the read-write role require the AWS Managed Policy SecurityAudit. In addition, you will need to enable the granular permissions for the PrismaCloud-IAM-ReadOnly-Policy for the read-only role, or, for the read-write role, add the PrismaCloud-IAM-ReadOnly-Policy and the limited permissions for the PrismaCloud-IAM-Remediation-Policy.
  - Select IAM on the AWS Management Console.
  - In the navigation pane on the left, choose Access Management > Policies > Create policy.
  - Select the JSON tab. Paste the JSON policies that you copied from the template within the square brackets for Statement. If you are enabling read and read-write permissions, make sure to append the read-write permissions within the same Action statement.
  - Review and create the policy.
  - Edit the role you created in Step 1 and attach the policy to the role.
  - (Required only if you want to use the same role to access your CloudWatch log group) Update the trust policy to allow access to the CloudWatch log group. Edit the Trust Relationships to add the statement listed below. This allows you to ensure that your role has a trust relationship for the flow logs service to assume the role and publish logs to the CloudWatch log group.

        {
          "Effect": "Allow",
          "Principal": {
            "Service": "vpc-flow-logs.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }

- Copy the Role ARN.
- Resume the account onboarding flow at Paste the Role ARN in Add an AWS Cloud Account on Prisma Cloud.
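As an added example (not code from this page or from Palo Alto Networks), the following Python builds the two JSON documents the procedure above produces by hand: the role's trust policy from Step 1 (Prisma Cloud's account ID, the external ID condition, and no MFA condition), optionally extended with the flow logs trust statement from Step 3, and the merged permissions policy assembled from statement lists copied out of the read-only and remediation templates. The is_uuid4 check, the sample statements, and the size check against AWS's 6,144-character managed policy limit (which the page does not mention) are the example's own assumptions.

```python
import json
import uuid

# Values from the page: Prisma Cloud's AWS account ID and the flow logs service principal
PRISMA_CLOUD_ACCOUNT_ID = "188619942792"
FLOW_LOGS_SERVICE = "vpc-flow-logs.amazonaws.com"
MANAGED_POLICY_LIMIT = 6144  # AWS limit on non-whitespace characters in a managed policy


def is_uuid4(external_id):
    """The page recommends a UUIDv4 external ID; reject anything else (example's own check)."""
    try:
        return uuid.UUID(external_id).version == 4
    except ValueError:
        return False


def build_trust_policy(external_id, allow_flow_logs=False):
    """Trust policy equivalent to the Step 1 console choices: Prisma Cloud's account may
    assume the role only when it presents the external ID, and no MFA condition is added."""
    if not is_uuid4(external_id):
        raise ValueError("external ID must be a UUIDv4")
    statements = [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PRISMA_CLOUD_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]
    if allow_flow_logs:
        # Optional statement from Step 3: lets the flow logs service publish to CloudWatch
        statements.append({
            "Effect": "Allow",
            "Principal": {"Service": FLOW_LOGS_SERVICE},
            "Action": "sts:AssumeRole",
        })
    return {"Version": "2012-10-17", "Statement": statements}


def merge_policy_statements(*fragments):
    """Combine statement lists copied from the read-only and remediation templates
    into one permissions policy document, as the JSON editor step requires."""
    statements = [dict(s) for fragment in fragments for s in fragment]
    document = {"Version": "2012-10-17", "Statement": statements}
    # Compact serialization approximates the non-whitespace count AWS applies to the limit
    size = len(json.dumps(document, separators=(",", ":")))
    if size > MANAGED_POLICY_LIMIT:
        raise ValueError(f"policy has {size} characters; limit is {MANAGED_POLICY_LIMIT}")
    return document
```

Paste the output of build_trust_policy into the role's Trust Relationships and the output of merge_policy_statements into the JSON tab of Create policy.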