Set Up the Prisma Cloud Role for AWS—Manual

To monitor your AWS account, create the roles manually and authorize the permissions for Prisma Cloud.
If you do not want to use the guided onboarding flow that automates the process of creating the roles required for Prisma™ Cloud to monitor, or monitor and protect, your accounts on AWS, you must create the roles manually. To monitor your AWS account, you must create a role that grants Prisma Cloud access to your flow logs and either read-only access (to retrieve and view the traffic log data) or limited read-write access (to retrieve traffic log data and remediate incidents). To authorize the permissions, copy the policies from the relevant template and attach them to the role. Event logs associated with the monitored cloud account are retrieved automatically on Prisma Cloud.
  1. Log in to the AWS Management Console to create a role for Prisma Cloud.
    Refer to the AWS documentation for instructions. Create the role in the same region as your AWS account, and use the following values and options when creating the role:
    • Type of trusted entity: Another AWS Account, and enter the Account ID*: 188619942792
    • Select Require external ID, and enter a unique alphanumeric string. You can generate a secure UUIDv4 at https://www.uuidgenerator.net/version4.
    • Do not enable MFA. Verify that Require MFA is not selected.
    • Click Next and add the AWS Managed Policy for Security Audit.
      Then, add a role name and create the role. Later in this workflow, you will create the granular policies and edit the role to attach the additional policies.
  2. Get the granular permissions from the AWS CloudFormation template for your AWS environment.
    The Prisma Cloud S3 bucket has read-only templates and read-and-write templates for the public AWS, AWS GovCloud, and AWS China environments.
    1. Download the template you need (role, followed by the S3 template URL).
      AWS Public Cloud (AWS account, and the master account of an AWS Organization)
        Read-Only: https://s3.amazonaws.com/redlock-public/cft/rl-read-only.template
        Read-Write (Limited): https://s3.amazonaws.com/redlock-public/cft/rl-read-and-write.template
      For member accounts within AWS Organizations
        Read-Only: https://s3.amazonaws.com/redlock-public/cft/rl-read-only-member.template
        Read-Write (Limited): https://s3.amazonaws.com/redlock-public/cft/rl-read-and-write-member.template
      AWS GovCloud
        Read-Only: https://s3.amazonaws.com/redlock-public/cft/redlock-govcloud-read-only.template
        Read-Write (Limited): https://s3.amazonaws.com/redlock-public/cft/redlock-govcloud-read-and-write.template
      AWS China
        Read-Only: https://s3.amazonaws.com/redlock-public/cft/rl-cn-read-only.template
        Read-Write (Limited): https://s3.amazonaws.com/redlock-public/cft/rl-cn-read-and-write.template
    2. Identify the permissions you need to copy.
      To create the policy manually, you will need to add the required permissions inline using the JSON editor. From the read-only template you can get the granular permissions for the PrismaCloud-IAM-ReadOnly-Policy, and the read-write template lists the granular permissions for both the PrismaCloud-IAM-ReadOnly-Policy and the PrismaCloud-IAM-Remediation-Policy.
      For AWS accounts you onboard to Prisma Cloud, if you do not use the host, serverless functions, and container capabilities enabled with Prisma Cloud Compute, you do not need the permissions associated with these roles:
      • PrismaCloud-ReadOnly-Policy-Compute role—CFT used for Monitor mode; includes additional permissions associated with this new role to enable monitoring of resources that are onboarded for Prisma Cloud Compute.
      • PrismaCloud-Remediation-Policy-Compute role—CFT used for Monitor & Protect mode; includes additional permissions associated with this new role to enable read-write access for monitoring and remediating resources that are onboarded for Prisma Cloud Compute.
      1. Open the appropriate template using a text editor.
      2. Find the policies you need and copy them to your clipboard.
        Copy the statements for one or both policies, and make sure to include the opening and closing brackets so that the JSON remains valid.
  3. Create the policy that defines the permissions for the Prisma Cloud role.
    Both the read-only role and the read-write role require the AWS Managed Policy SecurityAudit. In addition, for the read-only role you will need to enable the granular permissions for the PrismaCloud-IAM-ReadOnly-Policy; for the read-write role, add the PrismaCloud-IAM-ReadOnly-Policy and the limited permissions for the PrismaCloud-IAM-Remediation-Policy.
    1. Select IAM on the AWS Management Console.
    2. In the navigation pane on the left, choose Access Management > Policies > Create policy.
    3. Select the JSON tab.
      Paste the JSON policy statements that you copied from the template within the square brackets of the Statement array.
      If you are enabling both read-only and read-write permissions, make sure to append the read-write permissions within the same Action statement.
    4. Review and create the policy.
  4. Edit the role you created in Step 1 and attach the policy to the role.
  5. (Required only if you want to use the same role to access your CloudWatch log group) Update the trust policy to allow access to the CloudWatch log group.
    Edit the Trust Relationships of the role to add the statement listed below. This ensures that your role has a trust relationship that allows the VPC Flow Logs service to assume the role and publish logs to the CloudWatch log group.
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  6. Copy the Role ARN.
  7. Resume the account onboarding flow at Paste the Role ARN in Add an AWS Cloud Account on Prisma Cloud.
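As an added worked example (not code from the Prisma Cloud documentation or from its CloudFormation templates), the following Python script assembles the documents the steps above have you build by hand: the trust policy for the role in Step 1 with the external ID condition, the optional vpc-flow-logs statement from Step 5, and a single permissions policy that merges statements copied from the templates as Step 3 instructs. It also checks the trust policy for the settings the procedure calls for (external ID present, Require MFA off, no wildcard principal). The account ID 188619942792 and the vpc-flow-logs.amazonaws.com service principal come from the page; the sample statements, the function names and the generated external ID are constructed for this example and are not the contents of the actual templates.

```python
import json
import uuid

# Prisma Cloud's AWS account ID as given in Step 1 of the procedure.
PRISMA_CLOUD_ACCOUNT_ID = "188619942792"
# Service principal from the Step 5 trust statement.
FLOW_LOGS_SERVICE = "vpc-flow-logs.amazonaws.com"


def build_trust_policy(external_id, allow_flow_logs=False):
    """Trust policy for the role created in Step 1 (plus Step 5 if requested).

    The sts:ExternalId condition is what "Require external ID" adds in the
    console. It ties the trust to the value you later enter in Prisma Cloud, so
    a third party who knows only the role ARN cannot have Prisma Cloud assume
    the role on their behalf (the confused-deputy problem).
    """
    statements = [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PRISMA_CLOUD_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]
    if allow_flow_logs:
        # Step 5: let the VPC Flow Logs service assume the same role to publish
        # flow logs to the CloudWatch log group.
        statements.append({
            "Effect": "Allow",
            "Principal": {"Service": FLOW_LOGS_SERVICE},
            "Action": "sts:AssumeRole",
        })
    return {"Version": "2012-10-17", "Statement": statements}


def merge_policy_statements(*statement_lists):
    """Combine statements copied from one or more templates into one policy
    document (Step 3). Plain Allow statements on Resource "*" with no Condition
    are folded into a single de-duplicated Action list, which is the
    "append within the same Action statement" instruction; a statement with a
    narrower Resource or a Condition is kept on its own so the merge never
    widens its scope.
    """
    merged_actions = []
    kept = []
    for statements in statement_lists:
        for stmt in statements:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            plain = (stmt.get("Effect") == "Allow"
                     and stmt.get("Resource") == "*"
                     and "Condition" not in stmt)
            if plain:
                for action in actions:
                    if action not in merged_actions:
                        merged_actions.append(action)
            else:
                kept.append(stmt)
    merged = []
    if merged_actions:
        merged.append({"Effect": "Allow", "Action": sorted(merged_actions), "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": merged + kept}


def check_trust_policy(policy):
    """Return the problems a reviewer should reject this trust policy for."""
    problems = []
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal")
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws_principal == "*":
            problems.append("wildcard principal")
        elif aws_principal is not None:
            cond = stmt.get("Condition", {})
            if "sts:ExternalId" not in cond.get("StringEquals", {}):
                problems.append("cross-account trust without sts:ExternalId condition")
            if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true":
                problems.append("Require MFA is set; it must not be selected for this role")
    return problems


# Constructed sample statements standing in for what you copy from the
# templates; they are NOT the actual contents of the Prisma Cloud templates.
SAMPLE_READ_ONLY = [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "logs:DescribeLogGroups"], "Resource": "*"},
]
SAMPLE_REMEDIATION = [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:ModifyInstanceAttribute"], "Resource": "*"},
]


def build_example():
    """Assemble the trust policy and the merged permissions policy for a
    read-write role that also serves VPC Flow Logs."""
    external_id = str(uuid.uuid4())  # generate your own UUIDv4, as the procedure suggests
    trust = build_trust_policy(external_id, allow_flow_logs=True)
    permissions = merge_policy_statements(SAMPLE_READ_ONLY, SAMPLE_REMEDIATION)
    return trust, permissions


if __name__ == "__main__":
    trust_policy, permissions_policy = build_example()
    print(json.dumps(trust_policy, indent=2))
    print(json.dumps(permissions_policy, indent=2))
    print("trust policy problems:", check_trust_policy(trust_policy))
```

Run the script and paste the first printed document into Trust Relationships (Step 5) and the second into the JSON tab of Create policy (Step 3); with the real template the statement lists are larger, but the same merge keeps every scoped or conditional statement separate rather than flattening it into the wildcard Action list.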
