1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Administrator's Guide
    5. Connect Your Cloud Platform to Prisma Cloud
    6. Onboard Your AWS Account
    7. Update an Onboarded AWS Account

    Update an Onboarded AWS Account

    Update the protection mode and the account groups that are secured with Prisma Cloud.
    After you add your cloud account to Prisma Cloud, you may need to update the Prisma Cloud stack to provide additional permissions for new policies that are frequently added to help you monitor your cloud account and ensure that have a good security posture. When you update the CFT stack, Prisma Cloud can ingest data on new services that are supported. These CFTs are available directly from the Prisma Cloud administrative console and are also accessible from the S3 bucket. For instruction on updating your AWS Organization, see Add an AWS Organization to Prisma Cloud.
    Role
    S3 Template URL
    AWS Public Cloud
    —AWS account and AWS Organization, master account
    Read-Only
    https://s3.amazonaws.com/redlock-public/cft/rl-read-only.template
    Read-Write (Limited)
    https://s3.amazonaws.com/redlock-public/cft/rl-read-and-write.template
    For member accounts within AWS Organizations
     Read-Only
    https://s3.amazonaws.com/redlock-public/cft/rl-read-only-member.template
    For member accounts within AWS Organizations
     Read-Write (Limited)
    https://s3.amazonaws.com/redlock-public/cft/rl-read-and-write-member.template
    Use this template if you plan to enable Prisma Cloud Data Security
     Read-Only 
    https://redlock-public.s3.amazonaws.com/cft/rl-dlp-read-only.template
    Use this template if you plan to enable Prisma Cloud Data Security
     Read-Write (Limited)
    https://redlock-public.s3.amazonaws.com/cft/rl-dlp-read-and-write.template
    AWS GovCloud
    Read-Only
    https://s3.amazonaws.com/redlock-public/cft/redlock-govcloud-read-only.template
    Read-Write (Limited)
    https://s3.amazonaws.com/redlock-public/cft/redlock-govcloud-read-and-write.template
    AWS China
    Read-Only
    https://s3.amazonaws.com/redlock-public/cft/rl-cn-read-only.template
    Read-Write (Limited)
    https://s3.amazonaws.com/redlock-public/cft/rl-cn-read-and-write.template
    In addition to updating the CFT stack for enabling permissions for new services, you can use this workflow to update the account groups that are secured with Prisma Cloud or to change the protection mode from Monitor to Monitor & Protect or the reverse way.
    1. Log in to the Prisma Cloud administrative console.
    2. Select the AWS cloud account you want to modify.
      Select
      Settings
      Cloud Accounts
       and click on the name of the cloud account to manage from the list of cloud accounts.
    3. (Optional)
       Change the account groups you want to monitor.
    4. (To change permissions for the Prisma Cloud role)
       Update the Prisma Cloud App using the CloudFormation template (CFT).
      1. Click the link to download the latest template and follow the instructions to update the stack.
      2. Update the stack either using the AWS console or using the AWS CLI.
        • Log in to AWS console.
        • Select
          Services
          CloudFormation
          Stacks
          .
        • Select the
          PrismaCloudApp
           stack to update and select
          Update
          .
          Select
          Replace current template
           and
          Upload a template file
           you downloaded earlier; you can optionally provide the Amazon S3 URL listed in the table above.
          If you decide to create a new stack instead of updating the existing stack, you must copy the ExternalID and PrismaCloudRoleARN values from the CFT outputs.
        • Configure stack options.
        • Click
          Next
           and verify the settings.
        • Preview your changes
           to the CloudFormation template for the role you updated.
        • Update
           your CFT.
          If you created a new stack, you must log in to the Prisma Cloud administrative console and select your cloud account on
          Settings
          Cloud Accounts
           to enter the ExternalID and PrismaCloudRoleARN values from the CFT outputs.
        • Check the Status to verify that Prisma Cloud can successfully retrieve information on your cloud resources.
        • Use AWS Command Line Interface to deploy the updated Prisma Cloud App stack.
        • Using the AWS CLI tool, enter the following command to retrieve the latest CloudFormation template.
          Role
          CLI Command
          AWS Public cloud
          Read-Only
          wget https://s3.amazonaws.com/redlock-public/cft/rl-read-only.template --quiet -O /tmp/rl-read-only.template
          Read-Write (Limited)
          wget https://s3.amazonaws.com/redlock-public/cft/rl-read-and-write.template --quiet -O /tmp/rl-read-and-write.template
          AWS GovCloud
          Read-Only
          wget https://s3.amazonaws.com/redlock-public/cft/redlock-govcloud-read-only.template --quiet -O /tmp/rl-read-only.template
          Read-Write (Limited)
          wget https://s3.amazonaws.com/redlock-public/cft/redlock-govcloud-read-and-write.template --quiet -O /tmp/rl-read-and-write.template
          AWS China
          Read-Only
          wget https://s3.amazonaws.com/redlock-public/cft/rl-cn-read-only.template --quiet -O /tmp/rl-cn-read-only.template
          Read-Write (Limited)
          wget https://s3.amazonaws.com/redlock-public/cft/rl-cn-read-and-write.template --quiet -O /tmp/rl-cn-read-and-write.template
        • Enter the following command to deploy the updated CloudFormation template.
          Replace with the correct name for the CloudFormation template, current stack name, role ARN, and External ID to overwrite the current stack or enter new values to create a new stack.
          • Read-Only
            aws cloudformation deploy --template-file /tmp/<RedLock-cloudformation-template-name> --stack-name <Stack Name> --parameter-overrides RedlockRoleARN=<Role ARN> ExternalID=<xxxxxxxxxx> --capabilities CAPABILITY_NAMED_IAM
          • Read-Write (Limited)
            aws cloudformation deploy --template-file /tmp/<RedLock-cloudformation-template-name> --stack-name <Stack Name> --parameter-overrides RedlockRoleARN=<Role ARN> ExternalID=<xxxxxxxxxx> --capabilities CAPABILITY_NAMED_IAM

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo