Update an Onboarded AWS Account

Update the protection mode and the account groups that are secured with Prisma Cloud.
After you add your cloud account to Prisma Cloud, you may need to update the PrismaCloud stack to provide additional permissions for the new policies that are frequently added to help you monitor your cloud account and ensure that you have a good security posture. When you update the CFT stack, Prisma Cloud can ingest data on newly supported services. These CFTs are available directly from the Prisma Cloud administrative console and are also accessible from the S3 bucket.
Role                              S3 Template URL
AWS Public Cloud
  Read-Only                       https://s3.amazonaws.com/redlock-public/cft/rl-read-only.template
  Read-Write (Limited)            https://s3.amazonaws.com/redlock-public/cft/rl-read-and-write.template
AWS GovCloud
  Read-Only                       https://s3.amazonaws.com/redlock-public/cft/redlock-govcloud-read-only.template
  Read-Write (Limited)            https://s3.amazonaws.com/redlock-public/cft/redlock-govcloud-read-and-write.template
In addition to updating the CFT stack to enable permissions for new services, you can use this workflow to update the account groups that are secured with Prisma Cloud, or to change the protection mode from Monitor to Monitor & Protect or back again.
  1. Log in to the Prisma Cloud administrative console.
  2. Select the AWS cloud account you want to modify.
    Select Settings > Cloud Accounts and click the name of the cloud account to manage from the list of cloud accounts.
  3. (Optional) Change the account groups you want to monitor.
  4. (To change permissions for the Prisma Cloud role) Update the Prisma Cloud App using the CloudFormation template (CFT).
    1. Click the link to download the latest template and follow the instructions to update the stack.
    2. Update the stack either using the AWS console or using the AWS CLI.
      • Log in to the AWS console.
      • Select Services > CloudFormation > Stacks.
      • Select the PrismaCloudApp stack to update and select Update.
        Select Replace current template and Upload a template file to upload the template you downloaded earlier; you can optionally provide the Amazon S3 URL listed in the table above instead.
        If you decide to create a new stack instead of updating the existing stack, you must copy the ExternalID and PrismaCloudRoleARN values from the CFT outputs.
      • Configure stack options.
      • Click Next and verify the settings.
      • Preview your changes to the CloudFormation template for the role you updated.
      • Update your CFT.
        If you created a new stack, you must log in to the Prisma Cloud administrative console, select your cloud account on Settings > Cloud Accounts, and enter the ExternalID and PrismaCloudRoleARN values from the CFT outputs.
      • Check the Status to verify that Prisma Cloud can successfully retrieve information on your cloud resources.
      • Use the AWS Command Line Interface (CLI) to deploy the updated Prisma Cloud App stack.
      • Using the AWS CLI tool, enter the following command to retrieve the latest CloudFormation template.
        Role                      CLI Command
        AWS Public Cloud
          Read-Only               wget https://s3.amazonaws.com/redlock-public/cft/rl-read-only.template --quiet -O /tmp/rl-read-only.template
          Read-Write (Limited)    wget https://s3.amazonaws.com/redlock-public/cft/rl-read-and-write.template --quiet -O /tmp/rl-read-and-write.template
        AWS GovCloud
          Read-Only               wget https://s3.amazonaws.com/redlock-public/cft/redlock-govcloud-read-only.template --quiet -O /tmp/rl-read-only.template
          Read-Write (Limited)    wget https://s3.amazonaws.com/redlock-public/cft/redlock-govcloud-read-and-write.template --quiet -O /tmp/rl-read-and-write.template
      • Enter the following command to deploy the updated CloudFormation template.
        Replace the placeholders with the correct CloudFormation template file name, current stack name, role ARN, and External ID to overwrite the current stack, or enter new values to create a new stack.
        • Read-Only
          aws cloudformation deploy --template-file /tmp/<RedLock-cloudformation-template-name> --stack-name <Stack Name> --parameter-overrides RedlockRoleARN=<Role ARN> ExternalID=<xxxxxxxxxx> --capabilities CAPABILITY_NAMED_IAM
        • Read-Write (Limited)
          aws cloudformation deploy --template-file /tmp/<RedLock-cloudformation-template-name> --stack-name <Stack Name> --parameter-overrides RedlockRoleARN=<Role ARN> ExternalID=<xxxxxxxxxx> --capabilities CAPABILITY_NAMED_IAM
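As an added example that is not part of the Prisma Cloud documentation, the following Python script compares the IAM actions granted by the template currently deployed with those in the newly downloaded template, so the permission delta of a stack update can be reviewed before the deploy command above is run. It assumes JSON-formatted templates (load each with json.load) whose policies sit in AWS::IAM::Role inline Policies or in AWS::IAM::Policy / AWS::IAM::ManagedPolicy PolicyDocuments; the two sample templates inside are constructed for illustration and are not the real Prisma Cloud CFTs.

```python
# Added example (not Prisma Cloud's own code): diff the IAM actions granted by
# the currently deployed template against a newly downloaded one, so a stack
# update is reviewed for new permissions before it is applied. Assumes JSON
# templates (load each with json.load) whose policies sit in AWS::IAM::Role
# inline Policies or in AWS::IAM::Policy / AWS::IAM::ManagedPolicy documents.
INLINE_POLICY_TYPES = {"AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"}
POLICY_DOC_TYPES = {"AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}

def statement_actions(policy_doc: dict) -> set:
    """Actions from Allow statements only; Action may be a string or a list."""
    actions = set()
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        actions.update([action] if isinstance(action, str) else action)
    return actions

def allowed_actions(template: dict) -> set:
    """Union of allowed actions across every IAM resource in the template."""
    actions = set()
    for res in template.get("Resources", {}).values():
        props = res.get("Properties", {})
        if res.get("Type") in INLINE_POLICY_TYPES:
            for pol in props.get("Policies", []):
                actions |= statement_actions(pol.get("PolicyDocument", {}))
        elif res.get("Type") in POLICY_DOC_TYPES:
            actions |= statement_actions(props.get("PolicyDocument", {}))
    return actions

def permission_delta(current: dict, updated: dict) -> tuple:
    """Return (added, removed) actions when moving from current to updated."""
    cur, new = allowed_actions(current), allowed_actions(updated)
    return new - cur, cur - new

# Constructed sample templates (shape only; not the real Prisma Cloud CFTs).
def _role_template(statements: list) -> dict:
    return {"Resources": {"PrismaCloudRole": {"Type": "AWS::IAM::Role", "Properties": {
        "Policies": [{"PolicyName": "read", "PolicyDocument": {"Statement": statements}}]}}}}

CURRENT = _role_template(
    [{"Effect": "Allow", "Action": ["ec2:Describe*", "s3:GetBucketPolicy"], "Resource": "*"}])
UPDATED = _role_template(
    [{"Effect": "Allow", "Action": ["ec2:Describe*", "eks:ListClusters"], "Resource": "*"},
     {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}])  # Deny is not counted as granted

if __name__ == "__main__":
    added, removed = permission_delta(CURRENT, UPDATED)
    print("added:", sorted(added), "removed:", sorted(removed))
```

Run it against the deployed template (retrievable with `aws cloudformation get-template`) and the file saved under /tmp to see exactly which actions the update grants or drops.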
