Update an Onboarded AWS Account
Update the protection mode and the account groups that are secured with Prisma Cloud.
After you add your cloud account to Prisma Cloud, you may need to update the Prisma Cloud stack to provide additional permissions for new policies that are frequently added to help you monitor your cloud account and ensure that have a good security posture. When you update the CFT stack, Prisma Cloud can ingest data on new services that are supported. These CFTs are available directly from the Prisma Cloud administrative console and are also accessible from the S3 bucket. For instruction on updating your AWS Organization, see Add an AWS Organization to Prisma Cloud.
S3 Template URL
AWS Public Cloud—AWS account and AWS Organization, master account
For member accounts within AWS OrganizationsRead-Only
For member accounts within AWS OrganizationsRead-Write (Limited)
Use this template if you plan to enable Prisma Cloud Data SecurityRead-Only
Use this template if you plan to enable Prisma Cloud Data SecurityRead-Write (Limited)
In addition to updating the CFT stack for enabling permissions for new services, you can use this workflow to update the account groups that are secured with Prisma Cloud or to change the protection mode from Monitor to Monitor & Protect or the reverse way.
- Log in to the Prisma Cloud administrative console.
- Select the AWS cloud account you want to modify.Selectand click on the name of the cloud account to manage from the list of cloud accounts.SettingsCloud Accounts
- (Optional)Change the account groups you want to monitor.
- (To change permissions for the Prisma Cloud role)Update the Prisma Cloud App using the CloudFormation template (CFT).
- Click the link to download the latest template and follow the instructions to update the stack.
- Update the stack either using the AWS console or using the AWS CLI.
- Select thePrismaCloudAppstack to update and selectUpdate.SelectReplace current templateandUpload a template fileyou downloaded earlier; you can optionally provide the Amazon S3 URL listed in the table above.If you decide to create a new stack instead of updating the existing stack, you must copy the ExternalID and PrismaCloudRoleARN values from the CFT outputs.
- Configure stack options.
- ClickNextand verify the settings.
- Preview your changesto the CloudFormation template for the role you updated.
- Updateyour CFT.If you created a new stack, you must log in to the Prisma Cloud administrative console and select your cloud account onto enter the ExternalID and PrismaCloudRoleARN values from the CFT outputs.SettingsCloud Accounts
- Check the Status to verify that Prisma Cloud can successfully retrieve information on your cloud resources.
- Using the AWS CLI tool, enter the following command to retrieve the latest CloudFormation template.RoleCLI CommandAWS Public cloudRead-Onlywget https://s3.amazonaws.com/redlock-public/cft/rl-read-only.template --quiet -O /tmp/rl-read-only.templateRead-Write (Limited)wget https://s3.amazonaws.com/redlock-public/cft/rl-read-and-write.template --quiet -O /tmp/rl-read-and-write.templateAWS GovCloudRead-Onlywget https://s3.amazonaws.com/redlock-public/cft/redlock-govcloud-read-only.template --quiet -O /tmp/rl-read-only.templateRead-Write (Limited)wget https://s3.amazonaws.com/redlock-public/cft/redlock-govcloud-read-and-write.template --quiet -O /tmp/rl-read-and-write.templateAWS ChinaRead-Onlywget https://s3.amazonaws.com/redlock-public/cft/rl-cn-read-only.template --quiet -O /tmp/rl-cn-read-only.templateRead-Write (Limited)wget https://s3.amazonaws.com/redlock-public/cft/rl-cn-read-and-write.template --quiet -O /tmp/rl-cn-read-and-write.template
- Enter the following command to deploy the updated CloudFormation template.Replace with the correct name for the CloudFormation template, current stack name, role ARN, and External ID to overwrite the current stack or enter new values to create a new stack.
- Read-Only—aws cloudformation deploy --template-file /tmp/<RedLock-cloudformation-template-name> --stack-name <Stack Name> --parameter-overrides RedlockRoleARN=<Role ARN> ExternalID=<xxxxxxxxxx> --capabilities CAPABILITY_NAMED_IAM
- Read-Write (Limited)—aws cloudformation deploy --template-file /tmp/<RedLock-cloudformation-template-name> --stack-name <Stack Name> --parameter-overrides RedlockRoleARN=<Role ARN> ExternalID=<xxxxxxxxxx> --capabilities CAPABILITY_NAMED_IAM
Recommended For You
Recommended videos not found.