Add Your OCI Tenant to Prisma Cloud

By default, your OCI tenant has a root compartment (tenancy). You need the root compartment’s OCID to onboard your OCI tenant.
You must onboard OCI at the tenant level. Any child compartments will be automatically onboarded.
Each OCI tenant is associated with a Home region. Prisma Cloud is available for visibility and monitoring of your OCI tenants in all the cloud regions supported by OCI.
  1. Add OCI Tenant
    The first step to start monitoring your resources on OCI is to add your OCI tenant to Prisma Cloud.
    1. Access Prisma Cloud and select
      Cloud Accounts
      Add New
    2. Select
      Oracle Cloud Infrastructure
      as the
      Cloud to Protect
    3. Enter a
      Cloud Account Name
      that uniquely identifies your OCI tenant on Prisma Cloud and
  2. Add OCI Tenant Details
    The administrator resources are created only at the tenant-level in OCI. To ingest those resources, you must onboard the OCI tenant in Prisma Cloud by entering the root compartment OCID and home region from the OCI console.
    1. Log in to your OCI console and select
      Identity & Security
    2. Copy the
      of the root compartment.
    3. Return to the Prisma Cloud Onboarding Setup page and paste the OCID in the
      Tenant OCID
    4. Enter the
      Home Region
      where the tenant is created (for example, us-phoenix-1).
    5. On clicking
      and following the steps listed under
      Steps to get User OCID
      , a new user, group, and policy that correspond to OCI Identity User Name, Group Name, and Policy Name will be created.
      You can use an existing user with the correct privileges, an existing group, and an existing policy with the correct policy statements. However, it is recommended to create a new user, group, and policy as listed in Step 3.
  3. Create a User to Enable Access
    Use the Terraform template to generate a new user OCID. The User Name, Group Name, and Policy Name must be unique and should not be present in your OCI tenant.
    To onboard the Oracle Cloud account, a public key is required to access to the OCI API. This public key is embedded in the Terraform template, and the public key changes each time you download the template. Hence, make sure that you use the latest Terraform file that you downloaded when creating a stack.
    1. Download Terraform Template
      to download the template to your local machine.
      OCI has a limit of 50 policy statements. With the addition of new APIs, Prisma Cloud will have 56 policy statements in the Terraform file. To successfully ingest the new OCI APIs, request a service limit increase on the policy statements before you run the Terraform file.
      This change affects monthly or annual universal credits OCI accounts and pay-as-you-go or promo OCI accounts.
    2. Follow these steps to generate
      User OCID
      1. Log in to your OCI tenant console.
      2. Select the Home Region you entered in
        Add OCI Tenant Details
      3. Navigate to
        Developer Services
        Resource Manager
        and select
        Create Stack
      4. Select
        My Configuration
        to upload the Terraform configuration files.
      5. Under
        Stack Configuration
        , upload the ‘’.zip file that you had previously downloaded to your local machine.
      6. Enter a stack name, for example PrismaCloudApp, select the
        compartment if it is not already selected, and click
      7. Review the Configure Variables information and
      8. Review the Stack information and
        the stack.
      9. From the
        Terraform Actions
        drop-down, select
        for the stack you have created with Terraform.
        On clicking
        , the file gets executed and the User OCID is generated.
      10. From the current Job details, navigate to
        and copy the user_ocid
    3. Return to the Prisma Cloud Onboarding Setup page and paste the
      User OCID
      value in the User OCID text field and click
  4. Account Group Selection
    Select the Account Groups to associate with your OCI tenant and click
    You must assign each cloud account to an account group, and Create an Alert Rule for Run-Time Checks to associate the account group with it to generate alerts when a policy violation occurs.
  5. Cloud Account Status
    After you provide the details of your OCI tenant, the status page displays the number of compartments that exist under that particular tenant. Along with the root tenant, Prisma Cloud also ingests the child compartment(s).
    1. Check your
      On successful configuration, the Status displays a green checkmark for
    2. Verify the onboarding Status of your OCI tenant on Prisma Cloud and click
    3. On successful onboarding,
      the window or Add Another Cloud Account.
  6. Verify Your OCI Tenant
    Review the status and take necessary actions to resolve any issues encountered during the onboarding process by navigating to the
    Settings > Cloud Accounts
    page. Your onboarded OCI tenants are displayed on the page.
    Verify that all Compartments are displayed in the list by clicking the Cloud name link.
  7. Next Steps
    1. It can take up to an hour for the ingestion to complete after which you can view the resources in Prisma Cloud, review, and act on the alerts generated.
    2. Configure Alert Rule to include OCI policies.
    3. If you do not want to ingest data from any of the child compartments:
      1. Navigate to
        Cloud Accounts
      2. Click the
        of the tenant you have onboarded.
      3. The tenant is also displayed as 1 compartment. Select the child compartments you want to disable.
    4. Depending on your password policy, you can choose to rotate your user’s keys:
      1. Navigate to
        Cloud Accounts
      2. Click the Edit icon for the tenant for which you want to rotate the keys.
      3. Select
        Rotate Keys
      4. Click
        Download Terraform Template
        and follow the steps listed in
        Create a User to Enable Access
        to regenerate the User OCID.
    5. On the Prisma Cloud
      , you can filter by OCI
      Cloud Accounts
      . Prisma Cloud supports only configuration ingestion for OCI tenants and displays only the relevant configuration ingestion data.
    6. Start using the Prisma Cloud Asset Inventory for visibility. Set the
      Cloud Type
      filter as OCI to view the data for the supported services. You can also filter the data based on the OCI
      Cloud Region
      Cloud Service
    7. To verify if the configuration logs for your OCI-related resources have been analyzed, you can run a query on the
    8. Review the Prisma Cloud default
      for OCI. Set the
      Cloud Type
      filter as
      and view all the Configuration policies that are available to detect any misconfiguration in your infrastructure.
  8. Update an Onboarded OCI Account
    To update the permissions of an already onboarded OCI account in order to ingest new APIs or to ingest additional attributes in the OCI API:
    1. Navigate to
      Cloud Accounts
    2. Click the Edit icon for the tenant you want to update.
    3. In the edit flow, without selecting the
      Rotate Keys
      checkbox (by default, it is always unchecked), download the updated Terraform template.
    4. Log in to your OCI tenant console, upload the updated Terraform template, and click
    5. From the Job details, navigate to
      , copy user_ocid and add it on Prisma Cloud.
    This will update the policy with the newly added policy statements.

Recommended For You