Provide Prisma Cloud Role with Access to Common S3 Bucket
Specify a central or shared S3 bucket that stores your
AWS CloudTrail event logs.
In a scenario where you do not want to store
AWS CloudTrail event logs within the same S3 bucket that you are
onboarding to Prisma Cloud for Data Security scanning, you can provide Prisma
Cloud role with access to a common or shared S3 bucket that stores
your AWS CloudTrail event logs.
For example, you want to scan
S3 buckets in Monitored account 1 but CloudTrail is written to an
S3 bucket in the Logging account. In such a scenario, you do not
want to create another CloudTrail bucket in order to use Data Security.
For Prisma Cloud Data Security to get access to
the S3 bucket in the Logging account, update the CloudTrail bucket
policy to allow access to the onboarded Prisma Cloud role in the Monitored
account.
For the Prisma Cloud role to access the objects in the
Monitored account, complete the following tasks on the AWS Management
Console:
Navigate to the Logging account’s CloudTrail
bucket.
Select the
Permissions
tab.
Set
Object Ownership
to
Bucket Owner Preferred
.
After setting it to Bucket Owner Preferred, the Bucket
Owner will be the owner of new objects written to this bucket and
the Prisma Cloud role in the Monitored account will be able to access
this common S3 bucket.
If you have an encrypted CloudTrail
bucket, the Prisma Cloud role needs access to the KMS key that was
used to encrypt that CloudTrail bucket.
