Provide Prisma Cloud Role with Access to Common S3 Bucket

In a scenario where you do not want to store AWS CloudTrail event logs within the same S3 bucket that you are onboarding to Prisma Cloud for Data Security scanning, you can provide Prisma Cloud role with access to a common or shared S3 bucket that stores your AWS CloudTrail event logs.

For example, you want to scan S3 buckets in Monitored account 1 but CloudTrail is written to an S3 bucket in the Logging account. In such a scenario, you do not want to create another CloudTrail bucket in order to use Data Security.

For Prisma Cloud Data Security to get access to the S3 bucket in the Logging account, update the CloudTrail bucket policy to allow access to the onboarded Prisma Cloud role in the Monitored account.
Update the CloudTrail bucket policy as follows:
{    "Sid": "PrismaCloudStorageStatement",    "Effect": "Allow",    "Principal": {         "AWS": "arn:aws:iam::123456789101:role/PrismaCloudReadOnlyRoleWithDLP"    },    "Action": [      "s3:GetBucketLocation",      "s3:GetObject"    ],    "Resource": [       "arn:aws:s3:::bucket-name",       "arn:aws:s3:::bucket-name/*"    ]}
For the Prisma Cloud role to access the objects in the Monitored account, complete the following tasks on the AWS Management Console:
Navigate to the Logging account’s CloudTrail bucket.

Select the

Permissions

tab.

Set

Object Ownership

to

Bucket Owner Preferred

.


After setting it to Bucket Owner Preferred, the Bucket Owner will be the owner of new objects written to this bucket and the Prisma Cloud role in the Monitored account will be able to access this common S3 bucket.
If you have an encrypted CloudTrail bucket, the Prisma Cloud role needs access to the KMS key that was used to encrypt that CloudTrail bucket.