Provide Prisma Cloud Role with Access to Common S3 Bucket
Specify a central or shared S3 bucket that stores your AWS CloudTrail event logs.

In a scenario where you do not want to store AWS CloudTrail event logs within the same S3 bucket that you are onboarding to Prisma Cloud for Data Security scanning, you can provide the Prisma Cloud role with access to a common or shared S3 bucket that stores your AWS CloudTrail event logs. For example, you want to scan S3 buckets in Monitored account 1 but CloudTrail is written to an S3 bucket in the Logging account. In such a scenario, you do not want to create another CloudTrail bucket in order to use

For Prisma Cloud Data Security to get access to the S3 bucket in the Logging account, update the CloudTrail bucket policy to allow access to the onboarded Prisma Cloud role in the

For the Prisma Cloud role to access the objects in the Monitored account, complete the following tasks on the AWS Management

Navigate to the Logging account’s CloudTrail

Bucket Owner Preferred

After setting it to Bucket Owner Preferred, the Bucket Owner will be the owner of new objects written to this bucket, and the Prisma Cloud role in the Monitored account will be able to access this common S3 bucket.

If you have an encrypted CloudTrail bucket, the Prisma Cloud role needs access to the KMS key that was used to encrypt that CloudTrail bucket.
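As an added check (example code, not from the Prisma Cloud documentation or product), the following Python reads a Logging-account CloudTrail bucket policy or KMS key policy and reports which grants the onboarded Monitored-account role still lacks, including the case where an explicit Deny overrides an Allow. The role ARN, bucket name, key ARN and the required actions (s3:ListBucket, s3:GetObject, kms:Decrypt) are assumptions, and the sample policies are constructed.

```python
import json
from fnmatch import fnmatch

# Constructed placeholders; replace with your Monitored and Logging account values.
PRISMA_ROLE_ARN = "arn:aws:iam::111111111111:role/PrismaCloudRole"  # role in Monitored account
LOG_BUCKET = "central-cloudtrail-logs"                               # bucket in Logging account
KMS_KEY_ARN = "arn:aws:kms:us-east-1:222222222222:key/00000000-0000-0000-0000-000000000000"

# Assumed minimum grants for reading CloudTrail objects (the page does not list actions).
REQUIRED_S3 = {"s3:ListBucket": f"arn:aws:s3:::{LOG_BUCKET}",
               "s3:GetObject": f"arn:aws:s3:::{LOG_BUCKET}/*"}
REQUIRED_KMS = {"kms:Decrypt": KMS_KEY_ARN}  # only needed when the bucket is SSE-KMS encrypted

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principals(stmt):
    p = stmt.get("Principal", {})
    return _as_list(p.get("AWS", [])) if isinstance(p, dict) else _as_list(p)

def missing_grants(policy_json, required, role_arn=PRISMA_ROLE_ARN):
    """Return the (action, resource) pairs that the policy does not grant to role_arn:
    no matching Allow statement, or an explicit Deny that overrides one.
    IAM-style '*' and '?' wildcards in Principal, Action and Resource are honoured."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    missing = []
    for action, resource in required.items():
        allowed = denied = False
        for stmt in statements:
            if not any(fnmatch(role_arn, p) for p in _principals(stmt)):
                continue
            if not any(fnmatch(action, a) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(fnmatch(resource, r) for r in _as_list(stmt.get("Resource", []))):
                continue
            allowed |= stmt.get("Effect") == "Allow"
            denied |= stmt.get("Effect") == "Deny"
        if denied or not allowed:
            missing.append((action, resource))
    return missing

# Constructed samples: a bucket policy missing s3:ListBucket on the bucket ARN, a complete one,
# and a KMS key policy statement granting the role decrypt on the bucket's key.
INCOMPLETE_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": {"AWS": PRISMA_ROLE_ARN},
    "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{LOG_BUCKET}/*"}]})
COMPLETE_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": {"AWS": PRISMA_ROLE_ARN},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [f"arn:aws:s3:::{LOG_BUCKET}", f"arn:aws:s3:::{LOG_BUCKET}/*"]}]})
KMS_KEY_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": {"AWS": PRISMA_ROLE_ARN},
    "Action": "kms:Decrypt", "Resource": "*"}]})
```

Calling missing_grants(INCOMPLETE_POLICY, REQUIRED_S3) reports the s3:ListBucket gap on the bucket ARN, while the complete bucket policy and the KMS key policy return an empty list.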