1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Administrator's Guide
    5. Prisma Cloud Data Security
    6. Enable Prisma Cloud Data Security
    7. Enable Data Security for AWS Account

    Enable Data Security for AWS Account

    Begin here if you want to add your AWS cloud account on Prisma Cloud and start scanning the files stored in your S3 buckets.
    2. Click the
      Edit
       icon next to the AWS account for which you want to enable Data Security.
    3. Select
      Data Security
       under
      Security Capabilities and Permissions
      .
      Data policies on Prisma Cloud do not support automatic remediation; therefore, if you configure Data Security on an AWS account with Remediation enabled you must manually fix issues to address alerts generated from data policies.
    4. Click
      Next
      .
    5. Allow Prisma Cloud to access your bucket.
      If you have configured bucket policy to restrict access, make sure to complete the following tasks on the AWS Management Console:
      1. Copy the Prisma Cloud Role ARN that you added to enable Data Security on Prisma Cloud above.
      2. Edit your bucket policy to include the Prisma Cloud Role ARN.
        The following snippet is an example: Consider a bucket policy that denies access to
        monitored-bucket
         when requesting
        s3:GetObject
         API.
        {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::monitored-bucket",
        "arn:aws:s3:::monitored-bucket/*"
      ]
    }
  ]
}
        In order for PrismaCloud to get access to the objects in
        monitored-bucket
         , attach a negation condition to the bucket policy to allow
        PrismaCloudReadOnlyRoleWithDLP
         to access the bucket.
        {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::monitored-bucket",
        "arn:aws:s3:::monitored-bucket/*"
      ],
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::<accountID>:role/<PrismaCloudReadOnlyRoleWithDLP>"
          ]
        }
      }
    }
  ]
}
        Without these permissions, Prisma Cloud is denied access to S3 buckets with restricted bucket policies (HTTP 403 error).
    6. Configure Account
      .
      • Download IAM Role CFT
         and follow the
        Steps
         listed.
    7. Click
      Next
      .
    8. Configure Data Security
      .
      Choose to scan all your resources or you can choose to customize what you want to scan.
      • When you select Scan All, Prisma Cloud will Forward scan and Backward scan all eligible objects. The forward scan inspects any new or modified files, and the backward scan is retrospective, which means that it inspects files that exist in the storage bucket. The Supported File Sizes and Types—Prisma Cloud Data Security of files that you want to scan within your storage bucket will determine how many Prisma Cloud credits are used for Data Security.
      • When you select Custom Scan, Prisma Cloud will Forward scan and/or Backward scan eligible objects in selected resources.
    9. Click
      Next
      .
    10. Define Forward Scan
      .
      You can choose to
      Add New
       or
      Select existing
       CloudTrail, SNS Topic, or Buckets for Log Files. The consumption of Prisma Cloud license credits depends on the file size in the selected objects and whether you enable forward and backward scans.
      CloudTrail buckets are not scanned. You can choose buckets with objects containing ELB access logs, S3 access logs, and VPC flow logs for scanning.
    11. Click
      Next
      .
    12. Configure Forward Scan
      .
      1. Download Template
         locally. The template is a .zip file that contains shell script, CFTs, and configuration files.
      2. Login to your Amazon CloudShell account, upload the .zip file you downloaded in the above step, and run the following command that will create a Bucket, SNS Topic, and CloudTrail:
        sh pcds_forward_scan_setup.sh -f config.txt
      3. Wait for the CREATE_COMPLETE status.
      4. Once the above command runs successfully in AWS, click
        Validate Setup
         on Prisma Cloud.
      5. Irrespective of whether the script gets validated or not you can continue to onboard and configure data security for your AWS account. If validation fails, see Troubleshoot Data Security Errors and set up AWS CloudTrail and SNS manually to resolve it.
    13. Click
      Next
      .
    14. (
      Optional
      ) Follow this step only if the objects inside your S3 buckets are encrypted with Customer Managed Keys (CMK).
      The step varies depending on whether the CMK is located within the same AWS account or a different one:
      • When the CMK is in the same AWS account that you’re onboarding, the Prisma Cloud role needs additional permissions to access the key. Add the following statement to the Prisma Cloud role and update the resources array with all the CMK ARNs:
        {
            "Sid": "AllowPrismaCloudToAccessKeys",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": ["arn:aws:kms:ap-south-123456789101:key/3269f3d0-1820-407f-b67e-73acdd9243f4"]
}
      • When the CMK is in a different AWS account than the one that you’re onboarding, you need to first add the following policy statement to all the CMKs that are used for encryption and update the
        Principal AWS
         field with the Prisma Cloud ARN:
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::726893731529:role/PrismaCloudReadOnlyRoleWithDLP"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
}
        PrismaCloudReadOnlyRoleWithDLP refers to the Prisma Cloud Role ARN that you added to enable Data Security on Prisma Cloud. This role needs additional permissions to access the key. Add the following statement to the Prisma Cloud role and update the resources array with all the CMK ARNs:
        {
            "Sid": "AllowPrismaCloudToAccessKeys",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": ["arn:aws:kms:ap-south-123456789101:key/3269f3d0-1820-407f-b67e-73acdd9243f4"]
}
    15. Review Status
      .
    16. Click
      Save and Close
      .
    17. Click the
      View
       icon next to the AWS account for which you enabled data security and view the details under
      Data Security
      .

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo