Add a New AWS Account and Enable Data Security

Begin here if you want to add your AWS cloud account on Prisma Cloud and start scanning the files stored in your S3 buckets.
  1. Add a new AWS account.
    1. Select
      Settings
      Cloud Accounts
      Add Cloud Account
      .
    2. Select
      AWS
      , enter a
      Cloud Account Name
      , and select to onboard an
      Account
      .
    3. Select the
      Mode
      .
      Decide whether to enable permissions to only
      Monitor
      (read-only access) or to
      Monitor & Protect
      (read-write access) the resources in your cloud account. Your selection determines which AWS Cloud Formation Template (CFT) is used to automate the process of creating the custom role required for Prisma Cloud.
      There are some additional steps if you want to scan cloud resources, other than S3 buckets, on this AWS account. To review the requirements start at Add an AWS Cloud Account on Prisma Cloud, otherwise continue to the next step in this workflow.
    4. Select the
      Data Security
      checkbox.
      Prisma Cloud Data Security supports Monitor mode only. Data policies on Prisma Cloud do not support automatic remediation; therefore, if you enable Data Security on an AWS account with Monitor & Protect mode you must manually fix issues to address alerts generated from data policies.
    5. Click
      Next
      .
  2. Create a stack in your AWS account.
    1. Select
      Create Stack
      .
      Log in to your AWS account in a separate tab. The CloudFormation template defaults to N. Virginia. You must change it to the region where your AWS Account is before you create the stack.
    2. Select
      I acknowledge that AWS CloudFormation might create IAM resources with custom names
      and
      Create stack
      .
      Wait for the CREATE_COMPLETE status.
    3. Copy
      Role: ARN
      and
      SNS Topic: ARN
      from the Outputs tab in the AWS Management Console.
  3. Allow Prisma Cloud to access your bucket.
    If you have configured bucket policy to restrict access, make sure to complete the following tasks on the AWS Management Console:
    1. Copy the Prisma Cloud Role ARN that you added to enable Data Security on Prisma Cloud above.
    2. Edit your bucket policy to include the Prisma Cloud Role ARN.
      The following snippet is an example: Consider a bucket policy that denies access to
      monitored-bucket
      when requesting
      s3:GetObject
      API.
      { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::monitored-bucket", "arn:aws:s3:::monitored-bucket/*" ] } ] }
      In order for PrismaCloud to get access to the objects in
      monitored-bucket
      , attach a negation condition to the bucket policy to allow
      PrismaCloudReadOnlyRoleWithDLP
      to access the bucket.
      { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::monitored-bucket", "arn:aws:s3:::monitored-bucket/*" ], "Condition": { "ArnNotEquals": { "aws:PrincipalArn": [ "arn:aws:iam::<accountID>:role/<PrismaCloudReadOnlyRoleWithDLP>" ] } } } ] }
      Without these permissions, Prisma Cloud is denied access to S3 buckets with restricted bucket policies (HTTP 403 error).
  4. Set up
    Forward Scan
    to scan your cloud resources for data security issues.
    Make sure you have created a stack in your AWS account by following the steps listed above.
    1. From your AWS account, copy and paste
      Role ARN
      and click
      Next
      .
    2. Configure Data Security
      to scan all your resources or you can choose to customize what you want to scan.
      • When you select Scan All, Prisma Cloud will Forward scan and Backward scan all eligible objects. The forward scan inspects any new or modified files, and the backward scan is retrospective, which means that it inspects files that exist in the storage bucket. The size and number of files that you want to scan within your storage bucket will determine how many Prisma Cloud credits are used for Data Security.
      • When you select Custom Scan, Prisma Cloud will Forward scan and/or Backward scan eligible objects in selected resources.
    3. You can choose to
      Add New
      or
      Select existing
      CloudTrail, SNS Topic, or Buckets for Log Files. The consumption of Prisma Cloud license credits depends on the file size in the selected objects and whether you enable forward and backward scans.
      CloudTrail buckets are not scanned. You can choose buckets with objects containing ELB access logs, S3 access logs, and VPC flow logs for scanning.
    4. Follow the steps to
      Configure Forward Scan
      :
      • Download Template
        locally. The template is a .zip file that contains shell script, CFTs, and configuration files.
      • Login to your Amazon CloudShell account, upload the .zip file you downloaded in the above step, and run the following command that will create a Bucket, SNS Topic, and CloudTrail:
        sh pcds_forward_scan_setup.sh -f config.txt
      • Wait for the CREATE_COMPLETE status.
      • Once the above command runs successfully in AWS, click
        Validate Setup
        on Prisma Cloud.
    5. Irrespective of whether the script gets validated or not you can continue to onboard and configure data security for your AWS account. If validation fails, see Troubleshoot Data Security Errors and set up AWS CloudTrail & SNS manually to resolve it.
    6. Click
      Next
      .
  5. (
    Optional
    ) Follow this step only if the objects inside your S3 buckets are encrypted with Customer Managed Keys (CMK).
    The step varies depending on whether the CMK is located within the same AWS account or a different one:
    • When the CMK is in the same AWS account that you’re onboarding, the Prisma Cloud role needs additional permissions to access the key. Add the following statement to the Prisma Cloud role and update the resources array with all the CMK ARNs:
      { "Sid": "AllowPrismaCloudToAccessKeys", "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": ["arn:aws:kms:ap-south-123456789101:key/3269f3d0-1820-407f-b67e-73acdd9243f4"]}
    • When the CMK is in a different AWS account than the one that you’re onboarding, you need to first add the following policy statement to all the CMKs that are used for encryption and update the
      Principal AWS
      field with the Prisma Cloud ARN:
      { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::726893731529:role/PrismaCloudReadOnlyRoleWithDLP" }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*" }
      PrismaCloudReadOnlyRoleWithDLP
      refers to the Prisma Cloud Role ARN that you added to enable Data Security on Prisma Cloud. This role needs additional permissions to access the key. Add the following statement to the Prisma Cloud role and update the resources array with all the CMK ARNs:
      { "Sid": "AllowPrismaCloudToAccessKeys", "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": ["arn:aws:kms:ap-south-123456789101:key/3269f3d0-1820-407f-b67e-73acdd9243f4"]}
  6. Click
    Next
    and select one or more
    Account Groups
    .
    You must assign each cloud account to an account group and create an alert rule to associate with that account group, in order to generate alerts when a policy violation occurs. See Generate Alerts for Data Policies.
  7. Click
    Next
    and review the
    Status
    .
    If any of the status displays an error, see Troubleshoot Data Security Errors to resolve it.
  8. Click
    Done
    and
    Close
    or you can choose to add another account.

Recommended For You