Add a New AWS Account and Enable Data Security

Begin here if you want to add your AWS cloud account on Prisma Cloud and start scanning the files stored in your S3 buckets.
  1. Add a new AWS account.
    1. Select
      Cloud Accounts
      Add Cloud Account
    2. Select
      , enter a
      Cloud Account Name
      , and select to onboard an
    3. Select the
      Decide whether to enable permissions to only
      (read-only access) or to
      Monitor & Protect
      (read-write access) the resources in your cloud account. Your selection determines which AWS Cloud Formation Template (CFT) is used to automate the process of creating the custom role required for Prisma Cloud.
      There are some additional steps if you want to scan cloud resources, other than S3 buckets, on this AWS account. To review the requirements start at Add an AWS Cloud Account on Prisma Cloud, otherwise continue to the next step in this workflow.
    4. Select the
      Data Security
      Prisma Cloud Data Security supports Monitor mode only. Data policies on Prisma Cloud do not support automatic remediation; therefore, if you enable Data Security on an AWS account with Monitor & Protect mode you must manually fix issues to address alerts generated from data policies.
    5. Click
  2. Create a stack in your AWS account.
    1. Select
      Create Stack
      Log in to your AWS account in a separate tab. The CloudFormation template defaults to N. Virginia. You must change it to the region where your AWS Account is before you create the stack.
    2. Select
      I acknowledge that AWS CloudFormation might create IAM resources with custom names
      Create stack
      Wait for the CREATE_COMPLETE status.
    3. Copy
      Role: ARN
      SNS Topic: ARN
      from the Outputs tab in the AWS Management Console.
  3. Allow Prisma Cloud to access your bucket.
    If you have configured bucket policy to restrict access, make sure to complete the following tasks on the AWS Management Console:
    1. Copy the Prisma Cloud Role ARN that you added to enable Data Security on Prisma Cloud above.
    2. Edit your bucket policy to include the Prisma Cloud Role ARN.
      The following snippet is an example: Consider a bucket policy that denies access to
      when requesting
      { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::monitored-bucket", "arn:aws:s3:::monitored-bucket/*" ] } ] }
      In order for PrismaCloud to get access to the objects in
      , attach a negation condition to the bucket policy to allow
      to access the bucket.
      { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::monitored-bucket", "arn:aws:s3:::monitored-bucket/*" ], "Condition": { "ArnNotEquals": { "aws:PrincipalArn": [ "arn:aws:iam::<accountID>:role/<PrismaCloudReadOnlyRoleWithDLP>" ] } } } ] }
      Without these permissions, Prisma Cloud is denied access to S3 buckets with restricted bucket policies (HTTP 403 error).
  4. Set up
    Forward Scan
    to scan your cloud resources for data security issues.
    Make sure you have created a stack in your AWS account by following the steps listed above.
    1. From your AWS account, copy and paste
      Role ARN
      and click
    2. Configure Data Security
      to scan all your resources or you can choose to customize what you want to scan.
      • When you select Scan All, Prisma Cloud will Forward scan and Backward scan all eligible objects. The forward scan inspects any new or modified files, and the backward scan is retrospective, which means that it inspects files that exist in the storage bucket. The size and number of files that you want to scan within your storage bucket will determine how many Prisma Cloud credits are used for Data Security.
      • When you select Custom Scan, Prisma Cloud will Forward scan and/or Backward scan eligible objects in selected resources.
    3. You can choose to
      Add New
      Select existing
      CloudTrail, SNS Topic, or Buckets for Log Files. The consumption of Prisma Cloud license credits depends on the file size in the selected objects and whether you enable forward and backward scans.
      CloudTrail buckets are not scanned. You can choose buckets with objects containing ELB access logs, S3 access logs, and VPC flow logs for scanning.
    4. Follow the steps to
      Configure Forward Scan
      • Download Template
        locally. The template is a .zip file that contains shell script, CFTs, and configuration files.
      • Login to your Amazon CloudShell account, upload the .zip file you downloaded in the above step, and run the following command that will create a Bucket, SNS Topic, and CloudTrail:
        sh -f config.txt
      • Wait for the CREATE_COMPLETE status.
      • Once the above command runs successfully in AWS, click
        Validate Setup
        on Prisma Cloud.
    5. Irrespective of whether the script gets validated or not you can continue to onboard and configure data security for your AWS account. If validation fails, see Troubleshoot Data Security Errors and set up AWS CloudTrail & SNS manually to resolve it.
    6. Click
  5. (
    ) Follow this step only if the objects inside your S3 buckets are encrypted with Customer Managed Keys (CMK).
    The step varies depending on whether the CMK is located within the same AWS account or a different one:
    • When the CMK is in the same AWS account that you’re onboarding, the Prisma Cloud role needs additional permissions to access the key. Add the following statement to the Prisma Cloud role and update the resources array with all the CMK ARNs:
      { "Sid": "AllowPrismaCloudToAccessKeys", "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": ["arn:aws:kms:ap-south-123456789101:key/3269f3d0-1820-407f-b67e-73acdd9243f4"]}
    • When the CMK is in a different AWS account than the one that you’re onboarding, you need to first add the following policy statement to all the CMKs that are used for encryption and update the
      Principal AWS
      field with the Prisma Cloud ARN:
      { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::726893731529:role/PrismaCloudReadOnlyRoleWithDLP" }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*" }
      refers to the Prisma Cloud Role ARN that you added to enable Data Security on Prisma Cloud. This role needs additional permissions to access the key. Add the following statement to the Prisma Cloud role and update the resources array with all the CMK ARNs:
      { "Sid": "AllowPrismaCloudToAccessKeys", "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": ["arn:aws:kms:ap-south-123456789101:key/3269f3d0-1820-407f-b67e-73acdd9243f4"]}
  6. Click
    and select one or more
    Account Groups
    You must assign each cloud account to an account group and create an alert rule to associate with that account group, in order to generate alerts when a policy violation occurs. See Generate Alerts for Data Policies.
  7. Click
    and review the
    If any of the status displays an error, see Troubleshoot Data Security Errors to resolve it.
  8. Click
    or you can choose to add another account.

Recommended For You