Add a New AWS Account and Enable Data Security

Begin here if you want to add your AWS cloud account on Prisma Cloud and start scanning the files stored in your S3 buckets.
  1. Add a new AWS account.
    1. Select
      Cloud Accounts
      Add Cloud Account
    2. Select
      , enter a
      Cloud Account Name
      , and select to onboard an
    3. Select the
      Decide whether to enable permissions to only
      (read-only access) or to
      Monitor & Protect
      (read-write access) the resources in your cloud account. Your selection determines which AWS Cloud Formation Template (CFT) is used to automate the process of creating the custom role required for Prisma Cloud.
      There are some additional steps if you want to scan cloud resources, other than S3 buckets, on this AWS account. To review the requirements start at Add an AWS Cloud Account on Prisma Cloud, otherwise continue to the next step in this workflow.
    4. Select the
      Data Security
      Prisma Cloud Data Security supports Monitor mode only. Data policies on Prisma Cloud do not support automatic remediation; therefore, if you enable Data Security on an AWS account with Monitor & Protect mode you must manually fix issues to address alerts generated from data policies.
    5. Click
  2. Create a stack in your AWS account.
    1. Select
      Create Stack
      Log in to your AWS account in a separate tab. The CloudFormation template defaults to N. Virginia. You must change it to the region where your AWS Account is before you create the stack.
    2. Select
      I acknowledge that AWS CloudFormation might create IAM resources with custom names
      Create stack
      Wait for the CREATE_COMPLETE status.
    3. Copy
      Role: ARN
      SNS Topic: ARN
      from the Outputs tab in the AWS Management Console.
    4. Paste
      Role: ARN
      SNS Topic: ARN
      in the Prisma Cloud Onboarding Setup screen.
  3. Allow Prisma Cloud to access your bucket.
    If you have configured bucket policy to restrict access, make sure to complete the following tasks on the AWS Management Console:
    1. Copy the Prisma Cloud Role ARN that you added to enable Data Security on Prisma Cloud above.
    2. Edit your bucket policy to include the Prisma Cloud Role ARN.
      The following snippet is an example:
      "ArnNotEquals": { "aws:PrincipalArn": [ "arn:aws:iam::<accountID>:role/<PrismaCloudReadOnlyRoleName>" "arn:aws:iam::<accountID>:root" ] }
      Without these permissions, Prisma Cloud is denied access to S3 buckets with restricted bucket policies (HTTP 403 error).
  4. Setup AWS CloudTrail & SNS.
    1. Create new CloudTrail or use an existing CloudTrail.
      You can store AWS CloudTrail event logs within the S3 bucket in the same account that you are onboarding to Prisma Cloud for Data Security scanning. If you do not want to store AWS CloudTrail event logs within the S3 bucket in the same account, see Provide Prisma Cloud Role with Access to Common S3 Bucket.
      Prisma Cloud will not ingest CloudTrail buckets.
    2. Select
      events to save cost.
      You can also exclude logs for AWS KMS actions, set Log AWS KMS events as
      because it generates a large number of events and Prisma Cloud Data Security does not use this event data.
    3. Select all S3 buckets in your account
      Add S3 bucket
      for only specific buckets.
      events only.
    4. Add your S3 bucket.
      Create New or Use an existing S3 bucket.
    5. Select
    6. Select your SNS preferences.
      Send SNS notification for every log file delivery - Yes
      , and select the SNS topic you created earlier when you created the stack. It was named PrismaCloudSNS in this example.
    7. Click
    8. Confirm that the CloudTrail bucket is created.
    9. Create bucket policy to enable Prisma Cloud to read from your CloudTrail bucket.
    10. Click
  5. Set up
    Forward Scan
    to scan your cloud resources for data security issues.
    Make sure you have created a stack in your AWS account by following the steps listed above.
    1. From your AWS account copy the
      External ID
      Role ARN
      and click
    2. You can choose to
      Add New
      Select existing
      CloudTrail, SNS Topic, or Buckets for Log Files. The consumption of Prisma Cloud license credits depends on the file size in the selected objects and whether you enable forward and backward scans.
      CloudTrail buckets and objects containing ELB access logs, S3 access logs, and VPC flow logs are not scanned.
    3. Click
    4. Follow the steps to
      Configure Forward Scan
      • Download Template
        locally. The template is a .zip file that contains shell script, CFTs, and configuration files.
      • Login to your Amazon CloudShell account, upload the .zip file you downloaded in the above step, and run the following command that will create a Bucket, SNS Topic, and CloudTrail:
        sh -f config.txt
      • Wait for the CREATE_COMPLETE status.
      • Once the above command runs successfully in AWS, click
        Validate Setup
        on Prisma Cloud.
    5. Irrespective of whether the script gets validated or not you can continue to onboard and configure data security for your AWS account. Click
  6. (
    ) Follow this step only if the objects inside your S3 buckets are encrypted with Customer Managed Keys (CMK).
    The step varies depending on whether the CMK is located within the same AWS account or a different one:
    • When the CMK is in the same AWS account that you’re onboarding, the Prisma Cloud role needs additional permissions to access the key. Add the following statement to the Prisma Cloud role and update the resources array with all the CMK ARNs:
      { "Sid": "AllowPrismaCloudToAccessKeys", "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": ["arn:aws:kms:ap-south-123456789101:key/3269f3d0-1820-407f-b67e-73acdd9243f4"]}
    • When the CMK is in a different AWS account than the one that you’re onboarding, you need to first add the following policy statement to all the CMKs that are used for encryption and update the
      Principal AWS
      field with the Prisma Cloud ARN:
      { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::726893731529:role/PrismaCloudReadOnlyRoleWithDLP-app13" }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*" }
      The Prisma Cloud role needs additional permissions to access the key. Add the following statement to the Prisma Cloud role and update the resources array with all the CMK ARNs:
      { "Sid": "AllowPrismaCloudToAccessKeys", "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": ["arn:aws:kms:ap-south-123456789101:key/3269f3d0-1820-407f-b67e-73acdd9243f4"]}
  7. Select whether you want to scan data
    only or
    Forward and Backward
    Forward scan is enabled by default. Prisma Cloud scans all files that are modified or new files added to the bucket after you enable scanning.
    • (
      ) When you select Forward and Backward scan, the forward scan inspects any new or modified files, and the backward scan is retrospective, which means that it inspects files that exist in the storage bucket. The size and number of Supported File Types—Prisma Cloud Data Security that you want to scan within your storage bucket will determine how many Prisma Cloud credits are used for Data Security. However, in the event that you trigger the scan quota threshold and the Prisma Cloud Data Security scan is paused, if you have enabled both forward and backward scan all files will be inspected when you increase the scan quota and scanning resumes. For backward scan, all existing files in the bucket are scanned in a batch operation. Depending on the number of files in your bucket, backward scan can consume more credits.
    • Custom buckets will list all buckets in your AWS account.
      Custom option lets you choose individual buckets to scan based on scan type (recommended).
    • Choose buckets and select a scan type for each bucket.
  8. Click
    and select one or more
    Account Groups
    You must assign each cloud account to an account group and create an alert rule to associate with that account group, in order to generate alerts when a policy violation occurs. See Generate Alerts for Data Policies.
  9. Click
    and review the
    If any of the status displays an error, see Troubleshoot Data Security Errors to resolve it.
  10. Click
    or you can choose to add another account.

Recommended For You