Add a New AWS Account and Enable Data Security

Begin here to add an AWS cloud account to Prisma Cloud and start scanning the files stored in its S3 buckets.
  1. Add a new AWS account.
    1. Select Settings > Cloud Accounts > Add Cloud Account.
    2. Select AWS, enter a Cloud Account Name, and select to onboard an Account.
    3. Select the Mode.
      Decide whether to grant permissions to only Monitor (read-only access) or to Monitor & Protect (read-write access) the resources in your cloud account. Your selection determines which AWS CloudFormation template (CFT) is used to automate creation of the custom role that Prisma Cloud requires.
      There are additional steps if you want to scan cloud resources other than S3 buckets on this AWS account. To review those requirements, start at Add an AWS Cloud Account on Prisma Cloud; otherwise continue with the next step in this workflow.
    4. Select the Data Security checkbox.
      Prisma Cloud Data Security operates in Monitor mode only. Data policies do not support automatic remediation, so even if you onboard the account in Monitor & Protect mode you must fix issues manually to address the alerts that data policies generate.
    5. Click Next.
  2. Create a stack in your AWS account.
    1. Select Create Stack.
      Log in to your AWS account in a separate tab. The CloudFormation console defaults to N. Virginia (us-east-1); switch to the region in which your account's resources run before you create the stack. The IAM role the template creates is global, but the SNS topic it creates is regional.
    2. Select I acknowledge that AWS CloudFormation might create IAM resources with custom names, then Create stack.
      Wait for the CREATE_COMPLETE status.
    3. Copy Role: ARN and SNS Topic: ARN from the Outputs tab in the AWS Management Console.
    4. Paste Role: ARN and SNS Topic: ARN into the Prisma Cloud Onboarding Setup screen.
  3. Allow Prisma Cloud to access your bucket.
    If you have configured a bucket policy that restricts access, complete the following on the AWS Management Console:
    1. Copy the Prisma Cloud Role ARN that you added above when you enabled Data Security.
    2. Edit the bucket policy so that the Prisma Cloud Role ARN is exempted from the restriction.
      The following snippet is an example: the condition of a Deny statement that exempts the Prisma Cloud role and the account root from the deny:
      "ArnNotEquals": {
        "aws:PrincipalArn": [
          "arn:aws:iam::<accountID>:role/<PrismaCloudReadOnlyRoleName>",
          "arn:aws:iam::<accountID>:root"
        ]
      }
      Without this exemption the Deny matches the Prisma Cloud role too, and Prisma Cloud is refused access to the bucket (HTTP 403 error).
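The following added example (not Prisma Cloud code) is the check a practitioner wants before and after editing such a policy: does any Deny statement still catch the Prisma Cloud role, and what does the patched policy look like. It assumes the restriction is a Deny conditioned on aws:PrincipalArn as in the snippet above; the account ID 123456789012, the bucket name and the role name PrismaCloudReadOnlyRole are placeholders.

```python
"""Check whether a restrictive S3 bucket policy still admits the Prisma Cloud
role, and add the role to the exemption list if it does not.

Added example; this is not Prisma Cloud code. Assumptions: the bucket is
restricted with a Deny statement conditioned on aws:PrincipalArn (ArnNotEquals
or ArnNotLike), and the account ID, bucket name and role name are placeholders.
"""
import copy
import fnmatch
import json

PRISMA_ROLE_ARN = "arn:aws:iam::123456789012:role/PrismaCloudReadOnlyRole"  # placeholder

# Constructed sample: denies everything unless the caller is the account root.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllButTrustedPrincipals",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-data-bucket",
                     "arn:aws:s3:::example-data-bucket/*"],
        "Condition": {
            "ArnNotEquals": {"aws:PrincipalArn": ["arn:aws:iam::123456789012:root"]}
        },
    }],
}

# Condition operators that exempt the listed principals from a Deny.
NOT_OPERATORS = ("ArnNotEquals", "ArnNotLike", "StringNotEquals", "StringNotLike")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(operator, pattern, arn):
    # *Like operators take ? and * wildcards; *Equals operators compare literally.
    if operator.endswith("Like"):
        return fnmatch.fnmatchcase(arn, pattern)
    return pattern == arn


def blocking_statements(policy, role_arn):
    """Sids of Deny statements whose aws:PrincipalArn exemption lists all omit
    role_arn. Every condition block must match for a Deny to apply, and a Not*
    block matches when the principal is absent from its list, so the role is
    blocked only if no block names it. Unconditional Denies and conditions on
    other keys are out of scope here."""
    blocking = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {})
        exemptions = [(op, _as_list(cond[op]["aws:PrincipalArn"]))
                      for op in NOT_OPERATORS if "aws:PrincipalArn" in cond.get(op, {})]
        if exemptions and not any(_matches(op, p, role_arn)
                                  for op, pats in exemptions for p in pats):
            blocking.append(stmt.get("Sid", "<no Sid>"))
    return blocking


def exempt_role(policy, role_arn):
    """Copy of policy with role_arn appended to every ArnNotEquals /
    StringNotEquals exemption list on aws:PrincipalArn. Wildcard (*Like)
    lists are left alone: widening a pattern is a decision for a human."""
    patched = copy.deepcopy(policy)
    for stmt in patched.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        for op in ("ArnNotEquals", "StringNotEquals"):
            block = stmt.get("Condition", {}).get(op, {})
            if "aws:PrincipalArn" in block:
                exempt = _as_list(block["aws:PrincipalArn"])
                if role_arn not in exempt:
                    exempt.append(role_arn)
                block["aws:PrincipalArn"] = exempt
    return patched


if __name__ == "__main__":
    print("blocked by:", blocking_statements(SAMPLE_POLICY, PRISMA_ROLE_ARN))
    fixed = exempt_role(SAMPLE_POLICY, PRISMA_ROLE_ARN)
    print("after patch:", blocking_statements(fixed, PRISMA_ROLE_ARN))
    print(json.dumps(fixed, indent=2))
```

Run it against the policy exported from the console; the printed document can then be applied with the console editor or `aws s3api put-bucket-policy`. Statements that restrict by `ArnNotLike` are reported but not edited, because adding a role to a wildcard pattern is a scope decision, not a mechanical fix.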
  4. Set up AWS CloudTrail & SNS.
    1. Create a new trail or use an existing trail.
      You can store the CloudTrail event logs in an S3 bucket in the same account that you are onboarding for Data Security scanning. If you do not want to store them in a bucket in the same account, see Provide Prisma Cloud Role with Access to Common S3 Bucket.
      Prisma Cloud does not scan the contents of the CloudTrail bucket itself.
    2. Select Write-only events to save cost.
      You can also exclude AWS KMS actions by setting Log AWS KMS events to No: KMS generates a large number of events, and Prisma Cloud Data Security does not use them.
    3. Select all S3 buckets in your account, or Add S3 bucket to select only specific buckets.
      Select Write events only.
    4. Add the S3 bucket that will store the trail's log files.
      Create new or Use an existing S3 bucket.
    5. Select Advanced.
    6. Select your SNS preferences.
      Set Send SNS notification for every log file delivery to Yes, and select the SNS topic that the stack created earlier (named PrismaCloudSNS in this example).
    7. Click Create.
    8. Confirm that the CloudTrail bucket is created.
    9. Create a bucket policy that allows the Prisma Cloud role to read from your CloudTrail bucket: grant s3:GetObject on the log objects and s3:ListBucket on the bucket to the Prisma Cloud Role ARN.
    10. Click Next.
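To see what the trail configured above actually hands to a forward scan, here is an added example (not Prisma Cloud code, and not a description of its ingestion internals) that reads the SNS delivery notification and filters the delivered log file down to S3 write events on the selected buckets. The records, bucket names and account ID are constructed placeholders; the SNS message shape (s3Bucket plus an s3ObjectKey list) and the gzipped Records file are CloudTrail's.

```python
"""Read the SNS "log file delivery" notification CloudTrail publishes and pull
the S3 write events out of the delivered log file.

Added example; this is not Prisma Cloud code and does not reproduce its
ingestion logic. It models the wiring set up above (trail -> log bucket -> SNS
topic) on constructed records; bucket names, keys and account ID are placeholders.
"""
import gzip
import json

# Constructed SNS message body in the shape CloudTrail uses for
# "Send SNS notification for every log file delivery".
SAMPLE_SNS_MESSAGE = json.dumps({
    "s3Bucket": "example-cloudtrail-logs",
    "s3ObjectKey": ["AWSLogs/123456789012/CloudTrail/us-east-1/2024/05/01/"
                    "123456789012_CloudTrail_us-east-1_20240501T1200Z_abc123.json.gz"],
})

# Constructed CloudTrail data-event records: an S3 write, an S3 read, a KMS call,
# a write to an unselected bucket and a delete. Real records carry more fields.
SAMPLE_RECORDS = {"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "readOnly": False,
     "eventTime": "2024-05-01T11:58:02Z",
     "requestParameters": {"bucketName": "example-data-bucket", "key": "exports/customers.csv"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "readOnly": True,
     "eventTime": "2024-05-01T11:58:10Z",
     "requestParameters": {"bucketName": "example-data-bucket", "key": "exports/customers.csv"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey", "readOnly": True,
     "eventTime": "2024-05-01T11:58:02Z", "requestParameters": {"keyId": "alias/s3"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "readOnly": False,
     "eventTime": "2024-05-01T11:59:00Z",
     "requestParameters": {"bucketName": "example-other-bucket", "key": "tmp/scratch"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteObject", "readOnly": False,
     "eventTime": "2024-05-01T11:59:30Z",
     "requestParameters": {"bucketName": "example-data-bucket", "key": "exports/old.csv"}},
]}
SAMPLE_LOG_FILE = gzip.compress(json.dumps(SAMPLE_RECORDS).encode())  # trails deliver .json.gz


def log_files_from_notification(message):
    """(bucket, key) of every log file the notification announces."""
    body = json.loads(message)
    return [(body["s3Bucket"], key) for key in body.get("s3ObjectKey", [])]


def objects_to_scan(log_file_bytes, watched_buckets):
    """(bucket, key, eventName) for each non-read S3 event on a watched bucket,
    i.e. the objects a forward scan has to (re)inspect or forget."""
    records = json.loads(gzip.decompress(log_file_bytes))["Records"]
    hits = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue  # KMS and other services never describe an object change
        if rec.get("readOnly", True):
            continue  # reads carry no new content; hence "Write-only" on the trail
        params = rec.get("requestParameters") or {}
        bucket, key = params.get("bucketName"), params.get("key")
        if bucket in watched_buckets and key:
            hits.append((bucket, key, rec["eventName"]))
    return hits


if __name__ == "__main__":
    for bucket, key in log_files_from_notification(SAMPLE_SNS_MESSAGE):
        print("log file delivered:", bucket, key)
    for hit in objects_to_scan(SAMPLE_LOG_FILE, {"example-data-bucket"}):
        print("scan candidate:", hit)
```

The two filters are the reason for the trail settings above: read events and KMS events are dropped unused, so logging them only adds CloudTrail cost, and the SNS notification is what turns a log file landing in the bucket into a trigger rather than something to poll for.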
  5. Set up Forward Scan to scan your cloud resources for data security issues.
    Make sure you have created the stack in your AWS account by following the steps above.
    1. From your AWS account, copy the External ID and Role ARN, and click Next.
    2. Choose Add New or Select existing for the CloudTrail, SNS Topic, and Bucket for Log Files. Prisma Cloud license credit consumption depends on the size of the files in the selected buckets and on whether you enable forward and backward scans.
      CloudTrail buckets and objects containing ELB access logs, S3 access logs, and VPC flow logs are not scanned.
    3. Click Next.
    4. Follow the steps to Configure Forward Scan:
      • Download Template locally. The template is a .zip file that contains a shell script, CFTs, and configuration files.
      • Log in to AWS CloudShell, upload the .zip file you downloaded, and run the following command, which creates a bucket, an SNS topic, and a trail:
        sh pcds_forward_scan_setup.sh -f config.txt
      • Wait for the CREATE_COMPLETE status.
      • Once the command has completed successfully in AWS, click Validate Setup on Prisma Cloud.
    5. Whether or not the setup validates, you can continue to onboard and configure data security for your AWS account. Click Next.
  6. (Optional) Follow this step only if the objects in your S3 buckets are encrypted with Customer Managed Keys (CMK).
    The step varies depending on whether the CMK is in the same AWS account as the one you are onboarding or in a different one. A KMS key ARN has the form arn:aws:kms:<region>:<accountID>:key/<key-id>; the account ID in it tells you which case applies.
    • When the CMK is in the same AWS account that you are onboarding, the Prisma Cloud role needs additional permissions to use the key. Add the following statement to the Prisma Cloud role's policy and list all the CMK ARNs in the Resource array (the ARN shown is a placeholder):
      {
        "Sid": "AllowPrismaCloudToAccessKeys",
        "Effect": "Allow",
        "Action": [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
        ],
        "Resource": ["arn:aws:kms:ap-south-1:123456789101:key/3269f3d0-1820-407f-b67e-73acdd9243f4"]
      }
    • When the CMK is in a different AWS account than the one you are onboarding, first add the following statement to the key policy of every CMK used for encryption, with the Principal AWS field set to the Prisma Cloud role ARN:
      {
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::726893731529:role/PrismaCloudReadOnlyRoleWithDLP-app13" },
        "Action": [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
        ],
        "Resource": "*"
      }
      Then add the same AllowPrismaCloudToAccessKeys statement shown for the same-account case to the Prisma Cloud role, listing the cross-account CMK ARNs in its Resource array. Both halves are needed for cross-account KMS use: the key policy must grant the external principal, and that principal's own identity policy must allow the action on the key.
    Reading an SSE-KMS object needs only kms:Decrypt on its key. The Encrypt, ReEncrypt* and GenerateDataKey* actions in these statements are the documented set but are not required for read-only scanning, so they can be dropped if your key policies must be minimal.
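As an added example (not Prisma Cloud code), the script below decides, for each CMK found on objects in a bucket, which of the two cases above applies and whether the Prisma Cloud role policy already covers the key. Account IDs, region, key IDs and the role name are placeholders modelled on the statements above; the key-policy side of a cross-account key lives in the other account, so it is reported as a to-do rather than evaluated.

```python
"""Decide, for each CMK that encrypts objects in a bucket, which of the two
cases above applies and whether the Prisma Cloud role policy already covers
the key.

Added example; this is not Prisma Cloud code. Account IDs, region, key IDs and
the role name are placeholders modelled on the statements above. Deny
statements and SCPs are not evaluated here.
"""
import fnmatch

PRISMA_ROLE_ARN = "arn:aws:iam::123456789101:role/PrismaCloudReadOnlyRoleWithDLP"  # placeholder

# Constructed: the role policy after AllowPrismaCloudToAccessKeys was added for one key only.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowPrismaCloudToAccessKeys",
    "Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:DescribeKey"],
    "Resource": ["arn:aws:kms:ap-south-1:123456789101:key/3269f3d0-1820-407f-b67e-73acdd9243f4"],
}]}

# Constructed: key ARNs seen on objects in the bucket (the object's SSE-KMS
# key ID metadata). All placeholders.
KEYS_IN_USE = [
    "arn:aws:kms:ap-south-1:123456789101:key/3269f3d0-1820-407f-b67e-73acdd9243f4",  # same account, covered
    "arn:aws:kms:ap-south-1:123456789101:key/8f1c2a9e-0000-4bbb-8ccc-1234567890ab",  # same account, not yet covered
    "arn:aws:kms:us-east-1:726893731529:key/5d2e7b31-0000-4ddd-9eee-abcdef123456",   # different account
]

NEEDED_ACTIONS = ("kms:decrypt",)  # what reading an SSE-KMS object requires; compared case-insensitively


def parse_arn(arn):
    partition, service, region, account, resource = arn.split(":", 5)[1:]
    return {"partition": partition, "service": service, "region": region,
            "account": account, "resource": resource}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows(pattern, name):
    # IAM action names are case-insensitive and may end in a * wildcard.
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def key_placement(key_arn, role_arn):
    """'same-account' if the CMK lives in the onboarded account, else 'cross-account'."""
    same = parse_arn(key_arn)["account"] == parse_arn(role_arn)["account"]
    return "same-account" if same else "cross-account"


def role_policy_covers(policy, key_arn):
    """True if some Allow statement grants every needed action on key_arn
    (exact ARN, '*' or a wildcard pattern)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not all(any(_allows(p, need) for p in actions) for need in NEEDED_ACTIONS):
            continue
        if any(r == "*" or fnmatch.fnmatchcase(key_arn, r) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False


def required_fixes(key_arns, role_arn, role_policy):
    """Map each key ARN to the fixes still needed before the role can read
    objects encrypted with it."""
    fixes = {}
    for key in key_arns:
        todo = []
        if not role_policy_covers(role_policy, key):
            todo.append("add the key ARN to the role's AllowPrismaCloudToAccessKeys Resource list")
        if key_placement(key, role_arn) == "cross-account":
            todo.append("grant the role in the key policy, in account " + parse_arn(key)["account"])
        fixes[key] = todo
    return fixes


if __name__ == "__main__":
    for key, todo in required_fixes(KEYS_IN_USE, PRISMA_ROLE_ARN, ROLE_POLICY).items():
        print(key, "->", key_placement(key, PRISMA_ROLE_ARN), todo or "ok")
```

Feed it the key ARNs collected from the bucket's object metadata and the role's current policy document; a same-account key with an empty to-do list is ready, while a cross-account key always needs the key-policy grant in the owning account in addition to the role-side statement.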
  7. Select whether you want to scan data Forward only or Forward and Backward.
    Forward scan is enabled by default: Prisma Cloud scans files that are added to or modified in the bucket after you enable scanning.
    • (Recommended) When you select Forward and Backward, the forward scan inspects new or modified files and the backward scan is retrospective: it inspects the files that already exist in the storage bucket, as a batch operation. The size and number of files of a supported type (see Supported File Types—Prisma Cloud Data Security) in the bucket determine how many Prisma Cloud credits Data Security consumes, and because a backward scan covers every existing file it can consume considerably more credits. If you hit the scan quota threshold, the Data Security scan is paused; with both forward and backward scan enabled, all files are inspected once you increase the scan quota and scanning resumes.
    • Custom lists all the buckets in your AWS account and lets you choose individual buckets and select a scan type for each one (recommended).
  8. Click Next and select one or more Account Groups.
    You must assign each cloud account to an account group and create an alert rule associated with that account group; otherwise no alerts are generated when a data policy is violated. See Generate Alerts for Data Policies.
  9. Click Next and review the Status.
    If any status shows an error, see Troubleshoot Data Security Errors to resolve it.
  10. Click Done and then Close, or choose to add another account.
