Add a New AWS Account and Enable Data Security

Begin here if you want to add your AWS cloud account on Prisma Cloud and start scanning the files stored in your S3 buckets.
  1. Add a new AWS account.
    1. Select
      Cloud Accounts
      New Cloud Account
    2. Select
      and add a
      Cloud Account Name
    3. Select the
      Decide whether to enable permissions to only monitor (read-only access) or to monitor and protect (read-write access) the resources in your cloud account. Your selection determines which AWS Cloud Formation Template (CFT) is used to automate the process of creating the custom role required for Prisma Cloud.
      There are some additional steps if you want to scan cloud resources, other than S3 buckets, on this AWS account. To review the requirements start at Add an AWS Cloud Account on Prisma Cloud, otherwise continue to the next step in this workflow.
    4. Select
      Data Security
      Prisma Cloud Data Security supports Monitor mode only. Data policies on Prisma Cloud do not support automatic remediation; therefore, if you enable Data Security on an AWS account with Monitor & Protect mode you must manually fix issues to address alerts generated from Data policies.
    5. Select
  2. Create a stack in your AWS account.
    1. Select
      Create Stack
      Log in to your AWS account in a separate tab. The CloudFormation template defaults to N. Virginia. You must change it to the region where your AWS Account is before you create the stack.
    2. Select
      I acknowledge that AWS CloudFormation might create IAM resources with custom names
      Create stack
      Wait for the CREATE_COMPLETE status.
    3. Copy Role: ARN & SNS Topic: ARN from the Outputs tab in the AWS Management Console.
    4. Paste
      Role: ARN
      SNS Topic: ARN
      in the Cloud Onboarding Setup screen.
  3. Allow Prisma Cloud to access your bucket.
    If you have configured bucket policy to restrict access, make sure to complete the following tasks on the AWS Management Console:
    1. Copy the Prisma Cloud Role ARN that you added to enable Data Security on Prisma Cloud above.
    2. Edit your bucket policy to include the Prisma Cloud Role ARN.
      The following snippet is an example:
      "ArnNotEquals": { "aws:PrincipalArn": [ "arn:aws:iam::<accountID>:role/<PrismaCloudReadOnlyRoleName>" "arn:aws:iam::<accountID>:root" ] }
      Without these permissions, Prisma Cloud is denied access to S3 buckets with restricted bucket policies (HTTP 403 error).
  4. Setup AWS CloudTrail & SNS.
    1. Create new CloudTrail or use an existing CloudTrail.
      You can store AWS CloudTrail event logs within the S3 bucket in the same account that you are onboarding to Prisma Cloud for Data Security scanning. If you do not want to store AWS CloudTrail event logs within the S3 bucket in the same account, see Provide Prisma Cloud Role with Access to Common S3 Bucket.
      Prisma Cloud will not ingest CloudTrail buckets.
    2. Select
      events to save cost.
      You can also exclude logs for AWS KMS actions, set Log AWS KMS events as
      because it generates a large number of events and Prisma Cloud Data Security does not use this event data.
    3. Select all S3 buckets in your account
      Add S3 bucket
      for only specific buckets.
      events only.
    4. Add your S3 bucket.
      Create New or Use an existing S3 bucket.
    5. Select
    6. Select your SNS preferences.
      Send SNS notification for every log file delivery - Yes
      , and select the SNS topic you created earlier when you created the stack. It was named PrismaCloudSNS in this example.
    7. Click
    8. Confirm that the CloudTrail bucket is created.
    9. Create bucket policy to enable Prisma Cloud to read from your CloudTrail bucket.
    10. Click
  5. Select the S3 buckets in which you want to scan data.
    You can choose to scan
    storage buckets. The consumption of Prisma Cloud license credits depends on the file size in the selected buckets and whether you enable forward and backward scans.
    CloudTrail buckets are skipped because they contain AWS CloudTrail generated logs instead of your data. Objects containing ELB access logs, VPC flow logs and S3 access logs are also automatically skipped.
    1. Select whether you want to scan data
      only or
      Forward and Backward
      Forward scan is enabled by default. Prisma Cloud scans all files that are modified or new files added to the bucket after you enable scanning.
      • (
        ) When you select Forward and Backward scan, the forward scan inspects any new or modified files, and the backward scan is retrospective, which means that it inspects files that exist in the storage bucket. The size and number of Supported File Extensions—Prisma Cloud Data Security that you want to scan within your storage bucket will determine how many Prisma Cloud credits are used for Data Security. However, in the event that you trigger the scan quota threshold and the Prisma Cloud Data Security scan is paused, if you have enabled both forward and backward scan all files will be inspected when you increase the scan quota and scanning resumes. For backward scan, all existing files in the bucket are scanned in a batch operation. Depending on the number of files in your bucket, backward scan can consume more credits.
      • Custom buckets will list all buckets in your AWS account.
        Custom option lets you choose individual buckets to scan based on scan type (recommended)
      • Choose buckets and select a scan type for each bucket.
  6. Click
    and select one or more
    Account Groups
    You must assign each cloud account to an account group and create an alert rule to associate with that account group, in order to generate alerts when a policy violation occurs. See Generate Alerts for Data Policies.
  7. Click
    and review the status.
    If the error
    Subscription for SNS Topic not found
    displays, see Troubleshoot Data Security Errors.

Recommended For You