Edit an AWS Account Onboarded on Prisma Cloud to Enable Data Security
If you want to enable Data Security on an AWS account that you have previously onboarded on Prisma Cloud, use the following instructions to update the Prisma Cloud stack and include the additional permissions required for enabling Data Security.
- Select the AWS account and enable Data Security.
    - Select Settings > Cloud Accounts.
    - Select an AWS account from the list of available accounts.
    - Configure Data Security.
    - Select the Data Security checkbox. If you have enabled Monitor & Protect mode, automatic remediation is not available for Data policies; you must manually address alerts generated against Data policies.
- Update your existing stack.
    - Download the CFT, log in to the AWS Console, and complete steps 1 - 8 as displayed on screen to update your stack.
    - Go to AWS Management Console > Stacks.
    - Select PrismaCloudApp Stack (if you have previously used the CFT to deploy PrismaCloudApp Stack) and Update.
    - If not, select the stack you created manually for Prisma Cloud.
    - Update.
    - Select Replace current template and Upload a template file. Then upload the CFT you downloaded earlier from step a) and click Next.
    - Copy the Callback URL from Settings > Cloud Accounts > Configure Account.
    - On the Specify stack details page in the AWS Management Console, paste the Callback URL in the SNSEndpoint field.
    - Click Next to go through the next couple of screens until you reach the page that completes the Update stack process. The update CFT process creates a PrismaCloudSNS Topic, which is used to monitor CloudTrail data events.
    - Copy RoleARN from the Outputs tab for the stack.
    - On Prisma Cloud, paste the Role ARN in Settings > Cloud Accounts > Configure Account to replace the existing Role ARN.
    - Copy SNS ARN from the Outputs tab for the stack.
    - Paste the SNS Topic ARN in Settings > Cloud Accounts > Configure Account and click Next to continue.
- Allow Prisma Cloud to access your bucket. If you have configured a bucket policy to restrict access, complete the following tasks on the AWS Management Console:
    - Copy the Prisma Cloud Role ARN that you added to enable Data Security on Prisma Cloud above.
    - Edit your bucket policy to include the Prisma Cloud Role ARN. The following snippet is an example. Consider a bucket policy that denies access to monitored-bucket when requesting the s3:GetObject API:

      ```json
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
              "arn:aws:s3:::monitored-bucket",
              "arn:aws:s3:::monitored-bucket/*"
            ]
          }
        ]
      }
      ```

      In order for Prisma Cloud to get access to the objects in monitored-bucket, attach a negation condition to the bucket policy so that PrismaCloudReadOnlyRoleWithDLP is exempt from the Deny:

      ```json
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
              "arn:aws:s3:::monitored-bucket",
              "arn:aws:s3:::monitored-bucket/*"
            ],
            "Condition": {
              "ArnNotEquals": {
                "aws:PrincipalArn": [
                  "arn:aws:iam::<accountID>:role/<PrismaCloudReadOnlyRoleWithDLP>"
                ]
              }
            }
          }
        ]
      }
      ```

      Without these permissions, Prisma Cloud is denied access to S3 buckets with restricted bucket policies (HTTP 403 error).
- Set up Forward Scan to scan your cloud resources for data security issues. Make sure you have created a stack in your AWS account by following the steps listed above.
    - From your AWS account, copy and paste the Role ARN and click Next.
    - Configure Data Security to scan all your resources, or choose to customize what you want to scan.
        - When you select Scan All, Prisma Cloud will Forward scan and Backward scan all eligible objects. The forward scan inspects any new or modified files; the backward scan is retrospective, which means that it inspects files that already exist in the storage bucket. The file sizes and types of the objects you want to scan within your storage bucket (see Supported File Sizes and Types - Prisma Cloud Data Security) determine how many Prisma Cloud credits are used for Data Security.
        - When you select Custom Scan, Prisma Cloud will Forward scan and/or Backward scan eligible objects in the selected resources.
        - You can choose to Add New or Select existing CloudTrail, SNS Topic, or Buckets for Log Files. The consumption of Prisma Cloud license credits depends on the file size of the selected objects and on whether you enable forward and backward scans. CloudTrail buckets are not scanned. You can choose buckets with objects containing ELB access logs, S3 access logs, and VPC flow logs for scanning.
    - Follow the steps to Configure Forward Scan:
        - Download Template locally. The template is a .zip file that contains a shell script, CFTs, and configuration files.
        - Log in to your Amazon CloudShell account, upload the .zip file you downloaded in the previous step, and run the following command, which creates a Bucket, SNS Topic, and CloudTrail:

          ```
          sh pcds_forward_scan_setup.sh -f config.txt
          ```

          Wait for the CREATE_COMPLETE status. Once the command runs successfully in AWS, click Validate Setup on Prisma Cloud.

          Irrespective of whether the script gets validated or not, you can continue to onboard and configure data security for your AWS account. If validation fails, see Troubleshoot Data Security Errors and set up AWS CloudTrail & SNS manually to resolve it. Click Next.
    - (Optional) Follow this step only if the objects inside your S3 buckets are encrypted with Customer Managed Keys (CMK). The step varies depending on whether the CMK is located in the same AWS account or in a different one:
        - When the CMK is in the same AWS account that you're onboarding, the Prisma Cloud role needs additional permissions to access the key. Add the following statement to the Prisma Cloud role and update the Resource array with all the CMK ARNs:

          ```json
          {
            "Sid": "AllowPrismaCloudToAccessKeys",
            "Effect": "Allow",
            "Action": [
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:ReEncrypt*",
              "kms:GenerateDataKey*",
              "kms:DescribeKey"
            ],
            "Resource": ["arn:aws:kms:ap-south-1:123456789101:key/3269f3d0-1820-407f-b67e-73acdd9243f4"]
          }
          ```
        - When the CMK is in a different AWS account than the one you're onboarding, first add the following policy statement to all the CMKs that are used for encryption and update the Principal AWS field with the Prisma Cloud ARN:

          ```json
          {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
              "AWS": "arn:aws:iam::726893731529:role/PrismaCloudReadOnlyRoleWithDLP"
            },
            "Action": [
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:ReEncrypt*",
              "kms:GenerateDataKey*",
              "kms:DescribeKey"
            ],
            "Resource": "*"
          }
          ```

          The PrismaCloudReadOnlyRoleWithDLP role refers to the Prisma Cloud Data Security role. This role also needs additional permissions to access the key. Add the following statement to the Prisma Cloud role and update the Resource array with all the CMK ARNs:

          ```json
          {
            "Sid": "AllowPrismaCloudToAccessKeys",
            "Effect": "Allow",
            "Action": [
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:ReEncrypt*",
              "kms:GenerateDataKey*",
              "kms:DescribeKey"
            ],
            "Resource": ["arn:aws:kms:ap-south-1:123456789101:key/3269f3d0-1820-407f-b67e-73acdd9243f4"]
          }
          ```
    - Click Next and assign Account Groups.
    - Click Next and review the Status of the cloud account. After you have enabled Data Security for the AWS account, to enable scanning of additional buckets or to modify the scan settings, see Define Data Security Scan Settings.
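The bucket-policy carve-out and the CMK permissions above are the two places where an onboarding silently ends in HTTP 403 errors if a statement is missing. The following script is an added example, not code from the Prisma Cloud documentation or product: it evaluates, offline, whether a bucket policy still denies the Data Security role s3:GetObject, whether the role's own policy grants the listed kms actions for every CMK ARN, and whether a cross-account key policy grants them to the role. The policies are plain dicts (for instance parsed from `aws s3api get-bucket-policy` or `aws kms get-key-policy` output); the account ID, role ARN, key ARNs and sample policies are constructed placeholders, and the concrete kms API names are the ones the page's `kms:ReEncrypt*` and `kms:GenerateDataKey*` wildcards have to cover.

```python
"""Offline checks for the bucket-policy carve-out and CMK grants described on this page.
Added example (not Prisma Cloud's code). Policies are supplied as parsed JSON dicts;
all ARNs, account IDs and key IDs below are constructed placeholders."""
import fnmatch

# Constructed placeholders (123456789012 is the AWS documentation example account).
ROLE_ARN = "arn:aws:iam::123456789012:role/PrismaCloudReadOnlyRoleWithDLP"
KEY_A = "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111"
KEY_B = "arn:aws:kms:us-east-1:123456789012:key/22222222-2222-2222-2222-222222222222"

# Concrete API names that the page's kms:ReEncrypt* / kms:GenerateDataKey* wildcards must cover.
REQUIRED_KMS_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
]
PAGE_KMS_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]

# Constructed sample policies mirroring the page's snippets, with the placeholder role ARN filled in.
DENY_STMT = {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
             "Resource": ["arn:aws:s3:::monitored-bucket", "arn:aws:s3:::monitored-bucket/*"]}
BUCKET_POLICY_BEFORE = {"Version": "2012-10-17", "Statement": [DENY_STMT]}
BUCKET_POLICY_AFTER = {"Version": "2012-10-17", "Statement": [
    dict(DENY_STMT, Condition={"ArnNotEquals": {"aws:PrincipalArn": [ROLE_ARN]}})]}
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowPrismaCloudToAccessKeys", "Effect": "Allow", "Action": PAGE_KMS_ACTIONS, "Resource": [KEY_A]}]}
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": PAGE_KMS_ACTIONS, "Resource": "*"}]}


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_hit(stmt, action):
    # Action names are case-insensitive and may carry '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt.get("Action")))


def _resource_hit(stmt, resource):
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource")))


def _principal_applies(stmt, role_arn):
    """True if the statement's Principal names everyone or this role (NotPrincipal is not handled)."""
    principal = stmt.get("Principal", "*")
    if isinstance(principal, dict):
        return any(p in ("*", role_arn) for p in _as_list(principal.get("AWS")))
    return principal in ("*", role_arn)


def _principal_carved_out(stmt, role_arn):
    """True when an ArnNotEquals/ArnNotLike condition on aws:PrincipalArn exempts role_arn."""
    cond = stmt.get("Condition", {})
    for op in ("ArnNotEquals", "ArnNotLike"):
        patterns = _as_list(cond.get(op, {}).get("aws:PrincipalArn"))
        if patterns and any(fnmatch.fnmatchcase(role_arn, p) for p in patterns):
            return True
    return False


def bucket_denies_role(bucket_policy, role_arn, bucket, action="s3:GetObject"):
    """Labels of Deny statements that would still block role_arn from `action` on objects
    in `bucket`; an empty list means the carve-out from the page is in place."""
    object_arn = f"arn:aws:s3:::{bucket}/any-object"
    blocking = []
    for i, stmt in enumerate(_as_list(bucket_policy.get("Statement"))):
        if stmt.get("Effect") != "Deny":
            continue
        if not (_action_hit(stmt, action) and _resource_hit(stmt, object_arn)):
            continue
        if not _principal_applies(stmt, role_arn) or _principal_carved_out(stmt, role_arn):
            continue
        blocking.append(stmt.get("Sid", f"statement[{i}]"))
    return blocking


def missing_kms_grants(role_policy, key_arns):
    """Same-account CMK case: per key ARN, the required kms actions no Allow statement covers."""
    statements = _as_list(role_policy.get("Statement"))
    gaps = {}
    for key_arn in key_arns:
        missing = [a for a in REQUIRED_KMS_ACTIONS
                   if not any(s.get("Effect") == "Allow" and _action_hit(s, a) and _resource_hit(s, key_arn)
                              for s in statements)]
        if missing:
            gaps[key_arn] = missing
    return gaps


def key_policy_missing(key_policy, role_arn, key_arn):
    """Cross-account CMK case: required kms actions the key policy does not grant to role_arn."""
    statements = [s for s in _as_list(key_policy.get("Statement"))
                  if s.get("Effect") == "Allow" and _principal_applies(s, role_arn)]
    return [a for a in REQUIRED_KMS_ACTIONS
            if not any(_action_hit(s, a) and _resource_hit(s, key_arn) for s in statements)]


if __name__ == "__main__":
    print("before carve-out, blocked by:", bucket_denies_role(BUCKET_POLICY_BEFORE, ROLE_ARN, "monitored-bucket"))
    print("after carve-out, blocked by: ", bucket_denies_role(BUCKET_POLICY_AFTER, ROLE_ARN, "monitored-bucket"))
    print("role policy gaps:", missing_kms_grants(ROLE_POLICY, [KEY_A, KEY_B]))
    print("key policy gaps: ", key_policy_missing(KEY_POLICY, ROLE_ARN, KEY_A))
```

The checker deliberately mirrors only the conditions the page relies on (a Deny with `Principal: "*"` exempted by `ArnNotEquals` on `aws:PrincipalArn`); it does not implement the full IAM evaluation logic, so treat a clean result as a pre-flight check before clicking Validate Setup, not as proof of access. Run it against real output by loading the `Policy` string from `get-bucket-policy` or `get-key-policy` with `json.loads` and passing the resulting dict. Constructed sample policies are embedded so the script runs offline.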