Edit an AWS Account Onboarded on Prisma Cloud to Enable Data Security

If you want to enable Data Security on an AWS account that you have previously onboarded on Prisma Cloud, use the following instructions to update the Prisma Cloud stack and include the additional permissions required for enabling Data Security.
  1. Select the AWS Account and enable Data Security.
    1. Select
      Cloud Accounts
    2. Select an AWS account from the list of available accounts.
    3. Select
      Data Security
      If you have enabled Monitor & Protect mode, automatic remediation is not available for Data policies. You must manually address alerts generated against Data policies.
  2. Update your existing stack.
    1. Download the CFT, login to the AWS Console and complete steps 1 - 9 as displayed on screen to update your stack.
    2. Go to
      AWS Management Console
      • Select PrismaCloudApp Stack (if you have previously used the CFT to deploy PrismaCloudApp Stack) and
      • If not, select the stack you created manually for Prisma Cloud.
    3. Update
    4. Replace current template
      Upload a template file
      . Then upload the CFT you downloaded earlier from step a) and click
    5. Copy the
      Callback URL
      Cloud Accounts
      Configure Account
    6. In the Specify stack details page on the AWS Management Console, paste the
      Callback URL
      in the
    7. Click
      to go through the next couple of screens until you get to this page to complete
      Update stack
      The update CFT process creates a PrismaCloudSNS Topic and will be used to monitor CloudTrail data events
    8. Copy
      from the Outputs tab for the stack.
    9. On Prisma Cloud, paste Role ARN in the
      Cloud Accounts
      Configure Account
      , to replace the existing Role ARN.
    10. Copy SNS ARN from the Outputs tab for the stack.
    11. Paste the
      SNS Topic: ARN
      in the
      Cloud Accounts
      Configure Account
      and click
      to continue.
  3. Allow Prisma Cloud to access your bucket.
    If you have configured bucket policy to restrict access, make sure to complete the following tasks on the AWS Management Console:
    1. Copy the Prisma Cloud Role ARN that you added to enable Data Security on Prisma Cloud above.
    2. Edit your bucket policy to include the Prisma Cloud Role ARN.
      The following snippet is an example:
      "ArnNotEquals": { "aws:PrincipalArn": [ "arn:aws:iam::<accountID>:role/<PrismaCloudReadOnlyRoleName>" "arn:aws:iam::<accountID>:root" ] }
      Without these permissions, Prisma Cloud is denied access to S3 buckets with restricted bucket policies (HTTP 403 error).
  4. Setup AWS CloudTrail & SNS.
    1. Create new CloudTrail or use an existing CloudTrail.
      You can store AWS CloudTrail event logs within the S3 bucket in the same account that you are onboarding to Prisma Cloud for Data Security scanning. If you do not want to store AWS CloudTrail event logs within the S3 bucket in the same account, see Provide Prisma Cloud Role with Access to Common S3 Bucket.
      Prisma Cloud will not ingest CloudTrail buckets.
    2. Select
      events to save cost.
      You can also exclude logs for AWS KMS actions, set Log AWS KMS events as
      because it generates a large number of events and Prisma Cloud Data Security does not use this event data.
    3. Select all S3 buckets in your account
      Add S3 bucket
      for only specific buckets.
      events only.
    4. Add your S3 bucket.
      Create New or Use an existing S3 bucket.
    5. Select
    6. Select your SNS preferences.
      Send SNS notification for every log file delivery - Yes
      , and select the SNS topic you created earlier when you created the stack. It was named PrismaCloudSNS in this example.
    7. Click
    8. Confirm that the CloudTrail bucket is created.
    9. Create bucket policy to enable Prisma Cloud to read from your CloudTrail bucket.
    10. Click
  5. Set up
    Forward Scan
    to scan your cloud resources for data security issues.
    Make sure you have created a stack in your AWS account by following the steps listed above.
    1. From your AWS account copy the
      External ID
      Role ARN
      and click
    2. You can choose to
      Add New
      Select existing
      CloudTrail, SNS Topic, or Buckets for Log Files. The consumption of Prisma Cloud license credits depends on the file size in the selected objects and whether you enable forward and backward scans.
      CloudTrail buckets and objects containing ELB access logs, S3 access logs, and VPC flow logs are not scanned.
    3. Click
    4. Follow the steps to
      Configure Forward Scan
      • Download Template
        locally. The template is a .zip file that contains shell script, CFTs, and configuration files.
      • Login to your Amazon CloudShell account, upload the .zip file you downloaded in the above step, and run the following command that will create a Bucket, SNS Topic, and CloudTrail:
        sh pcds_forward_scan_setup.sh -f config.txt
      • Wait for the CREATE_COMPLETE status.
      • Once the above command runs successfully in AWS, click
        Validate Setup
        on Prisma Cloud.
    5. Irrespective of whether the script gets validated or not you can continue to onboard and configure data security for your AWS account. Click
  6. (
    Required, if you use the AWS Key Management Service with Customer Managed Keys (CMK)
    ) Verify that Prisma Cloud IAM role has access to the CMK to scan the files in the bucket.
    By default, when the Prisma Cloud IAM role belongs to the same AWS account as the key, the Security Audit role that is created when use the TF template to onboard your AWS account on Prisma Cloud, has the permissions required to access the CMK and encrypt and decrypt files stored on the S3 bucket. Refer to the AWS documentation.
    If the key belongs to a different AWS account than where Prisma Cloud IAM role exists, you must update the following on the AWS management console:
    1. Update the key policy statement that enables IAM policies to allow access to the CMK.
    2. Update the Prisma Cloud IAM role to provide the additional permissions to access the key. You must add ARN for each CMK within the resource array in the policy statement. For example:
      { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowPrismaCloudToAccessKeys", "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": ["arn:aws:your-key-details"] } ] }
  7. Click
    and select
    Account Groups
  8. Click
    and review the
    of the cloud account.
    After you have enabled Data Security for the AWS account, to enable scanning of additional buckets or to modify the scan settings, see Define Data Security Scan Settings.

Recommended For You