Edit an AWS Account Onboarded on Prisma Cloud to Enable Data Security

Select the AWS Account and enable

Data Security

.

Select
Settings
Cloud Accounts
.
Select an AWS account from the list of available accounts.
Configure
Data Security.
Select the
Data Security
checkbox.

If you have enabled
Monitor & Protect
mode, automatic remediation is not available for Data policies. You must manually address alerts generated against Data policies.

Update your existing stack.

Download the CFT, login to the AWS Console and complete steps 1 - 8 as displayed on screen to update your stack.

Go to
AWS Management Console
Stacks
.
Select PrismaCloudApp Stack (if you have previously used the CFT to deploy PrismaCloudApp Stack) and

Update

.

If not, select the stack you created manually for Prisma Cloud.


Update
.

Replace current template
and
Upload a template file
. Then upload the CFT you downloaded earlier from step a) and click
Next
.

Copy the
Callback URL
from
Settings
Cloud Accounts
Configure Account
In the Specify stack details page on the AWS Management Console, paste the
Callback URL
in the
SNSEndpoint
field.

Click
Next
to go through the next couple of screens until you get to this page to complete
Update stack
process.
The update CFT process creates a PrismaCloudSNS Topic and will be used to monitor CloudTrail data events

Copy
RoleARN
from the Outputs tab for the stack.

On Prisma Cloud, paste Role ARN in the
Settings
Cloud Accounts
Configure Account
, to replace the existing Role ARN.
Copy SNS ARN from the Outputs tab for the stack.

Paste the
SNS Topic: ARN
in the
Settings
Cloud Accounts
Configure Account
and click
Next
to continue.

Allow Prisma Cloud to access your bucket.

If you have configured bucket policy to restrict access, make sure to complete the following tasks on the AWS Management Console:

Copy the Prisma Cloud Role ARN that you added to enable Data Security on Prisma Cloud above.
Edit your bucket policy to include the Prisma Cloud Role ARN.
The following snippet is an example: Consider a bucket policy that denies access to
monitored-bucket
when requesting
s3:GetObject
API.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::monitored-bucket",
        "arn:aws:s3:::monitored-bucket/*"
      ]
    }
  ]
}
In order for PrismaCloud to get access to the objects in
monitored-bucket
, attach a negation condition to the bucket policy to allow
PrismaCloudReadOnlyRoleWithDLP
to access the bucket.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::monitored-bucket",
        "arn:aws:s3:::monitored-bucket/*"
      ],
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": [
		          	"arn:aws:iam::<accountID>:role/<PrismaCloudReadOnlyRoleWithDLP>"
          ]
        }
      }
    }
  ]
}
Without these permissions, Prisma Cloud is denied access to S3 buckets with restricted bucket policies (HTTP 403 error).

Set up

Forward Scan

to scan your cloud resources for data security issues.

Make sure you have created a stack in your AWS account by following the steps listed above.

From your AWS account, copy and paste
Role ARN
and click
Next
.

Configure Data Security
to scan all your resources or you can choose to customize what you want to scan.
When you select Scan All, Prisma Cloud will Forward scan and Backward scan all eligible objects. The forward scan inspects any new or modified files, and the backward scan is retrospective, which means that it inspects files that exist in the storage bucket. The Supported File Sizes and Types—Prisma Cloud Data Security of files that you want to scan within your storage bucket will determine how many Prisma Cloud credits are used for Data Security.

When you select Custom Scan, Prisma Cloud will Forward scan and/or Backward scan eligible objects in selected resources.+


You can choose to
Add New
or
Select existing
CloudTrail, SNS Topic, or Buckets for Log Files. The consumption of Prisma Cloud license credits depends on the file size in the selected objects and whether you enable forward and backward scans.
CloudTrail buckets are not scanned. You can choose buckets with objects containing ELB access logs, S3 access logs, and VPC flow logs for scanning.

Follow the steps to
Configure Forward Scan
:
Download Template

locally. The template is a .zip file that contains shell script, CFTs, and configuration files.

Login to your Amazon CloudShell account, upload the .zip file you downloaded in the above step, and run the following command that will create a Bucket, SNS Topic, and CloudTrail:

sh pcds_forward_scan_setup.sh -f config.txt

Wait for the CREATE_COMPLETE status.



Once the above command runs successfully in AWS, click

Validate Setup

on Prisma Cloud.


Irrespective of whether the script gets validated or not you can continue to onboard and configure data security for your AWS account. If validation fails, see Troubleshoot Data Security Errors and set up AWS CloudTrail & SNS manually to resolve it.
Click
Next
.

(

Optional

) Follow this step only if the objects inside your S3 buckets are encrypted with Customer Managed Keys (CMK).

The step varies depending on whether the CMK is located within the same AWS account or a different one:

When the CMK is in the same AWS account that you’re onboarding, the Prisma Cloud role needs additional permissions to access the key. Add the following statement to the Prisma Cloud role and update the resources array with all the CMK ARNs:

{
            "Sid": "AllowPrismaCloudToAccessKeys",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": ["arn:aws:kms:ap-south-123456789101:key/3269f3d0-1820-407f-b67e-73acdd9243f4"]}

When the CMK is in a different AWS account than the one that you’re onboarding, you need to first add the following policy statement to all the CMKs that are used for encryption and update the

Principal AWS

field with the Prisma Cloud ARN:

{
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::726893731529:role/PrismaCloudReadOnlyRoleWithDLP"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
}

The PrismaCloudReadOnlyRoleWithDLP role refers to the Prisma Cloud Data Security role. This role needs additional permissions to access the key. Add the following statement to the Prisma Cloud role and update the resources array with all the CMK ARNs:

{
            "Sid": "AllowPrismaCloudToAccessKeys",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": ["arn:aws:kms:ap-south-123456789101:key/3269f3d0-1820-407f-b67e-73acdd9243f4"]
}

Click

Next

and assign

Account Groups

.

Click

Next

and review the

Status

of the cloud account.

After you have enabled Data Security for the AWS account, to enable scanning of additional buckets or to modify the scan settings, see Define Data Security Scan Settings.