Edit an AWS Account Onboarded on Prisma Cloud to Enable Data Security
If you want to enable Data Security on an AWS account that you have previously onboarded on Prisma Cloud, use the following instructions to update the Prisma Cloud stack and include the additional permissions required for enabling Data Security.
- Select the AWS Account and enable Data Security.
- Select Settings > Cloud Accounts.
- Select an AWS account from the list of available accounts.
- Select Data Security and Next. If you have enabled Monitor & Protect mode, automatic remediation is not available for Data policies; you must manually address alerts generated against Data policies.
- Update your existing stack.
- Download the CFT, log in to the AWS Console, and complete steps 1 to 9 as displayed on screen to update your stack.
- Go to AWS Management Console > Stacks.
- Select the PrismaCloudApp stack (if you previously used the CFT to deploy the PrismaCloudApp stack) and Update.
- If not, select the stack you created manually for Prisma Cloud.
- Select Update.
- Select Replace current template and Upload a template file. Then upload the CFT you downloaded earlier (step a) and click Next.
- Copy the Callback URL from Settings > Cloud Accounts > Configure Account.
- In the Specify stack details page on the AWS Management Console, paste the Callback URL in the SNSEndpoint field.
- Click Next to go through the next couple of screens until you complete the Update stack process. The update CFT process creates a PrismaCloudSNS topic that is used to monitor CloudTrail data events.
- Copy the Role ARN from the Outputs tab for the stack.
- On Prisma Cloud, paste the Role ARN in Settings > Cloud Accounts > Configure Account to replace the existing Role ARN.
- Copy the SNS ARN from the Outputs tab for the stack.
- Paste the SNS Topic ARN in Settings > Cloud Accounts > Configure Account and click Next to continue.
- Allow Prisma Cloud to access your bucket. If you have configured a bucket policy that restricts access, complete the following tasks on the AWS Management Console:
- Copy the Prisma Cloud Role ARN that you added to enable Data Security on Prisma Cloud above.
- Edit your bucket policy to include the Prisma Cloud Role ARN in the exception list of the restricting Deny statement. The following snippet is an example (the two ARNs must be separated by a comma):

      "ArnNotEquals": {
        "aws:PrincipalArn": [
          "arn:aws:iam::<accountID>:role/<PrismaCloudReadOnlyRoleName>",
          "arn:aws:iam::<accountID>:root"
        ]
      }

  Without this exception, Prisma Cloud is denied access to S3 buckets with restricted bucket policies (HTTP 403 error).
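To check a restrictive bucket policy for exactly this mistake before the scan fails with a 403, the following added example (not part of the Prisma Cloud documentation or product) inspects every Deny statement that uses the ArnNotEquals / aws:PrincipalArn pattern from the snippet above and reports or repairs those that omit the Prisma Cloud role. The role ARN, account id and bucket name are constructed placeholders.

```python
import json
from typing import Dict, List, Optional

# Constructed placeholders, not real identifiers.
ROLE_ARN = "arn:aws:iam::111122223333:role/PrismaCloudReadOnlyRole"

# Constructed sample: a restrictive bucket policy that denies all S3 access except
# to the principals under ArnNotEquals. The Prisma Cloud role is not listed, so
# its requests would be rejected with HTTP 403 (the failure the page describes).
SAMPLE_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyAllExceptAllowlist",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"ArnNotEquals": {"aws:PrincipalArn": ["arn:aws:iam::111122223333:root"]}}
  }]
}
""")

def _exception_list(stmt: Dict) -> Optional[List[str]]:
    """aws:PrincipalArn values under ArnNotEquals as a list; None if the pattern is absent."""
    value = stmt.get("Condition", {}).get("ArnNotEquals", {}).get("aws:PrincipalArn")
    if value is None:
        return None
    return [value] if isinstance(value, str) else list(value)

def blocking_statements(policy: Dict, role_arn: str) -> List[str]:
    """Sids of Deny statements that use the ArnNotEquals/aws:PrincipalArn pattern
    but leave role_arn out of the exception list, i.e. would deny that role."""
    sids = []
    for stmt in policy.get("Statement", []):
        exc = _exception_list(stmt)
        if stmt.get("Effect") == "Deny" and exc is not None and role_arn not in exc:
            sids.append(stmt.get("Sid", "<no Sid>"))
    return sids

def add_role_exception(policy: Dict, role_arn: str) -> Dict:
    """Return a deep copy of policy with role_arn appended to the exception list
    of every blocking Deny statement; the input document is left unchanged."""
    fixed = json.loads(json.dumps(policy))
    for stmt in fixed.get("Statement", []):
        exc = _exception_list(stmt)
        if stmt.get("Effect") == "Deny" and exc is not None and role_arn not in exc:
            stmt["Condition"]["ArnNotEquals"]["aws:PrincipalArn"] = exc + [role_arn]
    return fixed
```

Deny statements that do not use this pattern (for example a deny on non-TLS requests) are deliberately left alone, since adding a principal exception to them would change their meaning.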
- Set up AWS CloudTrail & SNS.
- Create a new CloudTrail or use an existing one. You can store AWS CloudTrail event logs within the S3 bucket in the same account that you are onboarding to Prisma Cloud for Data Security scanning. If you do not want to store AWS CloudTrail event logs within the S3 bucket in the same account, see Provide Prisma Cloud Role with Access to Common S3 Bucket. Prisma Cloud will not ingest CloudTrail buckets.
- Select Write-only events to save cost. You can also exclude logs for AWS KMS actions: set Log AWS KMS events to No, because it generates a large number of events and Prisma Cloud Data Security does not use this event data.
- Select all S3 buckets in your account, or Add S3 bucket for only specific buckets. Select Write events only.
- Add your S3 bucket. Create a new S3 bucket or use an existing one.
- Select Advanced.
- Select your SNS preferences. Set Send SNS notification for every log file delivery to Yes, and select the SNS topic you created earlier when you created the stack (named PrismaCloudSNS in this example).
- Click Create.
- Confirm that the CloudTrail bucket is created.
- Create a bucket policy to enable Prisma Cloud to read from your CloudTrail bucket.
- Click Next.
- Set up Forward Scan to scan your cloud resources for data security issues. Make sure you have created a stack in your AWS account by following the steps listed above.
- From your AWS account, copy the External ID and Role ARN and click Next.
- You can choose to Add New or Select existing CloudTrail, SNS Topic, or Buckets for Log Files. The consumption of Prisma Cloud license credits depends on the file size in the selected objects and whether you enable forward and backward scans. CloudTrail buckets and objects containing ELB access logs, S3 access logs, and VPC flow logs are not scanned.
- Click Next.
- Follow the steps to Configure Forward Scan:
- Download Template locally. The template is a .zip file that contains a shell script, CFTs, and configuration files.
- Log in to your Amazon CloudShell account, upload the .zip file you downloaded in the previous step, and run the following command, which creates a bucket, SNS topic, and CloudTrail: sh pcds_forward_scan_setup.sh -f config.txt
- Wait for the CREATE_COMPLETE status.
- Once the above command runs successfully in AWS, click Validate Setup on Prisma Cloud.
- Irrespective of whether the script is validated or not, you can continue to onboard and configure Data Security for your AWS account. Click Next.
- (Required if you use the AWS Key Management Service with Customer Managed Keys (CMK)) Verify that the Prisma Cloud IAM role has access to the CMK to scan the files in the bucket. By default, when the Prisma Cloud IAM role belongs to the same AWS account as the key, the Security Audit role that is created when you use the TF template to onboard your AWS account on Prisma Cloud has the permissions required to access the CMK and encrypt and decrypt files stored in the S3 bucket. Refer to the AWS documentation. If the key belongs to a different AWS account than the one where the Prisma Cloud IAM role exists, you must update the following on the AWS Management Console:
- Update the key policy statement that enables IAM policies to allow access to the CMK.
- Update the Prisma Cloud IAM role to provide the additional permissions to access the key. You must add the ARN of each CMK to the Resource array in the policy statement. For example:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "AllowPrismaCloudToAccessKeys",
            "Effect": "Allow",
            "Action": [
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:ReEncrypt*",
              "kms:GenerateDataKey*",
              "kms:DescribeKey"
            ],
            "Resource": ["arn:aws:your-key-details"]
          }
        ]
      }

- Click Next and select Account Groups.
- Click Next and review the Status of the cloud account. After you have enabled Data Security for the AWS account, to enable scanning of additional buckets or to modify the scan settings, see Define Data Security Scan Settings.
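A cross-account CMK that is missing from the Resource array is a quiet failure: the scan simply cannot decrypt the objects. The following added example (not part of the Prisma Cloud documentation or product) checks a role's identity policy against the action set in the statement above for every CMK the buckets use, honouring the kms:ReEncrypt* and kms:GenerateDataKey* wildcards the way IAM matches them. The key ARNs and account id are constructed placeholders, and the concrete action list is a representative expansion of those wildcards.

```python
import fnmatch
from typing import Dict, List, Tuple

# Concrete KMS actions behind the page's required set: kms:ReEncrypt* and
# kms:GenerateDataKey* expanded to a representative subset of real action names.
REQUIRED_KMS_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
]

# Constructed placeholder key ARNs (not real keys).
KEY_IN_POLICY = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000001"
KEY_NOT_IN_POLICY = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000002"

# Constructed sample: the page's policy statement with a single CMK in the Resource array.
SAMPLE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPrismaCloudToAccessKeys",
        "Effect": "Allow",
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": [KEY_IN_POLICY],
    }],
}

def _as_list(value) -> List[str]:
    """IAM allows a bare string or a list for Action and Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def _grants(stmt: Dict, action: str, key_arn: str) -> bool:
    """True if an Allow statement matches both the action (IAM action names are
    case-insensitive) and the key ARN (case-sensitive), honouring * wildcards."""
    if stmt.get("Effect") != "Allow":
        return False
    action_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt.get("Action")))
    resource_ok = any(fnmatch.fnmatchcase(key_arn, p) for p in _as_list(stmt.get("Resource")))
    return action_ok and resource_ok

def missing_kms_grants(policy: Dict, key_arns: List[str]) -> List[Tuple[str, str]]:
    """(action, key_arn) pairs that no statement in the role's identity policy grants.
    Deny statements and the key policy on the CMK's own account are out of scope here."""
    statements = policy.get("Statement", [])
    return [(action, key) for key in key_arns for action in REQUIRED_KMS_ACTIONS
            if not any(_grants(s, action, key) for s in statements)]
```

An empty result only shows that the identity policy side is complete; the key policy in the key's account (the previous step) still has to delegate to IAM policies.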