Edit an AWS Account Onboarded on Prisma Cloud to Enable Data Security

If you want to enable Data Security on an AWS account that you have previously onboarded on Prisma Cloud, use the following instructions to update the Prisma Cloud stack and include the additional permissions required for enabling Data Security.
  1. Select the AWS Account and enable
    Data Security
    .
    1. Select
      Settings
      Cloud Accounts
      .
    2. Select an AWS account from the list of available accounts.
    3. Configure
      Data Security.
    4. Select the
      Data Security
      checkbox.
      If you have enabled
      Monitor & Protect
      mode, automatic remediation is not available for Data policies. You must manually address alerts generated against Data policies.
  2. Update your existing stack.
    1. Download the CFT, login to the AWS Console and complete steps 1 - 8 as displayed on screen to update your stack.
    2. Go to
      AWS Management Console
      Stacks
      .
      • Select PrismaCloudApp Stack (if you have previously used the CFT to deploy PrismaCloudApp Stack) and
        Update
        .
      • If not, select the stack you created manually for Prisma Cloud.
    3. Update
      .
    4. Replace current template
      and
      Upload a template file
      . Then upload the CFT you downloaded earlier from step a) and click
      Next
      .
    5. Copy the
      Callback URL
      from
      Settings
      Cloud Accounts
      Configure Account
    6. In the Specify stack details page on the AWS Management Console, paste the
      Callback URL
      in the
      SNSEndpoint
      field.
    7. Click
      Next
      to go through the next couple of screens until you get to this page to complete
      Update stack
      process.
      The update CFT process creates a PrismaCloudSNS Topic and will be used to monitor CloudTrail data events
    8. Copy
      RoleARN
      from the Outputs tab for the stack.
    9. On Prisma Cloud, paste Role ARN in the
      Settings
      Cloud Accounts
      Configure Account
      , to replace the existing Role ARN.
    10. Copy SNS ARN from the Outputs tab for the stack.
    11. Paste the
      SNS Topic: ARN
      in the
      Settings
      Cloud Accounts
      Configure Account
      and click
      Next
      to continue.
  3. Allow Prisma Cloud to access your bucket.
    If you have configured bucket policy to restrict access, make sure to complete the following tasks on the AWS Management Console:
    1. Copy the Prisma Cloud Role ARN that you added to enable Data Security on Prisma Cloud above.
    2. Edit your bucket policy to include the Prisma Cloud Role ARN.
      The following snippet is an example: Consider a bucket policy that denies access to
      monitored-bucket
      when requesting
      s3:GetObject
      API.
      { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::monitored-bucket", "arn:aws:s3:::monitored-bucket/*" ] } ] }
      In order for PrismaCloud to get access to the objects in
      monitored-bucket
      , attach a negation condition to the bucket policy to allow
      PrismaCloudReadOnlyRoleWithDLP
      to access the bucket.
      { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::monitored-bucket", "arn:aws:s3:::monitored-bucket/*" ], "Condition": { "ArnNotEquals": { "aws:PrincipalArn": [ "arn:aws:iam::<accountID>:role/<PrismaCloudReadOnlyRoleWithDLP>" ] } } } ] }
      Without these permissions, Prisma Cloud is denied access to S3 buckets with restricted bucket policies (HTTP 403 error).
  4. Set up
    Forward Scan
    to scan your cloud resources for data security issues.
    Make sure you have created a stack in your AWS account by following the steps listed above.
    1. From your AWS account, copy and paste
      Role ARN
      and click
      Next
      .
    2. Configure Data Security
      to scan all your resources or you can choose to customize what you want to scan.
      • When you select Scan All, Prisma Cloud will Forward scan and Backward scan all eligible objects. The forward scan inspects any new or modified files, and the backward scan is retrospective, which means that it inspects files that exist in the storage bucket. The Supported File Sizes and Types—Prisma Cloud Data Security of files that you want to scan within your storage bucket will determine how many Prisma Cloud credits are used for Data Security.
      • When you select Custom Scan, Prisma Cloud will Forward scan and/or Backward scan eligible objects in selected resources.+
    3. You can choose to
      Add New
      or
      Select existing
      CloudTrail, SNS Topic, or Buckets for Log Files. The consumption of Prisma Cloud license credits depends on the file size in the selected objects and whether you enable forward and backward scans.
      CloudTrail buckets are not scanned. You can choose buckets with objects containing ELB access logs, S3 access logs, and VPC flow logs for scanning.
    4. Follow the steps to
      Configure Forward Scan
      :
      • Download Template
        locally. The template is a .zip file that contains shell script, CFTs, and configuration files.
      • Login to your Amazon CloudShell account, upload the .zip file you downloaded in the above step, and run the following command that will create a Bucket, SNS Topic, and CloudTrail:
        sh pcds_forward_scan_setup.sh -f config.txt
      • Wait for the CREATE_COMPLETE status.
      • Once the above command runs successfully in AWS, click
        Validate Setup
        on Prisma Cloud.
    5. Irrespective of whether the script gets validated or not you can continue to onboard and configure data security for your AWS account. If validation fails, see Troubleshoot Data Security Errors and set up AWS CloudTrail & SNS manually to resolve it.
    6. Click
      Next
      .
  5. (
    Optional
    ) Follow this step only if the objects inside your S3 buckets are encrypted with Customer Managed Keys (CMK).
    The step varies depending on whether the CMK is located within the same AWS account or a different one:
    • When the CMK is in the same AWS account that you’re onboarding, the Prisma Cloud role needs additional permissions to access the key. Add the following statement to the Prisma Cloud role and update the resources array with all the CMK ARNs:
      { "Sid": "AllowPrismaCloudToAccessKeys", "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": ["arn:aws:kms:ap-south-123456789101:key/3269f3d0-1820-407f-b67e-73acdd9243f4"]}
    • When the CMK is in a different AWS account than the one that you’re onboarding, you need to first add the following policy statement to all the CMKs that are used for encryption and update the
      Principal AWS
      field with the Prisma Cloud ARN:
      { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::726893731529:role/PrismaCloudReadOnlyRoleWithDLP" }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*" }
      The PrismaCloudReadOnlyRoleWithDLP role refers to the Prisma Cloud Data Security role. This role needs additional permissions to access the key. Add the following statement to the Prisma Cloud role and update the resources array with all the CMK ARNs:
      { "Sid": "AllowPrismaCloudToAccessKeys", "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": ["arn:aws:kms:ap-south-123456789101:key/3269f3d0-1820-407f-b67e-73acdd9243f4"] }
  6. Click
    Next
    and assign
    Account Groups
    .
  7. Click
    Next
    and review the
    Status
    of the cloud account.
    After you have enabled Data Security for the AWS account, to enable scanning of additional buckets or to modify the scan settings, see Define Data Security Scan Settings.

Recommended For You