Edit an AWS Account Onboarded on Prisma Cloud to Enable Data Security

If you want to enable Data Security on an AWS account that you have previously onboarded on Prisma Cloud, use the following instructions to update the Prisma Cloud stack and include the additional permissions required for enabling Data Security.
  1. Select the AWS Account and enable Data Security.
    1. Select Settings > Cloud Accounts.
    2. Select an AWS account from the list of available accounts.
    3. Select Data Security and Next.
      If you have enabled Monitor & Protect mode, automatic remediation is not available for Data policies. You must manually address alerts generated against Data policies.
  2. Update your existing stack.
    1. Download the CFT, log in to the AWS Console, and complete steps 1 - 9 as displayed on screen to update your stack.
    2. Go to AWS Management Console > Stacks.
      • Select the PrismaCloudApp stack (if you have previously used the CFT to deploy the PrismaCloudApp stack) and Update.
      • If not, select the stack you created manually for Prisma Cloud.
    3. Select Update.
    4. Select Replace current template and Upload a template file. Then upload the CFT you downloaded in step 1 and click Next.
    5. Copy the Callback URL from Settings > Cloud Accounts > Configure Account.
    6. In the Specify stack details page on the AWS Management Console, paste the Callback URL in the SNSEndpoint field.
    7. Click Next to go through the next couple of screens until you reach the page that completes the Update stack process.
      Updating the stack with this CFT creates a PrismaCloudSNS topic, which is used to monitor CloudTrail data events.
    8. Copy the RoleARN from the Outputs tab for the stack.
    9. On Prisma Cloud, paste the Role ARN in Settings > Cloud Accounts > Configure Account to replace the existing Role ARN.
    10. Copy the SNS ARN from the Outputs tab for the stack.
    11. Paste the SNS Topic ARN in Settings > Cloud Accounts > Configure Account and click Next to continue.
  3. Allow Prisma Cloud to access your bucket.
    If you have configured a bucket policy that restricts access, make sure to complete the following tasks on the AWS Management Console:
    1. Copy the Prisma Cloud Role ARN that you added to enable Data Security on Prisma Cloud above.
    2. Edit your bucket policy to include the Prisma Cloud Role ARN.
      The following snippet is an example of the condition on a Deny statement. ArnNotEquals exempts the listed principals (the Prisma Cloud role and the account root) from the deny, so every other principal stays blocked; note the comma between the two array entries:
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::<accountID>:role/<PrismaCloudReadOnlyRoleName>",
            "arn:aws:iam::<accountID>:root"
          ]
        }
      }
      Without this exception, Prisma Cloud is denied access to S3 buckets with restrictive bucket policies (HTTP 403 error), because an explicit deny overrides any allow granted to the role.
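The following is an added example, not code from Prisma Cloud or this page: it takes a restrictive bucket policy of the deny-everyone-except-an-allowlist shape shown above, adds the Prisma Cloud role to the ArnNotEquals exception, and then evaluates the before and after policies the way S3 resolves an explicit deny. The account ID, bucket name and role name are placeholders, the starting policy is constructed here, and only the Deny/ArnNotEquals/aws:PrincipalArn pattern is widened; other condition keys are left alone because widening them needs a human decision.

```python
"""Add the Prisma Cloud role to the deny exception of a restrictive bucket
policy, then check the result with a simplified S3-style evaluation.

Added example, not Prisma Cloud's own code. The account ID, bucket and role
name are placeholders, and the starting policy is constructed here.
"""
import copy
import fnmatch

ACCOUNT = "123456789012"
PRISMA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/PrismaCloudReadOnlyRole"  # placeholder role name

# Constructed sample: explicit deny for everyone except the account root.
RESTRICTIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllButAllowlist",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::sensitive-bucket", "arn:aws:s3:::sensitive-bucket/*"],
        # A single string is valid policy JSON here as well as a list; both are handled below.
        "Condition": {"ArnNotEquals": {"aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT}:root"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(value, patterns):
    """IAM-style wildcard match ('*' and '?'); case-insensitive, which is exact
    for actions and a harmless simplification for the resource ARNs used here."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def add_role_to_deny_exceptions(policy, role_arn):
    """Return a copy of `policy` in which every Deny statement conditioned on
    ArnNotEquals/aws:PrincipalArn also exempts `role_arn`. Idempotent; the
    input policy is not modified."""
    new_policy = copy.deepcopy(policy)
    for stmt in _as_list(new_policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("ArnNotEquals", {})
        if "aws:PrincipalArn" not in cond:
            continue
        arns = _as_list(cond["aws:PrincipalArn"])
        if role_arn not in arns:
            arns.append(role_arn)
        cond["aws:PrincipalArn"] = arns
    return new_policy


def explicit_deny_applies(policy, principal_arn, action, resource):
    """True if some Deny statement matches the call and its ArnNotEquals
    exception does not name the caller. An explicit deny wins over any allow,
    which is why the role gets HTTP 403 until it is added to the exception.
    For a role session, aws:PrincipalArn carries the role ARN rather than the
    assumed-role session ARN, so comparing against the role ARN is correct."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if not _glob(action, stmt.get("Action", [])) or not _glob(resource, stmt.get("Resource", [])):
            continue
        exempt = _as_list(stmt.get("Condition", {}).get("ArnNotEquals", {}).get("aws:PrincipalArn", []))
        if principal_arn not in exempt:
            return True
    return False


if __name__ == "__main__":
    obj = "arn:aws:s3:::sensitive-bucket/customers.csv"
    patched = add_role_to_deny_exceptions(RESTRICTIVE_POLICY, PRISMA_ROLE_ARN)
    print("before:", "denied" if explicit_deny_applies(RESTRICTIVE_POLICY, PRISMA_ROLE_ARN, "s3:GetObject", obj) else "allowed")
    print("after: ", "denied" if explicit_deny_applies(patched, PRISMA_ROLE_ARN, "s3:GetObject", obj) else "allowed")
```

Run the patched policy through the IAM Policy Simulator or `aws s3api put-bucket-policy` with a dry review before applying it; the evaluator above ignores every condition key other than the one the page uses.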
  4. Set up AWS CloudTrail & SNS.
    1. Create a new CloudTrail trail or use an existing one.
      You can store AWS CloudTrail event logs within an S3 bucket in the same account that you are onboarding to Prisma Cloud for Data Security scanning. If you do not want to store AWS CloudTrail event logs within the S3 bucket in the same account, see Provide Prisma Cloud Role with Access to Common S3 Bucket.
      Prisma Cloud does not scan the contents of CloudTrail buckets.
    2. Select Write-only events to save cost.
      You can also exclude logs for AWS KMS actions: set Log AWS KMS events to No, because KMS generates a large number of events and Prisma Cloud Data Security does not use this event data.
    3. Select all S3 buckets in your account, or Add S3 bucket for only specific buckets. Select Write events only.
    4. Add your S3 bucket.
      Create a new S3 bucket or use an existing one.
    5. Select Advanced.
    6. Select your SNS preferences.
      Set Send SNS notification for every log file delivery to Yes, and select the SNS topic that was created when you updated the stack. It was named PrismaCloudSNS in this example.
    7. Click Create.
    8. Confirm that the CloudTrail bucket is created.
    9. Create a bucket policy to enable Prisma Cloud to read from your CloudTrail bucket.
    10. Click Next.
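Because the forward scan only learns about changed objects through the CloudTrail data events delivered via the PrismaCloudSNS topic, a trail that is misconfigured in any of the ways the steps above warn about silently leaves buckets unscanned. The following is an added example, not Prisma Cloud's own code: it checks a trail definition against that guidance, using the JSON shapes returned by `aws cloudtrail describe-trails` (one trail entry) and `aws cloudtrail get-event-selectors`, constructed inline here rather than fetched from an account. The account ID, bucket names and topic ARN are placeholders.

```python
"""Check a CloudTrail trail against the Data Security setup above.

Added example, not Prisma Cloud's own code. Inputs mirror the CLI output of
describe-trails and get-event-selectors but are constructed, not captured.
"""

PRISMA_SNS_TOPIC = "arn:aws:sns:us-east-1:123456789012:PrismaCloudSNS"  # placeholder, from the stack Outputs

# --- Constructed sample input shaped like the CLI output (not a real account) ---
TRAIL = {
    "Name": "prisma-data-security",
    "S3BucketName": "cloudtrail-logs-123456789012",
    "SnsTopicARN": PRISMA_SNS_TOPIC,
    "IsMultiRegionTrail": True,
}
EVENT_SELECTORS = {
    "EventSelectors": [{
        "ReadWriteType": "WriteOnly",
        "IncludeManagementEvents": True,
        "ExcludeManagementEventSources": ["kms.amazonaws.com"],
        "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::"]}],
    }]
}
SCAN_BUCKETS = ["customer-exports", "hr-documents"]  # buckets chosen for scanning in step 5


def bucket_covered(bucket, selector_values):
    """True if the S3 data-event selector values log object writes for the whole
    bucket: 'arn:aws:s3:::' means every bucket in the account, 'arn:aws:s3:::name/'
    means one bucket. A longer prefix covers only part of the bucket and is not counted."""
    return any(v == "arn:aws:s3:::" or v == f"arn:aws:s3:::{bucket}/" for v in selector_values)


def check_trail(trail, selectors, scan_buckets, topic_arn=PRISMA_SNS_TOPIC):
    """Return a list of findings; an empty list means the trail matches the guidance."""
    findings = []
    if trail.get("SnsTopicARN") != topic_arn:
        findings.append(f"trail does not notify {topic_arn}: Prisma Cloud will not hear about new log files")

    s3_selectors, s3_values = [], []
    for sel in selectors.get("EventSelectors", []):
        vals = [v for dr in sel.get("DataResources", [])
                if dr.get("Type") == "AWS::S3::Object" for v in dr.get("Values", [])]
        if vals:
            s3_selectors.append(sel)
            s3_values.extend(vals)
    if not s3_selectors:
        findings.append("no S3 data-event selector: object writes are not logged, so forward scan sees nothing")

    for sel in s3_selectors:
        if sel.get("ReadWriteType") != "WriteOnly":
            findings.append(f"ReadWriteType is {sel.get('ReadWriteType')!r}: WriteOnly is enough to detect changes and costs less")
        if "kms.amazonaws.com" not in sel.get("ExcludeManagementEventSources", []):
            findings.append("KMS management events are logged: exclude them, Data Security does not use them")

    for bucket in scan_buckets:
        if bucket == trail.get("S3BucketName"):
            findings.append(f"{bucket} is the trail's own log bucket: Data Security skips CloudTrail buckets")
        elif not bucket_covered(bucket, s3_values):
            findings.append(f"{bucket} is selected for scanning but not in the data-event selector: changes there are never noticed")
    return findings


if __name__ == "__main__":
    for line in check_trail(TRAIL, EVENT_SELECTORS, SCAN_BUCKETS) or ["trail matches the guidance"]:
        print(line)
```

Feed it the real output of `aws cloudtrail describe-trails --trail-name-list <name>` and `aws cloudtrail get-event-selectors --trail-name <name>` after loading them with `json.load`; the findings map one-to-one onto the sub-steps above.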
  5. Select the S3 buckets in which you want to scan data.
    You can choose to scan All or Custom storage buckets. The consumption of Prisma Cloud license credits depends on the file size in the selected buckets and whether you enable forward and backward scans.
    CloudTrail buckets are skipped because they contain AWS CloudTrail generated logs instead of your data. Objects containing ELB access logs, VPC flow logs and S3 access logs are also automatically skipped.
    1. Select whether you want to scan data Forward only or Forward and Backward.
      Forward scan is enabled by default. Prisma Cloud scans all files that are modified or new files added to the bucket after you enable scanning.
      • (Recommended) When you select Forward and Backward scan, the forward scan inspects any new or modified files, and the backward scan is retrospective: it inspects the files that already exist in the storage bucket. The size and number of files with Supported File Extensions (see Prisma Cloud Data Security) in your storage bucket determine how many Prisma Cloud credits Data Security uses. If you hit the scan quota threshold and the Data Security scan is paused, and you have enabled both forward and backward scan, all files are inspected when you increase the scan quota and scanning resumes. For backward scan, all existing files in the bucket are scanned in a batch operation; depending on the number of files in your bucket, backward scan can consume more credits.
      • Custom lists all buckets in your AWS account and lets you choose individual buckets to scan, with a scan type for each bucket (recommended).
  6. (Required, if you use the AWS Key Management Service with Customer Managed Keys (CMK)) Verify that the Prisma Cloud IAM role has access to the CMK to scan the files in the bucket.
    By default, when the Prisma Cloud IAM role belongs to the same AWS account as the key, the Security Audit role that is created when you use the onboarding template for your AWS account on Prisma Cloud has the permissions required to access the CMK and encrypt and decrypt files stored in the S3 bucket. Refer to the AWS documentation.
    If the key belongs to a different AWS account than the one where the Prisma Cloud IAM role exists, you must update the following on the AWS Management Console:
    1. Update the key policy statement that enables IAM policies to allow access to the CMK.
    2. Update the Prisma Cloud IAM role to provide the additional permissions to access the key. You must add the ARN of each CMK to the Resource array in the policy statement (the arn:aws:your-key-details value below is a placeholder). For example:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "AllowPrismaCloudToAccessKeys",
            "Effect": "Allow",
            "Action": [
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:ReEncrypt*",
              "kms:GenerateDataKey*",
              "kms:DescribeKey"
            ],
            "Resource": ["arn:aws:your-key-details"]
          }
        ]
      }
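KMS applies a two-policy rule: the key policy must admit the caller, either by name or through the caller's account root, and whenever the caller is in another account (or the key policy admits only the account root) the caller's own IAM policy must also allow the action on that key ARN. The following is an added example, not Prisma Cloud's own code, that builds the two policy pieces from steps 1 and 2 above and then decides whether the Prisma Cloud role can use a given CMK, so you can see why a key ARN missing from the Resource array still yields a denial. Account IDs, the key ID and the role name are placeholders; the default key policy is constructed here in its standard shape, and statement conditions are not evaluated.

```python
"""Build and check the key policy / IAM policy pair needed for the Prisma Cloud
role to use a customer managed key.

Added example, not Prisma Cloud's own code. Account IDs, key ID and role name
are placeholders; conditions on statements are ignored.
"""
import fnmatch

PRISMA_ACCOUNT = "111111111111"
KEY_ACCOUNT = "222222222222"
PRISMA_ROLE_ARN = f"arn:aws:iam::{PRISMA_ACCOUNT}:role/PrismaCloudReadOnlyRole"  # placeholder
KEY_ARN = f"arn:aws:kms:us-east-1:{KEY_ACCOUNT}:key/11111111-2222-3333-4444-555555555555"
KMS_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]

# Constructed: the default key policy AWS creates, which delegates to IAM policies
# in the key's own account only.
DEFAULT_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{KEY_ACCOUNT}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(value, patterns):
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def cross_account_key_statement(external_account):
    """Key policy statement for step 1: lets IAM policies in `external_account`
    delegate use of this key to principals there."""
    return {"Sid": "AllowExternalAccountUseOfKey", "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{external_account}:root"},
            "Action": KMS_ACTIONS, "Resource": "*"}


def role_key_policy(key_arns):
    """IAM policy for the Prisma Cloud role for step 2: one ARN per CMK in Resource."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowPrismaCloudToAccessKeys", "Effect": "Allow",
        "Action": KMS_ACTIONS, "Resource": list(key_arns)}]}


def _principals(stmt):
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else _as_list(p.get("AWS", []))


def key_policy_allows(key_policy, principal_arn, action):
    for stmt in _as_list(key_policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _glob(action, stmt.get("Action", [])):
            if "*" in _principals(stmt) or principal_arn in _principals(stmt):
                return True
    return False


def iam_policy_allows(iam_policy, key_arn, action):
    for stmt in _as_list(iam_policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _glob(action, stmt.get("Action", [])):
            if _glob(key_arn, stmt.get("Resource", [])):
                return True
    return False


def kms_access_allowed(role_arn, role_account, key_arn, key_account, key_policy, iam_policy, action="kms:Decrypt"):
    """Same account: the key policy may name the role directly, or admit the
    account root and rely on the role's IAM policy. Cross-account: the key policy
    must admit the role or its account root AND the role's IAM policy must allow
    the action on this key ARN."""
    direct = key_policy_allows(key_policy, role_arn, action)
    via_root = key_policy_allows(key_policy, f"arn:aws:iam::{role_account}:root", action)
    iam_ok = iam_policy_allows(iam_policy, key_arn, action)
    if role_account == key_account:
        return direct or (via_root and iam_ok)
    return (direct or via_root) and iam_ok


if __name__ == "__main__":
    key_policy = {"Version": "2012-10-17",
                  "Statement": DEFAULT_KEY_POLICY["Statement"] + [cross_account_key_statement(PRISMA_ACCOUNT)]}
    print("cross-account decrypt allowed:",
          kms_access_allowed(PRISMA_ROLE_ARN, PRISMA_ACCOUNT, KEY_ARN, KEY_ACCOUNT, key_policy, role_key_policy([KEY_ARN])))
```

The real decision also honours conditions, grants and deny statements; use `aws kms get-key-policy --policy-name default` for the live key policy and treat this check as a quick pre-flight, not a substitute for testing a `kms:Decrypt` call as the role.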
  7. Click Next and select Account Groups.
  8. Click Next and review the Status of the cloud account.
    After you have enabled Data Security for the AWS account, to enable scanning of additional buckets or to modify the scan settings, see Define Data Security Scan Settings.
