Configure Data Security for AWS Organization Account

Onboard AWS organization account and enable data security.
After onboarding an AWS organization account, you can configure data security and start scanning your S3 buckets. Prisma Cloud creates two separate sets of AWS resources, depending on whether the onboarded account is an individual account or an organization account. You can onboard all the Organizational Units (OUs) and member accounts under root, or select specific OUs and member accounts under root for selective onboarding. You must onboard the AWS organization first; you can then configure Prisma Cloud Data Security.
  1. After you successfully onboard your AWS organization account, go to Settings > Cloud Accounts > Account Overview and select Configure to configure data security for your AWS organization account.
    If you have already onboarded an AWS member account as an individual account and enabled Data Security for it, you must disable data security for that member account to ensure that it is included as a part of the AWS Organization.
  2. Create a stack in your AWS master organization account.
    1. Select Create Stack.
      In the Prisma Cloud console, the AWS Management External ID and SNS Endpoint URL values are pre-populated and you cannot edit those fields.
    2. Log in to your AWS account in a separate tab. Copy and paste the AWS Management External ID and SNS Endpoint URL values from your Prisma Cloud console into the corresponding AWS Management Console fields.
      The CloudFormation template defaults to N. Virginia. You must change it to the region where your AWS account is before you create the stack.
    3. Select I acknowledge that AWS CloudFormation might create IAM resources with custom names and Create stack.
      Wait for the CREATE_COMPLETE status.
    4. Copy the PrismaCloudARN and PrismaCloudSNSARN values from the Outputs tab in the AWS Management Console.
    5. Paste PrismaCloudARN and PrismaCloudSNSARN in the Prisma Cloud Configure Data Security screen.
    6. Click Next.
  3. Configure the AWS Member Account.
    1. Download the CloudFormation member template.
      Complete the onscreen instructions to create the StackSet.
    2. StackSet deployment deploys the stack to all member accounts associated with the master account. On the AWS Management Console, select Services > CloudFormation > StackSets > Create StackSet for the member account.
    3. Upload the template file and click Next.
    4. Enter a StackSet name. Under Parameters, enter the value for the member ExternalId.
      Create an ExternalId by using a combination of letters, numbers, and/or hyphens. For example, Test-number-123, 05dd1aca-244a-447c-ab1e-aac935fd3348, and 12345-test-abc are all valid member ExternalIds. The PrismaCloudRoleName is auto-populated, but you can modify it as long as the string contains Org.
    5. Under Execution configuration, select Active or Inactive, and click Next.
      For faster deployment, it is recommended that you select Active.
    6. Under Add stacks to stack set, select the Deploy new stacks option.
    7. Under Accounts, choose the accounts or organizational units in which you want to enable Data Security.
    8. In Specify regions, select one region.
      Make sure that the region you select is enabled on all accounts within your AWS Organization. If you select a region that is disabled in any account, the template cannot deploy resources in that region and the deployment fails with errors.
    9. In Deployment Options:
      • Under Maximum concurrent accounts, select Percentage and set it to 100.
      • Under Failure tolerance, select Percentage and set it to 100.
      • Keep the default option of Sequential under Region Concurrency.
    10. Click Next, and review the configuration.
    11. Select I acknowledge that AWS CloudFormation might create IAM resources with custom names and Submit.
      The StackSet creation is initiated. Wait for the SUCCEEDED status.
      When the process completes, stacks are created for all the member accounts associated with this master account and are listed under Stack instances on the AWS Management Console.
    12. Under Parameters, copy the values for ExternalId and PrismaCloudRoleName.
  4. Set up an organization CloudTrail in the master AWS account. Prisma Cloud Data Security requires CloudTrail events to ingest new bucket and object changes (Write events). You can use a new or an existing CloudTrail.
    1. Create or Edit an organization CloudTrail in the master AWS account.
    2. Enter a Trail name.
    3. Select the Enable for all accounts in my organization checkbox.
    4. Select Create new S3 bucket or Use existing S3 bucket as the storage location. The S3 bucket should be in the same AWS account.
    5. Under additional settings, enable SNS notification delivery and select PrismaCloudSNS. This SNS topic was created as part of the Prisma Cloud Data Security CloudFormation template.
      (Optional) If you select Existing and a topic that is associated with the CloudTrail already exists, create a new SNS subscription in the existing topic. Make sure to use the https endpoint (callback URL) shown on the Cloud Accounts page of Prisma Cloud in the subscription.
      Irrespective of what you select (new or existing), make sure the callback URL in Prisma Cloud matches the SNS subscription endpoint in AWS.
    6. Click Next and, under Choose log events, select the Management events and Data events checkboxes.
    7. Under Management events, select the Write checkbox.
    8. Under Data events, select S3 as the Data event source and select the Write checkbox for All current and future S3 buckets.
    9. Save and review your changes.
  5. Configure the AWS Member Account on Prisma Cloud.
    1. Paste the ExternalId and PrismaCloudRoleName into Prisma Cloud.
    2. Select the I confirm that the CFT StackSet has successfully created the Prisma Cloud member role in each member account checkbox and click Next.
  6. Select the Configure Scan option and Save.
  7. A success status message is displayed when data security is configured for your AWS organization account. Click Done to see Data Security enabled on the AWS Cloud Account Overview page.
    After you successfully enable the Data Security module for your AWS organization, the S3 buckets from the member accounts are displayed. Prisma Cloud does not ingest buckets from the master account.
    If the Data Security unsuccessfully configured error displays, see Troubleshoot Data Security Errors to resolve the issues.
  8. You can verify the configuration on the Settings > Data > Scan Settings page.
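The parameter rules from step 3 (member ExternalId, PrismaCloudRoleName) and the organization CloudTrail requirements from step 4, expressed as checks you can run against the trail and event-selector data the CloudTrail API returns before clicking Configure Scan. This is an added example, not Prisma Cloud's code or part of the original page; the trail and event-selector dictionaries are constructed samples shaped like boto3 `describe_trails` and `get_event_selectors` responses, and the helper names are assumptions.

```python
import re

# Constructed sample inputs shaped like boto3 CloudTrail `describe_trails`
# and `get_event_selectors` responses (sample values, not from the page).
SAMPLE_TRAIL = {
    "Name": "org-trail",
    "IsOrganizationTrail": True,
    "S3BucketName": "example-cloudtrail-bucket",
    "SnsTopicARN": "arn:aws:sns:us-east-1:111111111111:PrismaCloudSNS",
}
SAMPLE_EVENT_SELECTORS = [{
    "ReadWriteType": "WriteOnly",
    "IncludeManagementEvents": True,
    # "arn:aws:s3" with no bucket suffix covers all current and future buckets
    "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}],
}]

EXTERNAL_ID_RE = re.compile(r"^[A-Za-z0-9-]+$")


def check_member_external_id(value: str) -> bool:
    """Member ExternalId: letters, numbers and/or hyphens only (step 3.4)."""
    return bool(EXTERNAL_ID_RE.match(value))


def check_role_name(name: str) -> bool:
    """PrismaCloudRoleName may be edited but must keep 'Org' in the string."""
    return "Org" in name


def check_org_trail(trail: dict, selectors: list) -> list:
    """Return findings against the step 4 requirements; empty means compliant."""
    problems = []
    if not trail.get("IsOrganizationTrail"):
        problems.append("trail is not enabled for all accounts in the organization")
    if not trail.get("S3BucketName"):
        problems.append("no S3 bucket configured for log delivery")
    if not trail.get("SnsTopicARN"):
        problems.append("SNS notification delivery is not enabled")
    # Only selectors that log Write (or All) events satisfy Prisma Cloud's need
    writes = [s for s in selectors if s.get("ReadWriteType") in ("WriteOnly", "All")]
    if not any(s.get("IncludeManagementEvents") for s in writes):
        problems.append("management Write events are not logged")
    all_s3 = any(
        r.get("Type") == "AWS::S3::Object" and "arn:aws:s3" in r.get("Values", [])
        for s in writes for r in s.get("DataResources", [])
    )
    if not all_s3:
        problems.append("S3 data Write events for all current and future buckets are not logged")
    return problems
```

Feed `check_org_trail` the real responses for your trail to get the list of settings that still differ from step 4.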