Configure Data Security for AWS Organization Account
Onboard AWS organization account and enable data security.
After onboarding an AWS organization account, you can configure data security and start scanning your S3 buckets. Prisma Cloud creates two separate sets of AWS resources based on whether your onboarded account is an individual account or an organization account. You can onboard all the Organization Units (OUs) and Member Accounts under root or pick and choose the OUs and Member Accounts under root for selective onboarding. You must onboard the AWS organization first and you can then configure Prisma Cloud Data Security.
- After you successfully onboard your AWS organization account, go toand selectSettingsCloud AccountsAccount OverviewConfigureto configure data security for your AWS organization account.If you have already onboarded an AWS member account as an individual account and enabled Data Security for it, you must disable data security for that member account to ensure that it is included as a part of the AWS Organization.
- Create a stack in your AWS master organization account.
- SelectCreate Stack.In the Prisma Cloud console, theAWS Management External IDandSNS Endpoint URLvalues are pre-populated and you cannot edit those fields.
- Log in to your AWS account in a separate tab. Copy and paste theAWS Management External IDandSNS Endpoint URLvalues from your Prisma Cloud console in the corresponding AWS Management Console fields.The CloudFormation template defaults to N. Virginia. You must change it to the region where your AWS Account is before you create the stack.
- SelectI acknowledge that AWS CloudFormation might create IAM resources with custom namesandCreate stack.Wait for the CREATE_COMPLETE status.
- Copy thePrismaCloudARNandPrismaCloudSNSARNvalues from theOutputstab in the AWS Management Console.
- PastePrismaCloudARNandPrismaCloudSNSARNin the Prisma Cloud Configure Data Security screen.
- Configure the AWS Member Account.
- Download theCloudFormationmember template.Complete the onscreen instructions to create the StackSet.
- StackSet deployment will deploy the stack to all member accounts associated with the master account. On the AWS management console, selectfor the member account.ServicesCloudFormationStackSetsCreate StackSet
- Upload the template file and clickNext.
- Enter a StackSet name. Under Parameters, enter the value for the memberExternalId.Create anExternalIdby using a combination of letters, numbers, and/or hyphens. For example,Test-number-123,05dd1aca-244a-447c-ab1e-aac935fd3348, and12345-test-abcare all valid memberExternalIds. ThePrismaCloudRoleNameis auto-populated but you have the option to modify it as long as it containsOrgwithin the string.
- UnderExecution configuration, selectActiveorInactive, and clickNext.For faster deployment, it is recommended you selectActive.
- UnderAdd stacks to stack set, selectDeploy new stacksoption.
- UnderAccounts, choose your preferred accounts or organizational units in which you want to enable Data Security.
- In Specify regions, select one region.Make sure that the region you select is enabled on all accounts within your AWS Organization. If you select a region that is disabled, the template cannot deploy resources within the region and will fail with errors.
- In Deployment Options:
- UnderMaximum concurrent accounts, selectPercentageand set it to100.
- UnderFailure tolerance, selectPercentageand set it to100.
- Keep the default option ofSequentialunderRegion Concurrency.
- ClickNext, and review the configuration.
- SelectI acknowledge that AWS CloudFormation might create IAM resources with custom namesandSubmit.The StackSet creation is initiated. Wait for the SUCCEEDED status.When the process completes, stacks will be created for all the member accounts associated with this master account and are listed underStack instanceson the AWS management console.
- UnderParameters, copy the values forExternalIDandPrismaCloudRoleName.
- Setup organization CloudTrail in the master AWS account. Prisma Cloud Data Security requires CloudTrail events to ingest new bucket and object changes (Writeevents). You can use new or existing CloudTrail.
- CreateorEditorganization CloudTrail in the master AWS account.
- Enter aTrail name.
- Select theEnable for all accounts in my organizationcheckbox.
- SelectCreate new S3 bucketorUse existing S3 bucketlocation. The S3 bucket should be in the same AWS account.
- Under additional settings, enableSNS notification deliveryand selectPrismaCloudSNS. The SNS was created as part of Prisma Cloud Data Security CloudFormation Template.(Optional) If you selectExistingand a topic that is associated with the CloudTrail already exists, create a new SNS subscription in the existing topic. Make sure to use the https endpoint (callback URL) mentioned on theCloud Accountspage of Prisma Cloud in the subscription.Irrespective of what you select (new or existing), make sure the callback URL in Prisma Cloud matches the SNS subscription endpoint in AWS.
- ClickNextand underChoose log events, select theManagement eventsandData eventscheckboxes.
- UnderManagement events, select theWritecheckbox.
- UnderData events, selectS3asData event sourceand select theWritecheckbox forAll current and future S3 buckets.
- Saveand review your changes.
- Configure the AWS Member Account on Prisma Cloud.
- Paste theExternalIDandPrismaCloudRoleNamein to Prisma Cloud.
- SelectI confirm that the CFT StackSet has successfully created the Prisma Cloud member role in each member account.and clickNext.
- SelectConfigure Scanoption andSave.
- You will see a success status message on successful data security configuration of your AWS organization account. ClickDoneto see Data Security enabled on the AWS Cloud Account Overview page.After you successfully enable the data security module for your AWS organization, the S3 buckets from the member accounts are displayed. Prisma Cloud does not ingest buckets from the master account.If theData Security unsuccessfully configurederror displays, see Troubleshoot Data Security Errors to resolve the issues.
- You can verify the configuration on thepage.SettingsDataScan Settings
Recommended For You
Recommended videos not found.