Configure Data Security for AWS Organization Account

Onboard AWS organization account and enable data security.
After onboarding an AWS organization account, you can configure data security and start scanning your S3 buckets. Prisma Cloud creates two separate sets of AWS resources based on whether your onboarded account is an individual account or an organization account. You can onboard all the Organization Units (OUs) and Member Accounts under root or pick and choose the OUs and Member Accounts under root for selective onboarding.
  1. After you successfully onboard your AWS organization account, go to Settings > Cloud Accounts > Account Overview and select Configure to configure data security for your AWS organization account.
    If you have already onboarded an AWS member account as an individual account and enabled Data Security for it, you must disable data security for that member account so that it is included as part of the AWS Organization.
  2. Create a stack in your AWS master organization account.
    1. Select Create Stack.
      In the Prisma Cloud console, the AWS Management External ID and SNS Endpoint URL values are pre-populated and you cannot edit those fields.
    2. Log in to your AWS account in a separate tab. Copy and paste the AWS Management External ID and SNS Endpoint URL values from your Prisma Cloud console into the corresponding AWS Management Console fields.
      The CloudFormation template defaults to N. Virginia. You must change it to the region where your AWS account is before you create the stack.
    3. Select I acknowledge that AWS CloudFormation might create IAM resources with custom names and Create stack.
      Wait for the CREATE_COMPLETE status.
    4. Copy the PrismaCloudARN and PrismaCloudSNSARN values from the Outputs tab in the AWS Management Console.
    5. Paste PrismaCloudARN and PrismaCloudSNSARN in the Prisma Cloud Configure Data Security screen.
    6. Click Next.
  3. Configure the AWS Member Account.
    1. Download the CloudFormation member template.
      Complete the onscreen instructions to create the StackSet.
    2. StackSet deployment deploys the stack to all member accounts associated with the master account. On the AWS Management Console, select Services > CloudFormation > StackSets > Create StackSet for the member account.
    3. Upload the template file and click Next.
    4. Enter a StackSet name. In Parameters, enter the value for the member ExternalId.
      Create an ExternalId using a combination of letters, numbers, and/or hyphens. For example, Test-number-123, 05dd1aca-244a-447c-ab1e-aac935fd3348, and 12345-test-abc are all valid member ExternalIds. The PrismaCloudRoleName is auto-populated, but you can modify it as long as the string contains Org.
    5. Click Next and select Service managed permissions.
    6. Click Next and select Deploy to organization under Deployment targets.
      If you do not want to onboard all member accounts, select Deploy to organizational units (OUs) and deploy the StackSet only to the selected OUs.
    7. Set Automatic deployment to Enabled, and Account removal behavior to Delete stacks.
    8. In Specify regions, select one region.
      Make sure that the region you select is enabled on all accounts within your AWS Organization. If you select a region that is disabled in some account, the template cannot deploy resources in that region and the deployment fails with errors.
    9. In Deployment Options:
      • Under Maximum concurrent accounts, select Percentage and set it to 100.
      • Under Failure tolerance, select Percentage and set it to 100.
      • Keep the default option of Sequential under Region Concurrency.
    10. Click Next and review the configuration.
    11. Select I acknowledge that AWS CloudFormation might create IAM resources with custom names and Submit.
      The StackSet creation is initiated. Wait for the SUCCEEDED status.
      When the process completes, stacks are created for all the member accounts associated with this master account and are listed under Stack instances on the AWS Management Console.
    12. Under Parameters, copy the values for ExternalID and PrismaCloudRoleName.
  4. Configure the AWS Member Account on Prisma Cloud.
    1. Paste the ExternalID and PrismaCloudRoleName into Prisma Cloud.
    2. Select I confirm that the CFT StackSet has successfully created the Prisma Cloud member role in each member account, and click Next.
  5. Select the Configure Scan option and Save.
  6. You will see a success status message when data security is successfully configured for your AWS organization account. Click Done to see Data Security enabled on the AWS Cloud Account Overview page.
    If the Data Security unsuccessfully configured error displays, see Troubleshoot Data Security Errors.
  7. You can verify the configuration on the Settings > Data > Scan Settings page.
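As an added example that is not part of the Prisma Cloud documentation, the script below performs the StackSet part of step 3 with the AWS CLI, using the same deployment settings the console steps describe, after checking the two parameter values against the rules given above (letters, numbers and hyphens for the ExternalId; the role name must contain Org). It assumes the downloaded member template is saved as ./prisma-member-template.yaml and that its parameter keys are named ExternalId and PrismaCloudRoleName; the StackSet name and the OU id passed on the command line are placeholders.

```shell
#!/bin/sh
# Added example (not Prisma Cloud's own code): create and deploy the member
# StackSet from step 3 with the AWS CLI. Assumed template path and parameter
# key names are placeholders; adjust them to the template you downloaded.
set -eu

# A member ExternalId may contain only letters, numbers and hyphens, and must not be empty.
valid_external_id() {
  case "$1" in
    "") return 1 ;;
    *[!A-Za-z0-9-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# PrismaCloudRoleName may be customised but must keep "Org" in the string.
valid_role_name() {
  case "$1" in
    *Org*) return 0 ;;
    *) return 1 ;;
  esac
}

# Creates the StackSet with service-managed permissions, automatic deployment
# enabled and stacks deleted on account removal, then deploys it to the given
# OU id(s) in one region with the documented deployment options.
deploy_member_stackset() {
  external_id="$1"; role_name="$2"; ou_ids="$3"; region="$4"
  valid_external_id "$external_id" || { echo "invalid ExternalId" >&2; return 1; }
  valid_role_name "$role_name" || { echo "PrismaCloudRoleName must contain Org" >&2; return 1; }
  aws cloudformation create-stack-set \
    --stack-set-name PrismaCloudDataSecurityMembers \
    --template-body file://./prisma-member-template.yaml \
    --parameters "ParameterKey=ExternalId,ParameterValue=$external_id" \
                 "ParameterKey=PrismaCloudRoleName,ParameterValue=$role_name" \
    --permission-model SERVICE_MANAGED \
    --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false \
    --capabilities CAPABILITY_NAMED_IAM
  # Maximum concurrent accounts 100%, failure tolerance 100%, regions sequential.
  aws cloudformation create-stack-instances \
    --stack-set-name PrismaCloudDataSecurityMembers \
    --deployment-targets "OrganizationalUnitIds=$ou_ids" \
    --regions "$region" \
    --operation-preferences MaxConcurrentPercentage=100,FailureTolerancePercentage=100,RegionConcurrencyType=SEQUENTIAL
}

# Usage: sh deploy.sh deploy <ExternalId> <PrismaCloudRoleName> <ou-id> <region>
if [ "${1:-}" = "deploy" ]; then
  deploy_member_stackset "$2" "$3" "$4" "$5"
fi
```

Pass the organization root id instead of an OU id to mirror the Deploy to organization option; the same operation preferences apply either way.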
