Configure Data Security for AWS Organization Account
Onboard AWS organization account and enable data security.
After onboarding an AWS organization account, you can configure data security and start scanning your S3 buckets. Prisma Cloud creates two separate sets of AWS resources based on whether your onboarded account is an individual account or an organization account. You can onboard all the Organization Units (OUs) and Member Accounts under root or pick and choose the OUs and Member Accounts under root for selective onboarding.
- After you successfully onboard your AWS organization account, go to Settings > Cloud Accounts > Account Overview and select Configure to configure data security for your AWS organization account. If you have already onboarded an AWS member account as an individual account and enabled Data Security for it, you must disable data security for that member account to ensure that it is included as a part of the AWS Organization.
- Create a stack in your AWS master organization account.
  - Select Create Stack. In the Prisma Cloud console, the AWS Management External ID and SNS Endpoint URL values are pre-populated and you cannot edit those fields.
  - Log in to your AWS account in a separate tab. Copy and paste the AWS Management External ID and SNS Endpoint URL values from your Prisma Cloud console into the corresponding AWS Management Console fields. The CloudFormation template defaults to N. Virginia. You must change it to the region where your AWS account is before you create the stack.
  - Select I acknowledge that AWS CloudFormation might create IAM resources with custom names and Create stack. Wait for the CREATE_COMPLETE status.
  - Copy the PrismaCloudARN and PrismaCloudSNSARN values from the Outputs tab in the AWS Management Console.
  - Paste PrismaCloudARN and PrismaCloudSNSARN in the Prisma Cloud Configure Data Security screen.
- Configure the AWS Member Account.
  - Download the CloudFormation member template. Complete the onscreen instructions to create the StackSet.
  - StackSet deployment deploys the stack to all member accounts associated with the master account. On the AWS Management Console, select Services > CloudFormation > StackSets > Create StackSet for the member account.
  - Upload the template file and click Next.
  - Enter a StackSet name. In Parameters, enter the value for the memberExternalId. Create an ExternalId by using a combination of letters, numbers, and/or hyphens. For example, Test-number-123, 05dd1aca-244a-447c-ab1e-aac935fd3348, and 12345-test-abc are all valid memberExternalIds. The PrismaCloudRoleName is auto-populated, but you have the option to modify it as long as it contains Org within the string.
  - Click Next and select Service managed permissions.
  - Click Next and select Deploy to organization under Deployment targets. If you do not want to onboard all member accounts, select Deploy to organizational units (OUs) and deploy the StackSet only to the selected OUs.
  - Set Automatic deployment to Enabled and Account removal behavior to Delete stacks.
  - In Specify regions, select one region. Make sure that the region you select is enabled on all accounts within your AWS Organization. If you select a region that is disabled, the template cannot deploy resources within that region and will fail with errors.
  - In Deployment Options:
    - Maximum concurrent accounts: select Percentage and set it to 100.
    - Failure tolerance: select Percentage and set it to 100.
    - Keep the default option of Sequential under Region Concurrency.
  - Click Next and review the configuration.
  - Select I acknowledge that AWS CloudFormation might create IAM resources with custom names and Submit. The StackSet creation is initiated. Wait for the SUCCEEDED status. When the process completes, stacks are created for all the member accounts associated with this master account and are listed under Stack instances on the AWS Management Console.
  - Under Parameters, copy the values for ExternalID and PrismaCloudRoleName.
- Configure the AWS Member Account on Prisma Cloud.
  - Paste the ExternalID and PrismaCloudRoleName into Prisma Cloud.
  - Select I confirm that the CFT StackSet has successfully created the Prisma Cloud member role in each member account and click Next.
  - Select the Configure Scan option and Save.
- A success status message appears when data security is configured for your AWS organization account. Click Done to see Data Security enabled on the AWS Cloud Account Overview page.
- You can verify the configuration on the Settings > Data > Scan Settings page.
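The console steps above (the master-account stack outputs, the memberExternalId and PrismaCloudRoleName rules, the region check, and the member StackSet with its deployment options) can be driven from the AWS CLI as well. The script below is an added example, not Prisma Cloud's or AWS's own code. It assumes AWS CLI v2 with credentials for the management (master) account that can call CloudFormation, Organizations and the Account Management API (trusted access for Account Management must be enabled for the per-member region check); the stack name, template path and organization root or OU id are placeholders you supply; the parameter keys memberExternalId and PrismaCloudRoleName and the output keys PrismaCloudARN and PrismaCloudSNSARN are taken from the page's text and have not been checked against the actual templates.

```shell
#!/bin/sh
# Added example; not Prisma Cloud's or AWS's own code. Assumptions: AWS CLI v2,
# management-account credentials, placeholder stack/StackSet names, template path
# and target id; parameter and output key names as written on the page.

# memberExternalId rule from the page: letters, numbers and/or hyphens only.
valid_member_external_id() {
  case "$1" in
    '') return 1 ;;
    *[!A-Za-z0-9-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# PrismaCloudRoleName may be changed but must keep "Org" in the string.
valid_role_name() {
  case "$1" in
    *Org*) return 0 ;;
    *) return 1 ;;
  esac
}

# Master-account stack: block until CREATE_COMPLETE, then print the two output
# values that are pasted into the Configure Data Security screen.
master_stack_outputs() {
  aws cloudformation wait stack-create-complete --stack-name "$1" || return 1
  for key in PrismaCloudARN PrismaCloudSNSARN; do
    printf '%s=' "$key"
    aws cloudformation describe-stacks --stack-name "$1" \
      --query "Stacks[0].Outputs[?OutputKey=='$key'].OutputValue" --output text
  done
}

# The page warns that a region disabled in any account makes the deployment fail
# there, so check the opt-in status in every active account first. The
# management account must query its own status without --account-id.
region_enabled_everywhere() {
  region="$1"; ok=0
  self=$(aws sts get-caller-identity --query Account --output text)
  for acct in $(aws organizations list-accounts \
                  --query "Accounts[?Status=='ACTIVE'].Id" --output text); do
    acct_arg=""; [ "$acct" != "$self" ] && acct_arg="--account-id $acct"
    status=$(aws account get-region-opt-status $acct_arg --region-name "$region" \
               --query RegionOptStatus --output text)
    case "$status" in
      ENABLED|ENABLED_BY_DEFAULT) ;;
      *) echo "region $region is $status in account $acct" >&2; ok=1 ;;
    esac
  done
  return $ok
}

# Member StackSet with the settings from the page: service-managed permissions,
# automatic deployment enabled, delete stacks on account removal, one region,
# 100% maximum concurrent accounts, 100% failure tolerance, sequential regions.
deploy_member_stackset() {
  name="$1"; template="$2"; ext_id="$3"; role="$4"; region="$5"; target="$6"
  valid_member_external_id "$ext_id" || { echo "invalid memberExternalId" >&2; return 1; }
  valid_role_name "$role" || { echo "PrismaCloudRoleName must contain Org" >&2; return 1; }
  region_enabled_everywhere "$region" || return 1
  aws cloudformation create-stack-set --stack-set-name "$name" \
    --template-body "file://$template" \
    --parameters ParameterKey=memberExternalId,ParameterValue="$ext_id" \
                 ParameterKey=PrismaCloudRoleName,ParameterValue="$role" \
    --capabilities CAPABILITY_NAMED_IAM \
    --permission-model SERVICE_MANAGED \
    --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false || return 1
  # $target is the organization root id (Deploy to organization) or an OU id
  # (selective onboarding); both are passed as OrganizationalUnitIds.
  op=$(aws cloudformation create-stack-instances --stack-set-name "$name" \
    --deployment-targets OrganizationalUnitIds="$target" \
    --regions "$region" \
    --operation-preferences \
      MaxConcurrentPercentage=100,FailureTolerancePercentage=100,RegionConcurrencyType=SEQUENTIAL \
    --query OperationId --output text) || return 1
  # Poll until the operation finishes; the page says to wait for SUCCEEDED.
  while :; do
    status=$(aws cloudformation describe-stack-set-operation --stack-set-name "$name" \
      --operation-id "$op" --query StackSetOperation.Status --output text)
    case "$status" in
      RUNNING|QUEUED|STOPPING) sleep 15 ;;
      *) break ;;
    esac
  done
  echo "StackSet operation $op: $status"
  # Same view as the Stack instances list in the console: one row per account/region.
  aws cloudformation list-stack-instances --stack-set-name "$name" \
    --query "StackInstanceSummaries[].[Account,Region,Status]" --output table
  [ "$status" = SUCCEEDED ]
}

# Example invocation with placeholder values:
#   master_stack_outputs PrismaCloudMasterStack
#   deploy_member_stackset PrismaCloudMemberStackSet ./member-template.yaml \
#     Test-number-123 PrismaCloudOrgRole us-east-1 r-xxxx
```

The two validation functions encode the page's rules so a bad ExternalId or a role name without Org is rejected before anything is created; the region pre-check turns the "disabled region" failure mode into an explicit error listing the offending accounts instead of a partially deployed StackSet.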