Configure Data Security for AWS Organization Account

Onboard AWS organization account and enable data security.
After onboarding an AWS organization account, you can configure data security and start scanning your S3 buckets. Prisma Cloud creates two separate sets of AWS resources based on whether your onboarded account is an individual account or an organization account. You can onboard all the Organization Units (OUs) and Member Accounts under root or pick and choose the OUs and Member Accounts under root for selective onboarding.
  1. After you successfully onboard your AWS organization account, go to Settings > Cloud Accounts > Account Overview and select Configure to configure data security for your AWS organization account.
    If you have already onboarded an AWS member account as an individual account and enabled Data Security for it, you must disable data security for that member account to ensure that it is included as a part of the AWS Organization.
  2. Create a stack in your AWS master organization account.
    1. Select Create Stack.
      In the Prisma Cloud console, the AWS Management External ID and SNS Endpoint URL values are pre-populated and you cannot edit those fields.
    2. Log in to your AWS account in a separate tab. Copy and paste the AWS Management External ID and SNS Endpoint URL values from your Prisma Cloud console into the corresponding AWS Management Console fields.
      The CloudFormation template defaults to N. Virginia. You must change it to the region where your AWS account is before you create the stack.
    3. Select I acknowledge that AWS CloudFormation might create IAM resources with custom names and Create stack.
      Wait for the CREATE_COMPLETE status.
    4. Copy the PrismaCloudARN and PrismaCloudSNSARN values from the Outputs tab in the AWS Management Console.
    5. Paste PrismaCloudARN and PrismaCloudSNSARN in the Prisma Cloud Configure Data Security screen.
    6. Click Next.
  3. Configure the AWS Member Account.
    1. Download the CloudFormation member template.
      Complete the onscreen instructions to create the StackSet.
    2. StackSet deployment deploys the stack to all member accounts associated with the master account. On the AWS Management Console, select Services > CloudFormation > StackSets > Create StackSet for the member account.
    3. Upload the template file and click Next.
    4. Enter a StackSet name. In Parameters, enter the value for the member ExternalId.
      Create an ExternalId by using a combination of letters, numbers, and/or hyphens. For example, Test-number-123, 05dd1aca-244a-447c-ab1e-aac935fd3348, and 12345-test-abc are all valid member ExternalIds. The PrismaCloudRoleName is auto-populated, but you have the option to modify it as long as it contains Org within the string.
    5. Under Execution configuration, select Active or Inactive, and click Next.
      For faster deployment, it is recommended that you select Active.
    6. Under Add stacks to stack set, select the Deploy new stacks option.
    7. Under Accounts, choose the accounts or organizational units in which you want to enable Data Security.
    8. In Specify regions, select one region.
      Make sure that the region you select is enabled on all accounts within your AWS Organization. If you select a region that is disabled, the template cannot deploy resources within that region and will fail with errors.
    9. In Deployment Options:
      • Under Maximum concurrent accounts, select Percentage and set it to 100.
      • Under Failure tolerance, select Percentage and set it to 100.
      • Keep the default option of Sequential under Region Concurrency.
    10. Click Next, and review the configuration.
    11. Select I acknowledge that AWS CloudFormation might create IAM resources with custom names and Submit.
      The StackSet creation is initiated. Wait for the SUCCEEDED status.
      When the process completes, stacks are created for all the member accounts associated with this master account and are listed under Stack instances on the AWS Management Console.
    12. Under Parameters, copy the values for ExternalID and PrismaCloudRoleName.
  4. Configure the AWS Member Account on Prisma Cloud.
    1. Paste the ExternalID and PrismaCloudRoleName into Prisma Cloud.
    2. Select I confirm that the CFT StackSet has successfully created the Prisma Cloud member role in each member account. and click Next.
  5. Select the Configure Scan option and Save.
  6. You will see a success status message when data security is configured for your AWS organization account. Click Done to see Data Security enabled on the AWS Cloud Account Overview page.
    If the Data Security unsuccessfully configured error displays, see Troubleshoot Data Security Errors.
  7. You can verify the configuration on the Settings > Data > Scan Settings page.
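As an added example (not Prisma Cloud's own code), the following Python helper checks the AWS side of steps 2 and 3 above from AWS CLI output: it pulls PrismaCloudARN and PrismaCloudSNSARN out of `aws cloudformation describe-stacks` once the master stack is CREATE_COMPLETE, lists the member stack instances that did not succeed (the disabled-region failure from step 3.8 surfaces here with its reason), and validates the member ExternalId and PrismaCloudRoleName rules from step 3.4. The stack name, account IDs, ARNs and status reasons in the embedded samples are constructed placeholders.

```python
"""Post-deployment checks for the Prisma Cloud data security master stack and
member StackSet. Hypothetical helper code, not Prisma Cloud's own; it parses
the JSON returned by `aws cloudformation describe-stacks` and
`aws cloudformation list-stack-instances` (captured or piped in)."""
import json
import re

# Constructed sample of `aws cloudformation describe-stacks --stack-name <master stack>`
DESCRIBE_STACKS_SAMPLE = json.dumps({"Stacks": [{
    "StackName": "PrismaCloudDataSecurity",
    "StackStatus": "CREATE_COMPLETE",
    "Outputs": [
        {"OutputKey": "PrismaCloudARN",
         "OutputValue": "arn:aws:iam::111111111111:role/PrismaCloudRole"},
        {"OutputKey": "PrismaCloudSNSARN",
         "OutputValue": "arn:aws:sns:us-east-1:111111111111:PrismaCloudTopic"},
    ]}]})

# Constructed sample of `aws cloudformation list-stack-instances --stack-set-name <name>`
LIST_INSTANCES_SAMPLE = json.dumps({"Summaries": [
    {"Account": "222222222222", "Region": "us-east-1", "Status": "CURRENT",
     "StackInstanceStatus": {"DetailedStatus": "SUCCEEDED"}},
    {"Account": "333333333333", "Region": "us-east-1", "Status": "OUTDATED",
     "StatusReason": "Region is not enabled in the account",
     "StackInstanceStatus": {"DetailedStatus": "FAILED"}},
]})

def master_stack_outputs(describe_json):
    """Return the two ARNs to paste into Prisma Cloud, but only once the
    master stack has reached CREATE_COMPLETE (step 2.3)."""
    stack = json.loads(describe_json)["Stacks"][0]
    if stack["StackStatus"] != "CREATE_COMPLETE":
        raise RuntimeError(f"stack not ready: {stack['StackStatus']}")
    outputs = {o["OutputKey"]: o["OutputValue"] for o in stack.get("Outputs", [])}
    return {k: outputs[k] for k in ("PrismaCloudARN", "PrismaCloudSNSARN")}

def failed_member_instances(list_json):
    """Map member account -> reason for every stack instance that did not
    succeed; a region disabled in a member account (step 3.8) lands here."""
    return {s["Account"]: s.get("StatusReason", s["Status"])
            for s in json.loads(list_json)["Summaries"]
            if s.get("StackInstanceStatus", {}).get("DetailedStatus") != "SUCCEEDED"}

def valid_member_parameters(external_id, role_name):
    """Check that the member ExternalId uses only letters, digits and hyphens
    and that the PrismaCloudRoleName still contains 'Org' (step 3.4)."""
    return bool(re.fullmatch(r"[A-Za-z0-9-]+", external_id)) and "Org" in role_name
```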
