Troubleshoot Data Security Errors

Azure Subscription Missing Permissions

After you configure data security for your Azure Subscription account, a missing permissions error message means that access to the storage account is enabled only from selected networks and IP addresses. To fix this issue, add the following IPs to the firewall allow list:
  • 3.128.230.117
  • 3.14.212.156
  • 3.22.23.119

Size Estimation Missing Permissions

To estimate the storage size, Prisma Cloud requires permission to configure S3 Inventory on each bucket. The inventory configuration lists the objects, and the metadata associated with each object, within the S3 bucket that you want to scan using Prisma Cloud Data Security. Without those permissions the data cannot be retrieved, and the Configuration Status column displays Missing Permissions. To fix this issue, first grant the Prisma Cloud role the following permissions:
  • s3:GetObject
  • s3:ListObjects
  • s3:PutInventoryConfiguration
  • s3:GetBucketAcl
  • s3:GetBucketPolicy
  • s3:GetBucketLocation
After you grant the permissions, Prisma Cloud rechecks the status of buckets with a permission issue every 6 hours and resolves the issue once it finds the correct permissions.
If most buckets in the account are missing permissions, see AWS Buckets Missing Permissions.
If a specific bucket in an account is missing permissions, check the bucket policy. If the Prisma Cloud UI shows s3:GetBucketLocation, all permissions are missing. In both cases, validate the bucket policy to see whether a Deny statement is preventing Prisma Cloud from accessing the objects.
If only the s3:GetObject permission is missing, it is most probably because the objects are encrypted with a Customer Managed Key (CMK) and Prisma Cloud does not have access to the CMK. See S3:GetObject Missing Permission to provide Prisma Cloud with access to the CMK.

AWS Buckets Missing Permissions

After you onboard your AWS account, if all the buckets in the account show Missing Permissions on the Scan Settings page, it is most probably because the AWS master account contains a Service Control Policy (SCP) that prevents access to the us-east-1 and us-east-2 regions.
Prisma Cloud needs access to:
  • the us-east-1 region, to list all the S3 buckets regardless of the region of the buckets (s3:ListBuckets), and
  • the us-east-2 region, to make a get-bucket-location call on all the S3 buckets regardless of their region (s3:GetBucketLocation).
To fix this issue, change the SCP to allow access for the Prisma Cloud Data Security role in the member accounts within the organization. Use the following ArnNotLike condition to exempt the required Prisma Cloud Data Security role from the Deny policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideEU",
      "Effect": "Deny",
      "NotAction": [
        "a4b:*",
        "acm:*",
        "aws-marketplace-management:*",
        "aws-marketplace:*",
        "aws-portal:*",
        "budgets:*",
        "ce:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-central-1",
            "eu-west-1"
          ]
        },
        "ArnNotLike": {
          "aws:PrincipalARN": [
            "arn:aws:iam::*:role/PrismaCloudStorageMemberReadRole"
          ]
        }
      }
    }
  ]
}

S3:GetObject Missing Permission

The s3:GetObject missing permission is most probably because the objects in your S3 buckets are encrypted with a Customer Managed Key (CMK) and Prisma Cloud does not have access to the CMK. To fix this issue, provide access to Prisma Cloud by following the steps listed below.
The steps vary depending on whether the CMK is located in the same AWS account or in a different one.
  • When the CMK is in the same AWS account that you’re onboarding, the Prisma Cloud role needs additional permissions to access the key. Add the following statement to the Prisma Cloud role and update the Resource array with all the CMK ARNs:
    {
      "Sid": "AllowPrismaCloudToAccessKeys",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": ["arn:aws:kms:ap-south-123456789101:key/3269f3d0-1820-407f-b67e-73acdd9243f4"]
    }
  • When the CMK is in a different AWS account than the one that you’re onboarding, first add the following policy statement to all the CMKs that are used for encryption and update the Principal AWS field with the Prisma Cloud ARN:
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::726893731529:role/PrismaCloudReadOnlyRoleWithDLP"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
    PrismaCloudReadOnlyRoleWithDLP refers to the Prisma Cloud role ARN that you added to enable Data Security on Prisma Cloud. This role also needs additional permissions to access the key. Add the following statement to the Prisma Cloud role and update the Resource array with all the CMK ARNs:
    {
      "Sid": "AllowPrismaCloudToAccessKeys",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": ["arn:aws:kms:ap-south-123456789101:key/3269f3d0-1820-407f-b67e-73acdd9243f4"]
    }
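The two policy checks this page walks through (the SCP exemption in AWS Buckets Missing Permissions and the cross-account key policy above) can be dry-run offline before you touch the organization. The following is an added example, not Prisma Cloud or AWS code: a small evaluator for exactly the subset of IAM policy grammar these two policies use (Effect, Action/NotAction, Principal, Resource, StringNotEquals, ArnNotLike). The account ID in ROLE is a placeholder, and the evaluator is a sanity check, not a replacement for the IAM policy simulator.

```python
import fnmatch
ROLE = "arn:aws:iam::111122223333:role/PrismaCloudStorageMemberReadRole"  # placeholder account id

def _lst(x):
    return x if isinstance(x, list) else [x]

def _glob(pattern, value):
    # IAM wildcards: '*' matches any run, '?' one char; case is folded as IAM does for action names
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def statement_applies(stmt, ctx):
    """True if stmt matches a request ctx with keys action, resource, principal, region."""
    if "Action" in stmt and not any(_glob(p, ctx["action"]) for p in _lst(stmt["Action"])):
        return False
    if "NotAction" in stmt and any(_glob(p, ctx["action"]) for p in _lst(stmt["NotAction"])):
        return False
    if not any(_glob(p, ctx["resource"]) for p in _lst(stmt.get("Resource", "*"))):
        return False
    principal = stmt.get("Principal", "*")  # SCPs and identity policies carry no Principal
    if principal != "*" and not any(_glob(p, ctx["principal"]) for p in _lst(principal.get("AWS", []))):
        return False
    keys = {"aws:RequestedRegion": ctx["region"], "aws:PrincipalARN": ctx["principal"]}
    for op, pairs in stmt.get("Condition", {}).items():
        match = _glob if op.startswith("Arn") else (lambda p, v: p == v)  # String* operators are exact
        for key, vals in pairs.items():
            hit = any(match(v, keys.get(key, "")) for v in _lst(vals))
            if hit == ("Not" in op):  # Not* operators fail on a hit, positive operators fail on a miss
                return False
    return True

def matching_effects(policy, ctx):
    return {s["Effect"] for s in policy["Statement"] if statement_applies(s, ctx)}

# The page's SCP and its cross-account key policy statement, as Python literals
SCP = {"Version": "2012-10-17", "Statement": [{"Sid": "DenyAllOutsideEU", "Effect": "Deny",
    "NotAction": ["a4b:*", "acm:*", "aws-marketplace-management:*", "aws-marketplace:*",
                  "aws-portal:*", "budgets:*", "ce:*"], "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-central-1", "eu-west-1"]},
                  "ArnNotLike": {"aws:PrincipalARN": ["arn:aws:iam::*:role/PrismaCloudStorageMemberReadRole"]}}}]}
KEY_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "Allow use of the key", "Effect": "Allow",
    "Principal": {"AWS": ROLE}, "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"}]}

def check_prisma_access(scp=SCP, key_policy=KEY_POLICY, role=ROLE):
    """Page's two conditions: SCP must not deny the role's us-east-1/us-east-2 S3 calls; key policy must allow Decrypt."""
    s3_ok = not any("Deny" in matching_effects(scp, {"action": a, "resource": "*", "principal": role, "region": r})
                    for a, r in (("s3:ListBuckets", "us-east-1"), ("s3:GetBucketLocation", "us-east-2")))
    kms_ok = "Allow" in matching_effects(key_policy, {"action": "kms:Decrypt", "resource": "*", "principal": role, "region": "us-east-1"})
    return {"scp_exempts_role": s3_ok, "key_policy_allows_decrypt": kms_ok}
```

Drop the ArnNotLike block from SCP, or change the Principal in KEY_POLICY, and the corresponding flag flips to False, which is the failure each section of this page describes.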

CloudTrail is not Configured to Send Notification to SNS Topic

After onboarding your cloud account on Prisma Cloud, if the connection to storage failed because of a CloudTrail configuration error, the following error displays:
See the YouTube video to fix the error.

Validation Script Failed

While configuring Forward Scan, if the script fails when you click Validate Setup, set up AWS CloudTrail and SNS manually to resolve the issue.
  1. Set up AWS CloudTrail and SNS.
    1. Create a new CloudTrail or use an existing one.
      You can store the AWS CloudTrail event logs in an S3 bucket in the same account that you are onboarding to Prisma Cloud for Data Security scanning. If you do not want to store the AWS CloudTrail event logs in an S3 bucket in the same account, see Provide Prisma Cloud Role with Access to Common S3 Bucket.
      Prisma Cloud will not ingest CloudTrail buckets.
    2. Select Write-only events to save cost.
      You can also exclude logs for AWS KMS actions by setting Log AWS KMS events to No, because it generates a large number of events and Prisma Cloud Data Security does not use this event data.
    3. Select all S3 buckets in your account, or Add S3 bucket for only specific buckets.
      Select Write events only.
    4. Add your S3 bucket.
      Create a new S3 bucket or use an existing one.
    5. Select Advanced.
    6. Select your SNS preferences.
      Set Send SNS notification for every log file delivery to Yes, and select the SNS topic you created earlier when you created the stack. It was named PrismaCloudSNS in this example.
    7. Click Create.
    8. Confirm that the CloudTrail bucket is created.
    9. Create a bucket policy to enable Prisma Cloud to read from your CloudTrail bucket.
    10. Click Next.
    11. On Prisma Cloud, click Validate Setup and continue with step 5 to enable Data Security on your AWS account.
