Troubleshoot Data Security Errors
Review this section for information on how to resolve some common errors when you use Data Security on Prisma Cloud.
Troubleshoot Azure Subscriptions
Enable Estimates for Azure
- Prisma Cloud leverages Azure Blob Inventory and creates an inventory policy to process estimates in Azure. To grant the permissions that Prisma Cloud requires to create the inventory policy, you need to:
  - Re-deploy the CFT with the new permission and provide the AppID and Secret.
  - Enable the following permission on the existing App: "Microsoft.Storage/storageAccounts/inventoryPolicies/"
- Once the permissions are provided, Prisma Cloud creates an inventory policy to generate a report based on the frequency setting on the Data Settings page.
  - If the frequency is set to None, Prisma Cloud does not create a blob inventory policy.
  - If the frequency is set to Daily or Weekly, Prisma Cloud creates a blob inventory policy named prisma_cloud_data_security using the specified frequency setting.
- As a part of the policy, you will see additional folders and files being created daily or weekly, depending on the frequency selected. To lower your costs, you can choose to:
  - Create a storage account lifecycle policy to recycle blob inventory reports and delete old reports.
  - Change the report frequency to None if you no longer need it. The report frequency is a global setting; any change you make is applied to all onboarded accounts that have data security enabled.
  - Go to the individual storage account and disable the blob inventory policy named prisma_cloud_data_security.
Permissions Required to Create the App Registration Manually
- If you want to create the app registration manually, Prisma Cloud requires the following permissions:
  - "Microsoft.Storage/storageAccounts/read"
  - "Microsoft.Resources/subscriptions/resourceGroups/read"
  - "Reader and Data Access"
  - "Storage Blob Data Reader"
- The optional permissions are:
  - "Microsoft.EventGrid/eventSubscriptions/*"
  - "Microsoft.Storage/storageAccounts/inventoryPolicies/*"
Unable to Access Storage Account
- Verify that the following permissions were granted to the Prisma Cloud app registration:
  - "Microsoft.Storage/storageAccounts/read"
  - "Microsoft.Resources/subscriptions/read"
  - "Microsoft.Resources/subscriptions/resourceGroups/read"
  - "Microsoft.Management/managementGroups/subscriptions/read"
- Check whether any access policy on the resource groups blocks access.
Unable to Create Event Grid Subscriptions
- Although the Event Grid subscription permission is optional, without it Prisma Cloud cannot perform forward scans or storage account size estimation, because the Event Grid subscription is what keeps monitoring the subscription or storage accounts for future changes.
- Confirm that the following permission has been granted to the Prisma Cloud app registration: "Microsoft.EventGrid/eventSubscriptions/*"
- Make sure Microsoft.EventGrid is registered under Resource providers in your subscriptions.
- Create an Event Grid subscription manually and check whether any policy blocks Event Grid subscription creation.
- Make sure that either the Storage Blob Data Reader role or the following permissions have been granted to the Prisma Cloud app registration:
  - "Microsoft.Storage/storageAccounts/blobServices/containers/read"
  - "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
  - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
Access Blocked Due to Network ACL
- If the storage account's network access is set to Disabled, Prisma Cloud cannot access the data.
- If Enabled from selected virtual networks and IP addresses is selected, you need to add the Prisma Cloud public IPs to the allow list by either:
  - Downloading the bash script generated by Prisma Cloud and executing it in your Azure cloud console, or
  - Configuring the IPs provided by Prisma Cloud one at a time on each storage account.
If your account is in the US, add the following IPs:
If your account is in the EU, add the following IPs:
Azure Subscription Missing Permissions
- After configuring data security for your Azure Subscription account, if you see a "missing permissions Network ACLs" error message, it is because you have restricted access to a storage account to selected networks and IP addresses. To fix this issue, download the script and run it in Cloud Shell, or manually add the following IPs to each storage account's Network ACL:
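As an added example (not Prisma Cloud's generated script), the following check reads a storage account's network rule set, reports which required IPs it would block, and builds the equivalent `az storage account network-rule add` commands; the rule set and the IP addresses are constructed placeholders, so substitute the list from the Prisma Cloud console.

```python
# Added example (not Prisma Cloud's generated script): check a storage account's
# network rule set against the required allowlist and build the az CLI commands
# that would add what is missing. Rule set and IPs are constructed placeholders.
import ipaddress

def allowlist_status(public_network_access, network_rule_set, required_ips):
    """Return (status, missing_ips).
    public_network_access: the account's "Enabled" / "Disabled" setting.
    network_rule_set mirrors Azure's networkRuleSet shape:
      {"defaultAction": "Allow"|"Deny", "ipRules": [{"value": "<ip or cidr>"}, ...]}
    status: "blocked"  public access Disabled, no allowlist entry can help
            "open"     default action Allow (all networks), nothing to add
            "ok"       every required IP is covered by an ipRule
            "missing"  some required IPs are not covered (returned in missing_ips)
    """
    if public_network_access == "Disabled":
        return "blocked", list(required_ips)
    if network_rule_set.get("defaultAction", "Allow") == "Allow":
        return "open", []
    # ipRules may hold single addresses or CIDR ranges; normalise both to networks.
    allowed = [ipaddress.ip_network(rule["value"], strict=False)
               for rule in network_rule_set.get("ipRules", [])]
    missing = [ip for ip in required_ips
               if not any(ipaddress.ip_address(ip) in net for net in allowed)]
    return ("missing" if missing else "ok"), missing

def network_rule_add_commands(resource_group, account_name, ips):
    """One `az storage account network-rule add` per IP, i.e. what the generated
    bash script does for each storage account."""
    return [f"az storage account network-rule add --resource-group {resource_group} "
            f"--account-name {account_name} --ip-address {ip}" for ip in ips]

# Constructed sample: Deny-by-default account with two existing rules.
SAMPLE_RULES = {"defaultAction": "Deny",
                "ipRules": [{"value": "203.0.113.5"}, {"value": "198.51.100.0/24"}]}
SAMPLE_REQUIRED = ["203.0.113.5", "198.51.100.77", "192.0.2.9"]

if __name__ == "__main__":
    status, missing = allowlist_status("Enabled", SAMPLE_RULES, SAMPLE_REQUIRED)
    print(status, missing)  # missing ['192.0.2.9']
    for cmd in network_rule_add_commands("my-rg", "mystorageacct", missing):
        print(cmd)
```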
Troubleshoot AWS Accounts
Size Estimation Missing Permissions
To estimate the storage size, Prisma Cloud requires permissions to configure the S3 Inventory configuration. The inventory configuration lists the objects, and the metadata associated with each object, within the S3 bucket that you want to scan using Prisma Cloud Data Security. Without those permissions, the data cannot be retrieved and the Configuration Status column displays Missing Permissions. To fix this issue, you must first grant the Prisma Cloud role the following permissions:
- s3:GetObject
- s3:ListObjects
- s3:PutInventoryConfiguration
- s3:GetBucketAcl
- s3:GetBucketPolicy
- s3:GetBucketLocation
After you grant the permissions, Prisma Cloud rechecks the status of buckets that have the permission issue every 6 hours and clears the issue once it finds the correct permissions.
If most buckets in the account are missing permissions, see AWS Buckets Missing Permissions.
If only a specific bucket in an account is missing permissions, check that bucket's policy. If the Prisma Cloud UI shows s3:GetBucketLocation as missing, all permissions are missing. In both cases, validate the bucket policy to see whether a Deny statement is preventing Prisma Cloud from accessing the objects.
If s3:GetObject is the only missing permission, it is most probably because the objects are encrypted with a Customer Managed Key (CMK) and Prisma Cloud does not have access to the CMK. See S3:GetObject Missing Permission for how to give Prisma Cloud access to the CMK.
AWS Buckets Missing Permissions
After you onboard your AWS account, if all the buckets in the account show Missing Permissions on the Scan Settings page, it is most probably because the AWS master account contains a Service Control Policy (SCP) that prevents access to the us-east-1 and us-east-2 regions. Prisma Cloud needs access to:
- the us-east-1 region to list all the S3 buckets regardless of the region of the buckets (s3:ListBuckets), and
- the us-east-2 region to make a get bucket location call on all the S3 buckets regardless of their region (s3:GetBucketLocation).
To fix this issue, change the SCP to allow the Prisma Cloud Data Security role access for the member accounts within the organization. Use the following ArnNotLike condition to exempt the required Prisma Cloud Data Security role from the Deny policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideEU",
      "Effect": "Deny",
      "NotAction": [
        "a4b:*",
        "acm:*",
        "aws-marketplace-management:*",
        "aws-marketplace:*",
        "aws-portal:*",
        "budgets:*",
        "ce:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-central-1",
            "eu-west-1"
          ]
        },
        "ArnNotLike": {
          "aws:PrincipalARN": [
            "arn:aws:iam::*:role/PrismaCloudStorageMemberReadRole"
          ]
        }
      }
    }
  ]
}
```
See Deny access to AWS based on the requested AWS Region for more details.
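To check that the exemption works before committing the SCP change, here is an added example (not Prisma Cloud code) that evaluates the SCP above for a given principal, action and region, and shows that without the ArnNotLike condition the role is denied in us-east-1 and us-east-2. It handles only the operators that SCP uses, and the account IDs in the ARNs it is tested with are constructed.

```python
# Added example (not Prisma Cloud code): evaluate the region-restricting SCP above
# to confirm the ArnNotLike exemption lets the Prisma Cloud role reach us-east-1/2.
# Handles only that SCP's operators: NotAction, StringNotEquals, ArnNotLike.
import copy, fnmatch, json

SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyAllOutsideEU", "Effect": "Deny",
    "NotAction": ["a4b:*", "acm:*", "aws-marketplace-management:*",
                  "aws-marketplace:*", "aws-portal:*", "budgets:*", "ce:*"],
    "Resource": "*",
    "Condition": {
      "StringNotEquals": {"aws:RequestedRegion": ["eu-central-1", "eu-west-1"]},
      "ArnNotLike": {"aws:PrincipalARN": ["arn:aws:iam::*:role/PrismaCloudStorageMemberReadRole"]}
    }}]}""")

def _as_list(v): return v if isinstance(v, list) else [v]

def _matches_any(value, patterns):  # IAM wildcards (* and ?) are fnmatch wildcards
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _statement_applies(stmt, action, ctx):
    if "NotAction" in stmt:  # NotAction: applies to everything except the listed actions
        if _matches_any(action, stmt["NotAction"]):
            return False
    elif not _matches_any(action, stmt.get("Action", [])):
        return False
    for op, keys in stmt.get("Condition", {}).items():  # every condition must hold
        for key, values in keys.items():
            actual = ctx.get(key, "")
            if op == "StringNotEquals" and actual in _as_list(values):
                return False
            if op == "ArnNotLike" and _matches_any(actual, values):
                return False
            if op not in ("StringNotEquals", "ArnNotLike"):
                raise NotImplementedError(f"condition operator {op}")
    return True

def scp_denies(policy, action, region, principal_arn):  # True if a Deny statement applies
    ctx = {"aws:RequestedRegion": region, "aws:PrincipalARN": principal_arn}
    return any(s["Effect"] == "Deny" and _statement_applies(s, action, ctx)
               for s in policy["Statement"])

def without_exemption(policy):  # the same SCP before the ArnNotLike fix, for comparison
    before = copy.deepcopy(policy)
    for s in before["Statement"]:
        s.get("Condition", {}).pop("ArnNotLike", None)
    return before
```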
S3:GetObject Missing Permission
The s3:GetObject missing permission is most probably because the objects in your S3 buckets are encrypted with Customer Managed Key (CMK) and Prisma Cloud does not have access to the CMK. To fix this issue, provide access to Prisma Cloud by following the steps listed below.
The steps vary depending on whether the CMK is located within the same AWS account or a different one.
- When the CMK is in the same AWS account that you're onboarding, the Prisma Cloud role needs additional permissions to access the key. Add the following statement to the Prisma Cloud role and update the Resource array with all the CMK ARNs:

```json
{
  "Sid": "AllowPrismaCloudToAccessKeys",
  "Effect": "Allow",
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": ["arn:aws:kms:ap-south-123456789101:key/3269f3d0-1820-407f-b67e-73acdd9243f4"]
}
```

- When the CMK is in a different AWS account than the one that you're onboarding, you need to first add the following policy statement to all the CMKs that are used for encryption and update the Principal AWS field with the Prisma Cloud ARN:

```json
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::726893731529:role/PrismaCloudReadOnlyRoleWithDLP"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
```

  PrismaCloudReadOnlyRoleWithDLP refers to the Prisma Cloud role ARN that you added to enable Data Security on Prisma Cloud. This role also needs additional permissions to access the key. Add the following statement to the Prisma Cloud role and update the Resource array with all the CMK ARNs:

```json
{
  "Sid": "AllowPrismaCloudToAccessKeys",
  "Effect": "Allow",
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": ["arn:aws:kms:ap-south-123456789101:key/3269f3d0-1820-407f-b67e-73acdd9243f4"]
}
```

Validation Script Failed
While configuring Forward Scan, if the script fails when you click Validate Setup, set up AWS CloudTrail & SNS manually to resolve this issue.
- Set up AWS CloudTrail & SNS.
  - Create a new CloudTrail or use an existing CloudTrail. You can store AWS CloudTrail event logs within an S3 bucket in the same account that you are onboarding to Prisma Cloud for Data Security scanning. If you do not want to store AWS CloudTrail event logs within an S3 bucket in the same account, see Provide Prisma Cloud Role with Access to Common S3 Bucket. Prisma Cloud will not ingest CloudTrail buckets.
  - Select Write-only events to save cost. You can also exclude logs for AWS KMS actions: set Log AWS KMS events to No, because KMS generates a large number of events and Prisma Cloud Data Security does not use this event data.
  - Select all S3 buckets in your account, or Add S3 bucket for only specific buckets. Select Write events only.
  - Add your S3 bucket. Create a new S3 bucket or use an existing one.
  - Select Advanced.
  - Select your SNS preferences. Set Send SNS notification for every log file delivery to Yes, and select the SNS topic you created earlier when you created the stack. It was named PrismaCloudSNS in this example.
  - Click Create.
  - Confirm that the CloudTrail bucket is created.
  - Create a bucket policy to enable Prisma Cloud to read from your CloudTrail bucket.
  - Click Next.
- On Prisma Cloud, click Validate Setup and continue with step 5 to enable Data Security on your AWS account.