Enable IAM Security
Complete the steps below to enable IAM Security in Prisma Cloud.
- Log in to the Prisma Cloud administrative console. Reference Access Prisma Cloud for more information.
- Onboard your AWS, Azure, or GCP accounts, where you manage IAM, to ensure Prisma Cloud can ingest your IAM data. In the case of Azure, this must be an Azure Active Directory tenant.
- Follow the appropriate onboarding instructions for your cloud environment.
- AWS: Select the AWS onboarding option that best meets your requirements.
- Azure: Azure uses Active Directory tenants to manage IAM. Select your Azure Active Directory tenant onboarding option.
- GCP: Choose your preferred GCP onboarding option.
- If you have already onboarded your cloud accounts, you may need to verify that you have granted the Prisma Cloud app/service account the additional permissions required for IAM Security.
- AWS: No additional permissions are required. The Terraform templates you used to onboard your cloud account include the required permissions.
- Azure: Verify Azure Application permissions.
- GCP: Grant permissions for ingesting Google Workspace Groups.Verify that you have onboarded with AWS CloudTrail so that you can receive excessive permissions alerts.
- Enable the IAM Security module.
- SelectSubscriptionto see all available options on your Prisma Cloud tenant.
- ClickLearn Moreunder the IAM Security icon.
- ClickStart 30 Day Trial, and then clickAgree & Submit.
You can try the IAM security module for free for 30-days to test out all of the features such as the IAM query, SSO integration, and out-of-the-box IAM policies. - Verify that IAM Security is enabled.
- Investigate with RQL.After IAM Security is successfully activated, RQL will be extended to include theiamquery. Enter the query below in theInvestigatetab to confirm that theiammodule has been enabled:config from iam where source.cloud.service.name = 'iam' and source.cloud.resource.type = 'user' and source.cloud.resource.name = 'my-user'A green check mark appears in the search field, to indicate that the RQL query is successful and the IAM module is enabled.
For more information, reference the IAM query documentation.
Grant permissions for Ingesting Google Workspace Groups
You must have administrator access to Google Workspace (GSuite) to grant Prisma Cloud Service Accounts the permissions to ingest data from groups on Google Workspace (GSuite). The permissions required for ingesting data on groups is either the predefined role
Group Reader
, or a custom role with groups:read
permission. Learn more about Google IAM Roles.- Log in to your Workspace.
- Create a new custom role or use the predefinedGroup Readerrole.
- Assign the role to the Prisma Cloud service account.
