Enable IAM Security

Complete the steps below to enable IAM Security in Prisma Cloud.
  1. Log in to the Prisma Cloud administrative console. Reference Access Prisma Cloud for more information.
  2. Onboard your AWS, Azure, or GCP accounts, where you manage IAM, to ensure Prisma Cloud can ingest your IAM data. In the case of Azure, this must be an Azure Active Directory tenant.
    • Follow the appropriate onboarding instructions for your cloud environment.
    • If you have already onboarded your cloud accounts, you may need to verify that you have granted the Prisma Cloud app/service account the additional permissions required for IAM Security.
      • AWS: No additional permissions are required. The Terraform templates you used to onboard your cloud account include the required permissions.
      • GCP: Grant permissions for ingesting Google Workspace Groups.
        Verify that you have onboarded with AWS CloudTrail so that you can receive excessive permissions alerts.
  3. Enable the IAM Security module.
    1. Select
      to see all available options on your Prisma Cloud tenant.
    2. Click
      Learn More
      under the IAM Security icon.
    3. Click
      Start 30 Day Trial
      , and then click
      Agree & Submit
      You can try the IAM security module for free for 30-days to test out all of the features such as the IAM query, SSO integration, and out-of-the-box IAM policies.
    4. Verify that IAM Security is enabled.
  4. Investigate with RQL.
    After IAM Security is successfully activated, RQL will be extended to include the
    query. Enter the query below in the
    tab to confirm that the
    module has been enabled:
    config from iam where source.cloud.service.name = 'iam' and source.cloud.resource.type = 'user' and source.cloud.resource.name = 'my-user'
    A green check mark appears in the search field, to indicate that the RQL query is successful and the IAM module is enabled.
    For more information, reference the IAM query documentation.

Grant permissions for Ingesting Google Workspace Groups

You must have administrator access to Google Workspace (GSuite) to grant Prisma Cloud Service Accounts the permissions to ingest data from groups on Google Workspace (GSuite). The permissions required for ingesting data on groups is either the predefined role
Group Reader
, or a custom role with
permission. Learn more about Google IAM Roles.
  1. Log in to your Workspace.
  2. Create a new custom role or use the predefined
    Group Reader
  3. Assign the role to the Prisma Cloud service account.

Recommended For You