Enable IAM Security

Activate the IAM Security module in Prisma™ Cloud to get Cloud Infrastructure Entitlement Management (CIEM) functionality.
You can enable the IAM Security module on Prisma Cloud in a couple of clicks, because it requires the same permissions you provided when onboarding your AWS account, GCP account, or Azure subscription on Prisma Cloud. No additional permissions are needed for the effective-permissions calculations or for ingesting the write events.
  1. Log in to the Prisma Cloud administrative console.
  2. Onboard your AWS, Azure, or GCP account on Prisma Cloud.
    Verify that you have onboarded with AWS CloudTrail so that you receive excessive permissions alerts.
  3. Enable the IAM Security module.
    1. Select
      to see the options you have available on your Prisma Cloud tenant.
    2. Click Learn More under the IAM Security icon.
    3. Click Start 30 Day Trial, and then click Agree & Submit.
    4. Verify that your installation was successful.
  4. Investigate with RQL.
    After the IAM Security module has been successfully activated, RQL will be extended to include the
    query. Enter the query in the
    tab to confirm that the
    module has been enabled:
    config from iam where source.cloud.service.name = 'iam' and source.cloud.resource.type = 'user' and source.cloud.resource.name = 'my-user'
    After the query has been parsed successfully, a green check mark appears in the search field.
    Read the documentation for more information on how to use the
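As an added example (not Prisma Cloud's own tooling), the following Python script runs the query above through the Prisma Cloud REST API instead of the console, so the module check can be scripted after activation. The API stack URL, the `/api/v1/permission` path and the assumption that a tenant without the module rejects the query with a 4xx response are all assumptions to verify against your tenant's API reference.

```python
import json
import urllib.error
import urllib.request

# Assumed values: point STACK at your tenant's API stack and verify IAM_PATH
# against the Prisma Cloud API reference before relying on this check.
STACK = "https://api.prismacloud.io"
IAM_PATH = "/api/v1/permission"


def iam_user_query(user_name: str) -> str:
    """Build the IAM RQL query shown above for an arbitrary user name.
    Single quotes in the name are doubled so the value stays inside the literal."""
    safe = user_name.replace("'", "''")
    return ("config from iam where source.cloud.service.name = 'iam' "
            "and source.cloud.resource.type = 'user' "
            f"and source.cloud.resource.name = '{safe}'")


def _post(path, payload, token=None, transport=None):
    """POST JSON to the API. `transport(url, body, headers) -> dict` is a seam
    for offline tests; when it is None the real HTTPS request is made."""
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if token:
        headers["x-redlock-auth"] = token  # Prisma Cloud session token header
    body = json.dumps(payload).encode()
    if transport is not None:
        return transport(STACK + path, body, headers)
    req = urllib.request.Request(STACK + path, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def confirm_iam_module(access_key, secret_key, user_name="my-user", transport=None):
    """Return True when the IAM query is accepted (module active) and False when
    the API rejects it with a 4xx (assumed behaviour of a tenant without the module)."""
    login = _post("/login", {"username": access_key, "password": secret_key},
                  transport=transport)
    token = login["token"]
    try:
        _post(IAM_PATH, {"query": iam_user_query(user_name), "limit": 1},
              token=token, transport=transport)
    except urllib.error.HTTPError as err:
        if 400 <= err.code < 500:
            return False
        raise  # 5xx or network-level failures are not an answer about the module
    return True
```

Run it with an access key pair that has read permissions on the tenant; a `False` result means the IAM query was rejected, which is the same signal as a missing green check mark in the console.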

Grant permissions for Ingesting Google Workspace Groups

To grant the Prisma Cloud service account permission to ingest group data from Google Workspace (GSuite), you must have administrator access to Google Workspace (GSuite). The permissions required for ingesting group data are either the predefined Group Reader role, or a custom role with
permission (https://admin.google.com/u/1/ac/roles).
  1. Log in to Workspace.
  2. Create a new custom role or use the predefined Group Reader role.
  3. Assign the role to the Prisma Cloud service account.