Enable IAM Security

You can enable the IAM Security module on Prisma Cloud in a couple of clicks, because it requires the same permissions you provided when onboarding your AWS account, GCP account, or Azure subscription on Prisma Cloud. No new permissions are needed to obtain the effective-permissions calculations or the write events.
  1. Log in to the Prisma Cloud administrative console.
  2. Onboard your AWS, Azure, or GCP account on Prisma Cloud.
  3. Enable the IAM Security module.
    1. Select Subscription to see the options available on your Prisma Cloud tenant.
    2. Click Learn More under the IAM Security icon.
    3. Click Start 30 Day Trial, and then click Agree & Submit.
       You can try the IAM Security module free for 30 days to test all of its features, such as the IAM query, SSO integration, and out-of-the-box IAM policies.
    4. Verify that your installation was successful.
  4. Investigate with RQL.
    After the IAM Security module has been activated, RQL is extended to include the iam query. Enter the following query in the Investigate tab to confirm that the iam module is enabled:
    config from iam where source.cloud.service.name = 'iam' and source.cloud.resource.type = 'user' and source.cloud.resource.name = 'my-user'
    After the RQL has been rendered successfully, a green check mark appears in the search field.
    Read the documentation for more information on how to use the iam query.
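If you script the verification step instead of typing the query into the Investigate tab, the resource name usually comes from a variable, and splicing untrusted strings into RQL is the same class of mistake as splicing them into SQL. The following Python helper is an added example, not Prisma Cloud code: it assembles the page's iam query from an allowlist of attributes, rejects values that could alter the query, and wraps the query in a request body. The endpoint path (/search/config), the x-redlock-auth header, the timeRange body shape, and the restricted value character set are assumptions about the tenant API, not details taken from this page; confirm them against your own API documentation before use.

```python
"""Build and sanity-check the Prisma Cloud iam RQL query used to verify that the
IAM Security module is active.

Added example (not Prisma Cloud's own tooling). Assumes the RQL grammar shown on
the page: `config from iam where <attr> = '<value>' and ...`.
"""
import json
import re
import urllib.request

# Attributes the page's verification query uses. Allowlisting them means a caller
# cannot smuggle extra clauses or operators in through the attribute name.
ALLOWED_ATTRIBUTES = {
    "source.cloud.service.name",
    "source.cloud.resource.type",
    "source.cloud.resource.name",
}

# Conservative character set for string literals (assumption: the page does not
# describe RQL escaping rules, so anything that could close the quote or change the
# query shape is rejected instead of escaped).
_SAFE_VALUE = re.compile(r"[A-Za-z0-9._@/:+=,-]+")


def is_safe_value(value: str) -> bool:
    """True when `value` can be embedded as an RQL string literal unchanged."""
    return bool(_SAFE_VALUE.fullmatch(value))


def rql_literal(value: str) -> str:
    """Quote a value for RQL, refusing anything outside the safe character set."""
    if not is_safe_value(value):
        raise ValueError(f"unsupported characters in RQL value: {value!r}")
    return f"'{value}'"


def build_iam_query(filters: dict) -> str:
    """Return `config from iam where a = 'x' and b = 'y'` for the given filters.

    Clause order follows the insertion order of `filters`.
    """
    if not filters:
        return "config from iam"
    clauses = []
    for attr, value in filters.items():
        if attr not in ALLOWED_ATTRIBUTES:
            raise ValueError(f"attribute not allowed in iam query: {attr}")
        clauses.append(f"{attr} = {rql_literal(value)}")
    return "config from iam where " + " and ".join(clauses)


def verification_query(user_name: str) -> str:
    """The page's activation check, parameterised on the IAM user name."""
    return build_iam_query({
        "source.cloud.service.name": "iam",
        "source.cloud.resource.type": "user",
        "source.cloud.resource.name": user_name,
    })


def search_payload(query: str, hours: int = 24) -> dict:
    """Request body for the config search API (body shape is an assumption)."""
    return {
        "query": query,
        "timeRange": {"type": "relative", "value": {"unit": "hour", "amount": hours}},
    }


def run_search(base_url: str, token: str, query: str) -> dict:
    """POST the query to the tenant and return the decoded JSON response.

    Endpoint path and auth header name are assumptions; not exercised offline.
    """
    body = json.dumps(search_payload(query)).encode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/search/config",
        data=body,
        method="POST",
        headers={"Content-Type": "application/json", "x-redlock-auth": token},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed input: a resource name taken from a hypothetical config variable.
    print(verification_query("my-user"))
    print(is_safe_value("my-user' or 1=1"))  # quote-bearing input is refused
```

A value such as `my-user' or 1=1` is refused outright rather than quoted, so an operator can pass names from inventory files or CI variables to this helper without the risk that one of them rewrites the query; the allowlist likewise keeps the generated RQL limited to the three attributes the page's check uses.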

Grant permissions for Ingesting Google Workspace Groups

To grant the Prisma Cloud service account permissions to ingest data on groups from Google Workspace (GSuite), you must have administrator access to Google Workspace (GSuite). The permission required for ingesting data on groups is either the predefined role Group Reader, or a custom role with the groups:read permission (https://admin.google.com/u/1/ac/roles).
  1. Log in to Workspace.
  2. Create a new custom role or use the predefined Group Reader role.
  3. Assign the role to the Prisma Cloud service account.
