Integrate Prisma Cloud with AWS IAM Identity Center

To provide effective permissions calculation in the IAM Security module, Prisma Cloud integrates with the Identity Provider (IdP) service, AWS IAM Identity Center, to ingest Single Sign-On (SSO) data. Complete this integration to gain better visibility into the entities accessing your cloud resources, by using the IAM query to list effective permissions of AWS IAM Identity Center users across your cloud accounts.
Prisma Cloud requires the following additional permissions to support AWS IAM Identity Center integration:
  • sso:ListInstances
  • sso:ListPermissionSets
  • sso:ListAccountForProvisionedPermissionSet
  • sso:ListAccountAssignments
  • sso:DescribePermissionSets
  • identitystore:ListUsers
  • identitystore:ListGroupMemberships
  • identitystore:ListGroups
If you are using a CloudFormation template for AWS account onboarding no additional action is required. The required permissions are part of the CloudFormation onboarding template.

Adding Required Permissions for Existing Accounts

To Update an Onboarded AWS account, and add the required permissions, rerun the last updated version of the CloudFormation onboarding template for the respective AWS account.
Optionally, you can also follow the steps to manually add these permissions to the role assumed by the Prisma Cloud user.

Run IAM Queries

After AWS IAM Identity Center is integrated with Prisma Cloud, you can view the results of IAM queries for the AWS IAM Identity Center and gain visibility and governance into your cloud environment. Follow the steps below to run IAM queries for AWS IAM Identity Center:
  1. From the Prisma Cloud console, click
    Investigate
    .
  2. Enter the following RQL query on the Investigate tab.
    config from iam where source.idp.service = 'AWS Identity Center'
  3. The query will return a list of all the AWS IAM Identity Center users in your cloud account.

Recommended For You