1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Administrator's Guide
    5. Prisma Cloud IAM Security
    6. Integrate Prisma Cloud with AWS IAM Identity Center

    Integrate Prisma Cloud with AWS IAM Identity Center

    To provide effective permissions calculation in the IAM Security module, Prisma Cloud integrates with the Identity Provider (IdP) service, AWS IAM Identity Center, to ingest Single Sign-On (SSO) data. Complete this integration to gain better visibility into the entities accessing your cloud resources, by using the IAM query to list effective permissions of AWS IAM Identity Center users across your cloud accounts.
    Prisma Cloud requires the following additional permissions to support AWS IAM Identity Center integration:
    • sso:ListInstances
    • sso:ListPermissionSets
    • sso:ListAccountForProvisionedPermissionSet
    • sso:ListAccountAssignments
    • sso:DescribePermissionSets
    • identitystore:ListUsers
    • identitystore:ListGroupMemberships
    • identitystore:ListGroups
    If you are using a CloudFormation template for AWS account onboarding no additional action is required. The required permissions are part of the CloudFormation onboarding template.

    Adding Required Permissions for Existing Accounts

    To Update an Onboarded AWS account, and add the required permissions, rerun the last updated version of the CloudFormation onboarding template for the respective AWS account.
    Optionally, you can also follow the steps to manually add these permissions to the role assumed by the Prisma Cloud user.

    Run IAM Queries

    After AWS IAM Identity Center is integrated with Prisma Cloud, you can view the results of IAM queries for the AWS IAM Identity Center and gain visibility and governance into your cloud environment. Follow the steps below to run IAM queries for AWS IAM Identity Center:
    1. From the Prisma Cloud console, click
      Investigate
      .
    2. Enter the following RQL query on the Investigate tab.
      config from iam where source.idp.service = 'AWS Identity Center'
    3. The query will return a list of all the AWS IAM Identity Center users in your cloud account.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo