Begin Scanning an Amazon Web Services App

Configure your Amazon Web Services account to connect to Prisma SaaS to begin scanning resources to identify policy violations and incidents.
Prisma SaaS has deprecated support for the Amazon Web Services app. To continue monitoring your resources deployed on AWS, try Prisma Cloud.
Before you can begin monitoring an Amazon Web Services app, you must configure a Prisma SaaS policy, a user, and (optionally) an Amazon S3 bucket for CloudTrail to log events in. As you configure your Amazon Web Services account, note the following values, which are required to complete the setup of the Amazon Web Services app on Prisma SaaS:
AWS account ID: Required to enable the Amazon Web Services bucket created in CloudTrail.
Access key ID: Grants Prisma SaaS permission to access Amazon Web Services.
Secret access key: The administrator root access key used to configure IAM services.
CloudTrail bucket name (or full path if the CloudTrail feature is already enabled): Enables the Amazon Web Services app to log management and data events to a CloudTrail bucket of your choice.
Region: The monitored CloudTrail region.
To begin monitoring an Amazon Web Services app:
  1. Prepare your Amazon Web Services account to work with Prisma SaaS.
    1. Log in to the AWS Console (aws.amazon.com).
    2. Select Services > Security, Identity & Compliance > IAM.
    3. Configure the Prisma SaaS policy to connect to the Amazon Web Services app.
      1. Select Policies > Create policy, and then select Create Your Own Policy.
      2. Enter the Policy Name as prisma-saas-aws-policy and provide an optional description of the policy.
      3. Copy and paste the following configuration into the Policy Document section:
         {
           "Version": "2012-10-17",
           "Statement": [
             {
               "Effect": "Allow",
               "Action": [
                 "ec2:DescribeInstances",
                 "ec2:DescribeSecurityGroups",
                 "ec2:DescribeImages",
                 "ec2:DescribeVolumes",
                 "iam:List*",
                 "iam:Get*",
                 "kms:ListKeys",
                 "kms:DescribeKey",
                 "kms:GetKeyRotationStatus",
                 "cloudtrail:GetTrailStatus",
                 "cloudtrail:DescribeTrails",
                 "cloudtrail:LookupEvents",
                 "cloudtrail:ListTags",
                 "cloudtrail:ListPublicKeys",
                 "cloudtrail:GetEventSelectors"
               ],
               "Resource": "*"
             }
           ]
         }
      4. Click Create Policy.
    4. Configure the account Prisma SaaS will use to access the Amazon Web Services logs:
      1. Select Users > Add user.
      2. Enter the username as prisma-saas-aws_ec2_and_iam-user.
      3. To generate an access key ID and secret access key for Prisma SaaS to use to access the Amazon Web Services service, enable Programmatic access.
      4. Select Next: Permissions.
      5. Select Attach existing policies directly and select the policy prisma-saas-aws_ec2_and_iam-policy.
      6. Search for and select the check box next to the policy you created in the previous step.
      7. Click Next: Review > Create User.
         Note your Access key ID and Secret access key.
      8. Click Close.
    5. (Optional) If you already have CloudTrail logging enabled for all regions, skip this step; otherwise, configure CloudTrail logging. This feature enables the Amazon Web Services app to log management and data events to a CloudTrail bucket of your choice.
      1. To copy your AWS account ID to the clipboard, click your username at the top right, select the account number, and press Ctrl-C. You will need the number later in this procedure.
      2. Select Services > Management Tools > CloudTrail > Trails > Add new trail.
      3. Enter the Trail name prisma-saas-aws_ec2_and_iam-trail.
      4. Set Apply trail to all Regions to Yes.
      5. To create a bucket in which CloudTrail will store management and data event logs, enter the S3 bucket name as prisma-saas-aws_EC2<AWS account ID> in the Storage location area.
         Take note of the AWS bucket (CloudTrail bucket name).
    6. Click Create.
  2. Add the Amazon Web Services app to Prisma SaaS.
    1. From the Prisma SaaS Dashboard, Add a Cloud App.
    2. Select Amazon Web Services.
    3. Configure your Amazon Web Services settings. There are two methods to set up the Amazon Web Services app on Prisma SaaS, depending on whether CloudTrail logging was already set up in your AWS account or you set it up per the instructions in this procedure.
      • New CloudTrail configuration
        1. Click Connect to Account.
        2. Enter the Access Key ID, Secret Access Key, and AWS Account ID that you noted in the previous steps.
    4. Click OK.
      Prisma SaaS adds the Amazon Web Services app to the list of Cloud Apps.
  3. (Optional) Give a descriptive name to this app instance and specify an incident reviewer.
    1. Select the Amazon Web Services link on the Cloud Apps list.
    2. Enter a descriptive Name to differentiate this instance of Amazon Web Services from other instances you are managing.
  4. Add policy rules.
    When you add a new cloud app, Prisma SaaS automatically monitors the app against the default data patterns and displays the match occurrences. As a best practice, consider the business use of your app to determine whether you want to Add a New Asset Rule to look for incidents unique to the new app.
  5. (Optional) Configure or edit a data pattern.
    When you add a new cloud app, Prisma SaaS automatically monitors the app against the default data patterns and displays the match occurrences. You can configure Data Patterns to identify specific strings of text, characters, words, or patterns, which makes it possible to find all instances of text that match a data pattern you specify.
  6. Start monitoring the new Amazon Web Services app for risks.
    1. Select Settings > Cloud Apps & Scan Settings.
    2. In the Cloud Apps row that corresponds to the new Amazon Web Services app, select Actions > Start Scanning.
      Prisma SaaS starts monitoring all assets in the associated Amazon Web Services app and begins identifying incidents. Depending on the number of Amazon Web Services assets, it may take some time for the service to complete the process of discovering all assets and users. However, as soon as you begin to see this information populating on the Prisma SaaS Dashboard, you can begin to Assess Incidents.
  7. Monitor the results.
    As Prisma SaaS starts monitoring files and matching them against enabled policy rules, Monitor Scan Results on the Dashboard to verify that your policy rules are effective. Monitoring the progress during the discovery phase allows you to Fine-Tune Policy to modify the match criteria and ensure better results.
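The IAM policy pasted in step 1.3 is meant to grant Prisma SaaS read-only visibility (Describe, Get, List and Lookup calls) and nothing more. The following added example, which is not part of the Prisma SaaS documentation or product, audits a policy document of that shape before it is attached to the prisma-saas-aws_ec2_and_iam-user account, flagging any Allow action that is not read-only; it embeds the page's own policy as input and the over-privileged policy in the comments is constructed for illustration.

```python
import json

# Policy document from step 1.3 of the procedure (as printed on the page).
PRISMA_SAAS_AWS_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [
  "ec2:DescribeInstances", "ec2:DescribeSecurityGroups", "ec2:DescribeImages",
  "ec2:DescribeVolumes", "iam:List*", "iam:Get*", "kms:ListKeys", "kms:DescribeKey",
  "kms:GetKeyRotationStatus", "cloudtrail:GetTrailStatus", "cloudtrail:DescribeTrails",
  "cloudtrail:LookupEvents", "cloudtrail:ListTags", "cloudtrail:ListPublicKeys",
  "cloudtrail:GetEventSelectors" ], "Resource": "*" } ] }
""")

# Action-name prefixes that only read or enumerate; anything else counts as a write.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Lookup")


def allowed_actions(policy):
    """Return every action granted by an Allow statement (Action may be a str or a list)."""
    actions = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        value = stmt.get("Action", [])
        actions.extend([value] if isinstance(value, str) else value)
    return actions


def is_read_only(action):
    """True for 'iam:List*' or 'kms:DescribeKey'; False for 'iam:*', '*' or 's3:PutObject'."""
    service, _, name = action.partition(":")
    if not name or name == "*" or service == "*":
        return False  # bare or service-wide wildcards grant writes too
    return name.startswith(READ_ONLY_PREFIXES)


def audit_policy(policy):
    """Summarise what a policy grants so a reviewer can confirm it stays read-only."""
    actions = allowed_actions(policy)
    write_actions = [a for a in actions if not is_read_only(a)]
    return {
        "action_count": len(actions),
        "write_actions": write_actions,
        "read_only": not write_actions,
    }


if __name__ == "__main__":
    # Constructed, over-privileged variant (not from the page) to show what gets flagged.
    risky = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:*", "s3:PutObject"], "Resource": "*"}]}
    print(audit_policy(PRISMA_SAAS_AWS_POLICY))
    print(audit_policy(risky))
```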
