AWS Monitoring Issues
  • 14 Oct 2024
  • 5 Minutes to read
Service Control Policies

Service Control Policies (SCPs) serve as organization policies to manage permissions within an organization, providing central control over maximum permissions for all accounts. SCPs are designed to ensure compliance with access control guidelines by defining limits on actions delegated to IAM users and roles in affected accounts.

  • Issue: SCPs limit the capability of Prisma Cloud DSPM in some organizations.

  • Symptom: In some organizations, SCPs may restrict the functionality of Prisma Cloud DSPM.

  • Solution: Try the following solutions to solve SCP issues:

  1. Identification

    • Confirm the existence of SCPs affecting the organization's accounts.

    • Verify if Prisma Cloud DSPM's capabilities are restricted by SCPs.

  2. Review SCP Configuration

    • Access the SCP configuration settings for the organization.

    • Identify the specific SCP that affects Prisma Cloud DSPM.

  3. Update SCP for Prisma Cloud DSPM

    • Modify the SCP to allow necessary access for the Prisma Cloud DSPM role.

    • Adjust permissions within the SCP to align with the operational requirements of Prisma Cloud DSPM.

  4. Validation

    • Confirm the changes made to the SCP for Prisma Cloud DSPM.

    • Test Prisma Cloud DSPM's operations to ensure that the desired capabilities are restored.

  5. Documentation

    • Document the changes made to the SCP and the resolution process.

    • Update internal documentation regarding SCP configurations to reflect the adjustments for Prisma Cloud DSPM.

Additional Resources
Refer to AWS Service Control Policies for a comprehensive understanding of SCPs and their configuration options.
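The identification and validation steps above come down to one question: does any SCP in the account's path contain a Deny that matches an action the Prisma Cloud DSPM role needs, and does the adjusted SCP stop matching that role? The following Python is an added example (not Prisma Cloud's code and not part of the original article) that evaluates a constructed SCP against a constructed list of required actions. The role ARN, the action list and both policy documents are placeholders; the evaluator is deliberately simplified (only the `aws:PrincipalArn` condition key is understood, and Resource is ignored) but follows the SCP rules that matter here: an explicit Deny wins, and there is no implicit allow.

```python
import fnmatch
import json

# Placeholder ARN for the Prisma Cloud DSPM role (constructed; use the role from the issue details).
DSPM_ROLE_ARN = "arn:aws:iam::111122223333:role/dspm-scanner-role"

# Constructed subset of actions a data-discovery role needs; the real list is the
# documented required permissions for Prisma Cloud DSPM.
REQUIRED_ACTIONS = [
    "s3:ListBucket",
    "s3:GetObject",
    "kms:Decrypt",
    "redshift:DescribeClusters",
    "ec2:DescribeInstances",
]

# Constructed SCP: a blanket Deny on data-plane actions that also catches the DSPM role.
RESTRICTIVE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "DenyDataAccess",
            "Effect": "Deny",
            "Action": ["s3:GetObject", "s3:ListBucket", "kms:Decrypt", "redshift:*"],
            "Resource": "*",
        },
    ],
}

# The same SCP with the Deny scoped so it no longer applies to the DSPM role.
ADJUSTED_SCP = json.loads(json.dumps(RESTRICTIVE_SCP))
ADJUSTED_SCP["Statement"][1]["Condition"] = {
    "ArnNotLike": {"aws:PrincipalArn": DSPM_ROLE_ARN}
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_applies(condition, principal_arn):
    """Simplified Condition evaluation: only the aws:PrincipalArn key with the
    Arn*/String* (Not)Like/(Not)Equals operators is understood. Any other
    condition key is treated as satisfied, so a Deny is never hidden."""
    for operator, keys in (condition or {}).items():
        values = keys.get("aws:PrincipalArn")
        if values is None:
            continue
        matched = _matches_any(principal_arn, values)
        negated = "Not" in operator
        if matched == negated:
            return False
    return True


def scp_allows(scp, action, principal_arn):
    """True if the SCP leaves `action` available to `principal_arn`.
    A matching Deny always wins; otherwise some Allow must match, because an
    SCP has no implicit allow."""
    allowed = False
    for statement in scp["Statement"]:
        if "Action" in statement:
            applies = _matches_any(action, statement["Action"])
        else:  # NotAction: the statement covers every action *not* listed
            applies = not _matches_any(action, statement["NotAction"])
        if not applies or not _condition_applies(statement.get("Condition"), principal_arn):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def blocked_actions(scp, required, principal_arn):
    """Required actions the SCP withholds from the principal (the check in step 1)."""
    return [a for a in required if not scp_allows(scp, a, principal_arn)]


if __name__ == "__main__":
    print("before:", blocked_actions(RESTRICTIVE_SCP, REQUIRED_ACTIONS, DSPM_ROLE_ARN))
    print("after: ", blocked_actions(ADJUSTED_SCP, REQUIRED_ACTIONS, DSPM_ROLE_ARN))
    other = "arn:aws:iam::111122223333:role/some-other-role"
    print("other role still denied:", blocked_actions(ADJUSTED_SCP, REQUIRED_ACTIONS, other))
```

Scoping the Deny with an `aws:PrincipalArn` condition, rather than deleting the Deny, is the adjustment step 3 describes: the DSPM role regains the actions it needs while every other principal in the account stays restricted, which is what the third print line demonstrates.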


Quota Issues

Virtual Private Cloud (VPC) Quota Exceeded

  • Issue: The AWS account has reached the limit on the number of VPCs that can exist concurrently per region.

  • Symptom: An error message is generated when the number of VPCs reaches the permitted quota.

  • Solution: In the AWS Console, increase the number of VPCs per region. For more information, refer to Amazon VPC quotas.

Elastic IP Addresses Quota Exceeded

  • Issue: The AWS account has reached the limit on the number of Elastic IP addresses that can exist concurrently per region.

  • Symptom: An error message is generated when the number of Elastic IP addresses reaches the permitted quota.

  • Solution: In the AWS Console, increase the number of Elastic IP addresses per region. For more information, refer to Amazon Elastic IP addresses quotas.

S3 Bucket Quota Exceeded

  • Issue: The AWS account has reached the limit on the number of S3 buckets that can exist concurrently.

  • Symptom: An error message is generated when the number of S3 buckets reaches the permitted quota.

  • Solution: In the AWS Console, increase the number of S3 buckets. For more information, refer to Bucket Restrictions and Limitations.

EventBridge Rule Invocation Throttled

  • Issue: The AWS account has reached the limit on EventBridge invocations per second.

  • Symptom: An error message is generated when the number of invocations per second reaches the quota set for the region.

  • Solution: In the AWS Console, increase the “Invocations throttle limit in transactions per second” quota for the affected region. For more information, refer to Amazon EventBridge quotas.

IAM Misconfiguration

Failure to assume Role

  • Issue: Prisma Cloud DSPM uses a set of roles and permissions to perform data discovery and classification. An error occurred while using those roles and permissions.

  • Symptom: Error message is generated when failing to assume a role.

  • Solution: Validate the following:

    • The role presented in the issue details exists in the account.

    • The trust relationship between the above role and the user role is configured correctly.

    • The above role has all the permissions listed as the required permissions for Prisma Cloud DSPM.
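The three checks above can be run against the role's trust policy and identity policies as documents. The Python below is an added example, not Prisma Cloud's code and not part of the article: it verifies that the assuming principal is allowed to call `sts:AssumeRole` by the trust policy (second check) and lists required actions that no attached policy grants (third check). The ARNs, the trust and identity policies and the required-action list are all constructed placeholders; the real required list is the documented Prisma Cloud DSPM permission set. The permission check is simplified (Resource, Condition and Deny statements are not evaluated), so it only reports actions that are missing outright.

```python
import fnmatch

# Constructed ARN of the principal that assumes the DSPM role in the customer account.
ASSUMING_PRINCIPAL = "arn:aws:iam::999999999999:role/dspm-service-role"

# Constructed trust policy that still names a previous principal, so AssumeRole fails.
TRUST_POLICY_STALE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::999999999999:role/retired-service-role"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Corrected trust policy: the current principal is allowed to assume the role.
TRUST_POLICY_FIXED = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": ASSUMING_PRINCIPAL},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Constructed subset of required actions and a constructed identity policy attached to the role.
REQUIRED_ACTIONS = ["s3:ListAllMyBuckets", "s3:GetObject", "kms:Decrypt", "redshift:DescribeClusters"]
ATTACHED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "kms:Decrypt"], "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_root(arn):
    return "arn:aws:iam::%s:root" % arn.split(":")[4]


def trust_allows(trust_policy, principal_arn):
    """True if an Allow statement in the trust policy lets `principal_arn`
    call sts:AssumeRole, either by naming the ARN or the account root
    (which delegates the decision to that account's IAM policies)."""
    for st in trust_policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase("sts:AssumeRole", a) for a in _as_list(st.get("Action", []))):
            continue
        principal = st.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal_arn in principals or _account_root(principal_arn) in principals:
            return True
    return False


def missing_permissions(policies, required):
    """Required actions that no Allow statement in the role's identity policies
    grants. Simplified: Resource and Condition are ignored and explicit Deny
    statements are not evaluated, so this only flags actions that are absent."""
    def granted(action):
        return any(
            st.get("Effect") == "Allow"
            and any(fnmatch.fnmatchcase(action, p) for p in _as_list(st.get("Action", [])))
            for policy in policies
            for st in policy["Statement"]
        )
    return [a for a in required if not granted(a)]


if __name__ == "__main__":
    print("stale trust lets principal assume role:", trust_allows(TRUST_POLICY_STALE, ASSUMING_PRINCIPAL))
    print("fixed trust lets principal assume role:", trust_allows(TRUST_POLICY_FIXED, ASSUMING_PRINCIPAL))
    print("missing required actions:", missing_permissions([ATTACHED_POLICY], REQUIRED_ACTIONS))
```

A trust policy that names the assuming account's root rather than a specific role is accepted by `trust_allows`, because AWS then defers to that account's own IAM policies; naming the exact role ARN is the tighter configuration and is what the example's corrected trust policy does.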

DDR Permissions Out of Date

  • Issue: Prisma Cloud DSPM uses a set of permissions to access EventBridge to operate the DDR capability as needed. The permissions currently provided appear to be out of date, which prevents Prisma Cloud DSPM from fully operating its Data Detection and Response capability.

  • Symptom: An error message is generated when access to EventBridge fails.

  • Solution: To resolve the issue by updating the permissions, follow these steps:

    • In Prisma Cloud DSPM, click Preferences. The Integrations tab opens by default.

    • In the Cloud Platforms section, go to the AWS thumbnail, and click Configure. The AWS Connected Accounts window opens.

    • To update the permissions for a specific account, click Update Required to run the update.

Missing permissions on the KMS

  • Issue: Prisma Cloud DSPM uses AWS KMS to access encrypted information. An error occurred while using a KMS key for a Redshift instance.

  • Symptom: An error message is generated when use of the KMS key fails.

  • Solution: Follow these steps:

    1. Add an alias to the KMS key

      1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.

      2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

      3. In the navigation pane, choose Customer managed keys.

      4. In the table, choose the key ID that matches the KMS key ARN shown on the error page. Then, on the KMS key detail page, choose the Aliases tab.

        If a KMS key has multiple aliases, the Aliases column in the table displays one alias and an alias summary, such as (+n more). Choosing the alias summary takes you directly to the Aliases tab on the KMS key detail page.

      5. On the Aliases tab, choose Create alias. Enter “dig-security-redshift” as the alias name and choose Create alias.

    2. Add a tag to the KMS key

      1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.

      2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

      3. In the navigation pane, choose Customer managed keys.

      4. In the table, choose the key ID that matches the KMS key ARN shown on the error page.

      5. Select the check box next to the alias of the KMS key.

      6. Choose Key actions, Add or edit tags.

      7. On the details page for KMS key, choose the Tags tab.

        1. To create your first tag, choose Create tag, type the tag key “dig-security” and the tag value “true”, and then choose Save.

        2. To add a tag, choose Edit, choose Add tag, type a tag key “dig-security” and the tag value “true”, and then choose Save.

        3. To save your changes, choose Save changes.

    3. Update the KMS key policy

      1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.

      2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

      3. In the navigation pane, choose Customer managed keys.

      4. In the table, choose the key ID that matches the KMS key ARN shown on the error page.

      5. Choose the Key policy tab.

      6. Choose Edit.

      7. Add the policy statement that appeared on the error page.

      8. To save your changes, choose Save changes.
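The three KMS steps above (alias, tag, key policy statement) are each a check against the key's current state followed by an additive change. The Python below is an added example, not Prisma Cloud's code and not part of the article: it reports which of the three steps a key still needs and applies them to a snapshot without disturbing what is already there. The alias name `dig-security-redshift` and the tag `dig-security` = `true` are the values the article gives (the KMS API reports alias names with the `alias/` prefix); the policy statement stands in for the one shown on the error page and its Sid and role ARN are constructed, as are the key ID and the key snapshot.

```python
import copy
import json

# Values the article specifies (the API reports alias names with the "alias/" prefix).
REQUIRED_ALIAS = "alias/dig-security-redshift"
REQUIRED_TAG_KEY, REQUIRED_TAG_VALUE = "dig-security", "true"

# Placeholder for the policy statement shown on the error page; the real statement
# comes from there. The Sid and the role ARN are constructed.
REQUIRED_STATEMENT = {
    "Sid": "AllowDspmRedshiftDecrypt",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/dspm-scanner-role"},
    "Action": ["kms:Decrypt", "kms:DescribeKey"],
    "Resource": "*",
}

# Constructed snapshot of the Redshift key's aliases, tags and key policy before the fix.
KEY_BEFORE = {
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "Aliases": ["alias/redshift-prod"],
    "Tags": {"env": "prod"},
    "KeyPolicy": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                "Action": "kms:*",
                "Resource": "*",
            }
        ],
    },
}


def _canonical(statement):
    """Canonical form for comparing statements: Sid dropped and lists sorted,
    so a re-run does not append a duplicate just because of ordering."""
    def norm(value):
        if isinstance(value, dict):
            return {k: norm(v) for k, v in value.items()}
        if isinstance(value, list):
            return sorted((norm(v) for v in value), key=lambda v: json.dumps(v, sort_keys=True))
        return value
    body = {k: v for k, v in statement.items() if k != "Sid"}
    return json.dumps(norm(body), sort_keys=True)


def _has_statement(policy, statement):
    target = _canonical(statement)
    return any(_canonical(st) == target for st in policy["Statement"])


def outstanding_steps(key):
    """Which of the article's three remediation steps the key still needs."""
    steps = []
    if REQUIRED_ALIAS not in key["Aliases"]:
        steps.append("add alias")
    if key["Tags"].get(REQUIRED_TAG_KEY) != REQUIRED_TAG_VALUE:
        steps.append("add tag")
    if not _has_statement(key["KeyPolicy"], REQUIRED_STATEMENT):
        steps.append("update key policy")
    return steps


def remediate(key):
    """Return a copy of the key snapshot with all three steps applied. Existing
    aliases, tags and policy statements are kept, so the account root's
    administrative statement that prevents lock-out of the key survives."""
    fixed = copy.deepcopy(key)
    if REQUIRED_ALIAS not in fixed["Aliases"]:
        fixed["Aliases"].append(REQUIRED_ALIAS)
    fixed["Tags"][REQUIRED_TAG_KEY] = REQUIRED_TAG_VALUE
    if not _has_statement(fixed["KeyPolicy"], REQUIRED_STATEMENT):
        fixed["KeyPolicy"]["Statement"].append(copy.deepcopy(REQUIRED_STATEMENT))
    return fixed


if __name__ == "__main__":
    print("outstanding:", outstanding_steps(KEY_BEFORE))
    after = remediate(KEY_BEFORE)
    print("outstanding after fix:", outstanding_steps(after))
    print(json.dumps(after["KeyPolicy"], indent=2))
```

The point of appending the statement rather than replacing the policy (step 3, "Edit" then "Save changes") is that a key policy with no statement granting the account root access can leave the key unmanageable; `remediate` keeps the existing statements and only adds the one from the error page.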
