Onboarding AWS
  • 28 Feb 2024
  • 3 Minutes to read
  • PDF

Overview

Prisma Cloud DSPM Orchestrator is used to securely detect and classify sensitive information in your environment, while keeping your data in the organization. You can integrate all of your AWS accounts with Prisma Cloud DSPM and monitor them using Orchestrator. You can either use a single Orchestrator to monitor all accounts, or use multiple Orchestrators in case separation between environments is required.

Note:
Prisma Cloud DSPM automatically attempts to apply environment labels to projects that are not yet labeled.

Onboard Prisma Cloud DSPM Orchestrator to Your AWS Environment

When integrating an AWS account with Prisma Cloud DSPM for the first time, you need to approve the installation of Orchestrator in your account to enable Prisma Cloud DSPM to monitor your environment.

  1. Sign in to your Prisma Cloud DSPM account.
  2. From the left menu, select Settings.
  3. Under Integrations, from the AWS option, click Configure.
  4. Select Add New and then Add single account.
  5. There are two options for connecting a new AWS account: CloudFormation or Terraform.
    Follow the section below that matches your chosen option:

Add a new account using CloudFormation

  1. After you have chosen to connect a new single account, sign in to the AWS account you want to onboard.
    Notes
    • Ensure your account has the permissions to create an IAM role and run a CloudFormation script.
    • Ensure your account has administrator privileges and a configured multi-region CloudTrail.
  2. Choose the location of the orchestrator for the account. Either use an existing Orchestrator (select the required Orchestrator from the dropdown menu) or deploy a new Orchestrator in this account.
  3. In the Generate Template drop-down, select CloudFormation.
  4. The Add AWS Account pop-up window opens. Click Open to be redirected to your AWS account or copy the template link to the address bar.
  5. Click Done to close the pop-up, or leave it open. A stack is automatically created and starts to run. This process usually takes less than five minutes.

    Once the stack finishes running, the new account is listed under Connected Accounts in your AWS configuration page.
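As an added example (not part of this article or of the Prisma Cloud DSPM product), the following preflight script checks the two prerequisites noted above, a multi-region CloudTrail that is actually logging and permission to create an IAM role and run a CloudFormation stack, from the JSON the AWS CLI returns; the list of required actions is an assumption and the sample data is constructed.

```python
"""Preflight check for onboarding prerequisites, driven by the parsed output of
`aws cloudtrail describe-trails`, `aws cloudtrail get-trail-status --name <trail>`
and `aws iam simulate-principal-policy`. All sample data below is constructed."""
import json

# Minimal set of actions the onboarding template needs; an assumption for this
# example, not the vendor's documented permission set.
REQUIRED_ACTIONS = ("iam:CreateRole", "iam:AttachRolePolicy",
                    "cloudformation:CreateStack")


def multi_region_trails(describe_trails, trail_status):
    """Return names of trails that are multi-region AND currently logging.
    describe_trails: parsed `describe-trails` output.
    trail_status: dict mapping trail name -> parsed `get-trail-status` output."""
    ok = []
    for trail in describe_trails.get("trailList", []):
        name = trail.get("Name")
        status = trail_status.get(name, {})
        if trail.get("IsMultiRegionTrail") and status.get("IsLogging"):
            ok.append(name)
    return ok


def denied_actions(simulation):
    """Return required actions the principal is NOT allowed to perform, from parsed
    `simulate-principal-policy` output. Actions absent from the results count as
    denied, so the check fails closed."""
    decisions = {r["EvalActionName"]: r["EvalDecision"]
                 for r in simulation.get("EvaluationResults", [])}
    return [a for a in REQUIRED_ACTIONS if decisions.get(a) != "allowed"]


def preflight(describe_trails, trail_status, simulation):
    """Aggregate both checks into one findings dict; empty lists mean a gap."""
    return {"logging_multi_region_trails": multi_region_trails(describe_trails, trail_status),
            "missing_permissions": denied_actions(simulation)}


# Constructed sample data shaped like the CLI output.
SAMPLE_TRAILS = json.loads('''{"trailList": [
  {"Name": "org-trail", "IsMultiRegionTrail": true, "HomeRegion": "us-east-1"},
  {"Name": "legacy-trail", "IsMultiRegionTrail": false, "HomeRegion": "eu-west-1"}]}''')
SAMPLE_STATUS = {"org-trail": {"IsLogging": True}, "legacy-trail": {"IsLogging": True}}
SAMPLE_SIM = {"EvaluationResults": [
    {"EvalActionName": "iam:CreateRole", "EvalDecision": "allowed"},
    {"EvalActionName": "iam:AttachRolePolicy", "EvalDecision": "implicitDeny"},
    {"EvalActionName": "cloudformation:CreateStack", "EvalDecision": "allowed"}]}

if __name__ == "__main__":
    print(json.dumps(preflight(SAMPLE_TRAILS, SAMPLE_STATUS, SAMPLE_SIM), indent=2))
```

Run against real output by piping the three CLI results into the functions in place of the sample dicts; an empty trail list or a non-empty missing-permissions list means the stack will fail before it starts.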

Add a new account using Terraform

When you first integrate a Terraform-managed AWS account with Prisma Cloud DSPM, you must approve the installation of Orchestrator in your account so that Prisma Cloud DSPM can scan your data.

  1. After you have chosen to add a new single account, choose the location of the orchestrator for the account. Either use an existing Orchestrator (select the required Orchestrator from the dropdown menu) or deploy a new Orchestrator in this account.
  2. In the Generate Template drop-down, select Terraform to generate a Terraform module.

  3. Click Copy to copy the Terraform module, and click Done.
    Important: Do not modify the Terraform module. If the module is modified, Prisma Cloud DSPM cannot provide seamless updates and manage permissions.
  4. Insert the Terraform module into your Terraform pipeline.
  5. Run the Terraform module. After the module has successfully run, your Terraform-managed AWS account is automatically onboarded into Prisma Cloud DSPM, and listed under Connected Accounts in your AWS configuration page.

Connect additional AWS accounts

After adding a first AWS account and installing Orchestrator in it, you can add more AWS accounts for Prisma Cloud DSPM to monitor. You can either use an existing Orchestrator to monitor all accounts, or install a new Orchestrator for each account.

  1. Add a new account as described above.
  2. Select whether you want to use an existing Orchestrator (in which case, you can select the required Orchestrator from the dropdown menu) or deploy a new Orchestrator in this account.
  3. Click Generate Template, and add an account by using CloudFormation or Terraform. When added, the new account is listed under Connected Accounts in your AWS configuration page.

If you encounter any scanning issues, refer to the Troubleshooting page.
