Skip to main content

Automate AWS Cloud Organization Onboarding

To successfully onboard an AWS Organization in Prisma Cloud, create IAM Roles in your AWS Organization account and member accounts that has a trusted relationship with Prisma Cloud AWS Account. Prisma Cloud uses IAM Role ARN to AssumeRole in to your AWS Organization and member accounts and ingest various configurations and logs.

Recommended: Use Terraform to onboard AWS cloud accounts. Refer to AWS organization onboarding guide.

To Onboard using other automation tools(such as python, etc), follow the steps listed below:

A complete code example for AWS Cloud Organization Onboarding
import sys, time, requests, json, boto3, urllib.parse


# Function to wait till CloudFormation Stack is created
def wait_till_stack_created(cloud_formation_client, stack_name, state):
is_stack_created = False
retry_count = 0
max_retry_count = 6 # Increase If stack Creation is taking more time
status = None
while not is_stack_created or retry_count == max_retry_count:
if retry_count > max_retry_count:
break
retry_count = retry_count + 1
stack_summary = cloud_formation_client.describe_stacks(StackName=stack_name)
status = stack_summary['Stacks'][0]['StackStatus']
if status is not None:
if state != status:
print("Waiting for 30 sec while stack {} is {}".format(stack_name, state))
time.sleep(30)
continue
else:
is_stack_created = True
print(f"stack status is {status}")
return status

print(f"final stack status is {status}")
return status


base_url = "https://api.prismacloud.io"
customerName = None # optional. customerName which is tenant Name
username = "<username>"
password = "<password>"

# Prerequisite: Obtain an authorization token by Logging In.
login_url = f"{base_url}/login"

if customerName is not None:
login_payload = json.dumps({
"customerName": customerName,
"username": username,
"password": password
})
else:
login_payload = json.dumps({
"username": username,
"password": password
})

login_headers = {
'Content-Type': 'application/json'
}

response = requests.request("POST", login_url, headers=login_headers, data=login_payload, verify=False)

YOUR_TOKEN = response.json()['token']

# 1. Fetch Supported Features for cloud type and account type
supported_features_url = f"{base_url}/cas/v1/features/cloud/aws"
supported_features_payload = json.dumps({
"accountType": "organization"
})
supported_features_headers = {
'accept': 'application/json',
'content-type': 'application/json',
'x-redlock-auth': YOUR_TOKEN
}

response = requests.request("POST", supported_features_url, headers=supported_features_headers,
data=supported_features_payload, verify=False)

features = response.json()['supportedFeatures']
features.remove('Cloud Visibility Compliance and Governance') # Remove the default feature

# 2. Generate AWS CFT and create IAM Role
cft_template_gen_url = f"{base_url}/cas/v1/aws_template/presigned_url"

cft_template_gen_payload = json.dumps({
"accountId": "<accountId>",
"accountType": "organization",
"features": features
})
cft_template_gen_headers = {
'accept': 'application/json',
'content-type': 'application/json',
'x-redlock-auth': YOUR_TOKEN
}

response = requests.request("POST", cft_template_gen_url, headers=cft_template_gen_headers
, data=cft_template_gen_payload, verify=False)
response = response.json()
createStackLinkWithS3PresignedUrl = response['createStackLinkWithS3PresignedUrl']
# Extract urldecoded s3 cft link
s3_presigned_cft_link = urllib.parse.unquote(createStackLinkWithS3PresignedUrl.split("templateURL=")[-1])


# Intialize boto3 client, Provide aws access key and secret access key for the Organization to be onboarded
cloud_formation_client = boto3.client('cloudformation', aws_access_key_id="<aws_access_key_id>",
aws_secret_access_key="<aws_secret_access_key>")


# Provide the organizational root OU ID (prefix r-) to create IAM role for all the member accounts under the
# Organization,else provide a comma-separated list of OU IDs (prefix ou-)
OrganizationalUnitIds = "<OrganizationalUnitIds>"
stack_name = 'PrismaCloudOrganizationRole' # Change if needed
parameters = [
{
'ParameterKey': "PrismaCloudRoleName",
'ParameterValue': stack_name,
'UsePreviousValue': False,
},
{
'ParameterKey': "OrganizationalUnitIds",
'ParameterValue': OrganizationalUnitIds,
'UsePreviousValue': False,
}
]
capabilities = ['CAPABILITY_NAMED_IAM']

create_stack_resp = cloud_formation_client.create_stack(StackName=stack_name, TemplateURL=s3_presigned_cft_link,
Parameters=parameters, Capabilities=capabilities)

# Wait till stack is created.
sleep_time = 60*4 # Default wait time 4min
time.sleep(sleep_time)
stack_state = wait_till_stack_created(cloud_formation_client, stack_name, "CREATE_COMPLETE")

# Get IAM role If stack creation is complete
if stack_state == "CREATE_COMPLETE":
print(f"CREATED stack with name {stack_name}")
describe_stack_resp = cloud_formation_client.describe_stacks(StackName=stack_name)
stack_outputs = describe_stack_resp['Stacks'][0]['Outputs']
outputs = dict()
for output in stack_outputs:
key = output.get('OutputKey')
value = output.get('OutputValue')
outputs[key] = value

iam_role_arn = outputs.get('PrismaCloudRoleARN')
if iam_role_arn is None:
sys.exit(f"PrismaCloudRoleARN is not present in outputs for the stack: {stack_name}")

# Login again, In case if the token is expired
response = requests.request("POST", login_url, headers=login_headers, data=login_payload, verify=False)
YOUR_TOKEN = response.json()['token']

# 3. Onboard your AWS Organization to Prisma Cloud
save_account_url = f"{base_url}/cas/v1/aws_account"

save_account_payload = json.dumps({
"accountId": "<accountId>",
"accountType": "organization",
"enabled": True,
"groupIds": [
"<groupIds>"
],
"defaultAccountGroupId": "<defaultAccountGroupId>",
"name": "<Organization name to be added in prisma>",
"roleArn": iam_role_arn,
"features": [
{
"name": "Agentless Scanning",
"state": "enabled"
},
{
"name": "Auto Protect",
"state": "disabled"
},
{
"name": "Remediation",
"state": "disabled"
},
{
"name": "Serverless Function Scanning",
"state": "enabled"
},
],
"hierarchySelection": [
{
"displayName": "Root",
"nodeType": "ORG",
"resourceId": "root",
"selectionType": "ALL"
}
]
})
save_account_headers = {
'Content-Type': 'application/json',
'Accept': 'application/json',
'x-redlock-auth': YOUR_TOKEN
}

response = requests.request("POST", save_account_url, headers=save_account_headers, data=save_account_payload,
verify=False)

if response.status_code == 200:
print("Successfully onboarded organization")
else:
print(f"failed to Onboard organization. status_code: {response.status_code}")
print(f"failed to Onboard organization. response: {response.text}")
print(f"failed to Onboard organization. status: {response.headers.get('x-redlock-status')}")

Prerequisite: Obtain an authorization token by Logging In alt text

info
  • The token is only valid for 10 minutes, so refresh it alt text as needed if you believe your workflow might take longer than that.

  • The base url in this guide is a generic api.prismacloud.io. Replace it with yours accordingly.

There are three main steps to Onboard an AWS Organization

1. Fetch Supported Features for cloud type and account type

To get the list of supported features, call Fetch Supported Features alt text and refer to the supportedFeatures field in the response body.

NOTE: The supportedFeatures contain "Cloud Visibility Compliance and Governance" which is enabled by default. Hence, do not include this string as a feature in the request body param in any cloud account API(Like in Add AWS Cloud Account, Update AWS Cloud Account,Generate and Download the AWS CFT Template, etc).

Sample Request to get features for accountType: organization:

curl --request POST 'https://api.prismacloud.io/cas/v1/features/cloud/aws' \
--header 'accept: application/json' \
--header 'content-type: application/json' \
--header 'x-redlock-auth: <YOUR_TOKEN>' \
--data-raw '{
"accountType": "organization"
}'

Sample Response

{
"cloudType": "aws",
"deploymentType": "global",
"accountType": "organization",
"licenseType": "ENTERPRISE",
"supportedFeatures": [
"Agentless Scanning",
"Auto Protect",
"Cloud Visibility Compliance and Governance",
"Remediation",
"Serverless Function Scanning"
]
}

2. Generate AWS CFT and create IAM Role

There are two options here.

First option: via generating CFT s3 URL

Call the Generate the AWS CFT Template Link alt text to generate CFT on s3 storage. The CFT will include Prisma Cloud generated externalId and the permissions based on selected features.

Use the value of createStackLinkWithS3PresignedUrl property in the response to create IAM role via AWS CloudFormation stack.

For example, to get CFT Quick create Stack link for "accountType": "organization", and required features selected from the supported features API:

Sample Request

curl --request POST 'https://api.prismacloud.io/cas/v1/aws_template/presigned_url' \
--header 'accept: application/json' \
--header 'content-type: application/json' \
--header 'x-redlock-auth: <YOUR_TOKEN>' \
--data-raw '{
"accountId": "<accountId>",
"accountType": "organization",
"features": [
"Agentless Scanning",
"Auto Protect",
"Remediation",
"Serverless Function Scanning"
]
}'

Sample Response

{
"createStackLinkWithS3PresignedUrl":
"https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/create/review?stackName=PrismaCloudApp&templateURL=https%3A%2F%2Fonboarding-templates-app-s3.s3.amazonaws.com%2F806775452214917120%2F375187248419%2Fprisma-cloud-aws-iam-role-1268a9df-5f25-4585-be8c-3ebcc03b1d1d.template%3FX-Amz-Security-Token%3DIQoJb3JpZ2luX2VjEOj%252F%252F%252F%252F%252F%252F%252F%252F%252F%252FwEaCXVzLWVhc3QtMiJHMEUCIQC94GEu53jRfuZbrpIaWHTCofG27p2CGIE1ob0I0Us36AIgR0HNScAWkWTEQcChWWwEOO7%252BHLNaBC04UuD%252BFoaADqcqmgIIkv%252F%252F%252F%252F%252F%252F%252F%252F%252F%252FARAFGgwxODg2MTk5NDI3OTIiDG%252FM2%252FpFS97HXwnx0yruAR1VhsSiWGMF8AhNHRUHjcVfpdwa%252B4bJnpD4kgyK2anzh9TRaJILcTF384mg%252FkO71PYQYrOHzw3%252FyqRUGLmJ715%252FU9Lz%252BPynFx%252B6lx23M1CIvroaIBDqr9BFlcefepluy6xiso7oDMI46n8LCUBXUq5NGAcY4heDAVYXvwD5KSMiBytK%252Bct8r4G7R2bxrBm30GAkMhvPjEyhstrSFxheQqe3ZS429LYqpWgOoHiOFonn28R4NkJLEg027gPxpTKsqqiGysTymaDs4hHe7tRAG55L2YPsShoMe2SaWfTehivX%252BWbHO1%252FfIazMS7NPtqAwr%252Fv9nwY6nQEWKSoO7JUCkXAKDTIYrKV%252Bl5WG9YP2HLaL62OvMhicZE5lWLDeYL4%252Bo6qgCoH%252FxrbHAsY4LEmFNgxm2I%252FlK7KF6ugEsPHf33XnYgcN0a4VG7POoPyfk0RbNy6j002Guikcg3wieuROfF4NpnwrjvYfhbB2VM95Vpd1lhPRiqIxMJXIPNHwMQUu9t4ro6W0cRQUQVf5xpUBV1JC8%252BV1%26X-Amz-Algorithm%3DAWS4-HMAC-SHA256%26X-Amz-Date%3D20230301T163039Z%26X-Amz-SignedHeaders%3Dhost%26X-Amz-Expires%3D3597%26X-Amz-Credential%3DASIASX2U75OEE4QNMK7F%252F20230301%252Fus-east-2%252Fs3%252Faws4_request%26X-Amz-Signature%3D75b43898503df3d757e8512d90a58c6f1c6de00b209403aa21cd28704fed7dfe",
"externalId": "302bf9ab-b110-4588-8c8f-3bea9051a4d3"
}

Extract the S3 Presigned CFT URL

Extract the value of templateURL query string parameter from the createStackLinkWithS3PresignedUrl field of the response body.

In our case the encoded S3 CFT URL looks like this:

https%3A%2F%2Fonboarding-templates-app-s3.s3.amazonaws.com%2F806775452214917120%2F375187248419%2Fprisma-cloud-aws-iam-role-1268a9df-5f25-4585-be8c-3ebcc03b1d1d.template%3FX-Amz-Security-Token%3DIQoJb3JpZ2luX2VjEOj%252F%252F%252F%252F%252F%252F%252F%252F%252F%252FwEaCXVzLWVhc3QtMiJHMEUCIQC94GEu53jRfuZbrpIaWHTCofG27p2CGIE1ob0I0Us36AIgR0HNScAWkWTEQcChWWwEOO7%252BHLNaBC04UuD%252BFoaADqcqmgIIkv%252F%252F%252F%252F%252F%252F%252F%252F%252F%252FARAFGgwxODg2MTk5NDI3OTIiDG%252FM2%252FpFS97HXwnx0yruAR1VhsSiWGMF8AhNHRUHjcVfpdwa%252B4bJnpD4kgyK2anzh9TRaJILcTF384mg%252FkO71PYQYrOHzw3%252FyqRUGLmJ715%252FU9Lz%252BPynFx%252B6lx23M1CIvroaIBDqr9BFlcefepluy6xiso7oDMI46n8LCUBXUq5NGAcY4heDAVYXvwD5KSMiBytK%252Bct8r4G7R2bxrBm30GAkMhvPjEyhstrSFxheQqe3ZS429LYqpWgOoHiOFonn28R4NkJLEg027gPxpTKsqqiGysTymaDs4hHe7tRAG55L2YPsShoMe2SaWfTehivX%252BWbHO1%252FfIazMS7NPtqAwr%252Fv9nwY6nQEWKSoO7JUCkXAKDTIYrKV%252Bl5WG9YP2HLaL62OvMhicZE5lWLDeYL4%252Bo6qgCoH%252FxrbHAsY4LEmFNgxm2I%252FlK7KF6ugEsPHf33XnYgcN0a4VG7POoPyfk0RbNy6j002Guikcg3wieuROfF4NpnwrjvYfhbB2VM95Vpd1lhPRiqIxMJXIPNHwMQUu9t4ro6W0cRQUQVf5xpUBV1JC8%252BV1%26X-Amz-Algorithm%3DAWS4-HMAC-SHA256%26X-Amz-Date%3D20230301T163039Z%26X-Amz-SignedHeaders%3Dhost%26X-Amz-Expires%3D3597%26X-Amz-Credential%3DASIASX2U75OEE4QNMK7F%252F20230301%252Fus-east-2%252Fs3%252Faws4_request%26X-Amz-Signature%3D75b43898503df3d757e8512d90a58c6f1c6de00b209403aa21cd28704fed7dfe

After url decoding it, we get:

https://onboarding-templates-app-s3.s3.amazonaws.com/123456789012345678/123456789012/prisma-cloud-aws-iam-role-1268a9df-5f25-4585-be8c-3ebcc03b1d1d.template?X-Amz-Security-Token=IQoJb3JpZ2luX2VjEOj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMiJHMEUCIQC94GEu53jRfuZbrpIaWHTCofG27p2CGIE1ob0I0Us36AIgR0HNScAWkWTEQcChWWwEOO7%2BHLNaBC04UuD%2BFoaADqcqmgIIkv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAFGgwxODg2MTk5NDI3OTIiDG%2FM2%2FpFS97HXwnx0yruAR1VhsSiWGMF8AhNHRUHjcVfpdwa%2B4bJnpD4kgyK2anzh9TRaJILcTF384mg%2FkO71PYQYrOHzw3%2FyqRUGLmJ715%2FU9Lz%2BPynFx%2B6lx23M1CIvroaIBDqr9BFlcefepluy6xiso7oDMI46n8LCUBXUq5NGAcY4heDAVYXvwD5KSMiBytK%2Bct8r4G7R2bxrBm30GAkMhvPjEyhstrSFxheQqe3ZS429LYqpWgOoHiOFonn28R4NkJLEg027gPxpTKsqqiGysTymaDs4hHe7tRAG55L2YPsShoMe2SaWfTehivX%2BWbHO1%2FfIazMS7NPtqAwr%2Fv9nwY6nQEWKSoO7JUCkXAKDTIYrKV%2Bl5WG9YP2HLaL62OvMhicZE5lWLDeYL4%2Bo6qgCoH%2FxrbHAsY4LEmFNgxm2I%2FlK7KF6ugEsPHf33XnYgcN0a4VG7POoPyfk0RbNy6j002Guikcg3wieuROfF4NpnwrjvYfhbB2VM95Vpd1lhPRiqIxMJXIPNHwMQUu9t4ro6W0cRQUQVf5xpUBV1JC8%2BV1&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20230301T163039Z&X-Amz-SignedHeaders=host&X-Amz-Expires=3597&X-Amz-Credential=ASIASX2U75OEE4QNMK7F%2F20230301%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Signature=75b43898503df3d757e8512d90a58c6f1c6de00b209403aa21cd28704fed7dfe
Sample Python code snippet to extract the S3 Presigned CFT URL
import urllib.parse

# createStackLinkWithS3PresignedUrl from the API response.
createStackLinkWithS3PresignedUrl = "https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/create/review?stackName=PrismaCloudApp&templateURL=https%3A%2F%2Fonboarding-templates-app-s3.s3.amazonaws.com%2F806775452214917120%2F375187248419%2Fprisma-cloud-aws-iam-role-1268a9df-5f25-4585-be8c-3ebcc03b1d1d.template%3FX-Amz-Security-Token%3DIQoJb3JpZ2luX2VjEOj%252F%252F%252F%252F%252F%252F%252F%252F%252F%252FwEaCXVzLWVhc3QtMiJHMEUCIQC94GEu53jRfuZbrpIaWHTCofG27p2CGIE1ob0I0Us36AIgR0HNScAWkWTEQcChWWwEOO7%252BHLNaBC04UuD%252BFoaADqcqmgIIkv%252F%252F%252F%252F%252F%252F%252F%252F%252F%252FARAFGgwxODg2MTk5NDI3OTIiDG%252FM2%252FpFS97HXwnx0yruAR1VhsSiWGMF8AhNHRUHjcVfpdwa%252B4bJnpD4kgyK2anzh9TRaJILcTF384mg%252FkO71PYQYrOHzw3%252FyqRUGLmJ715%252FU9Lz%252BPynFx%252B6lx23M1CIvroaIBDqr9BFlcefepluy6xiso7oDMI46n8LCUBXUq5NGAcY4heDAVYXvwD5KSMiBytK%252Bct8r4G7R2bxrBm30GAkMhvPjEyhstrSFxheQqe3ZS429LYqpWgOoHiOFonn28R4NkJLEg027gPxpTKsqqiGysTymaDs4hHe7tRAG55L2YPsShoMe2SaWfTehivX%252BWbHO1%252FfIazMS7NPtqAwr%252Fv9nwY6nQEWKSoO7JUCkXAKDTIYrKV%252Bl5WG9YP2HLaL62OvMhicZE5lWLDeYL4%252Bo6qgCoH%252FxrbHAsY4LEmFNgxm2I%252FlK7KF6ugEsPHf33XnYgcN0a4VG7POoPyfk0RbNy6j002Guikcg3wieuROfF4NpnwrjvYfhbB2VM95Vpd1lhPRiqIxMJXIPNHwMQUu9t4ro6W0cRQUQVf5xpUBV1JC8%252BV1%26X-Amz-Algorithm%3DAWS4-HMAC-SHA256%26X-Amz-Date%3D20230301T163039Z%26X-Amz-SignedHeaders%3Dhost%26X-Amz-Expires%3D3597%26X-Amz-Credential%3DASIASX2U75OEE4QNMK7F%252F20230301%252Fus-east-2%252Fs3%252Faws4_request%26X-Amz-Signature%3D75b43898503df3d757e8512d90a58c6f1c6de00b209403aa21cd28704fed7dfe"

s3_presigned_cft_link = urllib.parse.unquote(createStackLinkWithS3PresignedUrl.split("templateURL=")[-1])

Use the extracted s3 link to create or update the IAM role using AWS CloudFormation Stack.

Provide a required OrganizationalUnitIds parameter in the CFT to create Organization stack. This will create member roles for the specified OrganizationalUnitIds. Specify the organizational root OU ID (prefix r-) to run it for all the accounts under the Organization, else provide a comma-separated list of OU IDs (prefix ou-). Refer to AWS Organization details Guide for more info.

Example: OrganizationalUnitIds = "r-abcd". "r-abcd" is the AWS organizational root OU ID for the ORG account which indicates that member roles should get created on all the accounts that the organization has access to.

info
  • The IAM roles created in member accounts will be of the format: <organization-iam-role-name>-member
Sample code snippet to create Cloudformation Stack using boto3
import boto3

# Extracted urldecoded s3 cft link from previous 2.1.b step
s3_urldecoded_cft_template_path = "https://onboarding-templates-app-s3.s3.amazonaws.com/123456789012345678/123456789012/prisma-cloud-aws-iam-role-1268a9df-5f25-4585-be8c-3ebcc03b1d1d.template?X-Amz-Security-Token=IQoJb3JpZ2luX2VjEOj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMiJHMEUCIQC94GEu53jRfuZbrpIaWHTCofG27p2CGIE1ob0I0Us36AIgR0HNScAWkWTEQcChWWwEOO7%2BHLNaBC04UuD%2BFoaADqcqmgIIkv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAFGgwxODg2MTk5NDI3OTIiDG%2FM2%2FpFS97HXwnx0yruAR1VhsSiWGMF8AhNHRUHjcVfpdwa%2B4bJnpD4kgyK2anzh9TRaJILcTF384mg%2FkO71PYQYrOHzw3%2FyqRUGLmJ715%2FU9Lz%2BPynFx%2B6lx23M1CIvroaIBDqr9BFlcefepluy6xiso7oDMI46n8LCUBXUq5NGAcY4heDAVYXvwD5KSMiBytK%2Bct8r4G7R2bxrBm30GAkMhvPjEyhstrSFxheQqe3ZS429LYqpWgOoHiOFonn28R4NkJLEg027gPxpTKsqqiGysTymaDs4hHe7tRAG55L2YPsShoMe2SaWfTehivX%2BWbHO1%2FfIazMS7NPtqAwr%2Fv9nwY6nQEWKSoO7JUCkXAKDTIYrKV%2Bl5WG9YP2HLaL62OvMhicZE5lWLDeYL4%2Bo6qgCoH%2FxrbHAsY4LEmFNgxm2I%2FlK7KF6ugEsPHf33XnYgcN0a4VG7POoPyfk0RbNy6j002Guikcg3wieuROfF4NpnwrjvYfhbB2VM95Vpd1lhPRiqIxMJXIPNHwMQUu9t4ro6W0cRQUQVf5xpUBV1JC8%2BV1&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20230301T163039Z&X-Amz-SignedHeaders=host&X-Amz-Expires=3597&X-Amz-Credential=ASIASX2U75OEE4QNMK7F%2F20230301%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Signature=75b43898503df3d757e8512d90a58c6f1c6de00b209403aa21cd28704fed7dfe"

stack_name = 'PrismaCloudOrganizationRole' # Change if needed

cloud_formation_client = boto3.client('cloudformation')
# Provide the organizational root OU ID (prefix r-) to create IAM role for all the member accounts under the Organization,
# else provide a comma-separated list of OU IDs (prefix ou-)
OrganizationalUnitIds = "<OrganizationalUnitIds>"
cloud_formation_client = boto3.client('cloudformation')
parameters = [
{
'ParameterKey': "PrismaCloudRoleName",
'ParameterValue': stack_name,
'UsePreviousValue': False,
},
{
'ParameterKey': "OrganizationalUnitIds",
'ParameterValue': OrganizationalUnitIds,
'UsePreviousValue': False,
}
]
capabilities = ['CAPABILITY_NAMED_IAM']

cloud_formation_client.create_stack(StackName=stack_name, TemplateURL=s3_urldecoded_cft_template_path,
Parameters=parameters, Capabilities=capabilities)

NOTE: The link is valid for one hour. Regenerate the link if it expires.

Second option: via obtaining CFT in the response

Use Generate and Download the AWS CFT Template alt text to get the CFT template in the response instead of an s3 link.

For example, To get CFT for the required features selected from the previous supported features API and for accountType: "organization"

Sample Request
curl --request POST 'https://api.prismacloud.io/cas/v1/aws_template' \
--header 'accept: */*' \
--header 'content-type: application/json' \
--header 'x-redlock-auth: <YOUR_TOKEN>' \
--data-raw '{
"accountId": "<accountId>",
"accountType": "organization",
"features": [
"Agentless Scanning",
"Auto Protect",
"Remediation",
"Serverless Function Scanning"
]
}'

The response will contain the actual CFT template. Save it with *.template extension and use it to create AWS cloudformation stack programmatically (e.g. using Boto3, Terraform)

Sample Response
{
"AWSTemplateFormatVersion": "2010-09-09",
"Mappings": {
"EventBridgeMap": {
"EventBridgeRuleNamePrefix": {
"Value": "prisma-cloud-eb-o-123456789012345678-*"
}
}
},
"Description": "Prisma Cloud IAM Role to set permissions",
"Metadata": {
"DownloadDate": "2023-03-16 00:41"
},
"Parameters": {
"PrismaCloudRoleName": {
"Type": "String",
"Description": "Provide an role ARN name (Example: PrismaCloudRole). Maximum 57 characters allowed",
"AllowedPattern": "[-_a-zA-Z0-9]+",
"Default": "PrismaCloudRole-123456789012345678",
"MaxLength": 57,
"MinLength": 1
},
"OrganizationalUnitIds": {
"Type": "CommaDelimitedList",
"Description": "Provide the organizational root OU ID (Prefix like: r-) if you want to run it for all the accounts under this Organization. Else provide a comma-separated list of OU ids(Prefix like: ou-).",
"AllowedPattern": "^(ou-|r-)[a-z0-9-]+(?:,( )*(ou-|r-)[a-z0-9-]+)*$"
}
},
"Resources": {
"PrismaCloudRoleStackSetMember": {
"Properties": {
"AutoDeployment": {
"RetainStacksOnAccountRemoval": "False",
"Enabled": "True"
},
"Capabilities": [
"CAPABILITY_NAMED_IAM"
],
"OperationPreferences": {
"FailureTolerancePercentage": 100,
"RegionConcurrencyType": "PARALLEL"
},
"Parameters": [
{
"ParameterKey": "PrismaCloudRoleName",
"ParameterValue": {
"Fn::Join": [
"",
[
{
"Ref": "PrismaCloudRoleName"
},
"-member"
]
]
}
}
],
"PermissionModel": "SERVICE_MANAGED",
"StackInstancesGroup": [
{
"DeploymentTargets": {
"OrganizationalUnitIds": {
"Ref": "OrganizationalUnitIds"
}
},
"Regions": [
{
"Ref": "AWS::Region"
}
]
}
],
"StackSetName": {
"Fn::Join": [
"",
[
"PrismaCloudRolesStackSetMember-",
{
"Ref": "AWS::StackName"
}
]
]
},
"TemplateBody": "{\n \"AWSTemplateFormatVersion\": \"2010-09-09\",\n \"Mappings\": {\n \"EventBridgeMap\": {\n \"EventBridgeRuleNamePrefix\": {\n \"Value\": \"prisma-cloud-eb-o-123456789012345678-*\"\n }\n }\n },\n \"Description\": \"Prisma Cloud IAM Role to set permissions\",\n \"Metadata\": {\n \"DownloadDate\": \"2023-03-16 00:41\"\n },\n \"Parameters\": {\n \"PrismaCloudRoleName\": {\n \"Type\": \"String\",\n \"Description\": \"Provide an role ARN name (Example: PrismaCloudRole). Maximum 64 characters allowed\",\n \"AllowedPattern\": \"[-_a-zA-Z0-9]+\",\n \"Default\": \"PrismaCloudRole-123456789012345678-member\",\n \"MaxLength\": 64,\n \"MinLength\": 1\n }\n },\n \"Resources\": {\n \"PrismaCloudRole\": {\n \"Type\": \"AWS::IAM::Role\",\n \"Properties\": {\n \"ManagedPolicyArns\": [\n {\n \"Fn::Join\": [\n \"\",\n [\n \"arn:aws:iam::aws:policy/SecurityAudit\"\n ]\n ]\n },\n {\n \"Fn::Join\": [\n \"\",\n [\n \"arn:aws:iam::\",\n {\n \"Ref\": \"AWS::AccountId\"\n },\n \":policy/\",\n \"prisma_cloud_1-123456789012345678\",\n \"-\",\n {\n \"Ref\": \"PrismaCloudRoleName\"\n }\n ]\n ]\n },\n {\n \"Fn::Join\": [\n \"\",\n [\n \"arn:aws:iam::\",\n {\n \"Ref\": \"AWS::AccountId\"\n },\n \":policy/\",\n \"prisma_cloud_2-123456789012345678\",\n \"-\",\n {\n \"Ref\": \"PrismaCloudRoleName\"\n }\n ]\n ]\n },\n {\n \"Fn::Join\": [\n \"\",\n [\n \"arn:aws:iam::\",\n {\n \"Ref\": \"AWS::AccountId\"\n },\n \":policy/\",\n \"prisma_cloud_3-123456789012345678\",\n \"-\",\n {\n \"Ref\": \"PrismaCloudRoleName\"\n }\n ]\n ]\n },\n {\n \"Fn::Join\": [\n \"\",\n [\n \"arn:aws:iam::\",\n {\n \"Ref\": \"AWS::AccountId\"\n },\n \":policy/\",\n \"prisma_cloud_4-123456789012345678\",\n \"-\",\n {\n \"Ref\": \"PrismaCloudRoleName\"\n }\n ]\n ]\n },\n {\n \"Fn::Join\": [\n \"\",\n [\n \"arn:aws:iam::\",\n {\n \"Ref\": \"AWS::AccountId\"\n },\n \":policy/\",\n \"prisma_cloud_5-123456789012345678\",\n \"-\",\n {\n \"Ref\": \"PrismaCloudRoleName\"\n }\n ]\n ]\n }\n ],\n \"MaxSessionDuration\": 43200,\n \"AssumeRolePolicyDocument\": {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": [\n \"arn:aws:iam::188619942792:root\"\n ]\n },\n \"Action\": [\n \"sts:AssumeRole\"\n ],\n \"Condition\": {\n \"StringEquals\": {\n \"sts:ExternalId\": \"Bhb\"\n }\n }\n }\n ]\n },\n \"RoleName\": {\n \"Ref\": \"PrismaCloudRoleName\"\n }\n },\n \"DependsOn\": [\n \"prismacloud5\",\n \"prismacloud1\",\n \"prismacloud2\",\n \"prismacloud3\",\n \"prismacloud4\"\n ]\n },\n \"prismacloud1\": {\n \"Type\": \"AWS::IAM::ManagedPolicy\",\n \"Properties\": {\n \"ManagedPolicyName\": {\n \"Fn::Join\": [\n \"\",\n [\n \"prisma_cloud_1-123456789012345678\",\n \"-\",\n {\n \"Ref\": \"PrismaCloudRoleName\"\n }\n ]\n ]\n },\n \"PolicyDocument\": {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"PrismaCloudFlowlogs1\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"logs:GetLogEvents\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"PrismaCloudAuditEventsCloudTrail1\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"cloudtrail:LookupEvents\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"PrismaCloudPCCAgentlessSSM6\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ssm:GetParameter\",\n \"ssm:GetParameters\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"PrismaCloudEBOrganizationManagementPermissions1\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"organizations:ListRoots\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"PrismaCloudPCCAgentlessSTS7\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"sts:DecodeAuthorizationMessage\",\n \"sts:GetCallerIdentity\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"PrismaCloudElasticBeanstalk4\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:GetObject\"\n ],\n \"Resource\": {\n \"Fn::Join\": [\n \"\",\n [\n \"arn:\",\n {\n \"Ref\": \"AWS::Partition\"\n },\n \":s3:::elasticbeanstalk-*/*\"\n ]\n ]\n }\n },\n {\n \"Sid\": \"PrismaCloudGuardduty1\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"guardduty:GetDetector\",\n \"guardduty:GetFindings\",\n \"guardduty:ListDetectors\",\n \"guardduty:ListFindings\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"PrismaCloudPCCAgentlessKMS5\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:CreateGrant\",\n \"kms:Decrypt\",\n \"kms:DescribeKey\",\n \"kms:Encrypt\",\n \"kms:GenerateDataKeyWithoutPlaintext\",\n \"kms:ReEncryptFrom\",\n \"kms:ReEncryptTo\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"PrismaCloudPCCAgentlessNetworkActions9\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:CreateInternetGateway\",\n \"ec2:CreateSubnet\",\n \"ec2:CreateVpc\"\n ],\n \"Condition\": {\n \"StringEquals\": {\n \"aws:RequestTag/created-by\": \"prismacloud-agentless-scan\"\n }\n },\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"PrismaCloudComputeAgentless1\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:CreateRoute\",\n \"ec2:DeleteNetworkInterface\",\n \"ec2:DescribeInternetGateways\",\n \"ec2:DescribeNetworkInterfaces\",\n \"ec2:DescribeRouteTables\",\n \"ec2:DescribeVpcs\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"PrismaCloudPCCAgentlessServiceLinkedRole4\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n ],\n \"Condition\": {\n \"StringLike\": {\n \"iam:AWSServiceName\": \"spot.amazonaws.com\"\n }\n },\n \"Resource\": [\n {\n \"Fn::Join\": [\n \"\",\n [\n \"arn:\",\n {\n \"Ref\": \"AWS::Partition\"\n },\n \":iam::*:role/aws-service-role/spot.amazonaws.com/*\"\n ]\n ]\n }\n ]\n },\n {\n \"Sid\": \"PrismaCloudBridgecrew1\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"cloudformation:DescribeStackResources\",\n \"cloudformation:GetTemplate\",\n \"cloudformation:ListStacks\",\n \"lambda:GetEventSourceMapping\",\n \"lambda:GetFunction\",\n \"lambda:GetLayerVersion\",\n \"s3:ListBucket\",\n \"sns:GetSubscriptionAttributes\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"PrismaCloudEBRuleStatusPermissions3\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"cloudtrail:DescribeTrails\",\n \"cloudtrail:GetEventSelectors\",\n \"cloudtrail:GetTrailStatus\",\n \"ec2:DescribeRegions\",\n \"events:DescribeApiDestination\",\n \"events:DescribeConnection\",\n \"events:DescribeRule\",\n \"events:ListTargetsByRule\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"PrismaCloudPCCAgentlessRW3\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:CreateSnapshot\",\n \"ec2:CreateSnapshots\",\n \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstances\",\n \"ec2:DescribeSecurityGroups\",\n \"ec2:DescribeSnapshots\",\n \"ec2:DescribeSubnets\",\n \"ec2:DescribeVolumes\",\n \"ec2:RunInstances\",\n \"iam:SimulatePrincipalPolicy\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"PrismaCloudInspector1\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"inspector:DescribeAssessmentTemplates\",\n \"inspector:DescribeFindings\",\n \"inspector:DescribeRulesPackages\",\n \"inspector:ListAssessmentRunAgents\",\n \"inspector:ListAssessmentRuns\",\n \"inspector:ListAssessmentTemplates\",\n \"inspector:ListFindings\",\n \"inspector:ListRulesPackages\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"PrismaCloudEBRuleManagementPermissions2\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"events:DeleteRule\",\n \"events:DisableRule\",\n \"events:EnableRule\",\n \"events:PutRule\",\n \"events:RemoveTargets\"\n ],\n \"Resource\": [\n {\n \"Fn::Join\": [\n \"\",\n [\n \"arn:\",\n {\n \"Ref\": \"AWS::Partition\"\n },\n \":events:*:\",\n {\n \"Ref\": \"AWS::AccountId\"\n },\n \":rule/\",\n {\n \"Fn::FindInMap\": [\n \"EventBridgeMap\",\n \"EventBridgeRuleNamePrefix\",\n \"Value\"\n ]\n }\n ]\n ]\n }\n ]\n },\n {\n \"Sid\": \"PrismaCloudPCCAgentlessRM2\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:AttachInternetGateway\",\n \"ec2:CreateSubnet\",\n \"ec2:DeleteInternetGateway\",\n \"ec2:DeleteSnapshot\",\n \"ec2:DeleteSubnet\",\n \"ec2:DeleteVpc\",\n \"ec2:DetachInternetGateway\",\n \"ec2:ModifySnapshotAttribute\",\n \"ec2:TerminateInstances\"\n ],\n \"Condition\": {\n \"StringEquals\": {\n \"ec2:ResourceTag/created-by\": \"prismacloud-agentless-scan\"\n }\n },\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"PrismaCloudComputeServerlessScan1\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:DescribeImages\",\n \"iam:GetPolicy\",\n \"iam:GetPolicyVersion\",\n \"iam:GetRole\",\n \"iam:GetRolePolicy\",\n \"iam:ListAttachedRolePolicies\",\n \"iam:ListRolePolicies\",\n \"iam:SimulatePrincipalPolicy\",\n \"kms:Decrypt\",\n \"lambda:DeleteLayerVersion\",\n \"lambda:GetFunction\",\n \"lambda:GetFunctionConfiguration\",\n \"lambda:GetLayerVersion\",\n \"lambda:ListFunctions\",\n \"lambda:ListLayerVersions\",\n \"lambda:ListLayers\",\n \"lambda:PublishLayerVersion\",\n \"lambda:UpdateFunctionConfiguration\"\n ],\n \"Resource\": \"*\"\n }\n ]\n }\n }\n },\n \"prismacloud2\": {\n \"Type\": \"AWS::IAM::ManagedPolicy\",\n \"Properties\": {\n \"ManagedPolicyName\": {\n \"Fn::Join\": [\n \"\",\n [\n \"prisma_cloud_2-123456789012345678\",\n \"-\",\n {\n \"Ref\": \"PrismaCloudRoleName\"\n }\n ]\n ]\n },\n \"PolicyDocument\": {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"PrismaCloudPCCAgentlessTags8\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:CreateTags\"\n ],\n \"Condition\": {\n \"StringEquals\": {\n \"aws:RequestTag/created-by\": \"prismacloud-agentless-scan\"\n }\n },\n \"Resource\": [\n {\n \"Fn::Join\": [\n \"\",\n [\n \"arn:\",\n {\n \"Ref\": \"AWS::Partition\"\n },\n \":ec2:*::snapshot/*\"\n ]\n ]\n },\n {\n \"Fn::Join\": [\n \"\",\n [\n \"arn:\",\n {\n \"Ref\": \"AWS::Partition\"\n },\n \":ec2:*:*:instance/*\"\n ]\n ]\n },\n {\n \"Fn::Join\": [\n \"\",\n [\n \"arn:\",\n {\n \"Ref\": \"AWS::Partition\"\n },\n \":ec2:*:*:vpc/*\"\n ]\n ]\n },\n {\n \"Fn::Join\": [\n \"\",\n [\n \"arn:\",\n {\n \"Ref\": \"AWS::Partition\"\n },\n \":ec2:*:*:subnet/*\"\n ]\n ]\n },\n {\n \"Fn::Join\": [\n \"\",\n [\n \"arn:\",\n {\n \"Ref\": \"AWS::Partition\"\n },\n \":ec2:*:*:internet-gateway/*\"\n ]\n ]\n },\n {\n \"Fn::Join\": [\n \"\",\n [\n \"arn:\",\n {\n \"Ref\": \"AWS::Partition\"\n },\n \":ec2:*:*:volume/*\"\n ]\n ]\n }\n ]\n },\n {\n \"Sid\": \"PrismaCloudRemediation1\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"acm:UpdateCertificateOptions\",\n \"cloudtrail:StartLogging\",\n \"cloudtrail:UpdateTrail\",\n \"ec2:ModifyImageAttribute\",\n \"ec2:ModifySnapshotAttribute\",\n \"ec2:ModifySubnetAttribute\",\n \"ec2:RevokeSecurityGroupEgress\",\n \"ec2:RevokeSecurityGroupIngress\",\n \"ecs:UpdateClusterSettings\",\n \"eks:UpdateClusterConfig\",\n \"elasticache:ModifyReplicationGroup\",\n \"elasticloadbalancing:ModifyLoadBalancerAttributes\",\n \"iam:UpdateAccountPasswordPolicy\",\n \"kms:EnableKeyRotation\",\n \"lambda:UpdateFunctionConfiguration\",\n \"rds:ModifyDBCluster\",\n \"rds:ModifyDBClusterSnapshotAttribute\",\n \"rds:ModifyDBInstance\",\n \"rds:ModifyDBSnapshotAttribute\",\n \"rds:ModifyEventSubscription\",\n \"redshift:ModifyCluster\",\n \"s3:PutBucketAcl\",\n \"s3:PutBucketPublicAccessBlock\",\n \"s3:PutBucketVersioning\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"PrismaCloudComputeDiscovery1\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"apigateway:GET\",\n \"cloudfront:ListDistributions\",\n \"cloudwatch:DescribeAlarms\",\n \"ec2:DescribeTags\",\n \"elasticloadbalancing:DescribeListenerCertificates\",\n \"elasticloadbalancing:DescribeListeners\",\n \"elasticloadbalancing:DescribeRules\",\n \"elasticloadbalancing:DescribeTargetGroups\",\n \"events:ListRules\",\n \"iam:GetPolicy\",\n \"iam:GetPolicyVersion\",\n \"iam:GetRole\",\n \"iam:GetRolePolicy\",\n \"iam:ListAttachedRolePolicies\",\n \"iam:ListRolePolicies\",\n \"kms:Decrypt\",\n \"lambda:GetFunction\",\n \"lambda:GetFunctionConfiguration\",\n \"lambda:GetFunctionUrlConfig\",\n \"lambda:GetPolicy\",\n \"lambda:ListAliases\",\n \"lambda:ListEventSourceMappings\",\n \"lambda:ListFunctions\",\n \"logs:DescribeSubscriptionFilters\",\n \"s3:GetBucketNotification\",\n \"secretsmanager:GetSecretValue\",\n \"ssm:GetParameter\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"PrismaCloudComputeAutoProtect1\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:AuthorizeSecurityGroupEgress\",\n \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateSecurityGroup\",\n \"ec2:CreateTags\",\n \"ec2:DeleteSecurityGroup\",\n \"ec2:DescribeImages\",\n \"ec2:DescribeInstanceTypeOfferings\",\n \"ec2:DescribeInstances\",\n \"ec2:DescribeSecurityGroups\",\n \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n \"ec2:RevokeSecurityGroupEgress\",\n \"ec2:RunInstances\",\n \"ec2:TerminateInstances\",\n \"ecr:BatchCheckLayerAvailability\",\n \"ecr:BatchGetImage\",\n \"ecr:DescribeImageScanFindings\",\n \"ecr:DescribeImages\",\n \"ecr:DescribeRepositories\",\n \"ecr:GetAuthorizationToken\",\n \"ecr:GetDownloadUrlForLayer\",\n \"ecr:GetLifecyclePolicy\",\n \"ecr:GetLifecyclePolicyPreview\",\n \"ecr:GetRepositoryPolicy\",\n \"ecr:ListImages\",\n \"ecr:ListTagsForResource\",\n \"lambda:GetFunctionConfiguration\",\n \"lambda:GetLayerVersion\",\n \"logs:GetQueryResults\",\n \"logs:StartQuery\",\n \"securityhub:BatchImportFindings\",\n \"ssm:CancelCommand\",\n \"ssm:CreateAssociation\",\n \"ssm:DescribeInstanceInformation\",\n \"ssm:ListCommandInvocations\",\n \"ssm:SendCommand\"\n ],\n \"Resource\": \"*\"\n }\n ]\n }\n }\n },\n \"prismacloud3\": {\n \"Type\": \"AWS::IAM::ManagedPolicy\",\n \"Properties\": {\n \"ManagedPolicyName\": {\n \"Fn::Join\": [\n \"\",\n [\n \"prisma_cloud_3-123456789012345678\",\n \"-\",\n {\n \"Ref\": \"PrismaCloudRoleName\"\n }\n ]\n ]\n },\n \"PolicyDocument\": {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"PrismaCloudConfig3\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"memorydb:DescribeClusters\",\n \"memorydb:DescribeParameterGroups\",\n \"memorydb:DescribeParameters\",\n \"memorydb:ListTags\",\n \"mobiletargeting:GetApps\",\n \"mobiletargeting:GetEmailChannel\",\n \"mobiletargeting:GetSmsChannel\",\n \"mq:DescribeBroker\",\n \"mq:ListBrokers\",\n \"organizations:DescribeAccount\",\n \"organizations:DescribeOrganization\",\n \"organizations:DescribeOrganizationalUnit\",\n \"organizations:DescribePolicy\",\n \"organizations:ListAccounts\",\n \"organizations:ListAccountsForParent\",\n \"organizations:ListChildren\",\n \"organizations:ListOrganizationalUnitsForParent\",\n \"organizations:ListParents\",\n \"organizations:ListPolicies\",\n \"organizations:ListPoliciesForTarget\",\n \"organizations:ListRoots\",\n \"organizations:ListTagsForResource\",\n \"qldb:DescribeLedger\",\n \"qldb:ListLedgers\",\n \"qldb:ListTagsForResource\",\n \"quicksight:DescribeAccountSettings\",\n \"quicksight:ListDataSets\",\n \"quicksight:ListDataSources\",\n \"quicksight:ListTagsForResource\",\n \"ram:GetResourceShares\",\n \"ram:ListPrincipals\",\n \"ram:ListResources\",\n \"rds:DescribeDBClusterParameterGroups\",\n \"rds:DescribeDBClusterParameters\",\n \"rds:DescribeDBClusterSnapshotAttributes\",\n \"rds:DescribeDBClusterSnapshots\",\n \"rds:DescribeDBClusters\",\n \"rds:DescribeDBInstances\",\n \"rds:DescribeDBParameterGroups\",\n \"rds:DescribeDBParameters\",\n \"rds:DescribeDBSnapshotAttributes\",\n \"rds:DescribeDBSnapshots\",\n \"rds:DescribeEventSubscriptions\",\n \"rds:DescribeOptionGroups\",\n \"rds:ListTagsForResource\",\n \"redshift:DescribeClusterParameters\",\n \"redshift:DescribeClusters\",\n \"redshift:DescribeLoggingStatus\",\n \"route53:ListHostedZones\",\n \"route53:ListQueryLoggingConfigs\",\n \"route53:ListResourceRecordSets\",\n \"route53:ListTagsForResource\",\n \"route53domains:GetDomainDetail\",\n \"route53domains:ListDomains\",\n \"route53domains:ListTagsForDomain\",\n \"route53resolver:ListResolverQueryLogConfigAssociations\",\n \"route53resolver:ListResolverQueryLogConfigs\",\n \"route53resolver:ListTagsForResource\",\n \"s3:DescribeJob\",\n \"s3:GetAccessPoint\",\n \"s3:GetAccessPointPolicy\",\n \"s3:GetAccessPointPolicyStatus\",\n \"s3:GetAccountPublicAccessBlock\",\n \"s3:GetBucketAcl\",\n \"s3:GetBucketCORS\",\n \"s3:GetBucketLocation\",\n \"s3:GetBucketLogging\",\n \"s3:GetBucketOwnershipControls\",\n \"s3:GetBucketPolicy\",\n \"s3:GetBucketPolicyStatus\",\n \"s3:GetBucketPublicAccessBlock\",\n \"s3:GetBucketTagging\",\n \"s3:GetBucketVersioning\",\n \"s3:GetBucketWebsite\",\n \"s3:GetEncryptionConfiguration\",\n \"s3:GetJobTagging\",\n \"s3:GetLifecycleConfiguration\",\n \"s3:GetReplicationConfiguration\",\n \"s3:ListAccessPoints\",\n \"s3:ListAllMyBuckets\",\n \"s3:ListJobs\",\n \"sagemaker:DescribeDomain\",\n \"sagemaker:DescribeEndpoint\",\n \"sagemaker:DescribeEndpointConfig\",\n \"sagemaker:DescribeModel\",\n \"sagemaker:DescribeNotebookInstance\",\n \"sagemaker:DescribeTrainingJob\",\n \"sagemaker:DescribeUserProfile\",\n \"sagemaker:ListDomains\",\n \"sagemaker:ListEndpointConfigs\",\n \"sagemaker:ListEndpoints\",\n \"sagemaker:ListModels\",\n \"sagemaker:ListNotebookInstances\",\n \"sagemaker:ListTags\",\n \"sagemaker:ListTrainingJobs\",\n \"sagemaker:ListUserProfiles\",\n \"secretsmanager:DescribeSecret\",\n \"secretsmanager:GetResourcePolicy\",\n \"secretsmanager:ListSecrets\",\n \"ses:GetIdentityDkimAttributes\",\n \"ses:GetIdentityPolicies\",\n \"ses:ListIdentities\",\n \"ses:ListIdentityPolicies\",\n \"shield:GetSubscriptionState\",\n \"shield:ListProtectionGroups\",\n \"shield:ListProtections\",\n \"shield:ListResourcesInProtectionGroup\",\n \"shield:ListTagsForResource\",\n \"sns:GetTopicAttributes\",\n \"sns:ListPlatformApplications\",\n \"sns:ListSubscriptions\",\n \"sns:ListTagsForResource\",\n \"sns:ListTopics\",\n \"sqs:GetQueueAttributes\",\n \"sqs:ListQueueTags\",\n \"sqs:ListQueues\",\n \"ssm:DescribeAssociation\",\n \"ssm:DescribeDocument\",\n \"ssm:DescribeDocumentPermission\",\n \"ssm:DescribeInstanceInformation\",\n \"ssm:DescribeParameters\",\n \"ssm:GetDocument\",\n \"ssm:GetInventory\",\n \"ssm:GetParameters\",\n \"ssm:ListAssociations\",\n \"ssm:ListDocuments\",\n \"ssm:ListTagsForResource\",\n \"sso:DescribePermissionSet\",\n \"sso:ListAccountAssignments\",\n \"sso:ListAccountsForProvisionedPermissionSet\",\n \"sso:ListInstances\",\n \"sso:ListPermissionSets\",\n \"states:DescribeStateMachine\",\n \"states:ListStateMachines\",\n \"states:ListTagsForResource\",\n \"storagegateway:DescribeCachediSCSIVolumes\",\n \"storagegateway:DescribeGatewayInformation\",\n \"storagegateway:DescribeNFSFileShares\",\n \"storagegateway:DescribeSMBFileShares\",\n \"storagegateway:DescribeSMBSettings\",\n \"storagegateway:DescribeTapes\",\n \"storagegateway:ListFileShares\",\n \"storagegateway:ListGateways\",\n \"storagegateway:ListTapes\",\n \"storagegateway:ListVolumes\",\n \"transcribe:ListLanguageModels\",\n \"transcribe:ListTagsForResource\",\n \"transfer:DescribeAccess\",\n \"transfer:DescribeServer\",\n \"transfer:ListAccesses\",\n \"transfer:ListServers\",\n \"translate:GetTerminology\",\n \"translate:ListTerminologies\",\n \"waf-regional:GetLoggingConfiguration\",\n \"waf-regional:GetWebACL\",\n \"waf-regional:ListResourcesForWebACL\",\n \"waf-regional:ListTagsForResource\",\n \"waf-regional:ListWebACLs\",\n \"waf:GetLoggingConfiguration\",\n \"waf:GetWebACL\",\n \"waf:ListTagsForResource\",\n \"waf:ListWebACLs\",\n \"wafv2:GetLoggingConfiguration\",\n \"wafv2:GetWebACL\",\n \"wafv2:ListResourcesForWebACL\",\n \"wafv2:ListTagsForResource\",\n \"wafv2:ListWebACLs\",\n \"workspaces:DescribeIpGroups\",\n \"workspaces:DescribeTags\",\n \"workspaces:DescribeWorkspaceBundles\",\n \"workspaces:DescribeWorkspaceDirectories\",\n \"workspaces:DescribeWorkspaces\",\n \"xray:GetEncryptionConfig\"\n ],\n \"Resource\": \"*\"\n }\n ]\n }\n }\n },\n \"prismacloud4\": {\n \"Type\": \"AWS::IAM::ManagedPolicy\",\n \"Properties\": {\n \"ManagedPolicyName\": {\n \"Fn::Join\": [\n \"\",\n [\n \"prisma_cloud_4-123456789012345678\",\n \"-\",\n {\n \"Ref\": \"PrismaCloudRoleName\"\n }\n ]\n ]\n },\n \"PolicyDocument\": {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"PrismaCloudConfig1\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"access-analyzer:GetAnalyzer\",\n \"access-analyzer:ListAnalyzers\",\n \"account:GetAlternateContact\",\n \"acm-pca:GetPolicy\",\n \"acm-pca:ListCertificateAuthorities\",\n \"acm-pca:ListTags\",\n \"acm:DescribeCertificate\",\n \"acm:ListCertificates\",\n \"acm:ListTagsForCertificate\",\n \"airflow:GetEnvironment\",\n \"airflow:ListEnvironments\",\n \"amplify:ListApps\",\n \"apigateway:GET\",\n \"appflow:DescribeFlow\",\n \"appflow:ListFlows\",\n \"appmesh:DescribeMesh\",\n \"appmesh:DescribeVirtualGateway\",\n \"appmesh:ListMeshes\",\n \"appmesh:ListTagsForResource\",\n \"appmesh:ListVirtualGateways\",\n \"apprunner:DescribeAutoScalingConfiguration\",\n \"apprunner:DescribeCustomDomains\",\n \"apprunner:DescribeService\",\n \"apprunner:ListAutoScalingConfigurations\",\n \"apprunner:ListServices\",\n \"apprunner:ListTagsForResource\",\n \"appstream:DescribeFleets\",\n \"appstream:DescribeImages\",\n \"appstream:DescribeStacks\",\n \"appstream:DescribeUsageReportSubscriptions\",\n \"appstream:ListTagsForResource\",\n \"appsync:GetGraphqlApi\",\n \"appsync:ListGraphqlApis\",\n \"aps:DescribeLoggingConfiguration\",\n \"aps:ListWorkspaces\",\n \"athena:GetWorkGroup\",\n \"athena:ListWorkGroups\",\n \"autoscaling:DescribeAutoScalingGroups\",\n \"autoscaling:DescribeLaunchConfigurations\",\n \"backup:GetBackupVaultAccessPolicy\",\n \"backup:ListBackupVaults\",\n \"backup:ListTags\",\n \"batch:DescribeComputeEnvironments\",\n \"chime:GetVoiceConnectorLoggingConfiguration\",\n \"chime:ListVoiceConnectors\",\n \"cloud9:DescribeEnvironmentMemberships\",\n \"cloud9:DescribeEnvironments\",\n \"cloud9:ListEnvironments\",\n \"cloud9:ListTagsForResource\",\n \"cloudformation:DescribeStackResources\",\n \"cloudformation:DescribeStacks\",\n \"cloudformation:GetStackPolicy\",\n \"cloudformation:GetTemplate\",\n \"cloudformation:ListStackResources\",\n \"cloudformation:ListStacks\",\n \"cloudfront:GetDistribution\",\n \"cloudfront:GetDistributionConfig\",\n \"cloudfront:ListDistributions\",\n \"cloudfront:ListOriginAccessControls\",\n \"cloudfront:ListTagsForResource\",\n \"cloudsearch:DescribeDomains\",\n \"cloudtrail:DescribeTrails\",\n \"cloudtrail:GetEventSelectors\",\n \"cloudtrail:GetTrailStatus\",\n \"cloudtrail:ListTags\",\n \"cloudwatch:DescribeAlarms\",\n \"cloudwatch:DescribeInsightRules\",\n \"cloudwatch:ListTagsForResource\",\n \"codeartifact:DescribeDomain\",\n \"codeartifact:DescribeRepository\",\n \"codeartifact:GetDomainPermissionsPolicy\",\n \"codeartifact:GetRepositoryPermissionsPolicy\",\n \"codeartifact:ListDomains\",\n \"codeartifact:ListRepositories\",\n \"codeartifact:ListTagsForResource\",\n \"codebuild:BatchGetProjects\",\n \"codebuild:ListProjects\",\n \"codepipeline:GetPipeline\",\n \"codepipeline:ListPipelines\",\n \"codepipeline:ListTagsForResource\",\n \"cognito-identity:DescribeIdentityPool\",\n \"cognito-identity:ListIdentityPools\",\n \"cognito-identity:ListTagsForResource\",\n \"cognito-idp:ListResourcesForWebACL\",\n \"cognito-idp:ListTagsForResource\",\n \"cognito-idp:ListUserPools\",\n \"config:DescribeConfigRules\",\n \"config:DescribeConfigurationRecorderStatus\",\n \"config:DescribeConfigurationRecorders\",\n \"config:DescribeDeliveryChannels\",\n \"config:GetComplianceDetailsByConfigRule\",\n \"config:ListTagsForResource\",\n \"connect:ListInstanceAttributes\",\n \"connect:ListInstanceStorageConfigs\",\n \"connect:ListInstances\",\n \"databrew:DescribeJob\",\n \"databrew:ListJobs\",\n \"datapipeline:DescribePipelines\",\n \"datapipeline:GetPipelineDefinition\",\n \"datapipeline:ListPipelines\",\n \"datasync:DescribeLocationEfs\",\n \"datasync:DescribeLocationFsxLustre\",\n \"datasync:DescribeLocationFsxOntap\",\n \"datasync:DescribeLocationFsxOpenZfs\",\n \"datasync:DescribeLocationFsxWindows\",\n \"datasync:DescribeLocationHdfs\",\n \"datasync:DescribeLocationNfs\",\n \"datasync:DescribeLocationObjectStorage\",\n \"datasync:DescribeLocationS3\",\n \"datasync:DescribeLocationSmb\",\n \"datasync:ListLocations\",\n \"datasync:ListTagsForResource\",\n \"datasync:ListTasks\",\n \"dax:DescribeClusters\",\n \"dax:ListTags\",\n \"devops-guru:DescribeServiceIntegration\",\n \"directconnect:DescribeConnections\",\n \"directconnect:DescribeDirectConnectGateways\",\n \"directconnect:DescribeVirtualInterfaces\",\n \"dms:DescribeCertificates\",\n \"dms:DescribeEndpoints\",\n \"dms:DescribeReplicationInstances\",\n \"dms:ListTagsForResource\",\n \"ds:DescribeDirectories\",\n \"ds:ListTagsForResource\",\n \"dynamodb:DescribeTable\",\n \"dynamodb:ListTables\",\n \"dynamodb:ListTagsOfResource\",\n \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeAddresses\",\n \"ec2:DescribeClientVpnAuthorizationRules\",\n \"ec2:DescribeClientVpnEndpoints\",\n \"ec2:DescribeDhcpOptions\",\n \"ec2:DescribeFlowLogs\",\n \"ec2:DescribeImages\",\n \"ec2:DescribeInstanceAttribute\",\n \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstances\",\n \"ec2:DescribeInternetGateways\",\n \"ec2:DescribeKeyPairs\",\n \"ec2:DescribeManagedPrefixLists\",\n \"ec2:DescribeNatGateways\",\n \"ec2:DescribeNetworkAcls\",\n \"ec2:DescribeNetworkInterfaceAttribute\",\n \"ec2:DescribeNetworkInterfaces\",\n \"ec2:DescribeRegions\",\n \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n \"ec2:DescribeSnapshotAttribute\",\n \"ec2:DescribeSnapshots\",\n \"ec2:DescribeSubnets\",\n \"ec2:DescribeTags\",\n \"ec2:DescribeTransitGatewayAttachments\",\n \"ec2:DescribeTransitGatewayRouteTables\",\n \"ec2:DescribeTransitGatewayVpcAttachments\",\n \"ec2:DescribeTransitGateways\",\n \"ec2:DescribeVolumes\",\n \"ec2:DescribeVpcEndpointServiceConfigurations\",\n \"ec2:DescribeVpcEndpointServices\",\n \"ec2:DescribeVpcEndpoints\",\n \"ec2:DescribeVpcPeeringConnections\",\n \"ec2:DescribeVpcs\",\n \"ec2:DescribeVpnConnections\",\n \"ec2:DescribeVpnGateways\",\n \"ec2:GetEbsEncryptionByDefault\",\n \"ec2:GetManagedPrefixListEntries\",\n \"ec2:SearchTransitGatewayRoutes\",\n \"ecr-public:DescribeRepositories\",\n \"ecr-public:GetRepositoryCatalogData\",\n \"ecr-public:GetRepositoryPolicy\",\n \"ecr-public:ListTagsForResource\",\n \"ecr:DescribeImages\",\n \"ecr:DescribePullThroughCacheRules\",\n \"ecr:DescribeRegistry\",\n \"ecr:DescribeRepositories\",\n \"ecr:GetLifecyclePolicy\",\n \"ecr:GetRegistryPolicy\",\n \"ecr:GetRegistryScanningConfiguration\",\n \"ecr:GetRepositoryPolicy\",\n \"ecr:ListTagsForResource\",\n \"ecs:DescribeClusters\"\n ],\n \"Resource\": \"*\"\n }\n ]\n }\n }\n },\n \"prismacloud5\": {\n \"Type\": \"AWS::IAM::ManagedPolicy\",\n \"Properties\": {\n \"ManagedPolicyName\": {\n \"Fn::Join\": [\n \"\",\n [\n \"prisma_cloud_5-123456789012345678\",\n \"-\",\n {\n \"Ref\": \"PrismaCloudRoleName\"\n }\n ]\n ]\n },\n \"PolicyDocument\": {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"PrismaCloudConfig2\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ecs:DescribeContainerInstances\",\n \"ecs:DescribeServices\",\n \"ecs:DescribeTaskDefinition\",\n \"ecs:DescribeTasks\",\n \"ecs:ListClusters\",\n \"ecs:ListContainerInstances\",\n \"ecs:ListServices\",\n \"ecs:ListTagsForResource\",\n \"ecs:ListTaskDefinitions\",\n \"ecs:ListTasks\",\n \"eks:DescribeCluster\",\n \"eks:DescribeFargateProfile\",\n \"eks:DescribeNodegroup\",\n \"eks:ListClusters\",\n \"eks:ListFargateProfiles\",\n \"eks:ListNodegroups\",\n \"eks:ListTagsForResource\",\n \"elasticache:DescribeCacheClusters\",\n \"elasticache:DescribeCacheEngineVersions\",\n \"elasticache:DescribeCacheSubnetGroups\",\n \"elasticache:DescribeReplicationGroups\",\n \"elasticache:DescribeReservedCacheNodes\",\n \"elasticache:DescribeSnapshots\",\n \"elasticache:ListTagsForResource\",\n \"elasticbeanstalk:DescribeConfigurationSettings\",\n \"elasticbeanstalk:DescribeEnvironmentResources\",\n \"elasticbeanstalk:DescribeEnvironments\",\n \"elasticbeanstalk:ListTagsForResource\",\n \"elasticfilesystem:DescribeFileSystemPolicy\",\n \"elasticfilesystem:DescribeFileSystems\",\n \"elasticfilesystem:DescribeMountTargetSecurityGroups\",\n \"elasticfilesystem:DescribeMountTargets\",\n \"elasticfilesystem:DescribeTags\",\n \"elasticloadbalancing:DescribeListeners\",\n \"elasticloadbalancing:DescribeLoadBalancerAttributes\",\n \"elasticloadbalancing:DescribeLoadBalancerPolicies\",\n \"elasticloadbalancing:DescribeLoadBalancers\",\n \"elasticloadbalancing:DescribeSSLPolicies\",\n \"elasticloadbalancing:DescribeTags\",\n \"elasticloadbalancing:DescribeTargetGroups\",\n \"elasticloadbalancing:DescribeTargetHealth\",\n \"elasticmapreduce:DescribeCluster\",\n \"elasticmapreduce:DescribeSecurityConfiguration\",\n \"elasticmapreduce:GetBlockPublicAccessConfiguration\",\n \"elasticmapreduce:ListClusters\",\n \"elasticmapreduce:ListSecurityConfigurations\",\n \"es:DescribeElasticsearchDomains\",\n \"es:ListDomainNames\",\n \"es:ListTags\",\n \"events:ListEventBuses\",\n \"events:ListRules\",\n \"events:ListTagsForResource\",\n \"events:ListTargetsByRule\",\n \"firehose:DescribeDeliveryStream\",\n \"firehose:ListDeliveryStreams\",\n \"firehose:ListTagsForDeliveryStream\",\n \"forecast:DescribeAutoPredictor\",\n \"forecast:DescribeDataset\",\n \"forecast:DescribePredictor\",\n \"forecast:ListDatasets\",\n \"forecast:ListPredictors\",\n \"forecast:ListTagsForResource\",\n \"fsx:DescribeFileSystems\",\n \"glacier:GetVaultAccessPolicy\",\n \"glacier:GetVaultLock\",\n \"glacier:ListTagsForVault\",\n \"glacier:ListVaults\",\n \"globalaccelerator:DescribeAcceleratorAttributes\",\n \"globalaccelerator:ListAccelerators\",\n \"globalaccelerator:ListTagsForResource\",\n \"glue:GetConnection\",\n \"glue:GetConnections\",\n \"glue:GetDataCatalogEncryptionSettings\",\n \"glue:GetDatabases\",\n \"glue:GetSecurityConfigurations\",\n \"grafana:DescribeWorkspace\",\n \"grafana:DescribeWorkspaceAuthentication\",\n \"grafana:ListWorkspaces\",\n \"guardduty:GetDetector\",\n \"guardduty:GetFindings\",\n \"guardduty:GetMasterAccount\",\n \"guardduty:ListDetectors\",\n \"guardduty:ListFindings\",\n \"iam:GenerateCredentialReport\",\n \"iam:GenerateServiceLastAccessedDetails\",\n \"iam:GetAccountAuthorizationDetails\",\n \"iam:GetAccountPasswordPolicy\",\n \"iam:GetAccountSummary\",\n \"iam:GetCredentialReport\",\n \"iam:GetGroupPolicy\",\n \"iam:GetOpenIDConnectProvider\",\n \"iam:GetPolicyVersion\",\n \"iam:GetRole\",\n \"iam:GetRolePolicy\",\n \"iam:GetSAMLProvider\",\n \"iam:GetServiceLastAccessedDetails\",\n \"iam:GetUserPolicy\",\n \"iam:ListAccessKeys\",\n \"iam:ListAttachedGroupPolicies\",\n \"iam:ListAttachedRolePolicies\",\n \"iam:ListAttachedUserPolicies\",\n \"iam:ListEntitiesForPolicy\",\n \"iam:ListGroupPolicies\",\n \"iam:ListGroups\",\n \"iam:ListGroupsForUser\",\n \"iam:ListInstanceProfilesForRole\",\n \"iam:ListMFADeviceTags\",\n \"iam:ListMFADevices\",\n \"iam:ListOpenIDConnectProviders\",\n \"iam:ListPolicies\",\n \"iam:ListPolicyTags\",\n \"iam:ListPolicyVersions\",\n \"iam:ListRolePolicies\",\n \"iam:ListRoleTags\",\n \"iam:ListRoles\",\n \"iam:ListSAMLProviderTags\",\n \"iam:ListSAMLProviders\",\n \"iam:ListSSHPublicKeys\",\n \"iam:ListServerCertificateTags\",\n \"iam:ListServerCertificates\",\n \"iam:ListUserPolicies\",\n \"iam:ListUserTags\",\n \"iam:ListUsers\",\n \"iam:ListVirtualMFADevices\",\n \"identitystore:ListGroupMemberships\",\n \"identitystore:ListGroups\",\n \"identitystore:ListUsers\",\n \"inspector:DescribeAssessmentTemplates\",\n \"inspector:DescribeFindings\",\n \"inspector:DescribeRulesPackages\",\n \"inspector:ListAssessmentRunAgents\",\n \"inspector:ListAssessmentRuns\",\n \"inspector:ListAssessmentTemplates\",\n \"inspector:ListFindings\",\n \"inspector:ListRulesPackages\",\n \"iot:DescribeAccountAuditConfiguration\",\n \"iot:DescribeDomainConfiguration\",\n \"iot:ListDomainConfigurations\",\n \"iot:ListTagsForResource\",\n \"kafka:ListClusters\",\n \"kendra:DescribeIndex\",\n \"kendra:ListTagsForResource\",\n \"kinesis:DescribeStream\",\n \"kinesis:ListStreams\",\n \"kinesis:ListTagsForStream\",\n \"kinesisanalytics:DescribeApplication\",\n \"kinesisanalytics:ListApplications\",\n \"kinesisanalytics:ListTagsForResource\",\n \"kinesisvideo:DescribeNotificationConfiguration\",\n \"kinesisvideo:ListStreams\",\n \"kinesisvideo:ListTagsForStream\",\n \"kms:DescribeKey\",\n \"kms:GetKeyPolicy\",\n \"kms:GetKeyRotationStatus\",\n \"kms:ListAliases\",\n \"kms:ListKeyPolicies\",\n \"kms:ListKeys\",\n \"kms:ListResourceTags\",\n \"lakeformation:GetDataLakeSettings\",\n \"lambda:GetFunctionUrlConfig\",\n \"lambda:GetLayerVersionPolicy\",\n \"lambda:GetPolicy\",\n \"lambda:ListCodeSigningConfigs\",\n \"lambda:ListFunctions\",\n \"lambda:ListLayerVersions\",\n \"lambda:ListLayers\",\n \"lambda:ListTags\",\n \"lex:DescribeBot\",\n \"lex:DescribeBotVersion\",\n \"lex:GetBot\",\n \"lex:GetBotVersions\",\n \"lex:GetBots\",\n \"lex:ListBotVersions\",\n \"lex:ListBots\",\n \"lex:ListTagsForResource\",\n \"lightsail:GetInstances\",\n \"logs:DescribeLogGroups\",\n \"logs:DescribeLogStreams\",\n \"logs:DescribeMetricFilters\",\n \"logs:DescribeSubscriptionFilters\",\n \"logs:GetLogEvents\",\n \"logs:ListTagsLogGroup\",\n \"macie2:GetClassificationExportConfiguration\",\n \"macie2:GetFindingsPublicationConfiguration\",\n \"macie2:GetMacieSession\",\n \"macie2:GetRevealConfiguration\",\n \"mediastore:GetContainerPolicy\",\n \"mediastore:GetCorsPolicy\",\n \"mediastore:ListContainers\",\n \"mediastore:ListTagsForResource\"\n ],\n \"Resource\": \"*\"\n }\n ]\n }\n }\n }\n },\n \"Outputs\": {\n \"PrismaCloudRoleARN\": {\n \"Description\": \"Information about the value\",\n \"Value\": {\n \"Fn::GetAtt\": [\n \"PrismaCloudRole\",\n \"Arn\"\n ]\n }\n }\n }\n}"
},
"Type": "AWS::CloudFormation::StackSet"
},
"PrismaCloudRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:aws:iam::aws:policy/SecurityAudit"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":policy/",
"prisma_cloud_1-123456789012345678",
"-",
{
"Ref": "PrismaCloudRoleName"
}
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":policy/",
"prisma_cloud_2-123456789012345678",
"-",
{
"Ref": "PrismaCloudRoleName"
}
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":policy/",
"prisma_cloud_3-123456789012345678",
"-",
{
"Ref": "PrismaCloudRoleName"
}
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":policy/",
"prisma_cloud_4-123456789012345678",
"-",
{
"Ref": "PrismaCloudRoleName"
}
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":policy/",
"prisma_cloud_5-123456789012345678",
"-",
{
"Ref": "PrismaCloudRoleName"
}
]
]
}
],
"MaxSessionDuration": 43200,
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::188619942792:root"
]
},
"Action": [
"sts:AssumeRole"
],
"Condition": {
"StringEquals": {
"sts:ExternalId": "a1ea8fe3-85d8-4ed9-93da-02d68670bc61"
}
}
}
]
},
"RoleName": {
"Ref": "PrismaCloudRoleName"
}
},
"DependsOn": [
"prismacloud5",
"prismacloud1",
"prismacloud2",
"prismacloud3",
"prismacloud4"
]
},
"prismacloud1": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"ManagedPolicyName": {
"Fn::Join": [
"",
[
"prisma_cloud_1-123456789012345678",
"-",
{
"Ref": "PrismaCloudRoleName"
}
]
]
},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PrismaCloudFlowlogs1",
"Effect": "Allow",
"Action": [
"logs:GetLogEvents"
],
"Resource": "*"
},
{
"Sid": "PrismaCloudAuditEventsCloudTrail1",
"Effect": "Allow",
"Action": [
"cloudtrail:LookupEvents"
],
"Resource": "*"
},
{
"Sid": "PrismaCloudPCCAgentlessSSM6",
"Effect": "Allow",
"Action": [
"ssm:GetParameter",
"ssm:GetParameters"
],
"Resource": "*"
},
{
"Sid": "PrismaCloudEBOrganizationManagementPermissions1",
"Effect": "Allow",
"Action": [
"organizations:ListRoots"
],
"Resource": "*"
},
{
"Sid": "PrismaCloudPCCAgentlessSTS7",
"Effect": "Allow",
"Action": [
"sts:DecodeAuthorizationMessage",
"sts:GetCallerIdentity"
],
"Resource": "*"
},
{
"Sid": "PrismaCloudElasticBeanstalk4",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::elasticbeanstalk-*/*"
]
]
}
},
{
"Sid": "PrismaCloudGuardduty1",
"Effect": "Allow",
"Action": [
"guardduty:GetDetector",
"guardduty:GetFindings",
"guardduty:ListDetectors",
"guardduty:ListFindings"
],
"Resource": "*"
},
{
"Sid": "PrismaCloudPCCAgentlessKMS5",
"Effect": "Allow",
"Action": [
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:ReEncryptFrom",
"kms:ReEncryptTo"
],
"Resource": "*"
},
{
"Sid": "PrismaCloudPCCAgentlessNetworkActions9",
"Effect": "Allow",
"Action": [
"ec2:CreateInternetGateway",
"ec2:CreateSubnet",
"ec2:CreateVpc"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/created-by": "prismacloud-agentless-scan"
}
},
"Resource": "*"
},
{
"Sid": "PrismaCloudComputeAgentless1",
"Effect": "Allow",
"Action": [
"ec2:CreateRoute",
"ec2:DeleteNetworkInterface",
"ec2:DescribeInternetGateways",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRouteTables",
"ec2:DescribeVpcs"
],
"Resource": "*"
},
{
"Sid": "PrismaCloudPCCAgentlessServiceLinkedRole4",
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Condition": {
"StringLike": {
"iam:AWSServiceName": "spot.amazonaws.com"
}
},
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::*:role/aws-service-role/spot.amazonaws.com/*"
]
]
}
]
},
{
"Sid": "PrismaCloudBridgecrew1",
"Effect": "Allow",
"Action": [
"cloudformation:DescribeStackResources",
"cloudformation:GetTemplate",
"cloudformation:ListStacks",
"lambda:GetEventSourceMapping",
"lambda:GetFunction",
"lambda:GetLayerVersion",
"s3:ListBucket",
"sns:GetSubscriptionAttributes"
],
"Resource": "*"
},
{
"Sid": "PrismaCloudEBRuleStatusPermissions3",
"Effect": "Allow",
"Action": [
"cloudtrail:DescribeTrails",
"cloudtrail:GetEventSelectors",
"cloudtrail:GetTrailStatus",
"ec2:DescribeRegions",
"events:DescribeApiDestination",
"events:DescribeConnection",
"events:DescribeRule",
"events:ListTargetsByRule"
],
"Resource": "*"
},
{
"Sid": "PrismaCloudPCCAgentlessRW3",
"Effect": "Allow",
"Action": [
"ec2:CreateSnapshot",
"ec2:CreateSnapshots",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstances",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:RunInstances",
"iam:SimulatePrincipalPolicy"
],
"Resource": "*"
},
{
"Sid": "PrismaCloudInspector1",
"Effect": "Allow",
"Action": [
"inspector:DescribeAssessmentTemplates",
"inspector:DescribeFindings",
"inspector:DescribeRulesPackages",
"inspector:ListAssessmentRunAgents",
"inspector:ListAssessmentRuns",
"inspector:ListAssessmentTemplates",
"inspector:ListFindings",
"inspector:ListRulesPackages"
],
"Resource": "*"
},
{
"Sid": "PrismaCloudEBRuleManagementPermissions2",
"Effect": "Allow",
"Action": [
"events:DeleteRule",
"events:DisableRule",
"events:EnableRule",
"events:PutRule",
"events:RemoveTargets"
],
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":events:*:",
{
"Ref": "AWS::AccountId"
},
":rule/",
{
"Fn::FindInMap": [
"EventBridgeMap",
"EventBridgeRuleNamePrefix",
"Value"
]
}
]
]
}
]
},
{
"Sid": "PrismaCloudPCCAgentlessRM2",
"Effect": "Allow",
"Action": [
"ec2:AttachInternetGateway",
"ec2:CreateSubnet",
"ec2:DeleteInternetGateway",
"ec2:DeleteSnapshot",
"ec2:DeleteSubnet",
"ec2:DeleteVpc",
"ec2:DetachInternetGateway",
"ec2:ModifySnapshotAttribute",
"ec2:TerminateInstances"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/created-by": "prismacloud-agentless-scan"
}
},
"Resource": "*"
},
{
"Sid": "PrismaCloudComputeServerlessScan1",
"Effect": "Allow",
"Action": [
"ec2:DescribeImages",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:SimulatePrincipalPolicy",
"kms:Decrypt",
"lambda:DeleteLayerVersion",
"lambda:GetFunction",
"lambda:GetFunctionConfiguration",
"lambda:GetLayerVersion",
"lambda:ListFunctions",
"lambda:ListLayerVersions",
"lambda:ListLayers",
"lambda:PublishLayerVersion",
"lambda:UpdateFunctionConfiguration"
],
"Resource": "*"
}
]
}
}
},
"prismacloud2": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"ManagedPolicyName": {
"Fn::Join": [
"",
[
"prisma_cloud_2-123456789012345678",
"-",
{
"Ref": "PrismaCloudRoleName"
}
]
]
},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PrismaCloudPCCAgentlessTags8",
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/created-by": "prismacloud-agentless-scan"
}
},
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ec2:*::snapshot/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ec2:*:*:instance/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ec2:*:*:vpc/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ec2:*:*:subnet/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ec2:*:*:internet-gateway/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ec2:*:*:volume/*"
]
]
}
]
},
{
"Sid": "PrismaCloudRemediation1",
"Effect": "Allow",
"Action": [
"acm:UpdateCertificateOptions",
"cloudtrail:StartLogging",
"cloudtrail:UpdateTrail",
"ec2:ModifyImageAttribute",
"ec2:ModifySnapshotAttribute",
"ec2:ModifySubnetAttribute",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ecs:UpdateClusterSettings",
"eks:UpdateClusterConfig",
"elasticache:ModifyReplicationGroup",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"iam:UpdateAccountPasswordPolicy",
"kms:EnableKeyRotation",
"lambda:UpdateFunctionConfiguration",
"rds:ModifyDBCluster",
"rds:ModifyDBClusterSnapshotAttribute",
"rds:ModifyDBInstance",
"rds:ModifyDBSnapshotAttribute",
"rds:ModifyEventSubscription",
"redshift:ModifyCluster",
"s3:PutBucketAcl",
"s3:PutBucketPublicAccessBlock",
"s3:PutBucketVersioning"
],
"Resource": "*"
},
{
"Sid": "PrismaCloudComputeDiscovery1",
"Effect": "Allow",
"Action": [
"apigateway:GET",
"cloudfront:ListDistributions",
"cloudwatch:DescribeAlarms",
"ec2:DescribeTags",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTargetGroups",
"events:ListRules",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"kms:Decrypt",
"lambda:GetFunction",
"lambda:GetFunctionConfiguration",
"lambda:GetFunctionUrlConfig",
"lambda:GetPolicy",
"lambda:ListAliases",
"lambda:ListEventSourceMappings",
"lambda:ListFunctions",
"logs:DescribeSubscriptionFilters",
"s3:GetBucketNotification",
"secretsmanager:GetSecretValue",
"ssm:GetParameter"
],
"Resource": "*"
},
{
"Sid": "PrismaCloudComputeAutoProtect1",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:DeleteSecurityGroup",
"ec2:DescribeImages",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeInstances",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:RevokeSecurityGroupEgress",
"ec2:RunInstances",
"ec2:TerminateInstances",
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:DescribeImageScanFindings",
"ecr:DescribeImages",
"ecr:DescribeRepositories",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:ListTagsForResource",
"lambda:GetFunctionConfiguration",
"lambda:GetLayerVersion",
"logs:GetQueryResults",
"logs:StartQuery",
"securityhub:BatchImportFindings",
"ssm:CancelCommand",
"ssm:CreateAssociation",
"ssm:DescribeInstanceInformation",
"ssm:ListCommandInvocations",
"ssm:SendCommand"
],
"Resource": "*"
}
]
}
}
},
"prismacloud3": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"ManagedPolicyName": {
"Fn::Join": [
"",
[
"prisma_cloud_3-123456789012345678",
"-",
{
"Ref": "PrismaCloudRoleName"
}
]
]
},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PrismaCloudConfig3",
"Effect": "Allow",
"Action": [
"memorydb:DescribeClusters",
"memorydb:DescribeParameterGroups",
"memorydb:DescribeParameters",
"memorydb:ListTags",
"mobiletargeting:GetApps",
"mobiletargeting:GetEmailChannel",
"mobiletargeting:GetSmsChannel",
"mq:DescribeBroker",
"mq:ListBrokers",
"organizations:DescribeAccount",
"organizations:DescribeOrganization",
"organizations:DescribeOrganizationalUnit",
"organizations:DescribePolicy",
"organizations:ListAccounts",
"organizations:ListAccountsForParent",
"organizations:ListChildren",
"organizations:ListOrganizationalUnitsForParent",
"organizations:ListParents",
"organizations:ListPolicies",
"organizations:ListPoliciesForTarget",
"organizations:ListRoots",
"organizations:ListTagsForResource",
"qldb:DescribeLedger",
"qldb:ListLedgers",
"qldb:ListTagsForResource",
"quicksight:DescribeAccountSettings",
"quicksight:ListDataSets",
"quicksight:ListDataSources",
"quicksight:ListTagsForResource",
"ram:GetResourceShares",
"ram:ListPrincipals",
"ram:ListResources",
"rds:DescribeDBClusterParameterGroups",
"rds:DescribeDBClusterParameters",
"rds:DescribeDBClusterSnapshotAttributes",
"rds:DescribeDBClusterSnapshots",
"rds:DescribeDBClusters",
"rds:DescribeDBInstances",
"rds:DescribeDBParameterGroups",
"rds:DescribeDBParameters",
"rds:DescribeDBSnapshotAttributes",
"rds:DescribeDBSnapshots",
"rds:DescribeEventSubscriptions",
"rds:DescribeOptionGroups",
"rds:ListTagsForResource",
"redshift:DescribeClusterParameters",
"redshift:DescribeClusters",
"redshift:DescribeLoggingStatus",
"route53:ListHostedZones",
"route53:ListQueryLoggingConfigs",
"route53:ListResourceRecordSets",
"route53:ListTagsForResource",
"route53domains:GetDomainDetail",
"route53domains:ListDomains",
"route53domains:ListTagsForDomain",
"route53resolver:ListResolverQueryLogConfigAssociations",
"route53resolver:ListResolverQueryLogConfigs",
"route53resolver:ListTagsForResource",
"s3:DescribeJob",
"s3:GetAccessPoint",
"s3:GetAccessPointPolicy",
"s3:GetAccessPointPolicyStatus",
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketOwnershipControls",
"s3:GetBucketPolicy",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetJobTagging",
"s3:GetLifecycleConfiguration",
"s3:GetReplicationConfiguration",
"s3:ListAccessPoints",
"s3:ListAllMyBuckets",
"s3:ListJobs",
"sagemaker:DescribeDomain",
"sagemaker:DescribeEndpoint",
"sagemaker:DescribeEndpointConfig",
"sagemaker:DescribeModel",
"sagemaker:DescribeNotebookInstance",
"sagemaker:DescribeTrainingJob",
"sagemaker:DescribeUserProfile",
"sagemaker:ListDomains",
"sagemaker:ListEndpointConfigs",
"sagemaker:ListEndpoints",
"sagemaker:ListModels",
"sagemaker:ListNotebookInstances",
"sagemaker:ListTags",
"sagemaker:ListTrainingJobs",
"sagemaker:ListUserProfiles",
"secretsmanager:DescribeSecret",
"secretsmanager:GetResourcePolicy",
"secretsmanager:ListSecrets",
"ses:GetIdentityDkimAttributes",
"ses:GetIdentityPolicies",
"ses:ListIdentities",
"ses:ListIdentityPolicies",
"shield:GetSubscriptionState",
"shield:ListProtectionGroups",
"shield:ListProtections",
"shield:ListResourcesInProtectionGroup",
"shield:ListTagsForResource",
"sns:GetTopicAttributes",
"sns:ListPlatformApplications",
"sns:ListSubscriptions",
"sns:ListTagsForResource",
"sns:ListTopics",
"sqs:GetQueueAttributes",
"sqs:ListQueueTags",
"sqs:ListQueues",
"ssm:DescribeAssociation",
"ssm:DescribeDocument",
"ssm:DescribeDocumentPermission",
"ssm:DescribeInstanceInformation",
"ssm:DescribeParameters",
"ssm:GetDocument",
"ssm:GetInventory",
"ssm:GetParameters",
"ssm:ListAssociations",
"ssm:ListDocuments",
"ssm:ListTagsForResource",
"sso:DescribePermissionSet",
"sso:ListAccountAssignments",
"sso:ListAccountsForProvisionedPermissionSet",
"sso:ListInstances",
"sso:ListPermissionSets",
"states:DescribeStateMachine",
"states:ListStateMachines",
"states:ListTagsForResource",
"storagegateway:DescribeCachediSCSIVolumes",
"storagegateway:DescribeGatewayInformation",
"storagegateway:DescribeNFSFileShares",
"storagegateway:DescribeSMBFileShares",
"storagegateway:DescribeSMBSettings",
"storagegateway:DescribeTapes",
"storagegateway:ListFileShares",
"storagegateway:ListGateways",
"storagegateway:ListTapes",
"storagegateway:ListVolumes",
"transcribe:ListLanguageModels",
"transcribe:ListTagsForResource",
"transfer:DescribeAccess",
"transfer:DescribeServer",
"transfer:ListAccesses",
"transfer:ListServers",
"translate:GetTerminology",
"translate:ListTerminologies",
"waf-regional:GetLoggingConfiguration",
"waf-regional:GetWebACL",
"waf-regional:ListResourcesForWebACL",
"waf-regional:ListTagsForResource",
"waf-regional:ListWebACLs",
"waf:GetLoggingConfiguration",
"waf:GetWebACL",
"waf:ListTagsForResource",
"waf:ListWebACLs",
"wafv2:GetLoggingConfiguration",
"wafv2:GetWebACL",
"wafv2:ListResourcesForWebACL",
"wafv2:ListTagsForResource",
"wafv2:ListWebACLs",
"workspaces:DescribeIpGroups",
"workspaces:DescribeTags",
"workspaces:DescribeWorkspaceBundles",
"workspaces:DescribeWorkspaceDirectories",
"workspaces:DescribeWorkspaces",
"xray:GetEncryptionConfig"
],
"Resource": "*"
}
]
}
}
},
"prismacloud4": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"ManagedPolicyName": {
"Fn::Join": [
"",
[
"prisma_cloud_4-123456789012345678",
"-",
{
"Ref": "PrismaCloudRoleName"
}
]
]
},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PrismaCloudConfig1",
"Effect": "Allow",
"Action": [
"access-analyzer:GetAnalyzer",
"access-analyzer:ListAnalyzers",
"account:GetAlternateContact",
"acm-pca:GetPolicy",
"acm-pca:ListCertificateAuthorities",
"acm-pca:ListTags",
"acm:DescribeCertificate",
"acm:ListCertificates",
"acm:ListTagsForCertificate",
"airflow:GetEnvironment",
"airflow:ListEnvironments",
"amplify:ListApps",
"apigateway:GET",
"appflow:DescribeFlow",
"appflow:ListFlows",
"appmesh:DescribeMesh",
"appmesh:DescribeVirtualGateway",
"appmesh:ListMeshes",
"appmesh:ListTagsForResource",
"appmesh:ListVirtualGateways",
"apprunner:DescribeAutoScalingConfiguration",
"apprunner:DescribeCustomDomains",
"apprunner:DescribeService",
"apprunner:ListAutoScalingConfigurations",
"apprunner:ListServices",
"apprunner:ListTagsForResource",
"appstream:DescribeFleets",
"appstream:DescribeImages",
"appstream:DescribeStacks",
"appstream:DescribeUsageReportSubscriptions",
"appstream:ListTagsForResource",
"appsync:GetGraphqlApi",
"appsync:ListGraphqlApis",
"aps:DescribeLoggingConfiguration",
"aps:ListWorkspaces",
"athena:GetWorkGroup",
"athena:ListWorkGroups",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"backup:GetBackupVaultAccessPolicy",
"backup:ListBackupVaults",
"backup:ListTags",
"batch:DescribeComputeEnvironments",
"chime:GetVoiceConnectorLoggingConfiguration",
"chime:ListVoiceConnectors",
"cloud9:DescribeEnvironmentMemberships",
"cloud9:DescribeEnvironments",
"cloud9:ListEnvironments",
"cloud9:ListTagsForResource",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStacks",
"cloudformation:GetStackPolicy",
"cloudformation:GetTemplate",
"cloudformation:ListStackResources",
"cloudformation:ListStacks",
"cloudfront:GetDistribution",
"cloudfront:GetDistributionConfig",
"cloudfront:ListDistributions",
"cloudfront:ListOriginAccessControls",
"cloudfront:ListTagsForResource",
"cloudsearch:DescribeDomains",
"cloudtrail:DescribeTrails",
"cloudtrail:GetEventSelectors",
"cloudtrail:GetTrailStatus",
"cloudtrail:ListTags",
"cloudwatch:DescribeAlarms",
"cloudwatch:DescribeInsightRules",
"cloudwatch:ListTagsForResource",
"codeartifact:DescribeDomain",
"codeartifact:DescribeRepository",
"codeartifact:GetDomainPermissionsPolicy",
"codeartifact:GetRepositoryPermissionsPolicy",
"codeartifact:ListDomains",
"codeartifact:ListRepositories",
"codeartifact:ListTagsForResource",
"codebuild:BatchGetProjects",
"codebuild:ListProjects",
"codepipeline:GetPipeline",
"codepipeline:ListPipelines",
"codepipeline:ListTagsForResource",
"cognito-identity:DescribeIdentityPool",
"cognito-identity:ListIdentityPools",
"cognito-identity:ListTagsForResource",
"cognito-idp:ListResourcesForWebACL",
"cognito-idp:ListTagsForResource",
"cognito-idp:ListUserPools",
"config:DescribeConfigRules",
"config:DescribeConfigurationRecorderStatus",
"config:DescribeConfigurationRecorders",
"config:DescribeDeliveryChannels",
"config:GetComplianceDetailsByConfigRule",
"config:ListTagsForResource",
"connect:ListInstanceAttributes",
"connect:ListInstanceStorageConfigs",
"connect:ListInstances",
"databrew:DescribeJob",
"databrew:ListJobs",
"datapipeline:DescribePipelines",
"datapipeline:GetPipelineDefinition",
"datapipeline:ListPipelines",
"datasync:DescribeLocationEfs",
"datasync:DescribeLocationFsxLustre",
"datasync:DescribeLocationFsxOntap",
"datasync:DescribeLocationFsxOpenZfs",
"datasync:DescribeLocationFsxWindows",
"datasync:DescribeLocationHdfs",
"datasync:DescribeLocationNfs",
"datasync:DescribeLocationObjectStorage",
"datasync:DescribeLocationS3",
"datasync:DescribeLocationSmb",
"datasync:ListLocations",
"datasync:ListTagsForResource",
"datasync:ListTasks",
"dax:DescribeClusters",
"dax:ListTags",
"devops-guru:DescribeServiceIntegration",
"directconnect:DescribeConnections",
"directconnect:DescribeDirectConnectGateways",
"directconnect:DescribeVirtualInterfaces",
"dms:DescribeCertificates",
"dms:DescribeEndpoints",
"dms:DescribeReplicationInstances",
"dms:ListTagsForResource",
"ds:DescribeDirectories",
"ds:ListTagsForResource",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeClientVpnAuthorizationRules",
"ec2:DescribeClientVpnEndpoints",
"ec2:DescribeDhcpOptions",
"ec2:DescribeFlowLogs",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeKeyPairs",
"ec2:DescribeManagedPrefixLists",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeTransitGatewayAttachments",
"ec2:DescribeTransitGatewayRouteTables",
"ec2:DescribeTransitGatewayVpcAttachments",
"ec2:DescribeTransitGateways",
"ec2:DescribeVolumes",
"ec2:DescribeVpcEndpointServiceConfigurations",
"ec2:DescribeVpcEndpointServices",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeVpcs",
"ec2:DescribeVpnConnections",
"ec2:DescribeVpnGateways",
"ec2:GetEbsEncryptionByDefault",
"ec2:GetManagedPrefixListEntries",
"ec2:SearchTransitGatewayRoutes",
"ecr-public:DescribeRepositories",
"ecr-public:GetRepositoryCatalogData",
"ecr-public:GetRepositoryPolicy",
"ecr-public:ListTagsForResource",
"ecr:DescribeImages",
"ecr:DescribePullThroughCacheRules",
"ecr:DescribeRegistry",
"ecr:DescribeRepositories",
"ecr:GetLifecyclePolicy",
"ecr:GetRegistryPolicy",
"ecr:GetRegistryScanningConfiguration",
"ecr:GetRepositoryPolicy",
"ecr:ListTagsForResource",
"ecs:DescribeClusters"
],
"Resource": "*"
}
]
}
}
},
"prismacloud5": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"ManagedPolicyName": {
"Fn::Join": [
"",
[
"prisma_cloud_5-123456789012345678",
"-",
{
"Ref": "PrismaCloudRoleName"
}
]
]
},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PrismaCloudConfig2",
"Effect": "Allow",
"Action": [
"ecs:DescribeContainerInstances",
"ecs:DescribeServices",
"ecs:DescribeTaskDefinition",
"ecs:DescribeTasks",
"ecs:ListClusters",
"ecs:ListContainerInstances",
"ecs:ListServices",
"ecs:ListTagsForResource",
"ecs:ListTaskDefinitions",
"ecs:ListTasks",
"eks:DescribeCluster",
"eks:DescribeFargateProfile",
"eks:DescribeNodegroup",
"eks:ListClusters",
"eks:ListFargateProfiles",
"eks:ListNodegroups",
"eks:ListTagsForResource",
"elasticache:DescribeCacheClusters",
"elasticache:DescribeCacheEngineVersions",
"elasticache:DescribeCacheSubnetGroups",
"elasticache:DescribeReplicationGroups",
"elasticache:DescribeReservedCacheNodes",
"elasticache:DescribeSnapshots",
"elasticache:ListTagsForResource",
"elasticbeanstalk:DescribeConfigurationSettings",
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:ListTagsForResource",
"elasticfilesystem:DescribeFileSystemPolicy",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargetSecurityGroups",
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:DescribeTags",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:DescribeSecurityConfiguration",
"elasticmapreduce:GetBlockPublicAccessConfiguration",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListSecurityConfigurations",
"es:DescribeElasticsearchDomains",
"es:ListDomainNames",
"es:ListTags",
"events:ListEventBuses",
"events:ListRules",
"events:ListTagsForResource",
"events:ListTargetsByRule",
"firehose:DescribeDeliveryStream",
"firehose:ListDeliveryStreams",
"firehose:ListTagsForDeliveryStream",
"forecast:DescribeAutoPredictor",
"forecast:DescribeDataset",
"forecast:DescribePredictor",
"forecast:ListDatasets",
"forecast:ListPredictors",
"forecast:ListTagsForResource",
"fsx:DescribeFileSystems",
"glacier:GetVaultAccessPolicy",
"glacier:GetVaultLock",
"glacier:ListTagsForVault",
"glacier:ListVaults",
"globalaccelerator:DescribeAcceleratorAttributes",
"globalaccelerator:ListAccelerators",
"globalaccelerator:ListTagsForResource",
"glue:GetConnection",
"glue:GetConnections",
"glue:GetDataCatalogEncryptionSettings",
"glue:GetDatabases",
"glue:GetSecurityConfigurations",
"grafana:DescribeWorkspace",
"grafana:DescribeWorkspaceAuthentication",
"grafana:ListWorkspaces",
"guardduty:GetDetector",
"guardduty:GetFindings",
"guardduty:GetMasterAccount",
"guardduty:ListDetectors",
"guardduty:ListFindings",
"iam:GenerateCredentialReport",
"iam:GenerateServiceLastAccessedDetails",
"iam:GetAccountAuthorizationDetails",
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:GetCredentialReport",
"iam:GetGroupPolicy",
"iam:GetOpenIDConnectProvider",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetSAMLProvider",
"iam:GetServiceLastAccessedDetails",
"iam:GetUserPolicy",
"iam:ListAccessKeys",
"iam:ListAttachedGroupPolicies",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListEntitiesForPolicy",
"iam:ListGroupPolicies",
"iam:ListGroups",
"iam:ListGroupsForUser",
"iam:ListInstanceProfilesForRole",
"iam:ListMFADeviceTags",
"iam:ListMFADevices",
"iam:ListOpenIDConnectProviders",
"iam:ListPolicies",
"iam:ListPolicyTags",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:ListRoleTags",
"iam:ListRoles",
"iam:ListSAMLProviderTags",
"iam:ListSAMLProviders",
"iam:ListSSHPublicKeys",
"iam:ListServerCertificateTags",
"iam:ListServerCertificates",
"iam:ListUserPolicies",
"iam:ListUserTags",
"iam:ListUsers",
"iam:ListVirtualMFADevices",
"identitystore:ListGroupMemberships",
"identitystore:ListGroups",
"identitystore:ListUsers",
"inspector:DescribeAssessmentTemplates",
"inspector:DescribeFindings",
"inspector:DescribeRulesPackages",
"inspector:ListAssessmentRunAgents",
"inspector:ListAssessmentRuns",
"inspector:ListAssessmentTemplates",
"inspector:ListFindings",
"inspector:ListRulesPackages",
"iot:DescribeAccountAuditConfiguration",
"iot:DescribeDomainConfiguration",
"iot:ListDomainConfigurations",
"iot:ListTagsForResource",
"kafka:ListClusters",
"kendra:DescribeIndex",
"kendra:ListTagsForResource",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"kinesis:ListTagsForStream",
"kinesisanalytics:DescribeApplication",
"kinesisanalytics:ListApplications",
"kinesisanalytics:ListTagsForResource",
"kinesisvideo:DescribeNotificationConfiguration",
"kinesisvideo:ListStreams",
"kinesisvideo:ListTagsForStream",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:ListKeyPolicies",
"kms:ListKeys",
"kms:ListResourceTags",
"lakeformation:GetDataLakeSettings",
"lambda:GetFunctionUrlConfig",
"lambda:GetLayerVersionPolicy",
"lambda:GetPolicy",
"lambda:ListCodeSigningConfigs",
"lambda:ListFunctions",
"lambda:ListLayerVersions",
"lambda:ListLayers",
"lambda:ListTags",
"lex:DescribeBot",
"lex:DescribeBotVersion",
"lex:GetBot",
"lex:GetBotVersions",
"lex:GetBots",
"lex:ListBotVersions",
"lex:ListBots",
"lex:ListTagsForResource",
"lightsail:GetInstances",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:DescribeMetricFilters",
"logs:DescribeSubscriptionFilters",
"logs:GetLogEvents",
"logs:ListTagsLogGroup",
"macie2:GetClassificationExportConfiguration",
"macie2:GetFindingsPublicationConfiguration",
"macie2:GetMacieSession",
"macie2:GetRevealConfiguration",
"mediastore:GetContainerPolicy",
"mediastore:GetCorsPolicy",
"mediastore:ListContainers",
"mediastore:ListTagsForResource"
],
"Resource": "*"
}
]
}
}
}
},
"Outputs": {
"PrismaCloudRoleARN": {
"Description": "Information about the value",
"Value": {
"Fn::GetAtt": [
"PrismaCloudRole",
"Arn"
]
}
}
}
}

Provide a required OrganizationalUnitIds parameter in the CFT to create Organization stack. This will create member roles for the specified OrganizationalUnitIds. Specify the organizational root OU ID (prefix r-) to run it for all the accounts under the Organization, else provide a comma-separated list of OU IDs (prefix ou-). Refer to AWS Organization details Guide for more info.

Example: OrganizationalUnitIds = "r-abcd". "r-abcd" is the AWS organizational root OU ID for the ORG account which indicates that member roles should get created on all the accounts that the organization has access to.

info
  • The IAM roles created in member accounts will be of the format: <organization-iam-role-name>-member

3. Onboard your AWS Organization to Prisma Cloud

Invoke the Add AWS Cloud Account alt text with the IAM Role ARN created in the previous step, required features state, and other payload.

The "Cloud Visibility Compliance and Governance" value of the features property in the request body is enabled by default. Hence, do not include this in the features field. An empty features list indicates that the default capabilities under "Cloud Visibility Compliance and Governance" are enabled.

A sample request to onboard an AWS Organization
curl -v --request POST 'https://api.prismacloud.io/cas/v1/aws_account' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'x-redlock-auth: <YOUR_TOKEN>' \
--data-raw '{
"accountId": "<accountId>",
"accountType": "organization",
"enabled": true,
"groupIds": [
"<groupId>"
],
"defaultAccountGroupId": "<default-groupId-for-organization-and-member_accounts>",
"name": "<Organization name to be added in prisma>",
"roleArn": "<iam-role-arn>",
"features": [
{
"name": "Agentless Scanning",
"state": "enabled"
},
{
"name": "Auto Protect",
"state": "disabled"
},
{
"name": "Remediation",
"state": "disabled"
},
{
"name": "Serverless Function Scanning",
"state": "enabled"
}
],
"hierarchySelection": [
{
"displayName": "Root",
"nodeType": "ORG",
"resourceId": "root",
"selectionType": "ALL"
}
]
}'

Sample Response

  200 (Success)