AWS Monitoring Issues

Service Control Policies

Service Control Policies (SCPs) serve as organization policies to manage permissions within an organization, providing central control over maximum permissions for all accounts. SCPs are designed to ensure compliance with access control guidelines by defining limits on actions delegated to IAM users and roles in affected accounts.

• Issues: Limited capability of Prisma Cloud DSPM in organizations due to SCPs.
• Symptom: In some organizations, SCPs may restrict the functionality of Prisma Cloud DSPM.
• Solution: Try the following solutions to solve SCP issues:

1. Identification
   • Confirm the existence of SCPs affecting the organization's accounts.
   • Verify if Prisma Cloud DSPM's capabilities are restricted by SCPs.
2. Review SCP Configuration
   • Access the SCP configuration settings for the organization.
   • Identify the specific SCP that affects Prisma Cloud DSPM.
3. Update SCP for Prisma Cloud DSPM
   • Modify the SCP to allow necessary access for the Prisma Cloud DSPM role.
   • Adjust permissions within the SCP to align with the operational requirements of Prisma Cloud DSPM.
4. Validation
   • Confirm the changes made to the SCP for Prisma Cloud DSPM.
   • Test Prisma Cloud DSPM's operations to ensure that the desired capabilities are restored.
5. Documentation
   • Document the changes made to the SCP and the resolution process.
   • Update internal documentation regarding SCP configurations to reflect the adjustments for Prisma Cloud DSPM.

Additional Resources

Refer to AWS Service Control Policies for a comprehensive understanding of SCPs and their configuration options.

Quota Issues

Virtual Private Cloud (VPC) Quota Exceeded

• Issue: AWS account has reached the limit on the concurrent number of VPCs per region at any given time.
• Symptom: Error message is generated when the quota for the permissible number of VPCs reaches the limit.
• Solution: In the AWS Console, increase the number of VPCs per region, for more information refer to Amazon VPC quotas.

Elastic IP Addresses Quota Exceeded

• Issue: AWS account has reached the limit on the concurrent number of Elastic IP addresses per region at any given time.
• Symptom: Error message is generated when the quota for the permissible number of Elastic IP addresses reaches the limit.
• Solution: In the AWS Console, increase the number of Elastic IP addresses per region, for more information refer to Amazon Elastic IP addresses quotas.

S3 Bucket Quota Exceeded

• Issue: AWS account has reached the limit on the concurrent number of S3 buckets.
• Symptom: Error message is generated when the quota for the permissible number of S3 buckets reaches the limit.
• Solution: In the AWS Console, increase the number of S3 buckets, for more information refer to Bucket Restrictions and Limitations.

EventBridge Rule Invocation Throttled

• Issue: AWS account has reached the limit on the EventBridge invocations per second.
• Symptom: Error message is generated when the quota for the number of invocations per second reaches the limit set per region.
• Solution: In the AWS Console, increase the number of “Invocations throttle limit in transactions per second” for the affected region. for more information refer to Amazon EventBridge quotas.

IAM Misconfiguration

Failure to assume Role

• Issue: Prisma Cloud DSPM uses a set of roles and permissions to perform data discovery and classification. We have encountered an issue utilizing those roles and permissions.
• Symptom: Error message is generated when failing to assume a role.
• Solution: Validate the following:
  1. The role presented in the issue details exists in the account.
  2. The trust relationship between the above role and the user role is configured correctly.
  3. The above role has all the permissions listed as the required permissions for Prisma Cloud DSPM.

DDR Permissions Out of Date

• Issue: Prisma Cloud DSPM uses a set of permissions to access Event Bridge to operate the DDR capability as needed. We have encountered an issue where the current permissions provided appears to be out-of-date which prevents Prisma Cloud DSPM from fully operating its’ Data Detection and Response capability.
• Symptom: Error message is generated when failing to access Event Bridge.
• Solution: To resolve the issue by updating the permissions, follow these steps:
  1. In Prisma Cloud DSPM, click Preferences. The Integrations tab opens by default.
  2. In the Cloud Platforms section, go to the AWS thumbnail, and click Configure. The AWS Connected Accounts window opens.
  3. To update the permissions for a specific account, click Update Required to run the update.

Missing permissions on the KMS

• Issue: Prisma Cloud DSPM utilizes the AWS KMS to access encrypted information. We have encountered an issue utilizing a KMS key for a Redshift instance.
• Symptom: Error message is generated when failing to use the KMS key.
• Solution: Follow the following steps:

1. Add an alias to the KMS key
   1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
   2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
   3. In the navigation pane, choose Customer managed keys.
   4. In the table, choose the key ID according to the KMS Key ARN that appeared on the error page. Then, on the KMS key detail page, choose the Aliases tab.
      If a KMS key has multiple aliases, the Aliases column in the table displays one alias and an alias summary, such as (+n more). Choosing the alias summary takes you directly to the Aliases tab on the KMS key detail page.
   5. On the Aliases tab, choose Create alias. Enter “dig-security-redshift” as the alias name and choose Create alias.
2. Add a tag to the KMS key
   1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
   2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
   3. In the navigation pane, choose Customer managed keys.
   4. In the table, choose the key ID according to the KMS Key ARN that appeared on the error page.
   5. Select the check box next to the alias of a KMS key.
   6. Choose Key actions, Add or edit tags.
   7. On the details page for KMS key, choose the Tags tab.
      1. To create your first tag, choose Create tag, type the tag key “dig-security” and the tag value “true”, and then choose Save.
      2. To add a tag, choose Edit, choose Add tag, type a tag key “dig-security” and the tag value “true”, and then choose Save.
      3. To save your changes, choose Save changes.
3. Update the KMS key policy
   1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
   2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
   3. In the navigation pane, choose Customer managed keys.
   4. In the table, choose the key ID according to the KMS Key ARN that appeared on the error page.
   5. Choose the Key policy tab.
   6. Choose Edit.
   7. Add the policy statement that appeared on the error page.
   8. To save your changes, choose Save changes.

Cloud Resources

VM failed to communicate with Prisma Cloud console

• Issue: Prisma Cloud DSPM uses VMs running scanner engines to perform classification. Each VM must transmit constant status and updates to the Prisma Cloud console . We have encountered an issue where one or more VMs has failed to transmit such information.
• Symptom: Error message is generated when the VM (that is spun up in the private subnet) is trying to communicate with the Prisma Cloud console.
• Solution: Validate the following:
  1. A security group is properly configured as described in the documentation.
  2. A NAT Gateway is properly configured as described in the documentation.
  3. A route table rule redirecting traffic from private subnet to a NAT Gateway exists.
  4. If using an internet Gateway:
     1. Make sure it is properly configured as described in the documentation.
     2. Make sure that a route table rule redirecting traffic to the Internet Gateway exists (in the route table associated with the public subnet).
  5. If you are still experiencing the issue, please contact Prisma Cloud support.

VM failed to communicate with Audit Storage

• Issue: Prisma Cloud DSPM uses VMs running scanner engines to perform classification, and the classification results are stored within a dedicated audit storage. We have encountered an issue where communication between a VM and an audit bucket has failed.
• Symptom: Error message is generated when the VM (that is spun up in the private subnet) is trying to communicate with the audit bucket.
• Solution: Validate the following:
  1. A security group is properly configured as described in the documentation.
  2. If you are still experiencing the issue, please contact Prisma Cloud support.

Resource Not Found

• Issue: Prisma Cloud DSPM uses a set of networking resources to initiate scanner engines and perform classification. We have encountered an issue where a required resource is missing which prevents normal operations.
• Symptom: Error message is generated when trying to identify the required resources.
• Solution: Validate the following:
  1. All resources were created as described in the documentation.
  2. The resource IDs provided in the custom deployment form match the actual resources in the corresponding region.
  3. If you are still experiencing the issue, please contact Prisma Cloud support.

Handling Default EBS Encryption

If you have Default EBS Encryption enabled, you would need to add the permissions for Prisma Cloud DSPM to use the encryption key to spin up EC2 instances.

Note that the Default EBS Encryption feature is per-region per orchestrator account. so this process needs to be done for each one of them.

To check if you have Default EBS Encryption enabled, follow the these steps:

1. Open the Amazon EC2 console.
2. In the navigation bar, select the Region.
3. In the upper-right corner, choose "Data protection and security"
4. Under "EBS encryption" section you can see the Default encryption key.

To add the required permissions to the KMS, follow these steps:

1. Search for the relevant KMS Id in the KMS navigation page.
2. Add the following statement to the KMS resource-policy:

{
      "Sid": "Allow access for DigSecurityOrchestratorRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<Account-ID>:role/DigSecurityOrchestratorRole"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Get*",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
}