Overview

Prisma Cloud DSPM Orchestrator is used to securely detect and classify sensitive information in your environment, while keeping your data in the organization. You can integrate all of your AWS accounts with Prisma Cloud DSPM and monitor them using Orchestrator. You can either use a single Orchestrator to monitor all accounts, or use multiple Orchestrators in case separation between environments is required.

NOTE: Prisma Cloud DSPM automatically attempts to apply environment labels to projects that are not labeled to the best of its ability.

Onboard Prisma Cloud DSPM Orchestrator to Your AWS Environment

When integrating an AWS account with Prisma Cloud DSPM for the first time, you need to approve the installation of Orchestrator in your account to enable Prisma Cloud DSPM to monitor your environment.

1. Sign in to your Prisma Cloud DSPM account.
2. Go to Preferences > Integrations.
3. Navigate to the AWS option, click Configure.
   
4. Select Add New  and then Add single account.
5. There are two options available for connecting a new AWS account, either by using CloudFormation or by using Terraform.
   Click a link below according to your chosen option:
   • Add a new AWS account using CloudFormation
   • Add a new AWS account using Terraform

Add a new account using CloudFormation

1. After you have chosen to connect a new single account, sign in to the AWS account you want to onboard.
   NOTE:
   • Ensure your account has the permissions to create an IAM role and run a CloudFormation script.
   • Ensure your account has administrator privileges and a configured multi-region CloudTrail.
2. Choose the location of the orchestrator for the account. Either use an existing Orchestrator (select the required Orchestrator from the dropdown menu) or deploy a new Orchestrator in this account.
3. In the Generate Template drop down, select CloudFormation.
   
4. The Add AWS Account pop-up window opens. Click Open to be redirected to your AWS account or copy the template link to the address bar.
5. Click Done to close the pop-up or leave it open.

A stack is automatically created and starts to run. This process usually takes less than five minutes.

After the stack finishes running, the new account is listed under Connected Accounts in your AWS configuration page.

Add a new account using Terraform

When you initially integrate a Terraform-managed AWS account with Prisma Cloud DSPM, it is essential to grant approval for the installation of Orchestrator within your account. This step is crucial to enable Prisma Cloud DSPM to effectively scan your data.

1. After you have chosen to add a new single account, choose the location of the orchestrator for the account. Either use an existing Orchestrator (select the required Orchestrator from the dropdown menu) or deploy a new Orchestrator in this account.
2. In the Generate Template drop down, select Terraform to generate a Terraform module.
   
   
3. Click Copy to copy the Terraform module, and click Done.
   Important: Do not modify the Terraform module. If the module is modified, Prisma Cloud DSPM cannot provide seamless updates and manage permissions.
4. Insert the Terraform module into your Terraform pipeline.
5. Run the Terraform module. After the module has successfully run, your Terraform-managed AWS account is automatically onboarded into Prisma Cloud DSPM, and listed under Connected Accounts in your AWS configuration page.

Onboard Prisma Cloud DSPM Orchestrator Using Custom Network Resources

This option allows customers to input their own network resources instead of relying on the default resources provided by the platform. It also simplifies the process for customers who want to maintain control over their network infrastructure.

• The system validates the information provided and allows customers to make adjustments, such as adding or removing regions.
• When selecting custom network resources, a different template is applied with reduced permissions because fewer actions are required.

IMPORTANT NOTE: Once an account has been onboarded using either the standard or custom deployment method, it cannot be onboarded again using the other method. For example, if you have onboarded an orchestrator account using the standard method and wish to switch to a custom deployment, you must first offboard the account and then re-onboard it using the desired deployment method. This ensures a smooth transition and avoids conflicts between onboarding types.

To connect a new account:

1. Sign in to your Prisma Cloud DSPM account.
2. Go to Preferences > Integrations.
3. Navigate to the AWS option, click Configure.
4. Select Add New and then Add single account.
   
5. In the Connect New Account window, do the following:
   1. Select I want an orchestrator deployed in this account.
   2. Click Advanced Options.
   3. Select Use Custom Network Resources.
   4. Click Generate Template, and select Cloud Formation or Terraform, depending on your deployment preferences.
      
6. After clicking Generate Template, the Custom Network Resources template opens.
   1. Use the template to provide the necessary configurations for each required region, including VPC, private subnets, and security groups. Some inputs are mandatory, while others are optional.
   2. If you have multiple regions, configure each region separately.
   3. Click Save.
      
   4. The newly created account is added to the Connected Accounts list. The Custom label indicates the account has been created using custom network resources.
      

To edit the configurations:

1. In the Connect Accounts window, navigate to the custom account you want to edit.
2. Choose one of the following methods to edit the configuration:
3. Click the Custom button, and then click Edit configuration.
   
4. Click the cog icon and select Custom Network Resources.
   
5. Edit the configuration as required, and click Save.

Note: In case of an error, see the error details for more information and troubleshooting procedures. You can click the “Revalidate” button to run the validation process after fixing the issue.

Custom Deployment Resources

To facilitate scanning operations within the customer environment, Prisma Cloud DSPM requires multiple resources in the designated orchestrator account. These resources facilitate communication between the AWS orchestrator account and Prisma Cloud DSPM, and store classification results.

Required Resources

Prisma Cloud DSPM requires several network resources to be configured in the EC2 instances setup used to classify data and the Prisma Cloud Console.

For each region where data assets reside, the following resources are required:

• VPC
  • Purpose: Hosts and manages all Prisma Cloud DSPM resources.
  • Requirements:
    • CIDR: At least 1024 addresses in the specified CIDR.
      Recommended value: 10.0.0.0/22
  • Mandatory input in the DPSM console

IMPORTANT NOTE:
AWS offers a user-friendly VPC creation wizard that streamlines the process of setting up a VPC, allowing you to create all necessary resources with just a few clicks (except for Security Groups). To get started, simply navigate to the VPC page, select Create VPC, and then choose VPC and more. This makes the setup process quicker and more efficient, without the need for manual configuration of individual components.

• Security Groups
  • HTTPS Security Group
    • Purpose: allowing VMs to communicate with DSPM backend.
    • Mandatory input in the DSPM console
    • Requirements:
      • VPC: ID of the newly created VPC.
      • Outbound rule:
        • Type: HTTPS (Port 443)
        • Destination: Anywhere-IPv4
  • On-premise Fileshare Security Group (optional)
  • Should be set only if on-premise Fileshare scanning is required.
  • Optional input in the DSPM console
    • Requirements:
      • VPC: ID of the newly created VPC.
      • Outbound rule:
        • Type: SMB (Port 445)
        • Destination: <fileshare_ip>/32
  • EFS Security Group (optional)
  • Should be set only if EFS scanning is required.
    • Optional input in the DSPM console
    • Requirements:
      • VPC: ID of the newly created VPC.
      • Outbound rule:
        • Type: NFS (Port 2049)
        • Destination: Anywhere-IPv4

• Private Subnet
  • Purpose: Hosts the scanner VMs.
  • Requirements:
    • CIDR: At least 256 addresses in the specified CIDR.
      Recommended value: 10.0.0.0/24
    • Availability Zone: The same as the Public Subnet
  • Mandatory input in the DSPM console

Recommended Resources

Prisma Cloud DSPM requires egress communication between the EC2 instances used to classify data and the Prisma Cloud Console.

Make sure to allow connectivity to the following domains and IPs:

• EU:
  • 52.48.123.3
  • 99.80.210.235
  • 34.247.249.123
  • orchestrator.dig.security
• US:
  • 54.225.205.121
  • 18.214.146.232
  • 3.93.120.3
  • orchestrator.prod-use1.dig.security

Below you will find the recommended resources used to establish such communication, although other network enabling resources will suffice.

• Internet Gateway / Transit Gateway / Any other setup for providing internet access
  • Purpose: Provides network connectivity from scanner VMs to the Prisma Cloud DSPM backend. Scanner VMs should be able to access the internet in order to send events to the Prisma Cloud DSPM backend.
  • Association: Attached to the VPC.

• NAT Gateway
  • Purpose: Provides outbound internet access for scanner VMs in the Private Subnet.
  • Requirements:
    • Subnet: ID of the newly created Public Subnet
    • Elastic IP allocation ID: The newly created Elastic IP Address
  • Association: The newly created Elastic IP Address.

• Private Route Table
  • Purpose: Routes traffic from and to scanner VMs.
  • Routes:
    • CIDR: 0.0.0.0/0
    • Destination: NAT Gateway ID
  • Association: ID of the newly created Private Subnet.

• Public Subnet
  • Requirements:
    • CIDR: At least 256 addresses in the specified CIDR.

Recommended value: 10.0.1.0/24

• • • Availability Zone: The same as the Private Subnet

• Public Route Table
  • Purpose: Routes traffic to the Internet Gateway.
  • Routes:
    • CIDR: 0.0.0.0/0
    • Destination: Internet Gateway ID
  • Association: ID of the newly created Public Subnet.

• VPC Endpoints
  • S3 VPC Endpoint:
    • Purpose: Securing and reducing costs for S3 traffic.
    • Requirements:
      • VPC ID: ID of the newly created VPC.
      • Endpoint Type: Gateway.
      • AWS Service: com.amazonaws.<region>.s3
      • Route Tables: ID of the newly created Private Route Table
  • OpenSearch VPC Endpoint (optional):
    • Purpose: allowing VMs to communicate with Opensearch Serverless from a different VPC.
    • Requirements:
      • VPC ID: ID of the newly created VPC.
      • Subnets: ID of the newly created private-subnet for the VPC.
      • Security Groups: Create a new security group with the following properties:
        • VPC: ID of the newly created VPC.
        • Outbound rule:
          • Type: HTTPS (Port 443)
          • Destination: Anywhere-IPv4
        • Inbound rule:
          • Type: HTTPS (Port 443)
          • Source: The newly-created HTTPS Security group ID that allows VMs to communicate with DSPM backend.

Connect additional AWS accounts

After adding a first AWS account and installing Orchestrator in it, you can add more AWS accounts that you want to be monitored by Prisma Cloud DSPM. You can either add an existing Orchestrator to monitor all accounts, or install a new Orchestrator for each account.

1. Add a new account as described above.
2. Select whether you want to use an existing Orchestrator (in which case, you can select the required Orchestrator from the dropdown menu) or deploy a new Orchestrator in this account.
3. Click Generate Template, and add an account by using CloudFormation or Terraform. When added, the new account is listed under Connected Accounts in your AWS configuration page.

If you encounter any scanning issues, refer to the Troubleshooting page.