Prisma Cloud can evaluate the security posture of your cloud estate. This is done by comparing your cloud assets to policy and alerting on deviations.
The cloud operations team has already tuned the environment to meet security requirements and conform to policy. It’s been quiet for several weeks, but today, Prisma Cloud is generating alerts and policy violations.
To determine why, the cloud operations team might want to check the Prisma Cloud audit logs to see if anything’s changed. But the team doesn’t want to log into yet another console to get more information about their AWS environment. Mature cloud security solutions should be able to eliminate friction between cloud practitioners and cloud operations teams.
If your organization is using AWS CloudTrail Lake for auditing, you can use Prisma Cloud to enrich AWS CloudTrail data by creating a custom integration and using native functionality within Prisma Cloud to send events to AWS.
AWS CloudTrail Lake is a managed data lake in AWS used for storing and analyzing AWS activity for audit and security purposes. AWS CloudTrail Lake allows you to aggregate and immutably store logs for search and analysis — and it offers the ability to import events from non-AWS sources. By setting up a custom integration, cloud operations teams can use their AWS CloudTrail Lake queries to get information from Prisma Cloud.
This post provides an overview of the process on how to deploy a custom integration and ingest Prisma Cloud audit events in AWS CloudTrail Lake.
At a high level, the integration will look like this:
Prisma Cloud will integrate with Amazon SQS and emit audit event messages. Amazon SQS will trigger an AWS Lambda function to format and send the messages to AWS CloudTrail Lake using a custom integration. The solution will use a built-in capability of AWS CloudTrail Lake to validate the integrity of each message before ingestion. If messages can’t be processed and ingested, they’ll be sent to a dead-letter queue for reprocessing and (optionally) an Amazon CloudWatch alarm will be raised.
Note that all the assets in the integration will reside in your AWS account, giving you full control to administer and modify them as required.
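As an added example (not code from this post or from Palo Alto Networks), here is how the Lambda stage of the pipeline above can be written in Python: it reshapes each SQS message into the CloudTrail Lake custom event format, attaches the base64 SHA-256 checksum that CloudTrail Lake verifies on ingestion, and reports unparseable messages as partial-batch failures so SQS retries them and eventually routes them to the dead-letter queue. The Prisma Cloud message field names, the event source name and the channel ARN placeholder are assumptions.

```python
import base64
import hashlib
import json
import uuid
from datetime import datetime, timezone

EVENT_SOURCE = "prismacloud.example.com"  # assumed name for the non-AWS event source
CHANNEL_ARN = "arn:aws:cloudtrail:REGION:ACCOUNT:channel/PLACEHOLDER"  # channel created by the CloudFormation stack
SAMPLE_RECORDS = [  # constructed SQS records: a well-formed audit message (assumed field names) and a malformed one
    {"messageId": "m1", "body": '{"timestamp": 1700000000000, "user": "alice@example.com", "action": "login", "ipAddress": "203.0.113.5", "result": "Successful"}'},
    {"messageId": "m2", "body": "not json"},
]

def to_cloudtrail_event(message: dict) -> dict:
    """Map one audit message to a CloudTrail Lake custom event plus its base64 SHA-256 checksum."""
    ts_ms = int(message["timestamp"])
    event_time = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # Deterministic UID: an SQS redelivery of the same message yields the same UID, so duplicates are visible.
    uid = str(uuid.uuid5(uuid.NAMESPACE_URL, f"{message['user']}:{ts_ms}:{message['action']}"))
    event_data = {
        "version": "1.0",
        "userIdentity": {"type": "PrismaCloudUser", "principalId": message["user"]},
        "eventSource": EVENT_SOURCE,
        "eventName": message["action"],
        "eventTime": event_time,
        "UID": uid,
        "additionalEventData": {k: message.get(k) for k in ("resourceType", "resourceName", "ipAddress", "result")},
    }
    serialized = json.dumps(event_data, separators=(",", ":"))
    checksum = base64.b64encode(hashlib.sha256(serialized.encode("utf-8")).digest()).decode("ascii")
    return {"id": str(uuid.uuid4()), "eventData": serialized, "eventDataChecksum": checksum}

def checksum_matches(event: dict) -> bool:
    # Recompute the checksum the way CloudTrail Lake does before accepting the event.
    return base64.b64encode(hashlib.sha256(event["eventData"].encode()).digest()).decode() == event["eventDataChecksum"]
def build_batch(records: list):
    """Malformed records become partial-batch failures; SQS retries them, then routes them to the DLQ."""
    events, failures = [], []
    for record in records:
        try:
            events.append(to_cloudtrail_event(json.loads(record["body"])))
        except (KeyError, ValueError, TypeError):
            failures.append({"itemIdentifier": record["messageId"]})
    return events, failures
def lambda_handler(event, context):
    import boto3  # imported here so the functions above run without the AWS SDK installed
    events, failures = build_batch(event["Records"])
    if events:
        boto3.client("cloudtrail-data").put_audit_events(auditEvents=events, channelArn=CHANNEL_ARN)
    return {"batchItemFailures": failures}
```

Partial-batch reporting only takes effect when ReportBatchItemFailures is enabled on the Lambda function's SQS event source mapping; otherwise a single bad message fails the whole batch.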
Before proceeding, obtain the ARN of the IAM role your organization used to onboard the AWS account into Prisma Cloud:
An AWS CloudFormation template will be used to deploy and configure the resources described. To deploy the CloudFormation, follow these steps:
Step 1: Log in to your target AWS Account. This will be where AWS CloudTrail Lake and the SQS integration are configured.
Step 2: Click the quick create link. This defaults to region “us-east-1” - change to a different region if desired.
Step 3: Update the required parameters, described below:
Step 4: Default values have been generated for the following parameters, but feel free to update them if desired:
Step 5: Check the “I acknowledge that AWS CloudFormation might create IAM resources” at the bottom.
Step 6: Click “Create stack”
Step 7: When stack creation completes, check the output tabs and note the PrismaCloudIntegrationQueueURL value, required for the next step.
After deploying the CloudFormation, the next steps are to create the Amazon SQS integration within Prisma Cloud and configure audit logs to send to it.
Prisma Cloud provides a native integration to Amazon SQS. Detailed instructions can be found in our documentation, and we give a brief overview of what’s required here:
Step 1: The CloudFormation deployed in the previous step created the Amazon SQS queue required for the integration, so if you’re following along with the detailed instructions in our documentation, you can start at “Step 4 >> Set up Amazon SQS integration in Prisma Cloud.”
Step 2: Log in to Prisma Cloud.
Step 3: Select Settings, then Integrations.
Step 4: Click Add Integration and then select Amazon SQS.
Step 5: Enter the following information:
Step 6: Click Next.
Step 7: Test the integration and ensure it can connect.
Step 8: Save the integration.
To configure Prisma Cloud to send audit logs to the newly created SQS integration:
After deploying and configuring the solution, new audit events within Prisma Cloud should start populating inside of AWS CloudTrail Lake. To validate:
Once you have confirmed audit data is flowing into the CloudTrail event data store, you can begin to query it. Below is a sample query (be sure to replace the data store ID with the appropriate value):
There are several considerations to be aware of when deploying this solution:
Integrating Prisma Cloud and AWS CloudTrail Lake enables organizations to maintain a consistent view of their security posture, significantly improving their ability to detect and address security issues promptly on AWS. By following the steps outlined in this blog post, you can achieve this integration and enjoy the benefits of a unified security management solution.
We encourage you to continue exploring the capabilities of Prisma Cloud and AWS CloudTrail Lake, and consider implementing this integration to enhance your organization's security posture on AWS.
If you haven’t tried Prisma Cloud, we invite you to take it for a test drive. Discover how Prisma Cloud can evaluate the security posture of your cloud estate with a free 30-day trial.