Why is AWS Cloud Account status showing "Warning" (missing AWS Glacier permissions) in Prisma Cloud?

Created On 04/09/19 19:48 PM - Last Modified 03/14/22 19:57 PM


Question


The specified AWS account's Prisma Cloud role has glacier:Get.* permissions in the policy. Why is Prisma Cloud displaying this warning message?

No changes were made to the AWS environment. However, the Cloud Account status is "Warning" (see the screenshot below):

User-added image


Environment


Prisma Cloud
AWS


Answer


The glacier:Get.* permissions are considered too broad, and we require more granular permissions. The recommended action is to add the following 4 permissions to the policy for the Prisma Cloud Role in AWS.

glacier:GetDataRetrievalPolicy
glacier:GetVaultAccessPolicy
glacier:GetVaultLock
glacier:GetVaultNotifications

Users can manually update the policy in the AWS account or onboard with the Terraform template.

This is documented in the Release Notes--04/05/2019:

AWS CloudFormation Template Permissions

The CloudFormation templates for creating Prisma Cloud AWS Policy and role for enabling permissions to the Prisma Cloud service have been updated to be more granular for Amazon Glacier. The permission glacier:Get* is replaced with these:
glacier:GetDataRetrievalPolicy
glacier:GetVaultAccessPolicy
glacier:GetVaultLock
glacier:GetVaultNotifications

You can update these permissions manually or onboard with Terraform template.
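Before updating the role manually, you can check an exported policy document for the condition described above. The following Python script is an added example, not part of the original article or any Prisma Cloud tooling. It classifies each of the four Glacier actions as explicitly listed, covered only by a wildcard such as glacier:Get*, or missing. The sample policies are constructed, and the script assumes only Allow statements with an Action element matter (Deny and NotAction are ignored).

```python
import fnmatch

# The four granular Glacier actions listed in the article.
REQUIRED = (
    "glacier:GetDataRetrievalPolicy",
    "glacier:GetVaultAccessPolicy",
    "glacier:GetVaultLock",
    "glacier:GetVaultNotifications",
)

# Constructed sample policy (not from a real account): broad wildcard only.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["glacier:Get*", "glacier:ListVaults"], "Resource": "*"}]}
# Constructed sample policy: granular actions, with one still absent.
PARTIAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "glacier:GetVaultLock", "Resource": "*"},
    {"Effect": "Allow", "Action": ["glacier:GetVaultAccessPolicy",
                                   "glacier:GetDataRetrievalPolicy"], "Resource": "*"}]}


def allowed_action_patterns(policy):
    """Collect Action entries from Allow statements (Action may be a string or a list)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return [p.lower() for p in patterns]  # IAM action names are case-insensitive


def audit_glacier(policy):
    """Return {action: 'explicit' | 'wildcard-only' | 'missing'} for the required actions."""
    patterns = allowed_action_patterns(policy)
    wildcards = [p for p in patterns if "*" in p or "?" in p]
    report = {}
    for action in REQUIRED:
        name = action.lower()
        if name in patterns:
            report[action] = "explicit"
        elif any(fnmatch.fnmatchcase(name, w) for w in wildcards):
            report[action] = "wildcard-only"
        else:
            report[action] = "missing"
    return report
```

Any action reported as "wildcard-only" or "missing" is one to add by name to the policy for the Prisma Cloud role.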

