How to configure network flow logs ingesting from S3 bucket in Prisma Cloud
Objective
Properly configure Prisma Cloud to ingest network flow log data from an AWS S3 bucket.
Environment
- Amazon Web Services
- Prisma Cloud
Procedure
Refer to Configure Flow Logs From Amazon S3 for the newer version of this article.
Prerequisites and Requirements
AWS: An S3 bucket set up as the destination for VPC flow logs in AWS
Prisma Cloud: An onboarded AWS account
Step 1: Configure a new S3 bucket* for the VPC to send flow logs to.
Step 2: Configure flow logs** for the Amazon VPC.
Step 3: Click Settings > Providers > Cloud Account > View Account in Prisma Cloud.
Step 4: Then navigate to Threat Detection > Flow Logs > S3 > Configure to update Flow Logs to S3.
Step 5: Configure the 'logging account' with a unique account name and an Account ID that matches the AWS account ID of the account in which the S3 flow logs are configured. Then configure the S3 bucket in Prisma Cloud. Be sure to type the bucket name exactly as it appears in AWS and select the correct region as well.
(OPTIONAL): You can also enter the path within the bucket if you use a specific folder structure. Lastly, if you enabled encryption on your bucket, you can supply the key here as well.
Step 6: Download the logging account template and create a CloudFormation stack*** in AWS with the downloaded template.
You will then be prompted to enter a unique name for your stack, followed by optional steps to set tags and permissions for the stack. All other configurations here are optional as well.
Once your stack is created, you will need to get the ARN of the role it created from AWS and enter it in Prisma Cloud.
Step 7: Once you've validated your role from Step 5, you will be prompted to select the bucket(s) that contain network data, and you will need to validate them as well. If validation is unsuccessful, double-check the bucket names and regions.
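The AWS side of the procedure (Steps 1 and 2) scripted with the AWS CLI, plus the check that the flow log is active and points at exactly the bucket you will enter in Step 5. This is an added example, not from the original article or from Prisma Cloud; the bucket name, region, VPC ID and prefix are placeholders.

```shell
# Added example, not from the original article: Steps 1 and 2 with the AWS CLI.
# Bucket name, region, VPC id and prefix below are assumed placeholders.
set -eu

# Destination ARN that VPC Flow Logs expects. The optional prefix must equal the
# "path within the bucket" entered later in Prisma Cloud (trailing slash kept).
flow_log_destination_arn() {
  bucket="$1"; prefix="${2:-}"
  if [ -n "$prefix" ]; then printf 'arn:aws:s3:::%s/%s/' "$bucket" "${prefix%/}"
  else printf 'arn:aws:s3:::%s' "$bucket"; fi
}

# Step 1: create the bucket (LocationConstraint is required outside us-east-1)
# and block all public access, since flow logs expose internal addressing.
create_flow_log_bucket() {
  bucket="$1"; region="$2"
  if [ "$region" = us-east-1 ]; then
    aws s3api create-bucket --bucket "$bucket" --region "$region"
  else
    aws s3api create-bucket --bucket "$bucket" --region "$region" \
      --create-bucket-configuration LocationConstraint="$region"
  fi
  aws s3api put-public-access-block --bucket "$bucket" --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
}

# Step 2: deliver ALL traffic (accepted and rejected) for the VPC to the bucket.
enable_vpc_flow_logs() {
  vpc_id="$1"; dest="$2"; region="$3"
  aws ec2 create-flow-logs --region "$region" --resource-type VPC --resource-ids "$vpc_id" \
    --traffic-type ALL --log-destination-type s3 --log-destination "$dest"
}

# Check: status should be ACTIVE and LogDestination must name exactly the bucket
# (and region) you will type into Prisma Cloud in Step 5.
show_flow_logs() {
  aws ec2 describe-flow-logs --region "$1" --filter Name=resource-id,Values="$2" \
    --query 'FlowLogs[].[FlowLogId,FlowLogStatus,LogDestination]' --output table
}

# Set RUN_AWS=1 to run against your account with the placeholder values replaced.
if [ "${RUN_AWS:-0}" = 1 ]; then
  BUCKET=my-prisma-flowlogs; REGION=us-west-2; VPC=vpc-0123456789abcdef0
  DEST=$(flow_log_destination_arn "$BUCKET" flowlogs)
  create_flow_log_bucket "$BUCKET" "$REGION"
  enable_vpc_flow_logs "$VPC" "$DEST" "$REGION"
  show_flow_logs "$REGION" "$VPC"
fi
```

The functions only run when RUN_AWS=1 and valid AWS credentials are present; the bucket policy that lets the delivery service write to the bucket is attached automatically by AWS when you own the bucket.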
Additional Information
Each ingestion cycle takes about an hour. Please allow up to 2 hours to see the ingestion result.
* How to configure an S3 bucket
** How to configure a flow log
*** How to create a stack in AWS using a CloudFormation template (CFT)