Cross-Account Role CFT Permissions for Cloud NGFW

Cloud NGFW for AWS requires permissions to access AWS accounts, read VPC info, create/manage endpoints, access logging destinations, and decrypt traffic.
Cloud NGFW requires permissions to access information and resources associated with your AWS accounts. When you onboard an AWS account, a CloudFormation Template (CFT) is provided to help you enable the permissions. When you deploy the CFT, it creates a cross-account IAM role in your AWS account. This IAM role provides Cloud NGFW with the permissions necessary to read VPC information required to create and manage endpoints, send logs to logging destinations, and access certificates in the AWS Secrets Manager for traffic decryption.

Endpoint Configuration

The cross-account IAM role requires permissions to read information about your VPC resources, allowing you to configure NGFW endpoints in your AWS environment.
These four permissions are the minimum required.

{
  "Sid": "Allow Cloud NGFW to read VPC resources",
  "Effect": "Allow",
  "Action": [
    "ec2:DescribeVpcs",
    "ec2:DescribeSubnets",
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeVpcEndpoints"
  ],
  "Resource": "*"
}

Endpoint Creation

(Optional) You can configure Cloud NGFW to create and manage NGFW endpoints in your AWS account. If you choose not to configure these permissions, you must manually create NGFW endpoints after deploying your NGFW.
{
  "Sid": "Allow Cloud NGFW to manage NGFW endpoints",
  "Effect": "Allow",
  "Action": [
    "ec2:DeleteVpcEndpoints",
    "ec2:CreateVpcEndpoint"
  ],
  "Resource": "*"
}

Logging and Metric Management

(Optional) The cross-account role includes permissions required for logging and metrics management. The template does not create the logging destinations; instead, it provides the necessary permissions to access the specified logging destinations. You must create the logging destinations you specify in the template.
The template provides the default value PaloAltoCloudNGFW for the CloudWatch namespace and the Kinesis Data Firehose delivery stream. The template does not provide a default value for the S3 bucket. You can replace each default value with the name of the corresponding logging destination in your AWS account.
{
  "Sid": "Allow Cloud NGFW access to one CloudWatch namespace",
  "Effect": "Allow",
  "Action": "cloudwatch:PutMetricData",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "cloudwatch:namespace": "PaloAltoCloudNGFW"
    }
  }
}

{
  "Sid": "Allow Cloud NGFW access to write logs in one LogGroup",
  "Effect": "Allow",
  "Action": [
    "logs:CreateLogStream",
    "logs:DescribeLogStreams",
    "logs:PutLogEvents"
  ],
  "Resource": [
    "arn:aws:logs:*:*:log-group:PaloAltoCloudNGFW",
    "arn:aws:logs:*:*:log-group:PaloAltoCloudNGFW:log-stream:*"
  ]
}

In the S3 statement, ${S3Bucket} is replaced with the bucket name you enter in the template.

{
  "Sid": "Optionally, Allow Cloud NGFW to write logs to one S3 bucket",
  "Effect": "Allow",
  "Action": [
    "s3:PutObject"
  ],
  "Resource": [
    "arn:aws:s3:::${S3Bucket}/*"
  ]
}

{
  "Sid": "Optionally, Allow Cloud NGFW to write logs to Streams",
  "Effect": "Allow",
  "Action": [
    "firehose:PutRecordBatch"
  ],
  "Resource": [
    "arn:aws:firehose:region:account:deliverystream/PaloAltoCloudNGFW*"
  ]
}

Decryption

(Optional) The cross-account role includes permissions for Cloud NGFW to retrieve certificates from Secrets Manager in your AWS account and use them to decrypt traffic flowing through your NGFW. These permissions use attribute-based access control (ABAC): the condition grants access only to secrets that carry the specified tag. These permissions are optional and you can choose not to configure them when you deploy the template.
{
  "Sid": "Allow Cloud NGFW to pick up certificates",
  "Effect": "Allow",
  "Action": [
    "secretsmanager:GetSecretValue"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:ResourceTag/PaloAltoCloudNGFW": "true"
    }
  }
}
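To make the effect of the scoped logging and decryption statements concrete, here is an added example that is not part of this documentation or of the Cloud NGFW template. It evaluates sample requests against a copy of those statements with a deliberately simplified evaluator: Allow statements with StringEquals conditions only, which is all these statements use, and none of the explicit Deny, service control policy, permission boundary or resource-policy evaluation that real IAM also performs. The bucket name example-ngfw-logs, the account ID 111122223333 and the ARNs are placeholders constructed for the example.

```python
import fnmatch

# Statements mirroring the scoped logging and decryption grants shown above.
# Constructed for this example; the bucket name is a placeholder for the
# value you enter in the template.
STATEMENTS = [
    {
        "Effect": "Allow",
        "Action": "cloudwatch:PutMetricData",
        "Resource": "*",
        "Condition": {"StringEquals": {"cloudwatch:namespace": "PaloAltoCloudNGFW"}},
    },
    {
        "Effect": "Allow",
        "Action": ["logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents"],
        "Resource": [
            "arn:aws:logs:*:*:log-group:PaloAltoCloudNGFW",
            "arn:aws:logs:*:*:log-group:PaloAltoCloudNGFW:log-stream:*",
        ],
    },
    {
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": ["arn:aws:s3:::example-ngfw-logs/*"],  # placeholder bucket name
    },
    {
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:ResourceTag/PaloAltoCloudNGFW": "true"}},
    },
]


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style wildcard match: '*' spans any run of characters, '?' a single one."""
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(action, resource, context, statements=STATEMENTS):
    """Return True if some Allow statement grants `action` on `resource` for a
    request whose condition keys are given in `context` (for example
    'cloudwatch:namespace' or 'aws:ResourceTag/PaloAltoCloudNGFW').

    Simplified on purpose: only Allow statements and StringEquals conditions.
    Real IAM additionally evaluates explicit Deny, service control policies,
    permission boundaries and resource-based policies."""
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        # Action names are compared case-insensitively here so that the
        # spellings 's3:putObject' and 's3:PutObject' resolve identically.
        if not any(_matches(p.lower(), action.lower()) for p in _as_list(statement["Action"])):
            continue
        if not any(_matches(p, resource) for p in _as_list(statement["Resource"])):
            continue
        conditions = statement.get("Condition", {}).get("StringEquals", {})
        # Every condition key must be present in the request with an allowed value;
        # a missing key (an untagged secret, for instance) fails the condition.
        if all(context.get(key) in _as_list(allowed) for key, allowed in conditions.items()):
            return True
    return False


def demo():
    """Evaluate representative requests; account ID and ARNs are placeholders."""
    ngfw_stream = "arn:aws:logs:us-east-1:111122223333:log-group:PaloAltoCloudNGFW:log-stream:fw-1"
    other_stream = "arn:aws:logs:us-east-1:111122223333:log-group:Other:log-stream:fw-1"
    secret = "arn:aws:secretsmanager:us-east-1:111122223333:secret:tls-cert-AbCdEf"
    tagged = {"aws:ResourceTag/PaloAltoCloudNGFW": "true"}
    return {
        "metric, documented namespace": is_allowed(
            "cloudwatch:PutMetricData", "*", {"cloudwatch:namespace": "PaloAltoCloudNGFW"}),
        "metric, other namespace": is_allowed(
            "cloudwatch:PutMetricData", "*", {"cloudwatch:namespace": "Other"}),
        "log event, NGFW log group": is_allowed("logs:PutLogEvents", ngfw_stream, {}),
        "log event, other log group": is_allowed("logs:PutLogEvents", other_stream, {}),
        "object, log bucket": is_allowed(
            "s3:PutObject", "arn:aws:s3:::example-ngfw-logs/2024/fw-1.log", {}),
        "object, other bucket": is_allowed(
            "s3:PutObject", "arn:aws:s3:::other-bucket/fw-1.log", {}),
        "secret with tag": is_allowed("secretsmanager:GetSecretValue", secret, tagged),
        "secret without tag": is_allowed("secretsmanager:GetSecretValue", secret, {}),
        "secret write with tag": is_allowed("secretsmanager:PutSecretValue", secret, tagged),
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'no grant':9} {request}")
```

The checks show that the conditions and the ARN patterns, not the Resource "*" entries, do the scoping: a PutMetricData call to another namespace, a log write to another log group or bucket, and a GetSecretValue call on a secret that lacks the PaloAltoCloudNGFW=true tag are all left ungranted, and the role can read but never write the tagged secret. Because the tag alone is the access boundary for decryption, confirm that only the certificates intended for decryption carry it.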

Account Monitoring

(Optional) The existing CloudFormation template (CFT) of your onboarded AWS account can have Account Monitoring permissions added to it.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeInstances",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeSubnets",
        "ec2:DescribeManagedPrefixLists",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTags"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:GetManagedPrefixListAssociations",
        "ec2:GetManagedPrefixListEntries"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:prefix-list/*"
      ],
      "Effect": "Allow"
    }
  ]
}
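As an added example that is not code from this documentation or from Palo Alto Networks, the following Python reviews a policy document of the kind shown above before it is deployed: it separates read-only Describe/Get/List actions from write actions, lists any action outside the set documented in the sections of this page, and flags write or wildcard actions granted on Resource "*" with no Condition to narrow them. The first policy is the Account Monitoring policy above; the second, broader policy is constructed for the example, and ec2:TerminateInstances stands in for any stray permission a reviewer would want surfaced.

```python
import json

# Actions documented in the sections above (endpoint configuration, endpoint
# creation, logging and metrics, decryption, account monitoring), collected
# as the baseline a reviewer expects the deployed role to stay within.
DOCUMENTED_ACTIONS = {
    "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeAvailabilityZones",
    "ec2:DescribeVpcEndpoints", "ec2:CreateVpcEndpoint", "ec2:DeleteVpcEndpoints",
    "cloudwatch:PutMetricData", "logs:CreateLogStream", "logs:DescribeLogStreams",
    "logs:PutLogEvents", "s3:PutObject", "firehose:PutRecordBatch",
    "secretsmanager:GetSecretValue", "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeSecurityGroups", "ec2:DescribeInstances", "ec2:DescribeManagedPrefixLists",
    "ec2:GetManagedPrefixListAssociations", "ec2:GetManagedPrefixListEntries",
    "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTags",
}

READ_ONLY_PREFIXES = ("Describe", "Get", "List")

# The Account Monitoring policy from this page, loaded as it would be from a file.
ACCOUNT_MONITORING_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["ec2:DescribeVpcs", "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSecurityGroups", "ec2:DescribeInstances",
                "ec2:DescribeVpcEndpoints", "ec2:DescribeSubnets",
                "ec2:DescribeManagedPrefixLists",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTags"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["ec2:GetManagedPrefixListAssociations", "ec2:GetManagedPrefixListEntries"],
     "Resource": ["arn:aws:ec2:*:*:prefix-list/*"], "Effect": "Allow"}
  ]
}
""")

# Constructed for the example: the optional endpoint-creation grant plus one
# action that is not documented anywhere on this page.
BROADER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:CreateVpcEndpoint", "ec2:DeleteVpcEndpoints"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def granted_actions(policy):
    """Yield (action, resources, has_condition) for each action of every Allow statement."""
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        for action in _as_list(statement.get("Action", [])):
            yield action, _as_list(statement.get("Resource", [])), "Condition" in statement


def review_policy(policy):
    """Classify each granted action and collect what a reviewer should look at:
    actions outside the documented baseline, and write (or wildcard) actions
    granted on Resource "*" without a Condition."""
    report = {"read_only": [], "write": [], "undocumented": [], "unscoped": []}
    for action, resources, conditioned in granted_actions(policy):
        if "*" in action:  # e.g. "ec2:*" or "*": never part of this template
            report["unscoped"].append(action)
            continue
        operation = action.split(":", 1)[1]
        kind = "read_only" if operation.startswith(READ_ONLY_PREFIXES) else "write"
        report[kind].append(action)
        if action not in DOCUMENTED_ACTIONS:
            report["undocumented"].append(action)
        if kind == "write" and "*" in resources and not conditioned:
            report["unscoped"].append(action)
    return report


if __name__ == "__main__":
    for name, policy in (("account monitoring", ACCOUNT_MONITORING_POLICY),
                         ("broader", BROADER_POLICY)):
        print(name, json.dumps(review_policy(policy), indent=2))
```

For the Account Monitoring policy every action lands in read_only and the other lists stay empty. For the broader policy the two endpoint actions are documented but appear under unscoped, because the template grants them on Resource "*" with no Condition; that is exactly the optional capability you decide whether to enable, so the report's job is to put that decision in front of the reviewer. ec2:TerminateInstances appears under both undocumented and unscoped and should not survive review.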