Multiple AWS Account Security with Prisma Cloud and AWS Control Tower

Mar 02, 2021

In cloud operations, multiple account setup, management, and governance can be complex, time-consuming, and a significant bottleneck to operations speed and innovation.

To help speed innovation and reduce operational complexity, Palo Alto Networks is proud to announce that Prisma® Cloud – the Cloud Native Security Platform and cybersecurity partner of choice – has added support for Amazon Web Services (AWS) Control Tower for easier AWS setup, governance and security of multi-account AWS environments.


Cloud Native Security Challenges

Cloud is set to become the dominant computing model, according to the State of Cloud Native Security 2020 survey, with enterprises now running 46 percent of their workloads in the cloud and expecting to reach 64 percent in the next 18 months. As cloud adoption accelerates, organizations look to trim the number of tools they use to reduce complexity (State of Cloud Native Security 2020). Now is the time to address this urgent cloud operations challenge by adopting an effective multiple account management strategy with cloud security and governance executed through a single and trusted cloud native console.


How Prisma Cloud and AWS Control Tower Work Together

The high number of workloads operating in the cloud, along with the high number of teams working in the cloud, requires provisioning automation and configuration tooling to better secure and manage cloud environments without costly expertise. Prisma Cloud has helped 70 percent of the Fortune 500 move with confidence to the cloud, and further monitors and helps secure more than 1.8 billion cloud workloads every day with automated cloud native integrations.

For teams working within AWS, the ability for organizations to provision new and compliant AWS accounts that conform to company-wide policies and governance is a ‘must have’ to accelerate cloud operations velocity. With Prisma Cloud and AWS Control Tower you can provision automated account registrations, governance, and management of those multiple AWS accounts in just a few clicks. Prisma Cloud also extends cloud automation to actual security response with integrated Lambda serverless remediation across multiple AWS accounts, all managed by common policy and governance frameworks.

When using Prisma Cloud with AWS Control Tower, teams are not overwhelmed by the manual effort of creating and managing AWS accounts; instead, they use cloud automation managed from a single pane of glass to set up, enforce, and govern common policies across multiple AWS accounts and organizational units (OUs) at scale. In this way Prisma Cloud, together with AWS, helps you manage cloud environments and implement security at the speed of business.


Automated Registration, Governance and Management of Multiple AWS Accounts with Prisma Cloud

Provisioning is the first layer in the Cloud Native Computing Foundation’s cloud native landscape and, for security and compliance, having a single, comprehensive cloud native tool for central governance and management is a must, especially if you use AWS Organizations.

Prisma Cloud and AWS Control Tower work better together, centrally provisioning, managing, and governing AWS services and resources. When a new AWS member account is added to your organization with AWS Control Tower, that new AWS account is onboarded automatically to Prisma Cloud. If you use AWS Organizations, all member accounts included within the hierarchy can be automatically onboarded to Prisma Cloud in one simple and streamlined workflow.

AWS Control Tower integrated with Prisma Cloud further allows teams to:

  • Allocate separate AWS accounts to different teams for enhanced control
  • Isolate AWS organizational units (OUs) and workloads under specific governance
  • Scale, experiment, and innovate more quickly across multiple AWS accounts
  • Innovate on AWS with trusted Palo Alto Networks support

Prisma Cloud multi-account registration with AWS Control Tower


Automated Remediation of Multiple AWS Accounts with Prisma Cloud and Lambda Serverless Functions

Security is integrated and automated with Prisma Cloud and AWS Control Tower to bring visibility of Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) together into a single cloud native security dashboard, a top trend according to Gartner in their Top 9 Security and Risk Trends for 2020.

When creating new AWS accounts in multi-account environments, governance and policies are applied with automation across all accounts. Enforcement is also automated to maintain and verify compliance across all workloads and lifecycles.

Prisma Cloud multi-account remediation with AWS Control Tower

Use Prisma Cloud with AWS Control Tower to create, update, and delete stacks across multiple accounts and regions, with execution triggers for automated DevSecOps. Prisma Cloud uses AWS CloudFormation StackSets to provision stacks into selected target accounts across specified regions, which lets Lambda serverless remediation make the necessary changes in the master and member accounts.
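An added example, not Prisma Cloud's or AWS's code, of the event-driven pattern the two paragraphs above describe: a Lambda handler that consumes the Control Tower CreateManagedAccount lifecycle event for a newly enrolled member account, ignores failed or unrelated events, and builds the CloudFormation StackSet deployment request that pushes a baseline stack into that account. The StackSet name, regions, sample event values and the injected `register` callback are assumptions; the platform's own onboarding API call is left to that callback.

```python
# Added illustrative handler, not Prisma Cloud's code. Event shape follows the
# CloudTrail-backed EventBridge event Control Tower emits for CreateManagedAccount.
STACKSET_NAME = "example-security-baseline"  # placeholder StackSet name
TARGET_REGIONS = ["us-east-1", "eu-west-1"]  # constructed example regions

def parse_lifecycle_event(event):
    """(account_id, account_name, ou_name) for a SUCCEEDED CreateManagedAccount
    event; None for failed, unrelated or malformed events so nothing is onboarded."""
    if event.get("source") != "aws.controltower":
        return None
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateManagedAccount":
        return None
    status = detail.get("serviceEventDetails", {}).get("createManagedAccountStatus", {})
    if status.get("state") != "SUCCEEDED":
        return None
    account = status.get("account", {})
    account_id = account.get("accountId")
    if not (isinstance(account_id, str) and len(account_id) == 12 and account_id.isdigit()):
        return None
    ou_name = status.get("organizationalUnit", {}).get("organizationalUnitName")
    return account_id, account.get("accountName"), ou_name

def stackset_instance_request(account_id, regions=TARGET_REGIONS):
    """kwargs for CloudFormation create_stack_instances: push the baseline stack
    (cross-account role plus remediation Lambda) into the new member account."""
    return {"StackSetName": STACKSET_NAME,
            "DeploymentTargets": {"Accounts": [account_id]},
            "Regions": list(regions),
            "OperationPreferences": {"FailureToleranceCount": 0, "MaxConcurrentCount": 1}}

def handler(event, context=None, cfn_client=None, register=None):
    """Lambda entry point. cfn_client (boto3 CloudFormation client) and register
    (callable that onboards the account) are injected; each is skipped when None."""
    parsed = parse_lifecycle_event(event)
    if parsed is None:
        return {"status": "ignored"}
    account_id, name, ou = parsed
    req = stackset_instance_request(account_id)
    if cfn_client is not None:
        cfn_client.create_stack_instances(**req)
    if register is not None:
        register(account_id, name, ou)
    return {"status": "onboarded", "accountId": account_id, "ou": ou, "request": req}

# Constructed sample event, not captured from a real organization
SAMPLE_EVENT = {"source": "aws.controltower", "detail-type": "AWS Service Event via CloudTrail",
    "detail": {"eventName": "CreateManagedAccount", "serviceEventDetails": {"createManagedAccountStatus": {
        "state": "SUCCEEDED", "account": {"accountId": "111122223333", "accountName": "workload-a"},
        "organizationalUnit": {"organizationalUnitName": "Workloads"}}}}}
```

In a real deployment the EventBridge rule that invokes this function should match only `source` `aws.controltower` and `eventName` `CreateManagedAccount`, so the handler's checks are a second line of defence rather than the only filter.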

Gain operational confidence knowing that Prisma Cloud integrated with AWS Control Tower offers security remediation and compliance verification that is integrated and automated across multiple accounts, giving AWS operations a ‘better together’ and comprehensive cloud native security dashboard:

  • Natively ingest AWS threat and cloud operations data across accounts and alert on deviations from security best practices
  • Validate compliance across the Build and Deploy development phases, and at Runtime
  • Integrate with Amazon GuardDuty, Amazon Inspector, and AWS Security Hub to deliver comprehensive cloud native protection, centralized visibility, and automated remediation

Comprehensive Cloud Native Security for AWS

Cloud and security teams looking to enhance AWS with auto-provisioned, centralized, multi-account management and visibility, with common governance across all AWS accounts, can adopt Prisma Cloud with Control Tower for simplified, securely scaled, cloud native operations.

Leveraging compliant, secured, and appropriately configured AWS Landing Zones, centralized role-based access control (RBAC), and ML-powered policy and security controls, teams using Prisma Cloud on AWS can manage, detect, and respond to everything with an integrated AWS Partner Solution that verifies security guardrails at the organizational level and across all AWS accounts and workload lifecycles.

Get Started Using Prisma Cloud with AWS Control Tower

Cloud onboarding setup screen in Prisma Cloud

To learn more about Prisma Cloud integrated with AWS Control Tower, visit Security Solutions for AWS Control Tower in AWS Marketplace. To learn more about Prisma Cloud on AWS, visit the Prisma Cloud AWS Marketplace or the Palo Alto Networks AWS partnership page.
