# Prisma Cloud Integration With AWS IAM Identity Center and AWS Tag Support

By [Cameron Hyde](https://www.paloaltonetworks.com/blog/author/cameron-hyde/), Jan 31, 2023, 4 minutes

[Announcement](https://www.paloaltonetworks.com/blog/category/announcement/), [Cloud Infrastructure Entitlement Management](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-infrastructure-entitlement-management/), [Partners](https://www.paloaltonetworks.com/blog/cloud-security/category/partners/), [Amazon](https://www.paloaltonetworks.com/blog/tag/amazon/), [IAM](https://www.paloaltonetworks.com/blog/tag/iam/)

**Prisma Cloud helps AWS customers gain a deeper view into entitlements and enforce consistent, least-privilege access for all users accessing AWS infrastructure.**

Identities have become the new cloud perimeter for security teams. [Unit 42](https://start.paloaltonetworks.com/unit-42-cloud-threat-report-volume-6.html) threat researchers found an average of 3,400 cloud identities per company in a survey of 200 organizations. The alarming detail is that 99% of those identities had unused privileges, creating a massive attack surface. The cloud infrastructure entitlement management ([CIEM](https://www.paloaltonetworks.com/prisma/cloud/cloud-infrastructure-entitlement-mgmt)) capabilities built into Prisma Cloud help customers reduce identity risks. We're thrilled to release new enhancements for AWS customers, specifically the integration between Prisma Cloud and [AWS IAM Identity Center](https://aws.amazon.com/iam/identity-center/) and new support for AWS tags.

## Why AWS IAM Identity Center?

Users often access cloud infrastructure through identity providers (IdPs) or single sign-on (SSO) tools such as Azure AD or Okta. Using an IdP complicates permissions management because the permissions still have to be defined within each cloud account.

![IAM based federation vs AWS IAM Identity Center based federation.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/01/word-image-178559-1.png)

IAM based federation vs AWS IAM Identity Center based federation.

IAM Identity Center aims to centralize the management of roles and policies for AWS users and to scale permissions management as the number of accounts grows. It is a great first step toward simplifying the management of your AWS user identities. To evaluate the overall identity risk in a cloud environment, though, you need to calculate net-effective permissions, which means working out which identities actually have access to critical infrastructure.
Net-effective permissions are too complex to calculate manually for many reasons, including:

* Identities extend beyond users to include machines and resources
* Companies use multiple clouds with inconsistent IAM frameworks
* Identities may access cloud infrastructure through IdPs and SSO tools

Automating permissions mapping is great for understanding IAM risk, but managing that risk is something else entirely. Through net-effective permissions calculations, security teams can highlight overly permissive identities and remediate them to enforce least-privilege access, ensuring that if unauthorized users gain access to a role, the damage they can do is limited.

Some CIEM tools can analyze data from AWS, IdPs and SSO tools to automate cloud permissions mapping and help security teams efficiently remediate cloud identity risk. But this requires CIEM providers to integrate directly with and support each individual IdP, and adding support for another IdP can take months. Here is where Prisma Cloud and AWS can help.

![Prisma Cloud with AWS IAM Identity Center.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/01/word-image-178559-2.png)

Prisma Cloud with AWS IAM Identity Center.

Prisma Cloud integrates with AWS IAM Identity Center to provide effective permissions mapping for any AWS user, [regardless of the IdP](https://docs.aws.amazon.com/singlesignon/latest/userguide/supported-idps.html). Prisma Cloud then aggregates this data with other data sources to automate net-effective permissions mapping, so that overly permissive roles are highlighted and least privilege can be enforced across multicloud environments. In addition to the visibility, users can create policies and alerts to remediate risky permissions.

![AWS user and machine identities.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/01/word-image-178725-3.png)

AWS user and machine identities.
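The net-effective calculation described above, as an added Python example that is not Prisma Cloud's own code: the IdP groups, permission sets, account assignments, account IDs and the observed activity are all constructed, and the evaluator models only Allow/Deny action matching within a permission set (no conditions, resource ARNs or SCPs).

```python
# Added example, not Prisma Cloud code: net-effective permissions for a user
# federated through AWS IAM Identity Center (IdP group -> per-account
# permission-set assignment -> allowed actions). All data is constructed.
from fnmatch import fnmatchcase

GROUPS = {"devs": {"alice", "bob"}, "ops": {"bob"}}  # constructed IdP groups
PERMISSION_SETS = {  # constructed, as simplified IAM-style statements
    "ReadOnly": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "ec2:Describe*"]}],
    "PowerUser": [{"Effect": "Allow", "Action": ["*"]},
                  {"Effect": "Deny", "Action": ["iam:*", "organizations:*"]}],
}
ASSIGNMENTS = [  # constructed (principal, permission set, account ID)
    ("devs", "ReadOnly", "111111111111"),
    ("ops", "PowerUser", "222222222222"),
    ("alice", "PowerUser", "111111111111"),
]
ACTIONS = [  # constructed universe of actions to evaluate against
    "s3:GetObject", "s3:PutObject", "ec2:DescribeInstances",
    "ec2:TerminateInstances", "iam:CreateUser", "organizations:LeaveOrganization",
]

def principals_for(user):
    """The user itself plus every IdP group it belongs to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}

def is_allowed(statements, action):
    """IAM evaluation inside one permission set: an explicit Deny wins,
    otherwise any matching Allow grants, otherwise implicit deny."""
    def matches(stmt):
        return any(fnmatchcase(action, pat) for pat in stmt["Action"])
    if any(s["Effect"] == "Deny" and matches(s) for s in statements):
        return False
    return any(s["Effect"] == "Allow" and matches(s) for s in statements)

def effective_permissions(user):
    """account ID -> actions the user can reach there. Each assigned permission
    set becomes its own role in the account, so a Deny in one set does not
    cancel an Allow in another; the union is the net-effective reach."""
    reach = {}
    for principal, pset, account in ASSIGNMENTS:
        if principal in principals_for(user):
            allowed = {a for a in ACTIONS if is_allowed(PERMISSION_SETS[pset], a)}
            reach.setdefault(account, set()).update(allowed)
    return reach

def unused_privileges(user, observed):
    """Granted actions never seen in use. `observed` is a constructed stand-in
    for CloudTrail activity, keyed by account ID; the gap is the least-privilege
    remediation candidate."""
    granted = effective_permissions(user)
    return {acct: acts - observed.get(acct, set()) for acct, acts in granted.items()}
```

Note that `alice` reaches `ec2:TerminateInstances` in account 111111111111 only because of the direct PowerUser assignment, which is exactly the kind of path a per-account policy review misses when the IdP group alone is inspected.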
## CIEM Support for AWS Tags

AWS users often use tags to group resources, usually to classify them by application and business logic. Prisma Cloud now supports AWS tags within IAM investigation, so users can see permissions at the application level (to and from an application, and within it) in addition to resource-level permissions. This capability makes custom policies more dynamic: specific tags can be used to group cloud resources, roles, groups, policies and so on when defining alert rules.

## Learn More About Prisma Cloud

Prisma Cloud delivers CIEM across AWS, Azure and Google Cloud Platform. The integration with AWS IAM Identity Center and support for AWS tags are available. If you'd like hands-on experience with these new capabilities, [request a free 30-day trial](https://www.paloaltonetworks.com/prisma/request-a-prisma-cloud-trial).