AWS Accounts

The AWS Accounts section allows you to onboard, manage, and delete AWS accounts in your Prism organization. Onboarded accounts are the target environments where users and groups receive access through assignments.

Prerequisites

  • You must have access to the AWS accounts you want to onboard (for setting up the required trust policy and IAM permissions).

AWS Accounts List

The AWS Accounts page displays a paginated table of all onboarded accounts.

Table Columns

  • Account Name -- The display name for the AWS account in Prism
  • Account ID -- The 12-digit AWS account identifier
  • JIT Owners -- Users designated as JIT (Just-In-Time) access owners for this account
  • Actions -- Available management actions

Available Actions

  • Onboard Account -- Add a new AWS account to Prism (see Onboard Account)
  • Rename Account -- Change the display name of an account (see Rename Account)
  • Manage Owners -- Assign JIT access owners to an account (see Manage Owners)
  • Delete Account -- Remove an AWS account from Prism (see Delete Account)

Understanding Account Onboarding

Before Prism can manage access to an AWS account, the account must be onboarded. This process establishes a trust relationship between Prism and the AWS account, allowing Prism to manage IAM Identity Center resources.

Prism supports two onboarding methods:

  1. Automated -- Prism generates a prepopulated CloudFormation template that sets up the required cross-account IAM role.
  2. Manual -- You manually create the required IAM roles and policies in the AWS account.

See Onboard Account for detailed instructions on each method.

JIT Account Owners

Each AWS account can have one or more JIT owners. JIT owners are users who can approve Just-In-Time (JIT) access requests for the account through the JIT Portal. This provides a controlled way to grant temporary, elevated access.

See Manage Owners for details on assigning JIT owners.


Onboard AWS Account

Onboard a new AWS account to bring it under Prism management. Once onboarded, you can create assignments to grant users and groups access to the account.

Prerequisites

  • You must have the 12-digit AWS account ID for the account you want to onboard.
  • You must have sufficient permissions in the AWS account to create IAM roles and policies.

Onboarding Methods

Prism provides multiple methods to onboard AWS accounts. Choose the method that best fits your workflow.


Method 1: Automated Onboarding

The automated method generates a prepopulated CloudFormation template that sets up the required cross-account IAM role for you.

Step-by-Step Guide

  1. Navigate to Admin Portal > AWS Accounts from the sidebar.
  2. Click the Onboard Account button.
  3. Select the Automated onboarding method.
  4. Fill in the required fields:
    • AWS Account ID -- Enter the 12-digit AWS account ID.
    • Account Name -- Enter a display name for the account in Prism.
  5. Click the generated CloudFormation link to open the AWS CloudFormation console with a pre-configured stack that creates the required cross-account IAM role.
  6. Review the stack in the AWS Console and click Create Stack.
  7. Once the stack is created, return to Prism and click Validate to verify that Prism can assume the role in the target account.
  8. If validation succeeds, click Onboard to complete the process.

Field Reference

  • AWS Account ID (text, 12 digits; required) -- The AWS account's unique 12-digit identifier. Found in the AWS Console under account settings.
  • Account Name (text; required) -- A friendly display name for the account in Prism (e.g., "Production", "Development", "Staging").

Tip: Use descriptive account names that help your team quickly identify the account's purpose. Names like "prod-us-east-1" or "dev-data-team" are more useful than generic names.


Method 2: Manual Onboarding

The manual method gives you full control over the IAM setup in the AWS account.

Step-by-Step Guide

  1. Navigate to Admin Portal > AWS Accounts from the sidebar.
  2. Click the Onboard Account button.
  3. Select the Manual onboarding method.
  4. Prism displays the required configuration:
    • Trust Policy -- A JSON trust policy document that must be attached to an IAM role in the target account. Click the Copy button to copy it to your clipboard.
    • Required IAM Policies -- A list of IAM policies that the role must have for Prism to manage the account.
  5. Go to the AWS Console for the target account and create the IAM role with the provided trust policy and required policies.
  6. Return to Prism and fill in:
    • AWS Account ID -- Enter the 12-digit AWS account ID.
    • Account Name -- Enter a display name for the account.
  7. Click Validate to verify that Prism can assume the role in the target account.
  8. If validation succeeds, click Onboard to complete the process.

Warning: The trust policy must be applied exactly as provided. Modifying the trust policy may prevent Prism from managing the account.
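Both the warning above (apply the trust policy exactly as provided) and the Troubleshooting entry below (validation fails on a wrong account ID or mis-applied trust policy) can be checked locally before clicking Validate. The following is an added example, not Prism's own code: the trust policy text in it is a constructed stand-in for the one Prism shows in the Manual onboarding dialog, and the principal ARN and ExternalId in it are placeholders, not real Prism values. It compares the policy you actually attached to the role against the provided one semantically (key order, whitespace and single-element lists do not count as changes) and reports exactly which statement field was altered, alongside the 12-digit account ID check.

```python
"""Pre-flight checks for Prism's manual onboarding, run before clicking Validate.

Added example, not Prism's own code. The trust policy text below stands in
for the one Prism shows in the Manual onboarding dialog; the principal ARN
and ExternalId in it are constructed placeholders, not real Prism values.
"""
import json
import re

# Constructed stand-in for the trust policy Prism displays (copy it verbatim).
PRISM_PROVIDED_TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111111111111:role/PrismOnboardingRole"},
      "Action": "sts:AssumeRole",
      "Condition": {"StringEquals": {"sts:ExternalId": "PLACEHOLDER-EXTERNAL-ID"}}
    }
  ]
}"""

ACCOUNT_ID_RE = re.compile(r"[0-9]{12}")


def is_valid_account_id(account_id: str) -> bool:
    """AWS account IDs are exactly 12 decimal digits."""
    return ACCOUNT_ID_RE.fullmatch(account_id.strip()) is not None


def _canonical(doc):
    """Normalise a policy document so formatting differences do not count.

    Key order and whitespace are irrelevant to IAM, and a single-element
    list is equivalent to the bare scalar ("Action": "x" == ["x"]).
    """
    if isinstance(doc, dict):
        return {k: _canonical(v) for k, v in sorted(doc.items())}
    if isinstance(doc, list):
        items = [_canonical(v) for v in doc]
        return items[0] if len(items) == 1 else sorted(items, key=json.dumps)
    return doc


def trust_policy_diffs(provided: str, applied: str) -> list[str]:
    """Return the fields in which the applied policy deviates from Prism's.

    An empty list means the two documents are semantically identical.
    """
    p, a = _canonical(json.loads(provided)), _canonical(json.loads(applied))
    if p == a:
        return []
    diffs = [f"{key} differs" for key in sorted((set(p) | set(a)) - {"Statement"})
             if p.get(key) != a.get(key)]
    ps, as_ = p.get("Statement"), a.get("Statement")
    if not (isinstance(ps, dict) and isinstance(as_, dict)):
        diffs.append("Statement count or structure differs")
        return diffs
    diffs.extend(
        f"Statement.{key} differs: provided={ps.get(key)!r} applied={as_.get(key)!r}"
        for key in sorted(set(ps) | set(as_))
        if ps.get(key) != as_.get(key)
    )
    return diffs


def preflight(account_id: str, applied_trust_policy: str,
              provided_trust_policy: str = PRISM_PROVIDED_TRUST_POLICY) -> list[str]:
    """Collect everything that would make Prism's Validate step fail."""
    problems = []
    if not is_valid_account_id(account_id):
        problems.append(f"account id {account_id!r} is not 12 digits")
    problems.extend(trust_policy_diffs(provided_trust_policy, applied_trust_policy))
    return problems


if __name__ == "__main__":
    # Constructed "applied" policy: same content, different formatting (passes).
    reformatted = json.dumps(json.loads(PRISM_PROVIDED_TRUST_POLICY), indent=4)
    print(preflight("123456789012", reformatted))
    # Constructed "applied" policy with the ExternalId condition dropped (fails).
    weakened = json.loads(PRISM_PROVIDED_TRUST_POLICY)
    del weakened["Statement"][0]["Condition"]
    for problem in preflight("12345", json.dumps(weakened)):
        print("-", problem)
```

Paste the trust policy you read back from the role (for example from the IAM console's Trust relationships tab) as the applied document. A dropped Condition block shows up as a named difference rather than a generic validation failure, which is the case the warning above is about.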

What Happens Next

After onboarding an account:

  1. The account appears in the AWS Accounts list.
  2. You can create assignments for the account.
  3. You can assign JIT owners to the account.

Troubleshooting

  • Validation fails -- Verify the AWS account ID is correct (12 digits). Ensure the trust policy and IAM permissions are correctly configured in the target account.

Rename Account

Change the display name of an onboarded AWS account in Prism. Renaming an account only changes how it appears in the Prism interface -- it does not affect the AWS account itself.

Prerequisites

  • The account must already be onboarded.

Step-by-Step Guide

  1. Navigate to Admin Portal > AWS Accounts from the sidebar.
  2. Locate the account you want to rename in the table.
  3. Click the Edit icon on the account's row.
  4. Enter the new display name for the account.
  5. Click Save to apply the change.

Field Reference

  • Account Name (text; required) -- The new display name for the account in Prism. Does not affect the AWS account name.

What Happens Next

After renaming an account:

  1. The new name is reflected immediately across the Prism interface, including the Assignments page and JIT Portal.

Tip: Use descriptive names that convey the account's purpose and environment. Examples: "Production - US East", "Staging - Data Team", "Dev - Frontend".


Manage Account Owners

Assign JIT (Just-In-Time) access owners to an AWS account. JIT owners are users who can approve JIT access requests for the account through the JIT Portal. This enables a controlled, time-limited access approval workflow.

Step-by-Step Guide

  1. Navigate to Admin Portal > AWS Accounts from the sidebar.
  2. Locate the account you want to manage owners for.
  3. Click the Manage Owners icon on the account's row.
  4. A multi-select list of available users is displayed.
  5. Select one or more users to designate as JIT owners for this account.
  6. Click Save to apply the changes.

Tip: The user list supports multi-select, allowing you to assign several owners at once. Having multiple owners ensures that JIT access requests can be approved even if one owner is unavailable.

What Happens Next

After assigning JIT owners:

  1. The selected users appear in the JIT Owners column for the account.
  2. When a user submits a JIT access request for this account through the JIT Portal, the designated owners receive the request for approval.
  3. Owners can approve or deny JIT access requests from the Approver interface.

Removing Owners

To remove a user as a JIT owner:

  1. Navigate to Admin Portal > AWS Accounts and click Manage Owners for the account.
  2. Deselect the user from the owners list.
  3. Click Save.

Info: If an account has no JIT owners, JIT access requests for that account will default to Prism admins for approval.

Best Practices

  • Assign multiple owners -- Ensure at least two or three owners per account to avoid bottlenecks when approvals are needed.
  • Choose appropriate owners -- JIT owners should be senior team members or managers who understand the security implications of granting access.
  • Review owners regularly -- As team structures change, review and update account ownership to keep it current.
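The approval fallback described in the info box and the three best practices above can be turned into a periodic review. The following is an added example and not Prism's own code: it models the behaviour this page describes (owners receive the request; an account with no owners falls back to Prism admins) and flags accounts with no owners, with fewer active owners than a chosen minimum, or with owners who are no longer in the active user directory. The account and user names are constructed.

```python
"""Ownership review for Prism JIT owners.

Added example, not Prism's own code; it models the behaviour this page
describes (owners receive JIT requests; an account with no owners falls
back to Prism admins) and the best practices above (several owners per
account, review as teams change). Account and user names are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    name: str
    jit_owners: set = field(default_factory=set)


def resolve_approvers(account: Account, prism_admins: set) -> set:
    """Who receives a JIT request for this account.

    Designated owners if there are any; otherwise the request defaults
    to Prism admins, as the info box above states.
    """
    return set(account.jit_owners) if account.jit_owners else set(prism_admins)


def review_ownership(accounts, active_users, min_owners=2):
    """Return (account_id, finding) pairs for accounts whose ownership needs attention.

    - no owners: approvals silently fall through to Prism admins
    - fewer than min_owners active owners: one unavailable owner blocks approvals
    - owners missing from the active user directory: stale after team changes
    """
    findings = []
    for acct in accounts:
        stale = sorted(acct.jit_owners - active_users)
        live = acct.jit_owners & active_users
        if not acct.jit_owners:
            findings.append((acct.account_id,
                             "no JIT owners; requests fall back to Prism admins"))
        elif len(live) < min_owners:
            findings.append((acct.account_id,
                             f"only {len(live)} active owner(s), want at least {min_owners}"))
        if stale:
            findings.append((acct.account_id, "stale owners: " + ", ".join(stale)))
    return findings


# Constructed sample data: a user directory, the admin set and four accounts.
ACTIVE_USERS = {"alice", "bob", "carol"}
PRISM_ADMINS = {"root-admin"}
SAMPLE_ACCOUNTS = [
    Account("111111111111", "Production", {"alice", "bob"}),
    Account("222222222222", "Staging", {"carol"}),
    Account("333333333333", "Dev - Frontend", set()),
    Account("444444444444", "Data Team", {"alice", "dave"}),  # dave has left the team
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct.name, "->", sorted(resolve_approvers(acct, PRISM_ADMINS)))
    for account_id, finding in review_ownership(SAMPLE_ACCOUNTS, ACTIVE_USERS):
        print(account_id, finding)
```

Feed it the JIT Owners column from the AWS Accounts list and your identity provider's active-user export; the findings list is the set of accounts to revisit under Manage Owners.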

Delete AWS Account

Remove an AWS account from your Prism organization. Deleting an account disconnects it from Prism management and revokes all assignments associated with the account.

Prerequisites

  • The AWS account must already be onboarded.
  • There must be no active assignments on the account. You must delete all assignments before deleting the account.

Step-by-Step Guide

  1. Navigate to Admin Portal > AWS Accounts from the sidebar.
  2. Locate the account you want to delete in the table.
  3. Click the Delete icon on the account's row.
  4. A confirmation dialog will appear, asking you to confirm the deletion.
  5. Review the account name and ID to ensure you are deleting the correct account.
  6. Click Confirm to proceed, or Cancel to abort.

Warning: Deleting an account is a significant action. The account will be completely removed from Prism, and all associated configuration (owners, display name, etc.) will be lost.

Pre-Deletion Checklist

Before deleting an account, complete the following steps:

  1. Delete all assignments -- Navigate to Assignments and remove all assignments for this account. The system will prevent deletion if active assignments exist.
  2. Notify affected users -- Inform users and group members who had access to the account.
  3. Document the change -- Record why the account was deleted for audit purposes.

What Happens Next

After deleting an account:

  1. The account is removed from Prism's database.
  2. The account disappears from the AWS Accounts list.
  3. All JIT owner associations for the account are removed.
  4. JIT access requests for the account can no longer be submitted.

Info: Deleting removes the account from Prism's management but does not affect the AWS account itself. The account and its resources continue to exist in AWS. Any IAM roles created during onboarding remain in the AWS account and should be manually cleaned up if no longer needed.


Hierarchy View

If Org Services is enabled for your customer, a Hierarchy / List toggle appears in the header. The hierarchy view displays your AWS Organization structure as an expandable tree, showing how accounts are organized into Organizational Units (OUs).

Switching Views

  • List (default) -- The standard paginated table of onboarded accounts.
  • Hierarchy -- The AWS Organizations tree showing Root, OUs, and accounts.

All nodes are expanded by default. Click the expand/collapse arrow on any node to toggle its children.

Organization Tree Actions

Each node in the hierarchy tree has a three-dot menu with context-appropriate actions:

  • Root -- Create Child OU
  • OU -- Create Child OU, Delete OU
  • Account -- Move Account

Creating an Organizational Unit

  1. Switch to Hierarchy view.
  2. Click the three-dot menu on a Root or OU node.
  3. Select Create Child OU.
  4. Enter the OU name.
  5. Click Create.

The tree refreshes automatically after creation. A "Refreshing organization tree..." indicator is shown while the tree updates.

Deleting an Organizational Unit

  1. Click the three-dot menu on the OU you want to delete.
  2. Select Delete OU.
  3. Confirm the deletion.

Warning: The OU must be empty -- it cannot contain any accounts or child OUs. Move all accounts out of the OU before deleting it.

Moving an Account

  1. Click the three-dot menu on the Account you want to move.
  2. Select Move Account.
  3. Choose the destination OU from the dropdown list.
  4. Click Move.

The tree refreshes automatically after the move.
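The three tree actions above (Create Child OU, Delete OU, Move Account) and their rules are small enough to model end to end. The following is an added example, not Prism's own code: an in-memory tree that only offers Create Child OU on Root and OU nodes, refuses to delete an OU that still contains accounts or child OUs, re-parents an account on Move Account, and renders the fully expanded tree the Hierarchy view shows by default. Node ids and names are constructed; allowing Root as a move destination is an assumption, since the page's dropdown lists OUs.

```python
"""In-memory model of the Hierarchy view's tree operations.

Added example, not Prism's own code. It enforces the rules this page
states: child OUs are created under Root or an OU, an OU must be empty
before it can be deleted, and accounts are moved to a destination OU.
Node identifiers and names are constructed.
"""


class OrgTree:
    """Root, OUs and accounts keyed by id, each node knowing its parent."""

    def __init__(self, root_id: str = "r-root"):
        self.root_id = root_id
        self.nodes = {root_id: {"type": "Root", "name": "Root", "parent": None}}

    def children(self, node_id: str) -> list:
        return [nid for nid, n in self.nodes.items() if n["parent"] == node_id]

    def _require(self, node_id: str, *types: str) -> dict:
        node = self.nodes.get(node_id)
        if node is None:
            raise KeyError(f"unknown node {node_id}")
        if node["type"] not in types:
            raise ValueError(f"{node_id} is a {node['type']}, expected {' or '.join(types)}")
        return node

    def create_ou(self, parent_id: str, ou_id: str, name: str) -> None:
        """'Create Child OU' is offered on Root and OU nodes only."""
        self._require(parent_id, "Root", "OU")
        if ou_id in self.nodes:
            raise ValueError(f"{ou_id} already exists")
        self.nodes[ou_id] = {"type": "OU", "name": name, "parent": parent_id}

    def add_account(self, parent_id: str, account_id: str, name: str) -> None:
        self._require(parent_id, "Root", "OU")
        self.nodes[account_id] = {"type": "Account", "name": name, "parent": parent_id}

    def delete_ou(self, ou_id: str) -> None:
        """'Delete OU' refuses while the OU still contains accounts or child OUs."""
        self._require(ou_id, "OU")
        if self.children(ou_id):
            raise ValueError(f"{ou_id} is not empty; move its accounts and OUs out first")
        del self.nodes[ou_id]

    def move_account(self, account_id: str, dest_id: str) -> None:
        """'Move Account' re-parents the account under the chosen destination."""
        self._require(account_id, "Account")
        # The page's dropdown lists OUs; accepting Root as a destination is an assumption.
        self._require(dest_id, "OU", "Root")
        self.nodes[account_id]["parent"] = dest_id

    def render(self, node_id: str = "", depth: int = 0) -> list:
        """Fully expanded tree, one indented line per node (the default view)."""
        node_id = node_id or self.root_id
        node = self.nodes[node_id]
        lines = ["  " * depth + f"{node['type']}: {node['name']} ({node_id})"]
        for child in sorted(self.children(node_id)):
            lines.extend(self.render(child, depth + 1))
        return lines


def build_sample_tree() -> OrgTree:
    """Constructed example organisation: Root > Workloads > {Production, Development}."""
    tree = OrgTree()
    tree.create_ou("r-root", "ou-workloads", "Workloads")
    tree.create_ou("ou-workloads", "ou-prod", "Production")
    tree.create_ou("ou-workloads", "ou-dev", "Development")
    tree.add_account("ou-dev", "111111111111", "dev-data-team")
    tree.add_account("ou-prod", "222222222222", "prod-us-east-1")
    return tree


if __name__ == "__main__":
    tree = build_sample_tree()
    print("\n".join(tree.render()))
    try:
        tree.delete_ou("ou-dev")          # still holds an account: refused
    except ValueError as exc:
        print("refused:", exc)
    tree.move_account("111111111111", "ou-prod")
    tree.delete_ou("ou-dev")              # now empty: succeeds
    print("\n".join(tree.render()))
```

The refusal path is the one the warning under Deleting an Organizational Unit describes: the delete only goes through after the account has been moved out.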

Tip: Use OUs to group accounts by environment (production, staging, development), team, or business unit. This organization helps when applying policies to groups of accounts.