
Preferences

The Preferences section contains platform-wide configuration settings for your Prism organization. These settings control admin roles, automated provisioning, API access, data replication, and log exports.

Preference Categories

Category | Description | Link
Admin Management | Manage admin accounts, session timeouts, and CloudTrail access | Admin Management
SCIM Configuration | Configure SCIM provisioning for automated user and group synchronization | SCIM Configuration
API Tokens | Create and manage API tokens for programmatic access (e.g., Terraform) | API Tokens
Replication | Import users, groups, and assignments from AWS IAM Identity Center into Prism | Replication
Log Export Settings | Configure automated audit & access log export to Amazon S3 | Log Export Settings

Overview

Admin Management

Control who has admin access to Prism, manage MFA enforcement, set SSO session timeouts, and toggle CloudTrail access for individual admins. See Admin Management.

SCIM Configuration

Set up SCIM (System for Cross-domain Identity Management) to automatically provision and deprovision users and groups from your identity provider. See SCIM Configuration.

API Tokens

Generate API tokens for programmatic access to Prism's API, particularly for use with the Prism Terraform provider. See API Tokens.

Replication

Replication is the initial import that pulls your existing users, groups, and permission set assignments from AWS IAM Identity Center into Prism for every account in your AWS organization. Before running replication you must configure your Management Account (the AWS account hosting your IAM Identity Center instance) by providing its 12-digit Account ID and SSO Region. Once triggered, Prism reads all resources from IAM Identity Center and imports them into its database, giving you a complete, centralized view of your current access configuration. This is typically a one-time step performed during initial onboarding. See Replication.

Log Export Settings

Configure automated export of audit and access logs to an Amazon S3 bucket for long-term storage and compliance. See Log Export Settings.

info

Replication is the first step after configuring your management account. It imports your existing AWS IAM Identity Center data into Prism so you can begin managing it.


Admin Management

Manage administrator accounts and session configuration for your Prism organization. This page allows you to promote users to admin roles, control CloudTrail access, and configure SSO session timeouts.

Prerequisites

  • You must be logged in as a Super Admin. The initial Super Admin account is created during onboarding by navigating to your organization's Prism URL at /init (e.g., https://yourcompany.prism.cloudkeeper.com/init).

Admin Table

The Admin Management page displays a table of all admin-level users.

Available Actions

Promote a User to Admin

Elevate an existing user to an admin role:

  1. Navigate to Admin Portal > Preferences > Admin Management.
  2. Click the Promote User button.
  3. Select the user you want to promote.
  4. Choose the admin role to assign.
  5. Click Confirm to promote the user.
warning

Granting admin access gives the user full control over your Prism organization, including the ability to manage all users, groups, permission sets, assignments, and accounts. Only promote trusted users.

Demote an Admin

Remove admin privileges from a user:

  1. Locate the admin in the admin table.
  2. Click the Demote action on the admin's row.
  3. Confirm the demotion.

The user will revert to their previous non-admin role and lose access to the Admin Portal.

Toggle CloudTrail Access

Control whether an admin can access CloudTrail:

  1. Locate the admin in the admin table.
  2. Click the CloudTrail Access toggle on the admin's row.
  3. The toggle switches between enabled and disabled.

Change Password

Update an admin's password:

  1. Locate the admin in the admin table.
  2. Click the Change Password action.
  3. Enter the new password.
  4. Click Save.

SSO Session Timeout

Configure how long SSO sessions remain active before requiring re-authentication.

Step-by-Step Guide

  1. Navigate to Admin Portal > Preferences > Admin Management.
  2. Locate the SSO Session Timeout setting.
  3. Select the desired timeout duration from the dropdown:

     Duration | Description
     30 minutes | Short sessions for high-security environments
     1 hour | Standard for sensitive operations
     4 hours | Suitable for regular workday use
     8 hours | Full workday session
     12 hours | Default. Extended session for convenience

  4. Click Save to apply the timeout setting.
tip

Balance security and convenience when setting the session timeout. Shorter timeouts are more secure but require more frequent re-authentication. The default of 12 hours works well for most organizations.

What Happens Next

Changes to admin roles and settings take effect immediately in Prism.


SCIM Configuration

Configure SCIM (System for Cross-domain Identity Management) provisioning to automatically synchronize users and groups from your identity provider to Prism. SCIM eliminates the need to manually create and manage user accounts.

Prerequisites

  • Your identity provider must support SCIM 2.0 (e.g., Okta, Azure AD, OneLogin).

Overview

SCIM provisioning creates a bridge between your identity provider and Prism. When you add, update, or remove a user in your identity provider, the change is automatically reflected in Prism through the SCIM protocol.

SCIM Token Management

SCIM authentication uses Bearer tokens. You can manage tokens from the SCIM Configuration page.

Token Table

Column | Description
Token | The SCIM token (masked for security; only shown in full at creation time)
Created Date | When the token was generated
Expiration | When the token expires (if an expiry was set)
Status | Current token status: Active, Expired, or Revoked
Actions | Available actions (Revoke, Delete)

Generate a SCIM Token

  1. Navigate to Admin Portal > Preferences > SCIM Configuration.
  2. Click the Generate Token button.
  3. Optionally, set an expiry date for the token. If no expiry is set, the token remains valid until revoked.
  4. Click Generate.
  5. The new token is displayed. Copy it immediately -- it will not be shown again.
warning

The SCIM token is only displayed once at creation time. Copy and securely store the token before closing the dialog. If you lose the token, you must generate a new one.

Revoke a Token

  1. Locate the token in the token table.
  2. Click the Revoke action.
  3. The token status changes to Revoked and can no longer be used for authentication.

Delete a Token

  1. Locate the token in the token table.
  2. Click the Delete action.
  3. The token is permanently removed from the table.
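As an added example (not Prism's code), here is how a SCIM endpoint can enforce the token lifecycle described above: a presented Bearer token is accepted only while its status is Active, a token with no expiry stays valid until revoked, and tokens are compared as hashes in constant time. Storing a SHA-256 of the token instead of the token itself is an assumption, not something this page states.

```python
# Bearer-token check for a SCIM 2.0 endpoint, following the token lifecycle this
# page describes (optional expiry; status Active / Expired / Revoked).
# Added example, not Prism's code; storing only a hash is an assumption.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class ScimToken:
    token_hash: str              # SHA-256 of the token; the raw value is never stored
    expires: Optional[datetime]  # None = valid until revoked, as the page states
    revoked: bool = False

    def status(self, now: datetime) -> str:
        if self.revoked:
            return "Revoked"
        if self.expires is not None and now >= self.expires:
            return "Expired"
        return "Active"


def _digest(raw: str) -> str:
    return hashlib.sha256(raw.encode()).hexdigest()


def generate_token(now: datetime, expires_in: Optional[timedelta] = None):
    """Return (raw_token, record); the raw token is shown to the admin once."""
    raw = secrets.token_urlsafe(32)
    expires = now + expires_in if expires_in is not None else None
    return raw, ScimToken(_digest(raw), expires)


def authenticate(auth_header: Optional[str], tokens: List[ScimToken], now: datetime) -> str:
    """Return the matched token's status, or 'Missing'/'Unknown'.
    Only 'Active' means the SCIM request may proceed."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return "Missing"
    presented = _digest(auth_header[len("Bearer "):].strip())
    for rec in tokens:
        # constant-time comparison of digests avoids a timing side channel
        if hmac.compare_digest(presented, rec.token_hash):
            return rec.status(now)
    return "Unknown"


def demo() -> List[str]:
    """Walk tokens through their lifecycle; returns the observed statuses."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    raw, rec = generate_token(now, timedelta(days=30))
    forever_raw, forever = generate_token(now)  # no expiry set
    seen = [authenticate("Bearer " + raw, [rec], now),
            authenticate("Bearer " + raw, [rec], now + timedelta(days=31)),
            authenticate("Bearer " + forever_raw, [forever], now + timedelta(days=3650))]
    rec.revoked = True  # the admin clicked Revoke
    seen.append(authenticate("Bearer " + raw, [rec], now))
    seen.append(authenticate("Bearer not-a-real-token", [rec, forever], now))
    return seen
```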

SCIM Configuration Details

After generating a token, configure your identity provider with the following details:

Setting | Value
SCIM Base URL | Displayed on the configuration page. Click the Copy button to copy it to your clipboard.
Authentication Method | Bearer Token
Bearer Token | The token generated in the previous step

info

The SCIM Base URL is unique to your Prism organization. It is pre-populated on the configuration page and should be copied directly into your identity provider's SCIM settings.

Configuring Common Identity Providers

Okta

  1. In Okta, navigate to your application's Provisioning tab.
  2. Click Configure API Integration.
  3. Enter the SCIM Base URL and Bearer Token.
  4. Enable the provisioning features: Push Users and Push Groups.

Azure AD / Microsoft Entra ID

Step 1: Create a New Enterprise Application
  1. In the Azure Portal, navigate to Microsoft Entra ID > Enterprise Applications.
  2. Click + New Application.
  3. Click + Create your own application.
  4. Enter a name for the application (e.g., "Prism SCIM Provisioning").
  5. Select "Integrate any other application you don't find in the gallery (Non-gallery)".
  6. Click Create.
Step 2: Configure Provisioning
  1. In the newly created Enterprise Application, go to Provisioning.
  2. Click New provisioning configuration.
  3. Under Admin Credentials, fill in the following:
    • Select authentication method: Choose Bearer authentication.
    • Tenant URL: Paste the SCIM Base URL copied from the Prism SCIM Configuration page.
    • Secret Token: Paste the SCIM token generated from the Prism SCIM Configuration page.
  4. Click Test Connection to verify that Azure AD can connect to the Prism SCIM endpoint.
  5. Once the connection test succeeds, click Create.
Step 3: Configure Provisioning Settings

After creating the configuration, you will be taken to the configuration details page:

  1. Set Provisioning Mode to Automatic.
  2. Under Mappings, configure attribute mappings for users and groups as needed.
  3. Under Settings, set the Scope to control which users are synced:
    • Sync only assigned users and groups -- Only users and groups assigned to the Enterprise Application will be provisioned.
    • Sync all users and groups -- All users and groups in the directory will be provisioned.
Step 4: Assign Users/Groups and Start Provisioning
  1. Navigate to Users and groups in the Enterprise Application.
  2. Click + Add user/group and assign the users or groups you want to provision to Prism.
  3. Go back to Provisioning and set Provisioning Status to On.
  4. Click Save.
tip

Use Provision on demand to test provisioning with a single user before enabling full sync for your organization.

What Happens Next

After configuring SCIM:

  1. Your identity provider begins syncing users and groups to Prism automatically.
  2. New users created in the identity provider are provisioned in Prism.
  3. User attribute updates in the identity provider are reflected in Prism.
  4. Users deactivated or deleted in the identity provider are deactivated or removed in Prism.
  5. SCIM-provisioned users and groups are available in Prism for access management.
tip

After initial SCIM setup, perform a test sync with a single user to verify that provisioning works correctly before enabling sync for the entire organization.


API Tokens

Create and manage API tokens for programmatic access to Prism's API. API tokens carry admin-level access and are primarily used with the Prism Terraform provider to create and manage resources such as users, groups, permission sets, assignments, and accounts through infrastructure-as-code workflows.

Overview

API tokens provide a secure way to authenticate with Prism's API without using interactive login credentials. Each token grants admin-level access, allowing full management of Prism resources.

Token Table

The API Tokens page displays a table of all tokens created by the current admin.

Creating an API Token

Step-by-Step Guide

  1. Navigate to Admin Portal > Preferences > API Tokens.
  2. Click the Create Token button.
  3. Enter a Description for the token. Use a description that identifies the token's purpose (e.g., "Terraform CI/CD Pipeline", "Monitoring Script").
  4. Click Create.
  5. The newly created token is displayed. Copy it immediately -- it will not be shown again.
  6. Click the Copy button to copy the token to your clipboard.

Field Reference

Field | Type | Required | Description
Description | Text | Yes | A human-readable description of the token's purpose. Helps identify tokens in the table.

warning

The API token is only displayed once at creation time. Copy and securely store the token before closing the dialog. If you lose the token, you must delete it and create a new one.

Deleting an API Token

  1. Locate the token in the token table.
  2. Click the Delete button on the token's row.
  3. Confirm the deletion.

The token is permanently deleted and can no longer be used for authentication. Any scripts or pipelines using this token will fail.

warning

Deleting a token immediately revokes access. Any automation (Terraform pipelines, scripts, integrations) using this token will stop working. Ensure you update those systems with a new token before deleting the old one.

Using API Tokens

With the Prism Terraform Provider

API tokens are the recommended authentication method for the Prism Terraform provider:

provider "prism" {
  api_token = var.prism_api_token
}

tip

Never hardcode API tokens in Terraform files or source code. Use environment variables or a secrets manager. Terraform has no env() function, so declare a sensitive input variable and let Terraform read it from the matching TF_VAR_-prefixed environment variable:

export TF_VAR_prism_api_token="your-token-here"

variable "prism_api_token" {
  type      = string
  sensitive = true
}
provider "prism" {
  api_token = var.prism_api_token
}

Security Best Practices

  • One token per use case -- Create separate tokens for each integration, pipeline, or script. This limits the blast radius if a token is compromised.
  • Use descriptive names -- Name tokens after their purpose so you can identify and manage them easily.
  • Rotate tokens regularly -- Periodically create new tokens and phase out old ones.
  • Store tokens securely -- Use a secrets manager (AWS Secrets Manager, HashiCorp Vault, etc.) rather than storing tokens in plain text.
  • Monitor usage -- Check the "Last Used" column to identify unused tokens that should be deleted. Token usage can also be verified in the Audit Logs.

Replication

Replication is the initial import process that pulls your existing users, groups, and assignments from AWS IAM Identity Center into Prism for all accounts in your AWS organization. This is a critical first step that populates Prism with your current IAM Identity Center configuration so you can begin managing it.

Prerequisites

  • The Management Account must be configured (see below).

Overview

When you first set up Prism, your AWS IAM Identity Center already contains users, groups, and assignments. Replication reads this data from AWS and imports it into Prism's database, giving you a complete view of your organization's access configuration.

Overview Cards

The Replication page displays overview cards showing the current state of your organization:

Card | Description
AWS Accounts | Total number of AWS accounts in your organization
Users | Total number of users
Groups | Total number of groups
Permission Sets | Total number of permission sets
Assignments | Total number of assignments

These counts give you a quick overview of what will be replicated.

Management Account Configuration

Before running replication, you must configure the Management Account -- the AWS account that hosts your IAM Identity Center instance.

Configuration Fields

Field | Type | Required | Description
AWS Account ID | Text (12 digits) | Yes | The 12-digit ID of the AWS account that contains your IAM Identity Center instance.
SSO Region | Dropdown | Yes | The AWS region where IAM Identity Center is deployed. Choose from 25 supported regions.
Description | Text | No | An optional description for the management account configuration.

Supported SSO Regions

The SSO Region dropdown includes all 25 AWS regions where IAM Identity Center is available, including:

  • us-east-1 (N. Virginia)
  • us-east-2 (Ohio)
  • us-west-2 (Oregon)
  • eu-west-1 (Ireland)
  • eu-central-1 (Frankfurt)
  • ap-southeast-1 (Singapore)
  • ap-northeast-1 (Tokyo)
  • And 18 additional regions.

Step-by-Step Guide

  1. Navigate to Admin Portal > Preferences > Replication.
  2. In the Management Account section, enter:
    • AWS Account ID -- The 12-digit ID of your management account.
    • SSO Region -- Select the region where IAM Identity Center is deployed.
    • Description -- Optionally, add a description.
  3. Click Save to store the management account configuration.

Running Replication

Replication imports all resources -- users, groups, and assignments -- from AWS IAM Identity Center into Prism for all accounts in your AWS organization.

Step-by-Step Guide

  1. Navigate to Admin Portal > Preferences > Replication.
  2. Review the overview cards to understand the scope of the replication.
  3. Click the Run Full Replication button.
  4. The replication process begins. This may take a minute or two depending on the number of resources in your AWS organization.
  5. When complete, result cards are displayed showing the outcome.

Replication Results

After replication completes, result cards are displayed for each resource type:

Result | Description
Success | Resources that were successfully imported
Failed | Resources that failed to import (with error details)
Skipped | Resources that were already up-to-date in Prism
Total | The total number of resources processed

Result cards are shown for each resource type:

  • Users
  • Groups
  • Assignments
tip

If any resources show as Failed, review the error details and fix the underlying issues before running replication again. Common causes include connectivity issues with AWS or insufficient permissions on the management account role.

When to Run Replication

Run Replication during initial setup to import your existing AWS IAM Identity Center configuration into Prism. This is typically a one-time process when first onboarding your organization.


Log Export Settings

Configure automated export of audit and access logs to an Amazon S3 bucket. Log exports enable long-term log retention for compliance, auditing, and security analysis.

Prerequisites

  • You must have an Amazon S3 bucket where logs will be stored.
  • The S3 bucket must be accessible from Prism (appropriate IAM permissions and bucket policy).

Step-by-Step Guide

Configuring Log Export

  1. Navigate to Admin Portal > Preferences > Log Export Settings.
  2. Fill in the export configuration:
    • S3 Bucket Name -- Enter the name of the S3 bucket where logs will be stored. The bucket must exist and have proper permissions.
    • Path Prefix (optional) -- Enter an optional prefix for the log files. Files will be stored as {prefix}/audit-logs/YYYY-MM-DD.json and {prefix}/access-logs/YYYY-MM-DD.json.
    • Export Time (UTC) -- Set the daily export time in HH:MM format (24-hour, UTC). Default is 02:00 UTC.
  3. Click Test Connection to verify that Prism can connect to and write to the S3 bucket.
  4. Click Save Configuration to save the settings.
  5. Optionally, click Trigger Export Now to run an immediate export.

Field Reference

Field | Type | Required | Description
S3 Bucket Name | Text | Yes | The name of the Amazon S3 bucket where logs will be exported. Must be an existing bucket with proper permissions.
Path Prefix | Text | No | An optional prefix (folder path) for the log files within the bucket. Files are stored as {prefix}/audit-logs/YYYY-MM-DD.json and {prefix}/access-logs/YYYY-MM-DD.json.
Export Time (UTC) | Time (HH:MM) | No | The daily export time in 24-hour UTC format. Default is 02:00 UTC.

Available Actions

Action | Description
Test Connection | Verifies that Prism can connect to and write to the specified S3 bucket. Run this before saving to confirm everything is set up correctly.
Save Configuration | Saves the current log export settings.
Trigger Export Now | Triggers an immediate log export, independent of the scheduled daily export. Useful for testing or exporting logs on demand.

Last Export

The page displays the most recent export status, including the date/time and whether it succeeded or failed.

What Happens Next

After configuring log exports:

  1. Logs are automatically exported to the specified S3 bucket on the configured schedule (daily).
  2. Each export includes all new audit and access log entries since the last export.
  3. Log files are stored in the S3 bucket with the configured prefix.
  4. You can query exported logs using tools like Amazon Athena, AWS CloudTrail Lake, or any S3-compatible analytics tool.
tip

Use a meaningful S3 key prefix to organize logs by environment or date. For example: prism-logs/production/ or logs/prism/.

warning

Ensure the S3 bucket has appropriate retention policies and access controls. Log data may contain sensitive information about user activity and access patterns.

S3 Bucket Setup

To ensure Prism can export logs to your S3 bucket:

  1. Create an S3 bucket (or use an existing one).
  2. Ensure the bucket policy allows Prism to write objects (PutObject).
  3. Optionally, configure S3 lifecycle rules for log rotation and archival.
  4. Optionally, enable S3 server-side encryption for data-at-rest protection.
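As an added example that is not part of Prism or this page, the Python below works with the key layout documented above ({prefix}/audit-logs/YYYY-MM-DD.json and {prefix}/access-logs/YYYY-MM-DD.json): it flags days whose daily export file never landed in the bucket, and it generates the least-privilege PutObject bucket policy from step 2, scoped to just those two paths. The bucket name, prefix, sample key listing and writer ARN are constructed placeholders; the IAM principal Prism actually writes with is not given on this page.

```python
# Checks built around the export layout this page documents:
#   {prefix}/audit-logs/YYYY-MM-DD.json and {prefix}/access-logs/YYYY-MM-DD.json
# Added example, not Prism's code. Sample keys and the writer ARN are constructed.
import re
from datetime import date, timedelta

LOG_TYPES = ("audit-logs", "access-logs")
KEY_RE = re.compile(r"^(?P<prefix>.*?)/?(?P<type>audit-logs|access-logs)/(?P<day>\d{4}-\d{2}-\d{2})\.json$")


def export_key(prefix: str, log_type: str, day: date) -> str:
    """S3 key for one day's file, with or without a path prefix."""
    base = prefix.strip("/")
    return f"{base}/{log_type}/{day.isoformat()}.json" if base else f"{log_type}/{day.isoformat()}.json"


def missing_exports(keys, prefix: str, start: date, end: date) -> dict:
    """Days in [start, end] with no file for a log type (a silently failed daily export)."""
    want_prefix = prefix.strip("/")
    present = set()
    for key in keys:
        m = KEY_RE.match(key)
        if m and m.group("prefix").strip("/") == want_prefix:
            present.add((m.group("type"), m.group("day")))
    gaps = {t: [] for t in LOG_TYPES}
    day = start
    while day <= end:
        for t in LOG_TYPES:
            if (t, day.isoformat()) not in present:
                gaps[t].append(day.isoformat())
        day += timedelta(days=1)
    return gaps


def bucket_policy(bucket: str, prefix: str, writer_arn: str) -> dict:
    """Least-privilege bucket policy: s3:PutObject only under the two documented
    paths. writer_arn is the principal Prism writes as (not given on this page)."""
    base = prefix.strip("/")
    root = f"arn:aws:s3:::{bucket}/" + (base + "/" if base else "")
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "PrismLogExportWrite", "Effect": "Allow",
        "Principal": {"AWS": writer_arn}, "Action": "s3:PutObject",
        "Resource": [f"{root}{t}/*" for t in LOG_TYPES]}]}


SAMPLE_KEYS = [  # constructed listing: the 2025-03-02 access log never landed
    "prism-logs/production/audit-logs/2025-03-01.json",
    "prism-logs/production/access-logs/2025-03-01.json",
    "prism-logs/production/audit-logs/2025-03-02.json",
    "prism-logs/production/audit-logs/2025-03-03.json",
    "prism-logs/production/access-logs/2025-03-03.json",
]


def demo() -> dict:
    p = "prism-logs/production"
    return {"key": export_key(p + "/", "audit-logs", date(2025, 3, 1)),
            "gaps": missing_exports(SAMPLE_KEYS, p, date(2025, 3, 1), date(2025, 3, 3)),
            "policy": bucket_policy("my-log-bucket", p, "arn:aws:iam::111122223333:role/PLACEHOLDER")}
```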