Onboarding AWS Environments
This topic describes all available methods of onboarding AWS environments to CloudGuard.
You can select one of the methods below depending on the type and number of your environments:
- To onboard the entire Organization - Onboarding of AWS Organizations
- To onboard one AWS account
  - Unified (all available features) - Unified Onboarding of AWS Environments
  - Manually
    - Standard account - Manual Onboarding of AWS Environments
    - GovCloud or AWS China account - Manual Onboarding of AWS GovCloud or AWS China Environments
- Using Terraform - Onboarding with Terraform
Onboarding with Terraform
You can use the Check Point CloudGuard (Dome9) Terraform provider to onboard and update AWS environments in CloudGuard. First, you need to prepare Terraform files for your AWS environments. For more information, see the Terraform documentation at https://www.terraform.io/docs/providers/dome9/.
The dedicated resource at https://registry.terraform.io/providers/dome9/dome9/latest/docs/resources/aws_unified_onbording includes Intelligence and Serverless configurations, and the rulesets for Posture Management (Compliance) and Intelligence.
The full source code is at https://github.com/dome9/terraform-provider-dome9.
CloudGuard Features
Learn more about each functionality that CloudGuard provides:
- For Posture Management, see Cloud Security Posture Management (CSPM)
- For Intelligence, see Cloud Detection and Response (CDR)
- For operational modes, see AWS Security Group Management Modes: Full Protection or Read-Only
- For Serverless Protection, see Enabling Serverless Protection
- For Agentless Workload Posture, see Agentless Workload Posture
- For Permissions updates, see Updating AWS Permissions
Troubleshooting
Intelligence
Issue: CloudGuard cannot onboard your AWS account to Intelligence during the environment onboarding. The corresponding status and error message appear on the Onboarding Summary page.
Possible causes:
- CloudGuard cannot find CloudTrail logs on your account
- CloudGuard cannot find an applicable log destination, because your S3 bucket already has a configured Event Subscription
Note - The preferred type of CloudTrail is a trail that applies to all Regions. If CloudGuard finds that your AWS account contains multiple globally applied trails, it selects one on a random basis. A warning message on the Onboarding Summary page notifies you that other buckets were found but not onboarded.
Solution: Onboard your AWS account to Intelligence separately, with Custom Onboarding. See Custom Onboarding for more information.
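As an added example (not part of the CloudGuard documentation), the following preflight check applies the two causes above to constructed sample data shaped like the CloudTrail DescribeTrails and S3 GetBucketNotificationConfiguration responses; in a real run those dicts would come from the corresponding boto3 calls.

```python
"""Preflight check for the Intelligence onboarding prerequisites described above.

Constructed sample data mirrors the shape of the CloudTrail DescribeTrails and
S3 GetBucketNotificationConfiguration responses; in a real run fetch them with
cloudtrail.describe_trails()["trailList"] and
s3.get_bucket_notification_configuration(Bucket=name).
"""
from typing import Dict, List, Tuple

# Constructed sample: two trails that apply to all Regions and one single-Region trail.
TRAILS: List[dict] = [
    {"Name": "org-trail", "S3BucketName": "org-logs", "IsMultiRegionTrail": True},
    {"Name": "legacy-trail", "S3BucketName": "legacy-logs", "IsMultiRegionTrail": True},
    {"Name": "eu-only", "S3BucketName": "eu-logs", "IsMultiRegionTrail": False},
]

# Constructed sample: org-logs already has an S3 event subscription (an SQS queue).
NOTIFICATIONS: Dict[str, dict] = {
    "org-logs": {"QueueConfigurations": [{"QueueArn": "arn:aws:sqs:us-east-1:111111111111:existing"}]},
    "legacy-logs": {},
    "eu-logs": {},
}

# The three destination types an S3 bucket notification configuration can carry.
SUBSCRIPTION_KEYS = ("TopicConfigurations", "QueueConfigurations", "LambdaFunctionConfigurations")


def has_event_subscription(config: dict) -> bool:
    """True if the bucket's notification configuration already routes events somewhere."""
    return any(config.get(key) for key in SUBSCRIPTION_KEYS)


def intelligence_preflight(trails: List[dict], notifications: Dict[str, dict]) -> Tuple[List[str], List[str]]:
    """Return (names of usable trails, warnings) for the two failure causes above."""
    warnings: List[str] = []
    if not trails:
        return [], ["no CloudTrail trails found on this account"]
    multi_region = [t for t in trails if t.get("IsMultiRegionTrail")]
    if not multi_region:
        warnings.append("no trail applies to all Regions; CloudGuard prefers a multi-Region trail")
    usable: List[str] = []
    for trail in multi_region:
        bucket = trail["S3BucketName"]
        if has_event_subscription(notifications.get(bucket, {})):
            warnings.append(f"bucket {bucket} (trail {trail['Name']}) already has an event subscription")
        else:
            usable.append(trail["Name"])
    if len(usable) > 1:
        warnings.append("several multi-Region trails qualify; CloudGuard picks one at random: " + ", ".join(usable))
    return usable, warnings
```

Run it before onboarding: an empty usable list explains the Intelligence error, and the warnings say which cause applies to which bucket.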