Updating Onboarded AWS Organizations

Sometimes it is necessary to change some of the configured parameters of the onboarded Organizations. These parameters are stored in the stackset of your AWS account. You can change the parameters only from the AWS portal.

Note - The procedures below show the minimal set of parameters that you must configure on the AWS portal to change your CloudGuard Organization. You can configure and change more AWS parameters based on your needs.

Use Cases

  • Managing the deployment scope (adding or removing OU)

  • Managing the deployment parameters (for example: enabling or disabling AWP)

Managing the Organization Onboarding Scope

CloudGuard organization onboarding uses AWS CloudFormation stackset to manage the scope that defines which account to onboard to CloudGuard.

Each AWS account with a successful stack instance starts an automatic onboarding attempt. Hence, to add accounts to (or remove them from) CloudGuard, add them to (or remove them from) the current stackset scope.

Adding Organizational Units to StackSet

The changes made with this procedure are applicable to all accounts that you add to the stackset in the future.

  1. In a new browser tab, go to the AWS portal and sign in to your AWS account.

  2. In CloudFormation, navigate to StackSets and select the stackset used for onboarding the Organization.

  3. Click Actions and select Add stacks to StackSet.

  4. On the Set deployment options page, select these options:

    1. Deploy new stacks (default).

    2. For Deployment targets, select Deploy to organizational units (OUs).

    3. Optional - to add one or more new OUs, enter the OU ID below AWS OU ID. For this:

      1. Open a new browser tab and open AWS Organizations.

      2. In the AWS accounts page, below Organizations, in the Organizational structure, find the OU that you need to add and copy its ID.

      3. Click Add another OU if needed.

    4. In the Specify regions section, select one region that matches your CloudGuard Data Center. For more information, see Region Selection.

      Important - Do not select Add all regions for this option.

    5. In the Deployment options section:

      • For Maximum concurrent accounts - optional, select Percentage and enter 100.

      • For Failure tolerance - optional, select Percentage and enter 100.

      • For Region concurrency, select Sequential.

    6. Click Next.

  5. Optionally, on the Specify overrides page, in the Parameters section, change these values:

    • In AwpMode:

      • Select Disabled to disable AWP for all accounts in the organization.

      • Select InAccount (default) to enable AWP scanning within your account.

      • Select Saas to enable AWP scanning of your snapshots on CloudGuard's account.

      For more details, see Agentless Workload Posture.

    • In CDR:

      • Select Enabled to onboard the organization to CDR. You can select to onboard up to three S3 buckets. For this, enter the values:

        • CloudAccountId1, CloudAccountId2, CloudAccountId3 (mandatory)

        • KmsDecryptArn1, KmsDecryptArn2, KmsDecryptArn3 (optional)

        • S3BucketArn1, S3BucketArn2, S3BucketArn3 (mandatory)

        • SnsTopicArn1, SnsTopicArn2, SnsTopicArn3 (optional)

      • Select Disabled to skip onboarding the organization to CDR.

      For more details, see Onboarding AWS Environments to Intelligence.

    • In Serverless:

      • Select Enabled (default) to enable Serverless Runtime Protection.

      • Select Disabled to disable Serverless Runtime Protection.

      For more details, see AWS Serverless Function Runtime Protection.

    • In ExternalId - Copy the value from the CloudGuard wizard.

    • In UseAwsReadOnlyPolicy - Set Disable if you prefer not to grant redundant permissions.

    The updated values of AWP and Serverless Runtime Protection apply only to the newly onboarded accounts in the organization. Already onboarded accounts stay with their initial settings.

    Caution - Do not change the values of the RoleName and ExternalId parameters.

  6. Click Next.

  7. On the Review page, examine all the parameters and click Submit.

  8. Go to the Stack instances tab to examine the added stack.

  9. In the CloudGuard portal, navigate to Assets > Environments. After approximately 15 minutes, this page shows the updated scope with new accounts.

Removing Organizational Units from StackSet

CloudGuard does not attempt to onboard again an account that was removed from the scope.

  1. In the AWS portal, sign in to your AWS account.

  2. In CloudFormation, navigate to StackSets and select the stackset used for onboarding the Organization.

  3. Click Actions and select Delete stacks from StackSet.

  4. On the Set deployment options page, select these options:

    1. Enter the OU ID below AWS OU ID. For this:

      1. Open a new browser tab and open AWS Organizations.

      2. In the AWS accounts page, below Organizations, in the Organizational structure, find the OU that you need to remove and copy its ID.

      3. Click Add another OU if needed.

    2. In the Specify regions section, select the suggested region.

    3. In the Deployment options section:

      • For Maximum concurrent accounts - optional, select Percentage and enter 100.

      • For Failure tolerance - optional, select Percentage and enter 100.

      • For Region concurrency, select Sequential.

    4. Click Next.

  5. On the Review page, examine all the parameters and click Submit.

  6. Go to the Stack instances tab to make sure that the stack is deleted.

  7. In the CloudGuard portal, navigate to Assets > Environments.

  8. To remove the accounts from CloudGuard, see Removing an Environment.
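The console steps above, as an added example that is not part of this page and not Check Point's or AWS's own code: a Python helper that deletes the stack instances of the given OUs through the CloudFormation API with the deployment options this page prescribes, waits for the StackSet operation to reach a terminal status, and then lists what is still deployed for those OUs rather than assuming the deletion succeeded. The stackset name, OU IDs and account numbers are constructed; the `FakeCloudFormation` class is a constructed stand-in for a boto3 client so the script runs offline, and a real boto3 client (assumed installed and configured for the StackSet's home region) is created only when no client is passed in. Removing the accounts from CloudGuard itself remains a separate step in the CloudGuard portal.

```python
"""Remove OUs from the CloudGuard onboarding StackSet and confirm their stacks are gone.

Hypothetical helper (not CloudGuard's or AWS's code). ``client`` is any object
with boto3-compatible delete_stack_instances, describe_stack_set_operation and
list_stack_instances methods; with None a boto3 client is created.
"""
import re
import time

OU_ID_RE = re.compile(r"^ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}$")   # AWS OU id format
OPERATION_PREFERENCES = {                                       # the page's deployment options
    "MaxConcurrentPercentage": 100,
    "FailureTolerancePercentage": 100,
    "RegionConcurrencyType": "SEQUENTIAL",
}
TERMINAL_STATUSES = {"SUCCEEDED", "FAILED", "STOPPED"}


def wait_for_operation(client, stackset_name, operation_id, poll_seconds=15, timeout=1800):
    """Poll until the StackSet operation reaches a terminal status; return that status."""
    deadline = time.monotonic() + timeout
    while True:
        status = client.describe_stack_set_operation(
            StackSetName=stackset_name, OperationId=operation_id)["StackSetOperation"]["Status"]
        if status in TERMINAL_STATUSES:
            return status
        if time.monotonic() > deadline:
            raise TimeoutError(f"operation {operation_id} still {status} after {timeout}s")
        time.sleep(poll_seconds)


def remaining_instances(client, stackset_name, ou_ids, region):
    """Stack instances still present for ou_ids in region, as (account, status) pairs."""
    left, token = [], None
    while True:
        request = {"StackSetName": stackset_name, "StackInstanceRegion": region}
        if token:
            request["NextToken"] = token
        page = client.list_stack_instances(**request)
        left += [(s["Account"], s["Status"]) for s in page.get("Summaries", [])
                 if s.get("OrganizationalUnitId") in ou_ids]
        token = page.get("NextToken")
        if not token:
            return left


def remove_ous(stackset_name, ou_ids, region, client=None, poll_seconds=15):
    """Delete the stacks of ou_ids in one region, wait, and verify; returns a summary dict."""
    ous = list(ou_ids)
    bad = [o for o in ous if not OU_ID_RE.match(o)]
    if bad:
        raise ValueError(f"not OU IDs (expected ou-xxxx-xxxxxxxx): {bad}")
    if client is None:
        import boto3  # assumed installed; only needed for a live call
        client = boto3.client("cloudformation")
    operation_id = client.delete_stack_instances(
        StackSetName=stackset_name,
        DeploymentTargets={"OrganizationalUnitIds": ous},
        Regions=[region],
        RetainStacks=False,   # "Delete stacks": remove the stacks, not only the stack instances
        OperationPreferences=OPERATION_PREFERENCES,
    )["OperationId"]
    status = wait_for_operation(client, stackset_name, operation_id, poll_seconds=poll_seconds)
    left = remaining_instances(client, stackset_name, set(ous), region)
    return {"operation_id": operation_id, "status": status, "remaining": left}


class FakeCloudFormation:
    """Constructed stand-in for the boto3 client: three constructed accounts in two
    OUs in eu-west-1; a delete operation reports SUCCEEDED on the second poll."""
    def __init__(self):
        self.instances = [
            {"Account": "111111111111", "Region": "eu-west-1", "Status": "CURRENT", "OrganizationalUnitId": "ou-ab12-34567890"},
            {"Account": "222222222222", "Region": "eu-west-1", "Status": "CURRENT", "OrganizationalUnitId": "ou-ab12-34567890"},
            {"Account": "333333333333", "Region": "eu-west-1", "Status": "CURRENT", "OrganizationalUnitId": "ou-cd34-98765432"},
        ]
        self.calls, self.polls, self.pending = [], 0, []

    def delete_stack_instances(self, **request):
        self.calls.append(("delete_stack_instances", request))
        targets = set(request["DeploymentTargets"]["OrganizationalUnitIds"])
        self.pending = [i for i in self.instances
                        if i["OrganizationalUnitId"] in targets and i["Region"] in request["Regions"]]
        return {"OperationId": "op-constructed-1"}

    def describe_stack_set_operation(self, **request):
        self.polls += 1
        if self.polls < 2:
            return {"StackSetOperation": {"Status": "RUNNING"}}
        self.instances = [i for i in self.instances if i not in self.pending]
        return {"StackSetOperation": {"Status": "SUCCEEDED"}}

    def list_stack_instances(self, **request):
        region = request.get("StackInstanceRegion")
        return {"Summaries": [i for i in self.instances if region in (None, i["Region"])]}


if __name__ == "__main__":
    print(remove_ous("cg-onboarding-stackset", ["ou-ab12-34567890"], "eu-west-1",
                     client=FakeCloudFormation(), poll_seconds=0))
```

A non-empty `remaining` list after a SUCCEEDED operation means some stack instances for the OU were not removed (for example, instances in another region) and should be examined on the Stack instances tab before the accounts are removed from CloudGuard.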

Changing Onboarded AWS Organizations

Managing Automatic Deployment

With automatic deployment, when an account is added to an OU, the stackset automatically deploys more stack instances to this account. When you remove an account from the OU, the stackset automatically deletes stack instances in this account.

  1. In the AWS portal, sign in to your AWS account.

  2. In CloudFormation, navigate to StackSets and select the stackset used for onboarding the Organization.

  3. Click Actions and select Edit automatic deployment.

  4. In the Edit automatic deployment window, select Activated to enable it or Deactivated to disable it.

  5. Select one of the options for account removal behavior (Delete stacks or Retain stacks).

  6. Click Save.

Changing Deployment Parameters for the Entire Organization

When you update an onboarded AWS Organization, it is necessary to change parameters in the Organization onboarding stackset. This update usually means that you enable, disable, or change the mode of one of the CloudGuard features.

  1. In the AWS portal, sign in to your AWS account.

  2. In CloudFormation, navigate to StackSets and select the stackset used for onboarding the Organization.

  3. Click Actions and select Edit StackSet details.

  4. On the Choose a template page, click Next.

  5. On the Specify Stackset details page, in the Parameters section, you can change the deployment parameters.

    Caution - Do not change the values of the RoleName and ExternalId parameters.

  6. Click Next.

  7. On the Configure StackSet options page, click Next.

  8. On the Set deployment options page, select these options:

    1. For Deployment targets, select Deploy to organizational units (OUs).

    2. Enter the onboarded OU ID below AWS OU ID.

    3. In the Specify regions section, select the suggested region.

    4. In the Deployment options section:

      • For Maximum concurrent accounts - optional, select Percentage and enter 100.

      • For Failure tolerance - optional, select Percentage and enter 100.

      • For Region concurrency, select Sequential.

    5. Click Next.

  9. On the Review page, examine all the parameters and click Submit.

The changes apply in CloudGuard after 15 minutes.
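The two procedures above ("Edit automatic deployment" and "Edit StackSet details"), as an added example that is not part of this page and not Check Point's or AWS's own code: a Python helper that updates the onboarding StackSet through the CloudFormation API. It keeps the current template, carries every parameter the StackSet already has forward with UsePreviousValue (so RoleName and ExternalId are never rewritten), rejects any attempt to change those two, and rolls a parameter change out to the onboarded OUs in one region with this page's deployment options. The stackset name, OU ID and parameter values are constructed; `FakeStackSetApi` is a constructed stand-in for a boto3 client so the script runs offline, and a real boto3 client (assumed installed and configured for the StackSet's home region) is created only when no client is passed in.

```python
"""Edit the CloudGuard onboarding StackSet: feature parameters for the whole
organization, and the automatic-deployment setting.

Hypothetical helper (not CloudGuard's or AWS's code). ``client`` is any object
with boto3-compatible describe_stack_set and update_stack_set methods.
"""

LOCKED_PARAMETERS = {"RoleName", "ExternalId"}   # the page says never to change these
ALLOWED_VALUES = {                                # documented choices for the feature switches
    "AwpMode": {"Disabled", "InAccount", "Saas"},
    "CDR": {"Enabled", "Disabled"},
    "Serverless": {"Enabled", "Disabled"},
}
OPERATION_PREFERENCES = {                         # the page's deployment options
    "MaxConcurrentPercentage": 100,
    "FailureTolerancePercentage": 100,
    "RegionConcurrencyType": "SEQUENTIAL",
}


def _client_or_default(client):
    if client is not None:
        return client
    import boto3  # assumed installed; only needed for a live call
    return boto3.client("cloudformation")


def carry_forward(client, stackset_name, changes):
    """Build the Parameters list for update_stack_set: changed keys get their new
    value, every other existing parameter keeps its previous value."""
    locked = LOCKED_PARAMETERS & set(changes)
    if locked:
        raise ValueError(f"refusing to change locked parameter(s): {sorted(locked)}")
    for key, value in changes.items():
        allowed = ALLOWED_VALUES.get(key)
        if allowed is not None and value not in allowed:
            raise ValueError(f"{key}={value!r}; documented values are {sorted(allowed)}")
    existing = client.describe_stack_set(StackSetName=stackset_name)["StackSet"].get("Parameters", [])
    unknown = set(changes) - {p["ParameterKey"] for p in existing}
    if unknown:
        raise ValueError(f"StackSet has no parameter(s) {sorted(unknown)}")
    params = []
    for p in existing:
        key = p["ParameterKey"]
        if key in changes:
            params.append({"ParameterKey": key, "ParameterValue": changes[key]})
        else:
            params.append({"ParameterKey": key, "UsePreviousValue": True})
    return params


def update_org_parameters(stackset_name, changes, ou_ids, region, client=None):
    """Change feature parameters for the whole organization and roll the update out
    to the onboarded OUs in one region. Returns the operation id."""
    client = _client_or_default(client)
    response = client.update_stack_set(
        StackSetName=stackset_name,
        UsePreviousTemplate=True,            # "Choose a template": keep the current one
        Parameters=carry_forward(client, stackset_name, changes),
        DeploymentTargets={"OrganizationalUnitIds": list(ou_ids)},
        Regions=[region],                    # one region, matching the Data Center
        OperationPreferences=OPERATION_PREFERENCES,
    )
    return response["OperationId"]


def set_auto_deployment(stackset_name, enabled, retain_stacks, client=None):
    """Activate or deactivate automatic deployment and pick the account-removal
    behaviour (Delete stacks = False, Retain stacks = True). Per the UpdateStackSet
    documentation, AutoDeployment must not be combined with DeploymentTargets or
    Regions, so this call changes nothing else."""
    client = _client_or_default(client)
    response = client.update_stack_set(
        StackSetName=stackset_name,
        UsePreviousTemplate=True,
        Parameters=carry_forward(client, stackset_name, {}),
        AutoDeployment={"Enabled": enabled, "RetainStacksOnAccountRemoval": retain_stacks},
    )
    return response["OperationId"]


class FakeStackSetApi:
    """Constructed stand-in for the boto3 client: one StackSet carrying the
    parameters this page lists (constructed values); records every update."""
    def __init__(self):
        self.parameters = [{"ParameterKey": k, "ParameterValue": v} for k, v in [
            ("RoleName", "constructed-role-name"), ("ExternalId", "constructed-external-id"),
            ("AwpMode", "InAccount"), ("CDR", "Disabled"), ("Serverless", "Enabled"),
            ("UseAwsReadOnlyPolicy", "Enable")]]
        self.calls = []

    def describe_stack_set(self, **request):
        return {"StackSet": {"StackSetName": request["StackSetName"], "Parameters": list(self.parameters)}}

    def update_stack_set(self, **request):
        self.calls.append(("update_stack_set", request))
        return {"OperationId": f"op-constructed-{len(self.calls)}"}


if __name__ == "__main__":
    api = FakeStackSetApi()
    print(update_org_parameters("cg-onboarding-stackset", {"AwpMode": "Saas"},
                                ["ou-ab12-34567890"], "us-east-1", client=api))
    print(set_auto_deployment("cg-onboarding-stackset", True, False, client=api), api.calls[-1][1])
```

Carrying every existing parameter forward with UsePreviousValue is what keeps an accidental "template default" from overwriting RoleName or ExternalId; the same applies when only the auto-deployment setting is toggled.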

Changing Deployment Parameters for Specific OUs

When you update an onboarded AWS Organization, it is necessary to change parameters in the Organization onboarding stackset. This procedure overrides parameters for specific OUs only; other OUs keep their initially configured parameters, and OUs that are onboarded in the future are not affected.

  1. In the AWS portal, sign in to your AWS account.

  2. In CloudFormation, navigate to StackSets and select the stackset used for onboarding the Organization.

  3. Click Actions and select Override StackSet details.

  4. On the Set deployment options page, select these options:

    1. Deploy new stacks (default).

    2. For Deployment targets, select Deploy to organizational units (OUs).

    3. Optional - to add one or more new OUs, enter the OU ID below AWS OU ID. For this:

      1. Open a new browser tab and open AWS Organizations.

      2. In the AWS accounts page, below Organizations, in the Organizational structure, find the OU that you need to add and copy its ID.

      3. Click Add another OU if needed.

    4. In the Specify regions section, select the suggested region.

    5. In the Deployment options section:

      • For Maximum concurrent accounts - optional, select Percentage and enter 100.

      • For Failure tolerance - optional, select Percentage and enter 100.

      • For Region concurrency, select Sequential.

    6. Click Next.

  5. On the Specify overrides page, in the Parameters section, change the deployment parameters.

    Caution - Do not change the values of the RoleName and ExternalId parameters.

  6. On the Review page, examine all the parameters and click Submit.

The changes apply in CloudGuard in 15 minutes.
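Both the "Adding Organizational Units to StackSet" procedure and the per-OU override procedure above come down to the same CloudFormation call, so here is one added example for both; it is not part of this page and not Check Point's or AWS's own code. The Python helper creates stack instances for the given OUs in exactly one region, refuses a region that matches no CloudGuard Data Center (per the Region Selection table on this page), refuses overrides of RoleName or ExternalId, checks the feature switches against the documented values, and requires CloudAccountId1 and S3BucketArn1 when CDR is set to Enabled, before sending the request with this page's deployment options. The stackset name, OU IDs and ARNs are constructed; `RecordingClient` is a constructed dry-run stand-in for a boto3 client so the script runs offline, and a real boto3 client (assumed installed and configured for the StackSet's home region) is created only when no client is passed in.

```python
"""Add OUs to the CloudGuard onboarding StackSet, optionally with parameter
overrides that apply to those OUs only.

Hypothetical helper (not CloudGuard's or AWS's code). ``client`` is any object
with a boto3-compatible create_stack_instances method.
"""
import re

DATA_CENTER_REGIONS = {                    # the Data Center table on this page
    "United States": "us-east-1", "Ireland": "eu-west-1", "India": "ap-south-1",
    "Singapore": "ap-southeast-1", "Australia": "ap-southeast-2", "Canada": "ca-central-1",
}
LOCKED_PARAMETERS = {"RoleName", "ExternalId"}   # the page says never to change these
ALLOWED_VALUES = {                                # documented choices on "Specify overrides"
    "AwpMode": {"Disabled", "InAccount", "Saas"},
    "CDR": {"Enabled", "Disabled"},
    "Serverless": {"Enabled", "Disabled"},
}
CDR_REQUIRED = ("CloudAccountId1", "S3BucketArn1")   # mandatory once CDR=Enabled
OPERATION_PREFERENCES = {                             # the page's deployment options
    "MaxConcurrentPercentage": 100,
    "FailureTolerancePercentage": 100,
    "RegionConcurrencyType": "SEQUENTIAL",
}
OU_ID_RE = re.compile(r"^ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}$")   # AWS OU id format


def parameter_overrides(overrides):
    """Validate a {key: value} dict and return it as a ParameterOverrides list."""
    locked = LOCKED_PARAMETERS & set(overrides)
    if locked:
        raise ValueError(f"refusing to override locked parameter(s): {sorted(locked)}")
    for key, value in overrides.items():
        allowed = ALLOWED_VALUES.get(key)
        if allowed is not None and value not in allowed:
            raise ValueError(f"{key}={value!r}; documented values are {sorted(allowed)}")
    if overrides.get("CDR") == "Enabled":
        missing = [k for k in CDR_REQUIRED if not overrides.get(k)]
        if missing:
            raise ValueError(f"CDR=Enabled requires {missing}")
    return [{"ParameterKey": k, "ParameterValue": v} for k, v in sorted(overrides.items())]


def add_ous(stackset_name, ou_ids, region, overrides=None, client=None):
    """Create stack instances for ou_ids in one region; returns the operation id."""
    if region not in DATA_CENTER_REGIONS.values():
        raise ValueError(f"{region} matches no CloudGuard Data Center")
    ous = list(ou_ids)
    bad = [o for o in ous if not OU_ID_RE.match(o)]
    if bad:
        raise ValueError(f"not OU IDs (expected ou-xxxx-xxxxxxxx): {bad}")
    request = {
        "StackSetName": stackset_name,
        "DeploymentTargets": {"OrganizationalUnitIds": ous},
        "Regions": [region],                     # one region, never "Add all regions"
        "OperationPreferences": OPERATION_PREFERENCES,
    }
    params = parameter_overrides(overrides or {})
    if params:
        request["ParameterOverrides"] = params   # applies only to these OUs' new stacks
    if client is None:
        import boto3  # assumed installed; only needed for a live call
        client = boto3.client("cloudformation")
    return client.create_stack_instances(**request)["OperationId"]


class RecordingClient:
    """Constructed dry-run client: records the request instead of calling AWS."""
    def __init__(self):
        self.requests = []

    def create_stack_instances(self, **request):
        self.requests.append(request)
        return {"OperationId": f"dry-run-{len(self.requests)}"}


if __name__ == "__main__":
    dry = RecordingClient()
    op = add_ous("cg-onboarding-stackset", ["ou-ab12-34567890"], "eu-west-1",
                 {"AwpMode": "Disabled", "Serverless": "Enabled"}, client=dry)
    print(op, dry.requests[0])
```

Running it first against `RecordingClient` and reviewing the recorded request is the equivalent of the Review page in the console; the same call with no client argument submits the operation, whose progress is then visible on the Stack instances tab.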

Region Selection

Region selection is relevant only for organizations onboarded with AWP or Serverless Runtime Protection; it does not apply to organizations onboarded with CSPM only.

When you onboard an organization with enabled AWP or Serverless Runtime Protection, make sure to specify the AWS region that matches the Data Center of your CloudGuard account (appears in Settings > Account > Account Info > Data Center).

See available CloudGuard Data Centers and their corresponding AWS regions in the table below.

Data Center      Region
United States    us-east-1
Ireland          eu-west-1
India            ap-south-1
Singapore        ap-southeast-1
Australia        ap-southeast-2
Canada           ca-central-1