Onboarding of AWS Organizations

This topic describes how to onboard an AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. organization automatically. For other onboarding methods, see Onboarding AWS Environments.

Prerequisites

Before onboarding your AWS Organization, make sure:

  • You have Administrator permissions to create and manage resources in this Organization.

How it Works

After you onboard an AWS Organization to CloudGuard, every new AWS account added to the Organization is automatically onboarded to CloudGuard.

In general, after onboarding with the Unified procedure (Unified Onboarding of AWS Environments), the environment has a set of CloudGuard features (configuration) defined by the CloudFormation Template. Similarly, when you onboard an Organization, its configuration is defined by a CloudFormation Template which is used as a blueprint. Nonetheless, an AWS account added (onboarded) to the Organization acquires the configuration defined in the CFT and not the configuration currently existing in the Organization. To learn how you can onboard organizations with different configurations, see examples in Updating Onboarded AWS Organizations.

Onboarding

Your organization is onboarded to CloudGuard. When the process is done, CloudGuard redirects you to the Environments page that lists your onboarded environments. The new organization appears on the Assets > Organizational Units page under the root OU as its child, like the manually created CloudGuard OUs. All actions available for regular OUs (creating sub-OU, renaming, moving, and deletion) are available for the onboarded AWS organization.

You can change some of the configured parameters after the Organization onboarding is completed. For more information, see Updating Onboarded AWS Organizations.

Region Selection

Region selection is relevant for organizations onboarded with AWP or Serverless Runtime Protection and not with CSPM only.

When you onboard an organization with enabled AWP or Serverless Runtime Protection, make sure to specify the AWS region that matches the Data Center of your CloudGuard account (appears in Settings > Account > Account Info > Data Center).

See available CloudGuard Data Centers and their corresponding AWS regions in the table below.

Data Center

Region

United States

us-east-1

Ireland

eu-west-1

India

ap-south-1

Singapore

ap-southeast-1

Australia

ap-southeast-2

Canada

ca-central-1

Onboarding with API

To onboard AWS organizations with API, make these API calls and changes in your AWS account:

  1. Make the first call: GET - https://api.dome9.com/v2/aws-organization-management-onboarding/management-stack (Link).

  2. In AWS, create a management stack with the managementCftUrl field obtained from the response.

  3. Make the second call: GET - https://api.dome9.com/v2/aws-organization-management-onboarding/member-account-configuration (Link).

  4. In AWS, create a stackset with the content from the second API call.

  5. Make the third call: POST - https://api.dome9.com/v2/aws-organization-management (Link).

    Data:

    • secret - Use the externalId field from the first API call.

    • roleArn – Take from the management stack outputs.

  6. Make the forth call: PUT - https://api.dome9.com/v2/aws-organization-management/{id}/stackset-arn (Link)

    • Id - Use the ID that returns from the second call.

    • stackSetArn - Use the created stackset ARN from AWS.

Wait about one hour until all your AWS accounts are onboarded to CloudGuard.

More Links