Onboard an AWS Environment
The onboarding process adds all regions and Security Groups in the AWS account to the CloudGuard portal and enables you to manage the AWS Security Groups from CloudGuard.
This step is a prerequisite to managing CloudGuard regions, security groups, and instances.
CloudGuard Operational Modes for AWS Accounts
CloudGuard has two operation modes for managing AWS accounts. The process of onboarding your environment to CloudGuard varies according to the operational mode you want to use.
Monitor (also referred to as Read-Only) - in this mode you can monitor and visualize your accounts in CloudGuard, run compliance tests on them, and receive alerts, notifications and reports of activities and changes to cloud entities, but you cannot actively manage them from CloudGuard.
Full-Protection - in this mode you have all the capabilities of Monitor mode and, in addition, you can use CloudGuard to actively enforce access and tamper protection on your assets, manage your Security Groups, and control direct access to your cloud assets. Because CloudGuard makes changes in your account in this mode, the IAM permissions you grant it are broader than for Monitor mode.
See AWS Security Group Management Considerations for more details on operation mode considerations.
You can change the operational mode for an account once it has been onboarded to CloudGuard.
Notes before starting
Before beginning this procedure, decide which operation mode you wish to use for the account. See AWS Security Group Management Considerations.
You can choose an operation mode for each account separately, so some can be Monitor (Read-Only), while others are Full-Protection.
If you use Monitor mode for an account, all Security Groups in the account are Read-Only in CloudGuard (you can still manage them actively in the AWS console or another application). If you use Full-Protection mode for the account, you can choose to manage each Security Group separately as either Read-Only or Full-Protection.
At the end of the onboarding process, all Security Groups are initially Read-Only in CloudGuard, regardless of the operation mode for the account. You can then change individual Security Groups to Full-Protection (for accounts in Full-Protection mode); see Full Protection in CloudGuard for details.
The CloudGuard operation mode can be changed after your account has been onboarded.
For details about policies, see CloudGuard AWS Policies & Permissions.
For onboarding an AWS GovCloud account, see Onboard an AWS GovCloud or AWS China Environment.
You can onboard AWS accounts to CloudGuard in the following ways:
Using the CloudGuard web portal and AWS console - onboard a single AWS account following onscreen instructions, in CloudGuard and the AWS console.
Using automation scripts, from your AWS account - onboard an AWS account and, optionally, all child accounts, using scripts run with the AWS CLI.
Using Terraform and the Terraform CloudGuard Dome9 provider - onboard one or more AWS accounts with Terraform files (one for each account) and the CloudGuard Dome9 Provider.
Using the CloudGuard REST API - onboard one or more AWS accounts using the CloudGuard REST API. You must first create a CloudGuard account and obtain an API Key and Secret in the CloudGuard web portal.
Onboarding from the CloudGuard Portal
The onboarding procedure is done on the CloudGuard portal, with step-by-step instructions presented on-screen for two modes: Monitor and Full-Protection. In the course of this procedure, you have instructions to perform some actions on the AWS Console and some on the CloudGuard portal.
CloudGuard does not make changes to the permissions or role definitions in your AWS account; you perform these actions yourself when you follow the onscreen instructions.
1. In the CloudGuard portal, navigate to Assets > Environments, click Add New and select AWS Environment.
2. Select the mode, Monitor or Full-Protection.
3. Prepare the IAM Policy in your AWS account, granting CloudGuard the permissions it needs to read information about resources in your account. The policy details are different for Monitor and Full-Protection onboarding.
4. Create an IAM Role in your AWS account, to be used by CloudGuard to access your environment, and attach the IAM policy defined in the previous step to it. The on-screen instructions give you the details of the CloudGuard AWS account that will assume this role; you enter them when defining the role's trust relationship, so that only that account can assume the role.
5. Optionally, select the Organizational Units in CloudGuard with which the onboarded environment is associated. These associations can be modified later, from the Organizational Units page in the Assets menu.
6. Click Finish. The onboarding process starts. It can take a few minutes, depending on the number of entities in your environment.
The CloudGuard readonly-policy is used by CloudGuard, in both operation modes, to read information from your AWS account. This information is used by all CloudGuard functions: Posture Management, Network Security, etc.
Best Practice - Check Point recommends using the latest version of the readonly-policy, which you can download from https://github.com/dome9/policies.
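The role created in step 4 is a cross-account trust: whoever can assume it gets every permission in the attached CloudGuard policy. The following added example (not Check Point's code, and not part of this page's procedure) builds the trust policy document for that role and audits it for the properties a reviewer should insist on: a single trusted account, only sts:AssumeRole, and an sts:ExternalId condition so that a third party cannot trick CloudGuard into assuming your role on their behalf. The account ID and External ID are constructed placeholders; the real values are the ones the portal shows you on-screen, and the assumption that the portal supplies an External ID should be checked against your onboarding screen. The role name is also an assumption.

```python
"""Build and audit the IAM trust policy for the CloudGuard cross-account role.

Added example; not Check Point's code. Values below are constructed placeholders.
"""
import json

# Assumption: placeholders standing in for the values shown on the CloudGuard screen.
CLOUDGUARD_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "11111111-2222-3333-4444-555555555555"
ROLE_NAME = "CloudGuard-Connect"  # assumption: any role name you choose


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy that lets exactly one account assume the role, and only
    when it presents the agreed External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _account_of(principal_arn: str):
    """Account ID field of an IAM ARN, or None for '*' and malformed values."""
    parts = principal_arn.split(":")
    return parts[4] if len(parts) >= 6 else None


def audit_trust_policy(policy: dict, expected_account_id: str) -> list:
    """Return findings for an existing trust policy; an empty list means it is
    scoped the way the onboarding step intends."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        extra = [a for a in actions if a != "sts:AssumeRole"]
        if extra:
            findings.append(f"unexpected action(s) in trust policy: {extra}")
        principal = stmt.get("Principal", {})
        aws_principals = principal.get("AWS") if isinstance(principal, dict) else principal
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        for p in aws_principals or []:
            if _account_of(p) != expected_account_id:
                findings.append(f"principal not limited to the CloudGuard account: {p}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in condition:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
    return findings


if __name__ == "__main__":
    trust = build_trust_policy(CLOUDGUARD_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(trust, indent=2))
    print("findings:", audit_trust_policy(trust, CLOUDGUARD_ACCOUNT_ID))
    # Save the output as trust.json, then create the role and attach the
    # CloudGuard policy you prepared in step 3, for example:
    #   aws iam create-role --role-name CloudGuard-Connect \
    #       --assume-role-policy-document file://trust.json
```

Run the audit against the role's live trust document (`aws iam get-role` returns it under AssumeRolePolicyDocument) after onboarding, and again whenever the role is touched; a wildcard principal or a missing External ID condition is the kind of drift that turns a monitoring integration into an open door.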
Onboard Using Automation Scripts
Use this open-source set of scripts to onboard accounts to CloudGuard from the AWS CLI: https://github.com/dome9/onboarding-scripts/tree/master/AWS/full_automation.
These scripts create a CloudFormation (CFT) stack that creates the IAM policies required by CloudGuard, and then onboard the AWS accounts to CloudGuard. If your AWS accounts are organized in an AWS Organization, you can onboard the whole organization; the script discovers the individual member accounts automatically.
Onboard Using Terraform
You can use the Check Point CloudGuard Dome9 Terraform provider to onboard and update AWS accounts in CloudGuard. This involves preparing a Terraform file for each AWS account.
Onboard Using the CloudGuard REST API
You can onboard one or more AWS accounts to CloudGuard using the CloudGuard REST API. This requires an API Key and Secret for a CloudGuard account.
See the CloudGuard REST API reference site, Dome9 API V2, and Onboard an AWS account to CloudGuard using the REST API for more details and examples.
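As an added example (not Check Point's code and not taken from this page), the script below shows the shape of a role-based onboarding call against the CloudGuard REST API: HTTP Basic authentication with the API Key and Secret, and a JSON body carrying the role ARN and the External ID from the role's trust policy. The endpoint path and field names (`POST /v2/CloudAccounts`, `credentials.arn`, `credentials.secret`, `credentials.type = "RoleBased"`, `fullProtection`) are assumptions based on the Dome9 API V2 reference and must be checked against the current reference before use; the role ARN and External ID are constructed placeholders. The request is built separately from the function that sends it, so it can be inspected (and tested) without touching the network, and credentials are read from the environment rather than written into the script.

```python
"""Onboard an AWS account to CloudGuard over the REST API.

Added example; not Check Point's code. Endpoint and field names are assumptions
to be verified against the Dome9 API V2 reference.
"""
import base64
import json
import os
import urllib.request

# Assumption: API v2 base URL and CloudAccounts path as documented in the Dome9 API V2 reference.
API_URL = "https://api.dome9.com/v2/CloudAccounts"


def build_onboard_request(api_key: str, api_secret: str, account_name: str,
                          role_arn: str, external_id: str,
                          full_protection: bool = False):
    """Return (url, headers, body) for a role-based onboarding call.

    Nothing is sent; callers can log or assert on the result first."""
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {token}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    body = {
        "name": account_name,
        "credentials": {
            "arn": role_arn,
            # The External ID you set in the role's trust policy condition.
            "secret": external_id,
            "type": "RoleBased",   # assumption: API value for IAM-role credentials
        },
        # False onboards in Monitor mode; True requests Full-Protection.
        "fullProtection": full_protection,
    }
    return API_URL, headers, body


def onboard(account_name: str, role_arn: str, external_id: str,
            full_protection: bool = False, opener=urllib.request.urlopen) -> dict:
    """Send the onboarding request. Credentials come from the environment so they
    are never committed with the script. `opener` is injectable for testing."""
    api_key = os.environ["CLOUDGUARD_API_KEY"]        # assumption: variable names are ours
    api_secret = os.environ["CLOUDGUARD_API_SECRET"]
    url, headers, body = build_onboard_request(
        api_key, api_secret, account_name, role_arn, external_id, full_protection)
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with opener(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Constructed placeholder values; replace with the role created during onboarding.
    url, headers, body = build_onboard_request(
        "example-key", "example-secret", "prod-account",
        "arn:aws:iam::123456789012:role/CloudGuard-Connect",
        "11111111-2222-3333-4444-555555555555")
    print("POST", url)
    print(json.dumps(body, indent=2))
```

Keep the API Secret out of shell history and CI logs in the same way you would an AWS secret key: the Basic header is only base64, not encryption, and anyone who reads it can onboard or remove accounts in your CloudGuard tenant.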