Onboard an AWS Environment

The onboarding process adds all regions and Security Groups in the AWS account to the CloudGuard portal and enables you to manage the AWS Security Groups from CloudGuard.

This is an essential and prerequisite step to managing CloudGuard regions, security groups, and instances.

CloudGuard Operational Modes for AWS Accounts

CloudGuard has two operation modes for managing AWS accounts. The process of onboarding your environment to CloudGuard varies according to the operational mode you want to use.

  • Monitor (Read-Only) - in this mode you can monitor and visualize your accounts in CloudGuard, run compliance tests on them, and receive alerts, notifications and reports of activities and changes to cloud entities, but you cannot actively manage them from CloudGuard.

  • Full-Protection - in this mode you have all the capabilities of Monitor (Read-Only) mode but, in addition, you can use CloudGuard to actively enforce access and tamper protection on your assets, manage your Security Groups, and control direct access to your cloud assets.

See AWS Security Group Management Considerations for more details on operation mode considerations.

You can change the operational mode for an account once it has been onboarded to CloudGuard.

Notes before starting

Before beginning this procedure, decide which operation mode you wish to use for the account. See AWS Security Group Management Considerations.

  • You can choose an operation mode for each account separately, so some can be Read-Only, while others are Full-Protection.

  • If you use the Read-Only mode for an account, all Security Groups in the account will be Read-Only in CloudGuard (you can actively manage them in the AWS console or some other application). However, if you use the Full-Protection mode for the account, you can choose to manage each Security Group separately as either Read-Only or Full-Protection.

  • At the end of the onboarding process, all Security Groups are initially in Read-Only mode in CloudGuard, regardless of the operation mode for the account. You can then change individual Security Groups to Full-Protection (for accounts in Full-Protection mode); see Full Protection in CloudGuard for details.

  • The CloudGuard operation mode can be changed after your account has been onboarded.

For details about policies, see CloudGuard AWS Policies & Permissions.

To onboard an AWS GovCloud or AWS China account, see Onboard an AWS GovCloud or AWS China Environment.

Onboarding options

You can onboard AWS accounts to CloudGuard in the following ways:

  • Using the CloudGuard web portal and AWS console - onboard a single AWS account following onscreen instructions, in CloudGuard and the AWS console.

  • Using automation batch scripts, from your AWS account - onboard an AWS account and, optionally, all child accounts, using scripts run from the AWS command line.

  • Using Terraform and the Terraform CloudGuard Dome9 provider - onboard one or more AWS accounts with Terraform files (one for each account) and the CloudGuard Dome9 Provider.

  • Using the CloudGuard REST API - onboard one or more AWS accounts using the CloudGuard REST API. You must first create a CloudGuard account and obtain an API Key and Secret in the CloudGuard web portal.

Onboarding from the CloudGuard Portal

The onboarding procedure is done on the CloudGuard portal, with step-by-step instructions presented on-screen for the two modes, Monitor and Full-Protection. In the course of this procedure, you are instructed to perform some actions on the AWS Console and some on the CloudGuard portal.

CloudGuard does not make changes to the permissions or role definitions in your AWS account; you perform these actions yourself when following the onscreen instructions.

Onboard Using Automation Scripts

Use this open-source set of scripts to onboard accounts to CloudGuard from your AWS CLI: https://github.com/dome9/onboarding-scripts/tree/master/AWS/full_automation.

These scripts create a CloudFormation (CFT) stack that creates the IAM policies required by CloudGuard, and then onboard the AWS accounts to CloudGuard. If your AWS accounts are organized as an AWS Organization, you can onboard the organization (the individual organization member accounts are discovered automatically by the script).

Onboard Using Terraform

You can use the Check Point CloudGuard Dome9 Terraform provider to onboard and update AWS accounts in CloudGuard. This involves preparing Terraform files for your AWS accounts. For details, see:

  • https://www.terraform.io/docs/providers/dome9/index.html

  • https://github.com/terraform-providers/terraform-provider-dome9

  • Use CloudGuard Dome9 as a Terraform Provider

Onboard Using the CloudGuard REST API

You can onboard one or more AWS accounts to CloudGuard using the CloudGuard REST API. This requires an API Key and Secret for a CloudGuard account.

See the CloudGuard REST API reference site, Dome9 API V2, and Onboard an AWS account to CloudGuard using the REST API for more details and examples.
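As an added example, not taken from the CloudGuard documentation or from Check Point's own tooling, the following Python builds and sends the onboarding call for one AWS account with role-based credentials, choosing Monitor or Full-Protection mode via the fullProtection flag. The CloudAccounts endpoint path and the field names (credentials.arn, credentials.secret, credentials.type, fullProtection) are assumed from the Dome9 API v2 CloudAccounts model; verify them against the reference site before use.

```python
import base64
import json
import re
from urllib import request

# CloudGuard (Dome9) REST API v2 base URL; the CloudAccounts path is assumed
# from the API v2 reference and should be verified there.
API_BASE = "https://api.dome9.com/v2"
# Standard-partition IAM role ARN; GovCloud and China roles use other
# partitions and are onboarded separately, as noted above.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def build_onboard_payload(name, role_arn, external_id, full_protection=False):
    """Body for POST /v2/CloudAccounts with role-based credentials.

    full_protection=False onboards in Monitor (Read-Only) mode, True in
    Full-Protection; Security Groups still start as Read-Only either way.
    Field names (credentials.arn/secret/type, fullProtection) are assumed
    from the API v2 CloudAccounts model.
    """
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    if not external_id or len(external_id) < 8:
        # The external ID is the shared secret CloudGuard presents when it
        # assumes the role; an empty or trivial value defeats its purpose.
        raise ValueError("external_id must be a non-trivial secret string")
    return {
        "name": name,
        "credentials": {"arn": role_arn, "secret": external_id, "type": "RoleBased"},
        "fullProtection": bool(full_protection),
    }


def make_onboard_request(api_key, api_secret, payload):
    """Authenticated POST; the CloudGuard API key and secret go in HTTP Basic auth."""
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    req = request.Request(f"{API_BASE}/CloudAccounts",
                          data=json.dumps(payload).encode(), method="POST")
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    return req


def onboard_aws_account(api_key, api_secret, payload):
    """Send the request and return the CloudAccount object CloudGuard creates."""
    with request.urlopen(make_onboard_request(api_key, api_secret, payload)) as resp:
        return json.load(resp)
```

The role ARN and external ID are the values you created in the AWS console during the portal procedure; the same external ID must be set as the sts:ExternalId condition on the role's trust policy.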