Manual Onboarding of AWS Environments
This topic describes how to onboard an AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. environment with the legacy onboarding experience. For the new experience, with the Unified onboarding procedure, see Unified Onboarding of AWS Environments.
The onboarding procedure adds all regions, Security Groups, and assets in the AWS account to the CloudGuard portal. It enables you to manage the AWS Security Groups from CloudGuard.
This is a must and prerequisite step to managing CloudGuard regions, security groups, and assets.
CloudGuard Operation Modes for AWS Accounts
CloudGuard has two operation modes to manage AWS accounts. The procedure of onboarding your environment to CloudGuard varies based on the operation mode you select.
Monitor - Monitor and visualize your accounts in CloudGuard, run compliance tests on them, and receive alerts, notifications, and reports of activities and changes to cloud entities, but you cannot actively manage them from CloudGuard.
Full-Protection - Contains all the capabilities of the Monitor mode. Use CloudGuard to enforce access and tamper protection on your assets, manage your Security Groups, and control access to your cloud assets.
See AWS Security Group Management Considerations for more details on operation mode considerations.
You can change the operation mode for an environment after it is onboarded to CloudGuard.
Notes Before Starting
Select the operation mode for the account. See AWS Security Group Management Considerations.
You can select an operation mode for each account separately, so some can be Read-Only, while others are Full-Protection.
If you use the Read-Only mode for an account, then all Security Groups in the account become Read-Only in CloudGuard (you can actively manage them in the AWS console or some other application). But if you use the Full-Protection mode for the account, you can choose to manage each Security Group A set of access control rules that acts as a virtual firewall for your virtual machine instances to control incoming and outgoing traffic. separately as Read-Only or Full-Protection.
At the end of the onboarding procedure, all Security groups are set to Read-Only mode in CloudGuard, regardless of the operation mode for the account. You can then change individual Security Groups to Full-Protection (for accounts in Full-Protection); see Full Protection in CloudGuard for details.
The CloudGuard operation mode (Monitor or Full Protection) can be changed after your account has been onboarded.
For details about policies, see CloudGuard AWS Policies and Permissions.
For onboarding an AWS GovCloud account, see Manual Onboarding of AWS GovCloud or AWS China Environments.
You can onboard AWS accounts to CloudGuard in these ways:
Using the CloudGuard web portal and AWS console - Onboard one AWS account following on-screen instructions, in CloudGuard portal and the AWS console.
Using automation batch scripts, from your AWS account - Onboard an AWS account and, optionally, all child accounts, using scripts run from the AWS command line.
Using Terraform and the Terraform CloudGuard Dome9 provider - Onboard one or more AWS accounts with Terraform An infrastructure as code tool that lets you define both cloud and on-prem resources in human-readable configuration files that you can version, reuse, and share. files (one for each account) and the CloudGuard Dome9 Provider.
Using the CloudGuard REST API - Onboard one or more AWS accounts with the CloudGuard REST API. You must first create a CloudGuard account and get an API Key and Secret in the CloudGuard web portal.
Onboarding from the CloudGuard Portal
The onboarding procedure is done on the CloudGuard portal, with step-by-step instructions presented on-screen for two modes: Monitor and Full-Protection. In the course of this procedure, you have instructions to perform some actions on the AWS Console and some on the CloudGuard portal.
CloudGuard does not make changes to the permissions or roles definitions in your AWS account. The actions you perform when you follow the on-screen instructions.
To onboard an AWS account:
In the CloudGuard portal, navigate to Assets > Environments, click Add New and select AWS Environment. The onboarding wizard with the new method of onboarding opens.
On the top of the screen, read the note and click Switch to the manual onboarding.
The onboarding wizard with the legacy onboarding procedure opens.
Select the mode, Monitor or Full-Protection.
In your AWS account, prepare the IAM Identity and Access Management (IAM) - A web service that customers can use to manage users and user permissions within their organizations. Policy that grants appropriate permissions to CloudGuard to access your AWS account for information about resources. The policy details are different for Read-Only and Full-Protection onboarding.
In your AWS account, create an IAM Role that CloudGuard has to use to access your environment (together with the IAM permissions defined in Step 4). It is necessary to provide details for this role of the CloudGuard AWS account, which uses the role.
Optionally, select the Organizational Units in CloudGuard with which the onboarded environment is associated. These associations can always be changed, from the Organizational Units page in the Assets menu.
Click Finish. The onboarding procedure starts. It can take a few minutes, based on the number of entities in your environment.
Using the CloudGuard Latest Policies
CloudGuard uses the readonly-policy to access information from your AWS account, for two operation modes. All CloudGuard functions, such as Posture Management, Network Security, and others, use this information.
Best Practice - Check Point recommends to use the latest version of the readonly-policy, which you can download from https://github.com/dome9/policies.
Additional Onboarding Methods
Onboard Using Automation Scripts
Use this open-source set of scripts to onboard accounts to CloudGuard from your AWS CLI https://github.com/dome9/onboarding-scripts/tree/master/AWS/full_automation.
These scripts create a CFT stack that creates the IAM policies required by CloudGuard, and then onboard the AWS accounts to CloudGuard. If your AWS accounts are organized as an AWS Organization, you can onboard the organization. The script automatically discovers the individual organization member accounts.
Onboard Using the CloudGuard REST API
You can onboard one or more AWS accounts to CloudGuard with the CloudGuard REST API Also known as RESTful API - an application programming interface (API or web API) that conforms to the constraints of REST architectural style and allows for interaction with RESTful web services.. This requires an API Key and Secret for a CloudGuard account.
See the CloudGuard REST API reference guide and Onboard an AWS account to CloudGuard using the REST API for more details and examples.