Onboarding of AWS Organizations

This topic describes how to onboard an AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. organization automatically. For other onboarding methods, see Onboarding AWS Environments.

Prerequisites

Before onboarding your AWS Organization, make sure:

  • You have Administrator permissions to create and manage resources in this Organization.

How it Works

After you onboard an AWS Organization to CloudGuard, every new AWS account added to the Organization is automatically onboarded to CloudGuard.

In general, after onboarding with the Unified procedure (Unified Onboarding of AWS Environments), the environment has a set of CloudGuard features (configuration) defined by the CloudFormation Template. Similarly, when you onboard an Organization, its configuration is defined by a CloudFormation Template which is used as a blueprint. Nonetheless, an AWS account added (onboarded) to the Organization acquires the configuration defined in the CFT and not the configuration currently existing in the Organization. To learn how you can onboard organizations with different configurations, see examples in Updating Onboarded AWS Organizations.

Onboarding

  1. In the CloudGuard portal, navigate to Assets > Environments.

  2. For first-time onboarding, click Amazon Web Services.

    Or, if you already onboarded environment(s), from the top menu, select Add > AWS Environment.

  3. On the Welcome page, select to onboard an Organization.

  4. In the Management Account ID field, enter the ID of your AWS Management Account.

  5. Click Next.

On the second wizard page, you create a management account stack. Follow the on-screen instructions.

  1. Click CloudFormation Template to review all resources for CloudGuard to deploy on your management account. Optionally, you can click Download CFT to save the resource file on your local drive.

  2. Open a new browser tab, go to the AWS portal, and sign in to your AWS account.

  3. In the CloudGuard onboarding wizard, click Launch Stack.

    A new browser tab opens with the CloudFormation stack. CloudGuard automatically enters all required default parameters. Change the default AWP, Serverless, and CDR parameters as you need.

    Caution - If the management account is already onboarded to CloudGuard through unified onboarding, do not change the existing AWP, Serverless, and CDR parameters in the stack, otherwise the Organization onboarding fails. To change the parameters, see Updating Onboarded AWS Organizations.

  4. Below Capabilities, read the explanation and select the I acknowledge... option to accept. Click Create stack.

  5. AWS begins to create the stack. Wait until it creates the IAMClosed Identity and Access Management (IAM) - A web service that customers can use to manage users and user permissions within their organizations. role (CrossAccountRole) and the stack status becomes Create_Complete.

  6. Enter the stack details in the CloudGuard wizard:

  7. Click Next.

On the third wizard page, you create a stackset for member accounts.

In AWS console:

  1. Open CloudFormation, navigate to StackSets and click Create StackSet. Follow these five steps below:

      1. In the Permissions section, select Service-managed permissions.

      2. In the Prerequisite – Prepare template section, select Template is ready.

      3. In the Specify template section:

        • Select Upload a template file and upload the attached CloudFormation Template.

        • Or select Amazon S3 URL and paste the S3 address from the CloudGuard wizard to Amazon S3 URL.

      4. Click Next.

      1. Enter CloudGuardOnboarding for the StackSet name.

      2. Optionally, enter a StackSet description.

      3. In the Parameters section, select these values:

        • In AwpMode:

          • Select Disabled to disable AWP for all accounts in the organization.

          • Select InAccount (default) to enable AWP scanning within your account.

          • Select Saas to enable AWP scanning of your snapshots on CloudGuard's account.

          For more details, see Agentless Workload Posture.

        • In CDR:

          • Select Enabled to onboard the organization to CDR. You can select to onboard up to three S3 bucketsClosed A bucket is a container for objects stored in Amazon S3 (Amazon Simple Storage Service).. For this, enter the values:

            • CloudAccountId1, CloudAccountId2, CloudAccountId3 (mandatory)

            • KmsDecryptArn1, KmsDecryptArn2, KmsDecryptArn3 (optional)

            • S3BucketArn1, S3BucketArn2, S3BucketArn3 (mandatory). If the management account was previously onboarded to CDR, provide the same bucket that it used before.

            • SnsTopicArn1, SnsTopicArn2, SnsTopicArn3 (optional)

            Note - For the management account previously onboarded to CSPM and to CDR, you need to enable CDR manually to have it for the entire Organization. Follow the link at the end of the onboarding process.

          • Select Disabled to skip onboarding the organization to CDR.

          For more details, see Onboarding AWS Environments to Intelligence.

        • In Serverless:

          • Select Enabled (default) to enable Serverless Runtime Protection.

          • Select Disabled to disable Serverless Runtime Protection.

          For more details, see AWS Serverless Function Runtime Protection.

        • In ExternalId - Copy the value from the CloudGuard wizard.

        • In UseAwsReadOnlyPolicy - Set Disable if you prefer not to grant redundant permissions.

          Note - By default, using the ReadOnlyAccess policy is enabled, which allows you to receive permissions update requests less frequently. You can manually disable the policy at this stage in the UseAwsReadOnlyPolicy field if you prefer not to grant redundant permissions. For more information about policies, see Policies.

      4. Click Next.

    3. Click Next.

      1. In the Add stacks to stack set section, select Deploy new stacks.

      2. In the Deployment targets section, select one of two options.

        If you select Organizational units (OU), enter the OU ID in the AWS OU ID. To see this value, go to the organization page in AWS Organizations > AWS accounts and copy the ID value from the Organizational unit details section.

      3. In the Auto-deployment options section:

        • For Automatic deployment, select Enable.

        • For Account removal behavior, select Delete stacks.

      4. In the Specify regions section, select one region that matches your CloudGuard Data Center. For more information, see Region Selection.

        Important - Do not select Add all regions for this option.

      5. In the Deployment options section:

        • For Maximum concurrent accounts – optional, select Percentage and enter 100.

        • For Failure tolerance - optional, select Percentage and enter 100.

        • For Region concurrency, select Sequential.

      6. Click Next.

      1. Review all the details.

      2. Select the option I acknowledge that AWS CloudFormation might create IAM resources with custom names.

      3. Click Submit.

  2. AWS redirects you to the stackset page. On the StackSet info tab, find the StackSet ARN.

In the CloudGuard wizard:

  1. Paste the StackSet ARN in the wizard's field.

  2. Click Next.

On this page, you see the onboarding summary.

To onboard the management account, start the unified onboarding process. For more information, see Unified Onboarding of AWS Environments.

Your organization is onboarded to CloudGuard. When the process is done, CloudGuard redirects you to the Environments page that lists your onboarded environments. The new organization appears on the Assets > Organizational Units page under the root OU as its child, like the manually created CloudGuard OUs. All actions available for regular OUs (creating sub-OU, renaming, moving, and deletion) are available for the onboarded AWS organization.

You can change some of the configured parameters after the Organization onboarding is completed. For more information, see Updating Onboarded AWS Organizations.

Region Selection

Region selection is relevant for organizations onboarded with AWP or Serverless Runtime Protection and not with CSPM only.

When you onboard an organization with enabled AWP or Serverless Runtime Protection, make sure to specify the AWS region that matches the Data Center of your CloudGuard account (appears in Settings > Account > Account Info > Data Center).

See available CloudGuard Data Centers and their corresponding AWS regions in the table below.

Data Center

Region

United States

us-east-1

Ireland

eu-west-1

India

ap-south-1

Australia

ap-southeast-2

Canada

ca-central-1

Onboarding with API

To onboard AWS organizations with API, make these API calls and changes in your AWS account:

  1. Make the first call: GET - https://api.dome9.com/v2/aws-organization-management-onboarding/management-stack (Link).

  2. In AWS, create a management stack with the managementCftUrl field obtained from the response.

  3. Make the second call: GET - https://api.dome9.com/v2/aws-organization-management-onboarding/member-account-configuration (Link).

  4. In AWS, create a stackset with the content from the second API call.

  5. Make the third call: POST - https://api.dome9.com/v2/aws-organization-management (Link).

    Data:

    • secret - Use the externalId field from the first API call.

    • roleArn – Take from the management stack outputs.

  6. Make the forth call: PUT - https://api.dome9.com/v2/aws-organization-management/{id}/stackset-arn (Link)

    • Id - Use the ID that returns from the second call.

    • stackSetArn - Use the created stackset ARN from AWS.

Wait about one hour until all your AWS accounts are onboarded to CloudGuard.

More Links