AWS
1. About this document
This document describes the step-by-step procedure for onboarding AWS accounts in SAFE. Once you configure and confirm an AWS account, SAFE automatically discovers and onboards the assets in that account.
2. Add AWS Accounts
SAFE allows users to add "Individual Account" and "Member Account."
2.1. Add Individual Account
You can onboard an Individual AWS Account in SAFE via the Role method.
A SAFE admin can add an AWS account by following these steps:
Navigate to Integrations in the left navigation.
Click the AWS card.
Click the Add Account button.
(Optional) If required, set the expiry date for the link as follows:
Mark the checkbox to Set the expiry date and time for the generated link.
Enter or select the expiry date and time from the calendar.
Click the Generate button.
The system generates a CloudFormation stack link. Click the redirect icon next to the link, or copy and paste the link into a browser; either way, the link opens the AWS console.
If asked by the system, log in to your AWS account.
The system displays a pre-filled Quick create stack page.
(Optional) If necessary, add the Permission Boundary ARN. SAFE supports a Permission Boundary ARN so that the permission boundary is attached to the IAM role created as part of the stack.
Mark the checkbox to acknowledge that AWS CloudFormation might create IAM resources with custom names.
Note
The CloudFormation template creates an IAM role and assigns read-only privileges to it. This access privilege is then used by SAFE during the automated/on-demand assessment of all supported services available under that cloud account.
Click the Create stack button. The system might take a few minutes to create the stack, usually 3 to 5 minutes.
SAFE auto-discovers your AWS account and displays it under AWS Configuration > Unconfirmed Accounts.
Important
If your organization has multiple AWS accounts managed centrally under an AWS organization, you can instead use the Member Account option in SAFE. Refer to Add AWS member account.
You need to confirm the added unconfirmed accounts to complete the onboarding process.
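Before confirming an account, a defender will want to verify that the role the stack created trusts only SAFE's TrustedRoleArn, requires the ExternalID, and carries read-only policies. The following Python is an added example, not SAFE's template or code; it assumes the stack's trust policy follows the standard cross-account pattern (sts:AssumeRole from TrustedRoleArn conditioned on sts:ExternalId), and every ARN and ID in it is a constructed placeholder. Feed it the AssumeRolePolicyDocument from `aws iam get-role` and the ARNs from `aws iam list-attached-role-policies`.

```python
"""Checks for the IAM role created by an onboarding stack (added example).
Assumption: the role trusts TrustedRoleArn with an sts:ExternalId condition
equal to the ExternalID parameter and attaches only read-only policies."""
import json

# Constructed sample of an AssumeRolePolicyDocument; placeholder account/role.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/safe-scanner"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
})

# AWS managed policies that grant read-only access (extend for your account).
READ_ONLY_POLICIES = {
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "arn:aws:iam::aws:policy/SecurityAudit",
}


def check_trust_policy(doc_json, trusted_role_arn, external_id):
    """Return a list of problems; an empty list means the trust policy is as expected."""
    problems = []
    for stmt in json.loads(doc_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Principal may be "*", {"AWS": "arn"} or {"AWS": ["arn", ...]}.
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if isinstance(aws, str):
            aws = [aws]
        for p in aws:
            if p != trusted_role_arn:          # catches "*" and foreign accounts
                problems.append(f"unexpected principal {p}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            problems.append("missing or wrong sts:ExternalId condition")
    return problems


def check_attached_policies(attached_arns):
    """Return attached managed-policy ARNs that are not known read-only policies."""
    return [arn for arn in attached_arns if arn not in READ_ONLY_POLICIES]
```

A non-empty result from either function means the stack did not produce the least-privilege role the Note above describes, and the account should not be confirmed until that is understood.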
2.2. Add AWS Member Accounts
Info
Onboarding and assessing AWS Member Accounts through the AWS Management Account is possible using the StackSets feature of CloudFormation. StackSets lets the AWS Admin or Delegated Admin deploy CloudFormation stacks to multiple accounts from the Management Account.
To add AWS Member accounts:
Section 1: Steps to be performed on SAFE UI
Navigate to Integrations in the left navigation.
Click the AWS card.
Click the Add Account button.
Click the Member Account tab.
(Optional) If necessary, set the expiry by marking the checkbox and selecting a date of expiry.
Click the Generate button to generate the AWS StackSet parameters. The system automatically generates the AWS onboarding link.
Click the redirect icon available for the generated link. The system will redirect you to the AWS console. You can also copy and paste the link into a browser.
Section 2: Steps to be performed on AWS Console
On the AWS console, a page titled "Choose a template" opens. On the Choose a template page:
In the Prerequisite - Prepare template section, select the option Template is Ready.
In the Specify template section, under the Template source, select the Amazon S3 URL.
Copy the Template URL from SAFE and paste it into the Amazon S3 URL field.
Click Next.
In Specify StackSet details:
Specify an appropriate StackSet name and relevant StackSet description in the respective fields.
In Parameters:
Copy the ExternalID from SAFE and paste it into the respective field.
Copy the NotificationTopicArn from SAFE and paste it into the respective field.
Copy the TenantID from SAFE and paste it into the respective field.
Copy the TrustedRoleArn from SAFE and paste it into the respective field.
Click Next.
In Configure StackSet section:
Configure tags, if needed, in Tags.
In Permissions, choose one of the two types of permissions shown:
(RECOMMENDED) Service-managed permissions - With these permissions, you can deploy stack instances to accounts managed by AWS Organizations in specific Regions. You don't need to create the necessary IAM roles; StackSets creates them on your behalf. If a new account is added under the Management account in the future, it is auto-discovered in SAFE, provided Automatic deployment is Enabled in the Set deployment targets section.
Self-managed permissions - With these permissions, you can deploy stack instances to specific AWS accounts in specific Regions. You must first create the necessary IAM roles to establish a trust relationship between the account you administer the StackSet from and the accounts you deploy stack instances to.
Note: If you want "per-account" control over the stack set (for example, deleting the stack in a single account after deployment), choose Self-managed permissions. With Service-managed permissions, actions such as delete can only be performed at the OU level. Self-managed permissions therefore offer more granular control, at the cost of higher maintenance effort than Service-managed permissions.
Click Next.
In the Set deployment section:
In Deployment Targets:
Choose one of the two options shown:
If you want to deploy the stack to all accounts under the Management Account, choose Deploy to organization.
If you want to onboard only a subset of your OUs, choose Deploy to organizational units (OUs).
Choose the appropriate options for Automatic deployment and Account removal behavior.
In Specify regions, select the region shown under Specified Regions in SAFE.
In Deployment options, specify values for Maximum concurrent accounts and Failure tolerance, if needed. Note: If Failure tolerance is set to a small value, stack creation failing in that many accounts will stop the entire StackSet deployment.
Click Next.
Review the options and deploy the stack sets by clicking Submit.
Once deployed, StackSets can be viewed from AWS Console > CloudFormation > StackSets.
To view individual stacks, click on the StackSet Name > Stack Instances.
Note
If any of the AWS Member accounts was already onboarded individually in SAFE by creating a stack using the Quick create link (from the Assume Role section of the Add Account page), and you then deploy another stack in the same account using StackSets from the Management Account, stack creation fails for that Member account because a stack already exists there. The admin should delete the individual stack before deploying a StackSet to the OU containing that Member account.
3. Manage AWS Accounts
All the onboarded AWS accounts will be available on the AWS Account Management Page.
Unconfirmed Accounts: Upon successful configuration of the AWS account, the system auto-discovers the AWS account and displays it under Unconfirmed accounts.
Confirmed Accounts: Users need to confirm the AWS accounts listed under Unconfirmed Accounts before they can be scanned. Once the user confirms an account, it is displayed under the Confirmed tab.
3.1. View AWS Account
To view the onboarded AWS account:
Navigate to Integrations.
Click the AWS card.
The system displays a list of all the Confirmed accounts on the page.
Click the Unconfirmed tab to view the list of Unconfirmed accounts.
3.2. Confirm AWS Account
Upon onboarding, SAFE auto-discovers your AWS account and displays it under AWS Configuration > Unconfirmed Accounts. Users need to confirm the added Unconfirmed accounts to complete the onboarding process.
To confirm:
Go to the Unconfirmed Accounts tab on the AWS Account Management page.
Click the Confirm button available in the Manage column.
3.3. Scan AWS Account
To start the Scan:
Navigate to Integrations.
Click the AWS card.
The system displays a list of all the Confirmed accounts on the page.
Click the options menu available in the Manage column.
Click the Scan button. The system notifies you that a scan has been started. The status of the scan will be displayed under the Assessment Status column.
3.4. Scan AWS Account in bulk
Users can start the scan of multiple AWS accounts from the AWS configuration page.
To start the Scan in bulk:
Navigate to Integrations.
Click the AWS card.
The system displays a list of all the Confirmed accounts on the page.
Select the AWS accounts by marking the checkboxes available against them.
Click the Scan icon available at the top to start the scan.
3.5. View Assessment Status
On hovering over the Assessment Status, the system displays more details about the assessment status. For example: If the Assessment Status is Failed, the system displays the reason for failure.
3.6. Delete AWS Account
To delete an AWS account:
Navigate to Integrations.
Click the AWS card.
The system displays a list of all the Confirmed accounts on the page.
Click the options menu available in the Manage column.
Click the Delete button.
Click the "Yes, Delete" button on the confirmation screen.
Note
If required, select the checkbox to retire the assets associated with the AWS account.
3.7. Delete AWS Accounts in bulk
To delete AWS accounts in bulk:
Navigate to Integrations.
Click the AWS card.
The system displays a list of all the Confirmed accounts on the page.
Select the AWS accounts by marking the checkboxes available against them.
Click the Delete icon available at the top.
On the confirmation screen, click the “Yes, Delete” button.
Note
If required, select the checkbox to retire the assets associated with the AWS accounts.
4. Set Global Scan Frequency for onboarded AWS accounts
Users can set a Global Scan Frequency (how often, in days, the onboarded AWS accounts are scanned).
To set the scan frequency for onboarded AWS accounts:
Navigate to Integrations.
Click the AWS card.
On the AWS account management page, click the Settings icon.
Enter the number of days in the Global Scan Frequency field.
Click the Update button.
5. View results
SAFE scans the added AWS accounts and automatically onboards their assets in SAFE.
To view the onboarded AWS assets:
Go to Technology > Assets from the left navigation.
Click the filter icon available at the top-right of the asset list table.
Apply the filter Cloud Type Equals AWS.
The system displays the AWS assets.
To view the findings:
Note
To view findings for assets, the assets must be assigned to at least one group and its associated risk scenarios. The Findings view on the Risk Scenario page presents the findings list along with their details.
Navigate to the Risk Scenario created for the AWS assets.
Scroll down to the Findings section. Here you can see the finding details of the AWS assets.
6. FAQs
6.1. What happens when I delete an AWS account from UI, retire the linked assets, and then re-onboard that AWS account and assess it?
The assets that got retired will get unretired and start getting assessed, provided they exist in the account. If an asset is deleted from SAFE and found in the AWS account, it will be added as a new asset in SAFE.
6.2. If I have paused/stopped an EC2 instance, will SAFE still be able to assess it (given it's already onboarded on SAFE and the related account gets assessed regularly)?
Yes.
6.3. If I set the expiry for a stack-creation link as, say, 7th Apr 2021 in SAFE, from what time onward will the link become inactive?
It will become inactive from 8th Apr 2021 from 12:00 AM onward.
6.4. What will happen if I use the stack-creation link beyond its expiry date?
Stack creation will be initiated and completed using that link. But that particular account will not show up in SAFE.
6.5. What if I try to create another stack in an account that already has one stack created?
You can deploy multiple stacks in the same account as long as they correspond to different SAFE instances. If one stack already corresponds to a SAFE instance and you try to create another stack for that same instance, the stack creation will fail. To resolve this, you first need to delete the previous stack. Note that after deleting the previous stack, the account can no longer be assessed using that stack (since it has been deleted), so the assessment status of that account in SAFE will become Failed unless you deploy the second stack before the next Scan.
6.6. If a scan of an AWS account is in progress and I click on Scan again for that account, what will happen?
The Scan in progress will continue without interruption, and a new Scan (to scan the account after the first Scan ends) will not be queued.
6.7. If the scan of an AWS account is in progress and I delete the account from SAFE, what will happen?
The ongoing Scan will continue in the background, but the scan results will not be updated in SAFE. Furthermore, if the assets linked to the account were retired while deleting the AWS account, those assets will not be unretired.
6.8. Why do I see the Add Account button as disabled even though I am logged in as an Admin?
Please get in touch with the SAFE Support team to enable the Add Account button.
6.9. What happens if I delete the stack from my AWS account when the Scan is ongoing?
The status of the Scan gets updated to "Failed" on SAFE UI for that account.