AWS

1. Introduction


SAFE allows users to onboard AWS accounts and assess them. SAFE admins configure the AWS integration from Safe Hooks.


SAFE scans the added AWS accounts and automatically onboards the assets under the "Cloud-AWS" vertical upon successful configuration and confirmation.


Info

SAFE admins can trigger the on-demand assessment of the onboarded accounts. They can also set Global Auto Scan Frequency for AWS accounts.


2. Add AWS Accounts


SAFE allows users to add "Individual Account" and "Member Account".



2.1. Add an Individual Account


You can onboard an Individual AWS Account in SAFE using the Role method: a CloudFormation stack creates a read-only IAM role in your account, and SAFE assumes that role to run assessments.

A SAFE Admin can add an AWS account by following these steps:

  1. Navigate to Administration > Safe Hooks
  2. Click the Configure button available on the AWS card.
  3. Click the Add Account button.
  4. (Optional) If required, set the expiry date for the link as follows:
    1. Mark the checkbox to Set the expiry date for the generated link.
    2. Enter or select the expiry date from the calendar.
  5. Click the Generate button.
  6. The system generates a CloudFormation stack link. Clicking the redirect icon available for the link will open the AWS console. You can also copy and paste the link into a browser. The link redirects you to the AWS console page.

  7. If asked by the system, please log in to your AWS account.
  8. The system displays a pre-filled Quick create stack page.
  9. Mark the checkbox to acknowledge that AWS CloudFormation might create IAM resources with custom names.

    Info
    The CloudFormation template creates an IAM role and attaches read-only privileges to it. SAFE assumes this role during periodic and on-demand assessments of all supported services in that cloud account; no long-lived access keys are exchanged.
  10. Click the Create stack button. The system might take a few minutes, usually between 3 to 5 mins, to create the stack.
  11. SAFE auto-discovers your AWS account and displays it under AWS Configuration > Unconfirmed Accounts.

2.2. Add AWS Member Accounts


Info
AWS Member Accounts can be onboarded and assessed through the Management Account using the StackSets feature of CloudFormation. StackSets lets the AWS Admin or Delegated Admin deploy CloudFormation stacks to multiple accounts from the Management Account.


To add AWS Member accounts:

Section 1: Steps to be performed on SAFE UI

  1. Navigate to Administration > SAFE Hooks.
  2. Click the Configure button available on the AWS card.
  3. Click the Add Account button.
  4. Click the Member Account tab.
  5. (Optional) If necessary, set the expiry by marking the checkbox and selecting a date of expiry.
  6. Click the Generate button. The system generates the AWS StackSet parameters (Template URL, ExternalID, NotificationTopicArn, TenantID, TrustedRoleArn) and the AWS onboarding link.
  7. Click the redirect icon available for the generated link. The system will redirect you to the AWS console. You can also copy and paste the link into a browser.

Section 2: Steps to be performed on AWS Console

  1. On the AWS console, a page with the title "Choose a template" will open up.
  2. On the Choose a template page.
    1. In the Prerequisite - Prepare template section, select the option Template is ready.
    2. In the Specify template section, under the Template source, select the Amazon S3 URL.
    3. Copy the Template URL from SAFE and paste it into the Amazon S3 URL field.
    4. Click Next.
  3. In Specify StackSet details:
    1. Specify an appropriate StackSet name and relevant StackSet description in the respective fields.
    2. In Parameters:
      1. Copy the ExternalID from SAFE and paste it into the respective field.
      2. Copy the NotificationTopicArn from SAFE and paste it into the respective field.
      3. Copy the TenantID from SAFE and paste it into the respective field.
      4. Copy the TrustedRoleArn from SAFE and paste it into the respective field.
    3. Click Next.
  4. In Configure StackSet section:
    1. Configure tags, if needed, in Tags.
    2. In Permissions - Choose any one of the 2 types of permissions shown -
      1. (RECOMMENDED) Service-managed permissions - With these permissions, you can deploy stack instances to accounts managed by AWS Organizations in specific Regions. You don't need to create the necessary IAM roles; StackSets creates them on your behalf. If a new account is added to the organization under the Management Account in the future, it will be auto-discovered on SAFE, provided Automatic deployment is Enabled in the Set deployment targets section.
      2. Self-managed permissions - With these permissions, you can deploy stack instances to specific AWS accounts in specific Regions. You must first create the necessary IAM roles to establish a trust relationship between the account you administer the StackSet from and each account you deploy stack instances to.
        Note: If you want per-account control over the StackSet (e.g., deleting the stack in a single account after deployment), choose Self-managed permissions. With Service-managed permissions, actions such as delete can only be performed at the OU level. Self-managed permissions therefore offer more granular control, at the cost of higher maintenance effort.
    3. Click Next.
  5. In the Set deployment section:
    1. In Deployment Targets:
      1. Choose one of the 2 options shown:
        1. If you want to deploy stack to all accounts under the Management Account, choose to Deploy to the organization.
        2. If you want to onboard only a subset of your OUs, choose to Deploy to organizational units (OUs).
      2. Choose the appropriate options for Automatic deployment and Account removal behavior.
    2. In Specify regions, select the region as shown in Specified Regions in SAFE.
    3. In Deployment options, specify values for Maximum concurrent accounts and Failure tolerance, if needed. Note: Failure tolerance is the number of accounts per Region in which stack creation may fail before CloudFormation stops the whole StackSet operation; with a small value, a few failed accounts will halt deployment to the remaining accounts.
    4. Click Next.
  6. Review the options and deploy the stack sets by clicking Submit.
  7. Once deployed, StackSets can be viewed from AWS Console > CloudFormation > StackSets.
  8. To view individual stacks, click on the StackSet Name > Stack Instances.
Note
If any of the AWS Member accounts were already onboarded individually in SAFE by creating a stack using the Quick create link (from the Assume Role section of the Add Account page), and you then deploy another stack in the same account using StackSets from the Management Account, stack creation will fail for that member account because a stack already exists there. The admin should delete the individual stack before deploying a StackSet to the OU containing that AWS Member account.
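The ExternalID and TrustedRoleArn parameters in the StackSet procedure above, like the role created by the individual-account stack in section 2.1, determine who may assume the onboarding role in your account. Once the stack or StackSet has deployed, it is worth confirming that the resulting IAM role trusts only SAFE's principal, requires the external ID, and carries read-only permissions. The script below is an added example, not code from SAFE or AWS. It assumes the role's trust policy follows the standard cross-account pattern that these two parameters conventionally configure (principal = TrustedRoleArn, Condition sts:ExternalId = ExternalID); the ARN, external ID and policy documents in it are constructed samples, not values from a real account.

```python
"""Check the IAM role a SAFE onboarding stack created.

Added example, not code from SAFE or AWS. It assumes the role's trust policy
follows the standard cross-account pattern that the ExternalID and
TrustedRoleArn stack parameters conventionally configure:
  - the only principal allowed to call sts:AssumeRole is TrustedRoleArn
  - the call must carry sts:ExternalId equal to ExternalID (confused-deputy guard)
All ARNs, IDs and policy documents below are constructed samples.
"""
import json

# Constructed stand-ins for the values shown on the SAFE Add Account page.
EXPECTED_TRUSTED_ROLE_ARN = "arn:aws:iam::111111111111:role/safe-assessor"
EXPECTED_EXTERNAL_ID = "7c2b9e4d-example-external-id"

# Action verbs that do not change state. IAM policy JSON carries no machine-
# readable "read-only" flag, so this is a heuristic: anything else is flagged
# for human review.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Lookup", "Search", "View", "Check")


def _as_list(value):
    """IAM JSON allows a single string or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(trust_policy, trusted_role_arn, external_id):
    """Return problems found in an AssumeRolePolicyDocument ([] means it is as expected)."""
    findings = []
    for i, stmt in enumerate(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        # Principal may be "*", a string, or a dict of AWS/Service/Federated entries.
        principal = stmt.get("Principal", "*")
        if isinstance(principal, dict):
            principals = [p for v in principal.values() for p in _as_list(v)]
        else:
            principals = _as_list(principal)
        for p in principals:
            if p != trusted_role_arn:
                findings.append(f"statement {i}: unexpected principal {p!r}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        external_ids = _as_list(condition.get("sts:ExternalId"))
        if not external_ids:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
        elif external_ids != [external_id]:
            findings.append(f"statement {i}: sts:ExternalId {external_ids!r} is not the expected ID")
    return findings


def non_read_only_actions(permissions_policy):
    """Return Allow actions whose verb is not in READ_ONLY_PREFIXES (heuristic)."""
    flagged = []
    for stmt in permissions_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # "Allow everything except ..." is never a read-only grant.
            flagged.append("NotAction:" + json.dumps(stmt["NotAction"]))
            continue
        for action in _as_list(stmt.get("Action")):
            verb = action.split(":", 1)[1] if ":" in action else action
            if verb == "*" or not verb.startswith(READ_ONLY_PREFIXES):
                flagged.append(action)
    return flagged


# --- constructed sample documents (what a correct and an incorrect role look like)
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": EXPECTED_TRUSTED_ROLE_ARN},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
}

# Trusts every AWS account and has no external-ID guard: any account could assume it.
OVERLY_TRUSTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}

SAMPLE_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:ListAllMyBuckets",
                                       "iam:GetAccountPasswordPolicy"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:PutBucketPolicy", "Resource": "*"},  # should not be here
    ],
}

if __name__ == "__main__":
    ok = trust_policy_findings(SAMPLE_TRUST_POLICY, EXPECTED_TRUSTED_ROLE_ARN, EXPECTED_EXTERNAL_ID)
    print("expected trust policy:", ok or "OK")
    print("overly trusting policy:", trust_policy_findings(OVERLY_TRUSTING_POLICY,
                                                           EXPECTED_TRUSTED_ROLE_ARN, EXPECTED_EXTERNAL_ID))
    print("non-read-only actions:", non_read_only_actions(SAMPLE_PERMISSIONS_POLICY))
```

To run this against a real role, export its documents with `aws iam get-role --role-name <role>` (the AssumeRolePolicyDocument field) and `aws iam get-role-policy` or `aws iam get-policy-version` for the permissions, then pass the parsed JSON to the two functions with the ExternalID and TrustedRoleArn values shown on the SAFE Add Account page. The read-only check is a verb-prefix heuristic; treat anything it flags as a prompt for review rather than proof of a problem.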

3. Manage AWS Accounts


All the onboarded AWS accounts will be available on the AWS Account Management Page. 

  • Unconfirmed Accounts: Upon successful configuration of the AWS account, the system auto-discovers it and lists it under Unconfirmed Accounts.
  • Confirmed Accounts: Users must confirm each account listed under Unconfirmed Accounts before it can be scanned. Once confirmed, the account is listed under Confirmed Accounts.

3.1. View AWS Account

To view the onboarded AWS account:

  1. Navigate to Administration > Safe Hooks > AWS.
  2. Click the Configure button available on the AWS card.
  3. The system displays a list of all the Confirmed accounts on the page. 
  4. Click the Unconfirmed tab to view the list of Unconfirmed Accounts.

3.2. Confirm AWS Account

Upon onboarding, SAFE auto-discovers your AWS account and displays it under AWS Configuration > Unconfirmed Accounts. Users need to confirm the added Unconfirmed accounts to complete the onboarding process.

To confirm:

  1. Go to the Unconfirmed Accounts tab available on the AWS Account Management page.
  2. Click the options menu available in the Manage column and Confirm the Account.


3.3. Scan AWS Account

Users can scan the onboarded AWS account from the AWS configuration page. 

To start the Scan:

  1. Navigate to Administration > Safe Hooks > AWS.
  2. Click the Configure button available on the AWS card.
  3. The system displays a list of all the Confirmed accounts on the page. 
  4. Click the options menu available in the  Manage column.
  5. Click the Scan button. The system notifies you for the successful start of the scan. The status of the scan will be displayed under the Assessment Status column.

3.4. Scan AWS Account in bulk

Users can start the scan of multiple AWS accounts from the AWS configuration page. 


To start the Scan in bulk:

  1. Navigate to Administration > Safe Hooks > AWS.
  2. Click the Configure button available on the AWS card.
  3. The system displays a list of all the Confirmed accounts on the page. 
  4. Select the AWS accounts by marking the checkboxes available against them.
  5. Click the Scan icon available at the top to start the scan.

3.5. View Assessment Status

On hovering over the Assessment Status, the system displays more details on the assessment status. For example: If the Assessment Status is Failed, the system displays the reason for failure.


3.6. Delete AWS Account

To delete an AWS account:

  1. Navigate to Administration > Safe Hooks > AWS.
  2. Click the Configure button available on the AWS card.
  3. The system displays a list of all the Confirmed accounts on the page. 
  4. Click the options menu available in the Manage column.
  5. Click the Delete button.
  6. On the confirmation screen, click the “Yes, Delete” button.

Note
If required, select the checkbox to retire the assets associated with the AWS account.


3.7. Delete AWS Account in bulk

To delete an AWS account in bulk:

  1. Navigate to Administration > Safe Hooks > AWS.
  2. Click the Configure button available on the AWS card.
  3. The system displays a list of all the Confirmed accounts on the page. 
  4. Select the AWS accounts by marking the checkboxes available against them.
  5. Click the Delete icon available at the top.
  6. On the confirmation screen, click the “Yes, Delete” button.
Note
If required, select the checkbox to retire the assets associated with the AWS accounts.


4. Set Global Scan Frequency for onboarded AWS accounts


Users can set a Global Scan Frequency: the interval, in days, at which SAFE automatically scans every onboarded AWS account.

To set the Global Scan Frequency for onboarded AWS accounts:

  1. Navigate to Administration > Safe Hooks > AWS.
  2. Click the Configure button available on the AWS card.
  3. On the AWS account management page, click the Settings icon.
  4. Enter the number of days in the Global Scan Frequency field. 
  5. Click the Update button.

5. View assessment results of the onboarded AWS Accounts


SAFE scans the added AWS accounts and automatically onboards the assets under the "Cloud-AWS" vertical.

To view the assessment result of the onboarded AWS Accounts:

  1. Navigate to the Technology > Inside-out assessment dashboard.
  2. Click the Cloud AWS vertical from the Technology Score Trend section.
  3. The system opens the Cloud-AWS details page. Users can view the assessment result for all the assets under this vertical.


6. FAQs


6.1. What happens when I delete an AWS account from UI, retire the linked assets, and then re-onboard that AWS account and assess it?


The assets that got retired will get unretired and start getting assessed, provided they exist in the account.
If an asset is deleted from SAFE and is found in the AWS account, it will get added as a new asset in SAFE.

6.2. If I have paused/stopped an EC2 instance, will SAFE still be able to assess it (given it's already onboarded on SAFE and the related account gets assessed regularly)?


Yes.

6.3. If I set the expiry for a stack-creation link as, say, 7th Apr 2021 in SAFE, from what time onward will the link become inactive?


It will become inactive from 8th Apr 2021 from 12:00 AM onward.

6.4. What will happen if I use the stack-creation link beyond its expiry date?


Stack creation will still be initiated and completed using that link, so the IAM role it defines will exist in your AWS account, but the account will not show up in SAFE. Delete that stack and onboard the account again with a freshly generated link; leaving it in place only retains a role that nothing legitimately uses.

6.5. What if I try to create another stack in an account that already has one stack created?


You can deploy multiple stacks in the same account as long as they correspond to different SAFE instances. If one stack already corresponds to a SAFE instance and you try to create another stack for that same instance, the stack creation will fail. To resolve this, you first need to delete the previous stack. Note that once the previous stack is deleted, the account can no longer be assessed through it, so the assessment status of that account in SAFE will become Failed unless you deploy the second stack before the next Scan.

6.6. If Scan of an AWS account is in progress and I click on Scan again for that account, what will happen?


The Scan in progress will continue without interruption, and a new Scan (to scan the account after the first Scan ends) will not be queued.

6.7. If the scan of an AWS account is in progress and I delete the account from SAFE, what will happen?


The ongoing Scan will continue in the background, but the scan results will not be updated in SAFE. Furthermore, if the assets linked to the account were retired while deleting the AWS account, those assets will not get unretired.

6.8. Why do I see the Add Account button as disabled even though I am logged in as an Admin?


Please get in touch with the SAFE Support team to enable the Add Account button.

6.9. What happens if I delete the stack from my AWS account when the Scan is ongoing?


The status of the Scan gets updated to "Failed" on SAFE UI for that account.

