AWS via ElectricEye

About this document

This document provides the step-by-step procedure to configure AWS via ElectricEye in SAFE.

Introduction

The SAFE integration with AWS enables the onboarding of AWS accounts into SAFE and allows the retrieval of assets and their security misconfigurations through ElectricEye.

Add AWS Account

SAFE allows users to add Individual Accounts and Member Accounts.

Add Individual Account in SAFE

SAFE admins can onboard an Individual AWS Account in SAFE via the Role method.

1. Navigate to Integrations and search for the “AWS via ElectricEye” card.

2. Click the AWS via Electric Eye card.

3. Go to the Individual Account tab.

4. (Optional) Set the expiry for the CloudFormation stack link you are going to generate.

5. Click the Generate button.

6. The system generates a CloudFormation stack link. Clicking the link will open the AWS console. You can also copy and paste the link into a browser.
   

7. If the system asks you to log in to your AWS account,

8. The system displays a pre-filled Quick Create stack page.

9. (Optional) If necessary, add the Permission Boundary ARN. SAFE supports adding the Permission Boundary ARN to allow the permission boundary to be attached to the IAM role (that is created as part of the stack).

10. Mark the checkbox to acknowledge that AWS CloudFormation might create IAM resources with custom names.
    Note: The CloudFormation template creates an IAM role and assigns read-only privileges to it. This access privilege is then used by SAFE during the automated/on-demand assessment of all supported services available under that cloud account.

11. Click the Create stack button. The system might take a few minutes to create the stack, usually between 3 to 5 minutes.

12. SAFE auto-discovers your AWS account and displays it under Configured Accounts.
    

Add Member Accounts in SAFE

If your organization has set up multiple AWS accounts that are managed centrally under an AWS organization, then you can use the option to add Member Accounts setup in SAFE.  

The onboarding and assessment of AWS Member Accounts using the Management Account in AWS is possible using the StackSets feature of CloudFormation in AWS. StackSets will enable the AWS Admin/Delegated Admin to deploy cloud formation stacks in multiple accounts from the Management Account.

To add AWS Member accounts:

1. Navigate to Integrations > AWS via ElectricEye card.

2. Click the AWS via ElectricEye card

3. Click the Member Account tab.

4. (Optional) Set the expiry by marking the checkbox and selecting a date of expiry.

5. Click the Generate button to generate the AWS StackSet parameters. The system automatically generates the AWS onboarding link.

6. Click the redirect icon available for the generated link. The system will redirect you to the AWS console. You can also copy and paste the link into a browser.
   

7. On the AWS console, a page with the title "Choose a template" will open up.

8. On the Choose a template page:

   1. In the Prerequisite - Prepare template section, select the option Template is Ready.

   2. In the Specify template section, under the Template source, select the Amazon S3 URL.

   3. Copy the Template URL from SAFE and paste it into the Amazon S3 URL field.

   4. Click Next.
      

9. In Specify StackSet details:

   1. Specify an appropriate StackSet name and relevant StackSet description in the respective fields.

   2. In Parameters:

      1. Copy the ExternalID from SAFE and paste it into the respective field.

      2. Copy the NotificationTopicArn from SAFE and paste it into the respective field.

      3. Copy the TenantID from SAFE and paste it into the respective field.

      4. Copy the TrustedRoleArn from SAFE and paste it into the respective field.

      5. Copy the AccountId from SAFE and paste it into the respective field.

10. Click Next.
    

11. In Configure StackSet section:

    1. Configure tags, if needed, in Tags.

    2. In Permissions - Choose any one of the 2 types of permissions shown:

       1. (RECOMMENDED) Service-managed permissions - With these permissions, you can deploy stack instances to accounts managed by AWS Organizations in specific Regions. You don't need to create the necessary IAM roles; StackSets will create the IAM roles on your behalf. If any new account is added to the Management account in the future, it will get auto-discovered on SAFE, provided Automatic deployment is Enabled in the Set Deployment Target Section.

       2. Self-Managed Permissions - You can deploy stack instances to specific AWS accounts in specific Regions with these permissions. You must first create the necessary IAM roles to establish a trusted relationship between the account you are administering the StackSet from and the account you are deploying stack instances too.

          Note: If the customer wants "per-account" control (e.g., delete the stack in a single account after deployment) on the stack set, they should choose Self-Managed Permissions. Users can only perform actions (e.g., delete) at an OU level with the Service-managed permissions. Hence, Self-managed permissions offer more granular control, even though they will require higher maintenance effort than Service managed permissions.

    3. Click Next.
       

12. In the Set deployment section:

    1. In Deployment Targets:

       1. If you want to deploy stack to all accounts under the Management Account, choose to Deploy to the organization.

       2. If you want to onboard only a subset of your OUs, choose to Deploy to organizational units (OUs).

    2. Choose the appropriate options for Automatic deployment and Account removal behavior.

    3. In Specify regions, select the region as shown in Specified Regions in SAFE.

    4. In Deployment options, specify values for Maximum concurrent accounts and Failure tolerance, if needed.
       Note: If Failure tolerance is a small value, stack creation failure in that many accounts will cause the entire StackSets deployment to stop.

    5. Click Next.

13. Review the options and deploy the stack sets by clicking Submit.
    

14. Once deployed, StackSets can be viewed from AWS Console > CloudFormation > StackSets.

15. To view individual stacks, click on the StackSet Name > Stack Instances.

Note: If any of the AWS Member accounts were already onboarded individually in SAFE by “creating a Stack using the Quick create-link (from the Assume Role section of Add Account page) and we try to deploy another stack in the same account using StackSets from the Management Account, the stack creation will fail for that AWS  member account where the stack already exists. Admin should delete the individual stack before deploying a StackSet in the OU containing the AWS Member account.

Manage AWS Accounts

View AWS Account

1. Navigate to AWS via ElectricEye integration page.

2. The system displays a list of all the Configured accounts on the page.

View sync history for AWS Account

To view the sync history of individual accounts, click on the Account ID in the “Configured Account” section.The page will display the sync history for the account.

Manually Sync AWS Account

To start a manual sync:

1. Navigate to the integration configuration page.

2. Click the options menu available in the Manage column.

3. Click the sync button. The system notifies you that a sync has been started. The status of the sync will be displayed under the “Assessment Status” column.

4. To Sync AWS Account in bulk select the AWS accounts by marking the checkboxes available against them.

5. Click the Sync icon available at the top to start the sync.

Delete AWS Account

To delete multiple AWS account:

1. In the section for Configured Accounts, select the AWS accounts by marking the checkboxes available against them.

2. Click the Delete option from top menu.

3. click the “Yes, Delete” button on the confirmation screen.

4. AWS account can also be deleted individually by choosing the delete option from the “Manage” column menu.
   

Set Global Sync Frequency

1. Navigate to the AWS integration configuration page.

2. In the section for Configured Accounts, click on the Setting icon at the top.

3. Enter the number of days in the Global Sync Frequency field.

4. Click the Update button.
   

View results

1. Go to AWS integration page.

2. Click the Asset View tab to see all the assets

3. Click the Finding View tab to see all the findings.
   

FAQs

If I pause/stop an EC2 instance, will SAFE still be able to assess it if the account is regularly assessed?

Yes. SAFE will continue to assess the instance as long as the account is onboarded and regularly assessed.

If I set the expiry for a stack-creation link as April 7, 2021, when will it become inactive?

The link will become inactive from April 8, 2021, at 12:00 AM onward.

What happens if I use the stack-creation link after its expiry date?

The stack creation will still be initiated and completed, but the account will not appear in SAFE.

What if I try to create another stack in an account that already has one stack created?

• You can deploy multiple stacks if they correspond to different SAFE instances.

• If you attempt to create another stack for the same SAFE instance, the stack creation will fail.

• To resolve this, delete the existing stack first. However, deleting the stack will cause the account’s assessment status in SAFE to fail unless the new stack is deployed before the next sync.

If an AWS account sync is in progress and I delete the account from SAFE, what will happen?

The ongoing sync will continue in the background, but sync results will not be updated in SAFE.

Why is the "Add Account" button disabled even though I am logged in as an Admin?

Please contact the SAFE Support team to enable the "Add Account" button.

SAFE's Outgoing IP Addresses

Click here to find the outgoing IP addresses of SAFE. All traffic to any integrations in SAFE will see one IP address as the source IP of the incoming connection.