Migrating AWS Integration Configuration via Electric Eye


Introduction

This document details the steps required to migrate from the older, soon-to-be-deprecated SAFE ‘AWS’ integration to the new enhanced version, ‘AWS via Electric Eye’. At a high level, the migration consists of three stages: first deleting the AWS stacks deployed for the original integration, then deleting the accounts and associated assets onboarded in SAFE, and finally deploying new AWS stacks for the ‘AWS via Electric Eye’ integration.

Potential Impact of Migration

Take note that this migration process includes deleting existing assets in SAFE that have been onboarded from the AWS integration source.

Any non-default custom field or asset metadata that has been manually applied to the assets onboarded from AWS will also be removed. If relevant, please discuss this with a SAFE engineer for recommendations on how to potentially retain this data.

The updated AWS via Electric Eye integration uses a different onboarding/finding source name and will have differences in the Asset Types values used in SAFE. The impact of this is that any existing smart groups using filters that reference the onboarding source of AWS or specific AWS Asset Types values will need to be reviewed and updated following the migration.

Migration Process

Deleting AWS Stacks

The process to delete the deployed AWS integration stacks differs slightly depending on how they were originally deployed. Refer to the appropriate section for the type of deployment originally used in your environment, either Individual Account (Stacks) or Member Account (StackSets). This step should be completed by an AWS Administrator.

Deleting Individual Accounts (Stacks)

This step should be completed for each AWS account that was integrated with SAFE.

  1. Log in to the AWS Console for the relevant account.

  2. Navigate to CloudFormation > Stacks.

  3. Identify the stack originally deployed for the SAFE integration. By default, its name begins with “SafeSecurityManagement” and it can be found by searching for this string.

  4. Select the stack and click the Delete button.

  5. Follow the on-screen prompts to confirm the stack deletion.

  6. Verify that the deletion operation is successful (the Status for the stack will show DELETE_COMPLETE). This should generally complete in less than 5 minutes.

Deleting Member Accounts (StackSets)

This step should be completed for each AWS organization that was integrated with SAFE.

  1. Log in to the AWS organization management account where the SAFE integration StackSet was originally defined and deployed from.

  2. Navigate to CloudFormation > StackSets.

  3. Identify the StackSet originally created for the SAFE integration; its name was user-defined at creation time, so it will not follow a fixed pattern.

  4. Select the StackSet and from the Actions drop-down menu select Delete stacks from StackSet.

  5. In the Organisational units (OUs) section, input AWS OU ID values or individual account filters as appropriate for your AWS environment to cover all member accounts where the SAFE AWS integration stack was originally deployed.

  6. In the Specify Regions section, select the relevant region for your environment where the integration stacks have been deployed.

  7. Click Next and confirm the deletion.

  8. Verify that the stack deletion operations are successful: there should be a DELETE type operation with a SUCCEEDED status for each stack.

  9. Once all stack deletions have completed, the StackSet itself can be deleted. Select the StackSet again and, from the Actions drop-down menu, select Delete StackSet. Follow the on-screen prompts to confirm the deletion.
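The verification steps in both sections above (step 6 for individual Stacks, steps 8 and 9 for StackSets) can be checked from the command line instead of the console, which is useful when many accounts or OUs are involved. The script below is an added example and is not part of the SAFE documentation or the SAFE product. The pure functions work on the item shapes returned by boto3's CloudFormation client (`list_stacks`, `list_stack_instances`, `list_stack_set_operations`); only `verify_live()` calls AWS and needs boto3 plus read-only CloudFormation credentials. The stack name prefix is the default from the guide; the StackSet name, region and account IDs are assumed placeholders.

```python
"""Verify that the SAFE AWS integration stacks are really gone.

Added example; not part of the SAFE documentation or the SAFE product.
The pure functions operate on the response item shapes of boto3's
CloudFormation client (list_stacks -> "StackSummaries",
list_stack_instances -> "Summaries", list_stack_set_operations -> "Summaries").
Only verify_live() talks to AWS and requires boto3 plus credentials.
"""

SAFE_STACK_PREFIX = "SafeSecurityManagement"  # default stack name prefix from the guide


def undeleted_safe_stacks(stack_summaries, prefix=SAFE_STACK_PREFIX):
    """Return names of SAFE stacks not yet in DELETE_COMPLETE (step 6, Stacks).

    list_stacks keeps reporting deleted stacks as DELETE_COMPLETE for roughly
    90 days, so those count as done; any other status with the prefix is a
    stack that still needs attention (e.g. DELETE_FAILED, DELETE_IN_PROGRESS).
    """
    return [
        s["StackName"]
        for s in stack_summaries
        if s.get("StackName", "").startswith(prefix)
        and s.get("StackStatus") != "DELETE_COMPLETE"
    ]


def stackset_problems(instance_summaries, operation_summaries):
    """Return reasons a StackSet is NOT ready for 'Delete StackSet'.

    An empty list means no stack instances remain and at least one DELETE
    operation finished with status SUCCEEDED (steps 8 and 9, StackSets).
    """
    problems = []
    for inst in instance_summaries:
        problems.append(
            f"stack instance still present: account {inst.get('Account')} "
            f"region {inst.get('Region')} status {inst.get('Status')}"
        )
    deletes = [o for o in operation_summaries if o.get("Action") == "DELETE"]
    if not deletes:
        problems.append("no DELETE operation recorded for this StackSet")
    for op in deletes:
        if op.get("Status") != "SUCCEEDED":
            problems.append(f"DELETE operation {op.get('OperationId')} is {op.get('Status')}")
    return problems


def verify_live(region, stackset_name=None):
    """Run both checks against a real account (boto3 imported lazily)."""
    import boto3  # optional dependency, only needed for the live check

    cfn = boto3.client("cloudformation", region_name=region)
    stacks = []
    for page in cfn.get_paginator("list_stacks").paginate():
        stacks.extend(page["StackSummaries"])
    report = {"undeleted_stacks": undeleted_safe_stacks(stacks)}
    if stackset_name:  # only relevant in the organization management account
        instances, operations = [], []
        for page in cfn.get_paginator("list_stack_instances").paginate(StackSetName=stackset_name):
            instances.extend(page["Summaries"])
        for page in cfn.get_paginator("list_stack_set_operations").paginate(StackSetName=stackset_name):
            operations.extend(page["Summaries"])
        report["stackset_problems"] = stackset_problems(instances, operations)
    return report


# Constructed sample data shaped like the boto3 response items (not real accounts).
SAMPLE_STACKS = [
    {"StackName": "SafeSecurityManagement-a1b2", "StackStatus": "DELETE_COMPLETE"},
    {"StackName": "SafeSecurityManagement-c3d4", "StackStatus": "DELETE_FAILED"},
    {"StackName": "unrelated-app-stack", "StackStatus": "CREATE_COMPLETE"},
]
SAMPLE_INSTANCES = [
    {"Account": "111111111111", "Region": "eu-west-1", "Status": "CURRENT"},
]
SAMPLE_OPERATIONS = [
    {"OperationId": "op-0001", "Action": "DELETE", "Status": "SUCCEEDED"},
    {"OperationId": "op-0002", "Action": "DELETE", "Status": "FAILED"},
]

if __name__ == "__main__":
    print("stacks still to delete:", undeleted_safe_stacks(SAMPLE_STACKS))
    for p in stackset_problems(SAMPLE_INSTANCES, SAMPLE_OPERATIONS):
        print("StackSet not ready:", p)
```

Run it as-is to see the checks applied to the constructed sample, or call `verify_live("eu-west-1", stackset_name="<your-stackset-name>")` with credentials for the account in question; an empty `undeleted_stacks` list and an empty `stackset_problems` list mean it is safe to proceed to Delete StackSet.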

Deleting Onboarded Accounts/Assets in SAFE

All confirmed and unconfirmed AWS accounts that have been onboarded to SAFE should be deleted along with all of their assets. This ensures that the new integration performs a clean first sync and produces a consistent set of findings and source names.

If you believe there is a non-default custom field or asset metadata that has been manually applied to the assets onboarded from AWS, please discuss this with a SAFE engineer for recommendations on how to potentially retain this.

The process for deleting an AWS account is detailed here but repeated below for completeness. In this case, make sure that the selection box for Select to retire assets associated with the account(s) is selected.

  1. In SAFE, navigate to the AWS integration card [Integrations > AWS].

  2. In the Confirmed tab, use the options menu from the Manage column of each account to delete the account.

  3. On the prompt, make sure that the selection box for Select to retire assets associated with the account(s) is selected, and then click Yes, Delete.

  4. Check the Unconfirmed tab to see whether any unconfirmed accounts are present. If so, Confirm these and then delete them from the Confirmed tab as above.

There is a bulk AWS account deletion option detailed here, but you may encounter a bug that prevents bulk deletion and presents a failure message. The recommendation is to delete each account individually.

Configuring AWS via Electric Eye Integration

Follow the documentation guide for configuring the new AWS via Electric Eye integration, found at https://docs.safe.security/docs/aws-via-electric-eye

Ensure that the new integration card is used; it will be named exactly AWS via Electric Eye.