AWS

1. Introduction


SAFE allows users to onboard and assess AWS accounts. SAFE admins can configure the AWS integration from SAFE Hooks. 

SAFE scans the configured and confirmed AWS accounts and automatically onboards the discovered assets under the "Cloud-AWS" vertical.

Info

SAFE admins can trigger an on-demand assessment of the onboarded accounts. They can also set Global Auto Scan Frequency for AWS accounts.


2. Add AWS Accounts


SAFE supports two ways of adding accounts: "Individual Account" (a single account, onboarded through a CloudFormation stack) and "Member Account" (accounts under an AWS Organizations management account, onboarded through CloudFormation StackSets).


2.1. Add Individual Account


You can onboard an Individual AWS Account in SAFE via the Role method.

A SAFE admin can add an AWS account as follows:

  1. Navigate to SAFE Hooks.
  2. Click the Configure button available on the AWS card.
  3. Click the Add Account button.
  4. (Optional) If required, set the expiry date for the link as follows:
    1. Mark the checkbox to Set the expiry date for the generated link.
    2. Enter or select the expiry date from the calendar.
  5. Click the Generate button.
  6. The system generates a CloudFormation stack link. Click the redirect icon next to the link, or copy and paste the link into a browser; either way it opens the AWS console.

    Review the CloudFormation template (linked from this page) before creating the stack.

  7. If prompted, log in to the AWS account you want to onboard.
  8. The system displays a pre-filled Quick create stack page.
  9. (Optional) If necessary, add a Permission Boundary ARN. SAFE passes this value to the template so that the permissions boundary is attached to the IAM role the stack creates; the boundary caps what that role can ever be granted, independently of the policies attached to it.
  10. Mark the checkbox to acknowledge that AWS CloudFormation might create IAM resources with custom names.
    Note
    The CloudFormation template creates an IAM role and assigns read-only privileges to it. This access privilege is then used by SAFE during the automated/on-demand assessment of all supported services available under that cloud account.
  11. Click the Create stack button. The system might take a few minutes to create the stack, usually between 3 to 5 minutes.
  12. SAFE auto-discovers your AWS account and displays it under AWS Configuration > Unconfirmed Accounts.
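The stack creates a cross-account role that SAFE assumes, so the properties worth verifying once the stack is in place are the ones this page describes: the role trusts only SAFE's role, the trust is gated by the external ID (the standard guard against the confused-deputy problem in cross-account role assumption), only read-only policies are attached, and, if you supplied one, the permissions boundary is present. The script below is an added example, not SAFE's code or template: it runs those checks over a role description in the shape of `aws iam get-role` and `aws iam list-attached-role-policies` output. The role name, the trusted role ARN, the external ID, the account IDs and the list of accepted read-only policies are placeholders and assumptions, and the sample input is constructed. The same check applies per member account after a StackSet deployment (section 2.2).

```python
"""Audit the IAM role created by the SAFE CloudFormation stack (added example).

Checks a role description against the properties described on this page:
trusted only by SAFE's role, gated by the external ID, read-only policies,
and (optionally) a permissions boundary. All names, ARNs and IDs below are
placeholders, not values from SAFE; the sample input is constructed in the
shape of `aws iam get-role` / `aws iam list-attached-role-policies` output.
"""
import copy

# Assumption: the template attaches AWS-managed read-only policies.
# Adjust to the policies you see in the template you actually deploy.
ALLOWED_MANAGED_POLICIES = {
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "arn:aws:iam::aws:policy/SecurityAudit",
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_assessment_role(role, attached_policy_arns, expected_trusted_role_arn,
                          expected_external_id, require_boundary=False):
    """Return a list of findings; an empty list means the role matches expectations."""
    findings = []
    statements = _as_list(role["AssumeRolePolicyDocument"].get("Statement"))
    allow_assume = [s for s in statements
                    if s.get("Effect") == "Allow"
                    and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not allow_assume:
        findings.append("trust policy has no Allow sts:AssumeRole statement")

    for stmt in allow_assume:
        principal = stmt.get("Principal", {})
        # Principal may be the string "*" or {"AWS": "<arn>" | ["<arn>", ...]}
        principals = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS"))
        for p in principals:
            if p == "*":
                findings.append("trust policy allows any AWS principal (*)")
            elif p != expected_trusted_role_arn:
                findings.append(f"unexpected trusted principal: {p}")
        # Without sts:ExternalId, anyone who can make SAFE's role assume a role
        # could point it at yours (confused deputy)
        ext_ids = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if not ext_ids:
            findings.append("sts:ExternalId condition missing (confused-deputy risk)")
        elif expected_external_id not in ext_ids:
            findings.append("sts:ExternalId does not match the value SAFE generated")

    for arn in attached_policy_arns:
        if arn not in ALLOWED_MANAGED_POLICIES:
            findings.append(f"policy attached that is not on the read-only allow list: {arn}")

    if require_boundary and "PermissionsBoundary" not in role:
        findings.append("permissions boundary expected but not attached")
    return findings


# Constructed sample: a correctly deployed role (placeholder account IDs/ARNs).
SAFE_TRUSTED_ROLE = "arn:aws:iam::111111111111:role/safe-assessor"   # placeholder
SAFE_EXTERNAL_ID = "example-external-id"                             # placeholder
GOOD_ROLE = {
    "RoleName": "SAFEAssessmentRole",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": SAFE_TRUSTED_ROLE},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": SAFE_EXTERNAL_ID}},
        }],
    },
    "PermissionsBoundary": {
        "PermissionsBoundaryArn": "arn:aws:iam::222222222222:policy/AssessmentBoundary",
    },
}
GOOD_POLICIES = ["arn:aws:iam::aws:policy/SecurityAudit"]

# Same role with the external-ID condition removed and an admin policy added.
BAD_ROLE = copy.deepcopy(GOOD_ROLE)
del BAD_ROLE["AssumeRolePolicyDocument"]["Statement"][0]["Condition"]
BAD_POLICIES = GOOD_POLICIES + ["arn:aws:iam::aws:policy/AdministratorAccess"]

if __name__ == "__main__":
    for label, role, pols in (("good", GOOD_ROLE, GOOD_POLICIES), ("bad", BAD_ROLE, BAD_POLICIES)):
        findings = audit_assessment_role(role, pols, SAFE_TRUSTED_ROLE, SAFE_EXTERNAL_ID,
                                         require_boundary=True)
        print(label, "->", findings or "OK")
```

To run it against a real account, feed it the JSON from `aws iam get-role` and `aws iam list-attached-role-policies` for the role the stack created, with the TrustedRoleArn and ExternalID values SAFE generated; any finding other than an empty list means the deployed role is not scoped the way this page describes.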

2.2. Add AWS Member Accounts


Info
AWS Member Accounts can be onboarded and assessed from the Management Account using the StackSets feature of CloudFormation. StackSets lets the AWS admin or delegated admin deploy CloudFormation stacks into multiple accounts from the Management Account.

To add AWS Member accounts:

Section 1: Steps to be performed on SAFE UI

  1. Navigate to SAFE Hooks.
  2. Click the Configure button available on the AWS card.
  3. Click the Add Account button.
  4. Click the Member Account tab.
  5. (Optional) If necessary, set the expiry by marking the checkbox and selecting a date of expiry.
  6. Click the Generate button. The system generates the AWS StackSet parameters (Template URL, ExternalID, NotificationTopicArn, TenantID, TrustedRoleArn) together with the AWS onboarding link.
  7. Click the redirect icon available for the generated link. The system will redirect you to the AWS console. You can also copy and paste the link into a browser.

Section 2: Steps to be performed on AWS Console

  1. On the AWS console, a page titled "Choose a template" opens.
  2. On the Choose a template page:
    1. In the Prerequisite - Prepare template section, select the option Template is ready.
    2. In the Specify template section, under the Template source, select the Amazon S3 URL.
    3. Copy the Template URL from SAFE and paste it into the Amazon S3 URL field.
    4. Click Next.
  3. In Specify StackSet details:
    1. Specify an appropriate StackSet name and relevant StackSet description in the respective fields.
    2. In Parameters:
      1. Copy the ExternalID from SAFE and paste it into the respective field.
      2. Copy the NotificationTopicArn from SAFE and paste it into the respective field.
      3. Copy the TenantID from SAFE and paste it into the respective field.
      4. Copy the TrustedRoleArn from SAFE and paste it into the respective field.
    3. Click Next.
  4. In Configure StackSet section:
    1. Configure tags, if needed, in Tags.
    2. In Permissions, choose one of the two permission models:
      1. (RECOMMENDED) Service-managed permissions - With these permissions, you can deploy stack instances to accounts managed by AWS Organizations in specific Regions. You do not need to create the necessary IAM roles; StackSets creates them on your behalf. If a new account is added to the organization in the future, it is auto-discovered on SAFE, provided Automatic deployment is Enabled in the Set deployment targets section.
      2. Self-managed permissions - With these permissions, you can deploy stack instances to specific AWS accounts in specific Regions. You must first create the necessary IAM roles to establish a trust relationship between the account you administer the StackSet from and the accounts you deploy stack instances to.
        Note: If you want per-account control over the StackSet (for example, deleting the stack in a single account after deployment), choose Self-managed permissions. With Service-managed permissions, actions such as delete can only be performed at the OU level. Self-managed permissions therefore offer more granular control, at the cost of more maintenance than Service-managed permissions.
    3. Click Next.
  5. In the Set deployment section:
    1. In Deployment Targets:
      1. Choose one of the 2 options shown:
        1. If you want to deploy stack to all accounts under the Management Account, choose to Deploy to the organization.
        2. If you want to onboard only a subset of your OUs, choose to Deploy to organizational units (OUs).
      2. Choose the appropriate options for Automatic deployment and Account removal behavior.
    2. In Specify regions, select the region as shown in Specified Regions in SAFE.
    3. In Deployment options, specify values for Maximum concurrent accounts and Failure tolerance, if needed. Note: Failure tolerance is the number of accounts (per Region) in which stack creation may fail; once failures exceed it, CloudFormation stops the whole StackSet operation, so a small value means a few failing accounts halt the rollout to the rest.
    4. Click Next.
  6. Review the options and deploy the stack sets by clicking Submit.
  7. Once deployed, StackSets can be viewed from AWS Console > CloudFormation > StackSets.
  8. To view individual stacks, click on the StackSet Name > Stack Instances.
Note
If an AWS Member account was already onboarded individually in SAFE (by creating a stack using the Quick create link from the Assume Role section of the Add Account page) and you then deploy another stack into the same account using StackSets from the Management Account, stack creation fails for that member account because the stack already exists. The admin should delete the individual stack before deploying a StackSet to the OU containing that member account.
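After a StackSet deployment, the practical question is which member accounts actually received the SAFE stack in the Region SAFE specified, and which did not (a failed instance, for example because of the pre-existing individual stack described in the note above, an instance deployed to the wrong Region, or a suspended account that StackSets skipped). The script below is an added example, not SAFE's code: it reconciles the organization's account list (shape of `aws organizations list-accounts`) against the StackSet's instances (shape of `aws cloudformation list-stack-instances --stack-set-name ...`). The account IDs, names, Region and failure reason are constructed placeholders.

```python
"""Reconcile AWS Organizations member accounts against a SAFE StackSet (added example).

Compares the "Accounts" list a management account sees (organizations:ListAccounts)
with the "Summaries" list of the StackSet (cloudformation:ListStackInstances) and
reports, per account, whether the SAFE stack is in place in the expected Region.
All sample data below is constructed; IDs, names and reasons are placeholders.
"""

OK, FAILED, MISSING, SUSPENDED = "ok", "failed", "missing", "skipped-suspended"


def reconcile_stackset(accounts, stack_instances, region):
    """Map every organization account ID to (state, detail).

    accounts        -> "Accounts" from organizations:ListAccounts
    stack_instances -> "Summaries" from cloudformation:ListStackInstances
    region          -> the single Region SAFE told you to deploy into
    """
    # Only instances in the Region SAFE specified count as onboarded
    by_account = {inst["Account"]: inst
                  for inst in stack_instances if inst.get("Region") == region}

    report = {}
    for acct in accounts:
        acct_id = acct["Id"]
        if acct.get("Status") != "ACTIVE":
            # StackSets skips suspended accounts; nothing to fix on the SAFE side
            report[acct_id] = (SUSPENDED, None)
            continue
        inst = by_account.get(acct_id)
        if inst is None:
            report[acct_id] = (MISSING, "no stack instance in " + region)
        elif inst.get("Status") == "CURRENT":
            report[acct_id] = (OK, None)
        else:
            # OUTDATED / INOPERABLE: the last operation failed or never finished;
            # StatusReason carries CloudFormation's explanation
            report[acct_id] = (FAILED, inst.get("StatusReason") or inst.get("Status"))
    return report


def needs_action(report):
    """Account IDs that are active but not onboarded."""
    return sorted(acct for acct, (state, _) in report.items() if state in (MISSING, FAILED))


# Constructed sample input (placeholder account IDs and names).
SAMPLE_ACCOUNTS = [
    {"Id": "111111111111", "Name": "prod", "Status": "ACTIVE"},
    {"Id": "222222222222", "Name": "dev", "Status": "ACTIVE"},
    {"Id": "333333333333", "Name": "sandbox", "Status": "ACTIVE"},
    {"Id": "444444444444", "Name": "legacy", "Status": "SUSPENDED"},
]
SAMPLE_INSTANCES = [
    {"Account": "111111111111", "Region": "us-east-1", "Status": "CURRENT"},
    {"Account": "222222222222", "Region": "us-east-1", "Status": "OUTDATED",
     "StatusReason": "constructed sample: stack creation failed in this account"},
    # deployed to a Region SAFE did not ask for, so it does not count
    {"Account": "333333333333", "Region": "eu-west-1", "Status": "CURRENT"},
]

if __name__ == "__main__":
    result = reconcile_stackset(SAMPLE_ACCOUNTS, SAMPLE_INSTANCES, "us-east-1")
    for acct_id, (state, detail) in result.items():
        print(acct_id, state, detail or "")
    print("needs action:", needs_action(result))
```

Accounts reported as `failed` are the ones to check in AWS Console > CloudFormation > StackSets > Stack Instances; if the reason is an existing stack from an individual onboarding, delete that stack and re-run the StackSet operation, as the note above says.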

3. Manage AWS Accounts


All the onboarded AWS accounts will be available on the AWS Account Management Page. 

  • Unconfirmed Accounts: Upon successful configuration of the AWS account, the system auto-discovers the AWS account and displays it under Unconfirmed accounts.
  • Confirmed Accounts: Accounts listed under Unconfirmed Accounts must be confirmed before they can be scanned. Once you confirm an account, it is displayed under the Confirmed tab.

3.1. View AWS Account

To view the onboarded AWS account:

  1. Navigate to SAFE Hooks.
  2. Click the Configure button available on the AWS card.
  3. The system displays a list of all the Confirmed accounts on the page. 
  4. Click the Unconfirmed tab to view the list of Unconfirmed Accounts.

3.2. Confirm AWS Account

Upon onboarding, SAFE auto-discovers your AWS account and displays it under AWS Configuration > Unconfirmed Accounts. Users need to confirm the added Unconfirmed accounts to complete the onboarding process.

To confirm:

  1. Go to the Unconfirmed Accounts tab available on the AWS Account Management page.
  2. Click the Confirm button available in the Manage column.

3.3. Scan AWS Account

Users can scan the onboarded AWS account from the AWS configuration page. 

To start the Scan:

  1. Navigate to SAFE Hooks.
  2. Click the Configure button available on the AWS card.
  3. The system displays a list of all the Confirmed accounts on the page. 
  4. Click the options menu available in the Manage column.
  5. Click the Scan button. The system notifies you that a scan has been started. The status of the scan will be displayed under the Assessment Status column.

3.4. Scan AWS Account in bulk

Users can start the scan of multiple AWS accounts from the AWS configuration page. 

To start the Scan in bulk:

  1. Navigate to SAFE Hooks.
  2. Click the Configure button available on the AWS card.
  3. The system displays a list of all the Confirmed accounts on the page. 
  4. Select the AWS accounts by marking the checkboxes available against them.
  5. Click the Scan icon available at the top to start the scan.

3.5. View Assessment Status

On hovering over the Assessment Status, the system displays more details about the assessment status. For example: If the Assessment Status is Failed, the system displays the reason for failure.

3.6. Delete AWS Account

To delete an AWS account:

  1. Navigate to SAFE Hooks.
  2. Click the Configure button available on the AWS card.
  3. The system displays a list of all the Confirmed accounts on the page. 
  4. Click the options menu available in the Manage column.
  5. Click the Delete button.
  6. On the confirmation screen, click the “Yes, Delete” button.

Note
If required, select the checkbox to retire the assets associated with the AWS account.

3.7. Delete AWS Accounts in bulk

To delete AWS accounts in bulk:

  1. Navigate to SAFE Hooks.
  2. Click the Configure button available on the AWS card.
  3. The system displays a list of all the Confirmed accounts on the page. 
  4. Select the AWS accounts by marking the checkboxes available against them.
  5. Click the Delete icon available at the top.
  6. On the confirmation screen, click the “Yes, Delete” button.
Note
If required, select the checkbox to retire the assets associated with the AWS accounts.


4. Set Global Scan Frequency for onboarded AWS accounts


Users can set Global Scan Frequency (frequency for scanning the onboarded AWS account as a number of days).

To set the Global Scan Frequency for onboarded AWS accounts:

  1. Navigate to SAFE Hooks.
  2. Click the Configure button available on the AWS card.
  3. On the AWS account management page, click the Settings icon.
  4. Enter the number of days in the Global Scan Frequency field. 
  5. Click the Update button.

5. View assessment results of the onboarded AWS Accounts


SAFE scans the added AWS accounts and automatically onboards the assets under the "Cloud-AWS" vertical.

To view the assessment result of the onboarded AWS Accounts:

  1. Navigate to the Risk Scenario page and click the Group Risk tab.
  2. Click the Cloud AWS Risk from the list.
  3. The system opens the Cloud AWS Risk details page that includes the Risk Trend, Actionable Insights, and MITRE ATT&CK mapping.

6. FAQs


6.1. What happens when I delete an AWS account from UI, retire the linked assets, and then re-onboard that AWS account and assess it?


The assets that got retired will get unretired and start getting assessed, provided they exist in the account.
If an asset is deleted from SAFE and is found in the AWS account, it will get added as a new asset in SAFE.

6.2. If I have paused/stopped an EC2 instance, will SAFE still be able to assess it (given it's already onboarded on SAFE and the related account gets assessed regularly)?


Yes.

6.3. If I set the expiry for a stack-creation link as, say, 7th Apr 2021 in SAFE, from what time onward will the link become inactive?


It will become inactive from 8th Apr 2021 from 12:00 AM onward.

6.4. What will happen if I use the stack-creation link beyond its expiry date?


The stack is still created in AWS using that link, but the account will not show up in SAFE. Delete that stack (a second stack for the same SAFE instance would otherwise fail, see 6.5), generate a new link, and create the stack again.

6.5. What if I try to create another stack in an account that already has one stack created?


You can deploy multiple stacks in the same account as long as they correspond to different SAFE instances. If one stack already corresponds to a SAFE instance and you try to create another stack for that instance, the stack creation will fail. To resolve this, you first need to delete the previous stack. Note that once the previous stack is deleted, the account can no longer be assessed through it, so the assessment status of that account in SAFE becomes Failed unless you deploy the second stack before the next Scan.

6.6. If a scan of an AWS account is in progress and I click on Scan again for that account, what will happen?


The Scan in progress will continue without interruption, and a new Scan (to scan the account after the first Scan ends) will not be queued.

6.7. If the scan of an AWS account is in progress and I delete the account from SAFE, what will happen?


The ongoing Scan will continue in the background, but the scan results will not be updated in SAFE. Furthermore, if the assets linked to the account were retired while deleting the AWS account, those assets will not get unretired.

6.8. Why do I see the Add Account button as disabled even though I am logged in as an Admin?


Please get in touch with the SAFE Support team to enable the Add Account button.

6.9. What happens if I delete the stack from my AWS account when the Scan is ongoing?


The status of the Scan gets updated to "Failed" on SAFE UI for that account.

