AWS Onboarding Process For CloudShield.AI

Modified on Tue, 8 Apr at 12:11 AM

PERMISSIONS REQUIRED FROM CLIENTS

1. For Detection: Read-only

Permissions Granted to CloudDefense.AI:

  • arn:aws:iam::aws:policy/AWSSSODirectoryReadOnly

  • arn:aws:iam::aws:policy/SecurityAudit

  • macie2:ListClassificationJobs

  • waf:ListRuleGroups

  • lambda:GetFunction

  • wafv2:GetLoggingConfiguration

  • backup:ListProtectedResources

  • lambda:GetFunctionUrlConfig

  • codebuild:ListSourceCredentials

  • kms:List*

  • kms:Get*

  • kms:Describe*

  • elasticfilesystem:DescribeAccessPoints

  • backup:GetBackupVaultNotifications

  • logs:ListTagsForResource

  • backup:GetBackupSelection

  • s3:Get*

  • s3:List*

  • s3:Describe*

  • backup:ListBackupPlans

  • acm:GetCertificate

  • ssm:ListTagsForResource

  • ssm:GetParameter

  • backup:ListBackupSelections

  • waf:ListRules

  • backup:ListRecoveryPointsByBackupVault

  • cloudtrail:GetInsightSelectors


Permissions Given to Assume Role for CDRemediation Lambda Function:

  • lambda:InvokeFunction

  • lambda:UpdateFunctionCode

Permissions Granted to Lambda Function (created in Customer Env):

  • logs:*

  • sts:AssumeRole

  • ecr:GetDownloadUrlForLayer

  • ecr:BatchGetImage

  • ecr:BatchCheckLayerAvailability

  • arn:aws:iam::aws:policy/ReadOnlyAccess

2. For Detection and Enforcement:

Permissions Granted to CloudDefense.AI:

  • arn:aws:iam::aws:policy/AWSSSODirectoryReadOnly

  • arn:aws:iam::aws:policy/SecurityAudit

  • macie2:ListClassificationJobs

  • waf:ListRuleGroups

  • lambda:GetFunction

  • wafv2:GetLoggingConfiguration

  • backup:ListProtectedResources

  • lambda:GetFunctionUrlConfig

  • codebuild:ListSourceCredentials

  • kms:List*

  • kms:Get*

  • kms:Describe*

  • elasticfilesystem:DescribeAccessPoints

  • backup:GetBackupVaultNotifications

  • logs:ListTagsForResource

  • backup:GetBackupSelection

  • s3:Get*

  • s3:List*

  • s3:Describe*

  • backup:ListBackupPlans

  • acm:GetCertificate

  • ssm:ListTagsForResource

  • ssm:GetParameter

  • backup:ListBackupSelections

  • waf:ListRules

  • backup:ListRecoveryPointsByBackupVault

  • cloudtrail:GetInsightSelectors

Permissions Given to Assume Role for CDRemediation Lambda Function:

  • lambda:InvokeFunction

  • lambda:UpdateFunctionCode

Permissions Granted to Lambda Function (created in Customer Env):

  • logs:*

  • sts:AssumeRole

  • ecr:GetDownloadUrlForLayer

  • ecr:BatchGetImage

  • ecr:BatchCheckLayerAvailability

  • arn:aws:iam::aws:policy/AdministratorAccess


STEPS TO ONBOARD AWS ACCOUNT

STEP 1: LOG IN AND CONNECT AWS ACCOUNT

Log in to the Cloud Security portal using your credentials:
https://acs-us.clouddefenseai.com/

After logging in, open the sidebar menu and go to "Management" -> "Onboard Accounts" -> "Add New Account".

Click on "AWS"

  • Choose your preferred account option (Single AWS or Multiple AWS)

  • Click “Next”

  • Link to an AWS account and Verify


STEP 2: BASIC INFORMATION


Start by giving the account a name. Any name will do; the label helps you identify the account later. Examples of labels are: US PROD, Dev server, etc.




STEP 3: BUSINESS UNIT

Choose a Business Unit from the dropdown list or create a new business unit.




STEP 4: ATTACH THE REQUIRED POLICIES

This is where you decide which policies to grant. You will see three options:

  1. Detection (Read-Only)

  2. Detection and Enforcement in network

  3. Detection and Enforcement: Administrator Access

STEP 5: CHOOSE REGIONS

Only the regions you choose here will be scanned. You can choose specific regions or all regions, and the selection can be changed later.



STEP 6: FINAL STEP

Review the details of the generated CloudFormation policy by clicking the hyperlink on this page.


  • Click the “Create Cloud Formation Template” button.


On the AWS screen, follow these steps to finish adding the CloudFormation policy:

  • Click the check box “I acknowledge that AWS CloudFormation might create IAM resources with custom names.” (Refer to image below)

  • Click the “Create Stack” button. (Refer to image below)
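Before creating the stack, it is worth confirming that the role in the generated template grants no more than the read-only permission set documented above. The Python below is an added example, not CloudDefense.AI's own tooling: `covered`, `audit_role` and the sample role resource are constructed for illustration, and the check assumes the template is available as parsed JSON.

```python
import fnmatch
import json

# Inline actions of the documented read-only set (managed policies are checked by ARN below).
DOCUMENTED_ACTIONS = {
    "macie2:ListClassificationJobs", "waf:ListRuleGroups", "waf:ListRules",
    "lambda:GetFunction", "lambda:GetFunctionUrlConfig", "acm:GetCertificate",
    "wafv2:GetLoggingConfiguration", "codebuild:ListSourceCredentials",
    "kms:List*", "kms:Get*", "kms:Describe*", "s3:Get*", "s3:List*", "s3:Describe*",
    "elasticfilesystem:DescribeAccessPoints", "logs:ListTagsForResource",
    "backup:ListProtectedResources", "backup:GetBackupVaultNotifications",
    "backup:GetBackupSelection", "backup:ListBackupPlans", "ssm:GetParameter",
    "backup:ListBackupSelections", "backup:ListRecoveryPointsByBackupVault",
    "ssm:ListTagsForResource", "cloudtrail:GetInsightSelectors",
}
DOCUMENTED_MANAGED = {"arn:aws:iam::aws:policy/AWSSSODirectoryReadOnly",
                      "arn:aws:iam::aws:policy/SecurityAudit"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def covered(action):
    """True if a documented pattern allows `action`; IAM matches actions case-insensitively."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in DOCUMENTED_ACTIONS)

def audit_role(role):
    """Return (undocumented Allow actions, undocumented managed policy ARNs)
    for one parsed AWS::IAM::Role resource taken from a CloudFormation template."""
    props = role.get("Properties", {})
    extra = set()
    for pol in props.get("Policies", []):
        for stmt in _as_list(pol["PolicyDocument"]["Statement"]):
            if stmt.get("Effect") != "Allow":
                continue  # Deny statements never widen access
            # A pattern broader than the documented one (kms:*, *) is not matched by it, so it is flagged
            extra.update(a for a in _as_list(stmt.get("Action", [])) if not covered(a))
    extra_managed = set(props.get("ManagedPolicyArns", [])) - DOCUMENTED_MANAGED
    return sorted(extra), sorted(extra_managed)

# Constructed sample role (not from a real template): two inline actions and one managed policy exceed the set.
SAMPLE_ROLE = json.loads("""{"Type": "AWS::IAM::Role", "Properties": {
  "ManagedPolicyArns": ["arn:aws:iam::aws:policy/SecurityAudit",
                        "arn:aws:iam::aws:policy/AdministratorAccess"],
  "Policies": [{"PolicyName": "inline", "PolicyDocument": {"Version": "2012-10-17",
    "Statement": [
      {"Effect": "Allow", "Resource": "*",
       "Action": ["s3:GetObject", "kms:ListKeys", "ec2:TerminateInstances"]},
      {"Effect": "Allow", "Action": "kms:*", "Resource": "*"},
      {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}}]}}""")
```

Running `audit_role(SAMPLE_ROLE)` reports `ec2:TerminateInstances`, the over-broad `kms:*`, and the AdministratorAccess managed policy; an empty result means the role stays within the documented read-only set.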


RESOURCE SET CREATED IN CLIENT CLOUD

  1. AWS CloudFormation Stack: CloudDefenseAccountIntegrationStack

  2. Custom Resource: CdefenseMotherShipCallback

  3. IAM Role: CloudDefenseCloudShieldIAMRole

  4. IAM Role: CloudPolicyHandlerLambdaRole

  5. IAM Role: EventBridgeIAMRole

  6. IAM Role: CloudShieldLambdaExecutionRole

  7. Lambda Function: CloudPolicyHandlerLambdaFunction

  8. Lambda Function: CloudShieldLambdaFunction

  9. Lambda Permission: CloudPolicyHandlerLambdaCodeUpdatePermission

  10. Lambda Permission: PermissionForEventsToInvokeCloudShieldLambda

  11. Lambda Permission: CloudPolicyHandlerLambdaInvokePermission

  12. EventBridge Rule: CloudShieldEventBridgeRule

  13. S3 Bucket Policy: CloudTrailBucketPolicy

  14. S3 Bucket: CloudTrailLogBucket

  15. CloudTrail Trail: CloudTrailTrail
