Onboard AWS Accounts

This topic explains how to onboard AWS accounts to ACE.

ASMS Integration Note:

How AWS Onboarding Works

ACE connects to AWS using a secure, role-based access model.

During onboarding, an AWS administrator deploys an AlgoSec-provided CloudFormation template or Terraform configuration. This deployment creates the IAM role and permissions required for ACE to read AWS networking and security configuration.

After the deployment is complete, ACE discovers AWS resources such as:

  • VPCs

  • Subnets

  • Security Groups

  • Route Tables

  • Transit Gateways

  • Network Firewall resources

Depending on the onboarding method you choose, ACE can also automatically synchronize changes made in AWS after onboarding.

ACE uses role-based access to discover and continuously synchronize AWS networking and security resources.

AWS Onboarding Flow (Via Wizard)

  1. Start AWS onboarding in ACE.

  2. Select an onboarding method and deploy. See below Onboarding methods for AWS Accounts.

  3. AWS creates the required IAM role and permissions.

  4. ACE securely accesses AWS configuration data.

  5. AWS resources are imported into ACE.

  6. ACE automatically synchronizes future changes when using CloudFormation or Terraform onboarding.

Who performs AWS onboarding?

AWS onboarding typically requires collaboration between:

  • An AWS administrator, who deploys the CloudFormation template or Terraform configuration in AWS.

  • An ACE administrator, who initiates the onboarding process and verifies the connection.

The deployment creates the IAM role and permissions required for ACE to access AWS configuration data.

Onboarding methods for AWS Accounts

Choose the onboarding method that best fits your AWS environment and operational model.

Some onboarding methods support automatic synchronization, allowing ACE to detect and import changes made in AWS after onboarding.

Onboarding Method Description Automatic synchronization
CloudFormation (recommended) Via the onboarding wizard: Generates and deploys an AWS CloudFormation template. Yes
Terraform Via the onboarding wizard: Uses Terraform to deploy the required AWS permissions and onboarding resources. Yes
REST API (single account) Onboard a single AWS account via API No

Automatic Synchronization

  • CloudFormation and Terraform onboarding support automatic synchronization.

  • ACE automatically discovers and imports changes made in AWS.

  • API onboarding is limited to a single AWS account and does not support automatic synchronization.

Note:

Note: Deleting AWS accounts is not automatically synced. To remove AWS accounts from AlgoSec Cloud Enterprise after deletion in AWS, refer to Offboard AWS accounts from ACE.

Before you start

  1. Make sure you are logged on to AWS Console .

  2. If you want to configure VPC flow logs, see VPC Flow Logs and Enable AWS VPC flow logging.

Onboard AWS accounts

Note: For issues onboarding AWS accounts, see Troubleshoot Onboarding.

Do the following:

Note: If you have licenses for both Cloud Network Security (CNS) and Cloud App Analyzer (CAA) but want to deploy only CNS in AWS, refer to this KB article for the correct CNS-only onboarding steps.

  1. In the ACE Settings area, click Onboarding.

  2. On the Onboarding Management page that opens, click +Onboard Accounts. The Onboard Account Wizard opens.

  3. Click the Amazon Web Services button.

  4. Select CloudFormation and click Next..

    The AWS Onboarding Wizard Access Permissions step opens.

  5. (Optional) Account Properties:

    Note: The download CloudFormation File button on this step is tied to Account Management and is different from the file downloaded at the end of the onboarding wizard.

    If you plan to onboard multiple AWS accounts and you want to display AWS Account names, Organizational Unit and information about suspended accounts in ACE, it's necessary to establish a role within your management account that grants ACE permissions. See Permissions to display account properties.

    1. Click and save to a local folder on your computer. For more details about the file, see Management accounts flow .

    2. Log on to AWS Console on your management account (with administrative permissions) to deploy a CloudFormation stack.

    3. Follow the steps in the AWS documentation .

  6. Specify the details below; they will be included in the file available for download at the end of the onboarding wizard.

    Optional settings Description
    Use the same external ID for all accounts Select to use the same external ID for all accounts
    Retrieve VPC Flow Logs Select to retrieve VPC Flow Logs. For more information, see VPC Flow Logs.
    Enable permissions for policy change

    AlgoSec only needs READ permissions to provide support for your AWS security policy management. This requirement ensures you can still receive complete security analysis and recommendations while granting the minimal level of access.

    Write permissions can optionally be added for advanced policy change capabilities.

  1. Click Next. The Features Permissions step of the wizard opens.

  2. Onboard VM Scanning (optional)

    The VM Scanner feature enables scanning Elastic Block Store (EBS) volumes attached to EC2 instances across multiple regions in an AWS account. ACE Cloud App Analyzer's VM Scanner enhances cloud workload security by providing agentless scanning for AWS EC2 instances that have volumes attached. For more information, see Enable Virtual Machine Security (AWS).

  3. Onboard Kubernetes Scanning (optional)

    Cloud App Analyzer provides agentless discovery and detection of vulnerabilities, compliance, and configuration risks for Kubernetes components. For more information, see Kubernetes Services Risks Management.

Note: During the onboarding process, ACE connects with your AWS StackSets and any subsequent changes made to StackSets in AWS such as addition or removal of Stacks (accounts) are automatically reflected in ACE.

  1. Onboard CD Mitigation (optional)

    The CD Mitigation feature provides threat management for AWS Elastic Container Registry (ECR) by scanning and securing your Continuous Delivery (CD) pipeline, preventing threats from reaching container-based workloads.

    • Select Grant CD mitigation permissions & create related resources to be automatically onboarded.

    • If you choose not to Grant CD mitigation permissions & create related resources in the wizard, you can always onboard manually later.

  1. Click Next. The Deployment step of the wizard opens.

  2. Click Download File. The file is downloaded to your machine. You will use it later in these steps.

  3. Copy the Client ID and Client Secret to also be used later in these steps.

  4. Click Close to close the wizard.

  1. Log in to the AWS Console Home.

  2. In the AWS Console Home, click CloudFormation.

  3. Create single or multiple accounts to sync with ACE.

    Note: You should deploy only one stack or StackSet per AWS account, even if the account spans multiple regions.

    1. Click Stacks.

    2. Click Create Stack and select With new resources (standard).

    3. In the Specify Template section, click Upload a Template File. Click Choose file. Browse and select the CloudFormation Template that you downloaded previously. Then click Next.

    4. In the Specify Stack details section, give the Stack a name and paste the Client ID and Client Secret from the Stack Deployment step of the wizard . Enter your Tenant ID (optional) if you want to add it to the resource name. Then click Next.

      Note: The account name displayed in ACE is initially the AWS account number (ID) of the user who created the Stack (account) in AWS. To edit the account name in ACE, see Edit account details.

    5. On the Configure Stack options screen, click Next.

    6. Review the Stack. Select I acknowledge that AWS CloudFormation might create IAM resources.

    7. Click Submit. It may take several minutes for the Stack to be created and the account to appear in ACE.

    1. Click Stack Sets.

    2. Click Create StackSet.

    3. In the Specify Template section, click Upload a Template File. Click Choose file. Browse and select the CloudFormation Template that you downloaded previously. Then click Next.

    4. In the Specify Stack Set details section, give the Stack Set a name and paste the Client ID and Client Secret from the Stack Deployment step of the wizard. Enter your Tenant ID (optional) if you want to add it to the resource name. Then click Next.

      The Configure Stack Set options screen appears.

    5. On the Configure Stack Set options screen, click Next.

      The Set Deployment Options section appears.

    6. In Set Deployment Options, click Deploy New Stacks

      You can deploy stacks across accounts by targeting either your entire organization or specific accounts using organizational units (OUs) and account filter options.

      Choose either one of the following:

      • Deploy stacks across accounts by targeting your entire organization:

        • Click Deploy to organization

      • Deploy stacks across accounts by targeting specific accounts using organizational units (OUs) and account filter options:

        • Click Deploy to Organizational Units (OUs)

        • Click Add Another OU. Enter an AWS OU ID. Repeat as required.

        • (optional) Select Account Filter Type. For more info, see AWS documentation.

      Note: The account names displayed in ACE are initially set to the AWS account numbers (ID). To edit the account names in ACE, see Edit account details.

    7. In the Specify Regions section, select the region(s) where the stacks will be created and managed.

    8. Set Deployment Options based on the needs and requirements of your system. Then click Next.

    9. Review the StackSet. Select I acknowledge that AWS CloudFormation might create IAM resources.

    10. Click Submit. It may take several minutes for the StackSets to be created and the accounts to appear in ACE.

      Tip: You can check the individual stack instances in CloudFormation>Stack Sets as follows.

      1. Click the created Stack Set.

      2. Click the Stack Instance tab and see which accounts were created and their detailed status.

Note: For issues onboarding AWS accounts, see Troubleshoot Onboarding.

  1. Open Permissions Diagnostics to confirm that the account/subscription/project meets the requirements for the ACE scan types you want to run, and use the remediation links to complete any required setup.

You can use API calls to add a single AWS account to ACE.

Note: Any changes to an account after onboarding are not synced with ACE. To delete one or more manually added accounts, see Onboard AWS Accounts.

Do the following:

  1. adCreate an AWS IAM Role for ACE that includes the required permissions (referenced HERE). For detailed steps on setting up the role, see HERE. After creating the role, copy its ARN roleArn for use in the request.

  2. Define your externalId using the following suggested format: algosec-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

  3. Add AWS AlgoSec Account ID (ALGOSEC_ACCOUNT_ID) to the IAM role Trust relationships with a condition to provide the externalId. Use the ALGOSEC_ACCOUNT_ID based on the region of the AlgoSec environment you are onboarded to as provided HERE.

    For example:

    Copy 
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<ALGOSEC_ACCOUNT_ID>:root"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "algosec-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
                    }
                }
            }
        ]
    }

  4. Manually Add VM permissions (Optional): Add the AWS EC2 scanning IAM permissions to the created IAM role. You can find the permissions under Additional optional permissions.

  5. Manually onboard KSPM (Optional): The permissions for Kubernetes scan should be granted at the level of the Cluster. Follow the For Kubernetes Cluster Scan instructions under Additional optional permissions.

    1. PrevasioImagePushHandlerRole (IAM Role)

      PrevasioImagePushHandlerRoleis an IAM role assumed by thePrevasioImagePushHandlerFunctionLambda, granting it basic execution permissions.

      Do the following:

      1. Open IAM Console.
      2. Go to Roles > Click Create role.
      3. In the Trusted Entity Type field: Choose theAWS service.
      4. In the Use case dropdown: Choose Lambda.
      5. Click Next
      6. Permissions: Attach the policy:AWSLambdaBasicExecutionRole.
      7. Click Next
      8. Enter Role name: PrevasioImagePushHandlerRole.
      9. Click Create role

      10. On the AWS CLI, enter:

        Copy 
        aws iam create-role \
          --role-name PrevasioImagePushHandlerRole \
          --assume-role-policy-document '{
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Principal": {"Service": "lambda.amazonaws.com"},
              "Action": "sts:AssumeRole"
            }]
          }'
         
        aws iam attach-role-policy \
          --role-name PrevasioImagePushHandlerRole \
          --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

    1. PrevasioECRExclusionsRole (IAM Role)

      PrevasioECRExclusionsRoleis an IAM role for thePrevasioECRExclusionsFunctionLambda, granting it basic execution rights and permissions to read and update ECR repository policies.

      Do the following:

      1. Open IAM Console
      2. Go to Roles > Click Create Role.
      3. In the Trusted Entity Type field: Choose theAWS service.
      4. In the Use case dropdown: Choose Lambda.
      5. Click Next.
      6. Permissions: Attach: AWSLambdaBasicExecutionRole.
      7. Click Next.
      8. Enter Role name: PrevasioECRExclusionsRole.
      9. Click Create Role.
      10. Go to the Role Permissions, click Add inline policy.

      11. On the JSON tab, enter:

        Copy 
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "ecr:GetRepositoryPolicy",
                "ecr:SetRepositoryPolicy",
                "ecr:DescribeRepositories"
              ],
              "Resource": "*"
            }
          ]
        }

      12. Click Review policy, name itPrevasioECRExclusionsPolicy, then click Create Policy

      13. On the AWS CLI:

        # 1. Create the custom policy

        Copy 
        aws iam create-policy \
          --policy-name PrevasioECRExclusionsPolicy \
          --policy-document '{
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Action": [
                "ecr:GetRepositoryPolicy",
                "ecr:SetRepositoryPolicy",
                "ecr:DescribeRepositories"
              ],
              "Resource": "*"
            }]
          }'

        # 2. Create the role

        Copy 
        aws iam create-role \
          --role-name PrevasioECRExclusionsRole \
          --assume-role-policy-document '{
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Principal": {"Service": "lambda.amazonaws.com"},
              "Action": "sts:AssumeRole"
            }]
          }'

        # 3. Attach the built-in policy

        Copy 
        aws iam attach-role-policy \
          --role-name PrevasioECRExclusionsRole \
          --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

        # 4. Attach the custom policy (replace <ACCOUNT_ID> with your AWS account ID)

        Copy 
        aws iam attach-role-policy \
          --role-name PrevasioECRExclusionsRole \
          --policy-arn arn:aws:iam::<ACCOUNT_ID>:policy/PrevasioECRExclusionsPolicy

    1. PrevasioECRExclusionsFunction (Lambda Function)

      This Lambda function updates ECR repository policies to add App Analyzer IAM roles from access exclusions.

      Do the following:

      2. Save the code as index.py and zip it as function.zip.

      3. Create a lambda function following the steps in either I or II below:

        1. Open the AWS Lambda Console.

          1. Click Create function

          2. Select the option Author from scratch:

          3. Enter the function Name: PrevasioECRExclusionsFunction <TenantId> (replace <TenantId> as needed)

          4. Select from the Runtime dropdown: Python 3.11

          5. Under Role: select Use existing role and then select PrevasioECRExclusionsRole

          6. After the lambda function creation finishes,go to the Code source of the lambda function, andclick Upload from > .zip file > Upload function.zip

          7. Set Handler to index.handler

          8. Set Memory: 128 MB

          9. Set Timeout: 60 seconds

          10. Under Configuration > Environment variables, add:

            1. Key: algosecRole

            2. Value: The role ARN that you have created in step 1.

          11. For the source code,upload the function.zip you downloaded or created from the above link.

          12. Click Create function

        2. On the AWS CLI, run the following:

          Copy 
          aws lambda create-function \
            --function-name PrevasioECRExclusionsFunction<TenantId> \
            --runtime python3.11 \
            --role arn:aws:iam::<ACCOUNT_ID>:role/PrevasioECRExclusionsRole \
            --handler index.handler \
            --timeout 60 \
            --memory-size 128 \
            --environment Variables={algosecRole=<AlgosecRoleArn>} \
            --zip-file fileb://function.zip

          3. Note: Replace <ACCOUNT_ID>, <TenantId>, <AlgosecRoleArn>, and use the code from the provided link as index.py.

    1. PrevasioImagePushHandlerFunction (Lambda Function)

      This Lambda function is triggered when an image is pushed to a repository, and sends a request to App Analyzer to scan the image.

      Do the following:

      2. Save the code as index.py and zip it as function.zip.

      3. In the downloaded file, replace the following values :

        For the value of the <algosaas_host> and <prevasio_host>, use the url for your region:

      4. Create a lambda function following the steps in either I or II below:

        1. Open the AWS Lambda Console. .

          1. Click Create function.

          2. Select the option: Author from scratch

          3. Enter the function Name:PrevasioImagePushHandlerFunction<TenantId>(replace <TenantId> as needed)

          4. Select from the Runtime dropdown:Python 3.11

          5. Under Role: select Use existing role and then select PrevasioImagePushHandlerRole

          6. After the Lambda function is created, go to Code source, click Upload from > .zip file > Upload function.zip

          7. Set Handler toindex.handler

          8. Set Memory:128 MB

          9. Set Timeout:10 seconds

          10. ClickCreate function

        2. On the AWS CLI, run the following:

          Copy 
          aws lambda create-function \
            --function-name PrevasioImagePushHandlerFunction<TenantId> \
            --runtime python3.11 \
            --role arn:aws:iam::<ACCOUNT_ID>:role/PrevasioImagePushHandlerRole \
            --handler index.handler \
            --timeout 10 \
            --memory-size 128 \
            --zip-file fileb://function.zip

          Note: Replace <ACCOUNT_ID>, <TenantId>, and use the code from the provided link as index.py.

    1. Onboard Access Key Credentials

      1. Log in to the AWS Console Home.
      2. Go to AWS System Manager > Parameter Store, My Parameters tab.

      3. Click Create Parameter and create secure string parameters for the following:

        • /algosec/<algosec_tenant_id>/clientId

        • /algosec/<algosec_tenant_id>/clientSecret

        In the parameter names, use your Tenant ID where shown (<algosec_tenant_id>).

        For the parameter values, get the Client ID and Client Secret by clicking on the Onboarding page.

    1. PrevasioImagePushedEventBridgeRule (EventBridge Rule)

      PrevasioImagePushedEventBridgeRule is an EventBridge rule that listens for successful ECR image push events and triggers the PrevasioImagePushHandlerFunction Lambda function.

      Do the following:

      1. Open Amazon EventBridge Console.

      2. ClickCreate rule.

      3. Enter Rule Name: PrevasioImagePushedEventBridgeRule.

      4. Choose Rule with an event pattern as the Rule type.

      5. In the Event Pattern section, select Custom pattern (JSON editor) and paste:

        Copy 
        {
          "source": ["aws.ecr"],
          "detail-type": ["ECR Image Action"],
          "detail": {
            "result": ["SUCCESS"]
          }
        }

      6. Under Target:

        • Target type:AWS service
        • Function:Select PrevasioImagePushHandlerFunction

      7. Click Next, review, and click Create rule.

      8. On the AWS CLI:

        • Create the rule:

        Copy 
        aws events put-rule \
          --name PrevasioImagePushedEventBridgeRule \
          --event-pattern '{
            "source": ["aws.ecr"],
            "detail-type": ["ECR Image Action"],
            "detail": {"result": ["SUCCESS"]}
          }'
         
        aws events put-targets \
          --rule PrevasioImagePushedEventBridgeRule \
          --targets '[{"Id": "PrevasioImagePushHandlerFunction<TenantId>", "Arn": "<LambdaFunctionArn>"}]'

        • Add the target:

        Copy 
        aws events put-targets \
          --rule PrevasioImagePushedEventBridgeRule \
          --targets '[{"Id": "PrevasioImagePushHandlerFunction<TenantId>", "Arn": "<LambdaFunctionArn>"}]'

      Note: Replace <TenantId> and <LambdaFunctionArn> with your actual values.

    1. PrevasioInvokeImagePushHandlerFunctionPermission (Lambda Permission)

      PrevasioInvokeImagePushHandlerFunctionPermission is a Lambda permission that allows EventBridge to invoke the PrevasioImagePushHandlerFunction when an event (such as an ECR image push) matches a defined rule.

      Do the following:

      1. Open the AWS Lambda Console.

      2. Find the Lambda function:PrevasioImagePushHandlerFunction

      3. Open the function and navigate to theConfiguration tab > Permissions

      4. Under Resource-based policy, clickAdd permissions > Add permissions to Lambda function

      5. Set the following values:

        • Principal: events.amazonaws.com
        • Action: lambda:InvokeFunction
        • Source ARN: Use the ARN of the EventBridge rule that triggers the function

      6. On the AWS CLI:

        Copy 
        aws lambda add-permission \
          --function-name PrevasioImagePushHandlerFunction \
          --action lambda:InvokeFunction \
          --principal events.amazonaws.com \
          --source-arn arn:aws:events:<REGION>:<ACCOUNT_ID>:rule/<RULE_NAME> \
          --statement-id AllowEventBridgeInvoke

      Note: Replace <REGION>, <ACCOUNT_ID>, and <RULE_NAME> with your actual values.

    1. Run PrevasioECRExclusionsFunction

      This step executes the PrevasioECRExclusionsFunction Lambda manually to apply ECR access exclusions.

      Do the following:

      1. Open the AWS Lambda Console.

      2. Search for and open the function: PrevasioECRExclusionsFunction

      3. ClickTest

      4. In the test event dialog:

        1. Enter any name (e.g., TestInvoke)
        2. Input the following JSON payload:
          Copy 
          {"RequestType": "Create"}
        3. Click Save

      5. Click Test again to execute the function

      6. Review logs and output in the Execution resultspanel

      7. On the AWS CLI:

        Copy 
        aws lambda invoke \
          --function-name PrevasioECRExclusionsFunction \
          --payload '{"RequestType": "Create"}' \
          response.json

  7. Onboard the account through the API. For details, refer to the API documentation on adding or editing an AWS account. See Add/edit an AWS account.

  8. Open Permissions Diagnostics to confirm that the account/subscription/project meets the requirements for the ACE scan types you want to run, and use the remediation links to complete any required setup.

You can leverage Terraform, the infrastructure-as-code solution, as another option for onboarding your AWS accounts into ACE.

Prerequisite: Install the Terraform CLI on the machine where you’ll run the commands. For instructions how to do this see Install Terraform .

Do the following:

  1. In the ACE Settings area, click Onboarding.

  2. On the Onboarding Management page that opens, click +Onboard Accounts. The Onboard Account Wizard opens.

  3. Click the Amazon Web Services button.

  4. Select Terraform and click Next.

    The AWS Onboarding Wizard Access Permissions step opens.

  5. (Optional) Account Properties:

    Note: The download Terraform File button on this step is tied to Account Management and is different from the file downloaded at the end of the onboarding wizard.

    If you plan to onboard multiple AWS accounts and you want to display AWS Account names, Organizational Unit and information about suspended accounts in ACE, it's necessary to establish a role within your management account that grants ACE permissions. See Permissions to display account properties.

    1. Click and save to a local folder on your computer.

    2. Log on to AWS Console on your management account (with administrative permissions) to deploy the terraform template.

    3. Upload the Terraform template. (If you are updating an existing terraform template, save the template in the same directory you used to onboard accounts with Terraform, or in the directory that contains your Terraform state file (to learn more about Terraform state, see State).

    4. Run:

      terraform init

    5. Run:

      terraform apply -var="tenant_id=<AlgoSec Tenant ID>"

      The template is applied and AWS resources and permissions are created.

    6. When prompted, enter the Client ID and Client Secret.

      Note: To get these values, click Next in the wizard, then click Next again to go to the Deployment step (Step 4). You can copy the required values from that screen.

  6. Specify the details below; they will be included in the file available for download at the end of the onboarding wizard.

    Optional settings Description
    Use the same external ID for all accounts Select to use the same external ID for all accounts
    Retrieve VPC Flow Logs Select to retrieve VPC Flow Logs. For more information, see VPC Flow Logs.
    Enable permissions for policy change

    AlgoSec only needs READ permissions to provide support for your AWS security policy management. This requirement ensures you can still receive complete security analysis and recommendations while granting the minimal level of access.

    Write permissions can optionally be added for advanced policy change capabilities.

  1. Click Next. The Features Permissions step of the wizard opens.

  2. Onboard VM Scanning (optional)

    The VM Scanner feature enables scanning Elastic Block Store (EBS) volumes attached to EC2 instances across multiple regions in an AWS account. ACE Cloud App Analyzer's VM Scanner enhances cloud workload security by providing agentless scanning for AWS EC2 instances that have volumes attached. For more information, see Enable Virtual Machine Security (AWS).

  3. Onboard Kubernetes Scanning (optional)

    Cloud App Analyzer provides agentless discovery and detection of vulnerabilities, compliance, and configuration risks for Kubernetes components. For more information, see Kubernetes Services Risks Management.

Note: During the onboarding process, ACE connects with your AWS StackSets and any subsequent changes made to StackSets in AWS such as addition or removal of Stacks (accounts) are automatically reflected in ACE.

  1. Onboard CD Mitigation (optional)

    The CD Mitigation feature provides threat management for AWS Elastic Container Registry (ECR) by scanning and securing your Continuous Delivery (CD) pipeline, preventing threats from reaching container-based workloads.

    • Select Grant CD mitigation permissions & create related resources to be automatically onboarded.

    • If you choose not to Grant CD mitigation permissions & create related resources in the wizard, you can always onboard manually later.

  1. Click Next. The Deployment step of the wizard opens.

  2. Click Download File. The file is downloaded to your machine. You will use it later in these steps.

  3. Copy the Client ID and Client Secret to also be used later in these steps.

  4. Click Close to close the wizard.

  1. Run the AWS CLI in AWS CloudShell or from your local machine.

  2. If running from you local machine:

    1. Login to your AWS account.

    2. Set region environment parameter.

  3. Upload the Terraform file to a directory of your choice. (If you are updating an existing terraform template, save the template in the same directory you used to onboard accounts with Terraform, or in the directory that contains your Terraform state file (to learn more about Terraform state, see State).

  4. In that directory, run:

    terraform init

  5. Run one of the following:

    • To apply with a tenant ID: (this associates your tenant ID with all created resources)

      terraform apply -var="tenant_id=<AlgoSec Tenant ID>"

    • To apply without a tenant ID:

      terraform apply

  6. When prompted, enter the Client ID and Client Secret.

  7. When prompted to approve the changes, type Yes and press Enter. Terraform resources and permissions are updated.

  8. Open Permissions Diagnostics to confirm that the account/subscription/project meets the requirements for the ACE scan types you want to run, and use the remediation links to complete any required setup.

Permissions required for AWS roles

See Permissions Required for AWS Accounts.

VPC Flow Logs

Tip: For background about VPC Flow Logs, see these: AWS Article: VPC Flow Logs, AWS Blog: VPC Flow Logs.

By enabling VPC Flow Logs, ACE can retrieve and analyze network traffic data for multiple purposes.

  • For ACE Cloud Network Security, flow logs are used to determine when security group (SG) rules were last exercised. This data is surfaced in the Risk Triggers and Network Policy pages, allowing you to identify stale, over-permissive, or unused rules and confidently clean up your network policies. For more details, see Last used and Clean Up Policies

  • In addition, ACE Cloud App Analyzer uses VPC Flow Logs to observe established traffic patterns between services. This enables ACE to accurately merge microservices based on real communication paths, resulting in more precise application discovery.

Follow the steps in Enable AWS VPC flow logging to get started.

Notes:
(1) Allow up to 24 hours for relevant rule usage information to be displayed when enabling flow logs for the first time and when adding accounts that already had flow logs enabled.

(2) VPC flow logs can be stored on either S3 or CloudWatch. ACE supports collecting flow logs from either option.

(3) ACE supports processing flow logs only when they are stored in the default log format. More details in this AWS article.

(4) If you configure both S3 and CloudWatch as your VPC Flow Logs targets, ACE will collect only from the S3 buckets.

(5) ACE collects only VPC Flow Logs of traffic type “accept”. Make sure that you configure the VPC Flow Logs traffic type to either “Accepted traffic” or “All traffic” (more details in this AWS article)

Enable AWS VPC flow logging

ACE can work with flow logging enabled at the various levels that AWS allows: VPC, Subnet, Network Interfaces.

Do the following:

To provide optimal performance, the following procedure explains how to enable flow logging at the Network Interface level. Repeat it for each Network Interface requiring flow logging.

  1. Enabled Flow Logs in AWS.

    Note for shared VPCs:

    • To support flow logs defined on the VPC level, the AWS owner account must have at least a single Network Interface (NIC) defined on the shared VPC.

    • To support flow logs defined on the Subnet level, the AWS owner account must have at least a single Network Interface (NIC) defined on the shared VPC Subnet.

    These instructions rely on the creation of an S3 (Simple Storage Service) bucket and configuring VPC Flow Logs to store on it. If you want to create cross account flow logs provide additional permissions to your S3 bucket, as explained below.

    Do the following:

    1. Enter your AWS account and open the AWS Management Console.

    2. In the Storage Section, click on S3.
    3. Click the Create Bucket button.
    4. In the dialog that is displayed:
      1. Enter a DNS compliant name for the S3 Bucket.
      2. Verify that the correct region is selected.
      3. Click Next.

      4. Continue clicking Next until you see the Create Bucket button at the bottom right of your screen.

        Note: By clicking Next until now, you have skipped parameters that do not require changes. The S3 Buckets page you just created is displayed.

    5. (Optional) To create cross account flow logs, provide additional permissions to your S3 bucket, see AWS documentation.

    6. Click on your S3 Bucket name.
      On the right, a panel displays the properties of this S3 bucket, permissions and management details. At the top is the Copy Bucket ARN button.

    7. Click the Copy Bucket ARN button.

      The ARN(Amazon Resource Name) is now in your copy buffer. You will use it soon.

      Important: Be sure not to copy anything else into your copy buffer until you are asked to paste this into a field in one of the last steps of this procedure.

    8. From the main AWS page, in the Compute section, click EC2.
    9. On the EC2 dashboard that is displayed, in the left panel Network and Security section, click on Network Interfaces.
      A list of Network Interfaces is displayed.
    10. Select a network interface on which you wish to enable flow logging.
    11. Under the network interface list, click the Flow Logs tab.
    12. Click the Create flow log button.
    13. In the Create flow log page that is displayed:
      1. Select Accept from the Filter dropdown list to indicate that only Accepted Traffic should be collected.
      2. For the Maximum aggregation interval select 10 minutes.
      3. For Destination, select Send to S3 Bucket.
      4. In the ARN field, paste the ARN that you copied in Step #7, above. It should still be in your copy buffer.
      5. Click Create at the bottom of the page.
    14. Optional: View your new flow log:
      1. Go to the Network Interfaces list
      2. Select the Network Interface for which you created the Flow Log.
      3. Click Flow Logs tab under the Network Interface List.
      4. In the Destination Tabs column, click the name of your S3 Bucket.

      You must configure both of the elements below to store VPC Flow Logs in CloudWatch. See this AWS article for more details.

      1. Configure this role trust relationship:

        {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

      2. Configure the following role permissions:

        {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

        Note: For info about required permissions see Permissions Required for AWS Accounts.

    Modify the following parameters as needed:

    Parameter Description

    TRAFFIC_LOG_FREQUENCY_PERIOD_MINUTES

    Determines the frequency, in minutes, at which ACE collects traffic logs from AWS SGs.

    Value: Integer

    Default: 60
    ENABLE_TRAFFIC_LOGS

    Determines whether traffic log collection is enabled for AWS SGs.

    Disabling this parameter will cause ACE to display Flow logs disabled in the Last used column on the risk trigger details pages, even when flow logging is enabled in the AWS SG itself.

    Value: Boolean

    Default: Enabled
    INACTIVE_RULE_PERIOD

    Determines the number of days counting back from current day for which ACE checks flow logs for unused rules.

    Range = 1 to 365 days

    Default = 30

    If flow logs were enabled, available and collected byACE for the entire period, SG Rules that did not have a single hit during the period are by definition unused rules.

    In the Last used column, unused rules are marked as No traffic logged.

    For details, see Last used.

    Note: This parameter can also be configured in the Network Policies web interface, when selecting the “Unused rules” cleanup view.

    To modify any of these parameters, contact AlgoSec support.

Update details of onboarded AWS accounts

You can update the details for AWS resources already onboarded to ACE. This is helpful if you need to add or remove write permissions.

Do the following:

Note: If you have licenses for both Cloud Network Security (CNS) and Cloud App Analyzer (CAA) but want to deploy only CNS in AWS, refer to this KB article for the correct CNS-only onboarding steps.

  1. In the ACE Settings area, click Onboarding.

  2. On the Onboarding Management page that opens, click +Onboard Accounts. The Onboard Account Wizard opens.

  3. Click the Amazon Web Services button.

  4. Select CloudFormation and click Next..

    The AWS Onboarding Wizard Access Permissions step opens.

  5. (Optional) Account Properties:

    Note: The download CloudFormation File button on this step is tied to Account Management and is different from the file downloaded at the end of the onboarding wizard.

    If you plan to onboard multiple AWS accounts and you want to display AWS Account names, Organizational Unit and information about suspended accounts in ACE, it's necessary to establish a role within your management account that grants ACE permissions. See Permissions to display account properties.

    1. Click and save to a local folder on your computer. For more details about the file, see Management accounts flow .

    2. Log on to AWS Console on your management account (with administrative permissions) to deploy a CloudFormation stack.

    3. Follow the steps in the AWS documentation .

  6. Specify the details below; they will be included in the file available for download at the end of the onboarding wizard.

    Optional settings Description
    Use the same external ID for all accounts Select to use the same external ID for all accounts
    Retrieve VPC Flow Logs Select to retrieve VPC Flow Logs. For more information, see VPC Flow Logs.
    Enable permissions for policy change

    AlgoSec only needs READ permissions to provide support for your AWS security policy management. This requirement ensures you can still receive complete security analysis and recommendations while granting the minimal level of access.

    Write permissions can optionally be added for advanced policy change capabilities.

  1. Click Next. The Features Permissions step of the wizard opens.

  2. Onboard VM Scanning (optional)

    The VM Scanner feature enables scanning Elastic Block Store (EBS) volumes attached to EC2 instances across multiple regions in an AWS account. ACE Cloud App Analyzer's VM Scanner enhances cloud workload security by providing agentless scanning for AWS EC2 instances that have volumes attached. For more information, see Enable Virtual Machine Security (AWS).

  3. Onboard Kubernetes Scanning (optional)

    Cloud App Analyzer provides agentless discovery and detection of vulnerabilities, compliance, and configuration risks for Kubernetes components. For more information, see Kubernetes Services Risks Management.

Note: During the onboarding process, ACE connects with your AWS StackSets and any subsequent changes made to StackSets in AWS such as addition or removal of Stacks (accounts) are automatically reflected in ACE.

  1. Onboard CD Mitigation (optional)

    The CD Mitigation feature provides threat management for AWS Elastic Container Registry (ECR) by scanning and securing your Continuous Delivery (CD) pipeline, preventing threats from reaching container-based workloads.

    • Select Grant CD mitigation permissions & create related resources to be automatically onboarded.

    • If you choose not to Grant CD mitigation permissions & create related resources in the wizard, you can always onboard manually later.

  1. Click Next. The Deployment step of the wizard opens.

  2. Click Download File. The file is downloaded to your machine. You will use it later in these steps.

  3. Copy the Client ID and Client Secret to also be used later in these steps.

  4. Click Close to close the wizard.

  1. Log in to the AWS Console Home.

  2. In the AWS Console Home, click CloudFormation.

  3. Update single or multiple accounts.

    Note: You should deploy only one stack or StackSet per AWS account, even if the account spans multiple regions.

    1. Click Stacks.

    2. Click Create Stack and select With new resources (standard).

    3. In the Specify Template section, click Upload a Template File. Click Choose file. Browse and select the CloudFormation Template that you downloaded previously. Then click Next.

    4. In the Specify Stack details section, give the Stack a name and paste the Client ID and Client Secret from the Stack Deployment step of the wizard . Enter your Tenant ID (optional) if you want to add it to the resource name. Then click Next.

      Note: The account name displayed in ACE is initially the AWS account number (ID) of the user who created the Stack (account) in AWS. To edit the account name in ACE, see Edit account details.

    5. On the Configure Stack options screen, click Next.

    6. Review the Stack. Select I acknowledge that AWS CloudFormation might create IAM resources.

    7. Click Submit. It may take several minutes for the Stack to be created and the account to appear in ACE.

    1. Click Stack Sets.

    2. Click Create StackSet.

    3. In the Specify Template section, click Upload a Template File. Click Choose file. Browse and select the CloudFormation Template that you downloaded previously. Then click Next.

    4. In the Specify Stack Set details section, give the Stack Set a name and paste the Client ID and Client Secret from the Stack Deployment step of the wizard. Enter your Tenant ID (optional) if you want to add it to the resource name. Then click Next.

      The Configure Stack Set options screen appears.

    5. On the Configure Stack Set options screen, click Next.

      The Set Deployment Options section appears.

    6. In Set Deployment Options, click Deploy New Stacks

      You can deploy stacks across accounts by targeting either your entire organization or specific accounts using organizational units (OUs) and account filter options.

      Choose either one of the following:

      • Deploy stacks across accounts by targeting your entire organization:

        • Click Deploy to organization

      • Deploy stacks across accounts by targeting specific accounts using organizational units (OUs) and account filter options:

        • Click Deploy to Organizational Units (OUs)

        • Click Add Another OU. Enter an AWS OU ID. Repeat as required.

        • (optional) Select Account Filter Type. For more info, see AWS documentation.

      Note: The account names displayed in ACE are initially set to the AWS account numbers (ID). To edit the account names in ACE, see Edit account details.

    7. In the Specify Regions section, select the region(s) where the stacks will be created and managed.

    8. Set Deployment Options based on the needs and requirements of your system. Then click Next.

    9. Review the StackSet. Select I acknowledge that AWS CloudFormation might create IAM resources.

    10. Click Submit. It may take several minutes for the StackSets to be created and the accounts to appear in ACE.

      Tip: You can check the individual stack instances in CloudFormation>Stack Sets as follows.

      1. Click the created Stack Set.

      2. Click the Stack Instance tab and see which accounts were created and their detailed status.

Note: For issues onboarding AWS accounts, see Troubleshoot Onboarding.

  1. Open Permissions Diagnostics to confirm that the account/subscription/project meets the requirements for the ACE scan types you want to run, and use the remediation links to complete any required setup.

Do the following:

  1. adCreate an AWS IAM Role for ACE that includes the required permissions (referenced HERE). For detailed steps on setting up the role, see HERE. After creating the role, copy its ARN roleArn for use in the request.

  2. Define your externalId using the following suggested format: algosec-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

  3. Add AWS AlgoSec Account ID (ALGOSEC_ACCOUNT_ID) to the IAM role Trust relationships with a condition to provide the externalId. Use the ALGOSEC_ACCOUNT_ID based on the region of the AlgoSec environment you are onboarded to as provided HERE.

    For example:

    Copy 
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<ALGOSEC_ACCOUNT_ID>:root"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "algosec-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
                    }
                }
            }
        ]
    }

  4. Manually Add VM permissions (Optional): Add the AWS EC2 scanning IAM permissions to the created IAM role. You can find the permissions under Additional optional permissions.

  5. Manually onboard KSPM (Optional): The permissions for Kubernetes scan should be granted at the level of the Cluster. Follow the For Kubernetes Cluster Scan instructions under Additional optional permissions.

    1. PrevasioImagePushHandlerRole (IAM Role)

      PrevasioImagePushHandlerRoleis an IAM role assumed by thePrevasioImagePushHandlerFunctionLambda, granting it basic execution permissions.

      Do the following:

      1. Open IAM Console.
      2. Go to Roles > Click Create role.
      3. In the Trusted Entity Type field: Choose theAWS service.
      4. In the Use case dropdown: Choose Lambda.
      5. Click Next
      6. Permissions: Attach the policy:AWSLambdaBasicExecutionRole.
      7. Click Next
      8. Enter Role name: PrevasioImagePushHandlerRole.
      9. Click Create role

      10. On the AWS CLI, enter:

        Copy 
        aws iam create-role \
          --role-name PrevasioImagePushHandlerRole \
          --assume-role-policy-document '{
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Principal": {"Service": "lambda.amazonaws.com"},
              "Action": "sts:AssumeRole"
            }]
          }'
         
        aws iam attach-role-policy \
          --role-name PrevasioImagePushHandlerRole \
          --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

    1. PrevasioECRExclusionsRole (IAM Role)

      PrevasioECRExclusionsRoleis an IAM role for thePrevasioECRExclusionsFunctionLambda, granting it basic execution rights and permissions to read and update ECR repository policies.

      Do the following:

      1. Open IAM Console
      2. Go to Roles > Click Create Role.
      3. In the Trusted Entity Type field: Choose theAWS service.
      4. In the Use case dropdown: Choose Lambda.
      5. Click Next.
      6. Permissions: Attach: AWSLambdaBasicExecutionRole.
      7. Click Next.
      8. Enter Role name: PrevasioECRExclusionsRole.
      9. Click Create Role.
      10. Go to the Role Permissions, click Add inline policy.

      11. On the JSON tab, enter:

        Copy 
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "ecr:GetRepositoryPolicy",
                "ecr:SetRepositoryPolicy",
                "ecr:DescribeRepositories"
              ],
              "Resource": "*"
            }
          ]
        }

      12. Click Review policy, name itPrevasioECRExclusionsPolicy, then click Create Policy

      13. On the AWS CLI:

        # 1. Create the custom policy

        Copy 
        aws iam create-policy \
          --policy-name PrevasioECRExclusionsPolicy \
          --policy-document '{
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Action": [
                "ecr:GetRepositoryPolicy",
                "ecr:SetRepositoryPolicy",
                "ecr:DescribeRepositories"
              ],
              "Resource": "*"
            }]
          }'

        # 2. Create the role

        Copy 
        aws iam create-role \
          --role-name PrevasioECRExclusionsRole \
          --assume-role-policy-document '{
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Principal": {"Service": "lambda.amazonaws.com"},
              "Action": "sts:AssumeRole"
            }]
          }'

        # 3. Attach the built-in policy

        Copy 
        aws iam attach-role-policy \
          --role-name PrevasioECRExclusionsRole \
          --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

        # 4. Attach the custom policy (replace <ACCOUNT_ID> with your AWS account ID)

        Copy 
        aws iam attach-role-policy \
          --role-name PrevasioECRExclusionsRole \
          --policy-arn arn:aws:iam::<ACCOUNT_ID>:policy/PrevasioECRExclusionsPolicy

    1. PrevasioECRExclusionsFunction (Lambda Function)

      This Lambda function updates ECR repository policies to add App Analyzer IAM roles from access exclusions.

      Do the following:

      2. Save the code as index.py and zip it as function.zip.

      3. Create a lambda function following the steps in either I or II below:

        1. Open the AWS Lambda Console.

          1. Click Create function

          2. Select the option Author from scratch:

          3. Enter the function Name: PrevasioECRExclusionsFunction <TenantId> (replace <TenantId> as needed)

          4. Select from the Runtime dropdown: Python 3.11

          5. Under Role: select Use existing role and then select PrevasioECRExclusionsRole

          6. After the lambda function creation finishes,go to the Code source of the lambda function, andclick Upload from > .zip file > Upload function.zip

          7. Set Handler to index.handler

          8. Set Memory: 128 MB

          9. Set Timeout: 60 seconds

          10. Under Configuration > Environment variables, add:

            1. Key: algosecRole

            2. Value: The role ARN that you have created in step 1.

          11. For the source code,upload the function.zip you downloaded or created from the above link.

          12. Click Create function

        2. On the AWS CLI, run the following:

          Copy 
          aws lambda create-function \
            --function-name PrevasioECRExclusionsFunction<TenantId> \
            --runtime python3.11 \
            --role arn:aws:iam::<ACCOUNT_ID>:role/PrevasioECRExclusionsRole \
            --handler index.handler \
            --timeout 60 \
            --memory-size 128 \
            --environment Variables={algosecRole=<AlgosecRoleArn>} \
            --zip-file fileb://function.zip

          3. Note: Replace <ACCOUNT_ID>, <TenantId>, <AlgosecRoleArn>, and use the code from the provided link as index.py.

    1. PrevasioImagePushHandlerFunction (Lambda Function)

      This Lambda function is triggered when an image is pushed to a repository, and sends a request to App Analyzer to scan the image.

      Do the following:

      2. Save the code as index.py and zip it as function.zip.

      3. In the downloaded file, replace the following values :

        For the value of the <algosaas_host> and <prevasio_host>, use the url for your region:

      4. Create a lambda function following the steps in either I or II below:

        1. Open the AWS Lambda Console. .

          1. Click Create function.

          2. Select the option: Author from scratch

          3. Enter the function Name:PrevasioImagePushHandlerFunction<TenantId>(replace <TenantId> as needed)

          4. Select from the Runtime dropdown:Python 3.11

          5. Under Role: select Use existing role and then select PrevasioImagePushHandlerRole

          6. After the Lambda function is created, go to Code source, click Upload from > .zip file > Upload function.zip

          7. Set Handler toindex.handler

          8. Set Memory:128 MB

          9. Set Timeout:10 seconds

          10. ClickCreate function

        2. On the AWS CLI, run the following:

          Copy 
          aws lambda create-function \
            --function-name PrevasioImagePushHandlerFunction<TenantId> \
            --runtime python3.11 \
            --role arn:aws:iam::<ACCOUNT_ID>:role/PrevasioImagePushHandlerRole \
            --handler index.handler \
            --timeout 10 \
            --memory-size 128 \
            --zip-file fileb://function.zip

          Note: Replace <ACCOUNT_ID>, <TenantId>, and use the code from the provided link as index.py.

    1. Onboard Access Key Credentials

      1. Log in to the AWS Console Home.
      2. Go to AWS System Manager > Parameter Store, My Parameters tab.

      3. Click Create Parameter and create secure string parameters for the following:

        • /algosec/<algosec_tenant_id>/clientId

        • /algosec/<algosec_tenant_id>/clientSecret

        In the parameter names, use your Tenant ID where shown (<algosec_tenant_id>).

        For the parameter values, get the Client ID and Client Secret by clicking on the Onboarding page.

    1. PrevasioImagePushedEventBridgeRule (EventBridge Rule)

      PrevasioImagePushedEventBridgeRule is an EventBridge rule that listens for successful ECR image push events and triggers the PrevasioImagePushHandlerFunction Lambda function.

      Do the following:

      1. Open Amazon EventBridge Console.

      2. ClickCreate rule.

      3. Enter Rule Name: PrevasioImagePushedEventBridgeRule.

      4. Choose Rule with an event pattern as the Rule type.

      5. In the Event Pattern section, select Custom pattern (JSON editor) and paste:

        Copy 
        {
          "source": ["aws.ecr"],
          "detail-type": ["ECR Image Action"],
          "detail": {
            "result": ["SUCCESS"]
          }
        }

      6. Under Target:

        • Target type:AWS service
        • Function:Select PrevasioImagePushHandlerFunction

      7. Click Next, review, and click Create rule.

      8. On the AWS CLI:

        • Create the rule:

        Copy 
        aws events put-rule \
          --name PrevasioImagePushedEventBridgeRule \
          --event-pattern '{
            "source": ["aws.ecr"],
            "detail-type": ["ECR Image Action"],
            "detail": {"result": ["SUCCESS"]}
          }'
         
        aws events put-targets \
          --rule PrevasioImagePushedEventBridgeRule \
          --targets '[{"Id": "PrevasioImagePushHandlerFunction<TenantId>", "Arn": "<LambdaFunctionArn>"}]'

        • Add the target:

        Copy 
        aws events put-targets \
          --rule PrevasioImagePushedEventBridgeRule \
          --targets '[{"Id": "PrevasioImagePushHandlerFunction<TenantId>", "Arn": "<LambdaFunctionArn>"}]'

      Note: Replace <TenantId> and <LambdaFunctionArn> with your actual values.

    1. PrevasioInvokeImagePushHandlerFunctionPermission (Lambda Permission)

      PrevasioInvokeImagePushHandlerFunctionPermission is a Lambda permission that allows EventBridge to invoke the PrevasioImagePushHandlerFunction when an event (such as an ECR image push) matches a defined rule.

      Do the following:

      1. Open the AWS Lambda Console.

      2. Find the Lambda function:PrevasioImagePushHandlerFunction

      3. Open the function and navigate to theConfiguration tab > Permissions

      4. Under Resource-based policy, clickAdd permissions > Add permissions to Lambda function

      5. Set the following values:

        • Principal: events.amazonaws.com
        • Action: lambda:InvokeFunction
        • Source ARN: Use the ARN of the EventBridge rule that triggers the function

      6. On the AWS CLI:

        Copy 
        aws lambda add-permission \
          --function-name PrevasioImagePushHandlerFunction \
          --action lambda:InvokeFunction \
          --principal events.amazonaws.com \
          --source-arn arn:aws:events:<REGION>:<ACCOUNT_ID>:rule/<RULE_NAME> \
          --statement-id AllowEventBridgeInvoke

      Note: Replace <REGION>, <ACCOUNT_ID>, and <RULE_NAME> with your actual values.

    1. Run PrevasioECRExclusionsFunction

      This step executes the PrevasioECRExclusionsFunction Lambda manually to apply ECR access exclusions.

      Do the following:

      1. Open the AWS Lambda Console.

      2. Search for and open the function: PrevasioECRExclusionsFunction

      3. ClickTest

      4. In the test event dialog:

        1. Enter any name (e.g., TestInvoke)
        2. Input the following JSON payload:
          Copy 
          {"RequestType": "Create"}
        3. Click Save

      5. Click Test again to execute the function

      6. Review logs and output in the Execution resultspanel

      7. On the AWS CLI:

        Copy 
        aws lambda invoke \
          --function-name PrevasioECRExclusionsFunction \
          --payload '{"RequestType": "Create"}' \
          response.json

  7. Onboard the account through the API. For details, refer to the API documentation on adding or editing an AWS account. See Add/edit an AWS account.

  8. Open Permissions Diagnostics to confirm that the account/subscription/project meets the requirements for the ACE scan types you want to run, and use the remediation links to complete any required setup.

Do the following:

  1. In the ACE Settings area, click Onboarding.

  2. On the Onboarding Management page that opens, click +Onboard Accounts. The Onboard Account Wizard opens.

  3. Click the Amazon Web Services button.

  4. Select Terraform and click Next.

    The AWS Onboarding Wizard Access Permissions step opens.

  5. (Optional) Account Properties:

    Note: The download Terraform File button on this step is tied to Account Management and is different from the file downloaded at the end of the onboarding wizard.

    If you plan to onboard multiple AWS accounts and you want to display AWS Account names, Organizational Unit and information about suspended accounts in ACE, it's necessary to establish a role within your management account that grants ACE permissions. See Permissions to display account properties.

    1. Click and save to a local folder on your computer.

    2. Log on to AWS Console on your management account (with administrative permissions) to deploy the terraform template.

    3. Upload the Terraform template. (If you are updating an existing terraform template, save the template in the same directory you used to onboard accounts with Terraform, or in the directory that contains your Terraform state file (to learn more about Terraform state, see State).

    4. Run:

      terraform init

    5. Run:

      terraform apply -var="tenant_id=<AlgoSec Tenant ID>"

      The template is applied and AWS resources and permissions are created.

    6. When prompted, enter the Client ID and Client Secret.

      Note: To get these values, click Next in the wizard, then click Next again to go to the Deployment step (Step 4). You can copy the required values from that screen.

  6. Specify the details below; they will be included in the file available for download at the end of the onboarding wizard.

    Optional settings Description
    Use the same external ID for all accounts Select to use the same external ID for all accounts
    Retrieve VPC Flow Logs Select to retrieve VPC Flow Logs. For more information, see VPC Flow Logs.
    Enable permissions for policy change

    AlgoSec only needs READ permissions to provide support for your AWS security policy management. This requirement ensures you can still receive complete security analysis and recommendations while granting the minimal level of access.

    Write permissions can optionally be added for advanced policy change capabilities.

  1. Click Next. The Features Permissions step of the wizard opens.

  2. Onboard VM Scanning (optional)

    The VM Scanner feature enables scanning Elastic Block Store (EBS) volumes attached to EC2 instances across multiple regions in an AWS account. ACE Cloud App Analyzer's VM Scanner enhances cloud workload security by providing agentless scanning for AWS EC2 instances that have volumes attached. For more information, see Enable Virtual Machine Security (AWS).

  3. Onboard Kubernetes Scanning (optional)

    Cloud App Analyzer provides agentless discovery and detection of vulnerabilities, compliance, and configuration risks for Kubernetes components. For more information, see Kubernetes Services Risks Management.

Note: During the onboarding process, ACE connects with your AWS StackSets and any subsequent changes made to StackSets in AWS such as addition or removal of Stacks (accounts) are automatically reflected in ACE.

  1. Onboard CD Mitigation (optional)

    The CD Mitigation feature provides threat management for AWS Elastic Container Registry (ECR) by scanning and securing your Continuous Delivery (CD) pipeline, preventing threats from reaching container-based workloads.

    • Select Grant CD mitigation permissions & create related resources to be automatically onboarded.

    • If you choose not to Grant CD mitigation permissions & create related resources in the wizard, you can always onboard manually later.

  1. Click Next. The Deployment step of the wizard opens.

  2. Click Download File. The file is downloaded to your machine. You will use it later in these steps.

  3. Copy the Client ID and Client Secret to also be used later in these steps.

  4. Click Close to close the wizard.

  1. Run the AWS CLI in AWS CloudShell or from your local machine.

  2. If running from you local machine:

    1. Login to your AWS account.

    2. Set region environment parameter.

  3. Upload the Terraform file to a directory of your choice. (If you are updating an existing terraform template, save the template in the same directory you used to onboard accounts with Terraform, or in the directory that contains your Terraform state file (to learn more about Terraform state, see State).

  4. In that directory, run:

    terraform init

  5. Run one of the following:

    • To apply with a tenant ID: (this associates your tenant ID with all created resources)

      terraform apply -var="tenant_id=<AlgoSec Tenant ID>"

    • To apply without a tenant ID:

      terraform apply

  6. When prompted, enter the Client ID and Client Secret.

  7. When prompted to approve the changes, type Yes and press Enter. Terraform resources and permissions are updated.

  8. Open Permissions Diagnostics to confirm that the account/subscription/project meets the requirements for the ACE scan types you want to run, and use the remediation links to complete any required setup.

 

â See also: