Onboard AWS Accounts

This topic explains how to onboard AWS accounts to ACE.

Note: Seamless AWS Account Onboarding to ASMS from ACE:

  • For ASMS A33.00: An early availability feature in ASMS A33.00 is the ability to onboard AWS accounts to both ACE and ASMS simultaneously. This capability streamlines your onboarding process. Once accounts are added to ACE, they are automatically onboarded to ASMS. For more details, refer to our ASMS tech docs Onboard AWS accounts to both AlgoSec Cloud and ASMS simultaneously.

  • For ASMS A33.10+: When ACE is connected to ASMS, when AWS accounts are added to ACE Cloud Network Security, they are automatically onboarded to ASMS. For more details, refer to our ASMS tech docs Simultaneously Onboard AWS Accounts into ACE and ASMS.

You can choose from three methods to add new AWS accounts. The first involves using scripts, while the others do not. The onboarding method you select also determines whether changes made to account resources after onboarding are automatically synced from AWS to your environment.

Note: Depending on which onboarding method you choose, changes to onboarded account resources may be automatically synced every hour.

Onboarding methods for AWS Accounts

You can onboard new AWS accounts using one of the following methods:

*Automatically syncs changes to accounts from AWS to ACE after onboarding.
Onboarding Method Description Automatic sync*
CloudStack Formation (via wizard) Uses scripts to onboard AWS resources Yes
API (single account) Onboard a single subscription via API No
Terraform Leverage Terraform, an infrastructure-as-code solution, to onboard AWS accounts into ACE Yes

Note: Deleting AWS accounts is not automatically synced. To remove AWS accounts from AlgoSec Cloud Enterprise after deletion in AWS, refer to Offboard AWS accounts from ACE.

Note: For more information about the AWS onboarding script, see Inside the AWS Onboarding Script.

Before you start

Make sure you are logged on to AWS Console .

Onboard AWS accounts

Note: For issues onboarding AWS accounts, see Troubleshoot Onboarding.

Do the following:

  1. In the ACE Settings area, click ONBOARDING.

  2. On the Onboarding Management page that opens, click +Onboard Accounts. The Onboard Account Wizard opens.

  3. Click the Amazon Web Services button and click Next.

    The AWS Onboarding Wizard Access Permissions step opens.

  4. (Optional) Account Properties:

    Note: The download CloudFormation File button on this step is tied to Account Management and is different from the file downloaded at the end of the onboarding wizard.

    If you plan to onboard multiple AWS accounts and you want to display AWS Account names, Organizational Unit and information about suspended accounts in ACE, it's necessary to establish a role within your management account that grants ACE permissions. For more details, see Management accounts flow .

    1. Click and save to a local folder on your computer.

    2. Log on to AWS Console on your management account (with administrative permissions) to deploy a CloudFormation stack.

    3. Follow the steps in the AWS documentation .

  5. Specify the details below; they will be included in the file available for download at the end of the onboarding wizard.

    Optional settings Description
    Use the same external ID for all accounts Select to use the same external ID for all accounts
    Retrieve VPC Flow Logs Select to retrieve VPC Flow Logs (flow logs must enabled in AWS for them to be visible in Cloud Network Security). For more information, see VPC Flow Logs. During the onboarding process, Cloud Network Security connects with your AWS StackSets and any subsequent changes made to StackSets in AWS such as addition or removal of Stacks (accounts) are automatically reflected in ACE.
    Enable permissions for policy change

    AlgoSec only needs READ permissions to provide support for your AWS security policy management. This requirement ensures you can still receive complete security analysis and recommendations while granting the minimal level of access.

    Write permissions can optionally be added for advanced policy change capabilities.

  1. Click Next. The Features Permissions step of the wizard opens.

  2. VM Scanner (optional)

    The VM Scanner feature enables scanning Elastic Block Store (EBS) volumes attached to EC2 instances across multiple regions in an AWS account. ACE Cloud App Analyzer's VM Scanner enhances cloud workload security by providing agentless scanning for AWS EC2 instances that have volumes attached. For more information, see Enable Virtual Machine Security.

  3. Kubernetes agentless security (optional)

    Cloud App Analyzer provides agentless discovery and detection of vulnerabilities, compliance, and configuration risks for Kubernetes components. For more information, see Kubernetes Services Risks Management.

Note: During the onboarding process, ACE connects with your AWS StackSets and any subsequent changes made to StackSets in AWS such as addition or removal of Stacks (accounts) are automatically reflected in ACE.

  1. Click Download File. The CloudFormation template file is downloaded to your machine. You will use it later in these steps.

  2. Log in to the AWS Console Home.

  3. In the AWS Console Home, click CloudFormation.

  4. Create single or multiple accounts to sync with ACE.

    1. Click Stacks.

    2. Click Create Stack and select With new resources (standard).

    3. In the Specify Template section, click Upload a Template File. Click Choose file. Browse and select the CloudFormation Template that you downloaded previously. Then click Next.

    4. In the Specify Stack details section, give the Stack a name and then click Next.

      Note: The account name displayed in ACE is initially the AWS account number (ID) of the user who created the Stack (account) in AWS. To edit the account name in ACE, see Edit account details.

    5. On the Configure Stack options screen, click Next.

    6. Review the Stack. Select I acknowledge that AWS CloudFormation might create IAM resources.

    7. Click Submit. It may take several minutes for the Stack to be created and the account to appear in ACE.

    1. Click StackSets.

    2. Click Create StackSet.

    3. In the Specify Template section, click Upload a Template File. Click Choose file. Browse and select the CloudFormation Template that you downloaded previously. Then click Next.

    4. In the Specify StackSet details section, give the StackSet a name and then click Next.

      The Configure StackSet options screen appears.

    5. On the Configure StackSet options screen, click Next.

      The Set Deployment Options section appears.

    6. In Set Deployment Options, click Deploy New Stacks

      You can deploy stacks across accounts by targeting either your entire organization or specific accounts using organizational units (OUs) and account filter options.

      Choose either one of the following:

      • Deploy stacks across accounts by targeting your entire organization:

        • Click Deploy to organization

      • Deploy stacks across accounts by targeting specific accounts using organizational units (OUs) and account filter options:

        • Click Deploy to Organizational Units (OUs)

        • Click Add Another OU. Enter an AWS OU ID. Repeat as required.

        • (optional) Select Account Filter Type. For more info, see AWS documentation.

      Note: The account names displayed in ACE are initially set to the AWS account numbers (ID). To edit the account names in ACE, see Edit account details.

    7. In the Specify Regions section, select the region(s) where the stacks will be created and managed.

    8. Set Deployment Options based on the needs and requirements of your system. Then click Next.

    9. Review the StackSet. Select I acknowledge that AWS CloudFormation might create IAM resources.

    10. Click Submit. It may take several minutes for the StackSets to be created and the accounts to appear in ACE.

      Tip: You can check the individual stack instances in CloudFormation>StackSets as follows.

      1. Click the created StackSet.

      2. Click the Stack Instance tab and see which accounts were created and their detailed status.

Note: For issues onboarding AWS accounts, see Troubleshoot Onboarding.

  1. (optional) Set up data collection for CloudTrail events. See Collect Data Events with CloudTrail .

You can use API calls to add a single AWS account to ACE.

Note: Any changes to an account after onboarding are not synced with ACE. To delete one or more manually added accounts, see Offboard AWS accounts from ACE.

Do the following:

  1. Create an AWS IAM Role for ACE that includes the required permissions (referenced HERE). For detailed steps on setting up the role, see HERE. After creating the role, copy its ARN roleArn for use in the request.

  2. Define your externalId using the following suggested format: algosec-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

  3. Add AWS AlgoSec Account ID (ALGOSEC_ACCOUNT_ID) to the IAM role Trust relationships with a condition to provide the externalId. Use the ALGOSEC_ACCOUNT_ID based on the region of the AlgoSec environment you are onboarded to as provided HERE.

    For example:

    Copy 
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<ALGOSEC_ACCOUNT_ID>:root"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "algosec-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
                    }
                }
            }
        ]
    }

  4. Manually Add VM permissions (Optional): Add the AWS EC2 scanning IAM permissions to the created IAM role. You can find the permissions under Additional optional permissions.

  5. Manually onboard KSPM (Optional): The permissions for Kubernetes scan should be granted at the level of the Cluster. Follow the For Kubernetes Cluster Scan instructions under Additional optional permissions.

    1. PrevasioImagePushHandlerRole (IAM Role)

      PrevasioImagePushHandlerRoleis an IAM role assumed by thePrevasioImagePushHandlerFunctionLambda, granting it basic execution permissions.

      Do the following:

      1. Open IAM Console.
      2. Go toRoles > Click Create role.
      3. In the Trusted Entity Type field: Choose theAWS service.
      4. In the Use case dropdown: Choose Lambda.
      5. Click Next
      6. Permissions: Attach the policy:AWSLambdaBasicExecutionRole.
      7. Click Next
      8. Enter Role name: PrevasioImagePushHandlerRole.
      9. Click Create role

      10. On the AWS CLI, enter:

        Copy 
        aws iam create-role \
          --role-name PrevasioImagePushHandlerRole \
          --assume-role-policy-document '{
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Principal": {"Service": "lambda.amazonaws.com"},
              "Action": "sts:AssumeRole"
            }]
          }'
         
        aws iam attach-role-policy \
          --role-name PrevasioImagePushHandlerRole \
          --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

    1. PrevasioECRExclusionsRole (IAM Role)

      PrevasioECRExclusionsRoleis an IAM role for thePrevasioECRExclusionsFunctionLambda, granting it basic execution rights and permissions to read and update ECR repository policies.

      Do the following:

      1. Open IAM Console
      2. Go to Roles > Click Create Role.
      3. In the Trusted Entity Type field: Choose theAWS service.
      4. In the Use case dropdown: Choose Lambda.
      5. Click Next.
      6. Permissions: Attach: AWSLambdaBasicExecutionRole.
      7. Click Next.
      8. Enter Role name: PrevasioECRExclusionsRole.
      9. Click Create Role.
      10. Go to the Role Permissions, click Add inline policy.

      11. On the JSON tab, enter:

        Copy 
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "ecr:GetRepositoryPolicy",
                "ecr:SetRepositoryPolicy",
                "ecr:DescribeRepositories"
              ],
              "Resource": "*"
            }
          ]
        }

      12. Click Review policy, name itPrevasioECRExclusionsPolicy, then click Create Policy

      13. On the AWS CLI:

        # 1. Create the custom policy

        Copy 
        aws iam create-policy \
          --policy-name PrevasioECRExclusionsPolicy \
          --policy-document '{
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Action": [
                "ecr:GetRepositoryPolicy",
                "ecr:SetRepositoryPolicy",
                "ecr:DescribeRepositories"
              ],
              "Resource": "*"
            }]
          }'

        # 2. Create the role

        Copy 
        aws iam create-role \
          --role-name PrevasioECRExclusionsRole \
          --assume-role-policy-document '{
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Principal": {"Service": "lambda.amazonaws.com"},
              "Action": "sts:AssumeRole"
            }]
          }'

        # 3. Attach the built-in policy

        Copy 
        aws iam attach-role-policy \
          --role-name PrevasioECRExclusionsRole \
          --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

        # 4. Attach the custom policy (replace <ACCOUNT_ID> with your AWS account ID)

        Copy 
        aws iam attach-role-policy \
          --role-name PrevasioECRExclusionsRole \
          --policy-arn arn:aws:iam::<ACCOUNT_ID>:policy/PrevasioECRExclusionsPolicy

    1. PrevasioECRExclusionsFunction (Lambda Function)

      This Lambda function updates ECR repository policies to add App Analyzer IAM roles from access exclusions.

      Do the following:

      2. Save the code as index.py and zip it as function.zip.

      3. Create a lambda function following the steps in either I or II below:

        1. Open the AWS Lambda Console.

          1. Click Create function

          2. Select the option Author from scratch:

          3. Enter the function Name: PrevasioECRExclusionsFunction <TenantId> (replace <TenantId> as needed)

          4. Select from the Runtime dropdown: Python 3.11

          5. Under Role: select Use existing role and then select PrevasioECRExclusionsRole

          6. After the lambda function creation finishes,go to the Code source of the lambda function, andclick Upload from > .zip file > Upload function.zip

          7. Set Handler to index.handler

          8. Set Memory: 128 MB

          9. Set Timeout: 60 seconds

          10. Under Configuration > Environment variables, add:

            1. Key: algosecRole

            2. Value: The role ARN that you have created in step 1.

          11. For the source code,upload the function.zip you downloaded or created from the above link.

          12. Click Create function

        2. On the AWS CLI, run the following:

          Copy 
          aws lambda create-function \
            --function-name PrevasioECRExclusionsFunction<TenantId> \
            --runtime python3.11 \
            --role arn:aws:iam::<ACCOUNT_ID>:role/PrevasioECRExclusionsRole \
            --handler index.handler \
            --timeout 60 \
            --memory-size 128 \
            --environment Variables={algosecRole=<AlgosecRoleArn>} \
            --zip-file fileb://function.zip

          3. Note: Replace <ACCOUNT_ID>, <TenantId>, <AlgosecRoleArn>, and use the code from the provided link as index.py.

    1. PrevasioImagePushHandlerFunction (Lambda Function)

      This Lambda function is triggered when an image is pushed to a repository, and sends a request to App Analyzer to scan the image.

      Do the following:

      2. Save the code as index.py and zip it as function.zip.

      3. In the downloaded file, replace the following values :

        For the value of the <algosaas_host> and <prevasio_host>, use the url for your region:

        To generate the value of <additionals> do the following:

        1. Create this JSON:

          Copy 
          {"tenantId":"ALGOSEC_TENANT_ID","clientId":"ALGOSEC_CLIENT_ID","clientSecret":"ALGOSEC_CLIENT_SECRET"}
        2. Convert it to a string
        3. Convert the string to UTF-8 bytes

        4. Base64-encode it using your preferred method

          For example (bash):

          Copy 
          tenantId="your-tenant-id"
          clientId="your-client-id"
          clientSecret="your-client-secret"
           
          json=$(printf '{"tenantId":"%s","clientId":"%s","clientSecret":"%s"}' "$tenantId" "$clientId" "$clientSecret")
          encoded=$(echo -n "$json" | base64)
           
          echo "$encoded"

      4. Create a lambda function following the steps in either I or II below:

        1. Open the AWS Lambda Console. .

          1. Click Create function.

          2. Select the option: Author from scratch

          3. Enter the function Name:PrevasioImagePushHandlerFunction<TenantId>(replace <TenantId> as needed)

          4. Select from the Runtime dropdown:Python 3.11

          5. Under Role: select Use existing role and then select PrevasioImagePushHandlerRole

          6. After the Lambda function is created, go to Code source, click Upload from > .zip file > Upload function.zip

          7. Set Handler toindex.handler

          8. Set Memory:128 MB

          9. Set Timeout:10 seconds

          10. ClickCreate function

        2. On the AWS CLI, run the following:

          Copy 
          aws lambda create-function \
            --function-name PrevasioImagePushHandlerFunction<TenantId> \
            --runtime python3.11 \
            --role arn:aws:iam::<ACCOUNT_ID>:role/PrevasioImagePushHandlerRole \
            --handler index.handler \
            --timeout 10 \
            --memory-size 128 \
            --zip-file fileb://function.zip

          Note: Replace <ACCOUNT_ID>, <TenantId>, and use the code from the provided link as index.py.

    1. PrevasioImagePushedEventBridgeRule (EventBridge Rule)

      PrevasioImagePushedEventBridgeRule is an EventBridge rule that listens for successful ECR image push events and triggers the PrevasioImagePushHandlerFunction Lambda function.

      Do the following:

      1. Open Amazon EventBridge Console.

      2. ClickCreate rule.

      3. Enter Rule Name: PrevasioImagePushedEventBridgeRule.

      4. Choose Rule with an event pattern as the Rule type.

      5. In the Event Pattern section, select Custom pattern (JSON editor) and paste:

        Copy 
        {
          "source": ["aws.ecr"],
          "detail-type": ["ECR Image Action"],
          "detail": {
            "result": ["SUCCESS"]
          }
        }

      6. Under Target:

        • Target type:AWS service
        • Function:Select PrevasioImagePushHandlerFunction

      7. Click Next, review, and click Create rule.

      8. On the AWS CLI:

        • Create the rule:

        Copy 
        aws events put-rule \
          --name PrevasioImagePushedEventBridgeRule \
          --event-pattern '{
            "source": ["aws.ecr"],
            "detail-type": ["ECR Image Action"],
            "detail": {"result": ["SUCCESS"]}
          }'
         
        aws events put-targets \
          --rule PrevasioImagePushedEventBridgeRule \
          --targets '[{"Id": "PrevasioImagePushHandlerFunction<TenantId>", "Arn": "<LambdaFunctionArn>"}]'

        • Add the target:

        Copy 
        aws events put-targets \
          --rule PrevasioImagePushedEventBridgeRule \
          --targets '[{"Id": "PrevasioImagePushHandlerFunction<TenantId>", "Arn": "<LambdaFunctionArn>"}]'

      Note: Replace <TenantId> and <LambdaFunctionArn> with your actual values.

    1. PrevasioInvokeImagePushHandlerFunctionPermission (Lambda Permission)

      PrevasioInvokeImagePushHandlerFunctionPermission is a Lambda permission that allows EventBridge to invoke the PrevasioImagePushHandlerFunction when an event (such as an ECR image push) matches a defined rule.

      Do the following:

      1. Open the AWS Lambda Console.

      2. Find the Lambda function:PrevasioImagePushHandlerFunction

      3. Open the function and navigate to theConfiguration tab > Permissions

      4. Under Resource-based policy, clickAdd permissions > Add permissions to Lambda function

      5. Set the following values:

        • Principal: events.amazonaws.com
        • Action: lambda:InvokeFunction
        • Source ARN: Use the ARN of the EventBridge rule that triggers the function

      6. On the AWS CLI:

        Copy 
        aws lambda add-permission \
          --function-name PrevasioImagePushHandlerFunction \
          --action lambda:InvokeFunction \
          --principal events.amazonaws.com \
          --source-arn arn:aws:events:<REGION>:<ACCOUNT_ID>:rule/<RULE_NAME> \
          --statement-id AllowEventBridgeInvoke

      Note: Replace <REGION>, <ACCOUNT_ID>, and <RULE_NAME> with your actual values.

    1. Run PrevasioECRExclusionsFunction

      This step executes the PrevasioECRExclusionsFunction Lambda manually to apply ECR access exclusions.

      Do the following:

      1. Open the AWS Lambda Console.

      2. Search for and open the function: PrevasioECRExclusionsFunction

      3. ClickTest

      4. In the test event dialog:

        1. Enter any name (e.g., TestInvoke)
        2. Input the following JSON payload:
          Copy 
          {"RequestType": "Create"}
        3. Click Save

      5. Click Test again to execute the function

      6. Review logs and output in the Execution resultspanel

      7. On the AWS CLI:

        Copy 
        aws lambda invoke \
          --function-name PrevasioECRExclusionsFunction \
          --payload '{"RequestType": "Create"}' \
          response.json

  7. Onboard the account through the API. For details, refer to the API documentation on adding or editing an AWS account. See Add/edit an AWS account.

  8. (optional) Set up data collection for CloudTrail events. See Collect Data Events with CloudTrail .

You can leverage Terraform, the infrastructure-as-code solution, as another option for onboarding your AWS accounts into ACE.

Do the following:

  1. Create an AWS IAM Role for ACE that includes the required permissions (referenced HERE). For detailed steps on setting up the role, see HERE. After creating the role, copy its ARN roleArn for use in the request.

  2. Define your externalId using the following suggested format: algosec-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

  3. Add AWS AlgoSec Account ID (ALGOSEC_ACCOUNT_ID) to the IAM role Trust relationships with a condition to provide the externalId. Use the ALGOSEC_ACCOUNT_ID based on the region of the AlgoSec environment you are onboarded to as provided HERE.

    For example:

    Copy 
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<ALGOSEC_ACCOUNT_ID>:root"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "algosec-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
                    }
                }
            }
        ]
    }

  4. Manually Add VM permissions (Optional): Add the AWS EC2 scanning IAM permissions to the created IAM role. You can find the permissions under Additional optional permissions.

  5. Manually onboard KSPM (Optional): The permissions for Kubernetes scan should be granted at the level of the Cluster. Follow the For Kubernetes Cluster Scan instructions under Additional optional permissions.

    1. PrevasioImagePushHandlerRole (IAM Role)

      PrevasioImagePushHandlerRoleis an IAM role assumed by thePrevasioImagePushHandlerFunctionLambda, granting it basic execution permissions.

      Do the following:

      1. Open IAM Console.
      2. Go toRoles > Click Create role.
      3. In the Trusted Entity Type field: Choose theAWS service.
      4. In the Use case dropdown: Choose Lambda.
      5. Click Next
      6. Permissions: Attach the policy:AWSLambdaBasicExecutionRole.
      7. Click Next
      8. Enter Role name: PrevasioImagePushHandlerRole.
      9. Click Create role

      10. On the AWS CLI, enter:

        Copy 
        aws iam create-role \
          --role-name PrevasioImagePushHandlerRole \
          --assume-role-policy-document '{
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Principal": {"Service": "lambda.amazonaws.com"},
              "Action": "sts:AssumeRole"
            }]
          }'
         
        aws iam attach-role-policy \
          --role-name PrevasioImagePushHandlerRole \
          --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

    1. PrevasioECRExclusionsRole (IAM Role)

      PrevasioECRExclusionsRoleis an IAM role for thePrevasioECRExclusionsFunctionLambda, granting it basic execution rights and permissions to read and update ECR repository policies.

      Do the following:

      1. Open IAM Console
      2. Go to Roles > Click Create Role.
      3. In the Trusted Entity Type field: Choose theAWS service.
      4. In the Use case dropdown: Choose Lambda.
      5. Click Next.
      6. Permissions: Attach: AWSLambdaBasicExecutionRole.
      7. Click Next.
      8. Enter Role name: PrevasioECRExclusionsRole.
      9. Click Create Role.
      10. Go to the Role Permissions, click Add inline policy.

      11. On the JSON tab, enter:

        Copy 
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "ecr:GetRepositoryPolicy",
                "ecr:SetRepositoryPolicy",
                "ecr:DescribeRepositories"
              ],
              "Resource": "*"
            }
          ]
        }

      12. Click Review policy, name itPrevasioECRExclusionsPolicy, then click Create Policy

      13. On the AWS CLI:

        # 1. Create the custom policy

        Copy 
        aws iam create-policy \
          --policy-name PrevasioECRExclusionsPolicy \
          --policy-document '{
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Action": [
                "ecr:GetRepositoryPolicy",
                "ecr:SetRepositoryPolicy",
                "ecr:DescribeRepositories"
              ],
              "Resource": "*"
            }]
          }'

        # 2. Create the role

        Copy 
        aws iam create-role \
          --role-name PrevasioECRExclusionsRole \
          --assume-role-policy-document '{
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Principal": {"Service": "lambda.amazonaws.com"},
              "Action": "sts:AssumeRole"
            }]
          }'

        # 3. Attach the built-in policy

        Copy 
        aws iam attach-role-policy \
          --role-name PrevasioECRExclusionsRole \
          --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

        # 4. Attach the custom policy (replace <ACCOUNT_ID> with your AWS account ID)

        Copy 
        aws iam attach-role-policy \
          --role-name PrevasioECRExclusionsRole \
          --policy-arn arn:aws:iam::<ACCOUNT_ID>:policy/PrevasioECRExclusionsPolicy

    1. PrevasioECRExclusionsFunction (Lambda Function)

      This Lambda function updates ECR repository policies to add App Analyzer IAM roles from access exclusions.

      Do the following:

      2. Save the code as index.py and zip it as function.zip.

      3. Create a lambda function following the steps in either I or II below:

        1. Open the AWS Lambda Console.

          1. Click Create function

          2. Select the option Author from scratch:

          3. Enter the function Name: PrevasioECRExclusionsFunction <TenantId> (replace <TenantId> as needed)

          4. Select from the Runtime dropdown: Python 3.11

          5. Under Role: select Use existing role and then select PrevasioECRExclusionsRole

          6. After the lambda function creation finishes,go to the Code source of the lambda function, andclick Upload from > .zip file > Upload function.zip

          7. Set Handler to index.handler

          8. Set Memory: 128 MB

          9. Set Timeout: 60 seconds

          10. Under Configuration > Environment variables, add:

            1. Key: algosecRole

            2. Value: The role ARN that you have created in step 1.

          11. For the source code,upload the function.zip you downloaded or created from the above link.

          12. Click Create function

        2. On the AWS CLI, run the following:

          Copy 
          aws lambda create-function \
            --function-name PrevasioECRExclusionsFunction<TenantId> \
            --runtime python3.11 \
            --role arn:aws:iam::<ACCOUNT_ID>:role/PrevasioECRExclusionsRole \
            --handler index.handler \
            --timeout 60 \
            --memory-size 128 \
            --environment Variables={algosecRole=<AlgosecRoleArn>} \
            --zip-file fileb://function.zip

          3. Note: Replace <ACCOUNT_ID>, <TenantId>, <AlgosecRoleArn>, and use the code from the provided link as index.py.

    1. PrevasioImagePushHandlerFunction (Lambda Function)

      This Lambda function is triggered when an image is pushed to a repository, and sends a request to App Analyzer to scan the image.

      Do the following:

      2. Save the code as index.py and zip it as function.zip.

      3. In the downloaded file, replace the following values :

        For the value of the <algosaas_host> and <prevasio_host>, use the url for your region:

        To generate the value of <additionals> do the following:

        1. Create this JSON:

          Copy 
          {"tenantId":"ALGOSEC_TENANT_ID","clientId":"ALGOSEC_CLIENT_ID","clientSecret":"ALGOSEC_CLIENT_SECRET"}
        2. Convert it to a string
        3. Convert the string to UTF-8 bytes

        4. Base64-encode it using your preferred method

          For example (bash):

          Copy 
          tenantId="your-tenant-id"
          clientId="your-client-id"
          clientSecret="your-client-secret"
           
          json=$(printf '{"tenantId":"%s","clientId":"%s","clientSecret":"%s"}' "$tenantId" "$clientId" "$clientSecret")
          encoded=$(echo -n "$json" | base64)
           
          echo "$encoded"

      4. Create a lambda function following the steps in either I or II below:

        1. Open the AWS Lambda Console. .

          1. Click Create function.

          2. Select the option: Author from scratch

          3. Enter the function Name:PrevasioImagePushHandlerFunction<TenantId>(replace <TenantId> as needed)

          4. Select from the Runtime dropdown:Python 3.11

          5. Under Role: select Use existing role and then select PrevasioImagePushHandlerRole

          6. After the Lambda function is created, go to Code source, click Upload from > .zip file > Upload function.zip

          7. Set Handler toindex.handler

          8. Set Memory:128 MB

          9. Set Timeout:10 seconds

          10. ClickCreate function

        2. On the AWS CLI, run the following:

          Copy 
          aws lambda create-function \
            --function-name PrevasioImagePushHandlerFunction<TenantId> \
            --runtime python3.11 \
            --role arn:aws:iam::<ACCOUNT_ID>:role/PrevasioImagePushHandlerRole \
            --handler index.handler \
            --timeout 10 \
            --memory-size 128 \
            --zip-file fileb://function.zip

          Note: Replace <ACCOUNT_ID>, <TenantId>, and use the code from the provided link as index.py.

    1. PrevasioImagePushedEventBridgeRule (EventBridge Rule)

      PrevasioImagePushedEventBridgeRule is an EventBridge rule that listens for successful ECR image push events and triggers the PrevasioImagePushHandlerFunction Lambda function.

      Do the following:

      1. Open Amazon EventBridge Console.

      2. ClickCreate rule.

      3. Enter Rule Name: PrevasioImagePushedEventBridgeRule.

      4. Choose Rule with an event pattern as the Rule type.

      5. In the Event Pattern section, select Custom pattern (JSON editor) and paste:

        Copy 
        {
          "source": ["aws.ecr"],
          "detail-type": ["ECR Image Action"],
          "detail": {
            "result": ["SUCCESS"]
          }
        }

      6. Under Target:

        • Target type:AWS service
        • Function:Select PrevasioImagePushHandlerFunction

      7. Click Next, review, and click Create rule.

      8. On the AWS CLI:

        • Create the rule:

        Copy 
        aws events put-rule \
          --name PrevasioImagePushedEventBridgeRule \
          --event-pattern '{
            "source": ["aws.ecr"],
            "detail-type": ["ECR Image Action"],
            "detail": {"result": ["SUCCESS"]}
          }'
         
        aws events put-targets \
          --rule PrevasioImagePushedEventBridgeRule \
          --targets '[{"Id": "PrevasioImagePushHandlerFunction<TenantId>", "Arn": "<LambdaFunctionArn>"}]'

        • Add the target:

        Copy 
        aws events put-targets \
          --rule PrevasioImagePushedEventBridgeRule \
          --targets '[{"Id": "PrevasioImagePushHandlerFunction<TenantId>", "Arn": "<LambdaFunctionArn>"}]'

      Note: Replace <TenantId> and <LambdaFunctionArn> with your actual values.

    1. PrevasioInvokeImagePushHandlerFunctionPermission (Lambda Permission)

      PrevasioInvokeImagePushHandlerFunctionPermission is a Lambda permission that allows EventBridge to invoke the PrevasioImagePushHandlerFunction when an event (such as an ECR image push) matches a defined rule.

      Do the following:

      1. Open the AWS Lambda Console.

      2. Find the Lambda function:PrevasioImagePushHandlerFunction

      3. Open the function and navigate to theConfiguration tab > Permissions

      4. Under Resource-based policy, clickAdd permissions > Add permissions to Lambda function

      5. Set the following values:

        • Principal: events.amazonaws.com
        • Action: lambda:InvokeFunction
        • Source ARN: Use the ARN of the EventBridge rule that triggers the function

      6. On the AWS CLI:

        Copy 
        aws lambda add-permission \
          --function-name PrevasioImagePushHandlerFunction \
          --action lambda:InvokeFunction \
          --principal events.amazonaws.com \
          --source-arn arn:aws:events:<REGION>:<ACCOUNT_ID>:rule/<RULE_NAME> \
          --statement-id AllowEventBridgeInvoke

      Note: Replace <REGION>, <ACCOUNT_ID>, and <RULE_NAME> with your actual values.

    1. Run PrevasioECRExclusionsFunction

      This step executes the PrevasioECRExclusionsFunction Lambda manually to apply ECR access exclusions.

      Do the following:

      1. Open the AWS Lambda Console.

      2. Search for and open the function: PrevasioECRExclusionsFunction

      3. ClickTest

      4. In the test event dialog:

        1. Enter any name (e.g., TestInvoke)
        2. Input the following JSON payload:
          Copy 
          {"RequestType": "Create"}
        3. Click Save

      5. Click Test again to execute the function

      6. Review logs and output in the Execution resultspanel

      7. On the AWS CLI:

        Copy 
        aws lambda invoke \
          --function-name PrevasioECRExclusionsFunction \
          --payload '{"RequestType": "Create"}' \
          response.json

  1. Integrate the code below into your Terraform toolkit. In the code below, enter your roleArn and externalId values.

    Also, make the following parameter value replacements in the Locals section:

    Parameter Description Notes 
    auth_url

    URL to authorize ACE

    • For US use: 

      https://us.app.algosec.com/api/algosaas/auth/v1/access-keys/login

    • For EMEA use: 

      https://eu.app.algosec.com/api/algosaas/auth/v1/access-keys/login

    • For ANZ use: 

      https://.anz.app.algosec.com/api/algosaas/auth/v1/access-keys/login

    • For ME use: 

      https://me.app.algosec.com/api/algosaas/auth/v1/access-keys/login

    • For UAE use: 

      https://uae.app.algosec.com/api/algosaas/auth/v1/access-keys/login

    • For IND use: 

      https://ind.app.algosec.com/api/algosaas/auth/v1/access-keys/login

    • For SGP use: 

      https://sgp.app.algosec.com/api/algosaas/auth/v1/access-keys/login
    		 
    url

    URL to onboard AWS

    • For US use: 

      https://us.app.algosec.com/api/algosaas/onboarding/v1/aws

    • For EMEA use: 

      https://eu.app.algosec.com/api/algosaas/onboarding/v1/aws

    • For ANZ use: 

      https://anz.app.algosec.com/api/algosaas/onboarding/v1/aws

    • For ME use: 

      https://me.app.algosec.com/api/algosaas/onboarding/v1/aws

    • For UAE use: 

      https://uae.app.algosec.com/api/algosaas/onboarding/v1/aws

    • For IND use: 

      https://ind.app.algosec.com/api/algosaas/onboarding/v1/aws

    • For SGP use: 

    • https://sgp.app.algosec.com/api/algosaas/onboarding/v1/aws

    • For SGP use: 

      https://api.cloudflow.sgp.app.algosec.com/cloudflow/api/admin/v1/onboarding/aws/api
    		 
    tenant

    Your ACE Tenant ID

    		 
    clientId

    Client ID

    		 This is part of Access Key details. In ACE, go to Access Management > API ACCESS tab. Create a new API Access Key or use an existing one. See here. 
    secret

    Client Secret of the API Access Key

    		 This is part of Access Key details. In ACE, go to Access Management > API ACCESS tab. Create a new API Access Key or use an existing one. See here.
    Copy 
    locals {
                                        auth_url  = "xxxxxxxxxxxxxxxxx"
                                        url       = "xxxxxxxxxxxxxxxxx"
                                        tenant    = "xxxxxxxxxxxxxxxxx"
                                        clientId = "xxxxxxxxxxxxxxxxx"
                                        secret    = "xxxxxxxxxxxxxxxxx"
                                        }

                                        data "http" "auth" {
                                        url    = local.auth_url
                                        method = "POST"
                                        # Optional request headers
                                        request_headers = {
                                        Accept = "application/json"
                                        }
                                        request_body = jsonencode({ tenantId : local.tenant, clientId : local.clientId, clientSecret : local.secret })
                                        lifecycle {
                                        postcondition {
                                        condition     = contains([200, 201, 204], self.status_code)
                                        error_message = "Authorization failed"

                                        }
                                        }
                                        }

                                        locals {
                                        auth_response = jsondecode(data.http.auth.response_body)
                                        auth_token    = local.auth_response.access_token
                                        }

                                        data "http" "onboard_account" {
                                        url    = local.url
                                        method = "POST"
                                        request_headers = {
                                        Accept        = "application/json"
                                        Authorization = "Bearer ${local.auth_token}"
                                        }
                                        request_body = jsonencode({
                                        "roleArn" : "arn:aws:iam::xxx:role/AceRole ",
                                        "externalId" : "algosec-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
                                        "name" : "test",
                                        "supportChanges" : false, //to enable change policy permissions, see AWS permissions page in the tech docs
                                        "flowLogs" : true/false, //For more information VPC Flow Logs section in tech docs
                                        "event" : { "RequestType" : "Create"}
                                        })
                                        lifecycle {
                                        postcondition {
                                        condition     = contains([200, 201, 204], self.status_code)
                                        error_message = "Authorization failed",
                                        }
                                        }
                                        }

                                        ######################################################################
                                        # Print the created data to console

                                        output "onboard_status" {
                                        value = data.http.onboard_account.status_code
                                    }

  1. (optional) Set up data collection for CloudTrail events. See Collect Data Events with CloudTrail .

Permissions required for AWS roles

See Permissions Required for AWS Accounts.

VPC Flow Logs

Tip: For background about VPC Flow Logs, see these: AWS Article: VPC Flow Logs, AWS Blog: VPC Flow Logs.

By enabling VPC flow logs, ACE can retrieve and analyze flow logs. This provides you with data, shown on the ACE Risk Trigger and Network Policy pages, about the date when SG rules were last used. On the network policy pages, you can use this data to clean out old or unused rules from your policies.

For more details on the benefits of enabling VPC flow logging, see Last used and Clean Up Policies

Once flow logs are enabled, ACE will start displaying details about the last used date for each triggered rule. Follow the steps in Enable AWS VPC flow logging to get started.

Notes:
(1) Allow up to 24 hours for relevant rule usage information to be displayed when enabling flow logs for the first time and when adding accounts that already had flow logs enabled.

(2) VPC flow logs can be stored on either S3 or CloudWatch. ACE supports collecting flow logs from either option.

(3) ACE supports processing flow logs only when they are stored in the default log format. More details in this AWS article.

(4) If you configure both S3 and CloudWatch as your VPC Flow Logs targets, ACE will collect only from the S3 buckets.

(5) ACE collects only VPC Flow Logs of traffic type “accept”. Make sure that you configure the VPC Flow Logs traffic type to either “Accepted traffic” or “All traffic” (more details in this AWS article)

Enable AWS VPC flow logging

ACE can work with flow logging enabled at the various levels that AWS allows: VPC, Subnet, Network Interfaces.

To provide optimal performance, the following procedure explains how to enable flow logging at the Network Interface level. Repeat it for each Network Interface requiring flow logging.

Note for shared VPCs:

  • To support flow logs defined on the VPC level, the AWS owner account must have at least a single Network Interface (NIC) defined on the shared VPC.

  • To support flow logs defined on the Subnet level, the AWS owner account must have at least a single Network Interface (NIC) defined on the shared VPC Subnet.

These instructions rely on the creation of an S3 (Simple Storage Service) bucket and configuring VPC Flow Logs to store on it. If you want to create cross account flow logs provide additional permissions to your S3 bucket, as explained below.

Do the following:

  1. Enter your AWS account and open the AWS Management Console.

  2. In the Storage Section, click on S3.
  3. Click the Create Bucket button.
  4. In the dialog that is displayed:
    1. Enter a DNS compliant name for the S3 Bucket.
    2. Verify that the correct region is selected.
    3. Click Next.

    4. Continue clicking Next until you see the Create Bucket button at the bottom right of your screen.

      Note: By clicking Next until now, you have skipped parameters that do not require changes. The S3 Buckets page you just created is displayed.

  5. (Optional) To create cross account flow logs, provide additional permissions to your S3 bucket, see AWS documentation.

  6. Click on your S3 Bucket name.
    On the right, a panel displays the properties of this S3 bucket, permissions and management details. At the top is the Copy Bucket ARN button.

  7. Click the Copy Bucket ARN button.

    The ARN (Amazon Resource Name) is now in your copy buffer. You will use it soon.

    Important: Be sure not to copy anything else into your copy buffer until you are asked to paste this into a field in one of the last steps of this procedure.

  8. From the main AWS page, in the Compute section, click EC2.
  9. On the EC2 dashboard that is displayed, in the left panel Network and Security section, click on Network Interfaces.
    A list of Network Interfaces is displayed.
  10. Select a network interface on which you wish to enable flow logging.
  11. Under the network interface list, click the Flow Logs tab.
  12. Click the Create flow log button.
  13. In the Create flow log page that is displayed:
    1. Select Accept from the Filter dropdown list to indicate that only Accepted Traffic should be collected.
    2. For the Maximum aggregation interval select 10 minutes.
    3. For Destination, select Send to S3 Bucket.
    4. In the ARN field, paste the ARN that you copied in Step #7, above. It should still be in your copy buffer.
    5. Click Create at the bottom of the page.
  14. Optional: View your new flow log:
    1. Go to the Network Interfaces list
    2. Select the Network Interface for which you created the Flow Log.
    3. Click Flow Logs tab under the Network Interface List.
    4. In the Destination Tabs column, click the name of your S3 Bucket.

    You must configure both of the elements below to store VPC Flow Logs in CloudWatch. See this AWS article for more details.

    1. Configure this role trust relationship:

      {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

    2. Configure the following role permissions:

      {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

      Note: For info about required permissions see Permissions Required for AWS Accounts.

Modify the following parameters as needed:

Parameter Description

TRAFFIC_LOG_FREQUENCY_PERIOD_MINUTES

Determines the frequency, in minutes, at which ACE collects traffic logs from AWS SGs.

Value: Integer

Default: 60
ENABLE_TRAFFIC_LOGS

Determines whether traffic log collection is enabled for AWS SGs.

Disabling this parameter will cause ACE to display Flow logs disabled in the Last used column on the risk trigger details pages, even when flow logging is enabled in the AWS SG itself.

Value: Boolean

Default: Enabled
INACTIVE_RULE_PERIOD

Determines the number of days counting back from current day for which ACE checks flow logs for unused rules.

Range = 1 to 365 days

Default = 30

If flow logs were enabled, available and collected byACE for the entire period, SG Rules that did not have a single hit during the period are by definition unused rules.

In the Last used column, unused rules are marked as No traffic logged.

For details, see Last used.

Note: This parameter can also be configured in the Network Policies web interface, when selecting the “Unused rules” cleanup view.

To modify any of these parameters, contact AlgoSec support.

Update details of onboarded AWS accounts

You can update the details for AWS resources already onboarded to ACE. This is helpful if you need to add or remove write permissions.

Do the following:

  1. In the ACE Settings area, click ONBOARDING.

  2. On the Onboarding Management page that opens, click +Onboard Accounts. The Onboard Account Wizard opens.

  3. Click the Amazon Web Services button and click Next.

    The AWS Onboarding Wizard Access Permissions step opens.

  4. (Optional) Account Properties:

    Note: The download CloudFormation File button on this step is tied to Account Management and is different from the file downloaded at the end of the onboarding wizard.

    If you plan to onboard multiple AWS accounts and you want to display AWS Account names, Organizational Unit and information about suspended accounts in ACE, it's necessary to establish a role within your management account that grants ACE permissions. For more details, see Management accounts flow .

    1. Click and save to a local folder on your computer.

    2. Log on to AWS Console on your management account (with administrative permissions) to deploy a CloudFormation stack.

    3. Follow the steps in the AWS documentation .

  5. Specify the details below; they will be included in the file available for download at the end of the onboarding wizard.

    Optional settings Description
    Use the same external ID for all accounts Select to use the same external ID for all accounts
    Retrieve VPC Flow Logs Select to retrieve VPC Flow Logs (flow logs must enabled in AWS for them to be visible in Cloud Network Security). For more information, see VPC Flow Logs. During the onboarding process, Cloud Network Security connects with your AWS StackSets and any subsequent changes made to StackSets in AWS such as addition or removal of Stacks (accounts) are automatically reflected in ACE.
    Enable permissions for policy change

    AlgoSec only needs READ permissions to provide support for your AWS security policy management. This requirement ensures you can still receive complete security analysis and recommendations while granting the minimal level of access.

    Write permissions can optionally be added for advanced policy change capabilities.

  1. Click Next. The Features Permissions step of the wizard opens.

  2. VM Scanner (optional)

    The VM Scanner feature enables scanning Elastic Block Store (EBS) volumes attached to EC2 instances across multiple regions in an AWS account. ACE Cloud App Analyzer's VM Scanner enhances cloud workload security by providing agentless scanning for AWS EC2 instances that have volumes attached. For more information, see Enable Virtual Machine Security.

  3. Kubernetes agentless security (optional)

    Cloud App Analyzer provides agentless discovery and detection of vulnerabilities, compliance, and configuration risks for Kubernetes components. For more information, see Kubernetes Services Risks Management.

  1. Click Download File. The CloudFormation template file is downloaded to your machine. You will use it later in these steps.

  2. Log in to the AWS Console Home.

  3. In the AWS Console Home, click CloudFormation.

  4. Update single or multiple accounts.

    1. Click Stacks.

    2. After locating the stack to update, select the bullet to the left of the Stack name and click Update.

    3. In the Specify Template section, click Upload a Template File. Click Choose file. Browse and select the CloudFormation Template that you downloaded previously. Then click Next.

    4. In the Specify Stack details section, click Next.

    5. On the Configure Stack options screen, click Next.

    6. Review the Stack. Select I acknowledge that AWS CloudFormation might create IAM resources.

    7. Click Submit. It may take several minutes for the Stack to be updated in ACE.

    1. Click StackSets.

    2. After locating the StackSet to update, select the bullet to the left of the StackSet name, click Actions and select Edit StackSet details.

    3. In the Prerequisite - Prepare template section, click Replace current template. Select Upload a Template File. Click Choose File. Slect the file from the list and click Open.

    4. In the Specify StackSet details section, click Next.

      The Configure StackSet options screen appears.

    5. On the Configure StackSet options screen, click Next.

      The Set Deployment Options section appears.

    6. In Set Deployment Options, click either: Deploy to organizational Units (OUs) or Deploy to accounts. Update fields as required.

    7. In the Specify Regions section, select the region(s) where the stacks were created.

    8. Set Deployment Options based on the needs and requirements of your system. Then click Next.

    9. Review the StackSet. Select I acknowledge that AWS CloudFormation might create IAM resources.

    10. Click Submit. It may take several minutes for the StackSets to be updated in ACE.

Note: For issues onboarding AWS accounts, see Troubleshoot Onboarding.

  1. (optional) Set up data collection for CloudTrail events. See Collect Data Events with CloudTrail .

Do the following:

  1. Create an AWS IAM Role for ACE that includes the required permissions (referenced HERE). For detailed steps on setting up the role, see HERE. After creating the role, copy its ARN roleArn for use in the request.

  2. Define your externalId using the following suggested format: algosec-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

  3. Add AWS AlgoSec Account ID (ALGOSEC_ACCOUNT_ID) to the IAM role Trust relationships with a condition to provide the externalId. Use the ALGOSEC_ACCOUNT_ID based on the region of the AlgoSec environment you are onboarded to as provided HERE.

    For example:

    Copy 
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<ALGOSEC_ACCOUNT_ID>:root"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "algosec-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
                    }
                }
            }
        ]
    }

  4. Manually Add VM permissions (Optional): Add the AWS EC2 scanning IAM permissions to the created IAM role. You can find the permissions under Additional optional permissions.

  5. Manually onboard KSPM (Optional): The permissions for Kubernetes scan should be granted at the level of the Cluster. Follow the For Kubernetes Cluster Scan instructions under Additional optional permissions.

    1. PrevasioImagePushHandlerRole (IAM Role)

      PrevasioImagePushHandlerRoleis an IAM role assumed by thePrevasioImagePushHandlerFunctionLambda, granting it basic execution permissions.

      Do the following:

      1. Open IAM Console.
      2. Go toRoles > Click Create role.
      3. In the Trusted Entity Type field: Choose theAWS service.
      4. In the Use case dropdown: Choose Lambda.
      5. Click Next
      6. Permissions: Attach the policy:AWSLambdaBasicExecutionRole.
      7. Click Next
      8. Enter Role name: PrevasioImagePushHandlerRole.
      9. Click Create role

      10. On the AWS CLI, enter:

        Copy 
        aws iam create-role \
          --role-name PrevasioImagePushHandlerRole \
          --assume-role-policy-document '{
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Principal": {"Service": "lambda.amazonaws.com"},
              "Action": "sts:AssumeRole"
            }]
          }'
         
        aws iam attach-role-policy \
          --role-name PrevasioImagePushHandlerRole \
          --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

    1. PrevasioECRExclusionsRole (IAM Role)

      PrevasioECRExclusionsRoleis an IAM role for thePrevasioECRExclusionsFunctionLambda, granting it basic execution rights and permissions to read and update ECR repository policies.

      Do the following:

      1. Open IAM Console
      2. Go to Roles > Click Create Role.
      3. In the Trusted Entity Type field: Choose theAWS service.
      4. In the Use case dropdown: Choose Lambda.
      5. Click Next.
      6. Permissions: Attach: AWSLambdaBasicExecutionRole.
      7. Click Next.
      8. Enter Role name: PrevasioECRExclusionsRole.
      9. Click Create Role.
      10. Go to the Role Permissions, click Add inline policy.

      11. On the JSON tab, enter:

        Copy 
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "ecr:GetRepositoryPolicy",
                "ecr:SetRepositoryPolicy",
                "ecr:DescribeRepositories"
              ],
              "Resource": "*"
            }
          ]
        }

      12. Click Review policy, name itPrevasioECRExclusionsPolicy, then click Create Policy

      13. On the AWS CLI:

        # 1. Create the custom policy

        Copy 
        aws iam create-policy \
          --policy-name PrevasioECRExclusionsPolicy \
          --policy-document '{
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Action": [
                "ecr:GetRepositoryPolicy",
                "ecr:SetRepositoryPolicy",
                "ecr:DescribeRepositories"
              ],
              "Resource": "*"
            }]
          }'

        # 2. Create the role

        Copy 
        aws iam create-role \
          --role-name PrevasioECRExclusionsRole \
          --assume-role-policy-document '{
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Principal": {"Service": "lambda.amazonaws.com"},
              "Action": "sts:AssumeRole"
            }]
          }'

        # 3. Attach the built-in policy

        Copy 
        aws iam attach-role-policy \
          --role-name PrevasioECRExclusionsRole \
          --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

        # 4. Attach the custom policy (replace <ACCOUNT_ID> with your AWS account ID)

        Copy 
        aws iam attach-role-policy \
          --role-name PrevasioECRExclusionsRole \
          --policy-arn arn:aws:iam::<ACCOUNT_ID>:policy/PrevasioECRExclusionsPolicy

    1. PrevasioECRExclusionsFunction (Lambda Function)

      This Lambda function updates ECR repository policies to add App Analyzer IAM roles from access exclusions.

      Do the following:

      2. Save the code as index.py and zip it as function.zip.

      3. Create a lambda function following the steps in either I or II below:

        1. Open the AWS Lambda Console.

          1. Click Create function

          2. Select the option Author from scratch:

          3. Enter the function Name: PrevasioECRExclusionsFunction <TenantId> (replace <TenantId> as needed)

          4. Select from the Runtime dropdown: Python 3.11

          5. Under Role: select Use existing role and then select PrevasioECRExclusionsRole

          6. After the lambda function creation finishes,go to the Code source of the lambda function, andclick Upload from > .zip file > Upload function.zip

          7. Set Handler to index.handler

          8. Set Memory: 128 MB

          9. Set Timeout: 60 seconds

          10. Under Configuration > Environment variables, add:

            1. Key: algosecRole

            2. Value: The role ARN that you have created in step 1.

          11. For the source code,upload the function.zip you downloaded or created from the above link.

          12. Click Create function

        2. On the AWS CLI, run the following:

          Copy 
          aws lambda create-function \
            --function-name PrevasioECRExclusionsFunction<TenantId> \
            --runtime python3.11 \
            --role arn:aws:iam::<ACCOUNT_ID>:role/PrevasioECRExclusionsRole \
            --handler index.handler \
            --timeout 60 \
            --memory-size 128 \
            --environment Variables={algosecRole=<AlgosecRoleArn>} \
            --zip-file fileb://function.zip

          3. Note: Replace <ACCOUNT_ID>, <TenantId>, <AlgosecRoleArn>, and use the code from the provided link as index.py.

    1. PrevasioImagePushHandlerFunction (Lambda Function)

      This Lambda function is triggered when an image is pushed to a repository, and sends a request to App Analyzer to scan the image.

      Do the following:

      2. Save the code as index.py and zip it as function.zip.

      3. In the downloaded file, replace the following values :

        For the value of the <algosaas_host> and <prevasio_host>, use the url for your region:

        To generate the value of <additionals> do the following:

        1. Create this JSON:

          Copy 
          {"tenantId":"ALGOSEC_TENANT_ID","clientId":"ALGOSEC_CLIENT_ID","clientSecret":"ALGOSEC_CLIENT_SECRET"}
        2. Convert it to a string
        3. Convert the string to UTF-8 bytes

        4. Base64-encode it using your preferred method

          For example (bash):

          Copy 
          tenantId="your-tenant-id"
          clientId="your-client-id"
          clientSecret="your-client-secret"
           
          json=$(printf '{"tenantId":"%s","clientId":"%s","clientSecret":"%s"}' "$tenantId" "$clientId" "$clientSecret")
          encoded=$(echo -n "$json" | base64)
           
          echo "$encoded"

      4. Create a lambda function following the steps in either I or II below:

        1. Open the AWS Lambda Console. .

          1. Click Create function.

          2. Select the option: Author from scratch

          3. Enter the function Name:PrevasioImagePushHandlerFunction<TenantId>(replace <TenantId> as needed)

          4. Select from the Runtime dropdown:Python 3.11

          5. Under Role: select Use existing role and then select PrevasioImagePushHandlerRole

          6. After the Lambda function is created, go to Code source, click Upload from > .zip file > Upload function.zip

          7. Set Handler toindex.handler

          8. Set Memory:128 MB

          9. Set Timeout:10 seconds

          10. ClickCreate function

        2. On the AWS CLI, run the following:

          Copy 
          aws lambda create-function \
            --function-name PrevasioImagePushHandlerFunction<TenantId> \
            --runtime python3.11 \
            --role arn:aws:iam::<ACCOUNT_ID>:role/PrevasioImagePushHandlerRole \
            --handler index.handler \
            --timeout 10 \
            --memory-size 128 \
            --zip-file fileb://function.zip

          Note: Replace <ACCOUNT_ID>, <TenantId>, and use the code from the provided link as index.py.

    1. PrevasioImagePushedEventBridgeRule (EventBridge Rule)

      PrevasioImagePushedEventBridgeRule is an EventBridge rule that listens for successful ECR image push events and triggers the PrevasioImagePushHandlerFunction Lambda function.

      Do the following:

      1. Open Amazon EventBridge Console.

      2. ClickCreate rule.

      3. Enter Rule Name: PrevasioImagePushedEventBridgeRule.

      4. Choose Rule with an event pattern as the Rule type.

      5. In the Event Pattern section, select Custom pattern (JSON editor) and paste:

        Copy 
        {
          "source": ["aws.ecr"],
          "detail-type": ["ECR Image Action"],
          "detail": {
            "result": ["SUCCESS"]
          }
        }

      6. Under Target:

        • Target type:AWS service
        • Function:Select PrevasioImagePushHandlerFunction

      7. Click Next, review, and click Create rule.

      8. On the AWS CLI:

        • Create the rule:

        Copy 
        aws events put-rule \
          --name PrevasioImagePushedEventBridgeRule \
          --event-pattern '{
            "source": ["aws.ecr"],
            "detail-type": ["ECR Image Action"],
            "detail": {"result": ["SUCCESS"]}
          }'
         
        aws events put-targets \
          --rule PrevasioImagePushedEventBridgeRule \
          --targets '[{"Id": "PrevasioImagePushHandlerFunction<TenantId>", "Arn": "<LambdaFunctionArn>"}]'

        • Add the target:

        Copy 
        aws events put-targets \
          --rule PrevasioImagePushedEventBridgeRule \
          --targets '[{"Id": "PrevasioImagePushHandlerFunction<TenantId>", "Arn": "<LambdaFunctionArn>"}]'

      Note: Replace <TenantId> and <LambdaFunctionArn> with your actual values.

    1. PrevasioInvokeImagePushHandlerFunctionPermission (Lambda Permission)

      PrevasioInvokeImagePushHandlerFunctionPermission is a Lambda permission that allows EventBridge to invoke the PrevasioImagePushHandlerFunction when an event (such as an ECR image push) matches a defined rule.

      Do the following:

      1. Open the AWS Lambda Console.

      2. Find the Lambda function:PrevasioImagePushHandlerFunction

      3. Open the function and navigate to theConfiguration tab > Permissions

      4. Under Resource-based policy, clickAdd permissions > Add permissions to Lambda function

      5. Set the following values:

        • Principal: events.amazonaws.com
        • Action: lambda:InvokeFunction
        • Source ARN: Use the ARN of the EventBridge rule that triggers the function

      6. On the AWS CLI:

        Copy 
        aws lambda add-permission \
          --function-name PrevasioImagePushHandlerFunction \
          --action lambda:InvokeFunction \
          --principal events.amazonaws.com \
          --source-arn arn:aws:events:<REGION>:<ACCOUNT_ID>:rule/<RULE_NAME> \
          --statement-id AllowEventBridgeInvoke

      Note: Replace <REGION>, <ACCOUNT_ID>, and <RULE_NAME> with your actual values.

    1. Run PrevasioECRExclusionsFunction

      This step executes the PrevasioECRExclusionsFunction Lambda manually to apply ECR access exclusions.

      Do the following:

      1. Open the AWS Lambda Console.

      2. Search for and open the function: PrevasioECRExclusionsFunction

      3. ClickTest

      4. In the test event dialog:

        1. Enter any name (e.g., TestInvoke)
        2. Input the following JSON payload:
          Copy 
          {"RequestType": "Create"}
        3. Click Save

      5. Click Test again to execute the function

      6. Review logs and output in the Execution resultspanel

      7. On the AWS CLI:

        Copy 
        aws lambda invoke \
          --function-name PrevasioECRExclusionsFunction \
          --payload '{"RequestType": "Create"}' \
          response.json

  7. Onboard the account through the API. For details, refer to the API documentation on adding or editing an AWS account. See Add/edit an AWS account.

  8. (optional) Set up data collection for CloudTrail events. See Collect Data Events with CloudTrail .

Do the following:

  1. Create an AWS IAM Role for ACE that includes the required permissions (referenced HERE). For detailed steps on setting up the role, see HERE. After creating the role, copy its ARN roleArn for use in the request.

  2. Define your externalId using the following suggested format: algosec-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

  3. Add AWS AlgoSec Account ID (ALGOSEC_ACCOUNT_ID) to the IAM role Trust relationships with a condition to provide the externalId. Use the ALGOSEC_ACCOUNT_ID based on the region of the AlgoSec environment you are onboarded to as provided HERE.

    For example:

    Copy 
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<ALGOSEC_ACCOUNT_ID>:root"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "algosec-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
                    }
                }
            }
        ]
    }

  4. Manually Add VM permissions (Optional): Add the AWS EC2 scanning IAM permissions to the created IAM role. You can find the permissions under Additional optional permissions.

  5. Manually onboard KSPM (Optional): The permissions for Kubernetes scan should be granted at the level of the Cluster. Follow the For Kubernetes Cluster Scan instructions under Additional optional permissions.

    1. PrevasioImagePushHandlerRole (IAM Role)

      PrevasioImagePushHandlerRoleis an IAM role assumed by thePrevasioImagePushHandlerFunctionLambda, granting it basic execution permissions.

      Do the following:

      1. Open IAM Console.
      2. Go toRoles > Click Create role.
      3. In the Trusted Entity Type field: Choose theAWS service.
      4. In the Use case dropdown: Choose Lambda.
      5. Click Next
      6. Permissions: Attach the policy:AWSLambdaBasicExecutionRole.
      7. Click Next
      8. Enter Role name: PrevasioImagePushHandlerRole.
      9. Click Create role

      10. On the AWS CLI, enter:

        Copy 
        aws iam create-role \
          --role-name PrevasioImagePushHandlerRole \
          --assume-role-policy-document '{
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Principal": {"Service": "lambda.amazonaws.com"},
              "Action": "sts:AssumeRole"
            }]
          }'
         
        aws iam attach-role-policy \
          --role-name PrevasioImagePushHandlerRole \
          --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

    1. PrevasioECRExclusionsRole (IAM Role)

      PrevasioECRExclusionsRoleis an IAM role for thePrevasioECRExclusionsFunctionLambda, granting it basic execution rights and permissions to read and update ECR repository policies.

      Do the following:

      1. Open IAM Console
      2. Go to Roles > Click Create Role.
      3. In the Trusted Entity Type field: Choose theAWS service.
      4. In the Use case dropdown: Choose Lambda.
      5. Click Next.
      6. Permissions: Attach: AWSLambdaBasicExecutionRole.
      7. Click Next.
      8. Enter Role name: PrevasioECRExclusionsRole.
      9. Click Create Role.
      10. Go to the Role Permissions, click Add inline policy.

      11. On the JSON tab, enter:

        Copy 
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "ecr:GetRepositoryPolicy",
                "ecr:SetRepositoryPolicy",
                "ecr:DescribeRepositories"
              ],
              "Resource": "*"
            }
          ]
        }

      12. Click Review policy, name itPrevasioECRExclusionsPolicy, then click Create Policy

      13. On the AWS CLI:

        # 1. Create the custom policy

        Copy 
        aws iam create-policy \
          --policy-name PrevasioECRExclusionsPolicy \
          --policy-document '{
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Action": [
                "ecr:GetRepositoryPolicy",
                "ecr:SetRepositoryPolicy",
                "ecr:DescribeRepositories"
              ],
              "Resource": "*"
            }]
          }'

        # 2. Create the role

        Copy 
        aws iam create-role \
          --role-name PrevasioECRExclusionsRole \
          --assume-role-policy-document '{
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Principal": {"Service": "lambda.amazonaws.com"},
              "Action": "sts:AssumeRole"
            }]
          }'

        # 3. Attach the built-in policy

        Copy 
        aws iam attach-role-policy \
          --role-name PrevasioECRExclusionsRole \
          --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

        # 4. Attach the custom policy (replace <ACCOUNT_ID> with your AWS account ID)

        Copy 
        aws iam attach-role-policy \
          --role-name PrevasioECRExclusionsRole \
          --policy-arn arn:aws:iam::<ACCOUNT_ID>:policy/PrevasioECRExclusionsPolicy

    1. PrevasioECRExclusionsFunction (Lambda Function)

      This Lambda function updates ECR repository policies to add App Analyzer IAM roles from access exclusions.

      Do the following:

      2. Save the code as index.py and zip it as function.zip.

      3. Create a lambda function following the steps in either I or II below:

        1. Open the AWS Lambda Console.

          1. Click Create function

          2. Select the option Author from scratch:

          3. Enter the function Name: PrevasioECRExclusionsFunction <TenantId> (replace <TenantId> as needed)

          4. Select from the Runtime dropdown: Python 3.11

          5. Under Role: select Use existing role and then select PrevasioECRExclusionsRole

          6. After the lambda function creation finishes,go to the Code source of the lambda function, andclick Upload from > .zip file > Upload function.zip

          7. Set Handler to index.handler

          8. Set Memory: 128 MB

          9. Set Timeout: 60 seconds

          10. Under Configuration > Environment variables, add:

            1. Key: algosecRole

            2. Value: The role ARN that you have created in step 1.

          11. For the source code,upload the function.zip you downloaded or created from the above link.

          12. Click Create function

        2. On the AWS CLI, run the following:

          Copy 
          aws lambda create-function \
            --function-name PrevasioECRExclusionsFunction<TenantId> \
            --runtime python3.11 \
            --role arn:aws:iam::<ACCOUNT_ID>:role/PrevasioECRExclusionsRole \
            --handler index.handler \
            --timeout 60 \
            --memory-size 128 \
            --environment Variables={algosecRole=<AlgosecRoleArn>} \
            --zip-file fileb://function.zip

          3. Note: Replace <ACCOUNT_ID>, <TenantId>, <AlgosecRoleArn>, and use the code from the provided link as index.py.

    1. PrevasioImagePushHandlerFunction (Lambda Function)

      This Lambda function is triggered when an image is pushed to a repository, and sends a request to App Analyzer to scan the image.

      Do the following:

      2. Save the code as index.py and zip it as function.zip.

      3. In the downloaded file, replace the following values :

        For the value of the <algosaas_host> and <prevasio_host>, use the url for your region:

        To generate the value of <additionals> do the following:

        1. Create this JSON:

          Copy 
          {"tenantId":"ALGOSEC_TENANT_ID","clientId":"ALGOSEC_CLIENT_ID","clientSecret":"ALGOSEC_CLIENT_SECRET"}
        2. Convert it to a string
        3. Convert the string to UTF-8 bytes

        4. Base64-encode it using your preferred method

          For example (bash):

          Copy 
          tenantId="your-tenant-id"
          clientId="your-client-id"
          clientSecret="your-client-secret"
           
          json=$(printf '{"tenantId":"%s","clientId":"%s","clientSecret":"%s"}' "$tenantId" "$clientId" "$clientSecret")
          encoded=$(echo -n "$json" | base64)
           
          echo "$encoded"

      4. Create a lambda function following the steps in either I or II below:

        1. Open the AWS Lambda Console. .

          1. Click Create function.

          2. Select the option: Author from scratch

          3. Enter the function Name:PrevasioImagePushHandlerFunction<TenantId>(replace <TenantId> as needed)

          4. Select from the Runtime dropdown:Python 3.11

          5. Under Role: select Use existing role and then select PrevasioImagePushHandlerRole

          6. After the Lambda function is created, go to Code source, click Upload from > .zip file > Upload function.zip

          7. Set Handler toindex.handler

          8. Set Memory:128 MB

          9. Set Timeout:10 seconds

          10. ClickCreate function

        2. On the AWS CLI, run the following:

          Copy 
          aws lambda create-function \
            --function-name PrevasioImagePushHandlerFunction<TenantId> \
            --runtime python3.11 \
            --role arn:aws:iam::<ACCOUNT_ID>:role/PrevasioImagePushHandlerRole \
            --handler index.handler \
            --timeout 10 \
            --memory-size 128 \
            --zip-file fileb://function.zip

          Note: Replace <ACCOUNT_ID>, <TenantId>, and use the code from the provided link as index.py.

    1. PrevasioImagePushedEventBridgeRule (EventBridge Rule)

      PrevasioImagePushedEventBridgeRule is an EventBridge rule that listens for successful ECR image push events and triggers the PrevasioImagePushHandlerFunction Lambda function.

      Do the following:

      1. Open Amazon EventBridge Console.

      2. ClickCreate rule.

      3. Enter Rule Name: PrevasioImagePushedEventBridgeRule.

      4. Choose Rule with an event pattern as the Rule type.

      5. In the Event Pattern section, select Custom pattern (JSON editor) and paste:

        Copy 
        {
          "source": ["aws.ecr"],
          "detail-type": ["ECR Image Action"],
          "detail": {
            "result": ["SUCCESS"]
          }
        }

      6. Under Target:

        • Target type:AWS service
        • Function:Select PrevasioImagePushHandlerFunction

      7. Click Next, review, and click Create rule.

      8. On the AWS CLI:

        • Create the rule:

        Copy 
        aws events put-rule \
          --name PrevasioImagePushedEventBridgeRule \
          --event-pattern '{
            "source": ["aws.ecr"],
            "detail-type": ["ECR Image Action"],
            "detail": {"result": ["SUCCESS"]}
          }'
         
        aws events put-targets \
          --rule PrevasioImagePushedEventBridgeRule \
          --targets '[{"Id": "PrevasioImagePushHandlerFunction<TenantId>", "Arn": "<LambdaFunctionArn>"}]'

        • Add the target:

        Copy 
        aws events put-targets \
          --rule PrevasioImagePushedEventBridgeRule \
          --targets '[{"Id": "PrevasioImagePushHandlerFunction<TenantId>", "Arn": "<LambdaFunctionArn>"}]'

      Note: Replace <TenantId> and <LambdaFunctionArn> with your actual values.

    1. PrevasioInvokeImagePushHandlerFunctionPermission (Lambda Permission)

      PrevasioInvokeImagePushHandlerFunctionPermission is a Lambda permission that allows EventBridge to invoke the PrevasioImagePushHandlerFunction when an event (such as an ECR image push) matches a defined rule.

      Do the following:

      1. Open the AWS Lambda Console.

      2. Find the Lambda function:PrevasioImagePushHandlerFunction

      3. Open the function and navigate to theConfiguration tab > Permissions

      4. Under Resource-based policy, clickAdd permissions > Add permissions to Lambda function

      5. Set the following values:

        • Principal: events.amazonaws.com
        • Action: lambda:InvokeFunction
        • Source ARN: Use the ARN of the EventBridge rule that triggers the function

      6. On the AWS CLI:

        Copy 
        aws lambda add-permission \
          --function-name PrevasioImagePushHandlerFunction \
          --action lambda:InvokeFunction \
          --principal events.amazonaws.com \
          --source-arn arn:aws:events:<REGION>:<ACCOUNT_ID>:rule/<RULE_NAME> \
          --statement-id AllowEventBridgeInvoke

      Note: Replace <REGION>, <ACCOUNT_ID>, and <RULE_NAME> with your actual values.

    1. Run PrevasioECRExclusionsFunction

      This step executes the PrevasioECRExclusionsFunction Lambda manually to apply ECR access exclusions.

      Do the following:

      1. Open the AWS Lambda Console.

      2. Search for and open the function: PrevasioECRExclusionsFunction

      3. ClickTest

      4. In the test event dialog:

        1. Enter any name (e.g., TestInvoke)
        2. Input the following JSON payload:
          Copy 
          {"RequestType": "Create"}
        3. Click Save

      5. Click Test again to execute the function

      6. Review logs and output in the Execution resultspanel

      7. On the AWS CLI:

        Copy 
        aws lambda invoke \
          --function-name PrevasioECRExclusionsFunction \
          --payload '{"RequestType": "Create"}' \
          response.json

  1. Integrate the code below into your Terraform toolkit. In the code below, enter your roleArn and externalId values.

    Also, make the following parameter value replacements in the Locals section:

    Parameter Description Notes 
    auth_url

    URL to authorize ACE

    • For US use: 

      https://us.app.algosec.com/api/algosaas/auth/v1/access-keys/login

    • For EMEA use: 

      https://eu.app.algosec.com/api/algosaas/auth/v1/access-keys/login

    • For ANZ use: 

      https://.anz.app.algosec.com/api/algosaas/auth/v1/access-keys/login

    • For ME use: 

      https://me.app.algosec.com/api/algosaas/auth/v1/access-keys/login

    • For UAE use: 

      https://uae.app.algosec.com/api/algosaas/auth/v1/access-keys/login

    • For IND use: 

      https://ind.app.algosec.com/api/algosaas/auth/v1/access-keys/login

    • For SGP use: 

      https://sgp.app.algosec.com/api/algosaas/auth/v1/access-keys/login
    		 
    url

    URL to onboard AWS

    • For US use: 

      https://us.app.algosec.com/api/algosaas/onboarding/v1/aws

    • For EMEA use: 

      https://eu.app.algosec.com/api/algosaas/onboarding/v1/aws

    • For ANZ use: 

      https://anz.app.algosec.com/api/algosaas/onboarding/v1/aws

    • For ME use: 

      https://me.app.algosec.com/api/algosaas/onboarding/v1/aws

    • For UAE use: 

      https://uae.app.algosec.com/api/algosaas/onboarding/v1/aws

    • For IND use: 

      https://ind.app.algosec.com/api/algosaas/onboarding/v1/aws

    • For SGP use: 

    • https://sgp.app.algosec.com/api/algosaas/onboarding/v1/aws

    • For SGP use: 

      https://api.cloudflow.sgp.app.algosec.com/cloudflow/api/admin/v1/onboarding/aws/api
    		 
    tenant

    Your ACE Tenant ID

    		 
    clientId

    Client ID

    		 This is part of Access Key details. In ACE, go to Access Management > API ACCESS tab. Create a new API Access Key or use an existing one. See here. 
    secret

    Client Secret of the API Access Key

    		 This is part of Access Key details. In ACE, go to Access Management > API ACCESS tab. Create a new API Access Key or use an existing one. See here.
    Copy 
    locals {
                                        auth_url  = "xxxxxxxxxxxxxxxxx"
                                        url       = "xxxxxxxxxxxxxxxxx"
                                        tenant    = "xxxxxxxxxxxxxxxxx"
                                        clientId = "xxxxxxxxxxxxxxxxx"
                                        secret    = "xxxxxxxxxxxxxxxxx"
                                        }

                                        data "http" "auth" {
                                        url    = local.auth_url
                                        method = "POST"
                                        # Optional request headers
                                        request_headers = {
                                        Accept = "application/json"
                                        }
                                        request_body = jsonencode({ tenantId : local.tenant, clientId : local.clientId, clientSecret : local.secret })
                                        lifecycle {
                                        postcondition {
                                        condition     = contains([200, 201, 204], self.status_code)
                                        error_message = "Authorization failed"

                                        }
                                        }
                                        }

                                        locals {
                                        auth_response = jsondecode(data.http.auth.response_body)
                                        auth_token    = local.auth_response.access_token
                                        }

                                        data "http" "onboard_account" {
                                        url    = local.url
                                        method = "POST"
                                        request_headers = {
                                        Accept        = "application/json"
                                        Authorization = "Bearer ${local.auth_token}"
                                        }
                                        request_body = jsonencode({
                                        "roleArn" : "arn:aws:iam::xxx:role/AceRole ",
                                        "externalId" : "algosec-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
                                        "name" : "test",
                                        "supportChanges" : false, //to enable change policy permissions, see AWS permissions page in the tech docs
                                        "flowLogs" : true/false, //For more information VPC Flow Logs section in tech docs
                                        "event" : { "RequestType" : "Create"}
                                        })
                                        lifecycle {
                                        postcondition {
                                        condition     = contains([200, 201, 204], self.status_code)
                                        error_message = "Authorization failed",
                                        }
                                        }
                                        }

                                        ######################################################################
                                        # Print the created data to console

                                        output "onboard_status" {
                                        value = data.http.onboard_account.status_code
                                    }

  1. (optional) Set up data collection for CloudTrail events. See Collect Data Events with CloudTrail .

Offboard AWS accounts from ACE

If you remove onboarded accounts from AWS, they will not automatically disappear from Cloud Network Security. Avoid discrepancies in your account management by following these steps to manually offboard accounts from ACE.

You can offboard AWS accounts from ACE using any of the following methods:

  • AWS Console

    1. Go to the page Delete an AWS account.

    2. Follow the instructions on the page.

  • Do the following:

    From the AWS CLI run the following command:

    aws cloudformation delete-stack --stack-name <stack-name>

    Note: Replace <stack-name> with the name of the stack to offboard.

 

â See also: