Onboard AWS accounts to Cloud Network Security

This topic explains how to onboard AWS accounts to AppViz Cloud Network Security.

Note: Seamless AWS Account Onboarding: An early availability feature in ASMS A33.00 is the ability to onboard AWS accounts to both AppViz and ASMS simultaneously. This capability streamlines your onboarding process. Once accounts are added to AppViz, they are automatically onboarded to ASMS. For more details, refer to our ASMS tech docs Onboard AWS accounts to both AlgoSec Cloud and ASMS simultaneously.

For list of required permissions see Permissions required for AWS accounts.

You can choose from three onboarding methods to add new AWS accounts. Whether changes to account resources after onboarding are synced from AWS to AppViz depends on the selected onboarding method.

Note: Changes to onboarded account resources are automatically synced with AppViz once every hour.

Onboarding Methods for AWS Accounts

You can onboard new AWS accounts using one of the following methods:

  • With script - Use scripts to onboard AWS resources. Changes to account resources after onboarding are automatically synced from AWS to AppViz Cloud Network Security.

  • API (single account) - Onboard a single AWS account using the API. Changes to account resources after onboarding are not automatically synced.

  • Terraform - Leverage Terraform, an infrastructure-as-code solution, to onboard AWS accounts into AppViz Cloud Network Security. Changes to account resources after onboarding are automatically synced from AWS to AppViz Cloud Network Security.

Note: Deleting AWS accounts is not automatically synced. To remove AWS accounts from Cloud Network Security after deletion in AWS, refer to Offboard AWS accounts from AppViz.

Onboard AWS accounts

Do the following:

  1. In the AppViz Settings area, click ONBOARDING.

    On the Onboarding Managment page that opens, click +Onboard.

  2. If you are onboarding your first account, click the New Cloud Account button on the welcome page.

  3. Otherwise, click the button and click Next.

    The AWS Onboarding wizard appears.

  4. Select your preferred method to onboard using the Select Onboarding Method dropdown.

    *Automatically syncs changes to accounts from AWS to AppViz after onboarding.
    Onboarding Method Description Automatic sync*
    With script Uses scripts to onboard AWS resources Yes
    API (single account) Onboard a single subscription via API No
    Terraform Onboard AWS resources using Terraform Yes

  5. Onboard AWS accounts using your preferred method:

    During the onboarding process, AppViz connects with your AWS StackSets and any subsequent changes made to StackSets in AWS such as addition or removal of Stacks (accounts) are automatically reflected in AppViz.

    Do the following:

    1. In the Onboarding wizard for AWS, from the Select Onboarding Method dropdown, select With script to select the onboarding method using scripts.

      The Generate CloudFormation template for account(s) onboarding page appears.

    2. Specify the permissions for the role in AWS (these will be embedded in a downloadable CloudFormation template file).

      Permissions settings Description
      Role permissions

      AlgoSec only needs   READ   permissions to provide support for your AWS security policy management. This requirement ensures you can still receive complete security analysis and recommendations while granting the minimal level of access.

      Write permissions can optionally be added for advanced policy change capabilities.

      Retrieve VPC Flow Logs Select to retrieve VPC Flow Logs (flow logs must enabled in AWS for them to be visible in Cloud Network Security). For more information, see VPC Flow Logs. During the onboarding process, Cloud Network Security connects with your AWS StackSets and any subsequent changes made to StackSets in AWS such as addition or removal of Stacks (accounts) are automatically reflected in AppViz.
      Use the same external ID for all accounts Select to use the same external ID for all accounts

    3. Click Download Template. The CloudFormation template file is downloaded to your machine.

    4. Log in to the AWS Console Home.

    5. In the AWS Console Home, click CloudFormation.

    6. Create single or multiple accounts to sync with AppViz.

      1. Click Stacks.

      2. Click Create Stack and select With new resources (standard).

      3. In the Specify Template section, click Upload a Template File. Click Choose file. Browse and select the CloudFormation Template that you downloaded previously. Then click Next.

      4. In the Specify Stack details section, give the Stack a name and then click Next.

        Note: The account name displayed in AppViz is initially the AWS account number (ID) of the user who created the Stack (account) in AWS. To edit the account name in AppViz, see Edit account details.

      5. On the Configure Stack options screen, click Next.

      6. Review the Stack. Select I acknowledge that AWS CloudFormation might create IAM resources.

      7. Click Submit. It may take several minutes for the Stack to be created and the account to appear in AppViz.

      1. Click StackSets.

      2. Click Create StackSet.

      3. In the Specify Template section, click Upload a Template File. Click Choose file. Browse and select the CloudFormation Template that you downloaded previously. Then click Next.

      4. In the Specify StackSet details section, give the StackSet a name and then click Next.

        The Configure StackSet options screen appears.

      5. On the Configure StackSet options screen, click Next.

        The Deployment locations section appears.

      6. In the Deployment locations section, either:

        • Select Deploy stacks in account (and enter the account numbers)

        • Deploy stacks in organizational units (OUs) (and enter the OU IDs)

        Note: The account names displayed in AppViz are initially set to the the AWS account numbers (ID). To edit the account names in AppViz, see Edit account details.

      7. In the Specify regions section, select the region(s) where the stack will be created and managed.

      8. Set Deployment Options based on the needs and requirements of your system. Then click Next.

      9. Review the StackSet. Select I acknowledge that AWS CloudFormation might create IAM resources.

      10. Click Submit. It may take several minutes for the StackSets to be created and the accounts to appear in AppViz.

        Tip: You can check the individual stack instances in CloudFormation>StackSets as follows.

        1. Click the created StackSet.

        2. Click the Stack Instance tab and see which accounts were created and their detailed status.

    Note: For issues onboarding AWS accounts, see Troubleshoot AWS onboarding.

    You can use API calls to add a single AWS account to AppViz.

    Note: Any changes to an account after onboarding are not synced with AppViz. To delete one or more manually added accounts, see Offboard AWS accounts from AppViz.

    Do the following:

    1. Go to the page Add/edit an AWS account.

    2. Follow the instructions on the page.

    You can leverage Terraform, the infrastructure-as-code solution, as another option for onboarding your AWS subscriptions into AppViz.

    Do the following:

    1. Integrate the code below into your Terraform toolkit. Make the following parameter value replacements in the Locals section:

      Parameter Description Notes 
      cf_auth_url

      URL to authorize AppViz

      • For US use: 

        https://app.algosec.com/api/algosaas/auth/v1/access-keys/login

      • For EMEA use: 

        https://api.platform.eu.app.algosec.com/api/algosaas/auth/v1/access-keys/login

      • For ANZ use: 

        https://api.platform.anz.app.algosec.com/api/algosaas/auth/v1/access-keys/login

      • For ME use: 

        https://api.platform.me.app.algosec.com/api/algosaas/auth/v1/access-keys/login

      • For UAE use: 

        https://api.platform.uae.app.algosec.com/api/algosaas/auth/v1/access-keys/login

      • For IND use: 

        https://api.platform.ind.app.algosec.com/api/algosaas/auth/v1/access-keys/login
      		 
      cf_url

      URL to onboard AWS

      • For US use: 

        https://api.cloudflow.us.app.algosec.com/cloudflow/api/admin/v1/onboarding/aws/api

      • For EMEA use: 

        https://api.cloudflow.eu.app.algosec.com/cloudflow/api/admin/v1/onboarding/aws/api

      • For ANZ use: 

        https://api.cloudflow.anz.app.algosec.com/cloudflow/api/admin/v1/onboarding/aws/api

      • For ME use: 

        https://api.cloudflow.me.app.algosec.com/cloudflow/api/admin/v1/onboarding/aws/api

      • For UAE use: 

        https://api.cloudflow.uae.app.algosec.com/cloudflow/api/admin/v1/onboarding/aws/api

      • For IND use: 

        https://api.cloudflow.ind.app.algosec.com/cloudflow/api/admin/v1/onboarding/aws/api
      		 
      tenantId

      Your AppViz Tenant ID

      		   
      clientId

      Client ID

      		 This is part of Access Key details. In AppViz, go to Access Management > API ACCESS tab. Create a new API Access Key or use an existing one. See here. 
      clientSecret

      Client Secret of the API Access Key

      		 This is part of Access Key details. In AppViz, go to Access Management > API ACCESS tab. Create a new API Access Key or use an existing one. See here.
      Copy 
      locals {
        cf_auth_url  = "xxxxxxxxxxxxxxxxx"
        cf_url       = "xxxxxxxxxxxxxxxxx"
        cf_tenant    = "xxxxxxxxxxxxxxxxx"
        cf_client_id = "xxxxxxxxxxxxxxxxx"
        cf_secret    = "xxxxxxxxxxxxxxxxx"
      }

      data "http" "cf_auth" {
        url    = local.cf_auth_url
        method = "POST"
        # Optional request headers
        request_headers = {
          Accept = "application/json"
        }
        request_body = jsonencode({ tenantId : local.cf_tenant, clientId : local.cf_client_id, clientSecret : local.cf_secret })
        lifecycle {
          postcondition {
            condition     = contains([200, 201, 204], self.status_code)
            error_message = "Authorization failed"

          }
        }
      }

      locals {
        auth_response = jsondecode(data.http.cf_auth.response_body)
        auth_token    = local.auth_response.access_token
      }

      data "http" "cf_onboard_account" {
        url    = local.cf_url
        method = "POST"
        request_headers = {
          Accept        = "application/json"
          Authorization = "Bearer ${local.auth_token}"
        }
        request_body = jsonencode({
          "roleArn" : "arn:aws:iam::xxx:role/CloudFlowRole ",
          "externalId" : "algosec-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
          "name" : "test",
          "supportChanges" : false,
          "flowLogs" : false
        })
        lifecycle {
          postcondition {
            condition     = contains([200, 201, 204], self.status_code)
            error_message = "Authorization failed"
          }
        }
      }

      ######################################################################
      # Print the created data to console

      output "onboard_status" {
        value = data.http.cf_onboard_account.status_code
      }

Permissions required for AWS roles

See Permissions required for AWS accounts.

VPC Flow Logs

Tip: For background about VPC Flow Logs, see these: AWS Article: VPC Flow Logs, AWS Blog: VPC Flow Logs.

By enabling VPC flow logs, AppViz can retrieve and analyze flow logs. This provides you with data, shown on the AppViz Risk Trigger and Network Policy pages, about the date when SG rules were last used. On the network policy pages, you can use this data to clean out old or unused rules from your policies.

For more details on the benefits of enabling VPC flow logging, see Last used and Clean up policies

Once flow logs are enabled, AppViz will start displaying details about the last used date for each triggered rule. Follow the steps in Enable AWS VPC flow logging to get started.

Notes:
(1) Allow up to 24 hours for relevant rule usage information to be displayed when enabling flow logs for the first time and when adding accounts that already had flow logs enabled.

(2) VPC flow logs can be stored on either S3 or CloudWatch.AppViz supports collecting flow logs from either option.

(3)AppViz supports processing flow logs only when they are stored in the default log format. More details in this AWS article.

(4) If you configure both S3 and CloudWatch as your VPC Flow Logs targets,AppViz will collect only from the S3 buckets.

(5)AppViz collects only VPC Flow Logs of traffic type “accept”. Make sure that you configure the VPC Flow Logs traffic type to either “Accepted traffic” or “All traffic” (more details in this AWS article)

Enable AWS VPC flow logging

AppViz can work with flow logging enabled at the various levels that AWS allows: VPC, Subnet, Network Interfaces.

To provide optimal performance, the following procedure explains how to enable flow logging at the Network Interface level. Repeat it for each Network Interface requiring flow logging.

Note: For shared VPCs: Enable Flow Logs for Network Interface (ENI) participant accounts (VPC participants can only enable VPC Flow Logs on ENIs they own).

These instructions rely on the creation of an S3 (Simple Storage Service) bucket and configuring VPC Flow Logs to store on it. If you want to create cross account flow logs provide additional permissions to your S3 bucket, as explained below.

Do the following:

  1. Enter your AWS account and open the AWS Management Console.

  2. In the Storage Section, click on S3.
  3. Click the Create Bucket button.
  4. In the dialog that is displayed:
    1. Enter a DNS compliant name for the S3 Bucket.
    2. Verify that the correct region is selected.
    3. Click Next.

    4. Continue clicking Next until you see the Create Bucket button at the bottom right of your screen.

      Note: By clicking Next until now, you have skipped parameters that do not require changes. The S3 Buckets page you just created is displayed.

  5. (Optional) To create cross account flow logs, provide additional permissions to your S3 bucket, see AWS documentation.

  6. Click on your S3 Bucket name.
    On the right, a panel displays the properties of this S3 bucket, permissions and management details. At the top is the Copy Bucket ARN button.

  7. Click the Copy Bucket ARN button.

    The ARN (Amazon Resource Name) is now in your copy buffer. You will use it soon.

    Important: Be sure not to copy anything else into your copy buffer until you are asked to paste this into a field in one of the last steps of this procedure.

  8. From the main AWS page, in the Compute section, click EC2.
  9. On the EC2 dashboard that is displayed, in the left panel Network and Security section, click on Network Interfaces.
    A list of Network Interfaces is displayed.
  10. Select a network interface on which you wish to enable flow logging.
  11. Under the network interface list, click the Flow Logs tab.
  12. Click the Create flow log button.
  13. In the Create flow log page that is displayed:
    1. Select Accept from the Filter dropdown list to indicate that only Accepted Traffic should be collected.
    2. For the Maximum aggregation interval select 10 minutes.
    3. For Destination, select Send to S3 Bucket.
    4. In the ARN field, paste the ARN that you copied in Step #7, above. It should still be in your copy buffer.
    5. Click Create at the bottom of the page.
  14. Optional: View your new flow log:
    1. Go to the Network Interfaces list
    2. Select the Network Interface for which you created the Flow Log.
    3. Click Flow Logs tab under the Network Interface List.
    4. In the Destination Tabs column, click the name of your S3 Bucket.

    You must configure both of the elements below to store VPC Flow Logs in CloudWatch. See this AWS article for more details.

    1. Configure this role trust relationship:

      {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

    2. Configure the following role permissions:

      {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

      Note: For info about required permissions see Permissions required for AWS accounts.

Modify the following parameters as needed:

Parameter Description

TRAFFIC_LOG_FREQUENCY_PERIOD_MINUTES

Determines the frequency, in minutes, at which AppViz collects traffic logs from AWS SGs.

Value: Integer

Default: 60
ENABLE_TRAFFIC_LOGS

Determines whether traffic log collection is enabled for AWS SGs.

Disabling this parameter will cause AppViz to display Flow logs disabled in the Last used column on the risk trigger details pages, even when flow logging is enabled in the AWS SG itself.

Value: Boolean

Default: Enabled
INACTIVE_RULE_PERIOD

Determines the number of days counting back from current day for which AppViz checks flow logs for unused rules.

Range = 1 to 365 days

Default = 30

If flow logs were enabled, available and collected byAppViz for the entire period, SG Rules that did not have a single hit during the period are by definition unused rules.

In the Last used column, unused rules are marked as No traffic logged.

For details, see Last used.

Note: This parameter can also be configured in the Network Policies web interface, when selecting the “Unused rules” cleanup view.

To modify any of these parameters, contact AlgoSec support.

Update details of onboarded AWS accounts

You can update the details for AWS resources already onboarded to AppViz. This is helpful if you need to add or remove write permissions.

Do the following:

  1. In the Onboarding wizard for AWS, from the Select Onboarding Method dropdown, select With script to select the onboarding method using scripts.

    The Generate CloudFormation template for account(s) onboarding page appears.

  2. Specify the permissions for the role in AWS (these will be embedded in a downloadable CloudFormation template file).

    Permissions settings Description
    Role permissions

    AlgoSec only needs   READ   permissions to provide support for your AWS security policy management. This requirement ensures you can still receive complete security analysis and recommendations while granting the minimal level of access.

    Write permissions can optionally be added for advanced policy change capabilities.

    Retrieve VPC Flow Logs Select to retrieve VPC Flow Logs (flow logs must enabled in AWS for them to be visible in Cloud Network Security). For more information, see VPC Flow Logs. During the onboarding process, Cloud Network Security connects with your AWS StackSets and any subsequent changes made to StackSets in AWS such as addition or removal of Stacks (accounts) are automatically reflected in AppViz.
    Use the same external ID for all accounts Select to use the same external ID for all accounts

  3. Click Download Template. The CloudFormation template file is downloaded to your machine.

  4. Log in to the AWS Console Home.

  5. In the AWS Console Home, click CloudFormation.

  6. Update single or multiple accounts.

    1. Click Stacks.

    2. After locating the stack to update, select the bullet to the left of the Stack name and click Update.

    3. In the Specify Template section, click Upload a Template File. Click Choose file. Browse and select the CloudFormation Template that you downloaded previously. Then click Next.

    4. In the Specify Stack details section, click Next.

    5. On the Configure Stack options screen, click Next.

    6. Review the Stack. Select I acknowledge that AWS CloudFormation might create IAM resources.

    7. Click Submit. It may take several minutes for the Stack to be updated in AppViz.

    1. Click StackSets.

    2. After locating the StackSet to update, select the bullet to the left of the StackSet name, click Actions and select Edit StackSet details.

    3. In the Prerequisite - Prepare template section, click Replace current template.

    4. In the Specify Template section, click Upload a Template File. Click Choose file. Browse and select the CloudFormation Template that you downloaded previously. Then click Next.

    5. In the Specify StackSet details section, click Next.

      The Configure StackSet options screen appears.

    6. On the Configure StackSet options screen, click Next.

      The Deployment locations section appears.

    7. In the Deployment locations section, either:

      • Select Deploy stacks in account (and enter the account numbers)

      • Deploy stacks in organizational units (OUs) (and enter the OU IDs)

      Note: The account names displayed in AppViz are initially set to the the AWS account numbers (ID). To edit the account names in AppViz, see Edit account details.

    8. In the Specify regions section, select the region(s) where the stack was created.

    9. Set Deployment Options based on the needs and requirements of your system. Then click Next.

    10. Review the StackSet. Select I acknowledge that AWS CloudFormation might create IAM resources.

    11. Click Submit. It may take several minutes for the StackSets to be updated in AppViz.

Note: For issues onboarding AWS accounts, see Troubleshoot AWS onboarding.

Do the following:

  1. Go to the page Add/edit an AWS account.

  2. Follow the instructions on the page.

Do the following:

  1. Integrate the code below into your Terraform toolkit. Make the following parameter value replacements in the Locals section:

    Parameter Description Notes 
    cf_auth_url

    URL to authorize AppViz

    • For US use: 

      https://app.algosec.com/api/algosaas/auth/v1/access-keys/login

    • For EMEA use: 

      https://api.platform.eu.app.algosec.com/api/algosaas/auth/v1/access-keys/login

    • For ANZ use: 

      https://api.platform.anz.app.algosec.com/api/algosaas/auth/v1/access-keys/login

    • For ME use: 

      https://api.platform.me.app.algosec.com/api/algosaas/auth/v1/access-keys/login

    • For UAE use: 

      https://api.platform.uae.app.algosec.com/api/algosaas/auth/v1/access-keys/login

    • For IND use: 

      https://api.platform.ind.app.algosec.com/api/algosaas/auth/v1/access-keys/login
    		 
    cf_url

    URL to onboard AWS

    • For US use: 

      https://api.cloudflow.us.app.algosec.com/cloudflow/api/admin/v1/onboarding/aws/api

    • For EMEA use: 

      https://api.cloudflow.eu.app.algosec.com/cloudflow/api/admin/v1/onboarding/aws/api

    • For ANZ use: 

      https://api.cloudflow.anz.app.algosec.com/cloudflow/api/admin/v1/onboarding/aws/api

    • For ME use: 

      https://api.cloudflow.me.app.algosec.com/cloudflow/api/admin/v1/onboarding/aws/api

    • For UAE use: 

      https://api.cloudflow.uae.app.algosec.com/cloudflow/api/admin/v1/onboarding/aws/api

    • For IND use: 

      https://api.cloudflow.ind.app.algosec.com/cloudflow/api/admin/v1/onboarding/aws/api
    		 
    tenantId

    Your AppViz Tenant ID

    		   
    clientId

    Client ID

    		 This is part of Access Key details. In AppViz, go to Access Management > API ACCESS tab. Create a new API Access Key or use an existing one. See here. 
    clientSecret

    Client Secret of the API Access Key

    		 This is part of Access Key details. In AppViz, go to Access Management > API ACCESS tab. Create a new API Access Key or use an existing one. See here.
    Copy 
    locals {
      cf_auth_url  = "xxxxxxxxxxxxxxxxx"
      cf_url       = "xxxxxxxxxxxxxxxxx"
      cf_tenant    = "xxxxxxxxxxxxxxxxx"
      cf_client_id = "xxxxxxxxxxxxxxxxx"
      cf_secret    = "xxxxxxxxxxxxxxxxx"
    }

    data "http" "cf_auth" {
      url    = local.cf_auth_url
      method = "POST"
      # Optional request headers
      request_headers = {
        Accept = "application/json"
      }
      request_body = jsonencode({ tenantId : local.cf_tenant, clientId : local.cf_client_id, clientSecret : local.cf_secret })
      lifecycle {
        postcondition {
          condition     = contains([200, 201, 204], self.status_code)
          error_message = "Authorization failed"

        }
      }
    }

    locals {
      auth_response = jsondecode(data.http.cf_auth.response_body)
      auth_token    = local.auth_response.access_token
    }

    data "http" "cf_onboard_account" {
      url    = local.cf_url
      method = "POST"
      request_headers = {
        Accept        = "application/json"
        Authorization = "Bearer ${local.auth_token}"
      }
      request_body = jsonencode({
        "roleArn" : "arn:aws:iam::xxx:role/CloudFlowRole ",
        "externalId" : "algosec-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "name" : "test",
        "supportChanges" : false,
        "flowLogs" : false
      })
      lifecycle {
        postcondition {
          condition     = contains([200, 201, 204], self.status_code)
          error_message = "Authorization failed"
        }
      }
    }

    ######################################################################
    # Print the created data to console

    output "onboard_status" {
      value = data.http.cf_onboard_account.status_code
    }

Offboard AWS accounts from AppViz

If you remove onboarded accounts from AWS, they will not automatically disappear from Cloud Network Security. Avoid discrepancies in your account management by following these steps to manually offboard accounts from AppViz.

You can offboard AWS accounts from AppViz using any of the following methods:

  • AWS Console

    1. Go to the page Delete an AWS account.

    2. Follow the instructions on the page.

  • Do the following:

    From the AWS CLI run the following command:

    aws cloudformation delete-stack --stack-name <stack-name>

    Note: Replace <stack-name> with the name of the stack to offboard.