
Configure AWS Cloud Security Posture Management (CSPM)

Estimated Time to Complete: 10 minutes


To enable the ActZero team to monitor your AWS environment, you need to complete a few steps to configure a connection from your cloud environment to ActZero. Use the instructions below to set up an AWS IAM role with the necessary read-only permissions.

Overview

  • The CloudFormation template will create a read-only IAM Role that is assumable by ActZero to analyze AWS services and their configurations
  • Once ActZero receives the data over a secure HTTPS connection, it will remain encrypted at rest

Run CloudFormation Automation

For a single AWS account

  1. Obtain the cspm-iam-role.yml CloudFormation template from your Technical Account Manager
  2. Log in to your AWS Management Console
  3. Use the Find Services search field to find and select CloudFormation
  4. In the CloudFormation Dashboard, click Create stack, and choose with new resources (standard)
  5. Under Prerequisite - Prepare template, leave the default option Template is ready selected
  6. Under Specify template, choose Upload a template file. Click Choose file and select the cspm-iam-role.yml file mentioned in step 1, then click Next
  7. Enter a Stack name
    • This template does not require any inputs, and should be deployed with only the default values
  8. On the Configure stack options page, leave all options as default, and click Next
  9. Scroll to the bottom of the Review page, and under Capabilities, click the button to acknowledge that CloudFormation may create IAM resources on your behalf, and then click Create Stack
  10. Within a few minutes, the automation will complete, as shown by the Status of the CloudFormation stack
  11. Once the deployment is complete, notify your Technical Account Manager

For multiple AWS accounts

Ensure you are able to perform CloudFormation stack set operations through either self-managed or AWS Organizations permissions in your environment by following the official AWS documentation

Once CloudFormation stack set operations have been enabled in your environment:

  1. Obtain the cspm-iam-role.yml CloudFormation template from your Technical Account Manager
  2. Log in to your AWS Organization root or Administrator account via the AWS Management Console
  3. Use the Find Services search field to find and select CloudFormation
  4. In the left-hand menu, click StackSets
  5. Click Create StackSet
  6. Depending on whether you're using AWS Organizations or creating the necessary IAM roles yourself, choose either Service-managed permissions or Self-service permissions
  7. Select Template is ready
  8. Select Upload a template file and choose the cspm-iam-role.yml template mentioned in step 1, then click Next
  9. Enter a StackSet name, and optionally, a StackSet description
    • The recommended name for the StackSet is CSPMCustomerAccountRole
    • This template does not require any inputs, and should be deployed with only the default values
    • Click Next
  10. On the Configure StackSet options page, add any desired tags, select Active in the Execution configuration section, and click Next
  11. On the Set deployment options page
    • Select Deploy new stacks
    • Select either Deploy to organization or Deploy to organizational units (OUs)
      • If you choose to deploy to OUs, add up to 10 OU IDs and any desired account filters
    • Select Activated under Automatic deployment and Delete stacks under Account removal behavior
    • Add the desired region to the Specify regions box
      NOTE: Select only one region. IAM roles are global, so deploying to more than one region causes conflicts
  12. In the Deployment options section
    • Select the Maximum concurrent accounts to deploy to. For larger AWS environments, we recommend configuring this value to deploy to a few accounts at a time
    • Select the Failure tolerance; the deployment stops once the number of failed deployments reaches this value
    • Leave Region concurrency as is, and click Next
  13. Scroll to the bottom of the Review page, and under Capabilities, click the button to acknowledge that CloudFormation may create IAM resources on your behalf, and then click Submit
  14. Within a few minutes, the deployment will complete, as shown by the Detailed Status on the Stack instances tab of the CSPMCustomerAccountRole StackSet
  15. Once the deployment is complete, notify your Technical Account Manager
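Before notifying your Technical Account Manager after either the single-account or the StackSet deployment, it is worth confirming that the role the template created trusts only the expected ActZero principal and grants only read actions. The following is an added Python example, not ActZero's or AWS's own code: `check_role` assumes boto3 and AWS credentials, ROLE_NAME and TRUSTED_ACCOUNT are placeholders to fill in from the template and your Technical Account Manager, and the SAMPLE_* documents are constructed.

```python
# Added post-deployment check for the CSPM role; not ActZero's or AWS's own code.
# ROLE_NAME and TRUSTED_ACCOUNT are placeholders (from the template and your TAM); SAMPLE_* is constructed.
import re
ROLE_NAME = "REPLACE-WITH-ROLE-NAME-FROM-TEMPLATE"   # placeholder
TRUSTED_ACCOUNT = "REPLACE-WITH-ACTZERO-ACCOUNT-ID"  # placeholder, supplied by your TAM
READ_VERBS = re.compile(r"^(Get|List|Describe|View|Lookup|Search|Check|BatchGet)")  # read-only verbs
_as_list = lambda v: v if isinstance(v, list) else [v]  # IAM allows a scalar or a list in most fields

def trust_findings(trust_doc, trusted_account):
    """Flag Allow statements letting any principal other than trusted_account assume the role."""
    findings = []
    for stmt in trust_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        prin = stmt.get("Principal", {})
        prin = prin if isinstance(prin, dict) else {"AWS": prin}  # bare "*" means everyone
        for principal in _as_list(prin.get("AWS", [])):
            if principal == "*" or trusted_account not in principal:
                findings.append(f"unexpected trusted principal: {principal}")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("no sts:ExternalId condition on AssumeRole statement")
    return findings

def write_actions(policy_doc):
    """Return Allow actions in a permissions policy that are not read-only."""
    bad = []
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            verb = action.split(":", 1)[-1].rstrip("*")  # "ec2:Describe*" -> "Describe", "*" -> ""
            if not verb or not READ_VERBS.match(verb):
                bad.append(action)
    return bad

def check_role(role_name=ROLE_NAME, trusted_account=TRUSTED_ACCOUNT):
    """Fetch the deployed role with boto3 and run both checks (needs AWS credentials)."""
    import boto3  # imported here so the offline checks above do not need it
    iam = boto3.client("iam")
    role = iam.get_role(RoleName=role_name)["Role"]
    findings = trust_findings(role["AssumeRolePolicyDocument"], trusted_account)
    for att in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]:
        version = iam.get_policy(PolicyArn=att["PolicyArn"])["Policy"]["DefaultVersionId"]
        doc = iam.get_policy_version(PolicyArn=att["PolicyArn"], VersionId=version)["PolicyVersion"]["Document"]
        findings += [f"{att['PolicyName']} allows write action {a}" for a in write_actions(doc)]
    for name in iam.list_role_policies(RoleName=role_name)["PolicyNames"]:
        doc = iam.get_role_policy(RoleName=role_name, PolicyName=name)["PolicyDocument"]
        findings += [f"inline {name} allows write action {a}" for a in write_actions(doc)]
    return findings

SAMPLE_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "*"]}}]}
SAMPLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*", "s3:GetBucketPolicy", "iam:PassRole"]}]}
```

An empty list from `check_role()` means the trust policy names only the expected account and every allowed action is read-only; anything else should be raised with your Technical Account Manager before enabling monitoring.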