Security Performance Management
Continuous Monitoring
Cyber Insurance
National Cybersecurity

Articles in this section

See more

Enabling Cloud Infrastructure for AWS Orgs

Avatar
Ingrid
Follow
Publication Date – July 6, 2023

Cloud Infrastructure for Amazon Web Services (AWS) allows us to monitor your company’s cloud IP footprint and automatically update it when addresses are changed or replaced.

To sync an entire AWS tree of accounts into a Bitsight entity, use the AWS Management Account ID. This is done by using the AWS Organizations account to apply the necessary permissions to the entire tree at once. It also enables automatic synchronization for any new AWS accounts added below the main Organizations account, and in the same manner, end-date the scanned assets if an AWS account gets removed.

To scan an entire AWS Tree and all its organizational units in one single set up, use the following instructions. Setting up this feature takes less than 15 minutes. Once complete, we begin collecting your IPs and a self-published report is generated within 3-5 business days. Your AWS infrastructure will be updated daily.

To sync a single AWS account into a Bitsight entity, refer to the standard guide.

Step 1: Integrate Amazon Web Services (AWS)/Add Account

Enable Cloud Infrastructure for AWS by creating a new AWS role dedicated to Bitsight with CloudFormation. Having Bitsight assume this role allows the automated discovery of publicly-assigned IPs associated with your company in AWS. This cross-account role method is recommended by the AWS Technical Account Management team to grant specific permissions to another party.

You must have CloudFormation stack setup permissions in AWS to complete Cloud Infrastructure setup.

Integrate AWS by providing your AWS Organizations Account ID (management account) and its AWS Region, and then creating an AWS CloudFormation stack. We will connect to your AWS account with limited permissions. We use this access to identify your public AWS assigned resources as attributed infrastructure.

  1. Select the + Add Account link at the bottom of the Cloud Infrastructure tab of the Attribution page [ Attack Surface ➔ Attribution].
  2. Enter and confirm your AWS Management Account ID in the provided fields. Your 12-digit account ID is displayed under your user name in the AWS platform dropdown menu.
  3. Select the AWS Region your AWS Organization account and user are in. The correct AWS Region is necessary for the integration to work. Please contact support if your AWS Region is not in the list of options to get it supported.
  4. Select Continue.

Step 2: Create CloudFormation Stack

To create a CloudFormation Stack:

  1. Select Continue Process in CloudFormation to open a new stack creation tab in your instance of AWS using the Bitsight Cloud Infrastructure template. Only deploy the Stack and/or StackSets to the same single region selected previously on the Bitsight UI. Don’t worry - we still scan assets in all your regions.
  2. In the AWS Create stack page, specify a template. See permissions that are included in the template.
  3. Take note of and save the CloudFormation stack S3 URL that is in the form, as it’s going to be needed to create a stack set.
  4. Select the Next button at the bottom-right.
  5. Select the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox.
  6. Select Submit.

Creating a Stack Set with Service Management Permissions

Ensure you’ve successfully integrated AWS/added account and then create a stack set on the same account with service management permissions. The detailed guide on how to create a stack set with service management permissions can be followed on AWS instructions.

Use the same stack formation template as before by extracting it from the S3 URL. If you lost the S3 URL, the content of the original stack formation template can be found under the AWS Management console [CloudFormation ➔ Stack ➔ Template].

It is important to manually remove the PhoneHome permission from the template before applying it as a stack set. This can be done by simply removing the PhoneHomeCustomResource block from the template - it should be around lines 79 through 96, as depicted in the following sample:

Step 3: Set up AWS Self-Published Company/Create Self-Published Company

A new self-published company based on the AWS infrastructure in the account you added will be created. This way, you can have a self-published company and rating for your AWS infrastructure.

Self-published companies are managed like any other subsidiary in your Ratings Tree. It’s classified as a company-provided infrastructure, as the IPs are provided via an automated sync with your company.

See Setting Up an AWS Self-Published Company.

Troubleshooting

Applying StackSets on an AWS Organization account can fail on the AWS end, such as when:

  • The maximum number of IAM roles exists on an account.
  • The account is locked down to prevent automated deployment of IAM resources.
  • There’s too many AWS accounts under the Org and AWS resources throttle in order to apply the StackFormation template.

In those circumstances, try the following:

  • Clean up prior StackSet deployment attempts.
  • Increase the fault tolerance value from the StackSet creation wizard.
  • Inspect for failure reasons from the Stack Instance screen.

AWS has published a lot of information online on the subject, including this useful video: AWS CloudFormation Stack Failure Options | Amazon Web Services. Reach out to Bitsight Support if you need any assistance.

Related articles