Posture Control (DSPM)
Deploying the Orchestrator Template
After adding the orchestrator details, deploy the orchestrator template. The template includes the policies and permissions needed to create the IAM roles that give DSPM read-only access to the account.
To download and deploy the template:
- For Template Type, select CloudFormation or Terraform.
- To deploy the CloudFormation template:
- a. Download the orchestrator template.
Click Orchestrator to download the template as a ZIP file and extract it to your local system.
- b. Create StackSets in the orchestrator account.
- Sign in to the orchestrator account on the AWS console and go to CloudFormation.
- In the left-side navigation, select StackSets.
- Click Create StackSet.
On the Choose a template page:
- IAM admin role ARN - optional: Select the IAM role name from the drop-down menu, and then select AWSCloudformationStackSetAdministratorRole.
- IAM execution role name: AWSCloudformationStackSetExecutionRole is populated by default.
- Prerequisite - Prepare template: Select Template is ready.
- Specify template: Select Upload a template file and click Choose file. Select the downloaded template (YAML file), then click Open.
- Click Next.
On the Specify StackSet Details page:
- StackSet name: Enter a unique name for the StackSet.
- Description (Optional): Enter a description for the StackSet.
- Verify the other fields that are auto-populated.
- Click Next.
On the Configure StackSet options page, under Capabilities, select the I acknowledge checkbox for AWS CloudFormation to create IAM resources with custom names and click Next.
On the Set deployment options page:
- Add stacks to stack set: Select Deploy new stacks.
- Accounts:
- Deployment locations: Select Deploy stacks in accounts.
- Account numbers: Enter the orchestrator account ID that you selected in the DSPM Admin Portal.
- Specify regions: Select the regions in which the DSPM templates must be deployed.
Select the primary region of the orchestrator as the first region, followed by the other regions. DSPM supports all 29 global regions that AWS supports.
- Deployment options:
- Region concurrency: Select Sequential to deploy StackSets in one region at a time.
- Click Next.
On the Review page, review the StackSet details and then click Submit.
On the Operations tab, verify that the StackSet deployed successfully.
- To deploy the Terraform template:
- a. Download the orchestrator template.
Click Orchestrator to download the template as a ZIP file and extract it to your local system. The file includes:
- Multiple Terraform files.
- A README file with instructions for running the template.
- b. Update and deploy the Terraform files.
Update the backend.tf file with the names of the storage services where you want to store the Terraform state files in the orchestrator account. For example:
- bucket: Enter the S3 bucket name.
- region: Enter the primary region.
- dynamoDB_table: Enter the DynamoDB table name.
- Open the Command Prompt or any other CLI app on your local system.
- Switch to the directory that contains the Terraform template.
- Copy and paste the access keys of the orchestrator account and press Enter.
- Run the following commands:
To initialize the Terraform working directory:
terraform init
To verify the changes in the Terraform configuration:
terraform plan
To run the Terraform script:
terraform apply
Under Do you want to perform these actions?, enter yes and then press Enter.
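As an added example (not the vendor's file; the README in the ZIP is authoritative for the exact layout), this is how a backend.tf populated with the three values above looks for Terraform's standard S3 backend, which spells the table argument dynamodb_table. The key path and encrypt = true go beyond the three fields listed above; the bucket and table names are placeholders.

```hcl
terraform {
  backend "s3" {
    # Placeholder values: replace with the bucket and table created in the orchestrator account.
    bucket         = "PLACEHOLDER-dspm-orchestrator-tfstate"
    key            = "dspm/orchestrator/terraform.tfstate"   # assumed object path for the state file
    region         = "us-east-1"                              # primary region of the orchestrator
    dynamodb_table = "PLACEHOLDER-dspm-orchestrator-tflock"  # state locking, so concurrent applies cannot corrupt state
    encrypt        = true                                     # server-side encrypt the state object at rest
  }
}
```

State files for this deployment record the IAM roles it creates, so keep the bucket private and enable versioning on it so an errant apply can be rolled back.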
Click Validate.
If the template is successfully deployed, you are directed to the Overview page to add the target accounts that must be monitored.