ZCSPM

Onboarding an AWS Account

You can onboard your AWS cloud account onto ZCSPM. Once onboarded, ZCSPM reports your account's security posture by evaluating your AWS deployment against all the security policies it offers. To view the security policies, see AWS Security Policies. To onboard an AWS account with ZCSPM, the following prerequisites apply:

    • You need to be a ZCSPM License Admin and an AWS Admin to onboard an AWS account onto ZCSPM.
    • You need to know ZCSPM's AWS account ID and your ZCSPM License ID. You can find both in the email you received from ZCSPM.
    • You must create an IAM role in your AWS account that trusts ZCSPM's AWS account as the principal, requires your ZCSPM License ID as the external ID, and has the AWS managed, read-only SecurityAudit policy attached. The external ID condition means that only an assume-role request carrying your License ID can use the role; without it, any customer of a multi-tenant service that assumes roles across many accounts could trick the service into assuming yours (the confused deputy problem). You can create the role either in the AWS console or with the AWS CLI and the ZCSPM CloudFormation template, as described below.

      Using the AWS console:

      1. Log in to your AWS console.
      2. Click Services, then click IAM.
      3. Click Roles, then Create Role.
      4. Click Another AWS account and enter ZCSPM's AWS account ID.
      5. Select the Require external ID check box.
      6. Enter your ZCSPM License ID in the External ID field.
      7. Click Next: Permissions.
      8. Select the SecurityAudit policy.
      9. Click Next: Tags.
      10. Enter the Role name. You must submit this exact role name to ZCSPM when you onboard your AWS account.
      11. Click Create role.

      Using the AWS CLI and the ZCSPM CloudFormation template:

      1. Make sure the AWS CLI is installed. To learn how to install the AWS CLI, see Install AWS CLI.
      2. Download the provision-datacollection-role.yml template available here.
      3. Log in to your AWS console.
      4. Click your account name in the top-right corner.
      5. Click My Security Credentials.
      6. Copy the Access key ID or create a new one by clicking Create access key. The secret access key is shown only once, when the key is created, so record it at that point. Use the credentials of an IAM identity with administrator rights rather than the root user, and delete any access key you created solely for this procedure once the stack has been deployed.
      7. Open a terminal with the AWS CLI and navigate to the folder where you downloaded the provision-datacollection-role.yml file.
      8. Enter aws configure and provide the access key ID, the secret access key, and your default region.
      9. Create the ZCSPM data collection role by running the following command, substituting a stack name, the role name you want, your ZCSPM License ID, and ZCSPM's AWS account ID:
      aws cloudformation deploy --template-file provision-datacollection-role.yml --stack-name <stack-name> --parameter-overrides RoleName=<role-name> ExternalId=<zcspm-license-id> CloudneetiAWSAccountId=<zcspm-aws-account-id> --capabilities CAPABILITY_NAMED_IAM

      The --capabilities CAPABILITY_NAMED_IAM flag is required because the template creates an IAM role with a name you choose; CloudFormation refuses to create named IAM resources without this explicit acknowledgement. The <role-name> you pass here is the name you must later enter in ZCSPM.
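
Both procedures above produce the same object: an IAM role whose trust policy names ZCSPM's AWS account as the principal, conditions sts:AssumeRole on your License ID as the external ID, and has the AWS managed SecurityAudit policy attached. The following Python script is an added example, not the ZCSPM template or any ZCSPM code. It builds that trust policy, emits the equivalent aws iam create-role and aws iam attach-role-policy commands for anyone who prefers not to use CloudFormation, and audits an existing trust policy (for example the Role.AssumeRolePolicyDocument returned by aws iam get-role --role-name <role-name>) for the two mistakes that matter most: a wildcard or wrong principal, and a missing or wrong external ID. The account ID 123456789012, the license ID and the role name ZCSPM-DataCollection are constructed placeholders, not real ZCSPM values.

```python
"""Build and audit the cross-account IAM trust policy used for ZCSPM onboarding.

Added example, not ZCSPM's own template.  The account ID, license ID and role
name used under __main__ are constructed placeholders.
"""
import json

# AWS managed, read-only policy that the onboarding steps attach to the role.
SECURITY_AUDIT_POLICY_ARN = "arn:aws:iam::aws:policy/SecurityAudit"


def build_trust_policy(zcspm_account_id: str, external_id: str) -> dict:
    """Trust policy equivalent to 'Another AWS account' + 'Require external ID'
    in the console: only the ZCSPM account may call sts:AssumeRole, and only
    when the request carries the License ID as sts:ExternalId."""
    if not (zcspm_account_id.isdigit() and len(zcspm_account_id) == 12):
        raise ValueError("an AWS account ID is exactly 12 digits")
    if not external_id:
        raise ValueError("the external ID (ZCSPM License ID) must not be empty")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{zcspm_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def cli_commands(role_name: str, zcspm_account_id: str, external_id: str) -> list:
    """AWS CLI equivalent of the CloudFormation deploy: create the role with the
    trust policy, then attach SecurityAudit.  Returned as strings, not executed."""
    trust = json.dumps(build_trust_policy(zcspm_account_id, external_id), separators=(",", ":"))
    return [
        f"aws iam create-role --role-name {role_name} --assume-role-policy-document '{trust}'",
        f"aws iam attach-role-policy --role-name {role_name} --policy-arn {SECURITY_AUDIT_POLICY_ARN}",
    ]


def _as_list(value):
    """IAM allows a single string or a list in Action/Principal fields."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_trust_policy(policy: dict, zcspm_account_id: str, external_id: str) -> list:
    """Check a trust policy (e.g. Role.AssumeRolePolicyDocument from
    `aws iam get-role`) against the onboarding requirements.  Returns a list of
    findings; an empty list means the role is scoped as intended."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # statement does not grant role assumption
        principal = stmt.get("Principal", {})
        principals = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS"))
        for p in principals:
            if p == "*":
                findings.append("any AWS principal may assume the role")
            elif zcspm_account_id not in p:
                findings.append(f"unexpected trusted principal: {p}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("missing sts:ExternalId condition (confused-deputy risk)")
        elif ext != external_id:
            findings.append("sts:ExternalId does not match the ZCSPM License ID")
    return findings


if __name__ == "__main__":
    # Constructed placeholders, not real ZCSPM identifiers.
    account, license_id, role = "123456789012", "11111111-2222-3333-4444-555555555555", "ZCSPM-DataCollection"
    good = build_trust_policy(account, license_id)
    print(json.dumps(good, indent=2))
    for cmd in cli_commands(role, account, license_id):
        print(cmd)
    # A role created without 'Require external ID' is flagged by the audit.
    weak = json.loads(json.dumps(good))
    del weak["Statement"][0]["Condition"]
    print(audit_trust_policy(weak, account, license_id))
```

Run the audit against the policy document of the role you actually created before entering the role name in ZCSPM; a non-empty findings list means ZCSPM either cannot assume the role or the role is open to more than ZCSPM's account.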
  • If your AWS account contains a large number of resources, enabling AWS Config-based data collection equips ZCSPM to better assess, audit, and evaluate the configurations of the following AWS resource types:

    • AWS::EC2::Instance
    • AWS::EC2::Volume
    • AWS::EC2::SecurityGroup
    • AWS::S3::Bucket
    • AWS::CloudFormation::Stack
    • AWS::SNS::Topic
    • AWS::SQS::Queue

    To learn more, see Enabling AWS Config Based Data Collection.

    To add the account to your ZCSPM license:

    1. Log in to ZCSPM as a License Admin.
    2. Click Activate License.
    3. Select AWS and click Continue.
    4. Enter the Cloud Account Name, the AWS Account Id, and the AWS Role Name. You must enter the same role name that you chose when you created the role (see Creating an AWS role above).
    5. Click Add Account.
    6. Once the AWS account is added to the ZCSPM license:
      • ZCSPM requires about five minutes to collect your account's data, after which it is processed and displayed. We recommend starting with your Asset Inventory.
      • You can verify your cloud account health status to confirm that ZCSPM can assume the role and read the account, and to get insights into how ZCSPM can be further leveraged to monitor your AWS account's security posture. See Verifying the Cloud Account Health Status for AWS.

In addition to onboarding your AWS cloud account onto ZCSPM, you can configure certain agents on your AWS cloud account to collect additional metadata, such as the AWS Inspector agent (see Enabling AWS Inspector Agent for OS Baseline and Vulnerability Configurations) and the ZCSPM agent for Amazon EKS (see Configuring the ZCSPM Agent for the Amazon Elastic Kubernetes Service). See the related articles below for the full list.

If you'd like to offboard your AWS account, see Offboarding an AWS Account.

Related Articles

    • Onboarding an AWS Account
    • Enabling AWS Config Based Data Collection
    • Granting Access to KMS Keys on AWS
    • Granting Access to AWS Backup
    • Enabling AWS Inspector Agent for OS Baseline and Vulnerability Configurations
    • Configuring the ZCSPM Agent for the Amazon Elastic Kubernetes Service
    • Verifying the Cloud Account Health Status for AWS
    • Offboarding an AWS Account