ZCSPM
Onboarding an AWS Account
You can onboard your AWS cloud account onto ZCSPM. Once onboarded, ZCSPM will be able to provide you with your account's security posture. ZCSPM will run your AWS cloud account deployment against all the security policies we offer. To view the security policies, see AWS Security Policies. To onboard an AWS account with ZCSPM:
- 1. Ensure that all prerequisites are met.
- You need to be a ZCSPM License Admin and an AWS Admin to onboard an AWS account onto ZCSPM.
- You need to know ZCSPM's AWS account ID and your ZCSPM License ID. You can find these both in the email you have received from ZCSPM.
- 2. Create an AWS IAM role for ZCSPM.
You must create an AWS IAM role in your AWS cloud account that names ZCSPM's AWS account as a trusted entity (with your ZCSPM License ID as the external ID) and has the SecurityAudit managed policy attached.
- Creating an AWS IAM role manually.
- Log in to your AWS console.
- Click Services, then click IAM.
- Click Roles, then Create Role.
- Click Another AWS account and enter the ZCSPM's AWS account ID.
- Select the Require external ID check box.
- Enter the ZCSPM License ID in the External ID field.
- Click Next: Permissions.
- Select the SecurityAudit policy.
- Click Next: Tags.
- Enter the Role name. You must submit this role name at ZCSPM when you are onboarding your AWS account.
- Click Create role.
- Creating an AWS IAM role using a ZCSPM script.
- Make sure the AWS CLI is installed. To learn how to install the AWS CLI, see Install AWS CLI.
- Download the provision-datacollection-role.yml file available here.
- Log in to your AWS console.
- Click your account name in the top-right corner.
- Click My Security Credentials.
- Copy the Access key ID or create a new one by clicking Create access key.
- Open the AWS CLI and navigate to the folder where you have downloaded the provision-datacollection-role.yml file.
- Enter aws configure and supply the access key when prompted.
- Add the ZCSPM data provisioning resource by running the following command:
aws cloudformation deploy --template-file provision-datacollection-role.yml --stack-name <stack-name> --parameter-overrides RoleName=<role-name> ExternalId=<zcspm-license-id> CloudneetiAWSAccountId=<zcspm-aws-account-id> --capabilities CAPABILITY_NAMED_IAM
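Whichever method you use, the role's trust policy is what keeps it from being assumed by anyone other than ZCSPM: the principal must be ZCSPM's account and the sts:ExternalId condition must carry your License ID. The following added example (not part of the ZCSPM documentation or its script) builds that trust policy and checks an existing one, such as the AssumeRolePolicyDocument returned by `aws iam get-role`; the account and license IDs are placeholders.

```python
# Placeholders, not real values: substitute the IDs from your ZCSPM onboarding email.
ZCSPM_AWS_ACCOUNT_ID = "111111111111"
ZCSPM_LICENSE_ID = "00000000-0000-0000-0000-000000000000"


def build_trust_policy(zcspm_account_id: str, license_id: str) -> dict:
    """Trust policy equivalent to the console steps above: only the ZCSPM account
    may assume the role, and only when it presents the License ID as external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{zcspm_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": license_id}},
        }],
    }


def trust_policy_findings(policy: dict, zcspm_account_id: str, license_id: str) -> list:
    """Return a list of problems with a role trust policy; an empty list means the
    policy matches the onboarding requirements. `policy` is the parsed JSON
    AssumeRolePolicyDocument of the role."""
    findings = []
    expected_principal = f"arn:aws:iam::{zcspm_account_id}:root"
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    if not statements:
        findings.append("trust policy has no statements")
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {})
        aws = principals.get("AWS", []) if isinstance(principals, dict) else principals
        aws = [aws] if isinstance(aws, str) else list(aws)
        for principal in aws:
            # Anything other than the ZCSPM account (e.g. "*") widens who can assume the role.
            if principal not in (expected_principal, zcspm_account_id):
                findings.append(f"unexpected principal allowed to assume role: {principal}")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            findings.append("no sts:ExternalId condition on the AssumeRole statement")
        elif external_id != license_id:
            findings.append("sts:ExternalId does not match the ZCSPM License ID")
    return findings
```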
- 3. (Optional) Enable AWS Config based data collection.
If you have an AWS account with a lot of resources, enabling AWS Config-based data collection equips ZCSPM to better assess, audit, and evaluate configurations of the following AWS resources:
- AWS::EC2::Instance
- AWS::EC2::Volume
- AWS::EC2::SecurityGroup
- AWS::S3::Bucket
- AWS::CloudFormation::Stack
- AWS::SNS::Topic
- AWS::SQS::Queue
To learn more, see Enabling AWS Config Based Data Collection.
- 4. Add your AWS account on ZCSPM.
- Log in to ZCSPM as a License Admin.
- Click Activate License.
- Select AWS and click Continue.
- Enter the Cloud Account Name, the AWS Account Id, and the AWS Role Name.
You must enter the same role name that you chose when you created the role. See Create an AWS IAM role for ZCSPM above.
- Click Add Account.
- Once the AWS account is added to the ZCSPM license:
- ZCSPM requires about five minutes to collect your account's data. It will then be processed and displayed. We recommend starting with viewing your Asset Inventory.
- You can verify your cloud account's health status to get insights into how ZCSPM can be further leveraged to monitor your AWS account's security posture.
In addition to onboarding your AWS cloud account on to ZCSPM, you can configure certain agents on your AWS cloud account to collect additional metadata:
- Enable AWS Inspector agent for OS Baseline and Vulnerability configurations: ZCSPM offers 170 security policies for Red Hat Enterprise Linux and 351 security policies for Windows 2016. ZCSPM offers security policies for certain vulnerabilities in your AWS cloud workloads.
- Configure ZCSPM agent in Amazon Elastic Kubernetes Service (EKS): ZCSPM offers 80 security policies for Kubernetes.
If you'd like to offboard your AWS account, see Offboarding an AWS Account.