AWS Configuration Guide

© 2025 Sonrai Security. All rights reserved.

Overview

Learn how to add accounts to fully enable Sonrai's cloud monitoring capabilities for your AWS Organization(s).

Pre-Deployment Prerequisites

Required

Review and implement the required prerequisites before progressing to Account configuration:


Adding Accounts - Onboarding Your AWS Organization

The Cloud Permissions Firewall requires a main Collector role that it can assume to monitor your cloud. This role (and associated trust policy) is created in the AWS Organization management account.

The firewall also leverages a StackSet to manage a Collector role in each of the accounts within your AWS Organization.

How do I onboard an AWS Organization to the Accounts section of the Cloud Permissions Firewall?

In the left-hand navigation menu, click Manage > Accounts

Click to add a new account.

AWS Organizations

Adding an Organization-level Account conveniently allows for deployment of roles in all Accounts at once.

warning

If you are using a Delegated Admin account, please review this documentation first!

Role name(s) used with the Sonrai Collector(s) are not required to be prefixed with "sonrai-"; they can follow any naming convention in use within your organization.

Sonrai Role Creation [Recommended Method]

Log in to your AWS Organization Account

Using Sonrai's provided CloudFormation template, create the Collector role, which includes ReadOnlyAccess or SecurityAudit (your choice!), AmazonElasticContainerRegistryPublicReadOnly, and AWSSSODirectoryReadOnly permissions.

The lesser-privileged Security Audit role in the Sonrai platform uses the AWS managed SecurityAudit policy. These additional S3 permissions must be added to the Sonrai Collector role (in the account where the S3 bucket exists) to enable access to CloudTrail trails and S3 server access logs:

  • s3:GetBucket*
  • s3:ListBucket*
  • s3:GetObject
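As an added example (not Sonrai's CloudFormation template), the three S3 permissions above written as an IAM policy document scoped to a single log bucket, with a small check that it covers the read actions a trail reader uses and nothing more; the bucket name is a placeholder.

```python
import fnmatch

# Placeholder: substitute your organization's CloudTrail / access-log bucket.
CLOUDTRAIL_BUCKET = "example-org-cloudtrail-bucket"


def s3_supplement_policy(bucket: str) -> dict:
    """The three S3 permissions listed above as an IAM policy document, scoped to
    the one log bucket (bucket-level actions on the bucket, GetObject on keys)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CollectorLogBucketRead",
                "Effect": "Allow",
                "Action": ["s3:GetBucket*", "s3:ListBucket*"],
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "CollectorLogObjectRead",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }


def allowed_actions(policy: dict, required: list[str]) -> set[str]:
    """Subset of `required` that some Allow statement grants. IAM action
    patterns use '*' wildcards and match case-insensitively."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        for pattern in actions:
            for action in required:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return granted


# Constructed sample: actions a trail/access-log reader does and does not need.
NEEDED = ["s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject"]
NOT_NEEDED = ["s3:PutObject", "s3:DeleteObject"]
```

`allowed_actions(s3_supplement_policy(CLOUDTRAIL_BUCKET), NEEDED)` returns all three needed actions, and the same call with `NOT_NEEDED` returns an empty set.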

info

If you have an encrypted Organizational S3 bucket, see below for relevant additional instructions on providing Sonrai the capability to read those bucket contents for proper data ingestion!

a) ReadOnlyAccess + Server-side encryption (SSE) in use (no further action required)

b) ReadOnlyAccess policy + Customer Managed Key (CMK) in use (additional steps are required)

c) SecurityAudit policy in use (additional steps are required)

The CloudFormation template configures:

  • Sonrai's provided trust policy
  • SonraiSecurityStackSet creation to deploy to all the nested child Accounts
    (*The StackSet is not deployed in this step, simply created)

Add the Sonrai Collector role ARN in the Sonrai platform & click to validate the ARN
*You may be required to click "Enable trusted access" to continue

In AWS, deploy the SonraiSecurityStackSet as directed in the Sonrai UI onboarding wizard (see the screenshots within the expansion pane for configuration details)

In the Sonrai UI, once all above actions are completed, click "Done" to finish the onboarding wizard


Supplementary visuals

From the Sonrai platform, clicking the CloudFormation link will transport you to the AWS console:

The CloudFormation Template link within Sonrai's quick start onboarding wizard, within the second step entitled 'Create an IAM role and policy'

No changes are required in the template:

The CloudFormation template step 1, 'Create stack', with the 'Template is ready' and 'Amazon S3 URL' toggles pre-checked and the S3 URL field prefilled for you.
The CloudFormation template step 2, 'Specify stack details', with the default settings enabled (image 1, no changes are required to the default values before clicking the next button).
info

External ID - When Sonrai's collector connects to the assumed role, it provides an external ID during authentication. When creating your roles, including this external ID allows for further control of access to the role.
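As an added example (not Sonrai's CloudFormation template), this builds a Collector role trust policy carrying the external ID condition described above, and checks an existing trust policy document for Allow statements that would let the collector principal assume the role without presenting that external ID; the account ID and external ID are placeholders.

```python
# Placeholders: the account Sonrai's collector assumes the role from and the
# external ID the Sonrai wizard shows you (both come from the Sonrai UI).
SONRAI_COLLECTOR_ACCOUNT = "111111111111"
EXTERNAL_ID = "example-external-id"


def collector_trust_policy(collector_account: str, external_id: str) -> dict:
    """Trust policy letting the collector account assume the role only when it
    presents the agreed external ID (the access control the page describes)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{collector_account}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def statements_missing_external_id(trust_policy: dict) -> list[int]:
    """Indexes of Allow sts:AssumeRole statements that do not pin sts:ExternalId,
    i.e. what a review of an existing Collector role trust policy should flag."""
    flagged = []
    for i, stmt in enumerate(trust_policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        assume = any(a.lower() in ("sts:assumerole", "sts:*", "*") for a in actions)
        if stmt.get("Effect") != "Allow" or not assume:
            continue
        # IAM condition keys are case-insensitive, so compare lower-cased.
        pinned = any(
            key.lower() == "sts:externalid"
            for op in ("StringEquals", "StringLike")
            for key in stmt.get("Condition", {}).get(op, {})
        )
        if not pinned:
            flagged.append(i)
    return flagged


# Constructed sample: a trust policy that omits the external ID condition.
UNPINNED = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": f"arn:aws:iam::{SONRAI_COLLECTOR_ACCOUNT}:root"}}],
}
```

`statements_missing_external_id(UNPINNED)` returns `[0]`, while the policy returned by `collector_trust_policy` yields `[]`.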

The CloudFormation template step 3, 'Configure stack options', where no changes to the default values are required before clicking the next button.
The CloudFormation template step 4, 'Review', where no changes are required.

Once the stack has been created, navigate to the stack "Output" tab to find the Collector ARN to copy and paste back in the Sonrai wizard. Once the ARN is input, click :

The Sonrai onboarding wizard, 'Connect Your Account to Sonrai Security' step > 'Sonrai Collector Role ARN' field where you can paste in your previously copied value then click the 'Validate ARN' button.

Next, locate the newly created StackSet within the AWS Console and click the "Add Stacks to StackSet" menu option.

In AWS Console, the 'Action' menu is clicked to reveal its menu options, including 'Add Stacks to StackSet'.

Configure as follows, adding any region of your choice:

  • Maximum concurrent accounts: Percentage, 100
  • Failure tolerance: Percentage, 100
  • Region concurrency: Parallel
  • Concurrency mode: Strict failure tolerance

In AWS Console Step 1, 'Set deployment options', a region of your choice is selected and the 'Deployment options' are set.

Click , then again (no overrides necessary for Step 3):

In AWS Console step 2, 'Specify overrides', no fields contain any override.

Review and click at the bottom of the page on the right-hand side:

In AWS Console step 3, 'Review', the summary of deployment settings is shown before the user clicks the submission button to start adding the stacks to the StackSet.

Once the StackSet has been properly configured, click back within the Sonrai platform:

In the Sonrai onboarding wizard, the 'Done' button is indicated as the final step.

Post-Deployment

The Discovery process can take anywhere from 10 minutes to ~24 hours to complete, depending on the size of the cloud accounts and the number of accounts added. As information is collected and processed by Sonrai, the Services page will begin to populate entries.

tip

While you wait for cloud ingestion to complete, take a look at how the Cloud Permissions Firewall works: