Skip to main content

Updating Existing SaaS Configurations

One-Click Least Privilege. Zero Disruption.



© 2026 Sonrai Security. All rights reserved.

Overview

This guide provides Stack/StackSet update instructions for existing customers with either:

  1. AWS Accounts already onboarded (i.e. existing Stacks/StackSets)

Rather than deleting artifacts in AWS/the Sonrai UI and repeating the entire onboarding process, your SaaS Collector configuration can be more conveniently updated using the steps provided below.

  1. A Delegated Admin Account in use

Remove the firewall entirely, deleting all artifacts in AWS, and repeat the onboarding process with the updated CloudFormation template using the steps provided below.

Updates for Existing Stacks/StackSets

  1. In the left-hand navigation menu, click Manage > Accounts
[AI GENERATED] The Cloud Permissions Firewall Manage > Accounts page listing onboarded AWS organizations and accounts.[AI GENERATED] The Cloud Permissions Firewall Manage > Accounts page listing onboarded AWS organizations and accounts.

  1. Click to add a new account.

  2. [AWS UI] - Click on the CloudFormation template link to generate an up-to-date version of the template

  1. [AWS UI] - Copy the CloudFormation template's S3 URL

  1. [AWS UI] - Navigate to Stacks and select your existing "Sonrai-SaaS-Collector-roles"-related stack

  2. [AWS UI] - In the "Stack actions" dropdown menu, click on "Create change set for current stack"

  1. [AWS UI] - Select "Replace current template" and paste in the S3 URL from step 3 above, then click

  1. [AWS UI] - On "Specify stack details" (page 2), set the "Permissions on Demand" option to "Yes", then click

  2. [AWS UI] - Validate your changes, check the "Acknowledge" box and click

  3. [AWS UI] - On "Configure stack options" (page 3), make no changes and click

  4. [AWS UI] - Validate your changes, check the "Acknowledge" box and click

[AI GENERATED] The AWS CloudFormation 'Review' step showing the change set details with the Acknowledge checkbox and Submit button.[AI GENERATED] The AWS CloudFormation 'Review' step showing the change set details with the Acknowledge checkbox and Submit button.
  1. [AWS UI] - Click (and confirm)

  1. [AWS UI] - Once complete, confirm each expected artifact is present:
  • Policy
  • Role
  • StackSet

Updates for Delegated Admin Accounts

Remove the Firewall

  1. Within the Cloud Permissions Firewall, click the settings cog icon menu then the menu option to stage the removal of your current service-related protections in the Pending Changes page.
[AI GENERATED] The Cloud Permissions Firewall settings menu showing the 'Remove Permissions Firewall from Org' button option.[AI GENERATED] The Cloud Permissions Firewall settings menu showing the 'Remove Permissions Firewall from Org' button option. [AI GENERATED] The Cloud Permissions Firewall Pending Changes page showing staged changes for removing the firewall from the AWS Organization.[AI GENERATED] The Cloud Permissions Firewall Pending Changes page showing staged changes for removing the firewall from the AWS Organization.
  1. Deploy the CloudFormation template changes to your AWS Organization.

Reonboard the Firewall

  1. [Sonrai Cloud Permissions Firewall UI] - Navigate to Manage > Accounts

Reference: See here for more information on onboarding AWS Organizations to the firewall.


  1. [Sonrai Cloud Permissions Firewall UI] - Click on the CloudFormation template link to generate an up-to-date version of the template

[AI GENERATED] The Cloud Permissions Firewall onboarding wizard showing the CloudFormation template link to generate an updated version of the template.[AI GENERATED] The Cloud Permissions Firewall onboarding wizard showing the CloudFormation template link to generate an updated version of the template.
  1. [AWS UI] - On "Specify stack details" (page 2), input your Delegated Admin account number within the "Enter Delegated Admin account" field:
[AI GENERATED] The AWS CloudFormation 'Specify stack details' step showing the 'Enter Delegated Admin account' field where the Delegated Admin account number should be entered.[AI GENERATED] The AWS CloudFormation 'Specify stack details' step showing the 'Enter Delegated Admin account' field where the Delegated Admin account number should be entered.
  1. [AWS UI] - On "Configure stack options" (page 3), make no changes, check the "Acknowledge" box and click

  1. [AWS UI] - Validate your changes and click :
[AI GENERATED] The AWS CloudFormation review step showing the updated stack configuration details before clicking the Submit button.[AI GENERATED] The AWS CloudFormation review step showing the updated stack configuration details before clicking the Submit button. [AI GENERATED] The AWS CloudFormation stack events view showing the successful completion of deploying the updated Sonrai SaaS Collector stack with a Delegated Admin account.[AI GENERATED] The AWS CloudFormation stack events view showing the successful completion of deploying the updated Sonrai SaaS Collector stack with a Delegated Admin account.
  1. [AWS UI] - Once complete, confirm each expected artifact is present:
  • Policies
  • Roles
  • StackSet
Last updated on