Updating Existing SaaS Configurations

One-Click Least Privilege. Zero Disruption.

Overview

This guide provides Stack/StackSet update instructions for existing customers with either:

AWS Accounts already onboarded (i.e. existing Stacks/StackSets)

Rather than deleting artifacts in AWS/the Sonrai UI and repeating the entire onboarding process, your SaaS Collector configuration can be more conveniently updated using the steps provided below.

A Delegated Admin Account in use

Remove the firewall entirely, deleting all artifacts in AWS, and repeat the onboarding process with the updated CloudFormation template using the steps provided below.

Updates for Existing Stacks/StackSets

In the left-hand navigation menu, click Manage > Accounts

Click to add a new account.
[AWS UI] - Click on the CloudFormation template link to generate an up-to-date version of the template

[AWS UI] - Copy the CloudFormation template's S3 URL

[AWS UI] - Navigate to Stacks and select your existing "Sonrai-SaaS-Collector-roles"-related stack
[AWS UI] - In the "Stack actions" dropdown menu, click on "Create change set for current stack"

[AWS UI] - Select "Replace current template" and paste in the S3 URL from step 3 above, then click

[AWS UI] - On "Specify stack details" (page 2), set the "Permissions on Demand" option to "Yes", then click
[AWS UI] - Validate your changes, check the "Acknowledge" box and click
[AWS UI] - On "Configure stack options" (page 3), make no changes and click
[AWS UI] - Validate your changes, check the "Acknowledge" box and click

[AWS UI] - Click (and confirm)

[AWS UI] - Once complete, confirm each expected artifact is present:

Policy
Role
StackSet

Updates for Delegated Admin Accounts

Remove the Firewall

Within the Cloud Permissions Firewall, click the settings cog icon menu then the menu option to stage the removal of your current service-related protections in the Pending Changes page.