This module allows you to integrate AWS master account with Uptycs so required AWS telemetry is accessible to CSPM and CIEM applications.
After AWS Master Account is integrated with Uptycs, any AWS Child accounts under Organization are automatically integrated (More on this later).
- IAM Role in master account. The role has following policies attached
policy/job-function/ViewOnlyAccess
policy/SecurityAudit
Read-Only (Customer Inline)
policy for required resources- SQS Permissions - Access limited to the SQS Queues created by this module
- (Optional) S3 Object Read permissions to allow access to CloudTrail events
- SQS Queues - 2
- Request Queue (with Dead letter queue)
- Response Queue (with Dead letter queue)
- Lambda Function - 1
- On trigger, from SQS request queue, it will create an IAM Role in requested child account by attaching the following policies:
policy/job-function/ViewOnlyAccess
policy/SecurityAudit
Read-Only (Customer Inline)
- (Optional) S3 Object Read permissions to allow access to CloudTrail events if s3 bucket is in child account
- This triggered once for all child accounts
- On trigger, from SQS request queue, it will create an IAM Role in requested child account by attaching the following policies:
This module also takes care of on-boarding AWS Accounts under the organizations. There is no need to re-apply terrafrom configuration to on-board any newly created child AWS accounts.
- Requires Terraform version >= 1.2.0
- The user should have Admin access on the master account
- Every child account in the organization should have
OrganizationAccountAccessRole
role. - When applicable, S3 Bucket for CloudTrail should be owned by the Master account
export AWS_PROFILE="< profile name >"
export AWS_DEFAULT_REGION="< pass region >"
Copy and paste the following configuration into a .tf file (ex: main.tf) and modify the values as required
module "org-config" {
source = "uptycslabs/org-integration/aws"
# Modify as you need, this will be used to name the resources
integration_name = "UptycsIntegration"
# Copy Uptycs' AWS Account ID into 'upt_account_id'
# Browse to the following page in Uptycs's UI and Look for "Uptycs Account ID" at the top right corner
# Uptycs' UI: "Cloud"->"AWS"->"Integrations"->"ORG INTEGRATION"
upt_account_id = "<upt_account_id>"
# Organization's master account ID
aws_account_id = "<aws_account_id>"
# Copy the suggested UUID from Uptycs UI
external_id = "<uuid4>"
# Following bucket and stream configurations are optional
# Inorder to ingest organization CloudTrail logs you need to set either `cloudtrail_s3_bucket_name` or `kinesis_stream_name`
# Specify whether the given cloudtrail S3 bucket is in master account or not (true/false)
cloudtrail_s3_bucket_in_master = true
# Provide the S3 bucket name which contains the CloudTrail data
cloudtrail_s3_bucket_name = ""
# Provide the accountId where the cloudrail bucket exists
# Provide the S3 bucket's region
# Ignore If cloudtrail bucket is in master account
cloudtrail_s3_bucket_account = ""
cloudtrail_s3_bucket_region = ""
# Name of the Kinesis stream configured to stream CloudTrail data
kinesis_stream_name = ""
# Name of the S3 bucket in the master account that contains the VPC flow logs
vpc_flowlogs_bucket_name = ""
}
output "aws_parameters" {
value = module.org-config.aws_parameters
}
Name | Description | Type | Default | Required |
---|---|---|---|---|
integration_name | Prefix to be used for naming new resources | string |
UptycsIntegration |
|
upt_account_id | Uptycs AWS account ID | string |
"" |
Yes |
aws_account_id | AWS organization's master account ID | string |
"" |
Yes |
external_id | External ID | uuid4 |
"" |
Yes |
vpc_flowlogs_bucket_name | Name of the S3 bucket in master for VPC flow logs | string |
"" |
Optional |
cloudtrail_s3_bucket_name | Name of the organization's cloud trail S3 bucket | string |
"" |
Optional |
cloudtrail_s3_bucket_in_master | Specifies whether the cloudtrail s3 bucket is in master account or not | bool |
true |
|
cloudtrail_s3_bucket_account | Child Account id in which the cloudtrail S3 bucket exists | string |
"" |
Optional |
cloudtrail_s3_bucket_region | Region where CloudTrail bucket exists | string |
"" |
Optional |
kinesis_stream_name | Name of the organization's Kinesis stream | string |
"" |
Optional |
$ terraform init -upgrade
$ terraform plan
$ terraform apply
Notes:-
- If you see this error you need to add the missing role
OrganizationAccountAccessRole
on the child account. For more information visit: [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html]
Unable to create uptycscspm role. err=operation error IAM: CreateRole, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: 262297b8-c6e5-4dec-b1ec-3fcaa7e8e6da, api error AccessDenied: User: arn:aws:iam::<masterAccountId>:user/<user> is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<childAccountId>:role/OrganizationAccountAccessRole
Name | Description |
---|---|
aws_parameters | AWS parameters (ExternalId and IntegrationName) |
Navigate back to Uptycs Organizations Integration page to complete the integration process.