
Connect an AWS account with CloudFormation

Overview

This guide provides an overview of the process for integrating an Amazon Web Services (AWS) account with Upwind using Upwind's CloudFormation template. The Upwind onboarding wizard integrates with AWS through CloudFormation, using a predefined template that can be deployed with a simple, built-in AWS wizard.

At a high level, this involves creating an IAM role and an associated policy, based on the permission level you have defined, that enable Upwind's AWS account to make API calls into your AWS account to collect data. The template also deploys a Lambda function for sending logs. You can repeat this process for as many AWS accounts as necessary, or use the API, AWS CLI, or Terraform to set up multiple accounts at once.

This page guides you through deploying the Upwind CloudFormation Stack and connecting your AWS account to Upwind.

Prerequisites

  1. Your AWS user should have administrative privileges to create and manage resources, such as IAM roles and policies.

Setup

Cloud account credentials

Click the "Generate" button to generate a new Upwind client ID and secret. The client ID and secret will be used to create an AWS secret in the AWS account.

Note

If you have already created an AWS Secret with Upwind's client ID and secret, you can click the "Upwind Client Credentials ARN" button and enter the ARN of the secret. If you haven't, you can generate a new secret by clicking the "generate a new one" button.

Log in to your desired AWS account

Log into the AWS console for the desired account.

Run CloudFormation Stack Template

Open the CloudFormation template from the Upwind Console. The template link opens the CloudFormation console with the template URL pre-filled with the Upwind CloudFormation template URL.

[Image: an example of the CloudFormation console with the parameters pre-filled]

Parameters

Before deploying the CloudFormation Stack, the following are the parameters you need to fill in:

  1. ClientId: Upwind Client ID (ignored if CredentialsSecretArn is set)
  2. ClientSecret: Upwind Client Secret (ignored if CredentialsSecretArn is set)
  3. ClientSecretArn: Upwind Credentials Secret ARN. The secret value must be a JSON key-value object: {"clientId": ..., "clientSecret": ...}
  4. KmsKeyId: KMS key ARN of the Upwind Credentials Secret
  5. OrganizationId: The ID of the Upwind Organization to integrate with
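
A pre-deployment check for the parameter rules listed above, as an added Python example that is not part of Upwind's template or tooling. It uses the name ClientSecretArn from the list (the page also calls it CredentialsSecretArn); the ARN patterns, the treatment of KmsKeyId as optional, and the sample values are assumptions made for this example.

```python
import json
import re

# Generic ARN shapes for Secrets Manager secrets and KMS keys (assumed patterns).
SECRET_ARN = re.compile(r"^arn:aws[\w-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+$")
KMS_ARN = re.compile(r"^arn:aws[\w-]*:kms:[a-z0-9-]+:\d{12}:key/.+$")

def check_secret_value(secret_string):
    """Return problems with a secret that should be {"clientId": ..., "clientSecret": ...}."""
    try:
        value = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        return [f"secret value is not valid JSON: {exc.msg}"]
    if not isinstance(value, dict):
        return ["secret value must be a JSON object"]
    problems = []
    for key in ("clientId", "clientSecret"):
        if not isinstance(value.get(key), str) or not value[key].strip():
            problems.append(f"missing or empty key: {key}")
    return problems

def check_parameters(params):
    """Return problems with the stack parameters listed on this page."""
    problems = []
    if not params.get("OrganizationId"):
        problems.append("OrganizationId is required")
    arn = params.get("ClientSecretArn", "")
    if arn:
        if not SECRET_ARN.match(arn):
            problems.append("ClientSecretArn is not a Secrets Manager secret ARN")
        kms = params.get("KmsKeyId", "")
        if kms and not KMS_ARN.match(kms):
            problems.append("KmsKeyId is not a KMS key ARN")
        # These are ignored when the ARN is set, so passing them only exposes them.
        for key in ("ClientId", "ClientSecret"):
            if params.get(key):
                problems.append(f"{key} is set but ignored because a secret ARN is given")
    else:
        for key in ("ClientId", "ClientSecret"):
            if not params.get(key):
                problems.append(f"{key} is required when no secret ARN is given")
    return problems

# Constructed sample values, not real identifiers.
SAMPLE = {
    "OrganizationId": "org_example",
    "ClientSecretArn": "arn:aws:secretsmanager:us-east-1:123456789012:secret:upwind-example-AbCdEf",
    "ClientSecret": "pasted-by-mistake",
}
print(check_parameters(SAMPLE))
```

An empty list from either function means no problem was found; the sample reports the plaintext ClientSecret that was supplied alongside the secret ARN.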

Deploy the CloudFormation Stack

At the bottom of the CloudFormation stack creation screen in the AWS console, select the checkbox next to I acknowledge that AWS CloudFormation might create... to permit the creation of IAM resources, then click Create Stack.

Now wait for the stack creation to complete. The Upwind stack status should be CREATE_COMPLETE (this might take up to a minute).

Verify connectivity

Once the stack execution has completed, the connection should be established. To confirm the connection, navigate to the My organization page and open the Cloud accounts tab. From there, search for the AWS account(s) by typing the account ID(s). Once you locate it, verify that the connection status is Connected.

Next Steps

After establishing a connection to your AWS account(s), Upwind will populate an inventory of all compute resources and show which resources are Unprotected.

To connect a Kubernetes cluster with Upwind, follow the instructions provided in the console: Connect a Kubernetes cluster or review.

To connect a Linux host with Upwind, follow the instructions provided in the console: Connect a host.