Glossary
Overview
This article contains the terms and variables used in the following onboarding instructions:
- AWS CloudFormation
- Terraform
CloudFormation onboarding parameters
| Parameter | Description |
|---|---|
| Organizational Role Name | Ensure the parameter is set. The base name which shall be given to the Organization Discovery role in the management account. This defaults to UpwindOrganizationServiceRole. |
| External ID | Ensure the parameter is set for secure cross-account role assumption. The external ID, generated by Upwind, is unique to each AWS Organization and establishes a secure trust relationship between Upwind and your AWS environment, providing distinct identification for cross-account access. |
| Account Service Role Name | Ensure the parameter is set. The base name which shall be given to the Account Service Role. This defaults to UpwindAccountServiceRole. |
| Install Account Service Role in Management account | A boolean flag which indicates whether the Account Service Role should be installed in the management account. Ensure this option is set as expected. |
| Role Name Suffix | A short set of random characters appended to the end of role names to reduce collisions with previous installs. |
| CloudScanner Configuration | |
| Orchestrator Account ID | The orchestrator account ID as defined in the Upwind Management Console. Ensure this is set as expected. |
| Cloud Scanner Administration Role Name | The base name which shall be given to the CloudScanner Administration role in the orchestrator account. This defaults to UpwindCloudScannerAdministrationRole and must be provided. |
| Cloud Scanner Execution Role Name | The base name which shall be given to the CloudScanner Execution role. This defaults to UpwindCloudScannerExecutionRole. |
| Upwind Client ID | Ensure the parameter is set with the client ID generated in the previous step. Omit if an administrator account was not selected. Note: must be used in conjunction with Upwind Client Secret. |
| Upwind Client Secret | Ensure the parameter is set with the client secret generated in the previous step. Omit if an administrator account was not selected. Note: must be used in conjunction with Upwind Client ID. |
| Credentials Secret Name Prefix | A prefix given to the name of the secret used to store the Upwind Client ID and Secret. Ensure this is set. |
| Organizational Unit IDs | Ensure the parameter is set with either the unique identifier for the root (formatted as r- followed by 4 to 32 lowercase letters or digits), or a comma-separated list of organizational unit (OU) IDs to define deployment targets. Specifying the root identifier ensures the necessary IAM roles will be created on all member accounts, excluding the management account (see next step). Alternatively, switch to the self-managed permission model to target specific accounts by listing their identifiers. Please note that this model does not support automatic deployment and requires manual creation of the necessary IAM roles for AWS CloudFormation. For more information, please refer to the Grant self-managed permissions user guide. |
| Auto Deployment Enabled | Ensure the parameter is set to true to enable automatic deployment to accounts that will be added in the future. |
| Permission Model | Ensure the parameter is set to SERVICE_MANAGED to allow AWS CloudFormation to automatically create the necessary IAM roles for StackSet execution on your behalf. |
| Stack Set Name | Ensure the parameter is set. This is the name that will be given to the CloudFormation StackSet. |
| Template URL | Ensure the parameter is set. This is the URL of the CloudFormation stack which shall be applied to each account. It should not need to be altered from the value provided. |
| Rollback resources on failure | A boolean flag which indicates that upon failure the stack will attempt to roll back all resources, including the StackSet. This is off by default, as that allows partial installs in the event of a failure in some accounts and permits diagnosis of the cause. |
Terraform onboarding variables
| Default Module Parameters | |
|---|---|
| external_id | The external ID, generated by Upwind, is unique to each AWS Organization and establishes a secure trust relationship between Upwind and your AWS environment, providing distinct identification for cross-account access. Ensure the parameter is set for secure cross-account role assumption. |
| upwind_org_register_auth_client_id | Ensure the parameter is set with the AWSOrganizationConnectionCredentials client ID generated in the previous step. |
| upwind_org_register_auth_secret_value | Ensure the parameter is set with the AWSOrganizationConnectionCredentials client secret generated in the previous step. |
| upwind_organization_id | Ensure the parameter is set to your Upwind Organization ID, which begins with "org_". |
| orchestrator_account_id | Ensure the parameter is set to the account ID that you wish to use as the orchestrator account. |
| management_account_id | Ensure the parameter is set to your AWS Organization management account ID. |
| install_roles_in_management_account | A boolean flag which indicates whether the Account Service Role should be installed in the management account. Ensure this option is set as expected. |
| role_name_suffix | A short set of random characters appended to the end of role names to reduce collisions with previous installs. |
| upwind_cloudscanner_auth_client_id | Ensure the parameter is set with the AWSScannersReportingCredentials client ID generated in the previous step. Provide this if you are not providing the client credentials through an AWS Secrets Manager secret. Omit if an administrator account was not selected. Note: must be used in conjunction with upwind_cloudscanner_auth_secret_value. |
| upwind_cloudscanner_auth_secret_value | Ensure the parameter is set with the AWSScannersReportingCredentials client secret generated in the previous step. Provide this if you are not providing the client credentials through an AWS Secrets Manager secret. Omit if an administrator account was not selected. Note: must be used in conjunction with upwind_cloudscanner_auth_client_id. |
Terraform onboarding resources
| Resource | |
|---|---|
| Organization Discovery role | This role grants Upwind permissions to discover the accounts in the AWS Organization, and is created in the management account. Once this role is created, the Terraform module automatically registers its ARN, initiating the Organization and account discovery process within the Upwind SaaS. |
| Account Service role | This role grants Upwind permissions to perform auditing in each account and is created in all accounts, except for the management account if the option not to install the roles there has been set. If an Orchestrator account ID has been set, the Account Service role is also created in that account so that Upwind can auto-provision Cloud Scanners. |
| CloudScanner Administration role | This role is created in the Orchestrator account, if one is configured. It grants the permissions needed by the CloudScanner to perform its tasks. |
| CloudScanner Execution role | This role is created in the same accounts as the Account Service role, if an Orchestrator account is configured. It grants permissions that allow the CloudScanner to access scannable targets in the remaining accounts. It is not necessary in the Orchestrator account. |
| CloudScanner secret | Created in the Orchestrator account, if one is configured, this secret stores the CloudScanner authentication credentials. |
Need Help?
For additional help with settings, please contact us through one of the following methods:
- Access 24/7 live chat support directly in the Upwind Management Console.
- Reach out to us anytime via email at support@upwind.io.
- Collaborate with us by starting a shared Slack channel.