Glossary
Overview
This article contains the terms and variables used in the following onboarding instructions:
- AWS CloudFormation
- Terraform
Onboarding Cloudformation template parameters
| Org Wide Configuration | |
|---|---|
| Organizational Role Name | Ensure the parameter is set. The base name which shall be given to the Organization Discovery role in the management account. This defaults to UpwindOrganizationServiceRole. |
| External ID | Ensure the parameter is set for secure cross-account role assumption. The external ID, generated by Upwind, is unique to each AWS Organization to establish a secure trust relationship between Upwind and your AWS environment, providing distinct identification for cross-account access. |
| Account Service Role Name | Ensure the parameter is set. The base name which shall be given to the Account Service Role. This defaults to UpwindAccountServiceRole. |
| Install Account Service Role in Management account | A boolean flag which indicates whether the Account Service Role should be included in the management account. Ensure this option is set as expected. |
| Role Name Suffix | A short set of random characters, which shall be appended to the end of role names to help reduce collision against previous installs. |
| Deployment Configuration | |
| Stack Set Name | Ensure the parameter is set. This is the name that will be given to the Cloudformation StackSet. |
| Is Delegated Admin account | Indicates that the stack is being deployed in an AWS delegated admin account, rather than the management account. |
| Organizational Unit IDs | Ensure the parameter is set with either the unique identifier for the root (formatted as r- followed by 4 to 32 lowercase letters or digits), or a comma-separated list of organizational unit (OU) IDs to define deployment targets. Specifying the root identifier ensures the necessary IAM roles will be created on all member accounts, excluding the management account (see next step). Alternatively, switch to the self-managed permission model to target specific accounts by listing their identifiers. Please note that this model does not support automatic deployment and requires manual creation of the necessary IAM roles for AWS CloudFormation. For more information, please refer to the Grant self-managed permissions user guide. (Cloudformation StackSet configuration) |
| Target Accounts | A comma-separated list of accounts which shall be used with the filter type. The list must consist of valid account IDs. (Cloudformation StackSet configuration) |
| Target Account Filter Type | The filter type - either INTERSECTION or DIFFERENCE. (Cloudformation StackSet configuration) |
| Retain Stacks on Account Removal | Retain the stack when the account is removed from the Organization. (Cloudformation StackSet configuration) |
| Auto Deployment Enabled | Ensure the parameter is set to true to enable automatic deployment to accounts that will be added in the future. (Cloudformation StackSet configuration) |
| Rollback resources on failure | A boolean flag which indicates that upon failure the stack will attempt to roll back all resources, including the StackSet. This is off by default, as that allows for partial installs in the event of a failure in some accounts and permits diagnosis of the cause. |
| StackSet Target Region | The region in which the StackSet will deploy the stacks. (Cloudformation StackSet configuration) |
| StackSet Permission Model | Ensure the parameter is set to SERVICE_MANAGED to allow AWS CloudFormation to automatically create the necessary IAM roles for StackSet execution on your behalf. (Cloudformation StackSet configuration) |
| AWS Cloudformation Execution Role Name | The name of the role which Cloudformation will use when deploying a SELF-MANAGED stack set. (Cloudformation StackSet configuration) |
| Cloud Scanner Configuration | |
| Orchestrator Account ID | The orchestrator account ID as defined in the Upwind Management Console. Ensure this is set as expected. |
| Cloud Scanner Administration Role Name | The base name which shall be given to the Cloud Scanner Administration role in the orchestrator account. This defaults to UpwindCloudScannerAdministrationRole and must be provided. |
| Cloud Scanner Execution Role Name | The base name which shall be given to the Cloud Scanner Execution role. This defaults to UpwindCloudScannerExecutionRole. |
| Upwind Client ID | Ensure the parameter is set with the client ID generated in the previous step. Omit if an administrator account was not selected. Note: must be used in conjunction with Upwind Client Secret. |
| Upwind Client Secret | Ensure the parameter is set with the client secret generated in the previous step. Omit if an administrator account was not selected. Note: must be used in conjunction with Upwind Client ID. |
| Upwind Auth Secret ARN | Provide the Upwind Auth credentials using an AWS secrets manager secret. Must be a valid ARN, and the secret must exist in, and be accessible from, the orchestrator account. |
| Credentials Secret Name Prefix | A prefix given to the name of the secret used to store the Upwind Client ID and Secret. Ensure this is set. |
| Custom Configuration Options | |
| Enable DSPM Permissions | Grant the permissions necessary to perform DSPM scans. Default enabled. |
| Enable CloudScanner Management Permissions | Grant the permissions necessary to perform Cloud Scanner automated installation and management. If this is disabled, the CloudScanners will need to be installed manually. Default enabled. |
| Include permissions necessary to create and manage EC2 network resources | Grant the permissions necessary to create and manage EC2 network resources. If disabled, custom EC2 network configurations must be provided to complete the CloudScanner installation. Default enabled. |
| Upwind Account Service CloudFormation Policy Name | The base name of the Cloudformation IAM policy. This policy grants the permissions necessary to manage the CloudScanner resources using Cloudformation. The role suffix will be automatically appended to this. |
| Account Service Cloud Scanner EC2 Access Policy Name | The base name of the Cloud Scanner EC2 Access IAM policy. This policy grants the permissions necessary to access/manage the EC2 specific resources used by the CloudScanner. The role suffix will be automatically appended to this. |
| Account Service Cloud Scanner EC2 Network Policy Name | The base name of the Cloud Scanner EC2 Network IAM policy. This policy grants the permissions necessary to access/manage the EC2 Network resources used by the CloudScanner, and may be omitted if the option above is selected. The role suffix will be automatically appended to this. |
| Account Service Cloud Scanner Access Policy Name | The base name of the Cloud Scanner Access IAM policy. This policy grants the permissions necessary to access/manage the non-EC2 resources used by the CloudScanner. The role suffix will be automatically appended to this. |
| Stack Template URL (Account Service roles) | The URL of the Cloudformation template which defines the roles. This shall be applied to each account using the StackSet configuration, and optionally to the management account. It should not need to be altered from that provided. |
Cloudformation onboarding resources
| Resource | |
|---|---|
| Organization Discovery IAM role | This role grants Upwind permissions to discover the accounts in the AWS Organization, and is created in the management account. Once this role is created, the Terraform module automatically registers the ARN for this role, initiating the Organization and account discovery process within the Upwind SaaS. |
| Account Service IAM role | This role grants Upwind permissions to perform auditing in each account and is created in all accounts - except for the management account if the option not to install the roles has been set. If an Orchestrator account ID has been set, in that account the Account Service role will be created so that Upwind can auto-provision Cloud Scanners. |
| Cloud Scanner Administration IAM role | This role is created in the Orchestrator account if configured. It grants the permissions needed by the CloudScanner to perform its necessary tasks. |
| Cloud Scanner Execution IAM role | This role is created in the same accounts as the Account Service role, if an Orchestrator account is configured. It grants permissions to allow the CloudScanner to access scannable targets in the remaining accounts. It is not necessary in the Orchestrator account. |
| Cloud Scanner secret | Created in the Orchestrator account, if configured, this secret stores the Cloud Scanner authentication credentials. |
| CloudFormation Access IAM policy | A managed IAM policy which grants CloudFormation management permissions to the Account Service role in the orchestrator account. |
| Cloud Scanner EC2 Access IAM policy | A managed IAM policy which grants general EC2 permissions to the Account Service role in the orchestrator account. |
| Cloud Scanner EC2 Network Management IAM policy | A managed IAM policy which grants EC2 Network management permissions to the Account Service role in the orchestrator account. |
| Cloud Scanner Access IAM policy | A managed IAM policy which grants general non-EC2 permissions to the Account Service role in the orchestrator account. |
Terraform onboarding variables
| Default Module Parameters | |
|---|---|
| external_id | The external ID, generated by Upwind, is unique to each AWS Organization to establish a secure trust relationship between Upwind and your AWS environment, providing distinct identification for cross-account access. Ensure the parameter is set for secure cross-account role assumption. |
| upwind_org_register_auth_client_id | Ensure the parameter is set with the AWSOrganizationConnectionCredentials client ID generated in the previous step. |
| upwind_org_register_auth_secret_value | Ensure the parameter is set with the AWSOrganizationConnectionCredentials client secret generated in the previous step. |
| upwind_organization_id | Ensure the parameter is set to your Upwind Organization ID, which begins with "org_". |
| upwind_region | The Upwind data region which hosts the entity. This should be set by the onboarding process and left unchanged. |
| orchestrator_account_id | Ensure the parameter is set to the account ID that you wish to use as the orchestrator account. |
| management_account_id | Ensure the parameter is set to your AWS Organization management account ID. |
| install_roles_in_management_account | A boolean flag which indicates whether the Account Service Role should be included in the management account. Ensure this option is set as expected. |
| role_name_suffix | A short set of random characters, which shall be appended to the end of role names to help reduce collision against previous installs. |
| upwind_cloudscanner_auth_client_id | Ensure the parameter is set with the AWSScannersReportingCredentials client ID generated in the previous step. Provide this if you are not providing the client credentials through an AWS Secrets Manager secret. Omit if an administrator account was not selected. Note: must be used in conjunction with upwind_cloudscanner_auth_secret_value. |
| upwind_cloudscanner_auth_secret_value | Ensure the parameter is set with the AWSScannersReportingCredentials client secret generated in the previous step. Provide this if you are not providing the client credentials through an AWS Secrets Manager secret. Omit if an administrator account was not selected. Note: must be used in conjunction with upwind_cloudscanner_auth_client_id. |
| organization_role_name | The base name which shall be given to the Organization Discovery role in the management account. This defaults to UpwindOrganizationServiceRole. |
| account_service_role_name | Ensure the parameter is set. The base name which shall be given to the Account Service Role. This defaults to UpwindAccountServiceRole. |
| cloudscanner_administration_role_name | The base name which shall be given to the Cloud Scanner Administration role in the orchestrator account. This defaults to UpwindCloudScannerAdministrationRole and must be provided. |
| cloudscanner_execution_role_name | The base name which shall be given to the Cloud Scanner Execution role. This defaults to UpwindCloudScannerExecutionRole. |
| upwind_feature_dspm_enabled | Grant the permissions necessary to perform DSPM scans. Default enabled. |
| upwind_cloudscanner_management_enabled | Grant the permissions necessary to perform Cloud Scanner automated installation and management. If this is disabled, the Cloud Scanners will need to be installed manually. Default enabled. |
| upwind_include_ec2_network_management_permissions | Grant the permissions necessary to create and manage EC2 network resources. If disabled, custom EC2 network configurations must be provided to complete the Cloud Scanner installation. Default enabled. |
| account_service_cloudformation_policy_name | The base name of the Cloudformation IAM policy. This policy grants the permissions necessary to manage the Cloud Scanner resources using Cloudformation. The role suffix will be automatically appended to this. |
| account_service_cloudscanner_ec2_policy_name | The base name of the Cloud Scanner EC2 Access IAM policy. This policy grants the permissions necessary to access/manage the EC2-specific resources used by the Cloud Scanner. The role suffix will be automatically appended to this. |
| account_service_cloudscanner_policy_name | The base name of the Cloud Scanner Access IAM policy. This policy grants the permissions necessary to access/manage the non-EC2 resources used by the Cloud Scanner. The role suffix will be automatically appended to this. |
| account_service_cloudscanner_ec2_network_policy_name | The base name of the Cloud Scanner EC2 Network IAM policy. This policy grants the permissions necessary to access/manage the EC2 Network resources used by the Cloud Scanner, and may be omitted if upwind_include_ec2_network_management_permissions is disabled. The role suffix will be automatically appended to this. |
| custom_tags | Custom tags which will be applied to all resources created during the onboarding process. |
Terraform onboarding resources
| Resource | |
|---|---|
| Organization Discovery IAM role | This role grants Upwind permissions to discover the accounts in the AWS Organization, and is created in the management account. Once this role is created, the Terraform module automatically registers the ARN for this role, initiating the Organization and account discovery process within the Upwind SaaS. |
| Account Service IAM role | This role grants Upwind permissions to perform auditing in each account and is created in all accounts - except for the management account if the option not to install the roles has been set. If an Orchestrator account ID has been set, in that account the Account Service role will be created so that Upwind can auto-provision Cloud Scanners. |
| Cloud Scanner Administration IAM role | This role is created in the Orchestrator account if configured. It grants the permissions needed by the Cloud Scanner to perform its necessary tasks. |
| Cloud Scanner Execution IAM role | This role is created in the same accounts as the Account Service role, if an Orchestrator account is configured. It grants permissions to allow the CloudScanner to access scannable targets in the remaining accounts. It is not necessary in the Orchestrator account. |
| Cloud Scanner secret | Created in the Orchestrator account, if configured, this secret stores the Cloud Scanner authentication credentials. |
| CloudFormation Access IAM policy | A managed IAM policy which grants CloudFormation management permissions to the Account Service role in the orchestrator account. |
| Cloud Scanner EC2 Access IAM policy | A managed IAM policy which grants general EC2 permissions to the Account Service role in the orchestrator account. |
| Cloud Scanner EC2 Network Management IAM policy | A managed IAM policy which grants EC2 Network management permissions to the Account Service role in the orchestrator account. |
| Cloud Scanner Access IAM policy | A managed IAM policy which grants general non-EC2 permissions to the Account Service role in the orchestrator account. |
Need Help?
For additional help with settings, please contact us through one of the following methods:
- Access 24/7 live chat support directly in the Upwind Management Console.
- Reach out to us anytime via email at support@upwind.io.
- Collaborate with us by starting a shared Slack channel.