Amazon Web Services (AWS)

Overview

AWS organizational onboarding enables customers to seamlessly connect their AWS organizations to Upwind, offering centralized visibility, control, and protection for all member accounts. By leveraging the hierarchical structure of AWS organizations, this integration streamlines account management while safeguarding the entire cloud infrastructure against potential threats. It simplifies the setup and management of multiple AWS accounts by automating essential tasks such as role creation and permissions assignment.

Architecture

AWS organizational onboarding integrates an AWS organization with Upwind by using an IAM role with read access to AWS Organizations for automated account discovery. The process also creates read-only access roles in each member account for security auditing, and designates one administrator account that hosts the cloud scanner integration. This architecture supports centralized management and secure, role-based access across all member accounts in the organization.

Connecting an AWS organization involves three integration steps:

Step 1: Enable account discovery across your organization. (Purpose: account discovery)

This step creates an IAM role that lets Upwind discover all member accounts within your AWS Organization.
  • Permissions: The role is attached to the AWS-managed policy AWSOrganizationsReadOnlyAccess, which grants the permissions the Upwind platform needs to list member accounts. For details, refer to the AWS documentation.
  • Role assumption: This role is assumed only by Upwind backend services, and its trust policy requires a unique external ID so that no other party can use the role through Upwind.

Step 2: Designate an administrator account for Upwind. (Purpose: cloud scanning)

This step selects an existing AWS account to serve as the Upwind administrator account. An additional IAM administration role is created in that account. This role manages cloud scanning operations, as it grants Upwind the permissions needed to run scanning tasks across all member accounts.
  • Permissions: The role includes elevated permissions that allow the Upwind platform to create and configure the infrastructure for the Cloud Scanner and its components.
  • Role assumption: This role assumes the IAM execution roles in every member account to perform cloud scanning operations.

Step 3: Enable secure read-only access to all accounts. (Purpose: security auditing)

This step creates IAM roles in all member accounts for management, monitoring, and protection. If an administrator account was designated in step 2, the IAM execution roles that support cloud scanning are also created in each member account.
  • Permissions: The role is attached to the AWS-managed policy SecurityAudit, which grants the permissions the Upwind platform needs for security auditing and monitoring across the organization, plus a custom inline policy with complementary read-only permissions. For details, refer to the AWS documentation.
  • Role assumption: These roles are assumed by the Upwind platform to perform security auditing and monitoring across the organization.
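The three steps above amount to a small set of IAM roles whose trust policies decide who may assume them. The following is an added example, not Upwind's own code or templates: it builds the trust policy for each role (platform principal plus the sts:ExternalId condition from step 1), records which AWS-managed policy each role carries, and audits a trust policy for the two mistakes a reviewer looks for, a principal other than the expected account and a missing external ID condition. The platform account ID, the external ID, the role names and the layout of the scanner execution roles are placeholders and assumptions; the page does not specify them.

```python
"""Build and audit the IAM role trust policies used by the three onboarding
steps. Added example for this page, not Upwind's own code or templates.
Assumptions (placeholders, not real values): the platform's AWS account ID,
the external ID, and the role names."""
import json
import secrets

UPWIND_ACCOUNT_ID = "111111111111"              # placeholder platform account
EXTERNAL_ID = "upwind-" + secrets.token_hex(16)  # per-customer unique external ID

# AWS-managed policies named on the page (real ARNs).
ORG_READONLY = "arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess"
SECURITY_AUDIT = "arn:aws:iam::aws:policy/SecurityAudit"


def trust_policy(principal_account, external_id=None):
    """Trust policy allowing one AWS account to assume the role. When an
    external ID is given, sts:AssumeRole is gated on sts:ExternalId, which is
    the confused-deputy protection step 1 refers to."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{principal_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def onboarding_roles(admin_account_id, member_account_ids):
    """Return {role name: (trust policy, managed policy ARNs)} for all three
    steps. Role names and the execution-role layout are assumptions; the
    admin role's elevated permissions are not specified on the page."""
    roles = {
        # Step 1: discovery role, assumed only by the platform with the external ID
        "UpwindDiscoveryRole": (trust_policy(UPWIND_ACCOUNT_ID, EXTERNAL_ID), [ORG_READONLY]),
        # Step 2: administration role in the designated admin account
        f"UpwindAdminRole@{admin_account_id}": (trust_policy(UPWIND_ACCOUNT_ID, EXTERNAL_ID), []),
    }
    for acct in member_account_ids:
        # Step 3: read-only audit role in every member account
        roles[f"UpwindSecurityAuditRole@{acct}"] = (
            trust_policy(UPWIND_ACCOUNT_ID, EXTERNAL_ID), [SECURITY_AUDIT])
        # Step 2: scanner execution role, assumed by the admin role (same org,
        # so trusted on the admin account rather than an external ID: assumption)
        roles[f"UpwindScanExecutionRole@{acct}"] = (trust_policy(admin_account_id), [])
    return roles


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc, expected_account, require_external_id=True):
    """Findings for a trust policy; an empty list means only the expected
    account may assume the role, with an external ID where one is required."""
    findings = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in principals:
            if p == "*" or not str(p).startswith(f"arn:aws:iam::{expected_account}:"):
                findings.append(f"unexpected principal {p}")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if require_external_id and "sts:ExternalId" not in cond:
            findings.append("sts:AssumeRole not gated on sts:ExternalId")
    return findings


if __name__ == "__main__":
    roles = onboarding_roles("222222222222", ["333333333333", "444444444444"])
    for name, (trust, managed) in roles.items():
        is_exec = name.startswith("UpwindScanExecutionRole")
        account = "222222222222" if is_exec else UPWIND_ACCOUNT_ID
        print(name, managed, audit_trust_policy(trust, account, not is_exec) or "OK")
    print(json.dumps(roles["UpwindDiscoveryRole"][0], indent=2))
```

Run the audit against the trust policies that actually exist in your accounts (for example the output of `aws iam get-role`) rather than only against the generated ones: the point of the external ID is lost if the deployed role trusts a broader principal or drops the condition.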

[Figure: architecture.png] The diagram illustrates how a new AWS organization is connected to the Upwind platform.

Integration

The integration methods available for creating the necessary IAM roles for Upwind are as follows: