Glossary
Overview
This article lists the terms, parameters, and resources you encounter while onboarding an AWS Organization to the SaaS deployment model. The terms follow the onboarding flow as it appears in the Upwind Management Console.
The SaaS deployment model can be onboarded with either CloudFormation or Terraform. Select the tab that matches the deployment method you chose during onboarding.
- AWS CloudFormation
- Terraform
Step 1: Connect your environment
| Term | Definition |
|---|---|
| Organization ID | The unique identifier AWS assigns to your AWS Organization, used by Upwind to associate connected accounts during onboarding and data correlation. Typically begins with o-. Found in the AWS Management Console under Organizations → Settings. |
| Root ID | The unique identifier of your organization's root organizational unit (OU). Typically begins with r-. Found in the AWS Management Console under Organization → AWS accounts. |
| Orchestrator Account | The AWS account that serves as the central control point for managing and scanning your organization's member accounts. The Upwind SaaS account chains into this account first, then into individual member accounts. The Orchestrator must belong to the same AWS Organization, but does not have to be the management account. |
| Connection Scope | The Connection scope determines how broadly to apply the connection: All organization (every account), Organizational Unit (one or more OUs), or Account (specific accounts only). |
Step 2: Readiness check
| Term | Definition |
|---|---|
upwindctl | The Upwind command-line tool used to run the readiness check (and other Upwind operations) from your local machine. The preflight check is invoked through it. |
| Preflight script | The upwindctl aws onboarding preflight command run during the readiness check. For SaaS it is run with the --is-saas flag. Validates required permissions and configuration before onboarding proceeds. |
Step 3: Grant permissions
| Term | Definition |
|---|---|
OrganizationServiceRoleArn | The name of the ARN output that holds the IAM role Upwind assumes to identify and list every member account for monitoring and protection. Found in the output of the CloudFormation stack and pasted into the Enter role ARN field. |
UpwindCombinedOrg | The name of the CloudFormation stack that provisions the customer-side IAM resources, including the role exposed as OrganizationServiceRoleArn. |
CloudFormation template parameters and resources
The CloudFormation Quick Create Stack opened in Step 3 pre-populates these parameters from the values you entered earlier. You do not normally need to edit them. The stack also provisions the onboarding resources listed below.
| Parameter or resource | Definition |
|---|---|
ExternalId | A value, generated by Upwind and unique to each AWS Organization, added to the trust policy of the IAM roles Upwind assumes. Establishes a secure trust relationship for cross-account access. |
RoleNameSuffix | A short set of random characters appended to created role names to reduce collision against previous installs. |
OrganizationalUnitIds | The root identifier (for example, r-pcb6) or a comma-separated list of OU IDs that define the deployment targets for the IAM roles. |
OrchestratorAccountId | The AWS account ID of the account you designated as the orchestrator in Step 1. |
InstallRolesInManagementAccount | Whether the IAM roles should also be created in the management account. Corresponds to the Include AWS Management Account toggle. |
CloudScannerSaaSDeploymentMode | Set to Enabled to configure the IAM resources for the SaaS deployment model. |
CloudScannerSaaSTrustedAccountId | The Upwind SaaS account ID that the customer-side roles trust for cross-account assume-role. Provided by Upwind during onboarding. |
| Organization Service Role | The Org discovery role created in the management account. Upwind assumes it to discover and list the accounts in your AWS Organization. Its ARN is exposed as the OrganizationServiceRoleArn output. Base name defaults to UpwindOrganizationServiceRole. |
| Account Service Role | The role created in member accounts (and in the orchestrator account) that grants Upwind the cross-account access needed to discover resources and create, share, and clean up snapshots. Base name defaults to UpwindAccountServiceRole. |
IAM configuration tags
The validation step confirms that the IAM resources carry the expected configuration tags.
| Tag | Definition |
|---|---|
upwind:aws:AccountServiceRoleName | Records the base name of the Account Service Role created during onboarding. |
upwind:aws:OrchestratorAccountId | Identifies the orchestrator account. If unset, Cloud Scanners are not installed. |
upwind:aws:CloudScannerSaaSMode | Indicates that the IAM resources are configured for the SaaS deployment model. |
Role ARN Validation
After you paste the OrganizationServiceRoleArn and click Validate, Upwind runs the following checks and reports each one. All must pass before onboarding can continue.
| Check | What it confirms |
|---|---|
| Role ARN is valid | The provided role ARN has the correct format. |
| Role access validated | Upwind can assume the provided role, confirming the trust policy and external ID are configured correctly. |
| IAM configuration validated | The required Upwind IAM tags and deployment configuration were found on the role. |
| Orchestrator account validated | The orchestrator account belongs to the AWS Organization being connected. |
| AWS Organization validated | The provided AWS Organization ID matches the connected organization. |
| Discovery permissions validated | Upwind has permissions to list accounts and organizational units. |
Step 1: Connect your environment
| Term | Definition |
|---|---|
| Organization ID | The unique identifier AWS assigns to your AWS Organization, used by Upwind to associate connected accounts during onboarding and data correlation. Typically begins with o-. Found in the AWS Management Console under Organizations → Settings. |
| Root ID | The unique identifier of your organization's root organizational unit (OU). Typically begins with r-. Found in the AWS Management Console under Organization → AWS accounts. |
| Orchestrator Account | The AWS account that serves as the central control point for managing and scanning your organization's member accounts. The Upwind SaaS account chains into this account first, then into individual member accounts. The Orchestrator must belong to the same AWS Organization, but does not have to be the management account. |
| Connection Scope | The Connection scope determines how broadly to apply the connection: All organization (every account), Organizational Unit (one or more OUs), or Account (specific accounts only). |
Step 2: Readiness check
| Term | Definition |
|---|---|
upwindctl | The Upwind command-line tool used to run the readiness check (and other Upwind operations) from your local machine. The preflight check is invoked through it. |
| Preflight script | The upwindctl aws onboarding preflight command run during the readiness check. For SaaS it is run with the --is-saas flag. Validates required permissions and configuration before onboarding proceeds. |
Step 3: Grant permissions
| Term | Definition |
|---|---|
| Management account | The AWS Management Account ID you enter in Step 3. Upwind uses the role provisioned in this account to discover and list the member accounts in your AWS Organization. When connecting an organization, the Terraform module is applied here first to enable discovery. |
main.tf | The Terraform configuration file you create and into which you paste the generated module. Running it provisions the customer-side IAM resources, including the role exposed as the organization_discovery_role_arn output. |
organization_discovery_role_arn | The Terraform output that holds the ARN of the IAM role Upwind assumes to identify and list every member account for monitoring and protection. Pasted into the Enter role ARN field. |
Terraform module variables and outputs
The Terraform snippet generated in Step 3 pre-populates these variables from the values you entered earlier. You do not normally need to edit them. The module also exposes the output listed below.
| Variable or output | Definition |
|---|---|
source | The location and version of the Upwind AWS organization onboarding Terraform module, for example https://get.upwind.io/terraform/modules/aws-org-onboarding/aws-org-onboarding-1.2.1.tar.gz. |
external_id | A value, generated by Upwind and unique to each AWS Organization, added to the trust policy of the IAM roles Upwind assumes. Establishes a secure trust relationship for cross-account access. |
upwind_region | The Upwind region that hosts your tenant, for example eu. Determines which Upwind endpoints the onboarding registers against. |
upwind_org_register_auth_client_id | The client ID used to authenticate the org registration request with the Upwind Authorization Service. Injected by Upwind during onboarding. |
upwind_org_register_auth_secret_value | The client secret paired with upwind_org_register_auth_client_id. Injected by Upwind during onboarding. |
upwind_organization_id | The identifier of your Upwind organization, used to associate the connected AWS accounts with your Upwind tenant. Typically begins with org_. |
upwind_trusted_account_id | The Upwind SaaS account ID that the customer-side roles trust for cross-account assume-role. Provided by Upwind during onboarding. |
organization_discovery_role_arn | The module output that exposes the ARN of the Org discovery role. Upwind assumes it to discover and list the accounts in your AWS Organization. Pasted into the Enter role ARN field in Step 3. |
Role ARN Validation
After you paste the organization_discovery_role_arn and click Validate, Upwind runs the following checks and reports each one. All must pass before onboarding can continue.
| Check | What it confirms |
|---|---|
| Role ARN is valid | The provided role ARN has the correct format. |
| Role access validated | Upwind can assume the provided role, confirming the trust policy and external ID are configured correctly. |
| IAM configuration validated | The required Upwind IAM tags and deployment configuration were found on the role. |
| Orchestrator account validated | The orchestrator account belongs to the AWS Organization being connected. |
| AWS Organization validated | The provided AWS Organization ID matches the connected organization. |
| Discovery permissions validated | Upwind has permissions to list accounts and organizational units. |