
Deployment

Overview

The following sections provide step-by-step guidance for deploying and troubleshooting the Upwind Cloud Scanner across different deployment types.

Deploy

Step 1: Initiate the deployment process

Navigate to the Inventory page and open the Upwind components section. Click on the Cloud Scanners tab and select the Deploy Cloud Scanner button located at the top-right corner of the page.

Step 2: Select a cloud provider

Select Amazon Web Services (AWS) as your cloud provider to proceed with the Cloud Scanner deployment.

Step 3: Select a deployment method

Select the appropriate deployment method for your environment from the available options to deploy the Upwind Cloud Scanner.

Step 4: Select a region

Select the desired region from the available options. Review the Accounts column to identify which accounts are available for future configuration as scanning target accounts. This information is provided in this step for visibility and planning purposes only; actual selection of target accounts will occur in subsequent steps. Note: For optimal coverage, it is recommended to deploy a Cloud Scanner in each region listed.

Step 5: Log in to your desired AWS Account

Choose the account where you want to deploy the Cloud Scanner and log in or authenticate to the selected account. This account will host the Cloud Scanner's compute resources, which will be deployed in the specified region upon execution of the CloudFormation template or Terraform module.

Step 6: Select Cloud Scanner credentials

Select existing client credentials for the Upwind Cloud Scanner deployment from the credentials dropdown. If you need new credentials, click on Generate a new one, provide a name and click Generate. Alternatively, you can generate credentials on the Credentials page in the console.

For more information, refer to the documentation on Credentials.

Step 7: Define the Cloud Scanner configuration

Customize your Cloud Scanner configuration according to your specific security and operational needs. Advanced settings are optional.

Expand the Advanced settings section and enter your preferences.

  1. Name the scanner: Choose a name for your Cloud Scanner.

  2. Advanced settings:

    Resource types: Select the types of resources you want to scan (e.g., EC2 Instances, ECS Fargate, Lambda Functions).
    Capabilities: Specify the capabilities to be identified for each resource type (e.g., Vulnerabilities, Malware, Secrets).
    Scope: Define a scope for each resource type using predefined properties to refine your resource selection based on specific requirements.
    Scaling group max size: Override the maximum size of the auto scaling group to limit resource consumption.
    Scanning frequency: Set the scanning frequency to either every 12 or 24 hours, scheduled for 12 AM or 12 PM.
  3. Click on Save to confirm and complete your configuration.

Note: When scanning AWS Lambda functions, the Cloud Scanner only scans functions that have been invoked in the last 24 hours.

Step 8: Deploy the Cloud Scanner

Run AWS CloudFormation Template

  1. Click on AWS CloudFormation template quick-create link to open the Create Stack Wizard in the AWS CloudFormation console, with the supplied values automatically used for the parameters.
  2. Fill in any required parameters that the template specifies.
  3. Configure additional options, such as IAM role permissions.
  4. Review all the settings and parameters. Check the Capabilities and transforms section and acknowledge that the template may create IAM resources, if applicable.
  5. Click on Create stack.

Step 9: Test connectivity

Once the deployment is complete, click on Test Cloud Scanner connectivity. Wait while the following stages are completed:

  • Cloud Scanner configuration is created – This stage confirms that all initial configuration parameters for the Cloud Scanner are set according to your specified requirements.
  • Auto Scaling Group is set up – This stage confirms the existence and proper configuration of the Auto Scaling Group for the Cloud Scanner.
  • Cloud Scanner is operational – This stage confirms that the Cloud Scanner is fully deployed, operational, and ready to execute its scanning operations.

Note: This process may take a few moments. Please avoid refreshing the page during this time.

Once all stages show as successfully completed, connectivity is confirmed, and the deployment process is concluded. The scanner will then automatically adjust its scale according to the predefined schedule.

Target account configuration

This section outlines the steps to configure target accounts for the Cloud Scanner after its deployment. Each target account receives an IAM role that the scanner assumes to access and monitor that account, giving you coverage across your environment.

Step 1: Target account selection

Select the target accounts you want the Cloud Scanner to monitor from the account list, which includes all accounts that are enabled in the same region where the Cloud Scanner has been deployed.

Note: Only accounts connected to Upwind can be selected.

Step 2: Establish trust relationship with target accounts

This step creates a CloudFormation StackSet that initiates a deployment in each of the chosen target accounts. Each deployment creates an IAM role that the Cloud Scanner can assume, enabling it to access the target accounts, generate snapshots, and perform its scanning operations.

  1. Click on AWS CloudFormation template quick-create link to open the Quick create stack wizard in the AWS CloudFormation console, with the parameters pre-filled based on the target accounts you selected in the previous step.
  2. Click on Create Stack to start the deployment process.

Note: Before you can create a CloudFormation StackSet with self-managed permissions, CloudFormation IAM service roles must already exist in each account. For detailed instructions, see Grant self-managed permissions.

Run AWS CloudFormation Template

  1. Sign in to the AWS Management Console.
  2. Click on AWS CloudFormation template quick-create link to open the Create Stack Wizard in the AWS CloudFormation console, with the supplied values automatically used for the parameters.
  3. Fill in required parameters that the template specifies:
    1. For ExternalAccountId, enter the AWS account ID where your Cloud Scanner is deployed.
    2. For ScannerId, enter the ID of the Cloud Scanner that has been deployed in your environment.
  4. Configure additional options, such as IAM role permissions.
  5. Review all the settings and parameters. Check the Capabilities and transforms section and acknowledge that the template may create IAM resources, if applicable.
  6. Click on Create stack.

Step 3: Test connectivity

Once the stack deployment is complete, click on Test connectivity. Wait while the test confirms that all the appropriate IAM roles have been created in the target accounts. You will then receive a notification indicating either Success, Partial Success, or Failure, based on the outcome in each account.
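As an added check for Steps 2 and 3 (example code, not Upwind's template or tooling): once the StackSet has created the role in a target account, its trust policy should let only the scanner account assume it. The function below walks a trust policy document and reports any AssumeRole statement that trusts a wildcard or a different account, or that lacks the expected sts:ExternalId; the account ID, the scanner ID and the use of ScannerId as the external ID are placeholders and assumptions, not values from the page.

```python
import json

# Added example, not Upwind's template. Constructed placeholders for the two
# parameters named in Step 2 (ExternalAccountId and ScannerId):
SCANNER_ACCOUNT_ID = "111111111111"
SCANNER_ID = "scanner-example-id"

# Constructed trust policy as a target-account role might carry it. Using the
# scanner ID as sts:ExternalId is an assumption, not something the page states.
GOOD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SCANNER_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": SCANNER_ID}},
    }],
})

# Constructed over-permissive policy: any AWS principal may assume the role.
BAD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
})


def as_list(value):
    """IAM accepts a single string/object or a list in policy fields; normalise."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def check_trust_policy(policy_json, scanner_account_id, scanner_id):
    """Return findings for every Allow/AssumeRole statement that is not scoped
    to the scanner account or lacks the expected sts:ExternalId; [] means OK."""
    findings = []
    for idx, stmt in enumerate(as_list(json.loads(policy_json).get("Statement"))):
        actions = as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = as_list(principal if isinstance(principal, str) else principal.get("AWS"))
        for p in aws_principals:
            if p == "*" or f":{scanner_account_id}:" not in p:
                findings.append(f"statement {idx}: principal {p!r} is not the scanner account")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id != scanner_id:
            findings.append(f"statement {idx}: sts:ExternalId missing or not the scanner ID")
    return findings
```

Feed it the AssumeRolePolicyDocument that `aws iam get-role` returns for the created role in each target account.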