
Add All AWS Accounts to Cloud Conformity

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that all your Amazon Web Services (AWS) accounts are added to your Cloud Conformity subscription so that every infrastructure and resource misconfiguration within your AWS cloud can be identified.

Security

Visibility into the activity of your AWS cloud accounts is a key aspect of security, compliance and operational best practice. Having all your AWS accounts added to your Cloud Conformity subscription ensures that all potential security risks are identified immediately and prioritized according to the impact they may have on your business.

Audit

To determine if all AWS member accounts have been added to Cloud Conformity, perform the following actions:

Using AWS Console

01 Sign in to your AWS Organizations master account using the account root credentials.

02 Navigate to AWS Organizations dashboard at https://console.aws.amazon.com/organizations/.

03 Select the Accounts tab to access the list of AWS accounts that are members of your AWS Organizations.

04 On the Accounts panel, identify the ID of the member account that you want to examine, listed in the Account ID column. A member account is the account entry without the star. The star next to the account email indicates the master account.

05 Sign in to your Cloud Conformity account.

06 In the left navigation panel, under All Cloud Accounts, select the subscribed AWS account that you want to examine.

07 Click on the Settings… button from the main dashboard menu to access the configuration settings available for the selected AWS account.

08 In the General settings section, under Account information, identify the ID of the selected AWS account, available as the value of the AWS Account ID attribute. Compare the ID of the selected AWS account with the ID of the AWS Organizations member account found at step no. 4.

09 Repeat step no. 6 – 8 to check the ID of the selected member account against each AWS account subscribed to Cloud Conformity. If the member account ID does not match any AWS account subscribed, the selected AWS Organizations member account is not added to your Cloud Conformity subscription.

10 Repeat steps no. 4 – 9 to verify the rest of the member accounts available within your AWS Organizations.

Using AWS CLI

01 Run describe-organization command (OSX/Linux/UNIX) using custom query filters to describe the ID of the master account for your AWS Organizations. This command can be called only from your organization's master account:

aws organizations describe-organization \
  --query 'Organization.MasterAccountId'

02 The command output should return the master account identifier (ID):

"123456789012"

03 Run list-accounts command (OSX/Linux/UNIX) using custom query filters to list the IDs of all the accounts (master and member accounts) added to your AWS Organizations:

aws organizations list-accounts \
  --query 'Accounts[*].Id'

04 The command output should return an array with the requested AWS account IDs. Identify the ID of the master account and the ID(s) of the member account(s):

[
	"123456789012",
	"123412341234",
	"111222333444"
]

05 List the IDs of all AWS accounts subscribed to Cloud Conformity using the Cloud Conformity API (OSX/Linux/UNIX) and the jq tool – a lightweight command-line JSON processor. All requests to Cloud Conformity's API must be authenticated with an API key. An API key is a secure 64-bit strong key randomly generated on your behalf. If you need to create a new API Key, navigate to Cloud Conformity console, select User settings > API Keys and click on New API Key to generate your API key. Replace <cc-api-key> with your own API key:

curl -H "Content-Type: application/vnd.api+json" -H "Authorization: ApiKey <cc-api-key>" https://us-west-2-api.cloudconformity.com/v1/accounts | jq '.data[].attributes."awsaccount-id"'

06 The command output should return the IDs of the subscribed AWS accounts:

"123456789012"
"123412341234"

Compare the IDs of the AWS accounts subscribed to Cloud Conformity with the IDs of the AWS Organizations accounts returned at step no. 4. If the list of subscribed AWS accounts does not match the list of AWS Organizations accounts, not all the member accounts of your AWS Organizations were added to your Cloud Conformity subscription.
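The comparison in the last step can be scripted. The following is an added example, not part of this knowledge base article: it embeds constructed sample ID lists in place of the live list-accounts and /v1/accounts output (the comments show the real commands that would fill them), and prints every AWS Organizations account that has no Cloud Conformity subscription.

```shell
#!/bin/sh
# Added example (not part of the Conformity knowledge base): compare the account IDs
# reported by AWS Organizations with the IDs subscribed to Cloud Conformity and list
# every organization account that has no Conformity subscription.
#
# The two ID lists below are constructed sample data. In practice, fill them from
# the commands shown in the Audit section, for example:
#   ORG_ACCOUNT_IDS=$(aws organizations list-accounts --query 'Accounts[*].Id' --output text | tr '\t' '\n')
#   CC_ACCOUNT_IDS=$(curl -s -H "Content-Type: application/vnd.api+json" \
#       -H "Authorization: ApiKey $CC_API_KEY" \
#       https://us-west-2-api.cloudconformity.com/v1/accounts \
#       | jq -r '.data[].attributes."awsaccount-id"')

# Constructed sample: master account plus two member accounts, as list-accounts returns them.
ORG_ACCOUNT_IDS="123456789012
123412341234
111222333444"

# Constructed sample: accounts currently subscribed to Cloud Conformity.
CC_ACCOUNT_IDS="123456789012
123412341234"

# missing_accounts ORG_IDS CC_IDS
# Prints, one per line, each ID in ORG_IDS that does not appear in CC_IDS.
# grep -x matches whole lines only, so an ID cannot match inside a longer one.
missing_accounts() {
    for id in $1; do
        if ! printf '%s\n' "$2" | grep -qx "$id"; then
            printf '%s\n' "$id"
        fi
    done
}

# audit_conformity_coverage ORG_IDS CC_IDS
# Returns 0 when every organization account is subscribed, 1 otherwise,
# and reports the unsubscribed accounts on stdout.
audit_conformity_coverage() {
    missing=$(missing_accounts "$1" "$2")
    if [ -z "$missing" ]; then
        echo "PASS: all AWS Organizations accounts are subscribed to Cloud Conformity"
        return 0
    fi
    echo "FAIL: the following AWS Organizations accounts are not subscribed to Cloud Conformity:"
    printf '  %s\n' $missing
    return 1
}

# With the sample data above this reports 111222333444 as unsubscribed.
audit_conformity_coverage "$ORG_ACCOUNT_IDS" "$CC_ACCOUNT_IDS" || true
```

The non-zero return value of audit_conformity_coverage makes the check usable as a scheduled job or CI gate: any account created in the organization that never gets registered with Conformity shows up on the next run rather than going unscanned.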

Remediation / Resolution

To ensure that all your AWS accounts are added to your Cloud Conformity subscription, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity account.

02 In the left navigation panel, click on the Add an account button to initiate the AWS account registration process.

03 On the Add New Account page, select AWS Account, then click Next to continue the process.

04 In the Account details section, provide a unique name for your cloud account in the Account name box, then type the name of your cloud environment (e.g. Production, Staging, Development) in the Environment box. Click Next to continue.

05 For Choose the authentication type, select Automated setup (recommended) to use Amazon CloudFormation service to enable Cross-Account Access, delegating access to your resources from the Cloud Conformity account using a predefined policy. Click Next to continue.
Note: We recommend using Automated setup as it is easier from a user experience perspective. We also recommend that the CloudFormation stack be launched in North Virginia (us-east-1). You can launch the stack in any region, but since the resources inside the template are AWS IAM resources, which are global and created in North Virginia regardless, there is no advantage in launching the stack in another region. Furthermore, if the stack is in another region, the Cloud Conformity account access settings will not show the account as managed by CloudFormation.

06 Open a new browser tab and sign in to the AWS account that you want to add to your Cloud Conformity subscription.

07 Download and review the Amazon CloudFormation template from https://s3-us-west-2.amazonaws.com/cloudconformity/CloudConformity.template. This template creates the necessary resources to grant access to Cloud Conformity.

08 Go back to the Cloud Conformity registration page and click on the Launch Stack button.

09 On the AWS CloudFormation Quick create stack page, select the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox, and click Create stack to launch the stack.

10 Once the CloudFormation stack creation is finished and the stack status is set to CREATE_COMPLETE, select the Outputs tab, copy the CloudConformityRoleArn key value and paste it on the Cloud Conformity registration page, in the ARN box. Click Next to register your AWS account.

11 Choose whether to add conformity add-on packages and click Next to finish the setup process. As soon as the setup process is completed, your newly added AWS account should be scanned by the Cloud Conformity engine.

12 Repeat steps no. 2 – 11 to add all your AWS accounts to the Cloud Conformity subscription.

Using AWS CLI

01 Get your Cloud Conformity organization external ID using the Cloud Conformity API (OSX/Linux/UNIX) and the jq tool – a lightweight command-line JSON processor. The primary function of the organization external ID is to address and prevent the 'confused deputy' problem. All requests to Cloud Conformity's API must be authenticated with an API key. An API key is a secure 64-bit strong key randomly generated on your behalf. To create an API Key, navigate to Cloud Conformity console, select User settings > API Keys and click on New API Key to generate your new API key. Replace <cc-api-key> with your own API key:

curl -X GET -H "Content-Type: application/vnd.api+json" -H "Authorization: ApiKey <cc-api-key>" https://us-west-2-api.cloudconformity.com/v1/organisation/external-id | jq '.data.id'

02 The command output should return the requested identifier (external ID):

"abcdabcd-abcd-abcd-abcd-abcdabcdabcd"

03 Run create-stack command (OSX/Linux/UNIX) to create the Amazon CloudFormation stack that deploys the AWS resources required to grant access to Cloud Conformity. Replace <cc-external-id> with your Cloud Conformity external ID returned at the previous step:

aws cloudformation create-stack \
  --stack-name CloudConformity \
  --region us-east-1 \
  --template-url https://s3-us-west-2.amazonaws.com/cloudconformity/CloudConformity.template \
  --parameters ParameterKey=AccountId,ParameterValue=717210094962 ParameterKey=ExternalId,ParameterValue=<cc-external-id> \
  --capabilities CAPABILITY_NAMED_IAM

04 The command output should return the full ARN of the new CloudFormation stack:

{
	"StackId": "arn:aws:cloudformation:us-east-1:<aws-account-id>:stack/CloudConformity/<stack-id>"
}

05 Add your AWS account to Cloud Conformity (see Audit section part II to identify the right account) using the Cloud Conformity API (OSX/Linux/UNIX) and the following parameters:

  • <cc-api-key> - your Cloud Conformity subscription API key. All requests to Cloud Conformity's API must be authenticated with an API key.
  • <cc-aws-cloud-account> - the name of the AWS cloud account added to Cloud Conformity.
  • <cc-aws-cloud-environment> - the name of the AWS cloud environment.
  • arn:aws:iam::<aws-account-id>:role/CloudConformity - the ARN of the IAM role that you have already created to grant access to Cloud Conformity. Replace <aws-account-id> with the ID of the AWS account that you want to add to Cloud Conformity (e.g. 123456789012).
  • <cc-external-id> - the external ID returned at step no. 2.
  • (Optional) Set "costPackage" and "hasRealTimeMonitoring" to true to enable the cost package and Real-Time Threat Monitoring add-ons:

curl -X POST \
-H "Content-Type: application/vnd.api+json" \
-H "Authorization: ApiKey <cc-api-key>" \
-d '
{
	"data": {
	"type": "account",
	"attributes": {
		"name": "<cc-aws-cloud-account>",
		"environment": "<cc-aws-cloud-environment>",
		"access": {
			"keys": {
				"roleArn": "arn:aws:iam::<aws-account-id>:role/CloudConformity",
				"externalId": "<cc-external-id>"
			}
		},
		"costPackage": true,
		"hasRealTimeMonitoring": true
	}
	}
}' \
https://us-west-2-api.cloudconformity.com/v1/accounts

06 The command should return a response similar to the following:

{
	"data": {
		"type": "accounts",
		"id": "ABCDABCD",
		"attributes": {
			"name": "<cc-aws-cloud-account>",
			"environment": "<cc-aws-cloud-environment>",
			"awsaccount-id": "<aws-account-id>",
			"status": "ACTIVE",
			"has-real-time-monitoring": true,
			"cost-package": true,
			"created-date": 1595953690,
			"settings": {
				"communication": {
					"channels": [
					{
						"name": "email",
						"users": [
						"ABCDABCD"
						],
						"enabled": true,
						"levels": [
						"EXTREME",
						"VERY_HIGH",
						"HIGH"
						]
					}
					]
				},
				"rules": {},
				"access": {
					"type": "CROSS_ACCOUNT",
					"stackId": "arn:aws:cloudformation:us-east-1:<aws-account-id>:stack/CloudConformity/<stack-id>"
				}
			}
		},
		"relationships": {
			"organisation": {
				"data": {
					"type": "organisations",
					"id": "ABCDABCDABCD"
				}
			}
		}
	}
}

07 Repeat steps no. 3 – 6 to add all your AWS accounts to the Cloud Conformity subscription.
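The Remediation CLI steps chain together naturally into one script. The following is an added example, not part of this knowledge base article or of the Conformity product: the helper functions build the role ARN and the request body used in steps 3 to 5 and run offline, while register_aws_account performs the live calls (external ID lookup, stack creation, stack output read, account registration) and only runs when RUN_LIVE=1 is set. It assumes CC_API_KEY holds a Cloud Conformity API key, that the AWS CLI is configured for the account being added, and that the template URL, the Conformity AWS account ID (717210094962), the CloudConformityRoleArn stack output and the us-west-2 API endpoint are as given above.

```shell
#!/bin/sh
# Added example (not part of the Conformity knowledge base): the Remediation / Resolution
# CLI steps as one script. Offline helpers build the values; register_aws_account does
# the live work and is only invoked when RUN_LIVE=1 (needs AWS credentials and CC_API_KEY).

CC_API="https://us-west-2-api.cloudconformity.com/v1"
CC_TEMPLATE_URL="https://s3-us-west-2.amazonaws.com/cloudconformity/CloudConformity.template"
CC_ACCOUNT_ID="717210094962"   # Cloud Conformity's own AWS account, the principal allowed to assume the role

# role_arn_for AWS_ACCOUNT_ID: ARN of the role the CloudConformity stack creates in that account.
role_arn_for() {
    printf 'arn:aws:iam::%s:role/CloudConformity' "$1"
}

# account_payload NAME ENVIRONMENT ROLE_ARN EXTERNAL_ID [COST_PACKAGE] [REAL_TIME_MONITORING]
# JSON body for POST /v1/accounts (same shape as the curl body in step 5). The external ID
# is what prevents a third party from pointing Conformity at your role (confused deputy).
account_payload() {
    cost=${5:-false}
    rtm=${6:-false}
    printf '{"data":{"type":"account","attributes":{"name":"%s","environment":"%s","access":{"keys":{"roleArn":"%s","externalId":"%s"}},"costPackage":%s,"hasRealTimeMonitoring":%s}}}' \
        "$1" "$2" "$3" "$4" "$cost" "$rtm"
}

# register_aws_account AWS_ACCOUNT_ID NAME ENVIRONMENT
register_aws_account() {
    aws_account_id=$1; name=$2; env=$3

    # Steps 1-2: fetch the organisation external ID.
    external_id=$(curl -sf -H "Content-Type: application/vnd.api+json" \
        -H "Authorization: ApiKey $CC_API_KEY" \
        "$CC_API/organisation/external-id" | jq -r '.data.id')

    # Steps 3-4: create the stack that provisions the cross-account role, then wait for it.
    aws cloudformation create-stack \
        --stack-name CloudConformity \
        --region us-east-1 \
        --template-url "$CC_TEMPLATE_URL" \
        --parameters ParameterKey=AccountId,ParameterValue="$CC_ACCOUNT_ID" \
                     ParameterKey=ExternalId,ParameterValue="$external_id" \
        --capabilities CAPABILITY_NAMED_IAM
    aws cloudformation wait stack-create-complete --stack-name CloudConformity --region us-east-1

    # Read the role ARN from the stack output instead of assuming it, then sanity-check it.
    role_arn=$(aws cloudformation describe-stacks --stack-name CloudConformity --region us-east-1 \
        --query 'Stacks[0].Outputs[?OutputKey==`CloudConformityRoleArn`].OutputValue' --output text)
    [ "$role_arn" = "$(role_arn_for "$aws_account_id")" ] || {
        echo "unexpected role ARN from stack output: $role_arn" >&2; return 1; }

    # Steps 5-6: register the account with Conformity (both add-ons enabled here).
    curl -sf -X POST -H "Content-Type: application/vnd.api+json" \
        -H "Authorization: ApiKey $CC_API_KEY" \
        -d "$(account_payload "$name" "$env" "$role_arn" "$external_id" true true)" \
        "$CC_API/accounts"
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
    register_aws_account "$1" "$2" "$3"   # usage: RUN_LIVE=1 ./add-account.sh 123456789012 Prod Production
fi
```

Reading the role ARN back from the stack output and comparing it with the expected arn:aws:iam::<aws-account-id>:role/CloudConformity form catches the case where the stack was created in a different account than intended before the registration request is sent.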

Publication date Dec 14, 2023