AWS Account Connection Overview

Before Aqua CSPM can produce any security scan results, you must connect a cloud account. For AWS, this is done through the use of a secure, third-party cross-account IAM role. To fully connect the account, you must complete steps in both your AWS account, as well as in your Aqua CSPM account.


CloudFormation (Recommended)

Step 1: Navigate to the "Cloud Accounts" page

  • Click on Connect Account on the top right


Step 2: Choose AWS under "Account Type" and CloudFormation under "Method"


Step 3: Click the Launch Stack button on the left side

Do not close the page/tab or refresh
  • Wait for the stack to finish creating in your AWS account

Step 4: Copy the role ARN from the outputs tab and paste it back in the wizard page


Step 5: Click Connect to finish


Manual Setup


Step 1: Navigate to the "Cloud Accounts" page

  • Click on Connect Account on the top right


Step 2: Choose AWS under "Account Type" and Manual Setup under "Method"


Step 3: Follow the steps provided to manually connect your AWS account

  1. Log into your AWS account and navigate to the IAM console.
  2. Create a new IAM role.
  3. When prompted for a trusted entity select Another AWS account.
  4. Enter "057012691312" for the account to trust (Account ID).
  5. Check the box to Require external ID and enter the external ID displayed in the Aqua connection wizard.
  6. Ensure that MFA token is not selected.
  7. Select the SecurityAudit managed policy.
  8. Enter a memorable role name and create the role.
  9. Then click on the role name and copy the role ARN to paste in Aqua connection wizard.
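As an added example (not Aqua's own code or tooling), the Python below writes the trust policy that steps 3 to 6 produce and reviews an existing trust policy against them: the only trusted principal is the Aqua account, the external ID from the wizard is required, and no MFA condition is set. The external ID value is a constructed placeholder.

```python
import json

# Account Aqua CSPM assumes the role from (from the manual setup steps above).
AQUA_ACCOUNT_ID = "057012691312"
AQUA_PRINCIPALS = {AQUA_ACCOUNT_ID, f"arn:aws:iam::{AQUA_ACCOUNT_ID}:root"}

def build_trust_policy(external_id: str) -> dict:
    """Trust policy equivalent to console steps 3-6: trust only the Aqua
    account, require the wizard's external ID, and set no MFA condition."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{AQUA_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def check_trust_policy(policy: dict, expected_external_id: str) -> list:
    """Review an existing trust policy; an empty list means it matches the
    manual steps (Aqua account only, correct external ID, no MFA)."""
    findings, seen = [], False
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        seen = True
        principal = stmt.get("Principal", {})
        principal = principal.get("AWS") if isinstance(principal, dict) else principal
        if not isinstance(principal, str) or principal not in AQUA_PRINCIPALS:
            findings.append("principal is not exactly the Aqua account")
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get("sts:ExternalId") != expected_external_id:
            findings.append("sts:ExternalId condition missing or wrong")
        if any("aws:MultiFactorAuthPresent" in v for v in cond.values()):
            findings.append("MFA condition present; Aqua cannot satisfy it")
    if not seen:
        findings.append("no Allow sts:AssumeRole statement")
    return findings

if __name__ == "__main__":
    # Constructed placeholder; use the external ID shown in the Aqua wizard.
    ext_id = "EXTERNAL-ID-FROM-WIZARD"
    policy = build_trust_policy(ext_id)
    print(json.dumps(policy, indent=2))
    print("findings:", check_trust_policy(policy, ext_id))
```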


Step 4: Click Connect to finish


Terraform

Step 1: Navigate to the "Cloud Accounts" page

  • Click on Connect Account on the top right

Step 2: Choose AWS under "Account Type" and Terraform under "Method"

Step 3: Select your Terraform Module version and follow the steps in the GitHub repo to incorporate the Aqua Terraform Module

Step 4: Paste the outputted Role ARN in the Aqua connection wizard

Step 5: Click Connect to finish


Bulk Upload

Step 1: Navigate to the "Cloud Accounts" page

  • Click on Connect Account on the top right

Step 2: Choose AWS under "Account Type" and Bulk Upload under "Method"

Step 3: Download the CSV template file

Step 4: Use the CloudFormation or Manual Setup steps to create an IAM role in all of your AWS accounts

Step 5: For each role you create, add the role ARN to the CSV, along with the external ID

For the "external ID" use the UUIDv4 value included in the CSV. You must use a unique ID for each account.
  • Add a maximum of 50 AWS accounts


Step 6: Drop the completed CSV file onto the Aqua connection wizard and select Connect Accounts