AWS Account Connection Overview
Before Aqua CSPM can produce any security scan results, you must connect a cloud account. For AWS, this is done through a cross-account IAM role that Aqua assumes from its own account, scoped by an external ID. To fully connect the account, you must complete steps both in your AWS account and in your Aqua CSPM account.
CloudFormation (Recommended)
Step 1: Navigate to the "Cloud Accounts" page
- Click on Connect Account on the top right
Step 2: Choose AWS under "Account Type" and CloudFormation under "Method"
Step 3: Click the Launch Stack button on the left side
Do not close or refresh the page/tab
- Wait for the stack to finish creating in your AWS account
Step 4: Copy the role ARN from the outputs tab and paste it back in the wizard page
Step 5: Click Connect to finish
Manual Setup
Step 1: Navigate to the "Cloud Accounts" page
- Click on Connect Account on the top right
Step 2: Choose AWS under "Account Type" and Manual Setup under "Method"
Step 3: Follow the steps provided to manually connect your AWS account
- Log into your AWS account and navigate to the IAM console.
- Create a new IAM role.
- When prompted for a trusted entity select Another AWS account.
- Enter "057012691312" for the account to trust (Account ID).
- Check the box to Require external ID and enter the external ID displayed in the Aqua connection wizard.
- Ensure that MFA token is not selected.
- Select the SecurityAudit managed policy.
- Enter a memorable role name and create the role.
- Then click the role name and copy the role ARN to paste into the Aqua connection wizard.
Step 4: Click Connect to finish
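The console steps above produce a role trust policy like the one built below. This Python example is added here and is not Aqua's code: it builds that trust policy and checks an existing one for the two settings the steps call out (the external-ID condition is present, and no MFA condition is set). The external ID value is a constructed placeholder.

```python
import uuid

# Aqua's account ID, as given in the Manual Setup steps.
AQUA_ACCOUNT_ID = "057012691312"


def build_trust_policy(external_id: str, aqua_account_id: str = AQUA_ACCOUNT_ID) -> dict:
    """Trust policy equivalent to the console choices: trust 'Another AWS account',
    require an external ID, and leave 'Require MFA' unselected."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{aqua_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def check_trust_policy(policy: dict, aqua_account_id: str = AQUA_ACCOUNT_ID) -> list:
    """Return a list of problems in an existing trust policy (empty list = OK).
    Flags: a principal other than the Aqua account, a missing sts:ExternalId
    condition (confused-deputy risk), or an MFA condition Aqua cannot satisfy."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {}).get("AWS", "")
        if isinstance(principals, str):
            principals = [principals]
        for p in principals:
            if aqua_account_id not in p:  # e.g. "*" or an unrelated account
                problems.append(f"unexpected principal: {p!r}")
        cond = stmt.get("Condition", {})
        if not cond.get("StringEquals", {}).get("sts:ExternalId"):
            problems.append("missing sts:ExternalId condition")
        if any("aws:MultiFactorAuthPresent" in v for v in cond.values()):
            problems.append("MFA condition present; Aqua cannot satisfy it")
    return problems


if __name__ == "__main__":
    # Constructed external ID; in practice use the one shown in the wizard.
    policy = build_trust_policy(str(uuid.uuid4()))
    print("problems:", check_trust_policy(policy))
```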
Terraform
Step 1: Navigate to the "Cloud Accounts" page
- Click on Connect Account on the top right
Step 2: Choose AWS under "Account Type" and Terraform under "Method"
Step 3: Select your Terraform Module version and follow the steps in the GitHub repo to incorporate the Aqua Terraform Module
Step 4: Paste the Role ARN from the module output into the Aqua connection wizard
Step 5: Click Connect to finish
Bulk Upload
Step 1: Navigate to the "Cloud Accounts" page
- Click on Connect Account on the top right
Step 2: Choose AWS under "Account Type" and Bulk Upload under "Method"
Step 3: Download the CSV template file
Step 4: Use the CloudFormation or Manual Setup steps to create an IAM role in all of your AWS accounts
Step 5: For each role you create, add the role ARN to the CSV, along with the external ID
For the "external ID" use the UUIDv4 value included in the CSV. You must use a unique ID for each account.
- Add a maximum of 50 AWS accounts