The Aqua CSPM integration is completely automated, end-to-end, and can be deployed in a few simple steps as described in further sections.


The CloudFormation template retrieved from Aqua's GitHub repository is triggered by AWS Organizations and can be used for any AWS multi-account setup in addition to AWS Control Tower.



TABLE OF CONTENTS


Prerequisites

1. AWS Management Account

In order to deploy this integration, you will need access to the AWS Management account. If you are using Control Tower, you will need admin access to the Control Tower Management account. The solution leverages AWS Organizations to trigger the automation and doesn’t require any additional resources to be enabled. 


To get started with AWS Control Tower, check out the Getting Started documentation. Click here to learn more about AWS Organizations.


2. Aqua CSPM Account

You will need an active subscription with Aqua CSPM for Developer or any higher pricing tier plan. Don’t have an account yet? See Signing Up for Aqua Wave.


3. Aqua API and Secret Keys

Once registered, you can sign into the Aqua Wave portal and generate the API key. Make a note of the API Key and the Secret key. For more information, see Creating Aqua Wave CSPM API Keys.


4. Aqua Group

Aqua CSPM comes with a Default group and can be used to add the newly provisioned accounts. Additionally, you can create a new Group and provide it as a parameter to the CloudFormation StackSet to which the newly created cloud accounts will be automatically onboarded. For more information, see Aqua Wave Groups Overview.  


Ideally, you will want to maintain group parity between the AWS Organization Units and the Aqua CSPM groups. It is recommended to name the Groups based on Business Unit or Organization Unit names. (E.g.: R&D, Sales etc.)



Step 1: Create the StackSet for this Integration

  1. Retrieve the CloudFormation template for the solution from our GitHub repository
  2. Log into your Management account and navigate to AWS Control Tower home region.
  3. Navigate to the AWS CloudFormation console.
  4. On the left navigation bar, select StackSets and click Create StackSet.
  5. In the Choose a template step, either upload the YAML template or paste in the S3 URL for the template.
  6. In the Specify StackSet details section, enter the StackSet name and input the AquaCSPMAPIKey and AquaCSPMSecretKey that you captured in Step 1.2 along with the AquaGroupName from Step 1.3. For AquaGroupName, we are providing the input as R&D to align with the Aqua CSPM Group created in the previous section. Click Next.
  7. On the Configure StackSetoptions page under the Permissions section, select Service-managed permissions. Click Next
  8. On the Set deployment options page:
    •  Under Deployment targets, select Deploy to organizational units (OUs) and input the appropriate AWS Organization Unit ID.
Selecting an Organizational Unit (OU) allows you to create a mapping to a corresponding Group in Aqua CSPM for better management. You can choose deploying to Organization as well but that will lead to all the accounts being onboarded to the same Aqua CSPM Group. We have chosen the OU ID for the AWS OU named R&D in our example, to maintain Group parity between the Aqua CSPM Group and AWS Organizations.
  • For Automatic deployment, select Enabled.
  • For Account removal behavior, select Delete stacks.
  • For Specify regions, select the home region.
  • Leave the deployment options as default.
  • Click Next.

9. Review the StackSet details and acknowledge the creation of IAM resources by clicking the checkbox.

10. Click Submit.

11. You will be taken to the StackSet details page, under the Operations tab, where you can monitor the progress of the stack set that you just attempted to create. Wait until you make sure, the Status reads SUCCEEDED.

12. You can also verify the Stack instances that are kicked off for onboarding the AWS accounts under the R&D Organizational Unit (OU).

Step 2: Verify the Automated Onboarding of Newly Enrolled Accounts into Aqua CSPM

  1. Once a new account is enrolled from AWS Control Tower, it is automatically set up to allow your Aqua CSPM to scan, monitor, and audit the account for compliance standards. 
  2. You can log into your Aqua Wave account and verify that the new account has been registered. Filter the cloud accounts by R&D. All newly created cloud accounts using AWS Control Tower would be listed under the R&D group.
  3. Click Scan to scan the desired cloud account.
  4. To view the scan report of a particular cloud account, select Scan Reports under Scans drop-down and select View Report. The scan report summary would be displayed as below:
  5. You can then go ahead and enable the Real-time events and Remediations for the accounts as per your need.



The CloudFormation template retrieved from Aqua's GitHub repository can also be used with a single AWS account and not necessarily only with AWS Control Tower.