TABLE OF CONTENTS


AWS Account Connection Overview

Before Aqua CSPM can produce any security scan results, you must connect a cloud account. For AWS, this is done through the use of a secure, third-party cross-account IAM role. To fully connect the account, you must complete steps in both your AWS account, as well as in your Aqua CSPM account.


CloudFormation (Recommended)

Step 1: Navigate to the Cloud Accounts page. Click Connect Account on the top right.


Step 2: Choose AWS under Account Type and CloudFormation under Method.


Step 3: Click the Launch Stack button on the left side. Wait for the stack to finish creating in your AWS account

Do not close the page/tab or refresh


Step 4: Copy the role ARN from the outputs tab and paste it back in the wizard page


Step 5: Click Connect to finish.


Manual Setup


Step 1: Navigate to the Cloud Accounts page. Click on Connect Account on the top right.


Step 2: Choose AWS under Account Type and Manual Setup under Method.


Step 3: Follow the steps below to manually connect your AWS account:

  1. Log into your AWS account and navigate to the IAM console.
  2. Create a new IAM role.
  3. When prompted for a trusted entity select Another AWS account.
  4. Enter "057012691312" for the account to trust (Account ID).
  5. Check the box to Require external ID and enter the external ID displayed in the Aqua connection wizard.
  6. Ensure that MFA token is not selected.
  7. Select the SecurityAudit managed policy.
  8. Enter a memorable role name and create the role.
  9. Then click on the role name and copy the role ARN to paste in the Aqua connection wizard.


Step 4: Click Connect to finish.


Terraform

Step 1: Navigate to the Cloud Accounts page. Click on Connect Account on the top right.

Step 2: Choose AWS under Account Type and Terraform under Method.

Step 3: Select your Terraform Module version and follow the steps in the GitHub repo to incorporate the Aqua Terraform Module.

Step 4: Paste the outputted Role ARN in the Aqua connection wizard.

Step 5: Click Connect to finish.


Bulk Upload

Step 1: Navigate to the Cloud Accounts page. Click on Connect Account on the top right.

Step 2: Choose AWS under Account Type and Bulk Upload under Method.

Step 3: Download the CSV template file.

Step 4: Use the CloudFormation or Manual Setup steps to create an IAM role in all of your AWS accounts.

Step 5: For each role you create, add the role ARN to the CSV, along with the external Id. Add a maximum of 50 AWS accounts

For the "external ID" use the UUIDv4 value included in the CSV. You must use a unique ID for each account.


Step 6: Drop the completed CSV file onto the Aqua connection wizard and select Connect Accounts.



AWS Control Tower

AWS Control Tower offers the easiest way to onboard multiple AWS accounts into Aqua CSPM. You get visibility into all the provisioned AWS accounts through the Control Tower dashboard and Aqua Cloud Accounts page for continuous oversight of your multi-account environment. To know more about how to deploy AWS Control Tower solution and integrate it with Aqua CSPM, please visit Deployment of AWS Control Tower Solution.