The Aqua CSPM Security Hub integration is completely automated from end to end and can be deployed in a few simple steps as described in this document.


The CloudFormation template retrieved from Aqua's GitHub repository is triggered by AWS Organizations, so it works with any AWS multi-account setup, not only AWS Control Tower.





Prerequisites

AWS management account

To deploy this integration, you will need access to the AWS management account. If you are using Control Tower, you will need admin access to the Control Tower management account. The solution leverages AWS Organizations to trigger the automation and does not require any additional resources to be enabled.


Aqua CSPM account

You will need an active subscription with Aqua CSPM for Developer or any higher pricing tier plan. Don’t have an account yet? See Signing Up for Aqua.


Aqua API key and secret key

Once registered, you can sign in to the Aqua Platform portal and generate the API key. Make a note of both the API key and the secret key; the StackSet parameters require them. For more information, see Generating a CSPM API Key and Secret.



Create the StackSet for this integration

1. Retrieve the CloudFormation template titled aqua-cspm-security-hub-integration from our GitHub repository, choosing the template that matches the region of your Aqua CSPM account.

2. Log in to your AWS management account and switch to the AWS Control Tower home region.

3. Navigate to the AWS CloudFormation console.

4. On the left navigation bar, select StackSets and click Create StackSet.

5. In the Choose a template step:

  1. Select Service-managed permissions in the Permissions section.
  2. In the Specify template section, either upload the YAML template or paste in the S3 URL of the template.
  3. Click Next.


6. In the Specify StackSet details step:

  1. Enter the StackSet name.
  2. Enter the AquaCSPMAPIKey and AquaCSPMSecretKey parameters using the API key and secret key you captured in the prerequisites.
  3. Select the type of notifications you want to receive. The default value is Send All Scan Results, but you can change it to New Risks Only.
  4. Click Next.

7. On the Configure StackSet options step, click Next.

8. On the Set deployment options step:

  a. Select Deploy to organizational units (OUs) and enter the appropriate AWS organizational unit ID in the Deployment targets section.

     Selecting an Organizational Unit (OU) allows you to create a mapping to a corresponding Group in Aqua CSPM for better management. You can also choose to deploy to the whole Organization, but then all accounts will be onboarded into the same Aqua CSPM Group. In our example we have chosen the OU ID of the AWS OU named R&D, to maintain parity between the Aqua CSPM Group and AWS Organizations.

  b. In the Automatic deployment section, select Enabled if you want the Security Hub integration stack to run automatically for accounts that are added to the OU in the future; otherwise select Disabled.

  c. Select Delete stacks in the Account removal behavior section.

  d. Select the home region in the Specify regions section.

  e. Leave the remaining deployment options at their defaults.

  f. Click Next.

9. Review the StackSet details and acknowledge the creation of IAM resources by clicking the checkbox.

10. Click Submit.

You will be taken to the StackSet details page. On the Operations tab, you can monitor the progress of the StackSet operation you just started. Wait until the Status shows SUCCEEDED before proceeding.

You can also verify the Stack instances that are kicked off for onboarding the AWS accounts under the R&D Organizational Unit (OU).
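The same deployment and verification, as an added example using the AWS CLI rather than the console (this is not Aqua's own tooling). TEMPLATE_URL, HOME_REGION and OU_ID are placeholders to replace with your own values; the notification parameter is left out because its parameter key is not given above, so the template default (Send All Scan Results) applies.

```shell
#!/bin/sh
# Added example (not Aqua's own tooling): the console steps above as AWS CLI calls.
# Placeholders, not values from the page: TEMPLATE_URL, HOME_REGION and OU_ID.
set -eu

STACKSET_NAME="${STACKSET_NAME:-aqua-cspm-security-hub-integration}"
TEMPLATE_URL="${TEMPLATE_URL:-https://EXAMPLE-BUCKET.s3.amazonaws.com/aqua-cspm-security-hub-integration.yaml}"
HOME_REGION="${HOME_REGION:-us-east-1}"   # placeholder: your Control Tower home region
OU_ID="${OU_ID:-ou-xxxx-xxxxxxxx}"         # placeholder: ID of the R&D OU

# Steps 5-8c: service-managed permissions, the two Aqua keys (read from the environment
# so they never sit in shell history), automatic deployment to accounts added later, and
# "Delete stacks" on account removal (RetainStacksOnAccountRemoval=false).
create_stack_set() {
  [ -n "${AQUA_CSPM_API_KEY:-}" ] && [ -n "${AQUA_CSPM_SECRET_KEY:-}" ] ||
    { echo "AQUA_CSPM_API_KEY and AQUA_CSPM_SECRET_KEY must be exported" >&2; return 1; }
  aws cloudformation create-stack-set --region "$HOME_REGION" \
    --stack-set-name "$STACKSET_NAME" --template-url "$TEMPLATE_URL" \
    --permission-model SERVICE_MANAGED \
    --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false \
    --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM \
    --parameters "ParameterKey=AquaCSPMAPIKey,ParameterValue=$AQUA_CSPM_API_KEY" \
                 "ParameterKey=AquaCSPMSecretKey,ParameterValue=$AQUA_CSPM_SECRET_KEY"
}

# Steps 8a/8d: deploy to the OU (not the whole Organization) in the home region only;
# the remaining deployment options stay at their defaults. Prints the operation ID.
create_stack_instances() {
  aws cloudformation create-stack-instances --region "$HOME_REGION" \
    --stack-set-name "$STACKSET_NAME" \
    --deployment-targets "OrganizationalUnitIds=$OU_ID" --regions "$HOME_REGION" \
    --query OperationId --output text
}

# Same check as the Operations tab: poll until the operation stops running.
wait_for_operation() {
  while :; do
    status=$(aws cloudformation describe-stack-set-operation --region "$HOME_REGION" \
      --stack-set-name "$STACKSET_NAME" --operation-id "$1" \
      --query StackSetOperation.Status --output text)
    case "$status" in QUEUED|RUNNING|STOPPING) sleep 15 ;; *) echo "$status"; return ;; esac
  done
}

if [ "${RUN_DEPLOY:-0}" = 1 ]; then
  create_stack_set >/dev/null
  op=$(create_stack_instances)
  [ "$(wait_for_operation "$op")" = SUCCEEDED ] || { echo "operation $op failed" >&2; exit 1; }
  # Per-account stack instances kicked off for the OU, as on the Stack instances tab.
  aws cloudformation list-stack-instances --region "$HOME_REGION" --stack-set-name "$STACKSET_NAME" \
    --query 'Summaries[].[Account,Region,StackInstanceStatus.DetailedStatus]' --output table
fi
```

Run it with RUN_DEPLOY=1 after exporting AQUA_CSPM_API_KEY and AQUA_CSPM_SECRET_KEY and setting the placeholders; the functions do nothing on their own, so the script can be sourced to reuse them.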