AWS account

This topic describes how to connect an Amazon Web Services (AWS) account to CEM.

Before you begin

Make sure you have the following:

Additionally, do the following

Connect to AWS

The following sections describe the different options for connecting to an AWS cloud workspace.

Discover a new AWS organization

Discover resource hierarchies for a new AWS organization. After the discovery is complete, you can connect your AWS accounts from the CEM account list.

Step 1: Provide the AWS organization details

  1. In CEM, provide the following information about your AWS organization:

    Management account ID
      The account ID is a unique 12-digit identifier assigned to each AWS account. The management account was previously named the "master account".

    Root ID
      The unique identifier (ID) of the root. A root ID starts with "r-". The root ID is in the AWS console under Management console > AWS organization.

    Organization name (optional)
      An organization is a collection of accounts that are centrally managed.

    Organization description (optional)
      Meaningful description of the organization.

    Specify where your logs are stored
      Logs can be stored in the root of your CloudTrail bucket (management account) or in a dedicated AWS account.

    AWS account ID
      If you select Dedicated AWS account as your log location, you are prompted to provide this AWS account ID.

    Trail log location
      Enter the shared CloudTrail location for the management account to enable CEM to access the usage logs.

      To find your trail log location, do the following:

      1. In your AWS console, go to CloudTrail > Trails.

      2. Select the trail that contains your logs.

      3. Copy the path found under Trail log location.

    Home region
      Specify the home region of the trail log. To view the home region of your trail log, in the AWS console go to CloudTrail > Trails.

  2. Select This organization uses IAM Identity Center (formerly AWS SSO) if relevant.

Step 2: Configure permissions

Next, use the CloudFormation template you downloaded from the link on the CEM page to create resources for your management account.

The CEM CloudFormation stack does the following:

  • Creates a role for CEM to read your AWS organization’s structure and discover all workspaces.

  • Creates a CloudWatch rule to notify CEM of any changes in the AWS organization’s structure.

  • Creates a stack instance for each member account in your AWS organization, including a role with a policy that grants CEM scanning permissions.

  • Creates a bucket to contain CEM’s scan results in your management account.

Step 3: Start discovery

When you click Start discovery in CEM, it scans your AWS organization to discover the cloud workspaces.

Discovery may take some time. CEM notifies you when it finishes the process.

You can continue to work in CEM. If you sign out, check the notification center when you sign in to your next session.

Step 4: Connect AWS accounts

In CEM, select the AWS accounts you want to connect.

For details, see View and manage workspace connections.

Connect a new AWS account to an existing organization

From CEM Platform management, you can add new or existing accounts to a discovered organization at any time after discovery.

  1. Go to Setup > Platform management > AWS.

  2. Select the accounts to connect.

    For details, see View and manage workspace connections.

Connect AWS standalone account(s)

You can connect AWS accounts manually through the web interface, or you can add them programmatically using the CEM API.

To onboard an AWS workspace to CEM using the API, you first create the required AWS resources and then call the CEM API. Refer to Create AWS account to see a sample implementation.

Step 1: Specify AWS resources

Before you can call the API, create the following:

  Role(s)
    A role or roles to enable CEM to scan your account. Create one role to access IAM and one to access Athena, or combine them into one role.

  S3 bucket
    This bucket stores the results of the Athena queries. Grant permissions on the bucket to the role(s) you created for Athena and IAM.

Refer to Create AWS account to see a sample implementation.

Step 2: Configure permissions

  1. Grant the following permissions to the role(s) you created to access IAM and Athena. Each entry lists the permission, the API it belongs to, and what it allows:

    GetLoginProfile (IAM)
      Retrieves the user’s name and password-creation date for the specified IAM user.

    ListMFADevices (IAM)
      Lists the MFA devices for an IAM user.

    GenerateServiceLastAccessedDetails (IAM)
      Generates a report that includes details about when an IAM resource (user, group, role, or policy) was last used in an attempt to access an AWS service.

    GetAccountAuthorizationDetails (IAM)
      Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another.

    GetServiceLastAccessedDetails (IAM)
      Retrieves a service last accessed report.

    ListAccessKeys (IAM)
      Returns information about the access key IDs associated with the specified IAM user. If there are no associated access keys, the operation returns an empty list.

    GetAccessKeyLastUsed (IAM)
      Retrieves information about when the specified access key was last used, including the date and time, and the AWS service and region that were specified in the last request made with the key.

    GenerateCredentialReport (IAM)
      Generates a credential report for the AWS account.

    GetCredentialReport (IAM)
      Retrieves a credential report for the AWS account.

    GetQueryExecution (Athena)
      Returns information about a single execution of a query. (Limited to Athena workgroup: CEMWorkGroup)

    GetQueryResults (Athena)
      Streams the results of a single query execution. (Limited to Athena workgroup: CEMWorkGroup)

    CreateWorkGroup (Athena)
      Creates a workgroup. (Limited to Athena workgroup: CEMWorkGroup)

    StartQueryExecution (Athena)
      Runs an SQL query statement. (Limited to Athena workgroup: CEMWorkGroup)

    GetDatabase (Glue)
      Retrieves the definition of a specified database. (Limited to the cloudtraildb database and its resources)

    GetPartition (Glue)
      Retrieves information about a specified partition. (Limited to the cloudtraildb database and its resources)

    GetPartitions (Glue)
      Retrieves information about the partitions in a table. (Limited to the cloudtraildb database and its resources)

    GetTable (Glue)
      Retrieves information about a specified table. (Limited to the cloudtraildb database and its resources)

    GetTables (Glue)
      Retrieves the definitions of some or all of the tables in a given database. (Limited to the cloudtraildb database and its resources)

    BatchCreatePartition (Glue)
      Creates one or more partitions in a batch operation. (Limited to the cloudtraildb database and its resources)

    CreateDatabase (Glue)
      Creates a new database in a data catalog. (Limited to the cloudtraildb database and its resources)

    CreateTable (Glue)
      Creates a new table definition in the data catalog. (Limited to the cloudtraildb database and its resources)

  2. Set up the IAM and Athena access role with a trust policy for the CEM AWS account, using the following policy parameters:

    AWS account
      023673983569

    External ID
      {organization}-{customer account ID}

    Note: Organization is the name you use to sign in to CEM.

Example

    {
      "Version": "2008-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::023673983569:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "[tenantname]-622382967619"
            }
          }
        }
      ]
    }
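The following script is an added example and is not CEM's or CyberArk's own code. It covers the two preceding steps: it assembles a permissions policy for the scanning role(s) that grants exactly the IAM, Athena and Glue actions listed above, with the Athena and Glue statements scoped to the CEMWorkGroup workgroup and the cloudtraildb database (using the standard AWS ARN formats for those resources), and it assembles the trust policy with the external ID in the {organization}-{customer account ID} form. Two check functions then report what a reviewer would look for: that the trust policy only lets the CEM account (023673983569) assume the role and only with the expected sts:ExternalId, and that no Athena or Glue action is granted on Resource "*". The region, tenant name and customer account ID in the block are constructed placeholders; the IAM statement uses Resource "*" because account-wide IAM read calls such as GetAccountAuthorizationDetails and GetCredentialReport do not take a resource ARN.

```python
import json

# Values that appear on the page
CEM_ACCOUNT_ID = "023673983569"   # CEM's own AWS account (trust policy principal)
WORKGROUP = "CEMWorkGroup"        # Athena workgroup the Athena permissions are limited to
GLUE_DB = "cloudtraildb"          # Glue database the Glue permissions are limited to

IAM_ACTIONS = [
    "iam:GetLoginProfile", "iam:ListMFADevices",
    "iam:GenerateServiceLastAccessedDetails", "iam:GetAccountAuthorizationDetails",
    "iam:GetServiceLastAccessedDetails", "iam:ListAccessKeys",
    "iam:GetAccessKeyLastUsed", "iam:GenerateCredentialReport",
    "iam:GetCredentialReport",
]
ATHENA_ACTIONS = [
    "athena:GetQueryExecution", "athena:GetQueryResults",
    "athena:CreateWorkGroup", "athena:StartQueryExecution",
]
GLUE_ACTIONS = [
    "glue:GetDatabase", "glue:GetPartition", "glue:GetPartitions", "glue:GetTable",
    "glue:GetTables", "glue:BatchCreatePartition", "glue:CreateDatabase",
    "glue:CreateTable",
]


def build_scan_policy(region: str, account_id: str) -> dict:
    """Permissions policy for the scanning role(s). IAM read actions need
    Resource "*" (they are account-wide); Athena and Glue are pinned to the
    workgroup and database named on the page."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "IamRead", "Effect": "Allow", "Action": IAM_ACTIONS, "Resource": "*"},
            {"Sid": "AthenaWorkgroup", "Effect": "Allow", "Action": ATHENA_ACTIONS,
             "Resource": f"arn:aws:athena:{region}:{account_id}:workgroup/{WORKGROUP}"},
            {"Sid": "GlueCloudTrailDb", "Effect": "Allow", "Action": GLUE_ACTIONS,
             "Resource": [
                 f"arn:aws:glue:{region}:{account_id}:catalog",
                 f"arn:aws:glue:{region}:{account_id}:database/{GLUE_DB}",
                 f"arn:aws:glue:{region}:{account_id}:table/{GLUE_DB}/*",
             ]},
        ],
    }


def build_trust_policy(tenant: str, customer_account_id: str) -> dict:
    """Trust policy allowing only the CEM account to assume the role, and only
    when it presents the external ID {organization}-{customer account ID}."""
    return {
        "Version": "2012-10-17",   # the page's sample uses 2008-10-17; both are valid
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{CEM_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": f"{tenant}-{customer_account_id}"}},
        }],
    }


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(doc: dict, expected_external_id: str) -> list:
    """Problems with a trust policy; an empty list means it matches the page's requirements."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        for p in aws_principals:
            if f":{CEM_ACCOUNT_ID}:" not in str(p):   # catches "*" and any other account
                findings.append(f"statement {i}: principal {p!r} is not the CEM account")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: sts:ExternalId condition missing")
        elif ext != expected_external_id:
            findings.append(f"statement {i}: sts:ExternalId {ext!r} != {expected_external_id!r}")
    return findings


def scan_policy_findings(doc: dict) -> list:
    """Flag Athena or Glue actions granted on every resource instead of the named workgroup/database."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        scoped = [a for a in _as_list(stmt.get("Action")) if a.startswith(("athena:", "glue:"))]
        if scoped and "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {i}: {', '.join(scoped)} granted on Resource '*'")
    return findings


if __name__ == "__main__":
    # Constructed placeholder values, not real identifiers
    trust = build_trust_policy("example-tenant", "111122223333")
    print(json.dumps(trust, indent=2))
    print("trust findings:", trust_policy_findings(trust, "example-tenant-111122223333"))
    print("scan findings:", scan_policy_findings(build_scan_policy("us-east-1", "111122223333")))
```

Run the script to print the trust policy and the two (empty) findings lists; pass a policy exported from an existing role to the check functions to confirm it still has the external ID condition and the resource scoping after any later edits.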

Step 1: Provide the AWS account details

In CEM, provide the following information about your AWS account:

  Account ID
    The assigned account ID.

  Account name (optional)
    Optional name that describes the account.

  Trail log location
    The shared CloudTrail location for the management account to enable CEM to access the usage logs.

    To find your trail log location, do the following:

    1. In your AWS console, go to CloudTrail > Trails.

    2. Select the trail that contains your logs.

    3. Copy the path found under Trail log location.

  Home region
    Specify the home region of the trail log. To view the home region of your trail log, in the AWS console go to CloudTrail > Trails.

Step 2: Create CEM resources

Next, use the CloudFormation template you downloaded from the link on the CEM page to create resources for your account.

The stack does the following:

  • Creates a role for CEM to read your account's IAM data.

  • Creates a role for CEM to query your CloudTrail logs.

  • Creates a bucket to contain CEM’s query results.

  • Creates a log trail to record your usage data (optional).

Manually onboard an AWS account for SCA

This section describes how to connect an Amazon Web Services (AWS) account to SCA if the parent organization was onboarded to the Shared Services platform before SCA was added to the customer tenant.

Step 1: Download the SCA CloudFormation template

Download the SCA CloudFormation template from the link on the CEM page.

Step 2: Create a new AWS stack for SCA

Next, use the CloudFormation template you downloaded to deploy an updated stack that includes the resources for the account.

The stack does the following:

  • Creates a role for CEM to read your account's IAM data.

  • Creates a role for SCA to manage AWS role policies.