AWS Standalone Account Onboarding via Cross Account
Step 1: Creating an S3 bucket using the CloudFormation template
- Log in to the AWS account and go to the CloudFormation service section.
- From the navigation pane on the left, select Stacks.
- From the top-right corner of the CloudFormation > Stacks screen, click Create stack > With new resources (standard). The Create stack page is updated to display the fields for Step 1 Specify template of the stack creation process.
- In the Prerequisite - Prepare Template section, select the Template is ready option.
- In the Specify template section:
  - For Template source, select Upload a template file.
  - To Upload a template file, click Choose file.
  - Navigate to the CloudFormationTemplates/WithoutCondition folder.
  - Select the S3Bucket.yaml file and click Open.
- Click Next. The Specify stack details page (step 2 of the stack creation process) is displayed.
- Enter a Stack name. For the purpose of this guide, Stack name = avxdemo-S3.
- In the Parameters section, enter the following details:
  The details entered on the Specify stack details page are used to create a bucket policy for the S3 bucket created for the AWS account. This bucket policy can be customized later to match how the customer wants to secure their infrastructure.
- Click Next. The Configure stack options page (step 3 of the stack creation process) is displayed.
- Scroll down to the Stack failure options section and select Preserve successfully provisioned resources.
- Click Next. The Review <stack name> page (step 4 of the stack creation process) is displayed.
- On the Review <stack name> page, scroll down to Capabilities and select the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox.
- Click Create stack. The <stack name> page is displayed. This page lists the existing stacks on the left and the following tabs for each stack on the right:
  - Stack info
  - Events
  - Resources
  - Outputs
  - Parameters
  - Templates
  - Change sets
  When the stack creation process is complete, Status (under the Events tab) is updated to CREATE_COMPLETE. This means that, in the backend, an S3 bucket and the roles required to provision the bucket have been created, and the bucket policy for the S3 bucket has been updated accordingly.
- Go to the Parameters tab and note the bucket name; it is used in the CloudFormation template for the master account.
Step 2: Creating a child account using the CloudFormation template
- From the top-right corner of the CloudFormation > Stacks screen, click Create stack > With new resources (standard). The Create stack page is updated to display the fields for Step 1 Specify template of the stack creation process.
- From the navigation pane on the left, click Step 2 Specify stack details. The Specify stack details page (step 2 of the stack creation process) is displayed.
- Enter a Stack name. For the purpose of this guide, Stack name = avxdemoc1.
- In the Parameters section, enter the following details:
  - MasterAccountNumber: From the top-right corner of the screen, click your username and copy the account ID displayed. Paste it in the MasterAccountNumber field.
  - S3BucketName: Enter the S3 bucket name copied from the Parameters tab of the avxdemo-S3 stack.
- Click Next. The Configure stack options page (step 3 of the stack creation process) is displayed.
- Scroll down to the Stack failure options section and select Preserve successfully provisioned resources.
- Click Next. The Review <stack name> page (step 4 of the stack creation process) is displayed.
- Scroll down to Capabilities and select the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox.
- Click Create stack. The <stack name> page is displayed. This page lists the existing stacks on the left and the following tabs for each stack on the right:
  - Stack info
  - Events
  - Resources
  - Outputs
  - Parameters
  - Templates
  - Change sets
  When the stack creation process is complete, Status (under the Events tab) is updated to CREATE_COMPLETE.
- Navigate to the Resources tab for the avxdemoc1 stack. A policy called AppViewXCLM has been created. This policy carries all the permissions and prerequisites required for AppViewX to discover the ACM, ELB, and EC2 resources in the account.
- Navigate to the Outputs tab for the avxdemoc1 stack. Note down the ChildRoleARN; it is used in the CloudFormation template for the master account.
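The child role created in this step is only usable by AppViewX if its trust policy names the master account (the MasterAccountNumber parameter) as the principal allowed to assume it. The template folder used here is WithoutCondition, and Step 5 leaves External Id undefined, so the guide's role carries no sts:ExternalId condition. The Python below is an added example, not the AppViewX template or its code: it builds the trust policy such a child role needs, with the optional sts:ExternalId condition and the extra sts:TagSession and sts:SetSourceIdentity actions that Session Tags and Source Identity require, and reviews any trust policy for the two weaknesses a defender checks first (a wildcard principal and a missing External Id condition). The account id, role name and External Id value are constructed placeholders.

```python
"""Cross-account trust for the child role created in Step 2 (added example)."""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_child_role_trust_policy(master_account_number, external_id=None,
                                  allow_session_tags=False,
                                  allow_source_identity=False):
    """Return the trust (assume-role) policy document for the child role.

    The principal is the master account root, so any IAM identity in the
    master account that is itself permitted to call sts:AssumeRole may use it.
    sts:TagSession and sts:SetSourceIdentity are granted only when the caller
    will pass Session Tags or a Source Identity; STS rejects those parameters
    if the trust policy does not allow them.
    """
    if not ACCOUNT_ID_RE.match(master_account_number):
        raise ValueError("MasterAccountNumber must be a 12-digit AWS account id")
    actions = ["sts:AssumeRole"]
    if allow_session_tags:
        actions.append("sts:TagSession")
    if allow_source_identity:
        actions.append("sts:SetSourceIdentity")
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{master_account_number}:root"},
        "Action": actions,
    }
    if external_id:
        # Confused-deputy protection: the caller must present this same value
        # in the ExternalId parameter of AssumeRole.
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def review_trust_policy(policy):
    """Return findings for every Allow statement that grants sts:AssumeRole."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else [principal]
        aws_principals = [aws_principals] if isinstance(aws_principals, str) else aws_principals
        if "*" in aws_principals:
            findings.append(f"statement {i}: wildcard principal can assume the role")
        condition = stmt.get("Condition", {})
        if not any("sts:ExternalId" in operands for operands in condition.values()):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    # Constructed placeholder values; substitute the real MasterAccountNumber.
    policy = build_child_role_trust_policy("111111111111",
                                           external_id="example-external-id",
                                           allow_session_tags=True)
    print(json.dumps(policy, indent=2))
    print("findings:", review_trust_policy(policy))
```

review_trust_policy() can be pointed at the AssumeRolePolicyDocument returned by `iam get-role` for the deployed child role; an empty findings list means the role is restricted to a named account and guarded by an External Id.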
Step 3: Creating a master account using the CloudFormation template
- Go to the CloudFormation service section.
- From the navigation pane on the left, select Stacks.
- From the top-right corner of the CloudFormation > Stacks screen, click Create stack > With new resources (standard). The Create stack page is updated to display the fields for Step 1 Specify template of the stack creation process.
- In the Prerequisite - Prepare Template section, select the Template is ready option.
- In the Specify template section:
  - For Template source, select Upload a template file.
  - To Upload a template file, click Choose file.
  - Navigate to the CloudFormationTemplates/WithoutCondition folder.
  - Select the master_account.yaml file and click Open.
- Click Next. The Specify stack details page (step 2 of the stack creation process) is displayed.
- Enter a Stack name. For the purpose of this guide, Stack name = avxdemom1.
- In the Parameters section, enter the following details:
- Click Next. The Configure stack options page (step 3 of the stack creation process) is displayed.
- Scroll down to the Stack failure options section and select Preserve successfully provisioned resources.
- Click Next. The Review <stack name> page (step 4 of the stack creation process) is displayed.
- Scroll down to Capabilities and select the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox.
- Click Create stack. The <stack name> page is displayed. This page lists the existing stacks on the left and the following tabs for each stack on the right:
  - Stack info
  - Events
  - Resources
  - Outputs
  - Parameters
  - Templates
  - Change sets
- From the Outputs tab of the stack, note the access key and the secret key to use in AppViewX.
Step 4: Mapping EC2 roles to a customer’s EC2 instances
The EC2 role created using the CloudFormation template with the naming convention <Stack_Name>-Ec2RoleForSSM must be mapped to the EC2 instances. This mapping is required for enabling SSM communication between the instances and AppViewX and for enabling access to the S3 buckets to store the SSM run command response.
Step 5: Testing Onboarding in the AppViewX Environment
- Log in to AppViewX.
- Go to (Menu) > CERT+ > ADMINISTRATION > Device Management. The Device :: ADC page is displayed.
- From the Device :: ADC page, select Cloud.
- On the Device :: Cloud > Add page, from the list of Vendors, select AWS.
- Enter/select the Basic information.
  Table 1. Field descriptions for the Basic information section
  - Account type*: From the dropdown list, select Cross or Federated.
  - Account name*: Enter the account name, avxdemo.
  - Account number*: Enter the AWS account number.
  - Account Description: Enter a description of the device to be added.
  - Proxy required: To use a proxy server for the communication, select this checkbox.
  - Default Region*: From the dropdown list, select a default region for the API communication.
  - Data center*: From the dropdown list, select the data center through which communication with the Certificate Authority will be established.
  *: Mandatory fields
- Enter the Credentials-related details.
  Table 2. Field descriptions for the Credentials section
  - Credential type*: From the dropdown list, select one of the following credential types:
    - Manual Entry: to manually enter the access key and secret key for the customer's AWS account
    - Credential List - CyberArk: to automatically retrieve the customer's AWS key details from CyberArk
  - Access key*: Copy the AccessKey from the Outputs tab of the avxdemom1 stack.
  - Secret key*: Copy the Secret Access Key from the Outputs tab of the avxdemom1 stack.
  *: Mandatory fields
- Enter the details required to Discover resources.
  Table 3. Field descriptions for the Discover resources section
  - Auto Discover Resources*: By default, the Auto Discover Resources toggle is set to ON and is non-editable. Enabling this feature discovers all the cross or federated/child accounts for the provided master account details.
  - Advanced Settings*: By default, the Advanced Settings toggle is set to ON and is non-editable. This feature allows customizing the auto discovery process.
  - AutoSync: To enable automatic synchronization, enable this toggle.
  - Auto Discovery Mode*: Select IAM Policy.
  - Services*: Select the ACM, ELB, and EC2 services (and their subservices, as required).
  - Service region*: For the purpose of this solution guide, click Fetch Region and select the regions US East (N. Virginia) and US West (N. California).
  - Route53 Zone Auto Approval*: To support DNS validation as an automatic process, turn on the Route53 Zone Auto Approval toggle.
  - Cert sync: Select one of the following options:
    - Managed: AppViewX connects to the customer's AWS account and discovers certificates. These certificates are added to the inventory, and users with the relevant permissions can then perform the required certificate-related actions.
    - Monitored: AppViewX connects to the customer's AWS account and discovers certificates. These certificates are added to the inventory, where users are allowed only to view them.
    - Ignored: AppViewX connects to the customer's AWS account, but certificate discovery is disabled.
  - Duration Seconds: Enter the duration, in seconds, for which the credentials should remain valid. Acceptable durations for IAM user sessions:
    - Minimum: 900 seconds (15 minutes)
    - Maximum: 129,600 seconds (36 hours)
    - Default: 3600 seconds (1 hour)
  - Role Session name*: An identifier for the assumed role session. Use the Role Session name to uniquely identify a session when the same role is assumed by different principals or for different reasons. By default, the Role Session name is set to appviewx.
  - External Id: A unique identifier that might be required when you assume a role in another account. For the purpose of this guide, the external ID is undefined.
  - Source Identity: The source identity is specified by the principal that calls the AssumeRole operation. For the purpose of this guide, the source identity is undefined.
  - Session Tags: Enter the key-value attribute pairs required when assuming an IAM role or federating a user in AWS STS.
  *: Mandatory fields
- In the EC2 Services section, copy the S3Bucket Name from the Resources tab of the avxdemo-S3 stack.
- In the S3 Bucket Name field, click the icon. The ARN Advanced Settings pop-up window is displayed.
- Copy the Role ARN from the Outputs tab of the avxdemo-S3 stack and paste it in the Role ARN field.
- Click Apply.
- Click Save. The discovered account is displayed in the grid on the Device :: Cloud page.
Note: The discovered account is added one more time as a child account, since this use case uses federated access. This behaviour will be altered in future releases to avoid dual listing of discovered AWS accounts.
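Duration Seconds, Role Session name, External Id, Source Identity and Session Tags in Table 3 are the parameters of the sts:AssumeRole call that AppViewX makes, authenticated with the master account's access key, against the ChildRoleARN. The Python below is an added example, not AppViewX code: it checks those fields against the limits STS enforces and assembles the keyword arguments accepted by boto3's `sts.assume_role()`. It also applies a cap the table does not state: an assumed-role session cannot exceed the role's MaxSessionDuration (1 hour unless raised, at most 12 hours), whereas the 36-hour figure in Table 3 is the limit for IAM user sessions obtained with GetSessionToken. The role ARN and tag values are constructed placeholders.

```python
"""Turn the Discover resources fields (Table 3) into an sts:AssumeRole request (added example)."""
import re

MIN_DURATION = 900               # 15 minutes: minimum for any assumed-role session
ASSUME_ROLE_MAX = 43_200         # 12 hours: the largest MaxSessionDuration a role can have
DEFAULT_DURATION = 3_600         # 1 hour: the guide's default Duration Seconds
IAM_DEFAULT_MAX_SESSION = 3_600  # a role's MaxSessionDuration unless it was raised

# RoleSessionName and SourceIdentity: 2-64 characters from [\w+=,.@-].
# The reserved "aws:" prefix for SourceIdentity is excluded because ':' is not allowed.
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")
# ExternalId: 2-1224 characters from [\w+=,.@:/-].
EXTERNAL_ID_RE = re.compile(r"^[\w+=,.@:/-]{2,1224}$")


def build_assume_role_request(role_arn, role_session_name="appviewx",
                              duration_seconds=DEFAULT_DURATION,
                              external_id=None, source_identity=None,
                              session_tags=None,
                              role_max_session_duration=IAM_DEFAULT_MAX_SESSION):
    """Validate the Table 3 fields and return kwargs for sts.assume_role()."""
    if not role_arn.startswith("arn:aws:iam::") or ":role/" not in role_arn:
        raise ValueError("role_arn must be an IAM role ARN such as the ChildRoleARN output")
    if not SESSION_NAME_RE.match(role_session_name):
        raise ValueError("Role Session name must be 2-64 characters from [\\w+=,.@-]")
    # The effective ceiling is the role's MaxSessionDuration, never more than 12 hours.
    upper = min(role_max_session_duration, ASSUME_ROLE_MAX)
    if not MIN_DURATION <= duration_seconds <= upper:
        raise ValueError(f"Duration Seconds must be between {MIN_DURATION} and {upper}; "
                         "an assumed-role session is capped by the role's MaxSessionDuration")
    request = {
        "RoleArn": role_arn,
        "RoleSessionName": role_session_name,
        "DurationSeconds": duration_seconds,
    }
    if external_id is not None:
        if not EXTERNAL_ID_RE.match(external_id):
            raise ValueError("External Id must be 2-1224 characters from [\\w+=,.@:/-]")
        request["ExternalId"] = external_id
    if source_identity is not None:
        if not SESSION_NAME_RE.match(source_identity):
            raise ValueError("Source Identity must be 2-64 characters from [\\w+=,.@-]")
        request["SourceIdentity"] = source_identity
    if session_tags:
        # STS accepts at most 50 tags; keys are 1-128 and values 0-256 characters.
        if len(session_tags) > 50:
            raise ValueError("at most 50 session tags are allowed")
        tags = []
        for key, value in session_tags.items():
            if not 1 <= len(key) <= 128 or len(value) > 256:
                raise ValueError(f"session tag {key!r} exceeds the key/value length limits")
            tags.append({"Key": key, "Value": value})
        request["Tags"] = tags
    return request


if __name__ == "__main__":
    # Constructed placeholder ARN; substitute the ChildRoleARN from the avxdemoc1 stack.
    req = build_assume_role_request(
        "arn:aws:iam::222222222222:role/example-child-role",
        session_tags={"Owner": "appviewx"},
    )
    print(req)
    # With real credentials the call is:
    #   boto3.client("sts").assume_role(**req)
```

The returned dict is passed straight to `boto3.client("sts").assume_role(**request)`; the Credentials in its response are what AppViewX uses to call ACM, ELB and EC2 in the child account for the lifetime of DurationSeconds. If the deployment later raises Duration Seconds above one hour, the role's MaxSessionDuration in the child account must be raised to match, or STS rejects the call.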
