Connecting Wiz to your AWS Organization
AWS is by a fair margin the most popular cloud hyperscale platform. It’s also been around the longest - so it’s not all that surprising to reveal that most of the deployments we see tend to carry their fair share of ahem “legacy engineering”. Like revisiting that MySpace page you put together as a teenager, some of the things we come across present as a little cringey to the now evolved DevOps practitioner. If not downright incriminating (I swear Blink 182 were cool once upon a time!).
Unfortunately, AWS has never been particularly good at providing visibility across the (once very much encouraged) account sprawl. AWS Organizations has helped tremendously, but it’s still hard to get a single-pane-of-glass view of what’s out there and why you should be concerned about it, particularly if you’ve corralled a bunch of legacy accounts. That’s where Wiz comes in. And to AWS’s credit, they have been very supportive of the Wiz partnership, to the point that setting up Wiz in AWS is an absolute snip – read on:
Prerequisites:
If you’re looking to onboard Wiz at an OU level, you’ll need to ensure that trusted access between AWS CloudFormation StackSets and AWS Organizations is enabled (the Wiz stack is deployed to member accounts as a stack set, so without it the child accounts will not be onboarded). Refer to this AWS article.
Process:
Step 1) Log in to your Wiz tenancy as an Administrator and navigate to Settings > Deployments.
Step 2) Select “Add a Deployment > Cloud”.
Step 3) Select “Amazon Web Services (AWS)” from the list of providers:
Step 4) Check your connector scope – Organization is recommended, though you may want to onboard certain accounts only if you are looking to constrain coverage. Note: you’ll have an opportunity later to exclude specific OUs or accounts if you wish to apply an exclusive rather than inclusive scope constraint.
Step 5) Select “CloudFormation” as the Deployment Method and enter your AWS Organization OU ID. Follow Amazon’s steps to acquire this ID here. Provide either your root OU ID or a child OU ID depending on the desired scope (ideally, you want to use your root OU so that new OUs and accounts are automatically onboarded):
Step 6) Add the relevant services you’d like to include in your scanning. DSPM and EKS are highly recommended. If you’re using Lightsail (or planning to do so) you’ll probably want to select that too.
When ready, click “Launch CloudFormation”.
Step 7) A new tab/window will launch pre-populated with the necessary information. Review it, tick the “I acknowledge that AWS CloudFormation might create IAM resources with custom names” box and click “Create Stack”:
After about 5 minutes your stack’s status should change from “CREATE_IN_PROGRESS” to “CREATE_COMPLETE”.
Step 8) Click on the “Outputs” tab of your stack page and copy the Role ARN:
Step 9) Head back to your Wiz tab, paste the Wiz Role ARN into the appropriate field and click “Continue”.
Step 10) On the next page, give your connector an appropriate name. If you wish to exclude any specific OUs or accounts, you may do so here. Click “Finish” when you’re done.
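The prerequisite check, the root OU lookup (Step 5) and the stack output check (Steps 7 and 8) can be scripted rather than clicked through. The following is an added example, not Wiz’s or AWS’s own code: it works on the JSON that `aws organizations list-aws-service-access-for-organization`, `aws organizations list-roots` and `aws cloudformation describe-stacks` return, using constructed sample responses. The stack name, account ID and role name are placeholders, and because the page does not name the output key, the Role ARN is located by its value rather than by key.

```python
import re
from typing import Optional

# Service principal that AWS Organizations lists once trusted access for
# CloudFormation StackSets is enabled (the prerequisite above).
STACKSETS_PRINCIPAL = "member.org.stacksets.cloudformation.amazonaws.com"
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def stacksets_trusted_access_enabled(service_access: dict) -> bool:
    """True if the StackSets principal is in the organization's enabled list."""
    principals = service_access.get("EnabledServicePrincipals", [])
    return any(p.get("ServicePrincipal") == STACKSETS_PRINCIPAL for p in principals)


def root_ou_id(roots: dict) -> str:
    """Return the organization root ID (r-xxxx) to enter in the Wiz connector."""
    ids = [r["Id"] for r in roots.get("Roots", []) if r.get("Id", "").startswith("r-")]
    if len(ids) != 1:
        raise ValueError(f"expected exactly one organization root, got {ids}")
    return ids[0]


def wiz_role_arn(stacks: dict, stack_name: str) -> Optional[str]:
    """Return the role ARN from the stack outputs, or None until CREATE_COMPLETE."""
    for stack in stacks.get("Stacks", []):
        if stack.get("StackName") != stack_name:
            continue
        if stack.get("StackStatus") != "CREATE_COMPLETE":
            return None  # still CREATE_IN_PROGRESS (or failed): nothing to copy yet
        for out in stack.get("Outputs", []):
            if ROLE_ARN_RE.match(out.get("OutputValue", "")):
                return out["OutputValue"]
    return None


# Constructed sample responses; IDs and names are placeholders, not real values.
SAMPLE_SERVICE_ACCESS = {"EnabledServicePrincipals": [
    {"ServicePrincipal": STACKSETS_PRINCIPAL, "DateEnabled": "2024-01-01T00:00:00Z"}]}
SAMPLE_ROOTS = {"Roots": [{"Id": "r-abcd", "Name": "Root"}]}
SAMPLE_STACKS = {"Stacks": [{
    "StackName": "wiz-connector-placeholder", "StackStatus": "CREATE_COMPLETE",
    "Outputs": [{"OutputKey": "RoleArn",
                 "OutputValue": "arn:aws:iam::123456789012:role/WizRolePlaceholder"}]}]}

if __name__ == "__main__":
    print("StackSets trusted access:", stacksets_trusted_access_enabled(SAMPLE_SERVICE_ACCESS))
    print("Root OU ID:", root_ou_id(SAMPLE_ROOTS))
    print("Wiz role ARN:", wiz_role_arn(SAMPLE_STACKS, "wiz-connector-placeholder"))
```

Pipe the real CLI output through `json.load` in place of the sample dicts to run the same checks against your organization.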
With your AWS Organization onboarded to Wiz, you have complete visibility across your environment within minutes, including, most importantly, a curated and contextualised list of Issues (as Wiz dubs them, “toxic combinations”):
Visibility issues: SOLVED!
How good is this. Loving the articles Tom and Cordant team!
Great advice, Tom - never burn bridges. Also, Wiz rocks!