Amazon Web Services (AWS) Integration
Introduction
The following guide will help you to integrate Amazon Web Services (AWS) Organization Unit (OU) or account with Sprinto.
How does this integration help
Integrating AWS with Sprinto can help in multiple ways, depending on how you use AWS and on your security compliance goals with Sprinto. For example, with the AWS integration you can monitor infrastructure security configuration, ensure timely closure of vulnerabilities and incidents, and control staff access to AWS.
Available Sprinto checks
The following are some of the available Sprinto checks for the AWS integration; refer to the monitor help articles for check-specific guidance. Note: Sprinto currently has 70+ automated compliance-monitoring checks for AWS.
Sprinto check (required action / reference procedure)
AWS access should be removed for offboarded user
AWS user should have MFA enabled
AWS RDS database freespace should be monitored
AWS RDS database CPU utilization should be monitored
AWS RDS database freeable memory should be monitored
AWS RDS database IO utilization should be monitored
AWS credentials not used in last 90 days should be disabled
AWS user access keys should not be older than 90 days
AWS ElastiCache current connections should be monitored
AWS Redshift cluster backup should be enabled
Before you begin
Log in to the Sprinto admin portal using your credentials.
Ensure that you have Administrator privilege on the AWS OU/ account when integrating with Sprinto.
Ensure you have the AdministratorAccess AWS policy attached to the user, role, or group before proceeding with the integration procedure below.
Procedures
From the Sprinto admin portal, navigate to Security Hub > Settings > Integrations > Available, and click Connect next to AWS.
Integrate AWS using one of the following ways:
Integrate AWS organization: Integrate an AWS Organization Unit (OU) with Sprinto, including all the nested OUs and AWS accounts under the parent OU. During configuration, you can select the accounts to integrate for compliance monitoring within an OU.
Integrate AWS account: Integrate individual AWS accounts for compliance monitoring. Note: To monitor multiple accounts from the same AWS organizational unit after integrating individual accounts, you must first disable the existing AWS integrations.
Connect AWS OU
Read the on-screen instructions and click Next.
Use one of the following integration methods:
Integration Method 1: CloudFormation Template
Log in to the AWS Organization’s root account that you wish to integrate, and open the AWS CloudShell.
Copy and execute the bash command below. The command creates a CloudFormation stack that provisions an IAM role named “sprinto-auditor-role”; the role is granted permission to audit all resources in the AWS account. The template URL in the command is a presigned S3 link that expires shortly after it is generated (X-Amz-Expires=1800 seconds), so run the command soon after copying it.
aws cloudformation create-stack --template-url "https://sprintos3-customerbucketef939f4a-10uzvtgngl9e7.s3.us-west-1.amazonaws.com/AwsCloudformationTemplate/CreateSprintoAuditorRole.yaml?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=ASIAQAUI5HT6RU2LZWZZ%2F20241127%2Fus-west-1%2Fs3%2Faws4_request&X-Amz-Date=20241127T160635Z&X-Amz-Expires=1800&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEJ%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLXdlc3QtMSJHMEUCIEsqRcoWpa4BVmuI6A%2B5uT1UYBpaGq%2B7IpEFtXW5K1qfAiEAxXBQTUUQcOJ8jBIsoqGXMo5X5OLZrOj2bJnHO%2BOULUUqhgQISBADGgwwMDEzNjA4NzA2NTMiDBVdRF1aKbNrRhEHeCrjA7M2amJ4Ua57Dt2E%2Fp93Kqr6%2BIr%2B1b6LbufoWtgcEguymM%2BVT1W%2F6IxsaPFAqGv%2FzrAAeZwuwP6ipMSgBmBr5sCFDqR5Gttw9BO7zVeP4byqG3wN9%2BelXBqGSzteUcxI%2B6vOHL3I8qChgeT0ixUQeIXhx8uFw5XcQfhnoGNosmTgQIUFPjWj4BZZQod%2BJvHFJFUx0iBgHuzGgxkqXp9LuJncevEjR%2BXMOMjJmz8qS83E2vTQ%2FWcdVJ5cmdq4CTHWZ82KvNUIFQXq9Bppfd0Ph179FEHcDHbOHqmfGxjCVkntDZnJ8rvz30idzLR%2B9zK8UhVFq2Z5BCwchu3aZvSrSL2sPSWIbCy9S1l9XGuyjf66Jo7YVjbIEakMdREiVQbkdVjec8bW5CIseyhDfFJSSxwBS3yuLEtQDfAiO%2BjZbMdLi0ougGDwjiXvbROTb%2BpDNDOkS1231hsMMlRTeVch7LKOGz2R1CNtrxTIVSpspZRx51AYC86ooa7tpHPxZTygSlm91U0Q27iLVDpjfuAtM6cJvBKC1HokevEjLgbRio1e%2FoabC9ZRYZ3q28N8LQLyqGA17Ku2l5FMMxUfIWhJpVBxlPUi2tl9HxdJNw%2BGWQI5d2Ch1kwJ9oTEYyAoFH%2BhMA%2BWHzCk2py6BjqmATO%2FAy2w%2BE074QVLG3vu9zCqog2zfVvnw7Ov%2F6YVrtJ5VVBrCuFXDtW91Ec1gW9Zxik9c3EYDb3SoDkMmsPzZmeaZRBehA0NY5meQkn6tlJRFlJkZaxKNo4vBOQNPYh3h2ixg4kN6%2BkmB%2Bj49SyIv2SSq%2FBUj2ZYIm56bTVrQs6ciwdos2ljUkVrdNypKfTDH2dN9ezmrGoeP14jRA%2BgBEujwOMykMo%3D&X-Amz-Signature=6f72e8ed51eb23c70db529bc80ff8afa44e81c96d0be75363a3657e04195ca60&X-Amz-SignedHeaders=host&x-id=GetObject" --stack-name create-sprinto-auditor-role --capabilities CAPABILITY_IAM --parameters ParameterKey=ExternalIdValue,ParameterValue=ImY4MDRiZmUxLTc2YjItNGZmOS1hODMwLTU1YTdmOTMyZWNhMi0wIg== ParameterKey=IncludeCloudWatchFullAccess,ParameterValue=true ParameterKey=IncludeAWSSSODirectoryReadOnly,ParameterValue=true ParameterKey=IncludeAWSSSOReadOnly,ParameterValue=true
Repeat the above step on every child account in the same AWS organization that you wish to integrate with Sprinto. Note: If you later wish to integrate any individual AWS account, you must first disable the existing integrated AWS OU.
To get the Role ARN, copy and execute the bash command below in the CloudShell of the AWS OU root account. Note: If the stack is still being created, the command returns the status “CREATE_IN_PROGRESS” instead of the ARN. Repeat the step after some time to get the ARN.
aws cloudformation describe-stacks --stack-name create-sprinto-auditor-role --query 'Stacks[0].[Outputs[1].{RoleArn: OutputValue}, StackStatus] | not_null([*]) | [0]'
Enter the Role ARN copied from the previous step, region, and root account ID in the respective fields.
Click Connect.
Integration Method 2: IAM role
Note: Repeat the procedure below on every child AWS account in the AWS OU that you are integrating with Sprinto.
Log in to your AWS account and navigate to the IAM service.
Select Roles under Access Management, and click Create role.
Select AWS account as the trusted entity type, then select the Another AWS account option.
Enter the following account details:
Account ID: 001360870653
Select the checkbox next to the Require external ID option, then enter the external ID as: ImY4MDRiZmUxLTc2YjItNGZmOS1hODMwLTU1YTdmOTMyZWNhMi0wIg==
Ensure the Require MFA option remains unchecked. Click Next.
Search and select the SecurityAudit permission policy.
If you wish to retrieve SSO users, add the AWSSSODirectoryReadOnly and AWSSSOReadOnly permission policies.
If you wish to create CloudWatch alarms from Sprinto, add the CloudWatchFullAccess policy.
Click Next.
Enter sprinto-auditor-role as the Role name, add a description for the role, then click Create role.
(Optional) Add appropriate tags to the role if required.
Select the newly created sprinto-auditor-role under Roles, and copy its ARN.
On the Sprinto integration page, enter the following details, then click Connect:
Role ARN: Enter the ARN you’ve copied in the previous step.
Region: Select your AWS account region.
Root Account ID: Enter the account ID for the AWS OU’s root account.
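The template below is an added example, not Sprinto's published CreateSprintoAuditorRole.yaml (whose contents this page does not show). It builds the same sprinto-auditor-role that Method 1 creates through the stack and Method 2 creates by hand: a trust policy for Sprinto's account 001360870653 gated by the external ID, SecurityAudit as the read-only baseline, and the optional policies toggled through the parameter names the create-stack command passes. The account ID, external-ID requirement, policy names and parameter names come from this page; only the template structure is assumed.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Cross-account auditor role (illustrative; not Sprinto's published template)
Parameters:
  ExternalIdValue:            # value issued by Sprinto, passed via --parameters
    Type: String
    NoEcho: true
  IncludeCloudWatchFullAccess:
    Type: String
    Default: "false"
    AllowedValues: ["true", "false"]
  IncludeAWSSSODirectoryReadOnly:
    Type: String
    Default: "false"
    AllowedValues: ["true", "false"]
  IncludeAWSSSOReadOnly:
    Type: String
    Default: "false"
    AllowedValues: ["true", "false"]
Conditions:
  WantCloudWatch: !Equals [!Ref IncludeCloudWatchFullAccess, "true"]
  WantSsoDirectory: !Equals [!Ref IncludeAWSSSODirectoryReadOnly, "true"]
  WantSso: !Equals [!Ref IncludeAWSSSOReadOnly, "true"]
Resources:
  SprintoAuditorRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: sprinto-auditor-role    # fixed name: create-stack then needs CAPABILITY_NAMED_IAM
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              AWS: arn:aws:iam::001360870653:root   # Sprinto's account, from this page
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalIdValue  # no MFA condition, matching the manual steps
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecurityAudit      # read-only audit baseline
        - !If [WantCloudWatch, "arn:aws:iam::aws:policy/CloudWatchFullAccess", !Ref "AWS::NoValue"]
        - !If [WantSsoDirectory, "arn:aws:iam::aws:policy/AWSSSODirectoryReadOnly", !Ref "AWS::NoValue"]
        - !If [WantSso, "arn:aws:iam::aws:policy/AWSSSOReadOnly", !Ref "AWS::NoValue"]
Outputs:
  RoleArn:
    Description: Paste this into the Sprinto Role ARN field
    Value: !GetAtt SprintoAuditorRole.Arn
```

Because this template has a single output, read it back with Outputs[0] rather than the Outputs[1] index used in the describe-stacks query above.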
Connect Individual AWS account
Select the compliance purposes with the integration. You can select multiple options based on your use of AWS and compliance activity with Sprinto.
Read the on-screen details to learn more about the available checks, controls, and permissions required. Then click Next.
Select one of the following integration methods:
CloudFormation Template (Recommended): To integrate your AWS account via a CloudFormation template, follow the steps for Integration Method 1 in the Connect AWS OU section.
IAM role: To integrate your AWS account via an IAM role, follow the steps for Integration Method 2 in the Connect AWS OU section. Note: You don’t need the AWS root account ID mentioned in Connect AWS OU, as this is an individual account integration.
Support
Get in touch with our support team if you have any queries related to the integration or need any assistance.