Ingest Cloud Assets from AWS

Extend Cortex® XDR™ visibility into cloud assets from AWS.
Ingesting Cloud Assets from AWS requires a Cortex® XDR™ Pro per TB license.
Cortex XDR provides a unified, normalized asset inventory for cloud assets in AWS. This capability provides deeper visibility to all the assets and superior context for incident investigation.
To receive cloud assets from AWS, configure the Cloud Inventory data collector under the Collection Integrations settings in Cortex XDR by completing the AWS wizard. The AWS wizard includes instructions to be completed both in AWS and in the wizard screens. After you set up data collection, Cortex XDR begins receiving new data from the source.
As soon as Cortex XDR begins receiving cloud assets, you can view the data in Assets → Cloud Inventory, where the All Assets and Specific Cloud Assets pages display the data in a table format.
To configure the AWS cloud assets collection in Cortex XDR:
  1. Open the AWS wizard in Cortex XDR.
    1. Select Settings → Configurations → Data Collection → Collection Integrations.
    2. In the Cloud Inventory configuration, click the here link to begin a new configuration.
    3. Click AWS.
  2. Define the Account Details screen of the wizard.
    The connection parameters on the right side of the screen depend on certain configurations in AWS, as explained below.
    1. Select the Organization Level as either Account (default), Organization, or Organization Unit. The Organization Level that you select changes the instructions and fields displayed on the screen.
    2. Sign in to your AWS master account.
    3. Create a stack called XDRCloudApp using the preset Cortex XDR template in AWS.
      The following details are automatically filled in for you in the AWS CloudFormation stack template.
      • Stack Name—The default name for the stack is XDRCloudApp.
      • CortexXDRRoleName—The name of the role that will be used by Cortex XDR to authenticate and access the resources in your AWS account.
      • External ID—The Cortex XDR Cloud ID, a randomly generated UUID that is used to enable the trust relationship in the role's trust policy.
      To create the stack, accept the IAM acknowledgment for resource creation by selecting the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox, and click Create Stack.
    4. Wait for the Status to update to CREATE_COMPLETE in the Stacks page that is displayed, and select the XDRCloudApp stack under the Stack name column in the table.
    5. Select the Outputs tab and copy the Value of the Role ARN.
    6. Paste the Role ARN value in one of the following fields in the Account Details screen in Cortex XDR. The field name depends on the Organization Level that you selected.
      • Account—Paste the value in the Account Role ARN field.
      • Organization—Paste the value in the Master Role ARN field.
      • Organization Unit—Paste the value in the Master Role ARN field.
    7. Set the Root ID in Cortex XDR.
      This step is only relevant if you’ve configured the Organization Level as Organization in the Account Details screen in Cortex XDR. Skip this step if the Organization Level is set to Account or Organization Unit.
      1. On the main menu of the AWS Console, select <your username> → My Organization.
      2. Copy the Root ID displayed under the Root directory and paste it in the Root ID field in the Account Details screen in Cortex XDR.
    8. Set the Organization Unit ID in Cortex XDR.
      This step is only relevant if you’ve configured the Organization Level as Organization Unit in the Account Details screen in Cortex XDR. Skip this step if the Organization Level is set to Account or Organization.
      1. On the main menu of the AWS Console, select <your username> → My Organization.
      2. In the organizational structure, select the Organization Unit that you want to configure. Organization Units are shown with an OU icon beside them.
      3. Copy the ID and paste it in the Organization Unit ID field in the Account Details screen in Cortex XDR.
    9. Define the following remaining connection parameters in the Account Details screen in Cortex XDR.
      • Account Role External ID / Master External ID—The name of this field depends on the Organization Level configured. This field is automatically populated with a value. You can either leave this value or replace it with another value.
      • Cortex XDR Collection Name—Specify a name for your Cortex XDR collection that is displayed underneath the Cloud Inventory configuration for this AWS collection.
    10. Click Next.
  3. Define the Configure Member Accounts screen of the wizard.
    This wizard screen is only displayed if you’ve configured the Organization Level as Organization or Organization Unit in the Account Details screen in Cortex XDR. Skip this step when the Organization Level is set to Account.
    Configuring member accounts depends on creating a stack set and configuring stack instances in AWS, which can be performed using either the Amazon Command Line Interface (CLI) or a CloudFormation template via the AWS Console. Both of these methods are explained in the instructions below.
    • Define the account credentials using Amazon CLI.
      1. Select the Amazon CLI tab, which is displayed by default.
      2. Open the Amazon CLI.
        For more information on how to set up the AWS CLI tool, see the AWS Command Line Interface Documentation.
      3. Run the following command to create a stack set, which you can copy from the Configure Member Accounts screen by selecting the copy icon, and paste in the Amazon CLI. This command includes the Role Name and External ID field values configured from the wizard screen.
        aws cloudformation create-stack-set --stack-set-name StackSetCortexXdr01 --template-url https://cortex-xdr-xcloud-onboarding-scripts-dev.s3.us-east-2.amazonaws.com/cortex-xdr-xcloud-master-dev-1.0.0.template --permission-model SERVICE_MANAGED --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=true --parameters ParameterKey=ExternalID,ParameterValue=c9a7024c-3f07-40ed-a4fb-c3a5eba778e2 --capabilities CAPABILITY_NAMED_IAM
      4. Run the following command to add stack instances to your stack set, which you can copy from the Configure Member Accounts screen by selecting the copy icon, and paste in the Amazon CLI. For the --deployment-targets parameter, specify the organization root ID to deploy to all accounts in your organization, or specify Organization Unit IDs to deploy to all accounts in these Organization Units. In this parameter, you will need to replace <Org_OU_ID1>, <Org_OU_ID2>, and <Region> according to your AWS settings.
        aws cloudformation create-stack-instances --stack-set-name StackSetCortexXdr01 --deployment-targets OrganizationalUnitIds='["<Org_OU_ID1>", "<Org_OU_ID2>"]' --regions '["<Region>"]'
        In this example, the Organization Units are populated with the ou-rcuk-1x5j1lwo and ou-rcuk-slr5lh0a IDs.
        aws cloudformation create-stack-instances --stack-set-name StackSet_myApp --deployment-targets OrganizationalUnitIds='["ou-rcuk-1x5j1lwo", "ou-rcuk-slr5lh0a"]' --regions '["eu-west-1"]'
        Once completed, in the AWS Console, select Services → CloudFormation → StackSets, and you can see the StackSet is now listed in the table.
    • Define the account credentials using AWS CloudFormation.
      1. Select the Cloud Formation tab.
      2. Download the CloudFormation template. The downloaded file is called cortex-xdr-aws-master-ro-1.0.0.template.
      3. Sign in to your AWS Master Account using the AWS console, select Services → CloudFormation → StackSets, and click Create StackSet.
      4. Define the following settings.
        - Select Template is ready.
        - Select Upload a template file, Choose file, and select the CloudFormation template that you downloaded.
      5. Click Next.
      6. Define the following settings.
        - StackSet name—Specify a name for the StackSet.
        - ExternalID—The ExternalID value specified here must be copied from the one populated in the External ID field on the right side of the Configure Member Accounts screen in Cortex XDR.
      7. Click Next.
      8. Select Service-managed permissions, and click Next.
      9. Define the following settings.
        Deployment targets
        - Select Deploy to the organization.
        - Select Enabled for Automatic deployments.
        - Select Delete stacks for Account removal behavior.
        Specify regions
        - Select a region.
        Deployment options
        - For the Maximum concurrent accounts, select Percentage, and in the field specify 100.
        - For the Failure tolerance, select Percentage, and in the field specify 100.
      10. Click Next.
      11. To create the StackSet, accept the IAM acknowledgment for resource creation by selecting the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox, and click Submit.
        When the process completes, the Status of the StackSet is SUCCEEDED in the StackSet details page.
  4. Review the Summary screen of the wizard.
    If something needs to be corrected, you can go Back to correct it.
  5. Click Create.
    Once cloud assets from AWS start to come in, a green check mark appears underneath the Cloud Inventory configuration with the Last collection time displayed. It can take a few minutes for the Last collection time to display as the processing completes.
    Whenever the Cloud Inventory data collector integrations are modified by using the Edit, Disable, or Delete options, it can take up to 10 minutes for these changes to be reflected in Cortex XDR.
  6. After Cortex XDR begins receiving AWS cloud assets, you can view the data in Assets → Cloud Inventory, where the All Assets and Specific Cloud Assets pages display the data in a table format. For more information, see Cloud Inventory Assets.
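
A check to run once the stack reaches CREATE_COMPLETE, given here as an added example that is not part of the Cortex XDR documentation or its CloudFormation template: it audits the role's trust policy, as returned by aws iam get-role --role-name <CortexXDRRoleName> --query Role.AssumeRolePolicyDocument, and confirms that sts:AssumeRole is gated on the External ID shown in the wizard. The function names, the sample policy, the account ID and the external ID are constructed placeholders.

```python
import copy

def _as_list(value):
    """IAM accepts either a single value or a list in most policy fields."""
    return value if isinstance(value, list) else [] if value is None else [value]

def _external_ids(condition):
    """Collect sts:ExternalId values pinned by an exact-match StringEquals."""
    ids = []
    for operator, keys in (condition or {}).items():
        if operator.lower() == "stringequals":
            for key, value in keys.items():
                if key.lower() == "sts:externalid":
                    ids.extend(_as_list(value))
    return ids

def audit_trust_policy(policy, expected_external_id):
    """Return a list of findings; an empty list means the policy passed."""
    findings, assume_statements = [], 0
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        assume_statements += 1
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append(f"statement {i}: wildcard principal")
        ids = _external_ids(stmt.get("Condition"))
        if not ids:
            findings.append(f"statement {i}: no StringEquals sts:ExternalId condition")
        elif ids != [expected_external_id]:
            findings.append(f"statement {i}: external ID does not match the wizard value")
    if assume_statements == 0:
        findings.append("no Allow statement for sts:AssumeRole")
    return findings

# Constructed sample input: placeholder account ID and external ID, not real values.
EXPECTED_ID = "00000000-0000-4000-8000-000000000000"
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_ID}}}]}
WEAK = copy.deepcopy(GOOD)
del WEAK["Statement"][0]["Condition"]  # same role without the External ID gate

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("weak", WEAK)):
        print(name, audit_trust_policy(doc, EXPECTED_ID) or "OK")
```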
