Contents:
Introduction
Subscription info
About your AWS environment
Before you begin
Register individual AWS accounts
Option 1: Register your AWS account through the Falcon console
Option 2: Use APIs to enable Cloud Workloads Discovery on your AWS account
Batch register multiple AWS accounts
Before you begin
Procedure
Register an AWS Organization
Before you begin
Procedure
Introduction
Just as Falcon Discover keeps you informed about the status of your hosts, Cloud Workloads Discovery - AWS improves your IT hygiene by helping you stay informed
about Elastic Compute Cloud (EC2) instances in your Amazon Web Services (AWS) environment. You can use Cloud Workloads Discovery to:
Learn about EC2 instances even if they don't have a Falcon sensor
The instructions for adding a new account or finishing the registration for an existing account depend on two factors. Answer these two questions and then use the
table to find the appropriate instructions:
1. Does your subscription include Cloud Security Posture Management (CSPM), in addition to Cloud Workloads Discovery?
2. Was your CrowdStrike account created after August 10, 2022, or have you received an email from CrowdStrike Support saying that your account is being
migrated?
For each combination, the first entry tells you how to add a new account and the second how to finish registering an existing account.

CSPM included: Yes. Account created after August 10, 2022, or migrated: Yes.
New account: Follow the instructions provided for CSPM. Registering an AWS account for CSPM also registers it for Cloud Workloads Discovery.
Existing account: Follow the instructions in Finish setup or upgrade AWS accounts registered for Cloud Workloads Discovery.

CSPM included: No. Account created after August 10, 2022, or migrated: Yes.
New account: Follow the instructions provided on this page: Register individual AWS accounts, Batch register multiple AWS accounts, or Register an AWS Organization.
Existing account: Finishing or updating AWS registration using a Bash script.

CSPM included: No. Account created after August 10, 2022, or migrated: No.
New account: Follow the instructions in Cloud Workloads Discovery: AWS Setup for older accounts.
Existing account: Follow the instructions in Cloud Workloads Discovery: AWS Setup for older accounts.
For information on the differences between individual AWS accounts and AWS Organizations, see the AWS Organizations and AWS Account Management
Documentation.
You can also automate onboarding and management of AWS accounts using our Cloud Workloads Discovery API endpoints.
Tip: When you're done, read our Cloud Workloads Discovery Feature Guide for reference information on using the Cloud Workloads Discovery dashboards
in the Falcon console.
Subscription info
Subscription Requirements:
Falcon Discover for Cloud & Containers OR the Falcon Cloud Workload Protection Bundle
AWS IAM permissions used by Cloud Workloads Discovery (all read-only; granted to the IAM role that the CloudFormation template creates):
ec2:DescribeInstances
ec2:DescribeImages
ec2:DescribeNetworkInterfaces
ec2:DescribeVolumes
ec2:DescribeVpcs
ec2:DescribeRegions
ec2:DescribeSubnets
ec2:DescribeNetworkAcls
ec2:DescribeSecurityGroups
iam:ListAccountAliases
organizations:ListAccounts (needed only on the role in the organization's management account, to discover new child accounts)
AWS access requirements:
Have a user account with admin access to the AWS account. It is used only to create the CloudFormation stack; CrowdStrike never has access to these credentials.
Register individual AWS accounts
There are two ways to register an individual AWS account:
Option 1: Register your AWS account through the Falcon console
Option 2: Use APIs to enable Cloud Workloads Discovery on your AWS account and then run a CloudFormation template
Option 1: Register your AWS account through the Falcon console
1. In the Falcon console, go to Cloud security > Cloud security > Account registration.
4. Enter your 12-digit AWS account ID, select the appropriate region, then click Generate CloudFormation links. This registers the new account with Cloud
Workloads Discovery.
6. At the AWS sign-in prompt, sign in using your AWS account with admin privileges.
7. On the Quick create stack page, review the parameters of the CrowdStrike-CSPM-Integration template and make any necessary changes. For required AWS
IAM policy permissions for Cloud Workloads Discovery, see the CloudFormation template details. In the Capabilities section, acknowledge that the template
creates IAM resources (the role that Cloud Workloads Discovery assumes), then click Create stack.
8. Check the accounts list in the Falcon console to verify that the status is operational. This can take up to 15 minutes.
When setup is complete, Cloud Workloads Discovery begins an initial scan of the current state of your AWS environment. Now you're ready to read our Cloud
Workloads Discovery Feature Guide to get more info about the Cloud Workloads Discovery dashboards in the Falcon console.
Option 2: Use APIs to enable Cloud Workloads Discovery on your AWS account
Use the Cloud Workloads Discovery API to register AWS accounts, either with CloudFormation or manually, then run the CloudFormation template to complete the
setup. You need an API client with the D4C registration API scope (read & write). The API response for each account contains the URL of that account's
CloudFormation template.
1. Click the URL from the API response to review our CloudFormation template.
2. At the AWS sign-in screen, sign in using your AWS account with admin privileges. Each CloudFormation template is tied to a specific account, so be sure to
sign in with the correct account.
3. (Optional) Change regions in AWS, depending on where you want to create the CloudFormation stack and review the template parameters.
5. Check the accounts list in the Falcon console to verify that the status is operational. This can take up to 15 minutes.
If you have more than one AWS account to set up, run the CloudFormation template again using the URL for that account.
AWS displays a progress report of the objects being created by CloudFormation. When setup is complete, AWS displays a status of CREATE_COMPLETE.
Finally, Cloud Workloads Discovery begins an initial scan of the current state of your AWS environment. Now you're ready to read our Cloud Workloads Discovery
Feature Guide to get more info about the Cloud Workloads Discovery dashboards in the Falcon console.
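The API call that produces the URL in step 1 is not shown above. The following Python script is an added example, not CrowdStrike's code: it performs the OAuth2 client-credentials exchange against the /oauth2/token endpoint, submits one account for registration, and pulls the CloudFormation quick-create URL out of the response so it can be handed to whoever holds AWS admin access. The base URL, the /cloud-connect-aws/entities/account/v2 path, and the account_id and cloudtrail_region field names are assumptions taken from the public API reference; verify them against the API documentation for your Falcon cloud before use.

```python
"""Added example (not CrowdStrike's code): register one AWS account through
the Cloud Workloads Discovery API and extract the CloudFormation URL.
Standard library only.  The registration endpoint path and body fields are
ASSUMPTIONS; check them against your API reference."""
import json
import re
import urllib.parse
import urllib.request

ACCOUNT_ID_RE = re.compile(r"\d{12}")


def build_token_request(base_url, client_id, client_secret):
    """OAuth2 client-credentials exchange: form-encoded POST to /oauth2/token.
    The response JSON carries the bearer token in 'access_token'."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    return urllib.request.Request(
        f"{base_url}/oauth2/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})


def build_registration_request(base_url, token, account_id, region):
    """ASSUMED endpoint: POST /cloud-connect-aws/entities/account/v2 with a
    resources[] body.  Rejects malformed account IDs before any call is made."""
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError(f"AWS account ID must be 12 digits, got {account_id!r}")
    payload = json.dumps({"resources": [
        {"account_id": account_id, "cloudtrail_region": region}]}).encode()
    return urllib.request.Request(
        f"{base_url}/cloud-connect-aws/entities/account/v2", data=payload,
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"})


def find_cloudformation_urls(response):
    """Collect every CloudFormation console URL anywhere in the response,
    whatever field name carries it (the exact layout is not documented here)."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
        elif (isinstance(node, str) and node.startswith("https://")
              and "cloudformation" in node.lower()):
            found.append(node)

    walk(response)
    return list(dict.fromkeys(found))  # de-duplicate, keep order


def call(request):
    """Send a request and decode the JSON body."""
    with urllib.request.urlopen(request, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import os
    # US-GOV-1 and other clouds use a different API host: set FALCON_BASE_URL.
    base = os.environ.get("FALCON_BASE_URL", "https://api.crowdstrike.com")
    token = call(build_token_request(
        base, os.environ["FALCON_CLIENT_ID"],
        os.environ["FALCON_CLIENT_SECRET"]))["access_token"]
    response = call(build_registration_request(
        base, token, os.environ["AWS_ACCOUNT_ID"],
        os.environ.get("AWS_REGION", "us-east-1")))
    for url in find_cloudformation_urls(response):
        print(url)
```

Set FALCON_CLIENT_ID, FALCON_CLIENT_SECRET and AWS_ACCOUNT_ID in the environment and run the script; on US-GOV-1 set FALCON_BASE_URL to your cloud's API host. find_cloudformation_urls deliberately searches the whole response rather than one field name, so it keeps working if the response layout differs from the assumption; the printed URL is what you hand to the person who signs in to AWS in step 2.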
Batch register multiple AWS accounts
Before you begin
1. In the Falcon console, register for an API client ID and client secret with the D4C registration API scope with read & write permission enabled. For more info,
see API clients.
2. In AWS, set up your AWS CLI with a profile for each account you want to register. For more info, see the AWS article Configuring the AWS CLI.
Procedure
1. In the Falcon console, go to Cloud security > Cloud security > Account registration.
4. Click Download CSV Template. A horizon_aws_registration_accounts.csv file is downloaded to your local downloads folder. It lists the AWS account IDs and
their associated AWS CLI profiles, one account per line, in this format:
<aws_account_id>,<aws_cli_profile>
<aws_account_id>,<aws_cli_profile>
Note: (US-GOV-1 customers only) AWS GovCloud accounts and AWS commercial accounts must be created as separate CSV files and the scripts must be run
separately.
6. In a text editor, replace these script variables with your default region, client ID, client secret, and file path:
AWS_REGION: Update to your preferred region. The script uses this region for accounts whose CLI profile doesn't set a default region.
IS_COMMERCIAL (US-GOV-1 customers only): If you are registering AWS commercial accounts, change the value to true. By default, the script
registers AWS GovCloud accounts in US-GOV-1.
Note: When registering an AWS commercial account to Falcon US-GOV-1, CrowdStrike creates Lambda functions (cs-lambda-eventbridge and
cs-lambda-s3) and an S3 bucket (crowdstrike-s3-{uuid}) in your AWS account to ingest logs from your existing CloudTrail for behavioral
assessment.
CLIENT_ID and CLIENT_SECRET: Replace <client id> and <client secret> with your API client ID and secret. Replace the path placeholder with the actual
path to your horizon_aws_registration_accounts.csv file. The client secret grants write access to cloud account registration in your Falcon tenant:
keep the edited script out of source control and delete it when you're done.
7. In your terminal, run the copied script. The script uses your downloaded CSV file and registers your AWS accounts.
8. Check the accounts list in the Falcon console to verify that the status is operational. This can take up to 15 minutes.
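Before running the script, it is worth validating the CSV and the profiles it refers to, because a bad line fails only after the script has started registering accounts. The following Python script is an added example, not CrowdStrike's script. It checks that every row has the <aws_account_id>,<aws_cli_profile> shape, that account IDs are 12 digits and unique, that each profile exists in your AWS CLI config, and, for US-GOV-1, that GovCloud and commercial profiles are not mixed in one file, which the note above rules out. The config and CSV contents are constructed for the example; the profile names and the region-prefix heuristic (us-gov-* means GovCloud) are the author's own.

```python
"""Added example (not CrowdStrike's script): sanity-check the
horizon_aws_registration_accounts.csv file and the AWS CLI profiles it
names before running the vendor's registration script."""
import configparser
import csv
import io
import re

ACCOUNT_ID_RE = re.compile(r"\d{12}")


def load_profiles(config_text):
    """Map profile name -> region from ~/.aws/config text.  Named profiles
    live in '[profile NAME]' sections; the default profile in '[default]'."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    profiles = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = parser[section].get("region")
    return profiles


def validate_csv(csv_text, profiles, govcloud):
    """Return (errors, warnings).  govcloud=True means the file is meant for
    GovCloud accounts (the script default on US-GOV-1); False means
    commercial accounts (IS_COMMERCIAL=true)."""
    errors, warnings, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not any(cell.strip() for cell in row):
            continue  # blank line
        if len(row) != 2:
            errors.append(f"line {lineno}: expected <aws_account_id>,<aws_cli_profile>, "
                          f"got {len(row)} fields")
            continue
        account_id, profile = (cell.strip() for cell in row)
        if not ACCOUNT_ID_RE.fullmatch(account_id):
            errors.append(f"line {lineno}: {account_id!r} is not a 12-digit AWS account ID")
        elif account_id in seen:
            errors.append(f"line {lineno}: duplicate account ID {account_id}")
        seen.add(account_id)
        if profile not in profiles:
            errors.append(f"line {lineno}: AWS CLI profile {profile!r} not found in config")
            continue
        region = profiles[profile]
        if region is None:
            # Not fatal: the script falls back to AWS_REGION for this account.
            warnings.append(f"line {lineno}: profile {profile!r} sets no region; "
                            f"the script will use AWS_REGION")
        elif region.startswith("us-gov-") != govcloud:
            # GovCloud and commercial accounts must go in separate CSV files.
            expected = "GovCloud" if govcloud else "commercial"
            errors.append(f"line {lineno}: profile {profile!r} (region {region}) is not a "
                          f"{expected} profile; register it from a separate CSV")
    return errors, warnings


# Constructed sample inputs (not from a real environment).
SAMPLE_CONFIG = """
[default]
region = us-east-1

[profile prod]
region = us-west-2

[profile gov]
region = us-gov-west-1

[profile noregion]
output = json
"""

SAMPLE_CSV = """123456789012,prod
12345678901,default
123456789012,prod
210987654321,gov
345678901234,noregion
456789012345,missing
"""

if __name__ == "__main__":
    errs, warns = validate_csv(SAMPLE_CSV, load_profiles(SAMPLE_CONFIG), govcloud=False)
    for line in errs:
        print("ERROR", line)
    for line in warns:
        print("WARN ", line)
```

Replace the sample strings with the contents of ~/.aws/config and the downloaded CSV (or read them from disk) and fix every error before running the registration script. A profile with no region is only a warning because the script falls back to AWS_REGION for it; a GovCloud profile in a commercial file (or the reverse) is an error because the note above requires separate files and separate runs.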
Register an AWS Organization
When you register an AWS Organization using a bash script, all child accounts in that organization are registered automatically for Cloud Workloads Discovery.
Before you begin
1. In the Falcon console, register for an API client ID and client secret with the D4C registration API scope with read & write permission enabled. For more info,
see API clients.
2. In AWS, set up your AWS CLI with a profile for the organization's management account. For more info, see the AWS article Configuring the AWS CLI.
Note: If your organization account was previously registered with Cloud Workloads Discovery and was migrated, you need to add the
organizations:ListAccounts permission to the IAM role in the organization's management (root) account so that new child accounts are discovered
automatically as they are added. Existing accounts continue to work, but without this permission new accounts are not added. Alternatively, delete the
existing stack and register again using the new registration option for onboarding Organization accounts, which creates an IAM role with the right
permissions to discover new accounts automatically.
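The permission list in Subscription info and the note above come down to one check: does the role the stack created hold the documented read-only actions (plus organizations:ListAccounts on the management-account role) and nothing broader? The following Python script is an added example, not CrowdStrike's code. It audits an IAM policy document against that list and flags both missing actions and grants wider than read-only. The sample policy is constructed for the example and the helper names are the author's own. It ignores Resource and Condition elements and permissions boundaries, so treat its output as a first pass, not a proof.

```python
"""Added example (not CrowdStrike's code): audit an IAM policy document
against the read-only action set that Cloud Workloads Discovery needs."""
import fnmatch
import json

# The Cloud Workloads Discovery permission list from the Subscription info section.
REQUIRED_ACTIONS = frozenset({
    "ec2:DescribeInstances", "ec2:DescribeImages", "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeVolumes", "ec2:DescribeVpcs", "ec2:DescribeRegions",
    "ec2:DescribeSubnets", "ec2:DescribeNetworkAcls", "ec2:DescribeSecurityGroups",
    "iam:ListAccountAliases",
})
# Needed only on the role in the organization's management account, so that
# new child accounts are discovered automatically.
ORG_ACTIONS = frozenset({"organizations:ListAccounts"})
READ_ONLY_PREFIXES = ("describe", "list", "get")


def _as_list(value):
    """IAM allows a string or a list in Statement/Action; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_patterns(policy, effect):
    """Action strings from statements with the given Effect ("Allow"/"Deny")."""
    patterns = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == effect:
            patterns.update(_as_list(stmt.get("Action")))
    return patterns


def matches(action, patterns):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def is_read_only(pattern):
    """A literal Describe*/List*/Get* action.  Any wildcard is flagged for
    review because it may grant more than the documented set."""
    _, _, name = pattern.partition(":")
    return "*" not in pattern and name.lower().startswith(READ_ONLY_PREFIXES)


def audit(policy, management_account=False):
    """Return {'missing': [...], 'overbroad': [...]} for one policy document.
    A required action counts as missing if no Allow matches it or a Deny does."""
    required = set(REQUIRED_ACTIONS) | (set(ORG_ACTIONS) if management_account else set())
    allowed = action_patterns(policy, "Allow")
    denied = action_patterns(policy, "Deny")
    missing = sorted(a for a in required
                     if not matches(a, allowed) or matches(a, denied))
    overbroad = sorted(p for p in allowed if not is_read_only(p))
    return {"missing": missing, "overbroad": overbroad}


# Constructed sample: the documented read-only actions plus one wildcard grant.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": [
        "ec2:DescribeInstances", "ec2:DescribeImages", "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeVolumes", "ec2:DescribeVpcs", "ec2:DescribeRegions",
        "ec2:DescribeSubnets", "ec2:DescribeNetworkAcls", "ec2:DescribeSecurityGroups",
        "iam:ListAccountAliases"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY, management_account=True), indent=2))
```

To audit a live role, fetch its policy documents with the AWS CLI (aws iam get-role-policy for inline policies, aws iam get-policy-version for attached ones) and pass the decoded JSON to audit(); run it against the management-account role with management_account=True. On the constructed sample it reports organizations:ListAccounts as missing and iam:* as over-broad, which is exactly the migrated-organization situation the note describes plus a grant that should be trimmed.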
Procedure
1. In the Falcon console, go to Cloud security > Cloud security > Account registration.
4. On the page that appears, follow the instructions to generate a script to register the AWS Organization:
1. (US-GOV-1 customers only) If you are registering an AWS commercial account, use the dropdown to select AWS Commercial. By default, the script
registers an AWS GovCloud account in Falcon US-GOV-1.
Note: When registering an AWS commercial account to Falcon US-GOV-1, CrowdStrike creates Lambda functions (cs-lambda-eventbridge and
cs-lambda-s3) and an S3 bucket (crowdstrike-s3-{uuid}) in your AWS account to ingest logs from your existing CloudTrail for behavioral
assessment.
2. In the CloudFormation region dropdown list, select the region where the CrowdStrike resources will be created. If left blank, the script uses the same
region as your account.
3. Enter your AWS Organization ID and the AWS Profile name for the organization.
4. Enter your CrowdStrike API Client ID and CrowdStrike API Client Secret.
5. The script is updated with the options you specified. Click Copy to clipboard to copy the script, then run it in your terminal.
6. Check the accounts list in the Falcon console to verify that the status is operational. This can take up to 15 minutes.
Finish setup or upgrade AWS accounts registered for Cloud Workloads Discovery
Use the scenario below that matches your situation. You also need to update an AWS Organization account to make sure new child accounts are registered
correctly in Cloud Workloads Discovery.
Procedure
1. In the Falcon console, go to Cloud security > Cloud security > Account registration.
2. On the AWS tab, look under Inactive Accounts or Active Accounts to view account status and follow the appropriate instructions to finish registration:
Scenario: Finish setting up an individual account
1. In the Status column of the account you want to finish registration for, click Finish setup.
2. Verify or select the default region for the AWS account, then click Finish registering in AWS.
3. Log in to your AWS account with admin privileges and click Create Stack.
4. Check the accounts list in the Falcon console to verify that the status is operational. This can take up to 15 minutes.
Scenario: Finish setting up all accounts in bulk (batch registration)
2. Follow the on-screen instructions to download a pre-populated CSV file and run an automated script in your terminal.
3. When finished, check the accounts list in the Falcon console to verify that the status is operational. This can take up to 15 minutes.
Scenario: Updating an organization account
1. In the Status column of the organization you want to update, click Finish setup.
2. Follow the on-screen instructions to download a pre-populated CSV file and run an automated script in your terminal.
3. When finished, check the accounts list in the Falcon console to verify that the status is operational. This can take up to 15 minutes.
On the Cloud Accounts Registration page, you might see an account registration status of Active, with an Upgrade to Horizon link beside it. The link appears when
all of these conditions are met:
Your CrowdStrike account was created before August 10, 2022 and it has been migrated to the new API that supports batch and organization account
registration.
The AWS account in question was added to Cloud Workloads Discovery before migration happened.
When you upgrade an account to Horizon, the registration process deprovisions the account from Cloud Workloads Discovery so that it can then provision the
account for both Falcon Horizon and Cloud Workloads Discovery.
1. In the Falcon console, go to Cloud security > Cloud security > Account registration.
2. On the AWS tab, click Upgrade to Horizon for the account that you want to upgrade.
3. On the Register an individual account page, the AWS account ID is prefilled with the account that you’re upgrading. Select the CloudTrail option (existing or
new), select the appropriate region, and click Generate CloudFormation links. If you have admin access to the AWS console, click Navigate to AWS console.
Otherwise, click Copy CloudFormation URL and ask someone who has AWS access to complete the next two steps.
4. At the AWS sign-in prompt, sign in using your AWS account with admin privileges.
5. On the Quick create stack page, review the parameters of the CrowdStrike-CSPM-Integration template and make any necessary changes. For required AWS
IAM policy permissions for Horizon, see the CloudFormation template details. Click Create Stack.
6. Check the Cloud Security Posture accounts list in the Falcon console to verify that the status is operational. This can take up to 15 minutes.
Note: The account is listed under Cloud Security Posture accounts, but it is enabled for both Cloud Security Posture and Cloud Workloads Discovery.
Deprovisioning accounts
Deprovision an account to remove it from Cloud Workloads Discovery. Deprovisioned accounts won’t be actively assessed, but historical data is retained according to
your Falcon data retention policy.
1. In the Falcon console, go to Cloud security > Cloud security > Account registration.
2. On the AWS tab, select the checkbox next to the accounts that you want to deprovision, then click Deprovision.
Note: If the account that you selected is associated with an AWS Organization account, you can deprovision either just the selected accounts or all accounts
associated with that AWS Organization.
4. Follow the onscreen instructions to run the script that removes Cloud Workloads Discovery resources from your cloud environments.