
Cloud Workloads Discovery: AWS Setup

Last updated: Mar. 12, 2023

Contents:
Introduction
Subscription info
About your AWS environment
Before you begin
Register individual AWS accounts
Option 1: Register your AWS account through the Falcon console
Option 2: Use APIs to enable Cloud Workloads Discovery on your AWS account
Batch register multiple AWS accounts
Before you begin
Procedure
Register an AWS Organization
Before you begin
Procedure
Finishing or updating AWS registration using a Bash script
Procedure
Upgrade your account to use Falcon Horizon
Deprovisioning accounts

Introduction
Just as Falcon Discover keeps you informed about the status of your hosts, Cloud Workloads Discovery - AWS improves your IT hygiene by helping you stay informed
about Elastic Compute Cloud (EC2) instances in your Amazon Web Services (AWS) environment. You can use Cloud Workloads Discovery to:

View information about your EC2 instances

Catalog metadata on your EC2 instances

Learn about EC2 instances even if they don't have a Falcon sensor

The instructions for adding a new account or finishing the registration for an existing account depend on two factors. Answer these two questions and then use the
table to find the appropriate instructions:

1. Does your subscription include Cloud Security Posture Management (CSPM), in addition to Cloud Workloads Discovery?

2. Was your CrowdStrike account created after August 10, 2022, or have you received an email from CrowdStrike Support saying that your account is being
migrated?

1. Subscription includes CSPM: Yes; 2. New or migrated CrowdStrike account: Yes
    To add new accounts: Follow the instructions provided for CSPM. Registering an AWS account for CSPM also registers it for Cloud Workloads Discovery.
    To finish account setup: Follow the instructions in Finish setup or upgrade AWS accounts registered for Cloud Workloads Discovery.

1. Subscription includes CSPM: Yes; 2. New or migrated CrowdStrike account: No
    To add new accounts: Follow the instructions provided for CSPM. Registering an AWS account for CSPM also registers it for Cloud Workloads Discovery.
    To finish account setup: Follow the instructions in Cloud Workloads Discovery: AWS Setup for older accounts.

1. Subscription includes CSPM: No; 2. New or migrated CrowdStrike account: Yes
    To add new accounts: Follow the instructions provided on this page: Register individual AWS accounts, Batch register multiple AWS accounts, or Register an AWS Organization.
    To finish account setup: Follow the instructions provided on this page: Finishing or updating AWS registration using a Bash script.

1. Subscription includes CSPM: No; 2. New or migrated CrowdStrike account: No
    To add new accounts: Follow the instructions in Cloud Workloads Discovery: AWS Setup for older accounts.
    To finish account setup: Follow the instructions in Cloud Workloads Discovery: AWS Setup for older accounts.

For information on the differences between individual AWS accounts and AWS Organizations, see the AWS Organizations and AWS Account Management
Documentation.

You can also automate onboarding and management of AWS accounts using our Cloud Workloads Discovery API endpoints.

Tip: When you're done, read our Cloud Workloads Discovery Feature Guide for reference information on using the Cloud Workloads Discovery dashboards
in the Falcon console.

Subscription info
Subscription Requirements:

Falcon Discover for Cloud & Containers OR the Falcon Cloud Workload Protection Bundle

AND Falcon Insight XDR

For subscription information, contact Sales.

About your AWS environment


Cloud Workloads Discovery has read-only access to your EC2 metadata, which minimizes the security impact to your AWS infrastructure. It calls AWS APIs on your
behalf using a cross-account IAM role with the following read-only permissions:

ec2:DescribeInstances

ec2:DescribeImages

ec2:DescribeNetworkInterfaces

ec2:DescribeVolumes

ec2:DescribeVpcs

ec2:DescribeRegions

ec2:DescribeSubnets

ec2:DescribeNetworkAcls

ec2:DescribeSecurityGroups

iam:ListAccountAliases

organizations:ListAccounts
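One way to confirm, before accepting a stack's Capabilities section, that the role policy grants exactly these read-only actions and nothing broader. This is an added example, not CrowdStrike's code or template; the two policy documents are constructed samples.

```python
import fnmatch

# Read-only actions documented above for the Cloud Workloads Discovery cross-account role.
EXPECTED_ACTIONS = {
    "ec2:DescribeInstances", "ec2:DescribeImages", "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeVolumes", "ec2:DescribeVpcs", "ec2:DescribeRegions",
    "ec2:DescribeSubnets", "ec2:DescribeNetworkAcls", "ec2:DescribeSecurityGroups",
    "iam:ListAccountAliases", "organizations:ListAccounts",
}

def _as_list(value):
    # IAM allows a single string or a list for Statement and Action.
    return value if isinstance(value, list) else [value]

def audit_policy(policy_doc):
    """Compare an IAM policy document (parsed JSON) with the documented allowlist.

    Returns {"broader": [...], "missing": [...]}:
      broader - Allow action patterns that grant something outside the list; any wildcard
                such as ec2:* or ec2:Describe* counts, since it covers more than documented
      missing - documented actions that no Allow statement grants (a Deny is not a grant)
    """
    granted, broader = set(), set()
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            pat = pattern.lower()  # IAM matches action names case-insensitively
            matches = {a for a in EXPECTED_ACTIONS if fnmatch.fnmatchcase(a.lower(), pat)}
            granted |= matches
            if not matches or any(ch in pat for ch in "*?"):
                broader.add(pattern)
    return {"broader": sorted(broader), "missing": sorted(EXPECTED_ACTIONS - granted)}

# Constructed sample: a policy that grants exactly the documented actions.
EXPECTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": sorted(EXPECTED_ACTIONS), "Resource": "*"}],
}

# Constructed sample: a drifted policy with an EC2 wildcard, an unrelated S3 grant, and a
# Deny that removes one documented action.
DRIFTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "iam:ListAccountAliases"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Action": "organizations:ListAccounts", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, doc in (("expected", EXPECTED_POLICY), ("drifted", DRIFTED_POLICY)):
        print(name, audit_policy(doc))
```

Run it against the policy document shown in the CloudFormation template details (or the deployed role's policy fetched with the AWS CLI) and treat anything in "broader" as a finding to review.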

Before you begin


For each AWS account you want to set up with Cloud Workloads Discovery:

Know the AWS account ID (a 12-digit number)

Have a user account with admin access to the AWS account (CrowdStrike never has access to these credentials)

Register individual AWS accounts
There are two ways to register an individual AWS account:

Option 1: Register your AWS account through the Falcon console

Option 2: Use APIs to enable Cloud Workloads Discovery on your AWS account and then run a CloudFormation template

Option 1: Register your AWS account through the Falcon console


Register AWS accounts one at a time using a CloudFormation link. You’ll enter information in the Falcon console, then finish registration on the AWS site.

This procedure requires these roles:

Falcon Administrator in Falcon console

Administrative access to AWS console

1. In the Falcon console, go to Cloud security > Cloud security > Account registration.

2. On the AWS tab, select Add new AWS account.

3. Click Register individual accounts.

4. Enter your 12-digit AWS account ID, select the appropriate region, then click Generate CloudFormation links. This registers the new account with Cloud
Workloads Discovery.

5. Click Navigate to AWS console.

6. At the AWS sign-in prompt, sign in using your AWS account with admin privileges.

7. On the Quick create stack page, review the parameters of the CrowdStrike-CSPM-Integration template and make any necessary changes. For required AWS
IAM policy permissions for Cloud Workloads Discovery, see the CloudFormation template details. Accept the terms in the Capabilities section and click
Create stack.

8. Check the accounts list in the Falcon console to verify that the status is operational. This can take up to 15 minutes.

When setup is complete, Cloud Workloads Discovery begins an initial scan of the current state of your AWS environment. Now you're ready to read our Cloud
Workloads Discovery Feature Guide to get more info about the Cloud Workloads Discovery dashboards in the Falcon console.

Option 2: Use APIs to enable Cloud Workloads Discovery on your AWS account
Configure Cloud Workloads Discovery to communicate with your AWS instances. Use APIs to provision AWS accounts either using CloudFormation or manually.
Afterwards, run the CloudFormation template to complete the setup.

Run the CloudFormation template


When you run the AWS CloudFormation template, Cloud Workloads Discovery is granted limited, read-only access to your AWS account.

1. Click the URL from the API response to review our CloudFormation template.

2. At the AWS sign-in screen, sign in using your AWS account with admin privileges. Each CloudFormation template is tied to a specific account, so be sure to
sign in with the correct account.

3. (Optional) Change regions in AWS, depending on where you want to create the CloudFormation stack and review the template parameters.

4. Run the CloudFormation template.

5. Check the accounts list in the Falcon console to verify that the status is operational. This can take up to 15 minutes.

If you have more than one AWS account to set up, run the CloudFormation template again using the URL for that account.

AWS displays a progress report of the objects being created by CloudFormation. When setup is complete, AWS displays a status of CREATE_COMPLETE.
Finally, Cloud Workloads Discovery begins an initial scan of the current state of your AWS environment. Now you're ready to read our Cloud Workloads Discovery
Feature Guide to get more info about the Cloud Workloads Discovery dashboards in the Falcon console.

Batch register multiple AWS accounts


Use a bash script to register multiple AWS accounts.

Before you begin


You need an API client ID and secret, and an AWS CLI profile. The registration script runs in your AWS CLI using your profile.

In the Falcon console, register for an API client ID and client secret with the D4C registration API scope with read & write permission enabled. For more info,
see API clients.

In AWS, set up your AWS CLI. For more info, see the AWS article Configuring the AWS CLI.

Procedure
1. In the Falcon console, go to Cloud security > Cloud security > Account registration.

2. On the AWS tab, click Add new account.

3. Click Batch register multiple accounts.

4. Click Download CSV Template. A horizon_aws_registration_accounts.csv file is downloaded to your local downloads folder. It contains a comma-
separated list of AWS account IDs and their associated AWS CLI profiles in this format:

<aws_account_id>,<aws_cli_profile>

<aws_account_id>,<aws_cli_profile>

Note: (US-GOV-1 customers only) AWS GovCloud accounts and AWS commercial accounts must be created as separate CSV files and the scripts must be run
separately.

5. Click Copy to clipboard to copy the automated script.

6. In a text editor, replace these script variables with your default region, client ID, client secret, and file path:

AWS_REGION: Update to your preferred region. The script uses the region for the accounts where the default region isn’t set.

IS_COMMERCIAL (US-GOV-1 customers only): If you are registering AWS commercial accounts, change the value to true. By default, the script
registers AWS GovCloud accounts in US-GOV-1.

Note: When registering an AWS commercial account to Falcon US-GOV-1, CrowdStrike creates two Lambda functions (cs-lambda-eventbridge and
cs-lambda-s3) along with an S3 bucket (crowdstrike-s3-{uuid}) in your AWS account to ingest logs from your existing CloudTrail for behavioral
assessment.

CLIENT_ID and CLIENT_SECRET: Replace <client id> and <client secret> with your API client ID and secret. Replace path to the
horizon_aws_registration_accounts.csv file with the actual file path.

7. In your terminal, run the copied script. The script uses your downloaded CSV file and registers your AWS accounts.

8. Check the accounts list in the Falcon console to verify that the status is operational. This can take up to 15 minutes.
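
A pre-flight check for the CSV from step 4, run before the script in step 7: every row must carry a 12-digit account ID and a profile that actually exists in your AWS CLI config, and no account should appear twice. This is an added example, not CrowdStrike's registration script; the config text and CSV rows are constructed samples.

```python
import configparser
import csv
import io
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

def load_cli_profiles(config_text):
    """Profile names defined in an AWS CLI config file (~/.aws/config syntax)."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    names = set()
    for section in parser.sections():
        # Named profiles appear as [profile name]; the default profile as [default].
        names.add(section[len("profile "):] if section.startswith("profile ") else section)
    return names

def validate_registration_csv(csv_text, profiles):
    """Return (line_number, message) problems for an <aws_account_id>,<aws_cli_profile> file.

    An empty list means the file is ready for the registration script.
    """
    problems, seen = [], {}
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not row or all(not c.strip() for c in row):
            continue  # blank line
        if len(row) != 2:
            problems.append((lineno, f"expected 2 fields, found {len(row)}"))
            continue
        account_id, profile = (c.strip() for c in row)
        if not ACCOUNT_ID_RE.match(account_id):
            # An 11-digit ID is often a leading zero dropped by a spreadsheet that edited the file.
            problems.append((lineno, f"'{account_id}' is not a 12-digit AWS account ID"))
        if account_id in seen:
            problems.append((lineno, f"account {account_id} already listed on line {seen[account_id]}"))
        seen.setdefault(account_id, lineno)
        if profile not in profiles:
            problems.append((lineno, f"AWS CLI profile '{profile}' is not defined"))
    return problems

# Constructed sample inputs (not a real config or account list).
SAMPLE_AWS_CONFIG = """\
[default]
region = us-east-1
[profile prod-acct]
region = us-west-2
"""
SAMPLE_CSV = """\
123456789012,prod-acct
123456789012,default
12345678901,staging
"""

if __name__ == "__main__":
    for lineno, msg in validate_registration_csv(SAMPLE_CSV, load_cli_profiles(SAMPLE_AWS_CONFIG)):
        print(f"line {lineno}: {msg}")
```

To check a real file, read ~/.aws/config and the downloaded horizon_aws_registration_accounts.csv into the two functions in place of the samples.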
Register an AWS Organization
When you register an AWS Organization using a bash script, all child accounts in that organization are registered automatically for Cloud Workloads Discovery.

Before you begin


You need an API client ID and secret, and an AWS CLI profile. The registration script runs in your AWS CLI using your profile.

1. In the Falcon console, register for an API client ID and client secret with the D4C registration API scope with read & write permission enabled. For more info,
see API clients.

2. In AWS, set up your AWS CLI. For more info, see the AWS article Configuring the AWS CLI.

Note: If your organization account was previously registered with Cloud Workloads Discovery and was migrated, you will need to add the
organizations:ListAccounts permission to the IAM role in the root account so that new accounts can be automatically discovered as they are
added. While existing accounts will continue to work, failure to add this permission will prevent new accounts from getting added. Alternatively, you can
delete the existing stack and register with Cloud Workloads Discovery using the new registration option for onboarding Organization accounts, which
creates an IAM role with the right permissions to automatically discover new accounts.

Procedure
1. In the Falcon console, go to Cloud security > Cloud security > Account registration.

2. On the AWS tab, click Add new account.

3. Select Register AWS Organization and click Next.

4. On the page that appears, follow the instructions to generate a script to register the AWS Organization:

1. (US-GOV-1 customers only) If you are registering an AWS commercial account, use the dropdown to select AWS Commercial. By default, the script
registers an AWS GovCloud account in Falcon US-GOV-1.

Note: When registering an AWS commercial account to Falcon US-GOV-1, CrowdStrike creates two Lambda functions (cs-lambda-eventbridge and
cs-lambda-s3) along with an S3 bucket (crowdstrike-s3-{uuid}) in your AWS account to ingest logs from your existing CloudTrail for behavioral
assessment.

2. In the CloudFormation region dropdown list, select the region where the CrowdStrike resources will be created. If left blank, the script uses the same
region as your account.

3. Enter your AWS Organization ID and the AWS Profile name for the organization.

4. Enter your CrowdStrike API Client ID and CrowdStrike API Client Secret.

5. The script is updated with the options you specified. Click Copy to clipboard to copy the script.

5. In a terminal, run the copied script to register your AWS accounts.

6. Check the accounts list in the Falcon console to verify that the status is operational. This can take up to 15 minutes.

Finishing or updating AWS registration using a Bash script


If your AWS accounts list includes accounts with the status Action required: Finish setup, you need to perform additional registration steps. This can happen if:

You didn’t complete a registration.

You need to update an AWS organization account to make sure new child accounts are registered correctly in Cloud Workloads Discovery.

Procedure
1. In the Falcon console, go to Cloud security > Cloud security > Account registration.

2. On the AWS tab, look under Inactive Accounts or Active Accounts to view account status and follow the appropriate instructions to finish registration:

Finish setting up an individual account:

1. In the Status column of the account you want to finish registration for, click Finish setup.

2. Verify or select the default region for the AWS account, then click Finish registering in AWS.

3. Log in to your AWS account with admin privileges and click Create Stack.

4. Check the accounts list in the Falcon console to verify that the status is operational. This can take up to 15 minutes.

Finish setting up all accounts in bulk (batch registration):

1. Click Batch register all.

2. Follow the on-screen instructions to download a pre-populated CSV file and run an automated script in your terminal.

3. When finished, check the accounts list in the Falcon console to verify that the status is operational. This can take up to 15 minutes.

Updating an organization account:

1. In the Status column of the organization you want to update, click Finish setup.

2. Follow the on-screen instructions to download a pre-populated CSV file and run an automated script in your terminal.

3. When finished, check the accounts list in the Falcon console to verify that the status is operational. This can take up to 15 minutes.

Upgrade your account to use Falcon Horizon


Falcon Horizon continuously monitors your cloud services for critical security issues, common configuration errors, and patterns of suspicious behavior. Guided
remediation and policy and compliance enforcement help keep your cloud environment secure. For more info, see Falcon Horizon Overview.

On the Cloud Accounts Registration page, you might see an account registration status of Active, with an Upgrade to Horizon link beside it. The link appears when
all of these conditions are met:

Your CrowdStrike account was created before August 10, 2022 and it has been migrated to the new API that supports batch and organization account
registration.

The AWS account in question was added to Cloud Workloads Discovery before migration happened.

Your account has a Falcon Horizon subscription.

When you upgrade an account to Horizon, the registration process deprovisions the account from Cloud Workloads Discovery so that it can then provision the
account for both Falcon Horizon and Cloud Workloads Discovery.

1. In the Falcon console, go to Cloud security > Cloud security > Account registration.

2. On the AWS tab, click Upgrade to Horizon for the account that you want to upgrade.

3. On the Register an individual account page, the AWS account ID is prefilled with the account that you’re upgrading. Select the CloudTrail option (existing or
new), select the appropriate region, and click Generate CloudFormation links. If you have admin access to the AWS console, click Navigate to AWS console.
Otherwise, click Copy CloudFormation URL and ask someone who has AWS access to complete the next two steps.

4. At the AWS sign-in prompt, sign in using your AWS account with admin privileges.

5. On the Quick create stack page, review the parameters of the CrowdStrike-CSPM-Integration template and make any necessary changes. For required AWS
IAM policy permissions for Horizon, see the CloudFormation template details. Click Create Stack.

6. Check the Cloud Security Posture accounts list in the Falcon console to verify that the status is operational. This can take up to 15 minutes.

Note: The account is listed under Cloud Security Posture accounts, but it is enabled for both Cloud Security Posture and Cloud Workloads Discovery.

Deprovisioning accounts
Deprovision an account to remove it from Cloud Workloads Discovery. Deprovisioned accounts won’t be actively assessed, but historical data is retained according to
your Falcon data retention policy.

1. In the Falcon console, go to Cloud security > Cloud security > Account registration.

2. On the AWS tab, select the checkbox next to the accounts that you want to deprovision, then click Deprovision.

3. In the Deprovision Account dialog, click Deprovision.

Note: If the account that you selected is associated with an AWS Organization account, you can deprovision either just the selected accounts or all accounts
associated with that AWS Organization.

4. Follow the onscreen instructions to run the script that removes Cloud Workloads Discovery resources from your cloud environments.
