AWS Organization Onboarding

This article outlines the steps to onboard your AWS Organization to Panoptica using the CloudFormation StackSets service.

The process includes two steps:
Step 1: Onboarding your organization’s management (master) account and creating the StackSet.
Step 2: Configuring the StackSet and onboarding your member accounts.

📘

Prerequisites

  • Enable StackSet trusted access with AWS Organizations. An AWS guide on how to do this can be found here. Note that this requires an Admin on the management account.
  • The user performing the onboarding must have the relevant permissions to create and deploy CloudFormation Stacks and StackSets.
  • If you have already onboarded accounts of the Organization to Panoptica via the regular onboarding flow, they must be deleted from Panoptica (via the account page) before the AWS organization onboarding begins.

Onboarding Process

Step 1:

  1. Log into your organization management (master) account.
  2. Input the management (master) account ID and select a display name for this account on Panoptica.
  3. In Panoptica, click Launch Stack under the Add Organization Management Account. This will take you to the AWS console.
  4. Select the I acknowledge that AWS CloudFormation might create IAM resources checkbox, and then click Create Stack.
    • You can change the Stack name field if you want.
  1. CloudFormation will deploy the resources in the management account so that you can see the creation status in AWS and make sure you see three resources with “CREATE_COMPLETE” status.
    The deployed resources are:
  • A role on the management account so Panoptica can scan it.
  • A StackSet to onboard the member accounts.
  • An SNS alerting Panoptica to the new account, so we can onboard and automatically scan it.

Once all three resources have the "CREATE_COMPLETE", the first step is done.
Your management account should be onboarded to Panoptica shortly thereafter, and the scan will automatically start after that. In addition, we've created the StackSet required for step 2 - onboarding the member accounts.

Step 2:

  1. Once all resources are created successfully, click StackSets from the menu to the left, and then click the PanopticaSecurityAudit StackSet that was created.
  1. Click the Actions drop-down menu and select the Add stacks to StackSet option.
  1. Set deployment targets:
    We recommend onboarding the entire Organization, but you can choose to onboard accounts from specific OUs (Organizational Units) as well.

  1. Specify regions:
    Select the US East (Ohio) region from the drop-down list. Once done, click Next.

  1. Click Next again in the next step, and after the final review click Submit to start the deployment.

Congratulations! You can now view the “Stack instances” tab to see the status of each account's deployment.

Note: Each account that was successfully deployed should be onboarded and scanned in a matter of minutes. You can see the accounts and their statuses in Panoptica’s account page.

Note: For larger Organizations, the initial scan of all accounts may take some time to complete.