Add Existing AWS Accounts

Integrate multiple existing accounts in an Organization using AWS CloudFormation

AWS CloudFormation allows organizations to easily deploy AWS resources into existing accounts within the AWS Organization. Veza integrates with AWS CloudFormation to enable one-touch registration of AWS accounts with the Veza platform.

To control which AWS accounts will register with the Veza platform, the provided CloudFormation template can apply to the AWS Organization as a whole, specific Organizational Units within the AWS Organization, or specific AWS accounts.

The template will create the required IAM resources and a Lambda function responsible for registering and updating the managed account where it is deployed, and create a Veza AWS Integration for the account.

Integration Details

Veza's AWS Organizations integration is delivered as an AWS CloudFormation template that can be installed in the Organization's root account. The integration consists of three main infrastructure components that will be deployed to target accounts:

  1. An AWS Lambda function:

    • This Lambda function executes when the AWS CloudFormation StackSet is first deployed and on any subsequent update or delete requests

    • This function interacts with Veza APIs to ensure that the target account is registered as a Cloud Provider in the organization's Veza platform and that its registration details are up-to-date

  2. An IAM Role and Policy for the target account to allow Veza to assume an IAM Role with read-only access and discover the resources inside the account

  3. An AWS Secrets Manager secret:

    • The Veza API key required for interacting with Veza APIs is encrypted and stored in the target account.

    • A strict IAM policy gives the AWS Lambda function access to this key for interactions with the Veza API.

The AWS Lambda function executes upon initial deployment of the AWS CloudFormation StackSet, as well as upon updates or deletes to the StackSet, allowing for centralized configuration control of the organization's AWS integrations.

Installation

Before deploying the Veza AWS Organizations integration, three pieces of data are required.

  1. Make note of the URL used to connect to Veza (ex: https://example.vezacloud.com)

  2. Generate an API key on the Veza platform for use by the CloudFormation template

  3. Generate a UUID value for use as the ExternalId when Veza assumes the read-only IAM role

AWS Configuration

The following steps should be completed in the AWS Organizations root account by a user with permission to deploy CloudFormation StackSets.

  1. Log into the AWS console, click Services, then search for and select CloudFormation.

  2. In the left navigation bar, click StackSets.

  3. In the right corner of the main pane, click Create StackSet.

  4. In Step 1: Choose a Template, leave the default values selected and provide https://veza-controltower.s3.amazonaws.com/veza-aws-org-member-account.yaml in the Amazon S3 URL field.

  5. In Step 2: Specify StackSet Details, provide the following:

    1. StackSet Name: enter a display name for the CloudFormation StackSet

    2. StackSet Description: enter an optional description of the CloudFormation StackSet

    3. RemoveVezaIntegrationOnDelete: set to true to remove AWS accounts from the Veza platform if this StackSet is deleted (default: true)

    4. VezaApiToken: paste in the API key generated on the Veza platform

    5. VezaApplicationUrl: paste in the URL of the Veza instance copied above

    6. VezaDiscoveryAccountId: this is the AWS account used by Veza to assume the read-only IAM role and discover resources in the target account. Leave the default value unless otherwise instructed.

    7. VezaExternalId: this is the externalId that Veza will provide when attempting to assume the IAM Role in the target accounts. Set it to any UUID value.

    8. VezaRDSUser: this is an existing local user account with read privileges that will be used to discover RDS resources.

  6. In Step 3: Configure StackSet options, add any desired tags, ensure Managed execution is set to Inactive, and click Next

  7. In Step 4: Set Deployment Options, provide the following, leaving the remaining options with their default values:

    1. Deployment Targets: select either Deploy to organization or Deploy to organizational units (OUs).

      1. If Deploy to organizational units is selected, provide up to 10 AWS OU IDs and an optional Account Filter Type

    2. Specify Regions: select a single region into which the AWS Lambda function will be deployed for the target accounts. Warning: Ensure only one region is specified for the deployment; selecting multiple regions will lead to conflicts and require manual intervention to remove.

  8. In Step 5: Review, review the entered parameters, scroll to the bottom of the form, accept the IAM Role disclaimer, then click Submit.

After the CloudFormation StackSet is provisioned, the integration is enabled. The Stack resources will be deployed into the target accounts and will register with the Veza platform as they complete.
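The console procedure above, expressed as an added AWS CLI example (not Veza's own tooling). The template URL and parameter names are taken from this page; the OU id, region, RDS user and API token values are placeholders, and the ExternalId and single-region checks reflect the requirements stated in steps 5 and 7.

```shell
#!/usr/bin/env bash
# Added example, not Veza's own tooling: the console steps above as AWS CLI calls.
# The template URL and parameter names come from the page; the OU id, region and
# VEZA_* values are constructed placeholders.
set -eu

TEMPLATE_URL="https://veza-controltower.s3.amazonaws.com/veza-aws-org-member-account.yaml"

# VezaExternalId must be a UUID; check it before it lands in the role's trust policy.
# Returns 0 for a valid UUID, 1 otherwise.
validate_external_id() {
  printf '%s' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Step 7 warns that more than one region causes conflicting deployments.
# Takes a whitespace-separated region list; returns 0 only when exactly one is given.
validate_single_region() {
  set -- $1
  [ "$#" -eq 1 ]
}

# Render the --parameters argument from the parameter names listed in step 5.
build_parameters() {
  url="$1" token="$2" external_id="$3" rds_user="$4"
  printf 'ParameterKey=VezaApplicationUrl,ParameterValue=%s ' "$url"
  printf 'ParameterKey=VezaApiToken,ParameterValue=%s ' "$token"
  printf 'ParameterKey=VezaExternalId,ParameterValue=%s ' "$external_id"
  printf 'ParameterKey=VezaRDSUser,ParameterValue=%s ' "$rds_user"
  printf 'ParameterKey=RemoveVezaIntegrationOnDelete,ParameterValue=true'
}

# Create the StackSet in the Organization root account, then deploy one instance
# per account under the OU in the single chosen region (steps 6 and 7).
deploy_veza_stackset() {
  name="$1" ou_id="$2" regions="$3" params="$4"
  validate_single_region "$regions"
  # SERVICE_MANAGED deploys through AWS Organizations; managed execution is
  # switched off ("Managed execution: Inactive" in step 6), and the IAM
  # capability is the CLI form of the IAM Role disclaimer accepted in step 8.
  aws cloudformation create-stack-set --stack-set-name "$name" \
    --template-url "$TEMPLATE_URL" --permission-model SERVICE_MANAGED \
    --managed-execution Active=false --capabilities CAPABILITY_NAMED_IAM \
    --parameters $params
  aws cloudformation create-stack-instances --stack-set-name "$name" \
    --deployment-targets OrganizationalUnitIds="$ou_id" --regions $regions
}

# Example invocation (placeholders): uncomment once the values are real.
# P=$(build_parameters "https://example.vezacloud.com" "$VEZA_API_TOKEN" "$(uuidgen)" "veza_ro")
# deploy_veza_stackset "veza-aws-integration" "ou-xxxx-placeholder" "us-east-1" "$P"
```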

S3 Information

Veza CloudFormation scripts are hosted on AWS S3. You can either use the defaults provided below or host your own modified versions. If using a customized template, update the Amazon S3 URL with the URL of your customized version when creating the CloudFormation StackSet.

  • CloudFormation Template Link: https://veza-controltower.s3.amazonaws.com/veza-aws-org-member-account.yaml
