There are certain prerequisites that must be in place in your cloud accounts before they can be onboarded into CoreStack. In a nutshell, this means granting CoreStack the right access permissions to your cloud accounts.
For AWS Accounts, you will have to create an IAM Role for CoreStack with the necessary access permissions, based on whether you want Assessment-Only or Assessment + Governance to be performed for that account. CoreStack provides ready-made templates for this purpose, with the appropriate access permissions built in.
For Azure Subscriptions, you will have to create an App Registration for CoreStack and then assign that App an appropriate role, based on whether you want Assessment-Only or Assessment + Governance to be performed for that subscription.
There are certain prerequisites that need to be set up in your AWS accounts before they can be onboarded into CoreStack. This primarily involves creating an IAM Role for CoreStack and granting it the necessary access.
You can use IAM roles to delegate access to your AWS resources. With IAM roles, you establish a trust relationship between your account (the trusting account) and the CoreStack AWS account (the trusted account). The trusting account owns the resources to be accessed, and the trusted account contains the users who need access to those resources.
Note: IAM User (Access Key and Secret Key) based authentication is no longer supported. This is in compliance with the security standards and recommendations prescribed by AWS.
CoreStack uses the AWS Security Token Service (AWS STS) “AssumeRole” API operation. This operation returns temporary security credentials that grant access to AWS resources in your account.
Refer to this link for more information: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html
CoreStack simplifies this process by providing a CloudFormation Template that creates the IAM Role and assigns the necessary permissions automatically. Use the S3 URL that matches the type of access you wish to grant CoreStack.
S3 URL with Template for Assessment Only (Read-Only Access): Click here
Given below are the step-by-step instructions to set up the IAM Role.
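As an added example (not CoreStack's own template or code), the following Python renders an Assessment-Only role in the shape the template above creates and lints its trust policy for the two mistakes that matter most in cross-account access. The trusted account id and ExternalId are placeholders, and the sts:ExternalId condition is an assumed hardening rather than something the page states.

```python
"""Assessment-Only IAM role for a trusted third party, rendered as a CloudFormation template.
Added example, not CoreStack's template: TRUSTED_ACCOUNT_ID and EXTERNAL_ID are placeholders,
and the sts:ExternalId condition is an assumed hardening (AWS's standard confused-deputy fix)."""

TRUSTED_ACCOUNT_ID = "111111111111"  # placeholder: the trusted (CoreStack) AWS account id
EXTERNAL_ID = "replace-with-onboarding-external-id"  # placeholder shared secret for AssumeRole

def trust_policy(trusted_account: str, external_id: str) -> dict:
    """Only the trusted account may call sts:AssumeRole, and only when it presents the ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def assessment_only_template(trusted_account: str, external_id: str) -> dict:
    """CloudFormation template: one role with AWS-managed read-only policies and no write permissions
    (ReadOnlyAccess already covers s3:GetObject on the CUR bucket used for billing data)."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {"AssessmentRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": trust_policy(trusted_account, external_id),
                "ManagedPolicyArns": ["arn:aws:iam::aws:policy/ReadOnlyAccess",
                                      "arn:aws:iam::aws:policy/SecurityAudit"],
            },
        }},
        "Outputs": {"RoleArn": {"Value": {"Fn::GetAtt": ["AssessmentRole", "Arn"]}}},
    }

def trust_policy_findings(policy: dict) -> list:
    """Flag Allow statements that let more than the intended account assume the role."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("wildcard principal: any AWS account could assume this role")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("no sts:ExternalId condition: confused-deputy risk")
    return findings
```

Run trust_policy_findings against the AssumeRolePolicyDocument of any role you are asked to create for a vendor; an empty list means only the named account, presenting the agreed ExternalId, can assume it.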
Setting up Cost Reports
The Cost and Usage Report (CUR) must be enabled in your AWS account so that CoreStack can fetch the billing data from your account. This is required to provide Cost Visibility and Cost Analytics for your accounts. If you already have it enabled, you can skip the step below; just have ready the name of the S3 Bucket where AWS places the CUR files.
Note: AWS used to provide billing data only at the Management (Payer) Account level. Since Dec-2020, AWS provides billing data for Linked Accounts as well. If you have onboarded both your Master and Linked Accounts, CoreStack can fetch the billing data for all the linked accounts directly from the Management Account.
To set up the Cost and Usage Report, log in as the “Root User” to your Master (Payer) AWS account and complete the steps below.
Select Cost Allocation Tags
Stay in the Billing Dashboard and select “Cost Allocation Tags” from the Left Navigation Menu.
The recommended tags to activate are: Application, Environment, Cost Center, Owner. You can also add further tags as per your requirement.
Impact on your AWS Account
Since the access is read-only, CoreStack creates no resources or configurations in your AWS account. There is no resource or billing impact in this case.
Note: If you had enabled Cost & Usage Report specifically for CoreStack, the S3 Bucket will incur some minimal cost based on the size of the usage reports placed by AWS.
Read-Write Permissions (Assessment + Governance)
The following resources will be created based on your selection during onboarding:
Billing Impact due to CoreStack onboarding:
There could be additional charges based on the configuration done for your accounts after onboarding:
CoreStack uses the Daemon Application scenario with the Client Credentials flow as its OAuth 2.0 flow and grant type. The Client Credentials flow requires a valid App Registration to be created for a specific Azure subscription in order to allow access to the required Azure resources.
To onboard your subscription into CoreStack, you will need the following four values: Tenant ID, Application (Client) ID, Application Secret, and Subscription ID and Name. Instructions for retrieving them from your Azure subscription are provided below.
As you retrieve each of these values, keep them ready in a notepad so that you can copy and paste them into CoreStack while onboarding.
Step-1: Fetch Tenant ID
Log in to the Azure Portal (https://portal.azure.com) and open the Azure Active Directory service.
On its Overview page you will find the Tenant ID.
Click the copy icon to copy the Tenant ID to the clipboard and paste it into your notepad. Stay on the same page to continue with Step-2.
Step-2: Fetch Application ID
Within Azure Active Directory, look for “App Registrations” in the Left Navigation Menu. Alternatively, search for “App Registrations” directly in the search bar.
Create a new app registration, unless you already have an app that you intend to use for onboarding into CoreStack. Click “New registration” at the top to start.
Provide a Name for the App, such as “CoreStack.App”. You can leave the other options at their defaults (Supported account types can be Single Tenant and the Redirect URI can be blank).
Click the “Register” button below to complete the process.
Copy the Application (Client) ID and paste it into your notepad. The Directory (Tenant) ID is the same as the one you copied in Step-1.
Step-3: Fetch Application Secret
The Application Secret is the password or key that you need to provide for the app that was just created. You can create one from the same App page.
Look for “Certificates & Secrets” in the left menu while on the CoreStack.App page, and click it to open that blade.
Look for the “Client secrets” section in the right panel and click the “New client secret” button.
You can see that the secret has been added, with an expiry date and a key value. Copy the key value and keep it in your notepad (the value is only displayed at this point).
Step-4: Fetch Subscription
Navigate to the Subscriptions page by searching for it in the search bar at the top. You can also use the “Cost Management and Billing” option from the Left Navigation menu.
On the Subscriptions page, you will see the list of Subscriptions under the selected AD Tenant.
Copy the Subscription ID and the Subscription Name from here and keep them in your notepad. Stay on the same page to continue with Step-5.
Step-5: IAM Access for App
The app created in Step-2 must have the required access within the subscription that you plan to onboard into CoreStack. To grant this access, follow the steps below.
Within the Subscription page, look for “Access Control (IAM)” in the left menu and click it.
On the IAM page, click the “+ Add” option at the top and select “Add Role Assignment”.
Note: Contributor access is required for subscriptions that will be onboarded with the Assessment + Governance option. If you plan to use Assessment only, you can select the “Reader” role instead.
You are now all set to begin the onboarding process into CoreStack. Happy Onboarding!
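As an added example (not CoreStack code), the following Python shows what the five values above are used for: it builds the OAuth 2.0 client_credentials token request from the Tenant ID, Application ID and Application Secret, and checks a subscription's role-assignment listing so that the app holds exactly the Reader or Contributor role Step-5 calls for. The ids are placeholders and the role-assignment listing is a constructed sample in the shape Azure Resource Manager returns.

```python
"""Client-credentials (daemon app) token request and Step-5 role check for the app registration.
Added example, not CoreStack code: the ids below are placeholders and the role-assignment
listing is a constructed sample in the shape ARM returns, not a real tenant's data."""
import urllib.parse

ARM_SCOPE = "https://management.azure.com/.default"  # audience for Azure Resource Manager calls
# Azure built-in role definition ids; these GUIDs are the same in every tenant.
BUILTIN_ROLES = {
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
}

def token_request(tenant_id: str, client_id: str, client_secret: str):
    """URL and form body of the OAuth 2.0 client_credentials grant, built from the Step-1 to Step-3
    values; POSTing the body to the URL returns a JSON object whose access_token is the bearer token."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": ARM_SCOPE})
    return url, body

def assigned_roles(listing: dict, principal_id: str) -> list:
    """Built-in role names held by the app's service principal, read from a listing of
    GET /subscriptions/{id}/providers/Microsoft.Authorization/roleAssignments."""
    roles = []
    for assignment in listing.get("value", []):
        props = assignment["properties"]
        if props.get("principalId") != principal_id:
            continue
        guid = props["roleDefinitionId"].rsplit("/", 1)[-1].lower()
        roles.append(BUILTIN_ROLES.get(guid, "custom:" + guid))
    return roles

def access_verdict(roles: list, governance: bool) -> str:
    """Reader is enough for Assessment-Only, Contributor for Assessment + Governance; anything
    above the needed role is excess privilege. Custom roles rank 0 (conservatively 'missing')."""
    rank = {"Reader": 1, "Contributor": 2, "Owner": 3}
    needed = 2 if governance else 1
    held = max((rank.get(r, 0) for r in roles), default=0)
    if held < needed:
        return "missing"
    return "ok" if held == needed else "excessive"

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
APP_PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"  # placeholder object id of the app's SP
SAMPLE_LISTING = {"value": [{"properties": {  # constructed: one Reader assignment for the app
    "principalId": APP_PRINCIPAL_ID, "scope": f"/subscriptions/{SUBSCRIPTION_ID}",
    "roleDefinitionId": f"/subscriptions/{SUBSCRIPTION_ID}/providers/Microsoft.Authorization"
                        "/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"}}]}
```

The principal id to pass to assigned_roles is the object id of the app's service principal (shown under Enterprise applications), not the Application (Client) ID; an "excessive" verdict means the subscription grants the app more than the chosen onboarding option needs.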
CoreStack requires Contributor access to the following Service Providers; however, the account owner can restrict access to the specific services that will be managed through CoreStack.
The following table explains the need for access to each service, with the rationale:
Preferable: Access is not mandatory; however, some automation features will not function without it. You can exclude these for “Assessment-Only”.
Optional: Not mandatory; similar to Preferable, core features will continue to work, but some low-level actions will be affected. You can exclude these for “Assessment-Only”.
Mandatory: Non-negotiable; even to onboard an account with read-only permissions (“Assessment-Only”), this access is needed.
Impact on the Azure Subscription
If you intend to use CoreStack for remediation and automation as well, CoreStack creates resources and applies some configurations in Azure as part of those configurations.
Alert Rules and Alert Action:
Alert rules will be created when monitoring thresholds are configured as part of the Operations – Alerts module.
A new alert action will be added to the created rules to invoke the CoreStack notification webhook when a threshold alert is triggered.
CoreStack will create Policy Definitions and Assignments based on the GuardRails you choose to set up for your Azure Subscription.
CoreStack will enable the Free tier or Standard tier for resources based on the security configurations. (Enabling the Standard tier has cost implications; please exercise caution during configuration.)
Billing Impact due to CoreStack onboarding
There is no billing impact as such from configuring your account with CoreStack until certain services are consumed through CoreStack. The following are the few areas where there might be cost implications.