Pre-Onboarding

Pre-Onboarding (Prepare your Cloud Accounts)

Before a cloud account can be onboarded into CoreStack, a few prerequisites must be in place. In short, they all concern granting CoreStack the right access permissions to your cloud accounts.

For AWS accounts, you create an IAM role for CoreStack with the access permissions that match the mode you choose for that account: Assessment-Only or Assessment + Governance. CoreStack provides ready-made CloudFormation templates for this purpose, with the appropriate permissions built in.

For Azure subscriptions, you create an App Registration for CoreStack and then give that app the role assignment that matches the mode you choose for that subscription: Assessment-Only or Assessment + Governance.

AWS Accounts 

There are certain prerequisites that need to be set up in your AWS accounts before they can be onboarded into CoreStack. This is primarily about creating an IAM role for CoreStack and giving it the necessary access.

Authorize CoreStack to access your AWS Account 

You can use IAM roles to delegate access to your AWS resources. With IAM roles, you establish a trust relationship between your account (the trusting account) and the CoreStack account (the trusted account). The trusting account owns the resources to be accessed; the trusted account contains the identities that need access to them.

Note: IAM user (access key and secret key) based authentication is no longer supported. Long-lived access keys are replaced by role assumption, in line with the security standards and recommendations prescribed by AWS.

CoreStack uses the AWS Security Token Service (AWS STS) AssumeRole API operation. This operation returns temporary security credentials that grant access to the AWS resources in your account, so CoreStack never holds a long-lived credential for your account.

See the AWS documentation for details: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html

Required credentials:

  • Role ARN: the Amazon Resource Name (ARN) of the IAM role created for CoreStack.
  • External ID: a value agreed upon between you and the third-party account, placed in the role's trust policy so that only a caller presenting it can assume the role (this is how AWS addresses the confused-deputy problem). (Note: CoreStack issues a unique external ID for each customer. To get the ID for your account, please reach out to [email protected]. The support channel is available 24×7 and you can expect a response within 2 hours.)
  • Require MFA: a flag indicating whether the role's trust policy additionally requires multi-factor authentication (MFA) for the AssumeRole call.
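As an added illustration (not CoreStack's CloudFormation template or any AWS code), the following Python builds the trust policy that these three values describe and audits an existing trust policy for the two mistakes that matter most: a wildcard principal and a missing sts:ExternalId condition. The account ID and external ID are placeholders.

```python
"""Build the trust policy for the CoreStack IAM role and audit an existing one.

Added example, not CoreStack's template or AWS code. The account ID and the
external ID below are made-up placeholders: CoreStack support issues the real
external ID for your tenant.
"""
import json

CORESTACK_ACCOUNT_ID = "111111111111"   # placeholder for the trusted account
EXTERNAL_ID = "example-external-id"     # placeholder; use the ID from support


def _as_list(value):
    """Normalise IAM's 'string or list' fields to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def build_trust_policy(trusted_account_id, external_id, require_mfa):
    """Trust policy attached to the role in the trusting (your) account.

    - Principal pins one trusted account; no wildcard.
    - sts:ExternalId blocks the confused-deputy case: a caller that knows
      your Role ARN but not the external ID cannot assume the role.
    - aws:MultiFactorAuthPresent is added only when Require MFA is chosen.
    """
    condition = {"StringEquals": {"sts:ExternalId": external_id}}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": condition,
        }],
    }


def _assume_role_statements(policy):
    """Yield the Allow statements that grant sts:AssumeRole."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            yield stmt


def audit_trust_policy(policy):
    """Return a list of findings; an empty list means the policy is sound."""
    findings = []
    for stmt in _assume_role_statements(policy):
        principal = stmt.get("Principal")
        if isinstance(principal, str):
            principals = [principal]
        else:
            principals = _as_list((principal or {}).get("AWS"))
        if "*" in principals:
            findings.append("wildcard principal: any AWS account may call AssumeRole")
        cond = stmt.get("Condition", {})
        if not cond.get("StringEquals", {}).get("sts:ExternalId"):
            findings.append("no sts:ExternalId condition: confused-deputy exposure")
    return findings


def requires_mfa(policy):
    """True when every AssumeRole grant also demands an MFA-authenticated caller.

    This is the value to give the 'Require MFA' flag during onboarding.
    """
    stmts = list(_assume_role_statements(policy))
    return bool(stmts) and all(
        str(s.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent", "")).lower() == "true"
        for s in stmts
    )


if __name__ == "__main__":
    policy = build_trust_policy(CORESTACK_ACCOUNT_ID, EXTERNAL_ID, require_mfa=True)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy))
    print("Require MFA flag:", requires_mfa(policy))
```

Run the audit against the trust policy the stack created (IAM console, role, “Trust relationships”) before entering the Role ARN: a policy that passes with no findings, together with the value of requires_mfa, gives you exactly the three values the onboarding form asks for.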

CoreStack simplifies this process by providing a CloudFormation template that creates the IAM role and assigns the necessary permissions automatically. Use the S3 URL that matches the type of access you wish to grant CoreStack:

  • S3 URL with template for Assessment Only (read-only access): Click here
  • S3 URL with template for Assessment + Automation (read-write access): Click here

Review the template before creating the stack: the IAM policies it carries define exactly the access CoreStack will hold in your account.

Given below are the step-by-step instructions to set up the IAM role:

  1. Log in to your AWS account and navigate to “CloudFormation”.
  2. Click on “Create Stack” (with new resources).
    • Step-1: Choose “Template is ready” and “Amazon S3 URL”. In the URL field, paste the S3 URL above.

User Guide Step 1 Create Stack

    • Step-2: Provide a “Name” for the Stack and the “Role Name” to be created. The other fields can be left at their default values. However, if you do NOT want CoreStack to configure CFN, GuardDuty or Inspector for your AWS account, set the corresponding parameters to “false”. Click on Next.

User Guide Step 2 Provide a Name for the Stack

    • All fields in Step-3 are optional. You can leave them at their defaults or make changes as necessary, such as assigning tags or configuring notification options. Click on Next to proceed.
    • In Step-4, review all the information provided, scroll down to the end, tick the checkbox acknowledging that the template creates IAM resources, and then click on “Create stack”.

User Guide Step 4 Review Info

    • The stack creation process starts and the status shows “CREATE_IN_PROGRESS”.
       
      User Guide Step 5 Stack Creation Process
    • Move to the “Stack Info” tab to see the overview of the stack and its final status. Click on the “Refresh” icon at the right end to get the updated status. When creation has completed successfully, the status shows “CREATE_COMPLETE”.

      User Guide Step 6 Stack Info

    • Click on the “Outputs” tab to see the values created, including the Role ARN. Copy this information and keep it handy; it is what you enter to onboard the account into CoreStack.

      User Guide Step 7 Output

Setting up Cost Reports

A Cost and Usage Report (CUR) must be enabled in your AWS account so that CoreStack can fetch billing data from it. This is required for Cost Visibility and Cost Analytics. If you already have a CUR enabled, you can skip the steps below; just be ready with the name of the S3 bucket where AWS places the CUR files.

Note: AWS used to provide billing data only at the management (payer) account level. Since December 2020, AWS provides billing data for linked accounts as well. If you have onboarded both your management and linked accounts, CoreStack can fetch the billing data for all the linked accounts directly from the management account.

To set up the Cost and Usage Report, the steps below assume you log in as the “Root User” of your management (payer) AWS account. If your organisation restricts root usage, an IAM principal can do the same once the root user has activated IAM access to billing and the principal holds the cur:* permissions (and the S3 permissions needed for the bucket).

  1. Log in as Root User.
  2. Navigate to the Billing Dashboard.
  3. Select “Cost & Usage Reports” from the left navigation menu.
     User Guide Cost usage report
  4. Click on “Create report”.
     User Guide Create report
     Note: If you already have a report configured, you can still review the steps below to ensure you have all the settings right. Use the “Edit” option to make any changes.
  5. Enter the report details in the first step and click on Next. Ensure that the two checkboxes “Include Resource IDs” and “Automatically refresh...” are ticked.
     User Guide Report Content
  6. In the next screen for Delivery Options, select the following values:
    1. Report Path Prefix: optional field. Can be left blank; there is no impact if a prefix is provided.
    2. Time Granularity: Hourly
    3. Report Versioning: Create new report version
    4. Compression Type: GZIP
       User Guide GZIP
    5. The S3 bucket configuration has to be done before finishing this step:
      1. Click on Configure.
      2. If you already have a bucket with the appropriate permissions, you can select that. Otherwise create a bucket (this is recommended).
      3. AWS will create the new bucket and attach the necessary bucket policy.
         User Guide S3 Bucket
      4. Click on Next to see the policy to be applied. Review it: it should allow only the billing service principal to read the bucket configuration and write report objects into it. Tick the checkbox below and then Save to complete the process.
         User Guide Verify Policy
      5. You will see that the S3 bucket is now successfully configured.
         User Guide S3 Bucket Successful Configuration
    6. Click on Next to proceed to the next step.
  7. The last step is to review the values provided and complete the CUR configuration. Ensure the following are configured correctly, then click on Review and Complete.
    1. Time Granularity: Hourly
    2. Report Versioning: Create new report version
    3. Compression Type: GZIP
  8. You will now see that the report has been created successfully, and you can continue onboarding the account into CoreStack. It can take up to 24 hours before AWS places the first report (a CSV file in gzip format) in the S3 bucket; cost data will not be available in CoreStack until then.
  9. Stay on the same page for the next step.
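The bucket policy shown at the “Verify policy” step is what lets the billing service write into your bucket, and it is also the control that keeps everyone else out. The following added example (not AWS or CoreStack code) audits such a policy offline; the sample policy is constructed after the one the console offers, and the bucket name and account ID are placeholders. It is also useful for a pre-existing bucket you intend to reuse.

```python
"""Audit the S3 bucket policy on the bucket that receives the Cost and Usage
Report. Added example, not AWS or CoreStack code. The sample policy is
constructed after the one the Billing console offers to attach; the bucket
name and account ID are placeholders.
"""
import json

BILLING_SERVICE = "billingreports.amazonaws.com"
BUCKET = "example-cur-bucket"        # placeholder
ACCOUNT_ID = "123456789012"          # placeholder payer account

# Constructed sample, modelled on the policy the console shows at the
# "Verify policy" step: the billing service may read the bucket's ACL and
# policy and write report objects, and only on behalf of this account.
SAMPLE_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowBillingToReadBucketConfig",
            "Effect": "Allow",
            "Principal": {"Service": BILLING_SERVICE},
            "Action": ["s3:GetBucketAcl", "s3:GetBucketPolicy"],
            "Resource": f"arn:aws:s3:::{BUCKET}",
            "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT_ID}},
        },
        {
            "Sid": "AllowBillingToDeliverReports",
            "Effect": "Allow",
            "Principal": {"Service": BILLING_SERVICE},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT_ID}},
        },
    ],
}


def _as_list(value):
    """Normalise IAM's 'string or list' fields to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_cur_bucket_policy(policy, bucket, account_id):
    """Return findings; an empty list means the bucket is ready for CUR delivery."""
    findings = []
    billing_can_put = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        writes = any(a in ("s3:PutObject", "s3:*", "*") for a in actions)

        # Anonymous or any-account grants expose (or let someone tamper with) billing data.
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append(f"{sid}: grants {actions} to every AWS principal")
            continue

        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if BILLING_SERVICE in services:
            # Without aws:SourceAccount, any AWS account could point its own CUR
            # at this bucket and have the billing service write into it.
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get("aws:SourceAccount") != account_id:
                findings.append(f"{sid}: billing service grant lacks aws:SourceAccount == {account_id}")
            if writes and f"arn:aws:s3:::{bucket}/*" in resources:
                billing_can_put = True
        elif writes:
            findings.append(f"{sid}: non-billing principal {principal} can write objects")

    if not billing_can_put:
        findings.append(f"{BILLING_SERVICE} has no s3:PutObject on arn:aws:s3:::{bucket}/*; delivery will fail")
    return findings


if __name__ == "__main__":
    print(json.dumps(SAMPLE_POLICY, indent=2))
    print("findings:", audit_cur_bucket_policy(SAMPLE_POLICY, BUCKET, ACCOUNT_ID))
```

Feed it the policy from the bucket's Permissions tab (or the console's “Verify policy” screen) as parsed JSON. The check is deliberately strict about aws:SourceAccount because the billing service is a shared AWS principal; the condition is what ties its writes to your account alone.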


Select Cost Allocation Tags

Stay in the Billing Dashboard and select “Cost Allocation Tags” from the left navigation menu.

  1. Select the tags you want and click the Activate button.

User Guide Cost Allocation Tags

The recommended tags to activate are: Application, Environment, Cost Center and Owner. You can also activate additional tags as your requirements dictate. Activated tags can take up to 24 hours to appear in the billing data.

Impact on your AWS Account 

Read-Only Access (Assessment Only) 

Since the access is read-only, CoreStack creates no resources or configuration in your AWS account. There is no resource or billing impact in this case.

Note: If you had enabled Cost & Usage Report specifically for CoreStack, the S3 Bucket will incur some minimal cost based on the size of the usage reports placed by AWS. 

Read-Write Permissions (Assessment + Governance) 

The following resources will be created, based on your selections during onboarding:

  1. CloudTrail: CoreStack requires a trail to be available in each of your preferred AWS regions. You may select an existing trail or choose the option to create a new trail. New trails may attract additional charges.
    1. (Note: if the trail created is the first trail in the account, it is free of cost; if it is an additional trail, charges may apply.)
  2. S3 buckets: as part of the CloudTrail configuration, S3 buckets are also created in the respective AWS regions to collect the logs.
    1. If you chose to use an existing trail, no new buckets are created.
    2. If you chose to create a new trail, the corresponding S3 bucket is created and there will be an associated charge.
  3. CloudWatch alarms will be created for selected metrics of the various resource types supported by CoreStack. After onboarding, you will see the list of metrics for each resource type for which you can define monitoring thresholds and alerts.

Billing impact due to CoreStack onboarding:

There could be additional charges depending on the configuration done for your accounts after onboarding:

Configuration | Description | Billing Impact
--- | --- | ---
CloudTrail | Case-1: An existing trail is configured for CoreStack. | Case-1: Charges for the S3 bucket where the CloudTrail logs are stored. This is usually very minimal.
CloudTrail | Case-2: There are other trails that were created before/after onboarding your account to CoreStack. | Case-2: Charges for the S3 bucket where the CloudTrail logs are stored, plus management event charges for the second trail at $2.00 per 100,000 events.
CloudWatch Alarm | Standard resolution (60 sec) | $0.10 per alarm metric
CloudWatch Metric Data | GetMetricData: CoreStack fetches the metric data from AWS | $0.01 per 1,000 metrics requested

Azure Subscriptions

CoreStack uses the daemon application scenario with the OAuth 2.0 client credentials flow and grant type, as depicted here. The client credentials flow requires a valid app registration in your Azure AD tenant; the app's service principal is then given a role assignment on the specific Azure subscription to allow access to the required Azure resources.

To onboard your subscription into CoreStack, you will require the following values. Instructions for getting these four values from your Azure tenant and subscription are provided below.

  1. Tenant ID
  2. Application ID
  3. Application Secret
  4. Subscription Info

As you retrieve each of these values, keep them ready to copy-paste into CoreStack while onboarding. The application secret is a credential equivalent to a password: keep it in a password manager or secret store rather than a plain-text file, and delete any scratch copy once onboarding is complete.

Step-1: Fetch Tenant ID

Login to Azure Portal (https://portal.azure.com).

  1. Go to Azure Active Directory (now named Microsoft Entra ID in the portal). You can either select it from the left navigation menu or simply use the search bar at the top to search for it.

 

User Guide Azure Left Navigation Menu

Once the Azure Active Directory service is opened, you will find the Tenant ID in the overview page as shown below:

User Guide Azure Active Directory Tenant ID

You can click on the copy icon to copy the Tenant ID to clipboard and paste it into your notepad. Stay right on the same page to continue with Step-2

Step-2: Fetch Application ID

Now within the Azure Active Directory look for “App Registrations” in the Left Navigation Menu. Alternatively, you can also directly search for “App Registrations” in the search bar.

User Guide Azure Active Directory App Registrations

User Guide Azure Active Directory App Registrations Search

You need to create a new app registration, unless you already have an app that you intend to use for onboarding into CoreStack. Click on “New registration” at the top to start.

User Guide Azure Active Directory New App Registration

Provide a name for the app, such as “CoreStack.App”. You can leave the other options at their defaults (Supported account types: single tenant; Redirect URI: blank, since the client credentials flow has no interactive sign-in).

User Guide Azure Active Directory Register Application

Click on “Register” button below to complete the process.

  1. Once the App is created, select the app from the applications list to view the details as below

User Guide Azure Active Directory CoreStack App

Copy the Application (Client) ID and paste it into your notepad. The Directory (Tenant) ID is same as what you copied already in Step-1.

Step-3: Fetch Application Secret

Application Secret is the password or key that you need to provide for the specific app that was just created. You can create one from the same App page.

Look for “Certificates & Secrets” on the left menu while staying in the CoreStack.App page. Click on it to go to that blade.

User Guide CoreStack App Certificates & Secrets

Look for the section “Client secrets” in the right panel and click on the button “New client secret”

User Guide CoreStack App New Client Secret

  1. Provide a name or description and click on Add. You can leave the duration at the default value of 1 year; the secret can be revoked at any time later if required. Record the expiry date: when the secret expires CoreStack loses access to the subscription, so plan to create a new secret and update it in CoreStack before then.

User Guide CoreStack App Client Name

You can see that the secret has been added, with an expiry date and a key value. Copy the key value now and keep it in your notepad: the value is shown only at this point and cannot be retrieved later; if you lose it, you must create a new secret.

User Guide CoreStack App Client Details

Step-4: Fetch Subscription

Navigate to Subscriptions page by searching from the search bar at the top. You can also use the “Cost Management and Billing” option from the Left Navigation menu.

User Guide CoreStack App Subscriptions

Once at the Subscriptions page, you will see the list of Subscriptions under the selected AD Tenant

User Guide CoreStack App Subscriptions AD Tenant

  1. Select the subscription that you plan to onboard into CoreStack to load details about that Subscription. You will find the details of the subscription in the “Overview” page

User Guide CoreStack App Microsoft Partner Network

 

Copy the Subscription ID and the Subscription Name from here and keep them in your notepad. Stay right on the same page to continue with Step-5.

Step-5: IAM Access for App

The app that we created above in Step-2 must have the required access within the subscription that you plan to onboard into CoreStack. To provide the access, please follow the below steps.

Within the Subscription page, look for “Access Control (IAM)” on the left menu and click on it.

User Guide CoreStack App Microsoft Partner Network Access Control (IAM)

Once you are in the IAM page, click on “+ Add” option at the top and select “Add Role Assignment” option

User Guide CoreStack App Microsoft Partner Network Add Role Assignment

 

  1. You will see a right panel for Add role assignment. Start by selecting the Role from the dropdown. Select “Contributor”.

Note: Contributor access is required for subscriptions that will be onboarded with the Assessment + Governance option. If you plan to use Assessment only, select the “Reader” role instead; do not grant more than the mode needs.

User Guide CoreStack App Add Role Assignment Reader

  2. The next field, “Assign access to”, can remain at its default value “Azure AD user, group, or service principal”.
  3. In the user selection, search for the app name (in this example “CoreStack.App”) and click on it.

User Guide CoreStack App Role Assignment

  4. Click on Save to complete the process. Once saved, you will see the role assignment listed as below:

User Guide CoreStack App Role Assignment Save

  5. Repeat steps 1 to 4 above with the Role set to “Resource Policy Contributor”, everything else remaining the same. This is required only if you intend to use CoreStack to create policies for your Azure subscription.
  6. Once completed, you will see the role assignments as below:

User Guide CoreStack App Role Assignment Complete

You are now all set to begin the on-boarding process into CoreStack. Happy On-boarding!
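The following added example (not CoreStack's code) checks the result of Step-3 and Step-5 the way an auditor would: it compares the roles actually assigned to the app's service principal against the onboarding mode, and flags client secrets that have expired or are about to. The records are constructed; their field names follow the JSON returned by `az role assignment list` and `az ad app credential list`, which is an assumption, and all IDs are placeholders.

```python
"""Audit what the CoreStack app registration actually holds on a subscription
and whether its client secrets are close to expiry.

Added example, not CoreStack's code. The records below are constructed; their
field names follow the JSON that `az role assignment list` and
`az ad app credential list` return, and only the fields used here are assumed.
IDs are placeholders.
"""
from datetime import datetime, timedelta, timezone

APP_PRINCIPAL_ID = "00000000-0000-0000-0000-000000000001"  # service principal object ID (placeholder)
SUBSCRIPTION_ID = "11111111-2222-3333-4444-555555555555"   # placeholder
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)            # fixed "today" for the sample

# Roles the page asks for, per onboarding mode, and the one extra role that is
# only needed when CoreStack will create Azure Policy definitions.
REQUIRED_ROLES = {"assessment": {"Reader"}, "governance": {"Contributor"}}
OPTIONAL_ROLES = {"assessment": set(), "governance": {"Resource Policy Contributor"}}

# Constructed sample: the app has what governance needs, plus an Owner grant
# that nobody asked for; the Reader grant belongs to a different principal.
SAMPLE_ASSIGNMENTS = [
    {"principalId": APP_PRINCIPAL_ID, "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
    {"principalId": APP_PRINCIPAL_ID, "roleDefinitionName": "Resource Policy Contributor",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
    {"principalId": APP_PRINCIPAL_ID, "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
    {"principalId": "99999999-9999-9999-9999-999999999999", "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
]
SAMPLE_SECRETS = [
    {"keyId": "k1", "displayName": "corestack-2022", "endDateTime": "2023-01-01T00:00:00Z"},
    {"keyId": "k2", "displayName": "corestack-2023", "endDateTime": "2024-01-20T00:00:00Z"},
]


def audit_role_assignments(assignments, principal_id, subscription_id, mode):
    """Compare the roles the service principal holds on the subscription with
    what the chosen mode ("assessment" or "governance") needs.

    Returns a sorted list of findings; an empty list means the grant is
    exactly what the page asks for. Assignments inherited from a management
    group are not visible at subscription scope and are not considered here.
    """
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    held = {
        a["roleDefinitionName"]
        for a in assignments
        if a["principalId"] == principal_id and a["scope"].lower() in (sub_scope, "/")
    }
    findings = [f"missing required role: {r}" for r in sorted(REQUIRED_ROLES[mode] - held)]
    unexpected = held - REQUIRED_ROLES[mode] - OPTIONAL_ROLES[mode]
    findings += [f"unexpected role granted: {r}" for r in sorted(unexpected)]
    return findings


def secret_status(credentials, now=None, warn_days=30):
    """Map each client secret's keyId to 'expired', 'expiring' or 'ok'.

    An expired secret silently breaks CoreStack's access; an 'expiring' one
    is the cue to create a replacement and update it in CoreStack.
    """
    now = now or datetime.now(timezone.utc)
    report = {}
    for cred in credentials:
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        if end <= now:
            report[cred["keyId"]] = "expired"
        elif end - now <= timedelta(days=warn_days):
            report[cred["keyId"]] = "expiring"
        else:
            report[cred["keyId"]] = "ok"
    return report


if __name__ == "__main__":
    for mode in ("assessment", "governance"):
        print(mode, audit_role_assignments(SAMPLE_ASSIGNMENTS, APP_PRINCIPAL_ID, SUBSCRIPTION_ID, mode))
    print(secret_status(SAMPLE_SECRETS, now=NOW))
```

Run it periodically, not only at onboarding: role assignments drift as other administrators touch the subscription, and a secret created with the default 1-year duration expires quietly. The Owner grant in the sample is the kind of finding that matters most, since it exceeds even the Assessment + Governance mode.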

Why are these Permissions Required?

CoreStack requires Contributor access to the following resource providers; however, the account owner can restrict access to only the specific services that will be managed through CoreStack.

The following table explains the need for access to each service, with the rationale:

Azure Provider | Product/Category | Reader Access (For Discovery) | Contributor Access (For Actions) | Remarks
--- | --- | --- | --- | ---
Microsoft.Compute | Virtual Machines; Virtual Machine Scale Sets; Virtual Machine Sizes; Availability Sets; Image Publishers; Images; Disks | Preferred | Optional |
Microsoft.ContainerInstance | Container Groups | Preferred | Optional |
Microsoft.ContainerRegistry | Container Registry | Preferred | Optional |
Microsoft.ContainerService | Container Service; Kubernetes | Preferred | Optional |
Microsoft.Storage | Storage Accounts; Storage Snapshots | Mandatory | Mandatory |
Microsoft.RecoveryServices | Recovery Vault | Preferred | Optional |
Microsoft.Network | Route Tables; Network Security Groups; Virtual Networks; Public IP Addresses; Traffic Manager Profiles; Load Balancers; ExpressRoute; Application Gateway; Application Gateway Available SSL Policy | Preferred | Optional |
Microsoft.Sql | SQL | Preferred | Optional |
Microsoft.DBforPostgreSQL | PostgreSQL | Preferred | Optional |
Microsoft.DBforMySQL | MySQL | Preferred | Optional |
Microsoft.Web | Sites | Preferred | Optional |
Microsoft.ApiManagement | Service List | Mandatory | Mandatory | Auth validation
Microsoft.Logic | Logic Services | Preferred | Optional |
Microsoft.DataFactory | Data Factories | Preferred | Optional |
Microsoft.Commerce | Finance | Mandatory | Mandatory | Cost Analytics
Microsoft.OperationalInsights | Alerts; Utilization | Mandatory | Mandatory |
Microsoft.PolicyInsights (Resource Policy Contributor) | Policy Creation | Mandatory | Mandatory |
Microsoft.Authorization | Auth Service | Mandatory | Mandatory |
Microsoft.Insights | Metrics; Activity Logs | Mandatory | Mandatory |
Microsoft.AzureActiveDirectory | List Roles; List Users; Users Basic Profile | Mandatory | Mandatory | Only in case of SSO
Microsoft.Security | Azure Security Center; Azure Threat Management | Preferred | Optional |
Microsoft.DevTestLab | Auto Shutdown | Optional | Optional |
Microsoft.Billing | Auto Shutdown | Optional | Optional |
Azure Policy | | | |

Preferred: Access is not mandatory; however, some of the automation features will not function without it. You can exclude these for “Assessment-Only”.

Optional: Not mandatory; as with Preferred, core features continue to work, but some low-level actions will be affected. You can exclude these for “Assessment-Only”.

Mandatory: Non-negotiable; even to onboard an account with read-only permissions (“Assessment-Only”), this access is needed.

Impact on the Azure Subscription

If you intend to use CoreStack for remediation and automation as well, CoreStack creates resources and applies some configuration in Azure as part of those features.

Alert Rules and Alert Actions:

Alert rules are created when monitoring thresholds are configured as part of the Operations – Alerts module.

A new alert action is added to the created rules to invoke the CoreStack notification webhook when a threshold alert is triggered.

Azure Policy

CoreStack will create the Policy Definitions and Assignments based on the GuardRails you prefer to set-up for your Azure Subscription.

Security Centre

CoreStack enables the Free tier or Standard tier for resources based on the security configuration. (Enabling the Standard tier has cost implications; please exercise caution during configuration.)

Billing Impact due to CoreStack onboarding

There is no billing impact from configuring your account with CoreStack until certain services are consumed through CoreStack. The following are the areas where there may be cost implications.

Feature | Free Units Included | Price | CS Remarks
--- | --- | --- | ---
Alert Notifications | 100,000 web hooks per month | $0.60 per 1,000,000 web hooks |
Dynamic Thresholds | None | $0.10 per dynamic threshold per month | CoreStack does not create Dynamic Thresholds as part of account onboarding. However, you can configure them through an Operations template.
Azure Security Centre | Free Tier | Pricing varies per resource type. Please see here | Standard Tier, if opted for, will have a higher cost impact.
Monitoring Metrics | 10 monitored metric time-series per month | $0.10 per metric time-series monitored per month |