# AWS Organizations
AWS Organizations allows you to centrally manage and govern many AWS accounts. If you have only a few AWS accounts or do not use AWS Organizations, refer instead to the instructions for adding a single AWS account.
EASM supports AWS Organizations by continually discovering new AWS sub-accounts present in the Organization. If you have many sub-accounts in your Organization, integrating your cloud accounts at the Organization level will save time and ensure consistency. Adding a single AWS Organization adds all of its sub-accounts to your Attack Surface for monitoring.
# Role Creation for AWS Organizations
This guide provides instructions on how to use a CloudFormation template to upload policies to all sub-accounts in your AWS Organization. EASM customers with many sub-accounts can use this method to create roles and trust policies in their sub-accounts.
Before following these instructions to configure AWS sub-accounts, you must follow steps 1-13 on the single AWS integration page using a role name of "NetSPI-EASM-ExecutionRole" to add your AWS Organization root account manually. Save the externalId value for reuse during StackSet creation here.
Do not add the Organization root account in the EASM UI until you have completed all of the steps below to configure permissions in sub-accounts.
- Save the following CloudFormation template to a file, e.g., `netspi-easm-aws-organization.yaml`:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "
  StackSet template to create roles and permissions inside Organization sub-accounts
  necessary for the NetSPI EASM AWS Cloud Integration at the Organization level.
  "
Parameters:
  ExternalId:
    Type: String
    Description: "
      ExternalId to be used in the AssumeRolePolicyDocument. Reuse the externalId
      created when setting up permissions in the root Organization account.
      "
Resources:
  EASMExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: "NetSPI-EASM-ExecutionRole"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: "arn:aws:iam::339712971568:root"
            Action: "sts:AssumeRole"
            Condition:
              StringEquals:
                "sts:ExternalId": !Ref ExternalId
      Policies:
        - PolicyName: "NetSpiEASMPermissionPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "ec2:DescribeAddresses"
                  - "ec2:DescribeInstances"
                  - "ec2:DescribeRegions"
                  - "ec2:DescribeNetworkInterfaces"
                  - "ec2:DescribeVpcPeeringConnections"
                  - "ec2:DescribeVpcEndpoints"
                  - "ec2:DescribeVpcEndpointServices"
                  - "appsync:ListDomainNames"
                  - "appsync:ListGraphqlApis"
                  - "cloudfront:ListDistributions"
                  - "eks:ListClusters"
                  - "elasticbeanstalk:DescribeEnvironments"
                  - "elasticloadbalancing:DescribeLoadBalancers"
                  - "es:ListDomainNames"
                  - "kafka:DescribeCluster"
                  - "kafka:ListClusters"
                  - "lightsail:GetInstances"
                  - "lightsail:GetLoadBalancers"
                  - "rds:DescribeDBClusterEndpoints"
                  - "rds:DescribeDBClusters"
                  - "rds:DescribeDBInstances"
                  - "rds:DescribeDBProxies"
                  - "rds:DescribeDBProxyEndpoints"
                  - "redshift:DescribeClusters"
                  - "route53:ListHostedZones"
                  - "route53:ListResourceRecordSets"
                  - "route53:ListTagsForResource"
                  - "route53domains:ListDomains"
                  - "route53domains:GetDomainDetail"
                  - "s3:ListAllMyBuckets"
                  - "s3:GetBucketPolicy"
                  - "s3:GetBucketAcl"
                  - "organizations:ListAccounts"
                Resource: "*"
```
- In the AWS console for your Organization account, navigate to CloudFormation > StackSets.
- Select "Create StackSet".
- Select "Service-managed permissions", "Template is ready", and "Upload a template file", selecting the file saved in step 1.
- Reuse the `externalId` value created in the Single Account AWS Integration steps used for the AWS Organization.
- Proceed with StackSet creation and select "Submit".
- Once the StackSet has successfully been deployed, go into an AWS sub-account console and confirm that the role name created is identical to "NetSPI-EASM-ExecutionRole".
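A post-deployment check for that sub-account role, added here as an example and not part of the NetSPI documentation: it inspects the JSON returned by `aws iam get-role` and `aws iam get-role-policy` (a constructed sample is embedded) and flags a trust policy that names a principal other than the EASM account, omits the `sts:ExternalId` condition, or carries an ExternalId different from the one given to EASM, plus any inline action that is not a read-only Describe/List/Get call. The EASM account ARN is the one in the template; `EXAMPLE-EXTERNAL-ID` and the read-only verb list are assumptions.

```python
import json

# Principal from the StackSet template; the ExternalId is whatever was generated
# during the single-account setup (placeholder below, constructed for this example).
EASM_ACCOUNT_ARN = "arn:aws:iam::339712971568:root"
READ_ONLY_PREFIXES = ("Describe", "List", "Get")  # assumption: the only verbs EASM needs


def _as_list(value):
    """IAM documents allow either a string or a list in Principal/Action fields."""
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy_findings(trust_doc, expected_external_id):
    """Problems with an AssumeRolePolicyDocument (empty list means it matches the template)."""
    findings = []
    for stmt in trust_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in _as_list(aws):
            if p != EASM_ACCOUNT_ARN:
                findings.append(f"unexpected principal {p}")
        # The sts:ExternalId condition is the confused-deputy control: without it any
        # caller in the trusted account could be induced to assume this role.
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("missing sts:ExternalId condition")
        elif ext != expected_external_id:
            findings.append("sts:ExternalId differs from the value given to EASM")
    return findings


def non_read_only_actions(policy_doc):
    """Actions in an inline policy whose verb is not Describe/List/Get."""
    return [a for stmt in policy_doc.get("Statement", [])
            for a in _as_list(stmt.get("Action"))
            if not a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)]


# Constructed sample shaped like `aws iam get-role --role-name NetSPI-EASM-ExecutionRole`.
SAMPLE_GET_ROLE = json.loads("""{"Role": {"RoleName": "NetSPI-EASM-ExecutionRole",
 "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
 "Principal": {"AWS": "arn:aws:iam::339712971568:root"}, "Action": "sts:AssumeRole",
 "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}}}""")

if __name__ == "__main__":
    doc = SAMPLE_GET_ROLE["Role"]["AssumeRolePolicyDocument"]
    print(trust_policy_findings(doc, "EXAMPLE-EXTERNAL-ID"))  # [] when the role matches
```

Run it against real output by replacing the sample with `json.load(open("get-role.json"))`, and feed `non_read_only_actions` the `PolicyDocument` from `aws iam get-role-policy --policy-name NetSpiEASMPermissionPolicy`.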
# Add Organization account to the NetSPI Platform
- Log in to the NetSPI Platform.
- Select or hover over EASM in the left navigation and select Assets to display the Assets page.
- Select Cloud Account from the Assets list on the left side of the page and then select the Add Asset button.
- Select the "Cloud" tab in the "Add Asset" side panel.
- Provide a logical name for the account and select "Amazon Web Services" as the Cloud Provider.
- The "External ID" field is the same `externalId` value used as the ExternalId parameter in the StackSet creation process.
- The "Role ARN" value will be the role ARN created in the Organization account by the StackSet.
- Toggle the "AWS Organization Root Account" switch to true.
- Select the Add button.
- After a successful request, you should see your AWS Organization account present in the "Cloud Account" table.
- A discovery scan will begin that pulls in all AWS sub-accounts present inside the Organization. This scan can last up to 15 minutes and will run every 24 hours.