As a cloud administrator or a cloud account owner, you can onboard all AWS member accounts under an AWS organization by providing an IAM role in the AWS management account that has the security audit policy attached. Carbon Black Cloud assumes that role to retrieve the AWS member accounts and lists them in the console.

Prerequisites

  • Make sure that you have the AWS management account ID available. For details, see Viewing details of an account.
  • Make sure that you have the IAM role ARN of the AWS account available. You can access the Role ARN from the role's Summary page in the AWS Management Console.
  • Make sure that you can set up the AWS services for the accounts that must onboard to Carbon Black Cloud. For details, see Enable AWS Services.
  • Have the AWS management account credentials available. This account is part of an organization managed by the AWS Organizations Service. For details, see What is AWS Organizations?.
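The prerequisites above can be verified from the AWS CLI before you start the procedure. The following added example is not Carbon Black Cloud's onboarding script or any AWS-provided code; it reads the JSON that `aws sts get-caller-identity`, `aws organizations describe-organization`, `aws iam get-role`, `aws iam list-attached-role-policies` and `aws organizations list-accounts` return and checks that the credentials in use belong to the organization's management account, that the role ARN lives in that account, that the AWS-managed SecurityAudit policy is attached, and that the role's trust policy does not let any principal assume it. The role name `cbc-audit`, the account IDs and the sample responses are constructed for illustration; run it without arguments to check the sample data offline, or with a role name to query your own account (the AWS CLI is assumed to be installed and configured).

```python
"""Pre-flight checks for onboarding AWS member accounts into Carbon Black Cloud.
Added example, not Carbon Black's or AWS's own code. All sample data below is constructed."""
import json
import subprocess
import sys

SECURITY_AUDIT_ARN = "arn:aws:iam::aws:policy/SecurityAudit"  # AWS-managed policy


def account_id_from_arn(arn):
    """Return the 12-digit account field of an IAM ARN, or None if it is malformed."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[0] != "arn" or parts[2] != "iam":
        return None
    return parts[4] or None


def trust_policy_allows_any_principal(doc):
    """True if an Allow statement granting sts:AssumeRole names Principal '*' (or AWS '*')."""
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict):
            aws_principals = principal.get("AWS", [])
            aws_principals = [aws_principals] if isinstance(aws_principals, str) else aws_principals
            if "*" in aws_principals:
                return True
    return False


def precheck(caller, org, role, attached):
    """Evaluate the CLI responses; return (ok, list of findings)."""
    findings = []
    mgmt = org["Organization"]["MasterAccountId"]
    if caller["Account"] != mgmt:  # scripts must run with management account credentials
        findings.append(f"credentials belong to {caller['Account']}, not management account {mgmt}")
    role_acct = account_id_from_arn(role["Role"]["Arn"])
    if role_acct != mgmt:
        findings.append(f"role ARN account {role_acct} is not the management account {mgmt}")
    if not any(p["PolicyArn"] == SECURITY_AUDIT_ARN for p in attached["AttachedPolicies"]):
        findings.append("SecurityAudit policy is not attached to the role")
    if trust_policy_allows_any_principal(role["Role"]["AssumeRolePolicyDocument"]):
        findings.append("trust policy lets any principal assume the role")
    return (not findings, findings)


def member_accounts(accounts, mgmt_id):
    """ACTIVE accounts other than the management account: what the console should discover."""
    return sorted(a["Id"] for a in accounts["Accounts"]
                  if a["Status"] == "ACTIVE" and a["Id"] != mgmt_id)


def aws(*args):
    """Run an AWS CLI command and parse its JSON output (live mode only)."""
    return json.loads(subprocess.check_output(["aws", *args, "--output", "json"]))


# Constructed sample responses in the AWS CLI JSON shapes; the IDs are not real accounts.
SAMPLE = {
    "caller": {"UserId": "AIDAEXAMPLE", "Account": "111111111111",
               "Arn": "arn:aws:iam::111111111111:user/admin"},
    "org": {"Organization": {"Id": "o-example", "MasterAccountId": "111111111111"}},
    "role": {"Role": {"RoleName": "cbc-audit", "Arn": "arn:aws:iam::111111111111:role/cbc-audit",
                      "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                          {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
                           "Action": "sts:AssumeRole"}]}}},
    "attached": {"AttachedPolicies": [{"PolicyName": "SecurityAudit", "PolicyArn": SECURITY_AUDIT_ARN}]},
    "accounts": {"Accounts": [
        {"Id": "111111111111", "Name": "management", "Status": "ACTIVE"},
        {"Id": "333333333333", "Name": "prod", "Status": "ACTIVE"},
        {"Id": "444444444444", "Name": "closed", "Status": "SUSPENDED"}]},
}


def main(role_name=None):
    """Check the sample data, or the live account when a role name is given; return True if all pass."""
    if role_name:
        data = {"caller": aws("sts", "get-caller-identity"),
                "org": aws("organizations", "describe-organization"),
                "role": aws("iam", "get-role", "--role-name", role_name),
                "attached": aws("iam", "list-attached-role-policies", "--role-name", role_name),
                "accounts": aws("organizations", "list-accounts")}
    else:
        data = SAMPLE
    ok, findings = precheck(data["caller"], data["org"], data["role"], data["attached"])
    for finding in findings:
        print("FAIL:", finding)
    mgmt = data["org"]["Organization"]["MasterAccountId"]
    print("member accounts the console should discover:", member_accounts(data["accounts"], mgmt))
    return ok


if __name__ == "__main__":
    sys.exit(0 if main(sys.argv[1] if len(sys.argv) > 1 else None) else 1)
```

The list printed at the end is the set of accounts you should expect to see in step 4 of the procedure; a mismatch usually means the credentials or role belong to a different account than the organization's management account, which the first two checks report directly.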

Procedure

  1. On the left navigation pane, go to Settings > Public Cloud Accounts.
  2. On the Public Cloud Accounts page, click Add Account.
    The Add Public Cloud Account window displays.
  3. Select AWS under Cloud Provider and select Organization (multi-accounts) under Method. Click Next.
  4. Populate all required fields for the AWS account details and the account connectivity credential attributes and click Next.
    The Carbon Black Cloud console lists all the discovered member accounts associated with the AWS management account.
  5. Use the search text box to narrow the results and select the accounts to onboard. Click Next.
    The list shows the AWS member accounts that you can onboard into your organization.
  6. To enable AWS services monitoring on the Event Stream page:
    1. Copy the command for executing the scripts, which onboard the selected AWS accounts and set up the trust relationship.
    2. Copy the command for setting up the event stream mechanism, which provides real-time updates for your monitored AWS public cloud accounts.
    The console displays the two commands, with sample values, that you use to onboard the AWS member accounts into your organization and set up monitoring for these accounts.
  7. Run the scripts in the AWS CLI of the management account.
    You must execute the scripts using the management account credentials.
    Note: You can run the scripts before or after selecting the Add Account button.
  8. To save the account information and connect to the AWS management account, click Add Account.

Results

The newly added AWS accounts display at the top of the list of accounts on the Public Cloud Accounts page. Refresh the page to see the status change from In Progress to Active after validation completes. All EC2 instances that are associated with these accounts are available at Inventory > Public Cloud > AWS.

What to do next

Onboard additional member accounts in your organization. See Add Member Accounts.