Prerequisites
- A Saner CNAPP account with one of the admin roles that can perform the onboarding: Main Admin, Organization Admin, or Account Admin
- The Saner CNAPP account into which the AWS account is onboarded. A demo account is used for illustration
- An AWS account with admin access, or a user with permissions to create CloudFormation stacks, create roles, and manage policies
- Access to AWS IAM (Identity and Access Management)
- Unique names for the roles and policies you create: IAM rejects a role or policy whose name already exists in the account
Setup
Step1: Log in to the Saner CNAPP platform
Step2: Click “Control Panel” and select the account you need to onboard. The “AWS Demo” account is used as the example.
Available Integration Methods
There are three ways to connect your AWS account with Saner CNAPP, listed in order of recommendation:
- AWS Role CloudFormation (Automatic) – Recommended
  - Fastest and most secure method: Saner uses an IAM role rather than stored credentials
  - Automatically sets up all required permissions
  - Minimal manual configuration needed
- AWS Role (Manual)
  - Secure method with more control
  - Requires manual setup of permissions
  - Good for organizations with strict security policies
- AWS Access Keys – Least Recommended
  - Uses long-lived access key credentials
  - Higher security risk: a leaked key works from anywhere until it is deactivated or rotated
  - Requires manual key management
Method 3: AWS Credentials (Least Recommended Method)
Step1: In Saner, click “Cloud Deployment”
Step2: Select “AWS Credentials,” as shown in the image below. Ensure you are in the correct region, or switch to the required region.
Step3: Log in to your AWS account and ensure you are in the correct region, or switch to the required region
Step4: To onboard the AWS account, you need the AWS Account ID, AWS Access Key ID, and AWS Secret Access Key, as shown in the image (refer to step 3)
AWS Remediation Policy Creation
Step5: Navigate to “IAM” and click on “Policies” under “Access Management,” as shown in the following image
Step6: Click on “Create Policy” and select “JSON,” that opens the “Policy Editor,” as shown in the following image
Step7: Download the policy from this link: “link.” Open the JSON file and review its statements before use; this is a remediation policy, so it grants write permissions in your account. Copy its contents into the “Policy Editor,” then click “Next”
Step8: Enter the “Policy Name” as “Saner-CNAPP-Remediation-Policy” and provide the description, as shown in the following image
Step9: Add a new tag if necessary, then click “Create Policy.” Once the policy is successfully created, copy the “Policy Name” for future use.
AWS Saner CNAPP IAM User Creation
Step10: Navigate to “IAM,” click on “Users” under “Access Management,” and then click on “Create User,” as shown in the following image
Step11: Enter the “User Name” (e.g., “Saner-CNAPP-AWS-IAM-User”) and click “Next,” as shown in the following image
Step12: Search for and select the “ReadOnlyAccess” AWS managed policy, as shown in the following image
Step13: Search for and select the remediation policy “Saner-CNAPP-Remediation-Policy” that was created in the previous steps, as shown in the following image, and click “Next.”
Step14: Review the details, as shown in the image below, and click “Create User.”
Step15: After the user is successfully created, search for and select the user “Saner-CNAPP-AWS-IAM-User”
AWS Access Key Creation
Step16: Verify the details and click on “Create Access Key,” as shown in the following image:
Step17: Select “Third-party service,” check the box confirming the creation of the access key, and click “Next,” as shown in the following image:
Step18: Click on “Create Access Key” to generate the AWS access key, as shown in the following image
Step19: Once the access key is created, copy the “Access Key” and “Secret Access Key” for future use. The secret access key is shown only once; if it is lost, you must create a new key. Download the access key details and store them in a safe place, as shown in the following image. After copying the access keys, click “Done” to complete the process.
Note: Make sure to read the “Access Key Best Practices” and follow the instructions.
Step20: Navigate to the created user “Saner-CNAPP-AWS-IAM-User” and verify all the details, as shown in the following image:
Step21: Navigate to the Saner Cloud Deployment page, enter the “Cloud Account ID,” “AWS Access Key ID,” “AWS Secret Access Key” and “Region” as applicable. Verify all the details and click the “Onboard” button, as shown in the following image:
If you do not choose any region, the system considers all regions automatically for scanning.
Step22: You have now completed the AWS Credentials Onboarding.
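The console steps above (Steps 5 to 21) can also be scripted. The following Python (boto3) script is an added example and not Saner's own code: it loads the downloaded remediation policy, flags over-broad statements before anything is created, then creates the policy, the user, the two policy attachments and one access key, failing early with the page's guidance when a name already exists. The audit heuristics, the command-line path argument and the output file saner-access-key.json are this example's assumptions; the policy content itself must be the JSON file downloaded from Saner, and AWS credentials and region come from the usual AWS CLI environment.

```python
"""Scripted equivalent of the AWS Credentials console steps.

Added example, not Saner's code. Assumptions: the remediation policy is the JSON
file downloaded from Saner (path given on the command line), and the resulting
key is written to saner-access-key.json with mode 0600.
"""
import json
import os
import sys

READ_ONLY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"  # AWS managed policy from Step12


def load_policy_document(path):
    """Parse the downloaded policy and check it has the shape of an IAM policy."""
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    if doc.get("Version") != "2012-10-17" or not isinstance(doc.get("Statement"), list):
        raise ValueError(f"{path}: not an IAM policy document")
    return doc


def audit_policy(doc):
    """Return findings for Allow statements broader than a remediation policy needs.

    Heuristics (assumed here, not Saner's): Action '*', NotAction, and IAM actions
    on every resource each deserve a look before the policy is pasted into the editor.
    """
    findings = []
    for i, st in enumerate(doc["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:
            findings.append(f"statement {i}: NotAction allows everything except the listed actions")
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions:
            findings.append(f"statement {i}: Action '*' grants every API call")
        elif "*" in resources and any(a.lower().startswith("iam:") for a in actions):
            findings.append(f"statement {i}: IAM actions on Resource '*' allow privilege escalation")
    return findings


def create_saner_user(iam, policy_doc, user_name="Saner-CNAPP-AWS-IAM-User",
                      policy_name="Saner-CNAPP-Remediation-Policy"):
    """Steps 5-19: create the policy and user, attach both policies, issue one key."""
    try:
        policy_arn = iam.create_policy(
            PolicyName=policy_name,
            PolicyDocument=json.dumps(policy_doc),
            Description="Saner CNAPP remediation permissions",
        )["Policy"]["Arn"]
        iam.create_user(UserName=user_name)
    except iam.exceptions.EntityAlreadyExistsException as exc:
        # Names must be unique in the account: pick new ones or remove what a
        # failed attempt left behind before retrying.
        raise RuntimeError(f"{exc}: use unique names or clean up the previous attempt") from exc
    for arn in (READ_ONLY_ARN, policy_arn):
        iam.attach_user_policy(UserName=user_name, PolicyArn=arn)
    key = iam.create_access_key(UserName=user_name)["AccessKey"]
    return {"PolicyArn": policy_arn, "UserName": user_name,
            "AccessKeyId": key["AccessKeyId"], "SecretAccessKey": key["SecretAccessKey"]}


def main(argv):
    import boto3  # imported here so the helpers stay importable without boto3
    if len(argv) != 2:
        print(f"usage: {argv[0]} Saner-CNAPP-Remediation-Policy.json", file=sys.stderr)
        return 2
    doc = load_policy_document(argv[1])
    for finding in audit_policy(doc):
        print("WARNING:", finding, file=sys.stderr)
    result = create_saner_user(boto3.client("iam"), doc)
    # The secret is shown by AWS only once: keep it out of the terminal and
    # refuse to overwrite an existing key file.
    out_path = "saner-access-key.json"
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(result, fh, indent=2)
    print(f"created {result['UserName']} with {result['PolicyArn']}; "
          f"key {result['AccessKeyId']} saved to {out_path}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python onboard_saner_user.py Saner-CNAPP-Remediation-Policy.json` with an identity that can create IAM users and policies. The secret never reaches stdout; copy it from the 0600 file into the Saner “AWS Secret Access Key” field and delete the file afterwards.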
The Scan Configuration page opens automatically for you to make the necessary settings to initiate the scan. You have an option to:
- Update one or more regions by selecting from the drop-down list. Note that if you do not choose any region, then the system considers all the regions automatically for scanning.
- Validate credentials (Test Credentials button) to prevent scan failures due to authentication issues
- Setup the Scan Schedule run as needed
- Start the scan or Pause the scan and then resume it from the point where it was paused
Best Practices
- Regularly review and audit access permissions
- Monitor CloudFormation stack status
- Keep access keys secure and rotate them regularly
- Document any custom configurations
- Regularly verify integration status
Troubleshooting Guide
If you encounter any issues during the onboarding or deployment process, follow these steps to diagnose and resolve them efficiently:
Step1: Verify All Permissions Are Correctly Set
Ensure that the necessary IAM permissions are granted for the user or role performing the deployment. Missing or insufficient permissions may cause failures during onboarding.
- Check IAM role and policy assignments
- Ensure the user has administrative privileges or the required set of permissions
- Confirm that AWS services involved in the deployment have the necessary permissions
Step2: Clean Up Previous Failed Onboarding Attempts
If you are retrying the onboarding process due to a previous failure, make sure all remnants of the prior attempt are removed before trying again.
- Delete any incomplete AWS CloudFormation stacks
- Remove any IAM roles or policies that may have been created in the failed attempt
- Ensure there are no residual configurations that could cause conflicts in a new attempt
Step3: Verify Deployment in the Correct AWS Region
AWS services are region-specific, and deploying in an incorrect region can lead to failures.
- Double-check that you are operating in the intended AWS region
- Verify the selected region in the AWS Management Console or CLI
- Ensure that all required AWS resources are available in that region
Step4: Confirm Required Policies Are Attached to the User
The onboarding process requires the user executing the deployment to have the correct IAM policies assigned. The required privileges include:
- AWS CloudFormation Execution – Ability to create, update, and delete CloudFormation stacks
- IAM Role and Policy Creation – Permissions to create and manage IAM roles and policies
- Lambda Execution – Permissions to deploy and execute AWS Lambda functions, which call back to the Saner server to acknowledge successful onboarding
- Service-Specific Permissions – Depending on the services being scanned, additional permissions may be needed (for example, reading S3, EC2 and Security Group configuration, or patching permissions such as create, update or delete). With the CloudFormation method this policy is created automatically; with the manual method it is created in the role and policy creation steps
Use the AWS IAM Console or AWS CLI to confirm that the logged-in user has the required permissions before proceeding.
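One way to do that confirmation from the CLI, as an added example that is not Saner's tooling: ask IAM's own policy simulator whether the identity you are logged in as is allowed each action the onboarding needs. The action names below are this example's assumptions drawn from the categories listed in Step4 (extend them to match the template or policy you actually deploy); the simulator reflects SCPs, permissions boundaries and explicit denies, which a manual read of the attached policies would miss. The check itself requires iam:SimulatePrincipalPolicy on the principal being checked.

```python
"""Pre-flight permission check for the onboarding identity (added example).

Uses boto3's SimulatePrincipalPolicy. REQUIRED_ACTIONS is an assumed list
derived from the privilege categories in the troubleshooting guide.
"""
import sys

REQUIRED_ACTIONS = [
    "cloudformation:CreateStack", "cloudformation:UpdateStack", "cloudformation:DeleteStack",
    "iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "lambda:CreateFunction", "lambda:InvokeFunction",
]


def principal_arn_for_simulation(caller_arn):
    """Map an STS caller ARN to the IAM principal ARN the simulator accepts.

    get-caller-identity returns arn:aws:sts::<acct>:assumed-role/<role>/<session>
    for role sessions, but SimulatePrincipalPolicy wants
    arn:aws:iam::<acct>:role/<role>. IAM user ARNs pass through unchanged.
    """
    parts = caller_arn.split(":", 5)
    if len(parts) != 6:
        raise ValueError(f"unexpected ARN: {caller_arn}")
    account, resource = parts[4], parts[5]
    if resource.startswith("assumed-role/"):
        role_name = resource.split("/")[1]
        return f"arn:aws:iam::{account}:role/{role_name}"
    if resource.startswith("user/"):
        return caller_arn
    raise ValueError(f"cannot simulate for principal type in {caller_arn}")


def missing_permissions(iam, principal_arn, actions=REQUIRED_ACTIONS):
    """Return {action: decision} for every action the principal is NOT allowed.

    Follows the Marker-based pagination of SimulatePrincipalPolicy so that a
    long action list is never silently truncated.
    """
    denied = {}
    kwargs = {"PolicySourceArn": principal_arn, "ActionNames": list(actions)}
    while True:
        page = iam.simulate_principal_policy(**kwargs)
        for result in page["EvaluationResults"]:
            if result["EvalDecision"] != "allowed":
                denied[result["EvalActionName"]] = result["EvalDecision"]
        if not page.get("IsTruncated"):
            return denied
        kwargs["Marker"] = page["Marker"]


def main():
    import boto3  # local import keeps the helpers importable without boto3
    sts, iam = boto3.client("sts"), boto3.client("iam")
    principal = principal_arn_for_simulation(sts.get_caller_identity()["Arn"])
    denied = missing_permissions(iam, principal)
    if not denied:
        print(f"{principal}: all {len(REQUIRED_ACTIONS)} onboarding actions allowed")
        return 0
    for action, decision in sorted(denied.items()):
        print(f"MISSING {action} ({decision})")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit means at least one required action is denied; an "explicitDeny" usually points at an SCP or boundary that an account-level policy change will not fix. Note that the root user cannot be simulated this way, and a resource-scoped check (e.g. a specific role ARN) needs ResourceArns added to the call.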
Step5: Contact Support if Issues Persist
If you have verified the above steps and are still facing issues, reach out to the support team for assistance.
- Provide detailed logs and error messages
- Mention the AWS services and region you are working with
- Describe the steps already taken for troubleshooting