Prerequisites
- A Saner CNAPP user account with one of the following admin roles, any of which can perform the onboarding: Main Admin, Organization Admin, or Account Admin
- A Saner CNAPP account where the AWS account will be onboarded. In this case, we have used the “AWS Demo” account for illustration
- An AWS account with admin access, or a user with permissions for CloudFormation stack creation, role creation, and policy management, is required
- Access to AWS IAM (Identity and Access Management)
Step1: In Saner, click on “Cloud Deployment”
Step2: Select “AWS Credentials,” as shown in the image below
Ensure you are in the correct region or switch to the required region

Step3: Log in to your AWS account and ensure you are in the correct region, or switch to the required region
Step4: To onboard the AWS account, you need the AWS Account ID, AWS Access Key ID, and AWS Secret Access Key, as shown in the image above
AWS Remediation Policy Creation
Step5: Navigate to “IAM” and click on “Policies” under “Access Management,” as shown in the image below

Step6: Click on “Create Policy” and select “JSON,” which opens the “Policy Editor,” as shown in the image below

Step7: Click here to download the policy. Open the JSON file, copy its contents, and paste the policy into the “Policy Editor,” then click “Next.”
Step8: Enter the “Policy Name” as “Saner-CNAPP-Remediation-Policy” and provide the description, as shown in the image below

Step9: Add a new tag if necessary, then click “Create Policy.” Once the policy is successfully created, copy the “Policy Name” for future use.
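
Before pasting the downloaded JSON into the Policy Editor in Step7, it is worth reviewing what the remediation policy allows, because it ends up attached to a user with long-lived access keys. The Python sketch below is an added example, not Saner's or AWS's code; the sample policy, the SENSITIVE_SERVICES list, and the function names are constructed for illustration.

```python
import json

# Constructed sample policy for illustration; NOT the Saner remediation policy.
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "StopInstances", "Effect": "Allow",
     "Action": ["ec2:StopInstances", "ec2:ModifyInstanceAttribute"],
     "Resource": "*"},
    {"Sid": "IamEverything", "Effect": "Allow",
     "Action": "iam:*", "Resource": "*"},
    {"Sid": "DenyDeleteTrail", "Effect": "Deny",
     "Action": "cloudtrail:DeleteTrail", "Resource": "*"}
  ]
}
"""

# Assumed list: services where write access enables privilege escalation or log tampering.
SENSITIVE_SERVICES = {"iam", "sts", "kms", "organizations", "cloudtrail"}
READ_PREFIXES = ("Get", "List", "Describe")  # already covered by ReadOnlyAccess

def as_list(value):
    """IAM allows a string or a list for Action/Resource; normalize to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def review_policy(policy_json):
    """Return (sid, finding) tuples for Allow statements that deserve a manual look."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt:
            findings.append((sid, "NotAction with Allow grants everything not listed"))
        unscoped = "*" in as_list(stmt.get("Resource")) and "Condition" not in stmt
        for action in as_list(stmt.get("Action")):
            service, _, name = action.partition(":")
            if action == "*" or name == "*":
                findings.append((sid, f"wildcard action {action}"))
            elif (service.lower() in SENSITIVE_SERVICES and unscoped
                  and not name.startswith(READ_PREFIXES)):
                findings.append((sid, f"{action} on all resources without a Condition"))
    return findings

if __name__ == "__main__":
    for sid, finding in review_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```

To review the real policy, pass the contents of the downloaded JSON file to `review_policy` in place of the constructed sample.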
AWS Saner CNAPP IAM User Creation
Step10: Navigate to “IAM,” click on “Users” under “Access Management,” and then click on “Create User,” as shown in the image below

Step11: Enter the “User Name” (e.g., “Saner-CNAPP-AWS-IAM-User”) and click “Next,” as shown in the image below

Step12: Search for and select the “ReadOnlyAccess” AWS managed policy, as shown in the image below

Step13: Search for and select the remediation policy “Saner-CNAPP-Remediation-Policy” that was created in the previous steps, as shown in the image below, and click “Next.”

Step14: Review the details, as shown in the image below, and click “Create User”

Step15: After the user is successfully created, search for and select the user “Saner-CNAPP-AWS-IAM-User,” as shown in the image below

AWS Access Key Creation
Step16: Verify the details and click on “Create Access Key,” as shown in the image below

Step17: Select “Third-party service,” check the box confirming the creation of the access key, and click “Next,” as shown in the image below

Step18: Click on “Create Access Key” to generate the AWS access key, as shown in the image below

Step19: Once the access key is created, copy the “Access Key” and “Secret Access Key” for future use. Additionally, download the access key details and store them in a safe place, as shown in the image below. After copying the access keys, click “Done” to complete the process.
Make sure to read the “Access Key Best Practices” and follow the instructions.

Step20: Navigate to the created user “Saner-CNAPP-AWS-IAM-User” and verify all the details, as shown in the image below

Step21: Navigate to the Saner Cloud Deployment page, enter the “Cloud Account ID,” “AWS Access Key ID,” “AWS Secret Access Key,” and “Region” as applicable. Verify all the details, and click the “Onboard” button, as shown in the image below.
If you do not choose any region, then the system considers all the regions automatically for scanning.

Step22: You have now completed the AWS Credentials Onboarding.
The Scan Configuration page opens automatically for you to make the necessary settings to initiate the scan. You have an option to:
- Update one or more regions by selecting from the drop-down list. Note that if you do not choose any region, then the system considers all the regions automatically for scanning.
- Validate credentials (Test Credentials button) to prevent scan failures due to authentication issues
- Set up the scan schedule as needed
- Start the scan, or pause the scan and then resume it from the point where it was paused
