Prerequisites
- A Saner CNAPP account with one of the following admin roles, which can perform the onboarding: Main Admin, Organization Admin, or Account Admin
- A Saner CNAPP account into which the AWS account gets onboarded. For illustration purposes a demo account is used
- An AWS account with admin access, or a user with permissions for CloudFormation stack creation, role creation, and policy management
- Access to AWS IAM (Identity and Access Management)
- Make sure that you provide unique role and policy names
Setup
Step1: Log in to the Saner CNAPP platform
Step2: Click on “Control Panel” and select the account that you need to onboard. As an example, the “AWS Demo” account is illustrated.
Available Integration Methods
There are three ways to connect your AWS account with Saner CNAPP, listed in order of recommendation:
- AWS Role CloudFormation (Automatic) – Recommended
  - Fastest and most secure method
  - Automatically sets up all the required permissions
  - Minimal manual configuration needed
- AWS Role (Manual)
  - Secure method with more control
  - Requires manual setup of permissions
  - Good for organizations with strict security policies
- AWS Access Keys – Least Recommended
  - Uses access key credentials
  - Higher security risk
  - Requires manual key management
Method 1: AWS Role CloudFormation (Automatic) – Recommended
Step1: Log in to your AWS account and ensure that you are in the correct region, or switch to the required region. This is necessary to onboard your AWS account to Saner CNAPP.
Step2: In Saner, click on “Cloud Deployment”
Step3: Choose “AWS CloudFormation (Automatic)” and click the “Automatic Onboarding” button, as shown in the following image, along with the Regions drop-down list
If you do not choose any region, then the system considers all the regions automatically for scanning.
Step4: The control redirects to the AWS account CloudFormation stack, as shown in the following image
Step5: Acknowledge the creation of the required resources by selecting the checkbox. If necessary, append a name to the “Stack Name” field (ensure it is unique), as shown in the image (refer to Step4).
Make sure you do not modify any other field.
Step6: Click the “Create Stack” button (image in Step4) to initiate the creation of the required resources in your AWS account
Step7: Once the CloudFormation stack task completes, all the required resources, such as policies, roles, and Lambda functions, are created in your AWS account, as shown in the following image
Now that you have completed the AWS Credentials Onboarding, the Scan Configuration page opens automatically for you to make the necessary settings to initiate the scan. You have the option to:
- Update one or more regions by selecting from the drop-down list. Note that if you do not choose any region, then the system considers all the regions automatically for scanning.
- Validate credentials (Test Credentials button) to prevent scan failures due to authentication issues
- Set up the Scan Schedule to run as needed
- Start the scan, or pause the scan and then resume it from the point where it was paused
Best Practices
- Regularly review and audit access permissions
- Monitor CloudFormation stack status
- Keep access keys secure and rotate them regularly
- Document any custom configurations
- Regularly verify integration status
Troubleshooting Guide
If you encounter any issues during the onboarding or deployment process, follow the steps to diagnose and resolve them efficiently:
Step1: Verify That All Permissions Are Set Up Correctly
Ensure that the necessary IAM permissions are granted for the user or role performing the deployment. Missing or insufficient permissions may cause failures during onboarding.
- Check IAM role and policy assignments
- Ensure the user has administrative privileges or the required set of permissions
- Confirm that AWS services involved in the deployment have the necessary permissions
Step2: Clean Up Previous Failed Onboarding Attempts
If you try the onboarding process once again due to a previous failure, make sure to remove all remnants of the prior attempt before trying again.
- Delete any incomplete AWS CloudFormation stacks
- Remove any IAM roles or policies, if created in the failed attempt
- Make sure you have no residual configurations that cause conflicts in a new attempt
Step3: Verify Deployment in the Correct AWS Region
AWS services are region-specific, and deploying in an incorrect region can lead to failures.
- Double-check that you operate in the intended AWS region
- Verify the selected region in the AWS Management Console or CLI
- Make sure that all required AWS resources are available in that region
Step4: Confirm Required Policies Are Attached to the User
The onboarding process requires the user executing the deployment to have the correct IAM policies assigned. The required privileges include:
- AWS CloudFormation Execution – Ability to create, update, and delete CloudFormation stacks
- IAM Role and Policy Creation – Permissions to create and manage IAM roles and policies
- Lambda Execution – Permissions to deploy and execute AWS Lambda functions and to reach our server to acknowledge successful onboarding.
- Service-Specific Permissions – Depending on the services being configured, additional permissions may be needed for the scan. The policy granting them is created automatically by the CloudFormation stack, or manually through the role and policy creation steps (e.g., read access to S3 configuration, EC2, Security Groups, etc., or patching permissions such as create, update, or delete).
Use the AWS IAM Console or AWS CLI to confirm that the logged-in user has the required permissions before proceeding.
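A pre-flight check for troubleshooting Step2 (leftover stacks) and Step4 (missing privileges), added here as an example and not Saner's own tooling: it parses the JSON that `aws cloudformation list-stacks` and `aws iam simulate-principal-policy` print. The concrete IAM action names in REQUIRED_ACTIONS and the sample CLI outputs are assumptions constructed for the example; the page lists the privileges only by category.

```python
"""Pre-flight for troubleshooting Steps 2 and 4 (added example, not Saner's own code):
parses `aws cloudformation list-stacks` / `aws iam simulate-principal-policy` JSON to
flag leftover failed stacks and required actions the deploying principal is denied.
Live use (needs AWS CLI + network):  python preflight.py <user-or-role-arn>"""
import json
import subprocess
import sys

# Stack states that mean an earlier attempt failed and left remnants to delete (Step 2).
FAILED_STATES = {"CREATE_FAILED", "ROLLBACK_COMPLETE", "ROLLBACK_FAILED",
                 "DELETE_FAILED", "UPDATE_ROLLBACK_COMPLETE"}
# The page names privileges only by category; these concrete action names are an
# assumption matching those categories (Step 4).
REQUIRED_ACTIONS = [
    "cloudformation:CreateStack", "cloudformation:UpdateStack", "cloudformation:DeleteStack",
    "iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy", "iam:PassRole",
    "lambda:CreateFunction", "lambda:InvokeFunction"]

def leftover_stacks(list_stacks_json):
    """Names of stacks in a failed or rolled-back state, from `list-stacks` output."""
    summaries = json.loads(list_stacks_json).get("StackSummaries", [])
    return sorted(s["StackName"] for s in summaries if s.get("StackStatus") in FAILED_STATES)

def denied_actions(simulation_json):
    """Simulated actions whose EvalDecision is anything but 'allowed'."""
    results = json.loads(simulation_json).get("EvaluationResults", [])
    return sorted(r["EvalActionName"] for r in results if r.get("EvalDecision") != "allowed")

def aws(*args):
    """Run an AWS CLI command and return its JSON output as text."""
    return subprocess.run(["aws", *args, "--output", "json"], check=True,
                          capture_output=True, text=True).stdout

# Constructed sample CLI outputs so the checks can run without AWS access.
SAMPLE_STACKS = json.dumps({"StackSummaries": [
    {"StackName": "saner-cnapp-onboarding", "StackStatus": "ROLLBACK_COMPLETE"},
    {"StackName": "unrelated-app", "StackStatus": "CREATE_COMPLETE"}]})
SAMPLE_SIM = json.dumps({"EvaluationResults": [
    {"EvalActionName": "cloudformation:CreateStack", "EvalDecision": "allowed"},
    {"EvalActionName": "iam:PassRole", "EvalDecision": "implicitDeny"}]})

if __name__ == "__main__":
    if len(sys.argv) == 2:  # live mode: query the account/region the CLI is configured for
        stacks = aws("cloudformation", "list-stacks")
        sim = aws("iam", "simulate-principal-policy", "--policy-source-arn",
                  sys.argv[1], "--action-names", *REQUIRED_ACTIONS)
    else:                   # demo mode on the constructed samples above
        stacks, sim = SAMPLE_STACKS, SAMPLE_SIM
    print("Stacks to delete before retrying:", leftover_stacks(stacks) or "none")
    print("Denied required actions:", denied_actions(sim) or "none")
```

In live mode the account and region come from the CLI profile, so confirm the region with `aws configure get region` first (Step3) before trusting the stack list.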
Step5: Contact Support if Issues Persist
If you have verified the above steps and are still facing issues, reach out to the support team for assistance.
- Provide detailed logs and error messages
- Mention the AWS services and region you are working with
- Describe the steps already taken for troubleshooting