Prerequisites
- A Saner CNAPP account with one of the following admin roles: Main Admin, Organization Admin, or Account Admin. Any of these roles can perform the onboarding
- A Saner CNAPP account where the AWS account will be onboarded. In this case, we have used the “AWS Demo” account for illustration
- An AWS account with admin access, or a user with permissions for CloudFormation stack creation, role creation, and policy management, is required
- Access to AWS IAM (Identity and Access Management)
Step1: In Saner, click on “Cloud Deployment”
Step2: Select “AWS Role (Manual)”, as shown in the image below, and copy the “AWS External ID,” which is required for AWS account onboarding
Ensure you are in the correct region or switch to the required region

AWS Remediation Policy Creation
Step3: Log in to your AWS account and ensure you are in the correct region, or switch to the required region
Step4: Navigate to “IAM” and click on “Policies” under “Access Management,” as shown in the image below

Step5: Click on “Create Policy” and select “JSON,” which will open the “Policy Editor,” as shown in the image below.

Step6: Click here to download the policy. Open the JSON file, copy its contents, and paste the policy into the “Policy Editor,” then click “Next”
Step7: Enter the “Policy Name” as “Saner-CNAPP-Remediation-Policy” and provide the description, as shown in the image below

Step8: Add a new tag if necessary and click on “Create Policy.” Once the policy is successfully created, copy the “Policy Name” for future use
AWS Saner CNAPP Role Creation
Step9: Navigate to “IAM” and click on “Roles” under “Access Management,” as shown in the image below

Step10: Click on “Create Role,” as shown in the image above
Step11: Select the “Custom trust policy” option, then copy and paste the trust policy from the “Click here” link. In the pasted policy, replace the placeholder “SanerCloud-Pre-Generated-Random-External-ID” with the external ID copied from Saner (refer to Step 2), as shown in the image, and click “Next”

Step12: Search for and select the “ReadOnlyAccess” AWS managed policy, as shown in the image below

Step13: Search for and select the remediation policy “Saner-CNAPP-Remediation-Policy” that was created in the previous steps, as shown in the image below, and click “Next”

Step14: Enter the “Role Name” as “Saner-CNAPP-Access-Role” and provide an appropriate description, as shown in the image below

Step15: Review all the entered details, as shown in the image above, and click “Create Role” to create the role
Step16: After the role is successfully created, search for the newly created role, “Saner-CNAPP-Access-Role,” as shown in the image below

Step17: Click on the “Saner-CNAPP-Access-Role” and copy the role ARN, “arn:aws:iam::1234567890:role/Saner-CNAPP-Access-Role,” as shown in the image below

Step18: Go to the Saner Cloud Deployment page, paste the copied ARN into the “AWS Role ARN” field, choose a preferred Region from the drop-down list, and click the “Onboard” button. This onboards the AWS account into Saner, as shown in the image below:
If you do not choose any region, then the system considers all the regions automatically for scanning.

Step19: You have now completed the AWS Role Manual Onboarding.
The Scan Configuration page opens automatically for you to make the necessary settings to initiate the scan. You have an option to:
- Update one or more regions by selecting from the drop-down list. Note that if you do not choose any region, then the system considers all the regions automatically for scanning.
- Validate credentials (Test Credentials button) to prevent scan failures due to authentication issues
- Set up the scan schedule as needed
- Start the scan or Pause the scan and then resume it from the point where it was paused
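
A pre-flight check for the trust policy edited in Step 11, as an added example that is not part of the Saner documentation or Saner's own tooling. It assumes the policy gates `sts:AssumeRole` on an `sts:ExternalId` condition, the usual AWS pattern for third-party role access; the account number and external ID in the sample are constructed, and `check_trust_policy` is a hypothetical helper name.

```python
import json

PLACEHOLDER = "SanerCloud-Pre-Generated-Random-External-ID"  # placeholder text named in Step 11

def as_list(value):
    """IAM accepts a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy_json, expected_external_id):
    """Return the problems found in a role trust policy (empty list means OK)."""
    problems = []
    if PLACEHOLDER in policy_json:
        problems.append("placeholder external ID was not replaced")
    policy = json.loads(policy_json)
    allows = [s for s in as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]
    if not allows:
        problems.append("no Allow statement")
    for stmt in allows:
        principal = stmt.get("Principal")
        aws = as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            problems.append("wildcard principal: any AWS account could assume the role")
        if "sts:AssumeRole" not in as_list(stmt.get("Action")):
            continue  # other actions are out of scope for this check
        # Assumption: the condition is written with the StringEquals operator.
        ids = as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if not ids:
            problems.append("sts:AssumeRole allowed without an sts:ExternalId condition")
        elif ids != [expected_external_id]:
            problems.append("sts:ExternalId does not match the ID copied from Saner")
    return problems

# Constructed sample: account 111122223333 is a made-up principal, not Saner's.
SAMPLE_TEMPLATE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": PLACEHOLDER}},
    }],
})

if __name__ == "__main__":
    external_id = "example-external-id-0001"  # constructed value standing in for the Step 2 ID
    print(check_trust_policy(SAMPLE_TEMPLATE, external_id))
    print(check_trust_policy(SAMPLE_TEMPLATE.replace(PLACEHOLDER, external_id), external_id))
```

An empty result means the role can be assumed only by the named principal presenting the external ID from Step 2; a missing or unreplaced external ID leaves the role open to the confused deputy problem.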
