This feature is in preview and is not yet available in the user interface. To participate, contact support@datatheorem.com to obtain the AWS CloudFormation template file for your account.

The AWS CloudFormation template performs the following actions:

  • Creates the “organization role”, which gives Data Theorem the ability to list the AWS accounts belonging to the organization (for onboarding) and to perform discovery.

  • Creates a CloudFormation StackSet that creates a role in each child account of the organization (with the SecurityAudit role, to enable discovery on that account).

  • Note that all the created roles are bound to Data Theorem and require an external ID.
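The last bullet is the property worth verifying once the roles exist: a vendor role is only safe if its trust policy names exactly one external principal and makes an external ID mandatory (the standard guard against the confused-deputy problem). The following is an added example, not part of this page or of the Data Theorem template; it audits a trust policy document for those two properties. The account ID 111111111111, the external ID and the three sample policies are constructed placeholders.

```python
"""Audit a cross-account IAM role trust policy.

Added example (not the Data Theorem template): checks that a role's trust
policy is bound to a single external principal and requires an external ID.
All account IDs and external IDs below are constructed placeholders.
"""
import json

# Constructed sample in the shape the onboarding description promises.
COMPLIANT_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            # placeholder for the vendor account, not a real ID
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
        }
    ],
}

# Constructed weak sample: any AWS principal may assume it, no external ID required.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}
    ],
}

# Constructed sample: correct account, but the external ID condition was dropped.
NO_EXTERNAL_ID_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, expected_account):
    """Return a list of findings for `policy` (an empty list means it passes).

    `policy` is the trust policy as a dict, i.e. the parsed
    AssumeRolePolicyDocument of the role. `expected_account` is the 12-digit
    AWS account ID the role is supposed to trust.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # not an assume-role grant, nothing to bind

        # Principal may be the string "*" or a dict keyed by AWS/Service/Federated.
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principals = _as_list(principal.get("AWS"))
        else:
            principals = _as_list(principal)
        for p in principals:
            if p == "*":
                findings.append(f"statement {i}: wildcard principal, role is not bound to any account")
            elif expected_account not in p:
                findings.append(f"statement {i}: trusts unexpected principal {p}")

        # Condition keys are case-insensitive; accept sts:ExternalId under any operator.
        condition = stmt.get("Condition") or {}
        has_external_id = any(
            key.lower() == "sts:externalid"
            for operands in condition.values()
            if isinstance(operands, dict)
            for key in operands
        )
        if not has_external_id:
            findings.append(f"statement {i}: no sts:ExternalId condition, external ID not required")
    return findings


def audit_trust_policy_json(document, expected_account):
    """Same check for the JSON text of a trust policy document."""
    return audit_trust_policy(json.loads(document), expected_account)


if __name__ == "__main__":
    samples = [
        ("compliant", COMPLIANT_TRUST_POLICY),
        ("weak", WEAK_TRUST_POLICY),
        ("no-external-id", NO_EXTERNAL_ID_POLICY),
    ]
    for name, doc in samples:
        result = audit_trust_policy(doc, "111111111111")
        print(name, "->", result or "OK")
```

To run the check against a role the stack actually created, fetch its trust policy with `aws iam get-role --role-name <ROLE_NAME> --query Role.AssumeRolePolicyDocument --output json` (the role name is whatever the template chose; it is not given on this page) and pass the output to `audit_trust_policy_json` together with the account ID Data Theorem supplied. The checker deliberately treats any principal that is not the expected account as a finding rather than only flagging `*`, since a role that trusts an additional account is just as much "not bound to Data Theorem".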

Prerequisites

  • Administrator access to the root AWS account for the organization

  • The “Organization Id” of your AWS Organization root

  • The AWS organization must have the following features enabled:

    • Trusted access for AWS Account Management

    • CloudFormation StackSets

  • The AWS CloudFormation Quick Create link you received from Data Theorem

  1. Ensure “AWS Account Management” is enabled

  2. Ensure “CloudFormation StackSets” is enabled

Collect your AWS Organization ID

  1. Before running the CloudFormation template, retrieve the ID of your organization root (prefixed with r-). It can be found on the “AWS Organizations” service page (r-hd2b in the example).

Running the AWS CloudFormation template

  1. Open the link you received from Data Theorem in your browser. This opens the AWS console; sign in as a user with administrator privileges in your AWS Organization root account. The link opens the Data Theorem CloudFormation template.

  2. In the next section, enter the following details:

    • DataTheoremOnboarding as the Stack name (feel free to choose another name)

    • The r- prefixed organization root ID in the OrganizationalUnitIds field

  3. Click Next twice, and submit the stack.

Once the stack has completed, send the two output values back to Data Theorem support.