Extend Cortex Xpanse visibility into cloud assets from AWS.
Cortex Xpanse provides a unified, normalized asset inventory for cloud assets in AWS. This capability provides deeper visibility into all of your assets and richer context for incident investigation.
To receive cloud assets from AWS, configure the Collection Integrations settings in Cortex Xpanse: add a Cloud Inventory data collector and complete the AWS wizard. The AWS wizard includes instructions to be completed both in AWS and in the AWS wizard screens. After you set up data collection, Cortex Xpanse begins receiving new data from the source.
As soon as Cortex Xpanse begins receiving cloud assets, you can view the data in the Asset Inventory, where the All Assets and Cloud Compute Instances pages display the data in a table format.
To configure the AWS cloud assets collection in Cortex Xpanse, perform the following steps:
Open the AWS wizard in Cortex Xpanse.
In the Cloud Inventory configuration, click Add Instance to begin a new configuration.
Click AWS.
Define the Account Details screen of the wizard.
Setting the connection parameters on the right side of the screen depends on certain configurations in AWS, as explained below.
Select the Organization Level as either Account (default), Organization, or Organization Unit. The Organization Level that you select changes the instructions and fields displayed on the screen.
Sign in to your AWS master account.
Create a stack called XDRCloudApp using the preset Cortex Xpanse template in AWS.
The following details are automatically filled in for you in the AWS CloudFormation stack template.
Stack Name—The default name for the stack is XDRCloudApp.
CortexXDRRoleName—The name of the role that will be used by Cortex Xpanse to authenticate and access the resources in your AWS account.
External ID—The Cortex Xpanse Cloud ID, a randomly generated UUID that is used to enable the trust relationship in the role's trust policy.
To create the stack, accept the IAM acknowledgment for resource creation by selecting the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox, and click Create Stack.
Wait for the Status to update to CREATE_COMPLETE in the Stacks page that is displayed, and select the XDRCloudApp stack under the Stack name column in the table.
Select the Outputs tab and copy the Value of the Role ARN.
Paste the Role ARN value in one of the following fields in the Account Details screen in Cortex Xpanse. The field name is dependent on the Organization Level that you selected.
Account—Paste the value in the Account Role ARN field.
Organization—Paste the value in the Master Role ARN field.
Organization Unit—Paste the value in the Master Role ARN field.
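An added check, not part of the Cortex Xpanse documentation, for the cross-account role the stack just created: the External ID in the role's trust policy is what prevents a third party from having the role assumed on their behalf (the confused-deputy problem), so before pasting the Role ARN it is worth confirming that the trust policy really requires the same External ID value the wizard shows. The script lists the stack outputs with the AWS CLI (the Role ARN is among them) and compares the sts:ExternalId condition of the role with the value you pass in. The stack name defaults to XDRCloudApp from this page; the role ARN and account ID used in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Cortex Xpanse documentation).
# Usage: sh check-xpanse-role.sh <role-arn-from-stack-outputs> <external-id-from-wizard>
# Requires a configured AWS CLI with cloudformation:DescribeStacks and iam:GetRole.

STACK_NAME="${STACK_NAME:-XDRCloudApp}"   # default stack name from the wizard

# Extracts the role name from arn:aws:iam::<account>:role/<path>/<name>,
# which `aws iam get-role` needs. Returns 1 for anything that is not a role ARN.
role_name_from_arn() {
  case "$1" in
    arn:aws*:iam::*:role/*) printf '%s\n' "${1##*/}" ;;   # text after the last '/'
    *) return 1 ;;
  esac
}

# Account ID embedded in the ARN (field 5 when split on ':').
account_from_arn() {
  printf '%s\n' "$1" | cut -d: -f5
}

# Prints every output of the stack; the Role ARN shown on the Outputs tab is one of them.
show_stack_outputs() {
  aws cloudformation describe-stacks --stack-name "$STACK_NAME" \
    --query 'Stacks[0].Outputs[].[OutputKey,OutputValue]' --output table
}

# Verifies that the trust policy of the role requires the expected External ID
# and prints the principals allowed to assume it (expect a specific account, never "*").
verify_trust_policy() {
  role_arn="$1"; expected_ext_id="$2"
  role_name="$(role_name_from_arn "$role_arn")" || {
    echo "not an IAM role ARN: $role_arn" >&2; return 1; }
  echo "checking role $role_name in account $(account_from_arn "$role_arn")"
  actual="$(aws iam get-role --role-name "$role_name" \
    --query 'Role.AssumeRolePolicyDocument.Statement[].Condition.StringEquals."sts:ExternalId"' \
    --output text)"
  if [ "$actual" != "$expected_ext_id" ]; then
    echo "MISMATCH: trust policy External ID is '$actual', wizard shows '$expected_ext_id'" >&2
    return 1
  fi
  echo "OK: trust policy of $role_name requires External ID $expected_ext_id"
  aws iam get-role --role-name "$role_name" \
    --query 'Role.AssumeRolePolicyDocument.Statement[].Principal' --output json
}

# Example invocation with constructed values:
#   sh check-xpanse-role.sh arn:aws:iam::123456789012:role/CortexXDRRole <external-id>
if [ "$#" -eq 2 ]; then
  show_stack_outputs
  verify_trust_policy "$1" "$2"
fi
```

If the check reports a mismatch, the stack was created with a different External ID than the one currently shown in the Account Details screen (for example after the value was regenerated); redeploy the stack or update the field so the two agree, otherwise the collector will not be able to assume the role.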
Set the Root ID in Cortex Xpanse.
Note
This step is only relevant if you’ve configured the Organization Level as Organization in the Account Details screen in Cortex Xpanse. Otherwise, you can skip this step if the Organization Level is set to Account or Organization Unit.
From the main menu of the AWS Console, select → . Copy the Root ID displayed under the Root directory and paste it in the Root ID field in the Account Details screen in Cortex Xpanse.
Set the Organization Unit ID in Cortex Xpanse.
Note
This step is only relevant if you’ve configured the Organization Level as Organization Unit in the Account Details screen in Cortex Xpanse. Otherwise, you can skip this step if the Organization Level is set to Account or Organization.
On the main menu of the AWS Console, select your username, and then My Organization.
Select the Organization Unit (marked with the OU icon) in the organizational structure that you want to configure.
Copy the ID and paste it in the Organization Unit ID field in the Account Details screen in Cortex Xpanse.
Define the following remaining connection parameters in the Account Details screen in Cortex Xpanse.
Account Role External ID / Master External ID—The name of this field is dependent on the Organization Level configured. This field is automatically populated with a value. You can either leave this value or replace it with another value.
Cortex XDR Collection Name—Specify a name for your Cortex Xpanse collection that is displayed underneath the Cloud Inventory configuration for this AWS collection.
Click Next.
Define the Configure Member Accounts screen of the wizard.
Note
This wizard screen is only displayed if you’ve configured the Organization Level as Organization or Organization Unit in the Account Details screen in Cortex Xpanse. Otherwise, you can skip this step when the Organization Level is set to Account.
Configuring member accounts depends on creating a stack set and configuring stack instances in AWS, which can be performed using either the Amazon Command Line Interface (CLI) or a CloudFormation template via the AWS Console. Both of these methods are explained in the instructions below.
Define the account credentials using Amazon CLI.
Select the Amazon CLI tab, which is displayed by default.
Open the Amazon CLI.
Note
For more information on how to set up the AWS CLI tool, see the AWS Command Line Interface Documentation.
Run the following command to create a stack set, which you can copy from the Configure Member Accounts screen by selecting the copy icon, and paste in the Amazon CLI. This command includes the Role Name and External ID field values configured from the wizard screen.
aws cloudformation create-stack-set --stack-set-name StackSetCortexXdr01 --template-url https://cortex-xdr-xcloud-onboarding-scripts-dev.s3.us-east-2.amazonaws.com/cortex-xdr-xcloud-master-dev-1.0.0.template --permission-model SERVICE_MANAGED --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=true --parameters ParameterKey=ExternalID,ParameterValue=c9a7024c-3f07-40ed-a4fb-c3a5eba778e2 --capabilities CAPABILITY_NAMED_IAM
Run the following command to add stack instances to your stack set, which you can copy from the Configure Member Accounts screen by selecting the copy icon, and paste in the Amazon CLI. For the --deployment-targets parameter, specify the organization root ID to deploy to all accounts in your organization, or specify Organization Unit IDs to deploy to all accounts in these Organization Units. In this parameter, you will need to replace <Org_OU_ID1>, <Org_OU_ID2>, and <Region> according to your AWS settings.
aws cloudformation create-stack-instances --stack-set-name StackSetCortexXdr01 --deployment-targets OrganizationalUnitIds='["<Org_OU_ID1>", "<Org_OU_ID2>"]' --regions '["<Region>"]'
In this example, the Organization Units are populated with the ou-rcuk-1x5j1lwo and ou-rcuk-slr5lh0a IDs.
aws cloudformation create-stack-instances --stack-set-name StackSet_myApp --deployment-targets OrganizationalUnitIds='["ou-rcuk-1x5j1lwo", "ou-rcuk-slr5lh0a"]' --regions '["eu-west-1"]'
Once completed, in the AWS Console, select → → , and you can see the StackSet is now listed in the table.
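The two CLI commands above, as an added example that is not part of the Cortex Xpanse documentation: a POSIX shell script that validates the root/OU IDs and the region before anything is sent to AWS, runs create-stack-set and create-stack-instances with the same flags the wizard shows, and then waits for the stack-set operation to finish and lists the per-account result so a failed member account is visible immediately. The stack set name, template URL and External ID are placeholders to be replaced with the values from the Configure Member Accounts screen; the OU IDs in the usage line are the ones from the example above. The AWS CLI accepts the organization root ID in OrganizationalUnitIds as well, so the same function serves both deployment choices described above.

```shell
#!/bin/sh
# Added example (not from the Cortex Xpanse documentation).
# Usage: sh deploy-member-accounts.sh <region> <root-or-OU-id> [<OU-id> ...]
# Run from the management (master) account with a configured AWS CLI.

STACK_SET_NAME="${STACK_SET_NAME:-StackSetCortexXdr01}"         # from the wizard
TEMPLATE_URL="${TEMPLATE_URL:-<template-url-from-wizard>}"       # placeholder
EXTERNAL_ID="${EXTERNAL_ID:-<external-id-from-wizard>}"          # placeholder

# 0 if the argument looks like an Organizations root ID (r-xxxx) or an OU ID
# (ou-xxxx-yyyyyyyy), 1 otherwise.
is_org_target() {
  printf '%s\n' "$1" | grep -Eq '^(r-[a-z0-9]{4,32}|ou-[a-z0-9]{4,32}-[a-z0-9]{8,32})$'
}

# 0 if the argument looks like an AWS region name such as eu-west-1.
is_region() {
  printf '%s\n' "$1" | grep -Eq '^[a-z]{2}(-[a-z]+)+-[0-9]$'
}

# Prints the JSON array form used by --deployment-targets and --regions,
# e.g. build_json_array a b  ->  ["a", "b"]. Fails on an empty list.
build_json_array() {
  [ "$#" -gt 0 ] || return 1
  out=""
  for item in "$@"; do
    if [ -z "$out" ]; then out="\"$item\""; else out="$out, \"$item\""; fi
  done
  printf '[%s]\n' "$out"
}

# Validates the region and every target before the AWS calls are made.
check_inputs() {
  region="$1"; shift
  is_region "$region" || { echo "bad region: $region" >&2; return 1; }
  [ "$#" -gt 0 ] || { echo "no root/OU IDs given" >&2; return 1; }
  for t in "$@"; do
    is_org_target "$t" || { echo "bad root/OU ID: $t" >&2; return 1; }
  done
}

deploy_member_accounts() {
  region="$1"; shift
  check_inputs "$region" "$@" || return 1
  targets="$(build_json_array "$@")"
  regions="$(build_json_array "$region")"

  # Step 1 from the wizard: create the stack set (same flags as the page).
  aws cloudformation create-stack-set \
    --stack-set-name "$STACK_SET_NAME" \
    --template-url "$TEMPLATE_URL" \
    --permission-model SERVICE_MANAGED \
    --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=true \
    --parameters "ParameterKey=ExternalID,ParameterValue=$EXTERNAL_ID" \
    --capabilities CAPABILITY_NAMED_IAM

  # Step 2: add stack instances; keep the OperationId so we can wait on it.
  op_id="$(aws cloudformation create-stack-instances \
    --stack-set-name "$STACK_SET_NAME" \
    --deployment-targets "OrganizationalUnitIds=$targets" \
    --regions "$regions" \
    --query OperationId --output text)"

  # Step 3: poll until the operation leaves its in-progress states.
  while :; do
    status="$(aws cloudformation describe-stack-set-operation \
      --stack-set-name "$STACK_SET_NAME" --operation-id "$op_id" \
      --query StackSetOperation.Status --output text)"
    case "$status" in
      QUEUED|RUNNING|STOPPING) sleep 15 ;;
      *) break ;;
    esac
  done
  echo "stack set operation $op_id finished with status $status"

  # Per-account view: this is where a single member account that rejected
  # the template shows up.
  aws cloudformation list-stack-instances --stack-set-name "$STACK_SET_NAME" \
    --query 'Summaries[].[Account,Region,Status]' --output table
  [ "$status" = "SUCCEEDED" ]
}

# Example: sh deploy-member-accounts.sh eu-west-1 ou-rcuk-1x5j1lwo ou-rcuk-slr5lh0a
if [ "$#" -gt 0 ]; then
  deploy_member_accounts "$@"
fi
```

The script exits non-zero when the operation ends in any state other than SUCCEEDED, so it can be used in a pipeline; the table printed just before the exit shows which accounts and regions did not receive the stack.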
Define the account credentials using AWS CloudFormation.
Select the Cloud Formation tab.
Download the CloudFormation template. The name of the downloaded file is cortex-xdr-aws-master-ro-1.0.0.template.
Sign in to your AWS Master Account using the AWS console, select → → , and click Create StackSet.
Define the following settings.
- Select Template is ready.
- Select Upload a template file, Choose file, and select the CloudFormation template that you downloaded.
Click Next.
Define the following settings.
- StackSet name—Specify a name for the StackSet.
- ExternalID—The ExternalID value specified here must be copied from the one populated in the External ID field on the right side of the Configure Member Accounts screen in Cortex Xpanse.
Click Next.
Select Service-managed permissions, and click Next.
Define the following settings.
Deployment targets
- Select Deploy to the organization.
- Select Enabled for Automatic deployments.
- Select Delete stacks for Account removal behavior.
Specify regions
- Select a region.
Deployment options
- For the Maximum concurrent accounts, select Percentage, and in the field specify 100.
- For the Failure tolerance, select Percentage, and in the field specify 100.
Click Next.
To create the StackSet, accept the IAM acknowledgment for resource creation by selecting the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox, and click Submit.
When the process completes, the Status of the StackSet is SUCCEEDED in the StackSet details page.
Review the Summary screen of the wizard.
If something needs to be corrected, you can go Back to correct it.
Click Create.
Once cloud assets from AWS start to come in, a green check mark appears underneath the Cloud Inventory configuration with the Last Collection time displayed. It can take a few minutes for the Last Collection time to display while processing completes.
Note
Whenever the Cloud Inventory data collector integrations are modified by using the Edit, Disable, or Delete options, it can take up to 10 minutes for these changes to be reflected in Cortex Xpanse.
After Cortex Xpanse begins receiving AWS cloud assets, you can view the data in → , where All Assets and Specific Cloud Assets pages display the data in a table format. For more information, see Cloud Inventory Assets.
Once you've configured the AWS cloud collection integration, it may take up to 48 hours for new asset records, services, websites, alerts, and incidents to appear in Expander. This is because the collection process must run multiple times to ensure that data is only loaded for high-confidence resources and can be properly combined with Xpanse global scan findings.
If after 48 hours you don't see new asset records, services, websites, alerts, or incidents from the AWS integration, check for errors on the collection integration configuration page in Settings. You should also confirm that there are active compute instances in the linked account or organization.