This repository provides CloudFormation templates to onboard AWS Organizations with CrowdStrike Cloud Security.
- In CrowdStrike Console, Navigate to API Clients and Keys page.
- Click on "Add new API client".
- Within the "Add new API client" modal, create a new client name and click on the Read and Write checkboxes next to CSPM registration under API Scopes..
- Add new API Client
- Save the CLIENT ID and SECRET displayed for your records. The SECRET will not be visible after this step.
- In CrowdStrike Console, Navigate to Cloud Accounts Registration page.
- Verify the AWS Organization and child accounts are not listed.
- If they are listed, deregister and remove CrowdStrike resources from those accounts before proceeding.
If the Organization is currently registered, or you do not want to run the Registration Lambda in the Management Account for any reason, see Provision Only Steps
- Download the contents of this repository.
- Log in to the Management Account of your AWS Organization
- Upload the following files to the root of an S3 Bucket.
- crowdstrike_aws_cspm_register_lambda.zip
- crowdstrike_aws_cspm.json (Commercial AWS Only)
- crowdstrike_aws_gov_cspm.json (GovCloud AWS Only)
- In the CloudFormation console select create stack.
- Choose Specify Template and upload init_crowdstrike_aws_cspm_register.yml
- Fill out the parameters, click next.
- Optional: change Stack Failure Options to Preserve successfully provisioned resources. This option will allow you to maintain the stack and update parameters in the event of a mistake.
- Enabled the capabilities in the blue box and click submit.
| Parameter | Description | Options |
|---|---|---|
| FalconAccountType | Type of CrowdStrike Falcon Account | commercial or govcloud |
| AWSAccountType | Type of AWS Account | commercial or govcloud |
| S3Bucket | Name of the S3 Bucket containing lambda.zip | |
| PermissionsBoundary | Optional: Name of the Permissions Boundary Policy to apply to IAM Roles | |
| FalconClientID | Falcon API client Id | |
| FalconSecret | Falcon API client secret | |
| CSCloud | Falcon Cloud region | us1, us2, eu1, usgov1, usgov2 |
| EnableIOA | Whether to enable IOA | true, false |
| Regions | Which regions to deploy IOA resources | eg. us-east-1, us-east-2 |
| ProvisionOU | Which OUs to deploy all CSPM resources. root OU to provision entire org or commademlimited list of child OUs | r-**** or ou-****-****, ou-****-**** etc |
| EnableSensorManagement | Whether to enable Sensor Management | true, false |
| StackSetAdminRole | Name of new StackSet Admin role for root account stackset | |
| StackSetExecRole | Name of new StackSet Execution role for root account stackset |
- Root CloudFormation Stack
- Create Secret to manage Falcon API Credentials
- Create Lambda to register AWS Org with Falcon Cloud Security Service via API
- Create Child Stacks and StackSets to provision root account and child accounts with CrowdStrike Cloud Security resources
- Root CrowdStrikeStack
- Create Stacks in root account using IOM template
- Create CSPM Reader Role for IOMs
- Create IOA Role for Eventbridge (if EnableIOA = true)
- Create Sensor Management Role and Lambda (if EnableSensorManagement = true)
- CrowdStrike-Cloud-Security-Stackset
- Create Stacks in each child account using IOM template
- Create CSPM Reader Role for IOMs
- Create IOA Role for Eventbridge (if EnableIOA = true)
- Create Sensor Management Role and Lambda (if EnableSensorManagement = true)
- CrowdStrike-Cloud-Security-EB-Stackset
- Create Stacks in each child account using IOA template
- Create EventBridge rules to forward IOAs
- CrowdStrike-Cloud-Security-Root-EB-Stackset
- Create Stacks in root account using IOA template
- Create EventBridge rules to forward IOAs
Note: If provisioning govcloud, the following templates are used instead:
If you encounter any issues or have questions about this repository, please open an issue.
CrowdStrike AWS Registration is a community-driven, open source project designed to provide options for onboarding AWS with CrowdStrike Cloud Security. While not a formal CrowdStrike product, this repo is maintained by CrowdStrike and supported in partnership with the open source community.