This repository provides Terraform to onboard AWS Organizations with CrowdStrike Cloud Security. It is intended for cases where:
- the customer declines the bash and/or Terraform methods presented in the Falcon Console
- the customer needs to exclude regions prohibited by SCPs
- the customer wants a Terraform-only solution (the Terraform offered in the console uses AWS StackSets)
Create a Falcon API Client with the following scope:
- CSPM registration [read]
- CSPM registration [write]
- Terraform: tested with v1.4.6
- Python3: tested with 3.11.3
Modify each of the following sections of the locals block to set your configuration:
- Set your AWS CLI profile name and Region for the AWS Organization Management account

```hcl
root_account = {
  profile = "default"
  region  = "us-east-1"
}
```

- Configure your CrowdStrike Falcon API keys. These will be used to call the registration API. Required scope: CSPM registration Read & Write

```hcl
falcon_client_id  = ""
falcon_secret     = ""
crowdstrike_cloud = "" # us-1, us-2 or eu-1
```

- Enable Behavioral Assessment? If true, EventBridge rules will be deployed in each enabled region to forward indicators of attack (IOA) to CrowdStrike.

```hcl
enable_ioa = true
```

- Optional: change to false to add a CloudTrail for Read Only IOAs

```hcl
use_existing_cloudtrail = true
```

- Uncomment regions to exclude from IOA provisioning (EventBridge rules). This is useful if your organization leverages SCPs to deny specific regions.

```hcl
exclude_regions = [
  # "us-east-1",
  "us-east-2", # <- this region would be excluded
]
```
Note: How to provision multiple accounts. In main.tf, duplicate the following local, provider and module blocks for each additional account you wish to provision. You will need to increment the numeral values, e.g. account_2, provision_2, account_3, provision_3, etc.

```hcl
locals {
  account_2 = {
    profile = "profile2"
    region  = "us-east-1"
  }
}

provider "aws" {
  alias   = "account_2"
  region  = local.account_2.region
  profile = local.account_2.profile
}

module "provision_2" {
  source            = "./modules/provision"
  profile           = local.account_2.profile
  intermediate_role = module.register.registration_intermediate_role
  external_id       = module.register.registration_external_id
  iam_role_arn      = module.register.registration_iam_role
  cs_eventbus_arn   = module.register.registration_cs_eventbus
  enable_ioa        = local.enable_ioa
  exclude_regions   = local.exclude_regions
  providers = {
    aws = aws.account_2
  }
}
```
- Initialize Terraform providers and environment: `terraform init`
- Generate plan: `terraform plan`
- Apply configuration: `terraform apply`
- Destroy configuration (note: this will deregister your AWS Accounts from Horizon): `terraform destroy`
This Terraform configuration leverages two modules: one to register the AWS Accounts and one to provision CSPM-required resources.
Register module: this only applies to the AWS Organization Management Account
- Install falconpy python package locally in /source
- Archive falconpy python package as zip for lambda layer
- Archive lambda.py function as zip for lambda function
- Create AWS Secrets Manager Secret to store Falcon API Keys
- Create IAM Role to allow Lambda basic execution and access to Secret containing Falcon API Keys
- Create and invoke lambda function
- Lambda function leverages the CrowdStrike Falcon API to register the AWS Account with Horizon
- Lambda function returns API response and values to be used by provision module
Provision module: this applies to each account
- Create Read Only IAM Role to enable Indicators of Misconfiguration (IOM) Scans
- Create IAM Role to allow EventBridge rules to Put Events on the CrowdStrike EventBus
- Create EventBridge Rules in each region which target CrowdStrike EventBus to forward IOAs
- Optional: For Org Management Account only, Create new Org-Wide CloudTrail with CrowdStrike S3 Bucket as Target to enable Read-Only IOAs
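As an added example (not code from this repository), the following script is a pre-apply check a reviewer can run over the two IAM policies the provision module is expected to create: the trust policy of the Read Only IOM role and the permissions policy of the EventBridge role. It assumes the module wires `intermediate_role` into the trust policy Principal and `external_id` into an `sts:ExternalId` condition, and that the EventBridge role is limited to `events:PutEvents` on `cs_eventbus_arn`; the policy documents, ARNs and external id below are constructed placeholders.

```python
"""Pre-apply review of the IAM policies the provision module creates.

Added example, not part of this repository. The policy documents below are
constructed stand-ins for what `terraform show -json` would reveal after a
plan; ARNs and the external id are placeholders. Assumption: the module puts
`intermediate_role` in the trust policy Principal, `external_id` in an
sts:ExternalId condition, and grants the EventBridge role events:PutEvents
only on `cs_eventbus_arn`.
"""
import json

# Constructed placeholders standing in for the module.register outputs.
INTERMEDIATE_ROLE = "arn:aws:iam::111111111111:role/INTERMEDIATE-ROLE-PLACEHOLDER"
EXTERNAL_ID = "EXTERNAL-ID-PLACEHOLDER"
CS_EVENTBUS_ARN = "arn:aws:events:us-east-1:111111111111:event-bus/cs-eventbus-placeholder"


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, intermediate_role, external_id):
    """Findings for the Read Only IOM role's trust policy.

    The role is assumed cross-account by CrowdStrike, so it must be assumable
    only by the intermediate role and only with the agreed sts:ExternalId;
    without the external id the role is open to the confused-deputy problem.
    """
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if principals != [intermediate_role]:
            findings.append(f"AssumeRole principal not pinned to intermediate role: {principals}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if condition.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or does not match registration output")
    return findings


def check_eventbus_policy(doc, cs_eventbus_arn):
    """Findings for the role EventBridge rules use to forward IOAs.

    Least privilege here is one action, events:PutEvents, on the single
    CrowdStrike event bus returned by registration.
    """
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if set(actions) != {"events:PutEvents"}:
            findings.append(f"actions wider than events:PutEvents: {actions}")
        if resources != [cs_eventbus_arn]:
            findings.append(f"resource not limited to the CrowdStrike event bus: {resources}")
    return findings


def review(trust_json, eventbus_json, intermediate_role=INTERMEDIATE_ROLE,
           external_id=EXTERNAL_ID, cs_eventbus_arn=CS_EVENTBUS_ARN):
    """Run both checks over JSON policy text and return findings per policy;
    empty lists mean the policy matches the expected least-privilege shape."""
    return {
        "trust": check_trust_policy(json.loads(trust_json), intermediate_role, external_id),
        "eventbus": check_eventbus_policy(json.loads(eventbus_json), cs_eventbus_arn),
    }


# Constructed sample policies: the expected shape and a weakened shape.
GOOD_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": INTERMEDIATE_ROLE}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]})
WEAK_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]})
GOOD_EVENTBUS = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "events:PutEvents", "Resource": CS_EVENTBUS_ARN}]})
WEAK_EVENTBUS = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "events:*", "Resource": "*"}]})

if __name__ == "__main__":
    print(json.dumps(review(GOOD_TRUST, GOOD_EVENTBUS), indent=2))  # all empty
    print(json.dumps(review(WEAK_TRUST, WEAK_EVENTBUS), indent=2))  # four findings
```

In practice the two JSON documents are taken from the planned `aws_iam_role` and `aws_iam_policy` resources (for example via `terraform show -json` on the saved plan) and compared against the `module.register` outputs before `terraform apply`.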
If you encounter any issues or have questions about this repository, please open an issue.
CrowdStrike AWS Registration is a community-driven, open source project designed to provide options for onboarding AWS with CrowdStrike Cloud Security. While not a formal CrowdStrike product, this repo is maintained by CrowdStrike and supported in partnership with the open source community.