This article will guide you through the process of connecting multiple Amazon Web Services (AWS) cloud accounts to the Orca Security Platform.
Orca's SaaS deployment mode means that you do not have to run any code from Orca within your cloud accounts. Orca reads your assets through the cross-account IAM role you create during onboarding and scans them inside Orca's own AWS backend, in the same AWS data center region where your assets reside.
- Before you begin
- Step 1: AWS login
- Step 2: Create Orca onboarding resources
- Step 3: Connect your account to Orca Security
- Step 4: Create a stack set to connect your organization accounts
- Verify account connection
Before you begin
- Access your Orca Security account and navigate to Settings from the lower-left corner of the main menu.
- You will land on the Connect Account page by default.
- From here, select the Amazon Web Services tab (unless already selected).
- Change the Policy mode from DEFAULT to MULTIPLE.
Step 1: AWS login
Log in to your organization's management account (the account AWS formerly called the master account) using the MASTER ACCOUNT link. The stack set created in the next step uses service-managed permissions, which are only available from the management account or a delegated StackSets administrator account, so the onboarding template must be deployed from there.
Step 2: Create Orca onboarding resources
Select the check box to allow scanning of images in password-protected registries. If it is left unchecked, the onboarding resources will not grant Orca the permissions it needs to scan images stored outside of AWS.
Use the CLOUDFORMATION TEMPLATE link to create the “orca-security” stack. The stack adds the Orca Security Role and its policies to the management account, and defines a StackSet for deploying the same role into existing and new accounts in your organization.
The template link opens the AWS CloudFormation console in a new browser tab, where you can review the stack parameters. Before creating the stack, review the IAM role and the policies the template attaches to it, since these define exactly what Orca is allowed to read in your accounts. Scroll to the bottom of the page to acknowledge that AWS CloudFormation might create IAM resources.
After you click Create stack, AWS CloudFormation opens the Events tab, where the status of the “orca-security” stack is shown as “CREATE_IN_PROGRESS”. Allow a short time for AWS to create the stack and update the status to “CREATE_COMPLETE”; refresh the AWS CloudFormation page to get the latest status.
Step 3: Connect your account to Orca Security
After the stack has been created, you will need to copy the resulting Amazon Resource Name (ARN) and provide it to Orca.
Navigate to the Outputs tab of the "orca-security" stack and copy the OrcaRoleArn value.
Return to the Orca UI and paste the ARN into the Orca Role ARN field.
Note that the same AWS CloudFormation template also defines the OrcaSecurityStackSet, which is used in the next step of the onboarding process.
Step 4: Create a stack set to connect your organization accounts
Open the AWS StackSet page using the STACKSET PAGE link.
The OrcaSecurityStackSet uses the service-managed permission model: AWS CloudFormation relies on its trusted access with AWS Organizations to create the execution role it needs in every target account automatically, so you do not have to provision IAM roles in each member account by hand, and stack instances can be deployed to the whole organization or to selected organizational units.
When prompted, enable service-managed permissions by clicking Enable trusted access in the info banner on the AWS StackSets page. This action is only available in the management account (or a delegated administrator account).
- Select the OrcaSecurityStackSet from the StackSet list.
- Expand the Actions dropdown menu and select Add stacks to StackSet.
- For the deployment targets, choose between deploying Orca stack instances to your organization or specific organizational units. In this example, we chose the Deploy to organization option to onboard all AWS accounts under our organization.
- Specify a deployment region. The resources the StackSet deploys are IAM resources, which are global, so the region you choose has no effect on what is created, but StackSets requires at least one region. It must be a region that is already enabled in your AWS account.
- Click Next.
- Click Next on the “Specify overrides” page without overriding the ExternalId value. The ExternalId is the value Orca presents when it assumes the role in each account; changing it on the AWS side alone will cause the connection for those accounts to fail.
On the next page, review the deployment configuration and click Continue. You will land on the OrcaSecurityStackSet details page. Depending on the number of AWS accounts being onboarded, the status of the deployment operation is shown as RUNNING or SUCCEEDED. If it is still running, allow several minutes for the process to complete. If the operation ends as FAILED, open the Stack instances tab to see which accounts did not deploy and the status reason for each before continuing.
Return to the Orca UI and click the Connect Accounts button.
Please allow several minutes for the connection to be established. After a successful connection, Orca will redirect you to the Accounts page, where you can check the status of the newly onboarded AWS accounts.
Verify account connection
Scanning will begin immediately after the connection between Orca and your cloud accounts is established. The initial scan time will vary and may take anywhere from a few minutes to a few hours. We recommend that you wait at least 24 hours after onboarding a new account to get the complete picture of your security posture. Subsequent scans take significantly less time.
You can return to the Accounts page from the Settings menu to verify the status of your existing accounts.
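The Accounts page shows the connection status from Orca's side. The script below is an added example, not Orca's code or part of this article, for checking the AWS side of the same onboarding from the management account: it reads the OrcaRoleArn output of the “orca-security” stack, confirms that the Orca role's trust policy requires an external ID and is not open to any AWS principal (standard cross-account hygiene, assumed here rather than stated by the article), confirms that StackSets trusted access is enabled in Organizations, and tallies the OrcaSecurityStackSet instances that are not CURRENT. The helpers work on plain text, so the script also runs offline on the constructed samples embedded at the bottom; the placeholder account IDs and external ID in those samples are made up. Set ORCA_VERIFY_LIVE=1 to run it against AWS with credentials that can read CloudFormation, IAM and Organizations.

```shell
#!/bin/sh
# Added example (not Orca's code): verify the AWS side of an Orca multi-account
# onboarding. Names below come from the article; everything marked "assumed" or
# "constructed" is not from the article.

STACK_NAME="orca-security"                 # stack name from Step 2
OUTPUT_KEY="OrcaRoleArn"                   # output key from Step 3
STACKSET_NAME="OrcaSecurityStackSet"       # StackSet name from Step 4
STACKSETS_PRINCIPAL="member.org.stacksets.cloudformation.amazonaws.com"  # service principal for StackSets trusted access

# role_name_from_arn ARN: print the role name from an IAM role ARN, or fail.
# IAM roles may carry a path (role/path/Name); get-role wants only the name.
role_name_from_arn() {
    case "$1" in
        arn:aws:iam::*:role/*) printf '%s\n' "${1##*/}" ;;
        *) return 1 ;;
    esac
}

# trust_policy_ok JSON: succeed only if the trust policy has an sts:ExternalId
# condition and does not trust the wildcard principal "*". Assumed check, not
# an Orca requirement; a text match is enough for a one-statement trust policy.
trust_policy_ok() {
    policy="$1"
    printf '%s' "$policy" | grep -q '"sts:ExternalId"' \
        || { echo "trust policy has no sts:ExternalId condition"; return 1; }
    if printf '%s' "$policy" | grep -Eq '"AWS"[[:space:]]*:[[:space:]]*"\*"'; then
        echo "trust policy allows any AWS principal to assume the role"
        return 1
    fi
    return 0
}

# trusted_access_enabled: read the enabled service principals on stdin (one per
# line, as list-aws-service-access-for-organization --output text prints them)
# and succeed if the StackSets principal is among them.
trusted_access_enabled() {
    grep -Fq "$STACKSETS_PRINCIPAL"
}

# summarize_instances: read "account status" rows on stdin (the shape of
# list-stack-instances --query 'Summaries[].[Account,Status]' --output text)
# and print "current=N problem=M", then one line per non-CURRENT account.
summarize_instances() {
    awk '
        NF >= 2 && $2 == "CURRENT" { cur++; next }
        NF >= 2 { bad++; problems = problems "\n" $1 " " $2 }
        END { printf "current=%d problem=%d%s\n", cur + 0, bad + 0, problems }'
}

if [ "${ORCA_VERIFY_LIVE:-0}" = "1" ]; then
    # Live path: requires the AWS CLI and management-account credentials.
    role_arn=$(aws cloudformation describe-stacks --stack-name "$STACK_NAME" \
        --query "Stacks[0].Outputs[?OutputKey=='$OUTPUT_KEY'].OutputValue" --output text)
    role_name=$(role_name_from_arn "$role_arn") || { echo "no $OUTPUT_KEY output found"; exit 1; }
    policy=$(aws iam get-role --role-name "$role_name" \
        --query Role.AssumeRolePolicyDocument --output json)
    trust_policy_ok "$policy" && echo "trust policy ok for $role_arn"
    if aws organizations list-aws-service-access-for-organization \
        --query 'EnabledServicePrincipals[].ServicePrincipal' --output text | trusted_access_enabled; then
        echo "StackSets trusted access is enabled"
    else
        echo "StackSets trusted access is NOT enabled (Step 4 banner)"
    fi
    aws cloudformation list-stack-instances --stack-set-name "$STACKSET_NAME" \
        --query 'Summaries[].[Account,Status]' --output text | summarize_instances
else
    # Offline demo on constructed samples (placeholder account IDs, made-up external ID).
    SAMPLE_TRUST_POLICY='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111111111111:root"},"Action":"sts:AssumeRole","Condition":{"StringEquals":{"sts:ExternalId":"example-external-id"}}}]}'
    SAMPLE_INSTANCES=$(printf '222222222222 CURRENT\n333333333333 CURRENT\n444444444444 OUTDATED\n555555555555 INOPERABLE\n666666666666 CURRENT\n')
    trust_policy_ok "$SAMPLE_TRUST_POLICY" && echo "sample trust policy ok"
    printf '%s\n' "$STACKSETS_PRINCIPAL" | trusted_access_enabled && echo "sample trusted access enabled"
    printf '%s\n' "$SAMPLE_INSTANCES" | summarize_instances
fi
```

An account listed as OUTDATED or INOPERABLE by the last check has no usable Orca role even though the StackSet operation as a whole may have reported SUCCEEDED, which is the first thing to look at when an account stays unconnected on the Orca Accounts page.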