diff --git a/.github/wordlist.txt b/.github/wordlist.txt index 24273ad..bce0eb7 100644 --- a/.github/wordlist.txt +++ b/.github/wordlist.txt @@ -1,5 +1,6 @@ ABCDEF ABCDEFG +ABI ACL ACS AIDAXRCSSEFWMXXXXXXXX diff --git a/Control-Tower/README.md b/Control-Tower/README.md index cf0cde1..b2db5be 100644 --- a/Control-Tower/README.md +++ b/Control-Tower/README.md 
@@ -2,12 +2,10 @@ ![Twitter URL](https://img.shields.io/twitter/url?label=Follow%20%40CrowdStrike&style=social&url=https%3A%2F%2Ftwitter.com%2FCrowdStrike) -# CrowdStrike with AWS Control Tower +# Automated AWS Account Onboarding with Falcon Cloud Security via AWS Control Tower -CrowdStrike now supports AWS Organization registration directly from the CrowdStrike console. This is the recommended and officially supported approach for customers looking to onboard their AWS accounts across their AWS Organization(s) into the platform. +CrowdStrike now supports AWS Organization registration through the AWS Built-In (ABI) program. ABI is a differentiation program that validates AWS Partner solutions that have automated their integrations with relevant AWS foundational services such as identity, management, security, and operations. -> Note: We strongly recommend that you review the requirements section before proceeding so that you understand the resources that the registration process will create for you. For details, please refer to this [document](horizon-organization-onboarding.md) +This AWS Built-In (ABI) solution deploys CrowdStrike Falcon Cloud Security integrations for AWS Organizations on the AWS Cloud. It’s for IT administrators and security professionals who want to provide Cloud Security Posture Management (CSPM) across multiple AWS accounts. -## Instructions - -The AWS Control Tower integration is being updated to reflect the recent updates to Falcon CSPM account registration process. The project will be released shortly, with major improvements to functionality and user experience to come. +[Click Here to Get Started](https://aws-abi.s3.amazonaws.com/guide/cfn-abi-crowdstrike-fcs/index.html) diff --git a/Control-Tower/horizon-organization-onboarding.md b/Control-Tower/horizon-organization-onboarding.md deleted file mode 100644 index 0dd3be4..0000000 --- a/Control-Tower/horizon-organization-onboarding.md +++ /dev/null 
@@ -1,48 +0,0 @@ - -# Registering AWS Organizations within Falcon Horizon - -CrowdStrike's AWS Organization registration process is designed to support all AWS Organization setups, including AWS Control Tower. This document provides an overview of the registration process and the resources it creates. - -## Overview - -Falcon Horizon delivers continuous agentless discovery and visibility of cloud-native assets from the host to the cloud, providing valuable context and insights into the overall security posture and the actions required to prevent potential security incidents. Falcon Horizon also provides intelligent agentless monitoring of cloud resources to detect *Indicators of Misconfiguration (IOM)* by assuming an IAM Role in your AWS accounts and performing API queries to discover and assess the state of your assets. - -By processing a real-time stream of events across your accounts via Amazon EventBridge, CrowdStrike applies algorithms that reveal adversarial or anomalous activities that would otherwise go unnoticed. CrowdStrike enriches these events with CrowdStrike threat data and correlates this data with historical events in your environment. If suspicious activity is detected, CrowdStrike will generate an *Indicator of Attack (IOA)* alert. Each IOA is prioritized with the likelihood of activity being malicious through a scoring matrix and mapped to the MITRE ATT&CK framework. - -CrowdStrike's adversary-focused approach provides real-time threat intelligence on ~200 adversary groups, 50+ IOA detections and guided remediation that improves investigation speed by up to 88%, enabling teams to respond faster and stop breaches. - -| ![Falcon Horizon data flow architecture diagram](./images/horizon-general-data-flow.png) | -|:--:| -| *Falcon Horizon data flow architecture diagram* | - -## Resources created by the registration process - -The registration process creates the following resources across your accounts: - -1. 
An IAM Role in each account that is assumed by CrowdStrike to discover assets and assess them for *Indicators of Misconfiguration*. - -1. Amazon EventBridge rules in each active region of every account that forward AWS CloudTrail events to CrowdStrike. CrowdStrike uses these events to scan for *Indicators of Attack*. - 1. *Optional, but highly recommended. Enabled by default* - -1. An additional *Organization Wide* CloudTrail trail in the master or delegated account to forward `read` events from CloudTrail. - 1. *Optional, but recommended. The additional trail is disabled by default, as this is an additional cost item.* - 1. *AWS CloudTrail doesn't forward `read` events to Amazon EventBridge as of this writing, hence the need for an additional trail to receive all possible events* - -| ![Falcon Horizon Indicators of Attack (IOA) architecture diagram](./images/horizon-ioa-data-flow.png) | -|:--:| -| *Falcon Horizon Indicators of Attack (IOA) architecture diagram* | - -### CloudFormation templates - -The registration process deploys the following CloudFormation resource: - -| Name | Type | Description | -|:- | :- | :- | -| CrowdStrike-CSPM-Integration | Stack | CloudFormation Stack that deploys a StackSet instance in every account within your AWS Organization *(see below)* | -| CrowdStrike-CSPM-Integration | StackSet | This is a `SERVICE-MANAGED` StackSet that defines the IAM Role which CrowdStrike assumes to discover and assess the state of the resources in your account. | -| CrowdStrike-CSPM-Integration-EB | StackSet | This is a `SERVICE-MANAGED` StackSet that defines the Amazon EventBridge rules in every active region in your accounts. | -| CrowdStrike-CSPM-Integration-Root-EB | StackSet | This is a `SELF-MANAGED` StackSet that defines the Amazon EventBridge rules in every region of your organization master account. 
| - -## Resources - -- [Detect Adversary Behavior in Milliseconds with CrowdStrike and Amazon EventBridge](https://aws.amazon.com/blogs/architecture/detect-adversary-behavior-in-seconds-with-crowdstrike-and-amazon-eventbridge/)
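Review bot: in the Control-Tower/README.md hunk, dropping the `> Note: We strongly recommend that you review the requirements section before proceeding ...` line and its link to horizon-organization-onboarding.md leaves the README with no statement of what the ABI deployment creates inside the customer's accounts (the cross-account IAM role that CrowdStrike assumes, the EventBridge rules that forward CloudTrail events to CrowdStrike, the optional organization-wide trail), while the only remaining pointer is an externally hosted guide at `https://aws-abi.s3.amazonaws.com/guide/cfn-abi-crowdstrike-fcs/index.html`. Suggest keeping a short "What this deploys" list or a prerequisites paragraph in the README so an administrator can review the IAM trust policy and permissions before clicking through, and naming the ABI package (`cfn-abi-crowdstrike-fcs`, taken from the link path) so the CloudFormation templates can be located and inspected before they are deployed. Minor wording: "AWS Built-In (ABI)" is expanded in two consecutive sentences, so "This AWS Built-In (ABI) solution deploys" can become "This ABI solution deploys"; the sentence "ABI is a differentiation program that validates AWS Partner solutions ..." describes the partner program rather than what gets installed and could be cut or moved below the deployment summary; and "[Click Here to Get Started]" would be clearer as descriptive link text such as the guide's title.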
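Review bot: the deletion of Control-Tower/horizon-organization-onboarding.md removes the in-repo description of the resources that registration creates (the IAM role assumed by CrowdStrike in each account, the EventBridge rules in every active region of every account, the optional organization-wide CloudTrail trail with its cost caveat and the note that CloudTrail does not forward `read` events to Amazon EventBridge) together with the table naming the `CrowdStrike-CSPM-Integration`, `CrowdStrike-CSPM-Integration-EB` and `CrowdStrike-CSPM-Integration-Root-EB` Stack/StackSets and their `SERVICE-MANAGED`/`SELF-MANAGED` types, which is exactly what an auditor greps for when reconciling deployed stacks against what was approved; consider moving that "Resources created by the registration process" section and the StackSet table into the README or the ABI guide rather than dropping them. The file also references `./images/horizon-general-data-flow.png` and `./images/horizon-ioa-data-flow.png`, and this patch shows no change to those files; if they still exist under Control-Tower/images they are now orphaned and should be removed in the same change. The `master` account wording in the deleted text would have been better as `management account`, but that is moot once the file is gone.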