Needing help with MS Defender for Cloud monitoring AWS master account (issue with failing to verify Defender for Cloud connector with the created CloudFormation template)


Good afternoon,

Needing some advice: we're looking to get MS Defender for Cloud to see and monitor one of our AWS master accounts and any member accounts linked to it via AWS Organizations under this master account. The process seems simple enough: creating the AWS connector in MS Defender for Cloud generates a CloudFormation template for you to deploy as a StackSet in CloudFormation in the AWS master account (this also seems fairly straightforward and is successfully deployed), but then, when going back to complete the AWS connector wizard in MS Defender for Cloud and verifying/completing, it cannot connect to the AWS master account and fails with an error:

{"statusCode":400,"errorMessage":"error occured for security connector: Identity provider is missing from AWS account/s. Defender for Cloud cannot authenticate without it. Create the identity provider to complete the onboarding.","errorCorrelation":"xxxxxxxxxxxx"}

This seems fairly clear that there's no identity provider at the master account level, and sure enough, when going in and checking IAM for the master account, there is no new identity provider created and also no new roles/policies/etc. that I expect would/should be created for the Defender for Cloud connector at this master account level. Yet when I check a member account lower down in the org, these new settings for the identity provider and roles/policies/etc. are there (this member account also has a CloudFormation stack newly created from the StackSet created at the master account level). To confirm, the CloudFormation StackSet template was also deployed/set up using the root account for our AWS master account. My understanding would be that creating a CloudFormation StackSet at the master account level would/should create the identity provider and roles/policies/etc. at the master account level as well as the member account level (and in any further member accounts you add into the AWS Organization under this master account). Just to clarify, the correct master account number was set up when setting up the AWS connector in Defender for Cloud. I've raised this as a ticket with Microsoft support and demonstrated this behaviour a few times to them, and they can't really give an explanation for it and are now saying to talk with AWS as to why this may be happening (good old Microsoft!).

Any advice on this is appreciated in advance :-)

1 Answer

It sounds like you're encountering an issue with the integration between Microsoft Defender for Cloud and AWS, specifically around the creation of the identity provider and roles/policies at the AWS master account level.

Here are a few things you can try to resolve this issue:

  1. Verify the CloudFormation StackSet deployment:

    • Ensure that the CloudFormation StackSet was deployed successfully at the master account level.
    • Check the CloudFormation StackSet events and logs for any errors or issues during the deployment.
    • Verify that the StackSet was deployed to the correct AWS Organization and that the master account is part of the target accounts.
  2. Check the IAM identity provider and roles/policies:

    • Manually check the IAM console in the AWS master account to see if the identity provider and the necessary roles/policies have been created.
    • Ensure that the identity provider is of the correct type (e.g., SAML) and that it's configured correctly.
    • Verify that the roles and policies are named and configured as expected by Defender for Cloud.
  3. Troubleshoot the StackSet deployment process:

    • Review the AWS CloudFormation documentation on StackSets and ensure that you've followed the correct steps for deploying the StackSet.
    • Check if there are any IAM-related permissions or configurations that might be preventing the StackSet deployment from creating the necessary resources in the master account.
    • Try deploying the template manually as a stack in the master account, instead of using the StackSet, to see if the issue is specific to the StackSet deployment process.
  4. Validate the AWS Organization and member accounts:

    • Ensure that the AWS Organization is configured correctly and that the master account and member accounts are properly set up.
    • Check if the member accounts are properly linked to the master account in the AWS Organization.
    • Verify that the CloudFormation StackSet is being deployed to the correct target accounts, including the master account.
  5. Engage with AWS and Microsoft support:

    • Continue to work with the Microsoft support team, as they may be able to provide more insights or escalate the issue to the appropriate engineering teams.
    • Reach out to AWS support as well, as they may be able to help troubleshoot any AWS-specific issues or configurations that could be causing the problem.

It's important to note that the identity provider and roles/policies should be created at the master account level, and then propagated to the member accounts through the AWS Organization. If this is not happening as expected, there may be an underlying issue that needs to be addressed.

By following these troubleshooting steps and working closely with both AWS and Microsoft support, you should be able to identify and resolve the issue, allowing Defender for Cloud to successfully monitor your AWS master account and member accounts.

AWS
JonQ
answered 8 days ago
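The checks in the answer above (is there a stack instance in the master/management account, and is the identity provider present there) can be scripted against the AWS APIs rather than clicked through in the console. The following is an added example, not code from the question, the answer, Microsoft or AWS. It assumes the connector relies on an IAM OIDC identity provider whose issuer host is sts.windows.net (Microsoft Entra ID), and the StackSet name "DefenderForCloud" is a hypothetical placeholder for whatever name was chosen when deploying the template. The decision logic is kept in pure functions over the API responses so it can be exercised with the constructed sample data embedded below; main() runs the same logic live with boto3 using credentials for the management account. One check it encodes is AWS's documented StackSets behaviour: a StackSet with service-managed permissions targeting the organization or an OU creates stack instances in member accounts but not in the management account itself, which matches the symptom described in the question.

```python
"""Diagnose the Defender for Cloud AWS connector symptom from the question:
stack instances and the IAM identity provider exist in member accounts,
but nothing was created in the management (master) account.

Added example, not Microsoft's or AWS's code. Assumptions are marked ASSUMPTION.
"""
from __future__ import annotations

# ASSUMPTION: the identity provider the connector relies on is an IAM OIDC
# provider whose issuer host is sts.windows.net (Microsoft Entra ID).
ENTRA_ISSUER_HOST = "sts.windows.net"


def entra_oidc_provider_arns(providers: dict) -> list[str]:
    """Return the provider ARNs from iam.list_open_id_connect_providers()
    that point at Entra ID, i.e. contain the assumed issuer host."""
    return [p["Arn"] for p in providers.get("OpenIDConnectProviderList", [])
            if ENTRA_ISSUER_HOST in p["Arn"]]


def current_stack_instance_accounts(instances: dict) -> set[str]:
    """Return the account IDs that hold a CURRENT stack instance, from the
    Summaries of cloudformation.list_stack_instances()."""
    return {s["Account"] for s in instances.get("Summaries", [])
            if s.get("Status") == "CURRENT"}


def diagnose(caller_account: str, management_account: str,
             providers: dict, instances: dict) -> list[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    findings: list[str] = []
    if caller_account != management_account:
        findings.append("credentials belong to a member account; run this from "
                        "the management account " + management_account)
    if not entra_oidc_provider_arns(providers):
        findings.append("no Entra ID OIDC identity provider exists in this account, "
                        "which is exactly what the connector error reports")
    if management_account not in current_stack_instance_accounts(instances):
        findings.append("the StackSet has no CURRENT stack instance in the management "
                        "account; service-managed StackSets skip the management account, "
                        "so deploy the template there separately as a plain stack")
    return findings


# Constructed sample responses (not real data) mirroring the question:
# two member accounts got a stack, the management account got nothing.
SAMPLE_MANAGEMENT_ACCOUNT = "111111111111"
SAMPLE_PROVIDERS_EMPTY = {"OpenIDConnectProviderList": []}
SAMPLE_PROVIDERS_PRESENT = {"OpenIDConnectProviderList": [
    {"Arn": "arn:aws:iam::111111111111:oidc-provider/sts.windows.net/00000000-0000-0000-0000-000000000000/"},
]}
SAMPLE_INSTANCES_MEMBERS_ONLY = {"Summaries": [
    {"Account": "222222222222", "Region": "us-east-1", "Status": "CURRENT"},
    {"Account": "333333333333", "Region": "us-east-1", "Status": "CURRENT"},
]}


def main(stack_set_name: str = "DefenderForCloud") -> list[str]:
    """Live version: query AWS with boto3 using management-account credentials.
    ASSUMPTION: stack_set_name is whatever name the StackSet was deployed under."""
    import boto3  # imported here so the pure helpers above stay usable offline
    caller = boto3.client("sts").get_caller_identity()["Account"]
    org = boto3.client("organizations").describe_organization()["Organization"]
    providers = boto3.client("iam").list_open_id_connect_providers()
    cfn = boto3.client("cloudformation")
    summaries: list[dict] = []
    for page in cfn.get_paginator("list_stack_instances").paginate(StackSetName=stack_set_name):
        summaries.extend(page["Summaries"])
    return diagnose(caller, org["MasterAccountId"], providers, {"Summaries": summaries})


if __name__ == "__main__":
    for finding in main() or ["all checks passed"]:
        print("FINDING:", finding)
```

If the script reports the missing stack instance, the fix is the one implied by the answer's step 3: deploy the same template as an ordinary CloudFormation stack in the management account, then re-run the connector verification in Defender for Cloud.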
