AWS Cloud Registration

This Terraform module enables registration and configuration of AWS accounts with CrowdStrike’s Falcon Cloud Security.

View on GitHub

Key Features

Asset Inventory
Real-time Visibility and Detection
Identity Protection (IDP)
Sensor Management
Agentless Scanning:
- Data Security Posture Management (DSPM)
- Vulnerability Scanning

Pre-requisites

Generate API Keys

CrowdStrike API keys are required to use this module. It is highly recommended that you create a dedicated API client with only the required scopes.

In the CrowdStrike console, navigate to Support and resources > API Clients & Keys. Click Add new API Client.
Add the required scopes for your deployment:

Option	Scope Name	Permission
Automated account registration	CSPM registration	Read and Write
Automated account registration	Cloud security AWS registration	Read and Write
1-click sensor management	CSPM sensor management	Read and Write
	Installation tokens	Read
	Sensor download	Read
DSPM	DSPM Data scanner	Read and Write

Click Add to create the API client. The next screen will display the API CLIENT ID, SECRET, and BASE URL. You will need all three for the next step.

picture

Usage

terraform {
  required_version = ">= 1.5.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0.0"
    }
    crowdstrike = {
      source  = "CrowdStrike/crowdstrike"
      version = ">= 0.0.58"
    }
  }
}

variable "falcon_client_id" {
  type        = string
  sensitive   = true
  description = "Falcon API Client ID"
}

variable "falcon_client_secret" {
  type        = string
  sensitive   = true
  description = "Falcon API Client Secret"
}

variable "account_id" {
  type        = string
  default     = ""
  description = "The AWS 12 digit account ID"
  validation {
    condition     = length(var.account_id) == 0 || can(regex("^[0-9]{12}$", var.account_id))
    error_message = "account_id must be either empty or the 12-digit AWS account ID"
  }
}

locals {
  enable_realtime_visibility    = true
  primary_region                = "us-east-1"
  enable_idp                    = true
  enable_sensor_management      = true
  enable_dspm                   = true
  enable_vulnerability_scanning = true
  agentless_scanning_regions    = ["us-east-1", "us-east-2"]
  use_existing_cloudtrail       = true
}

provider "crowdstrike" {
  client_id     = var.falcon_client_id
  client_secret = var.falcon_client_secret
}
provider "aws" {
  region = "us-east-1"
  alias  = "us-east-1"
}
provider "aws" {
  region = "us-east-2"
  alias  = "us-east-2"
}

# Provision AWS account in Falcon.
resource "crowdstrike_cloud_aws_account" "this" {
  account_id = local.account_id

  asset_inventory = {
    enabled = true
  }

  realtime_visibility = {
    enabled                 = local.enable_realtime_visibility
    cloudtrail_region       = local.primary_region
    use_existing_cloudtrail = local.use_existing_cloudtrail
  }

  idp = {
    enabled = local.enable_idp
  }

  sensor_management = {
    enabled = local.enable_sensor_management
  }

  dspm = {
    enabled = local.enable_dspm
  }

  vulnerability_scanning = {
    enabled = local.enable_vulnerability_scanning
  }
}

module "fcs_account_onboarding" {
  source                        = "CrowdStrike/cloud-registration/aws"
  falcon_client_id              = var.falcon_client_id
  falcon_client_secret          = var.falcon_client_secret
  account_id                    = var.account_id
  primary_region                = local.primary_region
  enable_sensor_management      = local.enable_sensor_management
  enable_realtime_visibility    = local.enable_realtime_visibility
  enable_idp                    = local.enable_idp
  use_existing_cloudtrail       = local.use_existing_cloudtrail
  enable_dspm                   = local.enable_dspm && contains(local.agentless_scanning_regions, "us-east-1")
  enable_vulnerability_scanning = local.enable_vulnerability_scanning && contains(local.agentless_scanning_regions, "us-east-1")
  agentless_scanning_regions    = local.agentless_scanning_regions

  iam_role_name                = crowdstrike_cloud_aws_account.this.iam_role_name
  external_id                  = crowdstrike_cloud_aws_account.this.external_id
  intermediate_role_arn        = crowdstrike_cloud_aws_account.this.intermediate_role_arn
  eventbus_arn                 = crowdstrike_cloud_aws_account.this.eventbus_arn
  agentless_scanning_role_name = crowdstrike_cloud_aws_account.this.agentless_scanning_role_name
  cloudtrail_bucket_name       = crowdstrike_cloud_aws_account.this.cloudtrail_bucket_name

  providers = {
    aws         = aws.us-east-1
    crowdstrike = crowdstrike
  }
}

# For each region where you want to onboard DSPM features or Vulnerability Scanning features
# - duplicate this module
# - update the provider with region specific one
# If you want to onboard Real-time Visibility with 'eventbridge' as the log_ingestion_method, for each region you want to onboard Real-Time Visibility features
# - duplicate this module
# - update the provider with region specific one
# If you want to onboard Real-time Visibility with 's3' as the log_ingestion_method, for the region that your SNS topic is in
# - duplicate this module
# - update the provider with region specific one
module "fcs_account_us_east_2" {
  source                        = "CrowdStrike/cloud-registration/aws"
  falcon_client_id              = var.falcon_client_id
  falcon_client_secret          = var.falcon_client_secret
  account_id                    = var.account_id
  primary_region                = local.primary_region
  enable_sensor_management      = local.enable_sensor_management
  enable_realtime_visibility    = local.enable_realtime_visibility
  enable_idp                    = local.enable_idp
  use_existing_cloudtrail       = local.use_existing_cloudtrail
  enable_dspm                   = local.enable_dspm && contains(local.agentless_scanning_regions, "us-east-2")
  enable_vulnerability_scanning = local.enable_vulnerability_scanning && contains(local.agentless_scanning_regions, "us-east-2")
  agentless_scanning_regions    = local.agentless_scanning_regions

  iam_role_name                                 = crowdstrike_cloud_aws_account.this.iam_role_name
  external_id                                   = crowdstrike_cloud_aws_account.this.external_id
  intermediate_role_arn                         = crowdstrike_cloud_aws_account.this.intermediate_role_arn
  eventbus_arn                                  = crowdstrike_cloud_aws_account.this.eventbus_arn
  agentless_scanning_role_name                  = crowdstrike_cloud_aws_account.this.agentless_scanning_role_name
  cloudtrail_bucket_name                        = crowdstrike_cloud_aws_account.this.cloudtrail_bucket_name
  agentless_scanning_integration_role_unique_id = module.fcs_account_onboarding.integration_role_unique_id
  agentless_scanning_scanner_role_unique_id     = module.fcs_account_onboarding.scanner_role_unique_id

  providers = {
    aws         = aws.us-east-2
    crowdstrike = crowdstrike
  }
}

Providers

Name	Version
aws	>= 5.0.0
crowdstrike	>= 0.0.44

Resources

Name	Type
aws_caller_identity.current	data source
aws_region.current	data source
crowdstrike_cloud_aws_account.target	data source

Inputs

Name	Description	Type	Default	Required
account_id	The AWS 12 digit account ID	`string`	`""`	no
account_type	Account type can be either ‘commercial’ or ‘gov’	`string`	`"commercial"`	no
agentless_scanning_create_nat_gateway	Set to true to create a NAT Gateway for agentless scanning environments	`bool`	`true`	no
agentless_scanning_custom_vpc_resources_map	Map of regions to custom VPC resources for Agentless Scanning deployment. Each region can specify existing VPC resources to use instead of creating new ones. Example: { “us-east-1” = { vpc = “vpc-0123456789abcdef0” scanner_subnet = “subnet-0123456789abcdef0” scanner_sg = “sg-0123456789abcdef0” db_subnet_a = “subnet-1123456789abcdef0” db_subnet_b = “subnet-2123456789abcdef0” db_sg = “sg-1123456789abcdef0” } } All resource IDs must exist in the specified region.	map(object({ vpc = string scanner_subnet = string scanner_sg = string db_subnet_a = string db_subnet_b = string db_sg = string }))	`{}`	no
agentless_scanning_host_account_id	The AWS account ID where agentless scanning host resources are deployed	`string`	`""`	no
agentless_scanning_host_role_name	Name of agentless scanning integration role in host account	`string`	`"CrowdStrikeAgentlessScanningIntegrationRole"`	no
agentless_scanning_host_scanner_role_name	Name of agentless scanning scanner role in host account	`string`	`"CrowdStrikeAgentlessScanningScannerRole"`	no
agentless_scanning_integration_role_unique_id	The unique ID of the Agentless scanning integration role	`string`	`""`	no
agentless_scanning_regions	List of regions where agentless scanning will be deployed	`list(string)`	[ “us-east-1” ]	no
agentless_scanning_role_name	The unique name of the IAM role that Agentless scanning will be assuming	`string`	`"CrowdStrikeAgentlessScanningIntegrationRole"`	no
agentless_scanning_scanner_role_name	The unique name of the IAM role that Agentless scanning scanner will be assuming	`string`	`"CrowdStrikeAgentlessScanningScannerRole"`	no
agentless_scanning_scanner_role_unique_id	The unique ID of the Agentless scanning scanner role	`string`	`""`	no
agentless_scanning_use_custom_vpc	Use existing custom VPC resources for ALL deployment regions (requires agentless_scanning_custom_vpc_resources_map with all regions)	`bool`	`false`	no
cloudtrail_bucket_name	Name of the S3 bucket for CloudTrail logs	`string`	`""`	no
create_rtvd_rules	Set to false if you don’t want to enable monitoring in this region	`bool`	`true`	no
dspm_create_nat_gateway	DEPRECATED: Use agentless_scanning_create_nat_gateway instead. Set to true to create a NAT Gateway for DSPM scanning environments	`bool`	`true`	no
dspm_dynamodb_access	Apply permissions for DSPM DynamoDB table scanning	`bool`	`true`	no
dspm_ebs_access	Apply permissions for DSPM VM scanning	`bool`	`true`	no
dspm_integration_role_unique_id	DEPRECATED: Use agentless_scanning_integration_role_unique_id instead. The unique ID of the DSPM integration role	`string`	`""`	no
dspm_rds_access	Apply permissions for RDS instance scanning	`bool`	`true`	no
dspm_redshift_access	Apply permissions for DSPM Redshift cluster scanning	`bool`	`true`	no
dspm_regions	DEPRECATED: Use agentless_scanning_regions instead. List of regions where DSPM scanning will be deployed	`list(string)`	`[]`	no
dspm_role_name	DEPRECATED: Use agentless_scanning_role_name instead. The unique name of the IAM role that DSPM will be assuming	`string`	`""`	no
dspm_s3_access	Apply permissions for DSPM S3 bucket scanning	`bool`	`true`	no
dspm_scanner_role_name	DEPRECATED: Use agentless_scanning_scanner_role_name instead. The unique name of the IAM role that CrowdStrike Scanner will be assuming	`string`	`""`	no
dspm_scanner_role_unique_id	DEPRECATED: Use agentless_scanning_scanner_role_unique_id instead. The unique ID of the DSPM scanner role	`string`	`""`	no
enable_dspm	Set to true to enable Data Security Posture Managment	`bool`	`false`	no
enable_idp	Set to true to install Identity Protection resources	`bool`	`false`	no
enable_realtime_visibility	Set to true to install realtime visibility resources	`bool`	`false`	no
enable_sensor_management	Set to true to install 1Click Sensor Management resources	`bool`	n/a	yes
enable_vulnerability_scanning	Set to true to enable Vulnerability Scanning	`bool`	`false`	no
eventbridge_role_name	The eventbridge role name	`string`	`"CrowdStrikeCSPMEventBridge"`	no
eventbus_arn	Eventbus ARN to send events to	`string`	`""`	no
external_id	The external ID used to assume the AWS reader role	`string`	`""`	no
falcon_client_id	Falcon API Client ID	`string`	n/a	yes
falcon_client_secret	Falcon API Client Secret	`string`	n/a	yes
iam_role_name	The name of the reader role	`string`	`""`	no
intermediate_role_arn	The intermediate role that is allowed to assume the reader role	`string`	`""`	no
is_gov	Set to true if you are deploying in gov Falcon	`bool`	`false`	no
log_ingestion_kms_key_arn	Optional KMS key ARN for decrypting S3 objects (when log_ingestion_method=s3)	`string`	`""`	no
log_ingestion_method	Choose the method for ingesting CloudTrail logs - eventbridge (default) or s3	`string`	`"eventbridge"`	no
log_ingestion_s3_bucket_name	S3 bucket name containing CloudTrail logs (required when log_ingestion_method=s3)	`string`	`""`	no
log_ingestion_s3_bucket_prefix	Optional S3 bucket prefix/path for CloudTrail logs (when log_ingestion_method=s3)	`string`	`""`	no
log_ingestion_sns_topic_arn	SNS topic ARN that publishes S3 object creation events (required when log_ingestion_method=s3)	`string`	`""`	no
organization_id	The AWS Organization ID. Leave blank if when onboarding single account	`string`	`""`	no
permissions_boundary	The name of the policy used to set the permissions boundary for IAM roles	`string`	`""`	no
primary_region	Region for deploying global AWS resources (IAM roles, policies, etc.) that are account-wide and only need to be created once. Distinct from agentless_scanning_regions which controls region-specific resource deployment.	`string`	n/a	yes
resource_prefix	The prefix to be added to all resource names	`string`	`"CrowdStrike"`	no
resource_suffix	The suffix to be added to all resource names	`string`	`""`	no
tags	A map of tags to add to all resources that support tagging	`map(string)`	`{}`	no
use_existing_cloudtrail	Set to true if you already have a cloudtrail	`bool`	`false`	no
use_existing_iam_reader_role	Set to true if you want to use an existing IAM role for asset inventory	`bool`	`false`	no
vpc_cidr_block	VPC CIDR block	`string`	`"10.0.0.0/16"`	no

Outputs

Name	Description
integration_role_unique_id	The unique ID of the DSPM integration role
scanner_role_unique_id	The unique ID of the DSPM scanner role