Bridgecrew integrates with AWS natively, using CloudFormation as a standardized mechanism to deploy all required configurations.
- AWS Read Access: allows Bridgecrew to perform read-only API calls. These calls enable basic configuration scanning and evaluation.
- AWS Remediation Stack: this optional add-on allows you to remediate policy violations by modifying the configuration of your cloud environment.
The diagram below illustrates the Bridgecrew - AWS Remediation Stack flow. Note that Bridgecrew never has direct write access into your account.
You can use the CloudFormation change set or terraform plan output to view a list of the resources that will be created prior to actually creating them.
The AWS read-only integration creates the following resources:
- IAM role with AWS managed SecurityAudit policy
- An SNS notification message to notify Bridgecrew of the integration
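The following CloudFormation template is an added example of what a read-only integration of this shape looks like; it is not Bridgecrew's own template, and the account ID, external ID, role name and SNS topic ARN are placeholders. It grants the scanning platform's account a cross-account role limited to the AWS managed SecurityAudit policy, and notifies the platform of the new role by sending a CloudFormation custom-resource request to an SNS topic that the platform owns (the ExternalId condition and the SNS-backed custom resource are assumptions about how such an integration is wired, not details taken from the page):

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example (not the vendor's template): read-only scanner role with the
  SecurityAudit managed policy, plus an SNS-backed custom resource that tells
  the scanner the role exists. All IDs and ARNs below are placeholders.

Parameters:
  ScannerAccountId:
    Type: String
    Description: AWS account ID of the scanning platform (placeholder)
    AllowedPattern: "^[0-9]{12}$"
  ExternalId:
    Type: String
    NoEcho: true
    MinLength: 8
    Description: Value the scanner must present when assuming the role (assumed; guards against confused-deputy use of the role)
  ScannerNotificationTopicArn:
    Type: String
    Description: SNS topic in the scanner's account that receives the integration notification (placeholder)
    AllowedPattern: "^arn:aws:sns:[a-z0-9-]+:[0-9]{12}:.+$"

Resources:
  # Read-only role: only the AWS managed SecurityAudit policy, no inline write permissions.
  ScannerReadOnlyRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: example-scanner-read-only
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${ScannerAccountId}:root"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecurityAudit

  # SNS-backed custom resource: CloudFormation publishes a Create/Update/Delete
  # request (with ResourceProperties) to the scanner's topic. The scanner must
  # answer on the pre-signed ResponseURL, otherwise the stack waits until the
  # custom-resource timeout and then rolls back.
  ScannerIntegrationNotification:
    Type: AWS::CloudFormation::CustomResource
    DependsOn: ScannerReadOnlyRole
    Properties:
      ServiceToken: !Ref ScannerNotificationTopicArn
      RoleArn: !GetAtt ScannerReadOnlyRole.Arn
      CustomerAccountId: !Ref AWS::AccountId

Outputs:
  ReadOnlyRoleArn:
    Description: Role the scanner assumes for read-only API calls
    Value: !GetAtt ScannerReadOnlyRole.Arn
```

To inspect what the stack will create before creating it, run `aws cloudformation create-change-set --stack-name example-scanner --change-set-name preview --change-set-type CREATE --capabilities CAPABILITY_NAMED_IAM --template-body file://read-only.yaml --parameters ...` followed by `aws cloudformation describe-change-set --stack-name example-scanner --change-set-name preview`; the `Changes` array lists every resource, and the only IAM resource should be the single role. The notification carries the role ARN and your account ID only; the external ID never leaves your account in that message.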
The remediation integration creates the following resources:
- SQS queue
- Lambda function
- IAM lambda service role
- SSM parameter for Bridgecrew token
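As an added example (again not the vendor's template), the following CloudFormation template creates the same four kinds of resource for a remediation stack: an SQS queue that the platform's account may send to, a Lambda function driven by that queue, a Lambda service role, and an SSM parameter holding the platform token. Queue and parameter names, the platform account ID and the remediation permissions are placeholders; the one write action shown in the Lambda role is an assumed illustration of keeping that role scoped to the fixes a playbook actually applies:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example (not the vendor's template) of a remediation stack: the
  platform only enqueues messages; all writes happen in a Lambda role that
  you own and can scope. Names, IDs and actions are placeholders.

Parameters:
  PlatformAccountId:
    Type: String
    Description: Account allowed to enqueue remediation requests (placeholder)
    AllowedPattern: "^[0-9]{12}$"
  PlatformToken:
    Type: String
    NoEcho: true
    Description: API token the function uses to report results (placeholder)

Resources:
  # CloudFormation cannot create SecureString parameters; a plain String is
  # readable by anyone with ssm:GetParameter on it. Prefer creating a
  # SecureString (or a Secrets Manager secret) out of band and passing its name.
  TokenParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /example/remediation/platform-token
      Type: String
      Value: !Ref PlatformToken

  RemediationQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: example-remediation-queue
      SqsManagedSseEnabled: true   # SSE-SQS works for cross-account producers without a customer KMS key
      VisibilityTimeout: 300       # must exceed the function timeout below

  # Only the platform account, and only SendMessage: it cannot read or purge the queue.
  RemediationQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref RemediationQueue
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${PlatformAccountId}:root"
            Action: sqs:SendMessage
            Resource: !GetAtt RemediationQueue.Arn

  RemediationFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: remediation-scoped
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - sqs:ReceiveMessage
                  - sqs:DeleteMessage
                  - sqs:GetQueueAttributes
                Resource: !GetAtt RemediationQueue.Arn
              - Effect: Allow
                Action: ssm:GetParameter
                Resource: !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter${TokenParameter}"
              - Effect: Allow   # assumed example of one playbook fix; add actions per playbook, never "*"
                Action: s3:PutBucketPublicAccessBlock
                Resource: "*"

  RemediationFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.11
      Handler: index.handler
      Timeout: 60
      Role: !GetAtt RemediationFunctionRole.Arn
      Environment:
        Variables:
          TOKEN_PARAMETER: !Ref TokenParameter
      Code:
        ZipFile: |
          import json
          def handler(event, context):
              # Placeholder body: log each queued request; a real function would
              # validate the request and apply only the fix it is permitted to make.
              for record in event["Records"]:
                  print(json.dumps(json.loads(record["body"])))
              return {"processed": len(event["Records"])}

  QueueToFunction:
    Type: AWS::Lambda::EventSourceMapping
    Properties:
      EventSourceArn: !GetAtt RemediationQueue.Arn
      FunctionName: !Ref RemediationFunction
      BatchSize: 1
```

The design point this illustrates is the one the page makes: the platform's only permission in your account is `sqs:SendMessage` on one queue, so every change is executed by a role you control, and redeploying the stack with a longer `Action` list is how additional remediations get authorised. When reviewing a redeploy prompt, diff the change set against the previous template and confirm that only the `remediation-scoped` policy statements changed.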
- From Integrations Catalog, under Cloud Providers, select AWS.
- Select Integration type (AWS Remediation Stack or AWS Read Access).
- Configure your account by clicking Launch Stack. You'll be redirected to the AWS sign in page in a new tab.
To permit creation of IAM resources, sign in to your user, then click Next.
The CloudFormation template for AWS Remediation Stack can be reviewed here.
If you do not set up AWS Remediation Stack, you will be prompted to do so the first time you attempt to Remediate a violation via Playbook; see Step 4: Investigate Incidents.
From time to time, you may be prompted to redeploy the CloudFormation stack to provide additional roles required to perform remediation.