dome9/unified-onboarding

Unified Onboarding

This repository contains the code for CloudGuard AWS Unified Onboarding.

What is Unified Onboarding

CloudGuard has several separate modules: Inventory + Posture, Intelligence, and Serverless.
Until now, there was a separate, manual onboarding process for each module.
Unified Onboarding solves this: it lets you onboard all modules at once, in a single step, by running one CloudFormation template (CFT) in your environment.

How does it work

You contact CloudGuard with the configuration of which modules you want to onboard and receive a link to the AWS CloudFormation console; running the CFT there completes the onboarding.
The CFT creates a Lambda function that onboards all of the selected modules into CloudGuard.

Note

The Lambda function is deleted once the CFT deployment completes.

Policies

Important

These policies are required for data fetching; the collected metadata is used by the Inventory and Compliance modules.

Required policies

AWS

SecurityAudit (AWS managed policy) - Mandatory - The system relies on most of its actions
ReadOnlyAccess (AWS managed policy) - Optional - An extension to the SecurityAudit policy; reduces the effort of constantly updating CloudGuard-readonly-policy whenever support for newer entities is added
CloudGuard-readonly-policy - Mandatory - An extension to the SecurityAudit policy; contains the minimum required actions
CloudGuard-write-policy - Optional - Required for network security management actions.

AWS-China

SecurityAudit (AWS managed policy) - Mandatory - The system relies on most of its actions
ReadOnlyAccess (AWS managed policy) - Optional - An extension to the SecurityAudit policy; reduces the effort of constantly updating CloudGuard-readonly-policy whenever support for newer entities is added
CloudGuard-readonly-policy - Mandatory - An extension to the SecurityAudit policy; contains the minimum required actions
CloudGuard-write-policy - Optional - Required for network security management actions.

AWS-Gov

SecurityAudit (AWS managed policy) - Mandatory - The system relies on most of its actions
ReadOnlyAccess (AWS managed policy) - Optional - An extension to the SecurityAudit policy; reduces the effort of constantly updating CloudGuard-readonly-policy whenever support for newer entities is added
CloudGuard-readonly-policy - Mandatory - An extension to the SecurityAudit policy; contains the minimum required actions
CloudGuard-write-policy - Optional - Required for network security management actions.
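As an added illustration (not one of the project's own templates), here is a minimal role-based permissions template that attaches the mandatory SecurityAudit policy and, optionally, ReadOnlyAccess, using the AWS::Partition pseudo-parameter so one template works in AWS, AWS-China and AWS-Gov. The CloudGuard account ID and external ID are placeholder parameters (assumptions), and the statements of the project's CloudGuard-readonly-policy are not reproduced here.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example of a read-only cross-account role for CloudGuard (not the project's template)
Parameters:
  CloudGuardAccountId:
    Type: String
    Description: PLACEHOLDER (assumption) - account allowed to assume the role
  ExternalId:
    Type: String
    NoEcho: true
    Description: PLACEHOLDER (assumption) - external ID that must be presented on AssumeRole
  AttachReadOnlyAccess:
    Type: String
    AllowedValues: ['true', 'false']
    Default: 'false'
    Description: Optional - also attach the AWS managed ReadOnlyAccess policy
Conditions:
  UseReadOnlyAccess: !Equals [!Ref AttachReadOnlyAccess, 'true']
Resources:
  CloudGuardReadOnlyRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust only the CloudGuard account, and only when it presents the external ID
      # (the standard guard against the confused-deputy problem for cross-account roles).
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:${AWS::Partition}:iam::${CloudGuardAccountId}:root'
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      # ${AWS::Partition} resolves to aws, aws-cn or aws-us-gov, so the same
      # managed-policy ARNs work in AWS, AWS-China and AWS-Gov.
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/SecurityAudit'      # Mandatory
        - !If
          - UseReadOnlyAccess
          - !Sub 'arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess'   # Optional
          - !Ref AWS::NoValue
      # The mandatory CloudGuard-readonly-policy inline statements are defined in the
      # project's permissions_readonly_cft.yml and are intentionally not reproduced here.
Outputs:
  RoleArn:
    Value: !GetAtt CloudGuardReadOnlyRole.Arn
```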

CloudFormation Templates (CFT)

Role-Based

onboarding.yml
permissions_readonly_cft.yml
permissions_readwrite_cft.yml
serverless_cft.yml
intelligence_cft.yml

User-Based

onboarding.yml
permissions_readonly_cft.yml
permissions_readwrite_cft.yml

Wiki:
https://wiki.checkpoint.com/confluence/display/GlobalPO/CloudGuard+-+Unified+Onboarding

Testing:
https://wiki.checkpoint.com/confluence/pages/viewpage.action?spaceKey=GlobalPO&title=Testing+-+CloudGuard+-+Unified+Onboarding

Flow:
https://wiki.checkpoint.com/confluence/display/GlobalPO/Unified+Onboarding+Flow