CrowdStrike Cloud Security

This guide is for customers who are building a CrowdStrike Cloud Security integration solution using the AWS Built-In (ABI) program. It walks you through the process of onboarding your AWS organization with CrowdStrike Cloud Security.

ABI is a differentiation program that validates AWS Partner solutions that have automated their integrations with relevant AWS foundational services such as identity, management, security, and operations. It helps customers find and deploy a validated partner solution that addresses specific customer use cases while providing deep visibility and control of AWS native service integration.


Code for this solution is maintained in GitHub.


Overview

This AWS Built-In (ABI) solution deploys CrowdStrike Cloud Security integrations for AWS Organizations on the AWS Cloud. It’s for IT administrators and security professionals who want to provide endpoint protection and Cloud Security Posture Management (CSPM) across multiple AWS accounts.

Deploying this ABI solution doesn’t guarantee an organization’s compliance with any laws, certifications, policies, or other regulations.

Protect endpoints with an intelligent, lightweight agent that consolidates point products and stops advanced attacks — both malware and malware-free — while capturing rich endpoint activity for industry-leading detection and response.

Avoid breaches and make sure your cloud security configuration meets industry security recommendations with CrowdStrike Cloud Security. Cloud Security monitors your cloud services to detect critical security issues, common configuration errors, and patterns of suspicious behavior. Triage findings and find recommended remediations to close the gaps and keep your cloud data secure.

Get started with Cloud Security by registering your cloud accounts. Registration grants CrowdStrike limited read-only access to the account. When you register through this ABI solution, every account in the AWS organization is registered automatically.

AWS Marketplace listing

CrowdStrike Falcon Cloud Security


Terminologies

  • ABI: AWS Built-In.
  • ABI modules: The GitHub repositories based on AWS Security Reference Architecture (AWS SRA). Modules provide templates for enabling AWS foundational services such as AWS CloudTrail, Amazon GuardDuty, AWS Security Hub, etc.
  • ABI solutions: The GitHub repositories built by partners in collaboration with AWS. While building these solutions, partners use ABI modules to enable AWS services as needed before creating partner-specific assets. The solution contains (1) Infrastructure as Code (IaC) templates to automate enablement of both AWS and partner services, and (2) wrappers for the most common formats, such as the CfCT manifest and AWS Service Catalog baselines, so customers can pick and choose from the available services.
  • Assessment: An individual instance when CrowdStrike compares your cloud settings to the CSPM policies.
  • Assessment schedules: You can select how frequently your cloud environment is assessed for misconfigurations. You can also exclude AWS services and Regions from assessment.
  • Behavioral: Patterns of suspicious behavior in your cloud environment.
  • Configuration: Findings based on policies and benchmarks compared to your cloud configuration.
  • CrowdStrike API client: CrowdStrike Falcon API client credentials used to obtain an OAuth 2.0 token for the CrowdStrike APIs. Consists of an API client ID and an API client secret.
  • CrowdStrike event bus: The AWS event bus in CrowdStrike’s environment for receiving events and providing the data to CrowdStrike Cloud Security service.
  • CSPM policies: A set of rules defined to detect misconfigurations of the cloud resources (IOMs) or to detect suspicious behavior patterns (IOAs).
  • ECR Registry Connections: Registration of the ECR registries in each account and Region with the Falcon registry connection service, so that container images are assessed for vulnerabilities before they run (see ECR Connections under How it Works).
  • Indicator of attack (IOA): A pattern of suspicious behavior that suggests an attack might be underway. In CrowdStrike Cloud Security, IOAs are labeled as findings.
  • Indicator of misconfiguration (IOM): A configuration setting that doesn’t follow recommended security guidelines and might become a security vulnerability in a cloud environment. In CrowdStrike Cloud Security, IOMs are labeled as findings.
  • Registration: Enroll your AWS account ID with the CrowdStrike Cloud Security service.
  • Sensor Management: Enable 1-click sensor deployment to quickly and easily deploy the Falcon sensor to your cloud workloads. Use the Deployment dashboard to discover unmanaged AWS hosts and unregistered AWS accounts and to kick start workflows to register your cloud accounts and automate sensor deployments.
  • SSM Distributor: Install the Falcon sensor on instances across your AWS accounts using AWS SSM State Manager Associations.


Cost and Licenses

CrowdStrike Falcon cost and licenses

AWS service cost

In addition to the CrowdStrike Falcon cost, consider costs associated with the AWS services you choose and the scale of your operations. AWS services such as EventBridge, CloudTrail, Lambda, Amazon S3, and AWS Key Management Service (AWS KMS) may have associated costs.

ABI cost and licenses

Using ABI doesn’t incur additional charges. You are charged only for the resources that ABI consumes. If other ABI licenses are required for your specific use case, obtain those separately.

ABI License


How it Works

Indicators of Misconfiguration (IOM)

Falcon Cloud Security performs configuration assessments to identify IOMs. These are configuration settings in your cloud environment that don’t follow recommended security guidelines and could be a security risk. CrowdStrike leverages read-only IAM permissions to collect the asset inventory and detect IOMs in your cloud environment.

This is accomplished by a single IAM Role, commonly referred to as the “reader role”, deployed to each account of the AWS Organization.

The role carries only read-only permissions, granted by the AWS-managed SecurityAudit policy combined with a custom inline policy.

Note: This role will also be deployed in the Organization Management or Delegated Admin account to enable automatic registration of new AWS Accounts through the organizations:ListAccounts permission.
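A reviewer will want to confirm after deployment that the reader role really is read-only and that only the partner account can assume it. The script below is an added example, not part of the CrowdStrike ABI solution or its templates: it audits an identity policy for any Allow action whose verb is not a read verb, checks the trust policy for principals outside the expected account, and flags a missing sts:ExternalId condition (the usual confused-deputy guard for third-party roles; the page does not describe the template's trust policy, so that check is a general recommendation rather than a statement about it). The read-verb list, the partner account ID 111111111111 and both policy documents are constructed for the example.

```python
"""Audit a CSPM reader role: only read actions, and a tightly scoped trust policy.

Added example (not part of the CrowdStrike ABI solution): the reader role is
documented as carrying only read-only permissions from the AWS-managed
SecurityAudit policy plus an inline policy. Run a check like this over the
role's policy documents after deployment. The sample documents are constructed.
"""
import json

# Verbs treated as read-only. The list is the reviewer's own (assumption), so
# anything outside it is reported for a human to confirm, not auto-denied.
READ_ONLY_VERBS = ("Get", "List", "Describe", "Lookup", "Search", "View",
                   "Check", "Simulate", "Estimate", "Query", "Select")


def _as_list(value):
    """IAM accepts a single string or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only_action(action):
    """True for e.g. 'iam:ListUsers' or 's3:Get*'; False for '*' and 'service:*'."""
    if ":" not in action:
        return False                      # a bare '*' matches every write too
    verb = action.split(":", 1)[1]
    if not verb or verb.startswith("*"):
        return False
    return verb.startswith(READ_ONLY_VERBS)


def find_write_actions(policy):
    """Return the Allow actions in an identity policy that are not clearly read-only."""
    findings = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.add("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for action in _as_list(stmt.get("Action")):
            if not is_read_only_action(action):
                findings.add(action)
    return sorted(findings)


def untrusted_principals(trust_policy, expected_account):
    """Return AWS principals in the trust policy outside the expected partner account."""
    bad = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            bad.append("*")
            continue
        for who in _as_list(principal.get("AWS")):
            if who != expected_account and f":{expected_account}:" not in who:
                bad.append(who)
    return bad


def missing_external_id(trust_policy):
    """True if an AssumeRole statement has no sts:ExternalId condition.

    General recommendation for roles a third party assumes (confused deputy);
    the page does not state what the template's trust policy contains.
    """
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            return True
    return False


# Constructed sample inline policy: read actions in the style of SecurityAudit,
# plus one deliberately out-of-place write action for the audit to catch.
SAMPLE_INLINE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["organizations:ListAccounts", "ec2:DescribeInstances",
                "s3:GetBucketPolicy", "iam:Get*", "cloudtrail:LookupEvents"]},
    {"Effect": "Allow", "Resource": "*", "Action": "ec2:ModifyInstanceAttribute"}
  ]
}
""")

# Constructed sample trust policy; 111111111111 stands in for the partner account.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}

if __name__ == "__main__":
    print("non-read actions:", find_write_actions(SAMPLE_INLINE_POLICY))
    print("untrusted principals:", untrusted_principals(SAMPLE_TRUST_POLICY, "111111111111"))
    print("missing ExternalId:", missing_external_id(SAMPLE_TRUST_POLICY))
```

Feed it the documents returned by `iam get-role`, `iam get-role-policy` and the SecurityAudit policy version; an empty list from `find_write_actions` and from `untrusted_principals` is the expected result for the reader role.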

Threat Detection

Indicators of Attack (IOA)

Falcon Cloud Security performs behavioral assessment to identify indicators of attack (IOAs) in near real time. These are patterns of suspicious behavior that suggest an attack might be underway.

Falcon Identity Protection

If you have a Falcon Identity Protection subscription, enabling threat detection extends Falcon Identity Protection’s threat detection capabilities to include AWS IAM Identity Center. This allows visibility into IAM Identity Center users and insights into their authentication activity.

This is accomplished by

  1. EventBridge Rules deployed to each region of each account of the AWS Organization
  2. IAM Role deployed to each account of the AWS Organization

The EventBridge rules target the CrowdStrike event bus for your tenant and forward CloudTrail API activity, which CrowdStrike evaluates to generate IOAs and Identity Protection findings.

The IAM role grants EventBridge the permission to put events on an event bus in an external account.
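To see which events the forwarding rules would hand to CrowdStrike, the added example below (not CrowdStrike's own rule or code) implements the subset of EventBridge pattern matching such rules rely on (lists of literal values, nested objects and "prefix" matchers) and runs it over constructed CloudTrail events. FORWARD_PATTERN and IAM_ONLY_PATTERN are assumed patterns for illustration; the real template defines its own. One caveat worth knowing: EventBridge only receives CloudTrail events for mutating API calls, so read-only calls (readOnly=true in the record) never arrive by this path, which is why the deployment offers an additional organization trail to enable ReadOnly IOAs.

```python
"""Which CloudTrail events the IOA forwarding rules would pass to CrowdStrike.

Added example, not CrowdStrike's own rule or code. The patterns below are
assumed for illustration; the sample events are constructed.
"""

# Assumed forwarding pattern: CloudTrail-sourced API calls and console sign-ins.
FORWARD_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail"],
}

# Assumed narrower pattern: IAM API calls only.
IAM_ONLY_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["iam.amazonaws.com"]},
}


def _value_matches(expected, actual):
    """One list element of a pattern: a literal, or a {"prefix": "..."} matcher."""
    if isinstance(expected, dict) and "prefix" in expected:
        return isinstance(actual, str) and actual.startswith(expected["prefix"])
    return actual == expected


def matches(pattern, event):
    """EventBridge semantics: every pattern key must be present in the event and
    match; a list means 'any of these values', a dict means 'descend'."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if not any(_value_matches(item, actual) for item in expected):
                return False
        else:
            raise ValueError("pattern values must be lists or nested objects")
    return True


def delivered_to_eventbridge(event):
    """EventBridge receives CloudTrail events only for mutating API calls;
    read-only calls (readOnly=true) are never delivered by this path."""
    if not event.get("detail-type", "").endswith("via CloudTrail"):
        return True                       # not a CloudTrail-sourced event
    return event.get("detail", {}).get("readOnly") is not True


def forwarded_event_names(events, pattern=FORWARD_PATTERN):
    """Names of the events that both reach EventBridge and match the rule."""
    return [e["detail"].get("eventName", e["detail-type"]) for e in events
            if delivered_to_eventbridge(e) and matches(pattern, e)]


def _ct_event(detail_type, source, name, read_only):
    """Constructed event in the envelope EventBridge uses for CloudTrail records."""
    return {
        "version": "0", "account": "222222222222", "region": "us-east-1",
        "source": source, "detail-type": detail_type,
        "detail": {"eventSource": source.replace("aws.", "") + ".amazonaws.com",
                   "eventName": name, "readOnly": read_only,
                   "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    }


# Constructed sample: a write, a read, a console sign-in and a non-CloudTrail event.
SAMPLE_EVENTS = [
    _ct_event("AWS API Call via CloudTrail", "aws.iam", "CreateUser", False),
    _ct_event("AWS API Call via CloudTrail", "aws.iam", "ListUsers", True),
    _ct_event("AWS Console Sign In via CloudTrail", "aws.signin", "ConsoleLogin", False),
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"instance-id": "i-0123456789abcdef0", "state": "running"}},
]

if __name__ == "__main__":
    print("forwarded:", forwarded_event_names(SAMPLE_EVENTS))
    print("IAM only:", forwarded_event_names(SAMPLE_EVENTS, IAM_ONLY_PATTERN))
```

Running it shows CreateUser and ConsoleLogin being forwarded while ListUsers is dropped before the rule is even consulted, the behaviour behind the page's separate ReadOnly IOA trail.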

Sensor Management (1Click)

If your AWS environment uses AWS Systems Manager (SSM), you can leverage it to deploy the Falcon sensor to your EC2 instances from within the Falcon console with just one click. See CrowdStrike Documentation for more details.

This is accomplished by

  1. IAM Role in each account to allow CrowdStrike to invoke the Sensor Management Lambda function.
  2. Lambda function in each account to call SSM and deploy the CrowdStrike Falcon Distributor package against SSM-Managed EC2 Instances.
  3. IAM Role in each account to provide execution role for Lambda function.
  4. Secrets Manager Secret in each account to store Falcon API Credentials for the CrowdStrike Falcon Distributor package.

Note: This feature will only apply to SSM-Managed EC2 Instances. See AWS Documentation for details.

SSM Distributor

If your AWS environment uses AWS Systems Manager (SSM), you can leverage it to deploy the Falcon sensor to your EC2 instances automatically via State Manager Associations. The same CrowdStrike Falcon Distributor Package that enables 1Click can also be deployed against instances in your environment without clicking through the Falcon Console. See GitHub Documentation for details.

This solution allows you to easily set up the necessary State Manager Associations in each region of each account in the AWS Organization.

This is accomplished by

  1. IAM Role in each account to provide execution role for State Manager Associations
  2. State Manager Association in each region of each account to execute the CrowdStrike Falcon Distributor package against SSM Managed EC2 instances. The Association can be configured with a schedule and will handle both Linux and Windows machines.
  3. Secrets Manager Secret in each region of each account to store Falcon API Credentials for the CrowdStrike Falcon Distributor package.

Note: This feature will only apply to SSM-Managed EC2 Instances. See AWS Documentation for details.

EKS Protection

If your AWS environment uses EKS to run Kubernetes workloads, you can automatically deploy the Falcon Operator and Falcon sensor to each EKS Cluster. This solution automatically deploys Falcon to existing clusters as well as to new clusters upon creation.

This is accomplished by

  1. IAM Roles in each account to provide permissions to List Clusters and create EKS Access Entries.
  2. EventBridge rules in each region of each account to trigger on CreateCluster events.
  3. IAM Roles in root account to facilitate permissions for EventBridge, Lambda and CodeBuild.
  4. Lambda function to list EKS clusters and invoke codebuild for initial deployment of Falcon to existing clusters.
  5. Lambda function to be triggered by CreateCluster and invoke codebuild against new clusters.
  6. CodeBuild project to update access entries, pull CrowdStrike images and deploy Falcon Operator/Sensor.

ECR Connections

Ensuring that the images in the registry are assessed for vulnerabilities before runtime is an important part of cloud workload protection. When a new registry connection is added, a job starts to discover all the repositories, and in parallel, the images and tags are collected from each repository to create the catalog. The catalog contains info about all images, the repository they come from, the image tag associated with that image, and the registry it belongs to. The catalog is used to compare the future and current state of the repo. We avoid showing duplicate image info by using the catalog info, including when tags move between images, to determine if we have already seen and assessed an image. When a catalog is created for a registry, the images in the catalog are inventoried.

This is accomplished by

  1. IAM Roles in each account to provide permissions to push images to CrowdStrike Falcon.
  2. Lambda function in each account to register ECR Registries with Registry Connection service.

Note: This will connect registries in each AWS Account of the org, for each region.
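The catalog logic described above, keying images by content digest so that an image is assessed once no matter how many tags point at it or where a tag moves, can be illustrated with the added example below. It is not CrowdStrike's own code: the catalog layout, the classification into "needs a first assessment", "tag moved" and "tag removed", the registry hostname and the image digests are all constructed for the example.

```python
"""Reconcile a registry listing against an image catalog keyed by digest.

Added example, not CrowdStrike's own code. Keying the catalog by content
digest rather than by tag is what lets a registry connection avoid
re-assessing an image it has already seen, including when a tag moves.
"""
from collections import defaultdict


def reconcile(catalog, listing):
    """Compare a fresh listing with the catalog and classify what changed.

    catalog: {(registry, repository, digest): set(tags)} from the last run.
    listing: [{"registry", "repository", "tag", "digest"}, ...] seen right now.
    Returns the updated catalog, the digests that need a first assessment,
    the tags that moved to a different digest, and the tags that disappeared.
    """
    new_catalog = defaultdict(set)
    for img in listing:
        new_catalog[(img["registry"], img["repository"], img["digest"])].add(img["tag"])

    # An image is identified by its digest; a digest seen in any repository
    # has already been assessed, so only genuinely new digests are queued.
    seen_digests = {key[2] for key in catalog}
    to_assess = sorted({key[2] for key in new_catalog} - seen_digests)

    # tag -> digest maps per repository, before and after, to detect tag moves
    old_tag_digest = {}
    for (registry, repo, digest), tags in catalog.items():
        for tag in tags:
            old_tag_digest[(registry, repo, tag)] = digest
    new_tag_digest = {}
    for (registry, repo, digest), tags in new_catalog.items():
        for tag in tags:
            new_tag_digest[(registry, repo, tag)] = digest

    tag_moves = sorted(
        (registry, repo, tag, old_tag_digest[(registry, repo, tag)], digest)
        for (registry, repo, tag), digest in new_tag_digest.items()
        if (registry, repo, tag) in old_tag_digest
        and old_tag_digest[(registry, repo, tag)] != digest
    )
    removed_tags = sorted(set(old_tag_digest) - set(new_tag_digest))
    return {"catalog": dict(new_catalog), "to_assess": to_assess,
            "tag_moves": tag_moves, "removed_tags": removed_tags}


# Constructed sample data: a hypothetical ECR registry and two image digests.
REGISTRY = "123456789012.dkr.ecr.us-east-1.amazonaws.com"
D_A = "sha256:" + "a" * 64
D_B = "sha256:" + "b" * 64

# Catalog from the previous run: one image in 'app' carrying three tags.
PREVIOUS_CATALOG = {
    (REGISTRY, "app", D_A): {"v1", "latest", "old"},
}

# Listing from the next run: a new image was pushed as v2 and 'release', 'latest'
# was re-pointed to it, 'old' was deleted, and the old image reappears in 'api'.
CURRENT_LISTING = [
    {"registry": REGISTRY, "repository": "app", "tag": "v1", "digest": D_A},
    {"registry": REGISTRY, "repository": "app", "tag": "latest", "digest": D_B},
    {"registry": REGISTRY, "repository": "app", "tag": "v2", "digest": D_B},
    {"registry": REGISTRY, "repository": "app", "tag": "release", "digest": D_B},
    {"registry": REGISTRY, "repository": "api", "tag": "v1", "digest": D_A},
]

if __name__ == "__main__":
    result = reconcile(PREVIOUS_CATALOG, CURRENT_LISTING)
    print("assess once:", result["to_assess"])
    print("tag moves:", result["tag_moves"])
    print("removed tags:", result["removed_tags"])
```

Three tags point at the new image but it is queued for assessment exactly once, and the old image showing up under a second repository is a catalog update, not a second assessment.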


Architecture

Deploying this ABI solution with default parameters builds the following architecture.

CSPM Architecture

[CSPM Architecture diagram]

Sensor Management (OneClick)

[Sensor Management Architecture diagram]

  • In all current accounts in your AWS organization:

    • IAM role that allows CrowdStrike to perform read-only activities.
    • IAM role that allows Amazon EventBridge to perform PutEvents actions against CrowdStrike’s event bus.
    • EventBridge rules in each Region with CrowdStrike event bus as the target.
    • IAM Role for CrowdStrike to invoke Sensor Management Lambda Function
    • IAM Role for Sensor Management Lambda Function Execution
    • Log Group for Sensor Management Lambda Function
    • Sensor Management Lambda Function
  • In the management account:

    • IAM role that allows CrowdStrike to perform read-only activities.
    • IAM role that allows EventBridge to perform PutEvents actions against CrowdStrike’s event bus.
    • IAM role for running the AWS Lambda function.
    • In the primary Region, AWS Secrets Manager secret for storing CrowdStrike API keys and a Lambda function to perform account registration with CrowdStrike.
    • EventBridge rules in both primary and additional Regions.
    • A custom AWS CloudFormation resource to trigger the Lambda function.
    • AWS CloudFormation StackSets to create EventBridge rules in each Region and to create IAM roles and EventBridge rules in member accounts.
  • In the child AWS accounts (log archive and security tooling accounts):

    • EventBridge rules in each Region with CrowdStrike event bus as the target.
    • IAM role that allows CrowdStrike to perform read-only activities.
    • IAM role that allows EventBridge to perform PutEvents actions against CrowdStrike’s event bus.
    • Secrets Manager Secret to manage CrowdStrike API Credentials.
    • IAM role that allows SSM Associations to retrieve API Credentials from Secrets Manager.
    • SSM Associations to deploy Falcon Sensor via SSM Distributor Package against SSM-Managed instances.

SSM Distributor

[SSM Distributor Architecture diagram]

  • In the child AWS accounts:
    • Secrets Manager Secret to manage CrowdStrike API Credentials.
    • IAM role that allows SSM Associations to retrieve API Credentials from Secrets Manager.
    • SSM Associations to deploy Falcon Sensor via SSM Distributor Package against SSM-Managed instances.

EKS Protection

[EKS Protection diagram]

  • If you enable EKS Protection:
    • In the centralized account:
      • IAM Role for EventBridge to trigger Lambda
      • IAM Role for Lambda Execution
      • IAM Role for CodeBuild Execution
      • EventBus to receive cluster events
      • EventBridge Rule to trigger Lambda
      • Lambda functions to process cluster events and trigger Codebuild
      • CodeBuild project to apply Falcon Operator to EKS Clusters
      • Secret to store Falcon API key
      • Optional ECR repositories if registry = ecr
      • VPC, NAT, EIP for CodeBuild project
    • In the child accounts:
      • IAM Role for EventBridge to trigger Lambda
      • IAM Role for Lambda Execution
      • IAM Role for CodeBuild Execution
      • EventBridge Rule to send cluster events to centralized EventBus

ECR Connections

  • If you enable ECR Connections:
    • In the primary region of all child accounts:
      • IAM Role for ECR Registry Connection Scanning
      • Lambda Function to register each AWS Region with Registry Connection Service
      • IAM Role for Lambda Execution
      • Secret for storing Falcon API Credentials


Deployment options

Deployment options supported by this ABI solution

The following deployment options are supported by this ABI solution:

Cloud types supported by this solution

You may use this solution to register the following account types:

  • Register Commercial AWS Accounts with Commercial Falcon (us1, us2, eu1)
  • Register Commercial AWS Accounts with GovCloud Falcon (usgov1, usgov2)
  • Register GovCloud AWS Accounts with GovCloud Falcon (usgov1, usgov2)

Note: When registering Commercial AWS with GovCloud Falcon, this solution must be launched in us-east-1

Optional CloudTrail

This solution can deploy a CloudTrail for your AWS Organization.

  • Create Default Organization CloudTrail: This optional trail is required if you do not already have an Organization CloudTrail enabled for your AWS Organization.


Predeployment steps

Before deploying this ABI solution, complete the following steps:

  1. Subscribe to the CrowdStrike Falcon Cloud Security AWS Marketplace listing.
  2. Create a CrowdStrike API client in the Falcon UI with the following scopes:
    • Cloud Security AWS Registration: Read and Write
    • CSPM registration: Read and Write
    • CSPM sensor management: Read and Write (if Sensor Management is enabled)
    • Installation Tokens: Read, Sensor Download: Read (if Sensor Management or SSM Distributor is enabled)
    • Falcon Images Download: Read (if EKS Protection is enabled)
    • Sensor Download: Read (if EKS Protection is enabled)
  3. Become familiar with the additional resources later in this guide.


Deployment steps

Option 1: Launch the CloudFormation template in the AWS Organizations management account

  1. Download the CloudFormation template.

  2. Launch the CloudFormation template in your AWS Control Tower home Region.

    • Stack name: template-crowdstrike-enable-integrations
    • Update the following parameters as needed:
      • Falcon CID Details
        • Falcon Account Type: Your Falcon Cloud type. Allowed values include commercial or govcloud
        • Falcon API Client ID: Your CrowdStrike Falcon API Client ID
        • Falcon API Secret: Your CrowdStrike Falcon API Client Secret
        • CrowdStrike Cloud: Your Falcon Cloud region. Allowed values include: us1, us2, eu1, usgov1, usgov2
        • Secrets Manager Secret Name: Name of the Secrets Manager Secret that will store the Falcon API Credentials.
      • AWS Org Details (Note: if Falcon Account Type = govcloud and AWS Account Type = commercial, you must launch this solution in us-east-1)
        • AWS Account Type: Your AWS Cloud type. Allowed values include commercial or govcloud
        • Delegated Administrator Account: Indicates whether this is a Delegated Administrator account. Allowed values include true or false. Default is false
        • Deployment Scope: Comma Delimited List of AWS OU(s) to provision. If you are provisioning the entire organization, please enter the Root OU r-******
        • Permissions Boundary Policy Name: If your Organization requires a PermissionsBoundary policy applied to IAM Roles, enter the Name (not the ARN) of your Permissions Boundary policy
      • Realtime Visibility (IOA and/or IDP)
        • Enable IOA Scanning: Whether to enable IOA Scanning. Allowed values include true or false. Default is true
        • StackSet Administration Role: Name of StackSet Administration role. Default is AWSCloudFormationStackSetAdministrationRole
        • StackSet Execution Role: Name of StackSet Execution role. Default is AWSCloudFormationStackSetExecutionRole
        • Exclude Prohibited Regions: List of regions to exclude from deployment. Use this when SCPs cause stacksets to fail. Eg. [<region-1>,<region-2>,....]
      • Sensor Management (1Click)
        • Enable Sensor Management
        • API Credentials Storage Mode
      • Deploy Falcon Sensors with SSM Distributor
        • EnableSSMDistributor: Whether to deploy SSM Associations in each AWS Region to automatically deploy the CrowdStrike Distributor Package against SSM-Managed EC2 Instances. Allowed values include true or false. The default is false
        • Document Version: If EnableSSMDistributor is true: Define the version of the CrowdStrike SSM Automation document. The default is 2. This value should not change unless advised by CrowdStrike.
        • SSM Execution Role: If EnableSSMDistributor is true: Define the name of the SSM Automation Execution Role. The default is crowdstrike-distributor-deploy-role
        • Apply Only At Cron Interval: If EnableSSMDistributor is true: Whether to wait for cron interval to initiate SSM Distributor installation. Allowed values include true or false. The default is false
        • Cron Schedule Expression: If EnableSSMDistributor is true: Define the schedule or rate by which the SSM Automation runs. The default is cron(0 0 */1 * * ? *) (runs every hour)
        • Max Errors Allowed: If EnableSSMDistributor is true: The number or percent of errors that are allowed before the system stops sending requests to run the association on additional targets. The default is 10%
        • Max Concurrency Allowed: If EnableSSMDistributor is true: The maximum number or percent of targets allowed to run the association at the same time. The default is 20%
      • ECR Registry Connections
        • Enable ECR Connections for Image Assessment: Whether to set up ECR Registry Connections for Image Assessments
        • ECR Execution Role Name: The name of the role that will be used for Lambda execution.
        • ECR Lambda Function Name: The name of the lambda function used to register ECR registry connections.
      • Advanced Configuration Properties
        • Source S3 Bucket Name: Name of the S3 Bucket for staging files. The default is aws-abi-${AWS::AccountId}-${AWS::Region}
        • S3 Bucket Region: Region of the S3 Bucket for staging files.
        • Source S3 Bucket Name Prefix: Prefix of the S3 Bucket for sourcing files. Do not change the default value.
        • Create Additional Organization CloudTrail (To enable ReadOnly IOAs): Whether you plan to create an additional CloudTrail to enable ReadOnly IOAs. If true the CrowdStrike Bucket name (target for your CloudTrail) will be in the outputs and exports of this stack. Allowed values include true or false. The default is false
      • Create Organization CloudTrail
        • Create Default Organization CloudTrail: Create org-wide trail, bucket, and bucket policy to enable EventBridge event collection. If you already have either an Organization CloudTrail or CloudTrails enabled in each account, please leave this parameter false.
        • Control Tower: If Create Default Org Trail = true: Indicates whether AWS Control Tower is deployed and being used for this AWS environment.
        • Governed Regions: If Create Default Org Trail = true: for AWS Control Tower, set to ct-regions (default). If not using AWS Control Tower, specify comma separated list of regions (e.g. us-west-2,us-east-1,ap-south-1) in lower case.
        • Security Account Id: If Create Default Org Trail = true: AWS Account ID of the Security Tooling account (ignored for AWS Control Tower environments).
        • Log Archive Account Id: If Create Default Org Trail = true: AWS Account ID of the Log Archive account (ignored for AWS Control Tower environments).
        • SRA Repo URL: AWS Security Reference Architecture examples repository URL
        • SRA Repo Branch: SRA version to tag
      • EKS Protection
        • EKSProtection: Enable CrowdStrike EKS Protection to automatically deploy Falcon Sensor against EKS Clusters. Allowed values include true or false. Default is false
        • FalconCID: Your CrowdStrike Falcon CID with checksum. (eg. ********************************-ab)
        • DockerAPIToken: Your Falcon Docker API Token
        • OrganizationId: Your AWS Organization ID (eg. o-********)
        • EventBusName: Name of the centralized EventBus. Default is crowdstrike-eks-eventbus
        • EventBridgeRoleName: Name of the EventBridge IAM role. Default is crowdstrike-eks-eventbridge-role
        • EKSExecutionRoleName: Name of the Target Execution IAM role. Default is crowdstrike-eks-execution-role
        • CodeBuildRoleName: Name of the CodeBuild IAM role. Default is crowdstrike-eks-codebuild-role
        • CodeBuildProjectName: Name of the CodeBuild Project. Default is crowdstrike-eks-codebuild
        • KubernetesUserName: Name of the Kubernetes UserName. Default is crowdstrike-eks
        • Registry: Source Falcon Image from CrowdStrike or mirror to ECR. Allowed values are crowdstrike or ecr. Default is crowdstrike
        • Backend: kernel or bpf for Daemonset Sensor. Allowed Values are kernel or bpf. Default is kernel
        • EnableKAC: Deploy Kubernetes Admission Controller (KAC). For more info see https://falcon.crowdstrike.com/documentation/page/aa4fccee/container-security#s41cbec3
  3. Select both of the following capabilities and choose Submit to launch the stack.

    [ ] I acknowledge that AWS CloudFormation might create IAM resources with custom names.

    [ ] I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND

Wait for the CloudFormation status to change to CREATE_COMPLETE state.
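The parameter list above carries a number of constraints that CloudFormation only reports after StackSets have started (the us-east-1 requirement for commercial AWS with GovCloud Falcon, the Falcon cloud values allowed for each Falcon account type, the supported AWS/Falcon cloud pairings, the root/OU ID format, the policy name rather than ARN for the permissions boundary, no SSM Distributor in GovCloud, and the EKS fields that become required). The script below is an added pre-flight check, not part of the ABI templates: it encodes those rules so a mistake surfaces before launch. Parameter names follow this page; LaunchRegion is an extra field for the Region you intend to launch in, and all sample values are constructed.

```python
"""Pre-flight validation of the stack parameters before launch.

Added example, not part of the ABI solution. It encodes the constraints this
page states for the parameters; LaunchRegion is an assumed extra field and
the sample values are constructed.
"""
import re

FALCON_CLOUDS = {"commercial": {"us1", "us2", "eu1"}, "govcloud": {"usgov1", "usgov2"}}
OU_ID = re.compile(r"^(r-[0-9a-z]{4,32}|ou-[0-9a-z]{4,32}-[a-z0-9]{8,32})$")
ORG_ID = re.compile(r"^o-[a-z0-9]{10,32}$")
FALCON_CID = re.compile(r"^[0-9A-Fa-f]{32}-[0-9A-Fa-f]{2}$")   # CID plus 2-char checksum


def validate(p):
    """Return a list of problems; an empty list means the parameters are consistent."""
    errors = []
    falcon = p.get("FalconAccountType")
    aws = p.get("AWSAccountType")
    if falcon not in FALCON_CLOUDS:
        errors.append("FalconAccountType must be commercial or govcloud")
    if aws not in ("commercial", "govcloud"):
        errors.append("AWSAccountType must be commercial or govcloud")
    if falcon in FALCON_CLOUDS and p.get("CrowdStrikeCloud") not in FALCON_CLOUDS[falcon]:
        errors.append(f"CrowdStrikeCloud must be one of {sorted(FALCON_CLOUDS[falcon])} for {falcon} Falcon")
    # The page lists three supported pairings; GovCloud AWS with commercial Falcon is not one.
    if aws == "govcloud" and falcon == "commercial":
        errors.append("GovCloud AWS accounts can only be registered with GovCloud Falcon")
    if aws == "commercial" and falcon == "govcloud" and p.get("LaunchRegion") != "us-east-1":
        errors.append("commercial AWS with GovCloud Falcon must be launched in us-east-1")
    if aws == "govcloud":
        if p.get("EnableSSMDistributor") == "true":
            errors.append("SSM Distributor is not supported in GovCloud")
        if p.get("S3BucketRegion") not in ("us-gov-west-1", "us-gov-east-1"):
            errors.append("S3BucketRegion must be a GovCloud region")
    scope = [s.strip() for s in p.get("DeploymentScope", "").split(",") if s.strip()]
    if not scope:
        errors.append("DeploymentScope must list at least one OU (or the root r-...)")
    errors.extend(f"DeploymentScope entry is not an OU or root ID: {s}"
                  for s in scope if not OU_ID.match(s))
    if p.get("PermissionsBoundaryPolicyName", "").startswith("arn:"):
        errors.append("PermissionsBoundaryPolicyName takes the policy name, not its ARN")
    if p.get("EKSProtection") == "true":
        if not ORG_ID.match(p.get("OrganizationId", "")):
            errors.append("EKSProtection requires OrganizationId in the form o-xxxxxxxxxx")
        if not FALCON_CID.match(p.get("FalconCID", "")):
            errors.append("EKSProtection requires FalconCID with its two-character checksum")
        if not p.get("DockerAPIToken"):
            errors.append("EKSProtection requires DockerAPIToken")
        if p.get("Registry", "crowdstrike") not in ("crowdstrike", "ecr"):
            errors.append("Registry must be crowdstrike or ecr")
        if p.get("Backend", "kernel") not in ("kernel", "bpf"):
            errors.append("Backend must be kernel or bpf")
    return errors


# Constructed: a commercial org registering with Falcon us2, EKS Protection on.
GOOD_PARAMS = {
    "FalconAccountType": "commercial", "AWSAccountType": "commercial",
    "CrowdStrikeCloud": "us2", "LaunchRegion": "us-west-2",
    "DeploymentScope": "r-abcd", "PermissionsBoundaryPolicyName": "",
    "EnableSSMDistributor": "true", "S3BucketRegion": "us-west-2",
    "EKSProtection": "true", "OrganizationId": "o-a1b2c3d4e5",
    "FalconCID": "0123456789abcdef0123456789abcdef-1a", "DockerAPIToken": "token",
    "Registry": "ecr", "Backend": "bpf",
}

# Constructed: commercial AWS with GovCloud Falcon launched in the wrong Region,
# a commercial Falcon cloud, an OU name instead of an ID, and a boundary ARN.
BAD_PARAMS = dict(GOOD_PARAMS, FalconAccountType="govcloud", CrowdStrikeCloud="us1",
                  LaunchRegion="us-west-2", DeploymentScope="r-abcd, Production",
                  PermissionsBoundaryPolicyName="arn:aws:iam::123456789012:policy/Boundary",
                  EKSProtection="false")

if __name__ == "__main__":
    for problem in validate(BAD_PARAMS):
        print("-", problem)
```

Wire it in front of whatever launches the stack (console, CLI or the CfCT manifest) and refuse to proceed on a non-empty list.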

Option 2: Launch using Customizations for Control Tower

Customizations for AWS Control Tower (CfCT) combines AWS Control Tower and other AWS services to help you set up an AWS environment. You can deploy the templates provided with the ABI solution using CfCT.

Prerequisites

Create an IAM role with the required permissions in the AWS management account to allow the CfCT solution to launch resources.

How it works

To deploy the solution with CfCT, add the following block to the manifest.yaml file of your CfCT deployment and update the account ID, OU names, and Regions as needed.

resources:
  - name: deploy-crowdstrike-init-stack
    resource_file: https://aws-abi.s3.us-east-1.amazonaws.com/cfn-abi-crowdstrike-fcs/templates/crowdstrike_init_stack.yaml
    deploy_method: stack_set
    parameters:
      - parameter_key: FalconClientID
        parameter_value: $[alfred_ssm_/crowdstrike/falcon_client_id] # Create SSM parameter with the CrowdStrike API client ID
      - parameter_key: FalconSecret
        parameter_value: $[alfred_ssm_/crowdstrike/falcon_secret] # Create SSM parameter with the CrowdStrike API secret
      - parameter_key: ProvisionOU
        parameter_value: $[alfred_ssm_/crowdstrike/provision-ou] # Create SSM parameter with the OU name
      - parameter_key: ExcludeRegions
        parameter_value: $[alfred_ssm_/crowdstrike/exclude_regions] # Create SSM parameter with regions to exclude
      - parameter_key: SourceS3BucketName
        parameter_value: aws-abi
      - parameter_key: S3BucketRegion
        parameter_value: us-east-1 # Update as needed
      - parameter_key: CreateOrgTrail
        parameter_value: "true" # Update as needed. Set to "false" if you already have an organization trail.
    regions:
      - us-east-1 # Update as needed
    deployment_targets:
      accounts:
        - [[MANAGEMENT-AWS-ACCOUNT-ID]]


GovCloud Deployment steps

Step 1: Download and prepare the contents of this solution

  1. Download the contents of the GitHub Repo
  2. Navigate to the downloaded directory and run the source_prep.py script
    • python3 source_prep.py
  3. Confirm the following directory and files were created
    • cfn-abi-crowdstrike-fcs/lambda_functions/packages/codebuild/lambda.zip
    • cfn-abi-crowdstrike-fcs/lambda_functions/packages/cw-helper/lambda.zip
    • cfn-abi-crowdstrike-fcs/lambda_functions/packages/ecr-registration/lambda.zip
    • cfn-abi-crowdstrike-fcs/lambda_functions/packages/eks-existing-clusters/lambda.zip
    • cfn-abi-crowdstrike-fcs/lambda_functions/packages/eks-new-clusters/lambda.zip
    • cfn-abi-crowdstrike-fcs/lambda_functions/packages/register-organization-v2/lambda.zip
    • cfn-abi-crowdstrike-fcs/templates/aws_cspm_cloudformation_eb_comm_gov.json
    • cfn-abi-crowdstrike-fcs/templates/aws_cspm_cloudformation_eb_v2.json
    • cfn-abi-crowdstrike-fcs/templates/aws_cspm_cloudformation_ioa_comm_gov.json
    • cfn-abi-crowdstrike-fcs/templates/aws_cspm_cloudformation_v2.json
    • cfn-abi-crowdstrike-fcs/templates/crowdstrike_init_stack.yaml
    • cfn-abi-crowdstrike-fcs/templates/ecr-registration-stackset.yml
    • cfn-abi-crowdstrike-fcs/templates/eks-eventbridge-stackset.yml
    • cfn-abi-crowdstrike-fcs/templates/eks-protection-stack.yml
    • cfn-abi-crowdstrike-fcs/templates/eks-root-roles.yml
    • cfn-abi-crowdstrike-fcs/templates/eks-target-roles-stackset.yml
    • cfn-abi-crowdstrike-fcs/templates/ssm-association-stackset.yml
    • cfn-abi-crowdstrike-fcs/templates/ssm-setup-stackset.yml

Step 2: Upload prepared contents to your S3 Bucket

  1. In your AWS Console, navigate to the root of an S3 bucket
  2. Click Upload
  3. Click Add Folder
  4. Select the new cfn-abi-crowdstrike-fcs directory.
    • Note: this directory may have the same name as the repository you downloaded. Make sure you select the cfn-abi-crowdstrike-fcs directory that contains only the folders and files created by the source_prep.py script in the previous step.
  5. Click Upload

Step 3: Launch the CloudFormation template in the AWS Organizations management account

  1. Launch the CloudFormation template in your AWS Control Tower home Region.

    • Stack name: template-crowdstrike-enable-integrations
    • Update the following parameters as needed:
      • Falcon CID Details

        • Falcon Account Type: Your Falcon Cloud type. Select govcloud
        • Falcon API Client ID: Your CrowdStrike Falcon API Client ID
        • Falcon API Secret: Your CrowdStrike Falcon API Client Secret
        • CrowdStrike Cloud: Your Falcon Cloud region. Select usgov1 or usgov2
        • Secrets Manager Secret Name: Name of the Secrets Manager Secret that will store the Falcon API Credentials.
      • AWS Org Details

        • AWS Account Type: Your AWS Cloud type. Select govcloud
        • Delegated Administrator Account: Indicates whether this is a Delegated Administrator account. Allowed values include true or false. Default is false
        • Deployment Scope: Comma Delimited List of AWS OU(s) to provision. If you are provisioning the entire organization, please enter the Root OU r-******
        • Permissions Boundary Policy Name: If your Organization requires a PermissionsBoundary policy applied to IAM Roles, enter the Name (not the ARN) of your Permissions Boundary policy
      • Realtime Visibility (IOA and/or IDP)

        • Enable IOA Scanning: Whether to enable IOA Scanning. Allowed values include true or false. Default is true
        • StackSet Administration Role: Name of StackSet Administration role. Default is AWSCloudFormationStackSetAdministrationRole
        • StackSet Execution Role: Name of StackSet Execution role. Default is AWSCloudFormationStackSetExecutionRole
        • Exclude Prohibited Regions: List of regions to exclude from deployment. Use this when SCPs cause stacksets to fail. Eg. [<region-1>,<region-2>,....]
      • Sensor Management (1Click)

        • Enable Sensor Management
        • API Credentials Storage Mode
      • Deploy Falcon Sensors with SSM Distributor: skip this section; SSM Distributor is not yet supported in GovCloud

        • EnableSSMDistributor: Whether to deploy SSM Associations in each AWS Region to automatically deploy the CrowdStrike Distributor Package against SSM-Managed EC2 Instances. Allowed values include true or false. The default is false
        • Document Version: If EnableSSMDistributor is true: Define the version of the CrowdStrike SSM Automation document. The default is 2. This value should not change unless advised by CrowdStrike.
        • SSM Execution Role: If EnableSSMDistributor is true: Define the name of the SSM Automation Execution Role. The default is crowdstrike-distributor-deploy-role
        • Apply Only At Cron Interval: If EnableSSMDistributor is true: Whether to wait for cron interval to initiate SSM Distributor installation. Allowed values include true or false. The default is false
        • Cron Schedule Expression: If EnableSSMDistributor is true: Define the schedule or rate by which the SSM Automation runs. The default is cron(0 0 */1 * * ? *) (runs every hour)
        • Max Errors Allowed: If EnableSSMDistributor is true: The number or percent of errors that are allowed before the system stops sending requests to run the association on additional targets. The default is 10%
        • Max Concurrency Allowed: If EnableSSMDistributor is true: The maximum number or percent of targets allowed to run the association at the same time. The default is 20%
      • ECR Registry Connections

        • Enable ECR Connections for Image Assessment: Whether to set up ECR Registry Connections for Image Assessments
        • ECR Execution Role Name: The name of the role that will be used for Lambda execution.
        • ECR Lambda Function Name: The name of the lambda function used to register ECR registry connections.
      • Advanced Configuration Properties

        • Source S3 Bucket Name: Name of the S3 Bucket you used to upload the contents.
        • S3 Bucket Region: Region in which this S3 Bucket resides, i.e. us-gov-west-1 or us-gov-east-1
        • Source S3 Bucket Name Prefix: Prefix of the S3 Bucket for sourcing files. Do not change the default value.
        • Create Additional Organization CloudTrail (To enable ReadOnly IOAs): Whether you plan to create an additional CloudTrail to enable ReadOnly IOAs. If true, the CrowdStrike bucket name (the target for your CloudTrail) is listed in the outputs and exports of this stack. Allowed values include true or false. The default is false
      • Create Organization CloudTrail

        • Create Default Organization CloudTrail: Create org-wide trail, bucket, and bucket policy to enable EventBridge event collection. If you already have either an Organization CloudTrail or CloudTrails enabled in each account, please leave this parameter false.
        • Control Tower: If Create Default Org Trail = true: Indicates whether AWS Control Tower is deployed and being used for this AWS environment.
        • Governed Regions: If Create Default Org Trail = true: for AWS Control Tower, set to ct-regions (default). If not using AWS Control Tower, specify comma separated list of regions (e.g. us-west-2,us-east-1,ap-south-1) in lower case.
        • Security Account Id: If Create Default Org Trail = true: AWS Account ID of the Security Tooling account (ignored for AWS Control Tower environments).
        • Log Archive Account Id: If Create Default Org Trail = true: AWS Account ID of the Log Archive account (ignored for AWS Control Tower environments).
        • SRA Repo URL: AWS Security Reference Architecture examples repository URL
        • SRA Repo Branch: SRA version to tag
      • EKS Protection (skip this section; it is not supported in GovCloud yet)

        • EKSProtection: Enable CrowdStrike EKS Protection to automatically deploy Falcon Sensor against EKS Clusters. Allowed values include true or false. Default is false
        • FalconCID: Your CrowdStrike Falcon CID with checksum. (eg. ********************************-ab)
        • DockerAPIToken: Your Falcon Docker API Token
        • OrganizationId: Your AWS Organization ID (eg. o-********)
        • EventBusName: Name of the centralized EventBus. Default is crowdstrike-eks-eventbus
        • EventBridgeRoleName: Name of the EventBridge IAM role. Default is crowdstrike-eks-eventbridge-role
        • EKSExecutionRoleName: Name of the Target Execution IAM role. Default is crowdstrike-eks-execution-role
        • CodeBuildRoleName: Name of the CodeBuild IAM role. Default is crowdstrike-eks-codebuild-role
        • CodeBuildProjectName: Name of the CodeBuild Project. Default is crowdstrike-eks-codebuild
        • KubernetesUserName: Name of the Kubernetes UserName. Default is crowdstrike-eks
        • Registry: Source Falcon Image from CrowdStrike or mirror to ECR. Allowed values are crowdstrike or ecr. Default is crowdstrike
        • Backend: Sensor backend for the DaemonSet sensor. Allowed values are kernel or bpf. Default is kernel
        • EnableKAC: Deploy Kubernetes Admission Controller (KAC). For more info see https://falcon.crowdstrike.com/documentation/page/aa4fccee/container-security#s41cbec3
  2. Select both of the following capabilities and choose Submit to launch the stack.

    [] I acknowledge that AWS CloudFormation might create IAM resources with custom names.

    [] I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND

Wait for the CloudFormation status to change to CREATE_COMPLETE state.

Next: Choose Post deployment options.

Postdeployment options

Verifying the solution functionality

Verify account activation in CrowdStrike Falcon console

  1. Sign in to the CrowdStrike Falcon console.
  2. Navigate to Cloud-Security > Registration.
  3. Verify that each AWS account ID is active in the Configuration (IOM), Behavior (IOA) and 1-click sensor deployment columns.
  4. After waiting several minutes, choose Refresh to retrieve the latest account status.

Verify SSM Distributor Package deployments in CrowdStrike Falcon console

  1. Sign in to the CrowdStrike Falcon console.
  2. Navigate to Host setup and management > Host management.
  3. Verify that your AWS Instances begin to appear in the host management list with a Host status of “Online”.
  4. After waiting several minutes, choose Refresh to retrieve the latest host status.

Update the IAM Role with Latest IOM Permissions

Update the IAM Role in the master account.

  1. Download the latest main template here.
  2. Sign in to the AWS Account in which you deployed the main stack for this solution.
  3. Navigate to CloudFormation > Stacks
  4. Select the main stack for this solution.
  5. Click Stack Actions > Create change set
  6. Select Replace existing template and Upload a template file.
  7. Upload the latest template you downloaded in step 1.
  8. Click Next.
  9. Leave all parameters the same and click Next.
  10. Check the boxes under Capabilities and click Next.
  11. Click Submit.
  12. Once the change set is generated, click Execute.

Update the IAM Role in the member accounts.

  1. Sign in to the AWS Account in which you deployed the main stack for this solution.
  2. Navigate to CloudFormation > StackSets > CrowdStrike-Cloud-Security-Stackset
  3. Click Actions > Edit StackSet details
  4. Select Replace Current Template and paste the S3 url: https://aws-abi.s3.us-east-1.amazonaws.com/cfn-abi-crowdstrike-fcs/templates/aws_cspm_cloudformation_v2.json
  5. Click Next
  6. Leave all parameters the same and click next.
  7. Check the box under Capabilities and click next.
  8. Enter your AWS OU ID to define the scope (this should match the scope of your deployment, i.e. if you deployed to the root OU r-******, enter that same value here).
  9. Select the region (there should only be one).
  10. Click Next and Click Submit.

Create change set for bug fixes and other updates

  1. Download the latest main template here.
  2. Sign in to the AWS Account in which you deployed the main stack for this solution.
  3. Navigate to CloudFormation > Stacks
  4. Select the main stack for this solution.
  5. Click Stack Actions > Create change set
  6. Select Replace existing template and Upload a template file.
  7. Upload the latest template you downloaded in step 1.
  8. Click Next.
  9. Leave all parameters the same and click Next.
  10. Check the boxes under Capabilities and click Next.
  11. Click Submit.
  12. Once the change set is generated, click Execute.

Next: Choose Test the deployment.

Test the deployment

Test Cloud Security

To test the functionality of CrowdStrike Falcon Cloud Security, you may generate findings by intentionally violating a policy of your choice. Note: CrowdStrike does not recommend running these steps against any accounts and/or workloads with sensitive data.

Step 1: Review policies.

  1. Log in to the CrowdStrike Falcon console.
  2. Navigate to Cloud Security > Cloud Security Posture > Policies.
  3. Filter by AWS and choose a service.
  4. Review Configuration and Behavioral policies.

Step 2: Execute Policy Violation

  1. Choose a policy to test, for example, VPC Flow Logs Disabled.
  2. Make the relevant change in your AWS account.

Step 3: Review Findings

  1. Navigate to Cloud Security > Cloud Security Posture > Assessment, and review your assessment findings.
  2. If the policy is Behavioral, wait a few minutes for the finding to appear.
  3. If the policy is Configuration, wait for the next assessment scan for the finding to appear. Two hours is the default interval, but you can change this setting by navigating to Cloud Security > Cloud Security Posture > Settings.

Test Sensor Management

To test the functionality of CrowdStrike Sensor Management, you may discover unmanaged hosts and deploy the sensor. Note: AWS SSM Inventory must be configured in the AWS accounts where you want to enable 1-click sensor deployment. See the AWS article https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-ec2.html

Step 1: Discover Unmanaged Hosts

  1. In the Falcon console, navigate to Cloud security > Deployment dashboard.
  2. If the registered cloud accounts contain workloads that don’t have a sensor installed, a banner is displayed, stating the number of unprotected hosts. In the banner, click Take action.
  3. This takes you to the Deploy sensors on unmanaged hosts page.

Step 2: Deploy Sensors

  1. In the Choose deployment method section, select Automated.
  2. In the Select hosts section, use the filters to find the hosts where you want to deploy a sensor and select the checkboxes for all hosts where you want to deploy a sensor.
  3. Click Deploy. A message appears, stating that the sensor is being deployed to hosts. Note: When Automated is selected, this section displays hosts that are part of the SSM inventory and are valid for 1-click sensor deployment. This number may be different from the total number of unmanaged hosts. For the hosts that aren’t part of the SSM inventory, use the manual deployment method. For info, see Deploy Sensors Using Ansible. Note: It may take some time for the sensor deployment to complete.

Step 3: Check Deployment Status

  1. In the Falcon console, navigate to Cloud security > Deployment dashboard.
  2. Click Activity, next to the dashboard filters.
  3. To see a detailed list that you can filter and export, click View all. The Deployment activity page displays information about deployments from the past year.

Next: Choose Additional Resources to get started.

Troubleshooting

General Troubleshooting

For troubleshooting issues with Falcon Cloud Security, submit a ticket on the CrowdStrike support portal.

For troubleshooting common ABI issues, refer to the ABI Reference Guide and Troubleshooting CloudFormation.

Accounts appear in Falcon Cloud Accounts Registration but are still Inactive

  1. Verify the following stacksets completed in each account with no errors
    • CrowdStrike-Cloud-Security-Stackset
    • CrowdStrike-Cloud-Security-Root-EB-Stackset
    • CrowdStrike-Cloud-Security-EB-Stackset
  2. For each stackset, review the stack instances for errors.
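The two checks above can be automated. The following script is an added example (not part of the ABI solution's own code): it walks the stack instances of the three StackSets named above and reports every instance that is not CURRENT/SUCCEEDED, grouped by account so each Inactive account can be matched to its failing instance. The sample data, the `call_as` handling and the helper names are assumptions made for this example; the live query needs boto3 and credentials in the account that owns the StackSets.

```python
"""Report unhealthy stack instances for the three ABI StackSets (added example)."""

# StackSet names from the troubleshooting section of this guide.
ABI_STACKSETS = (
    "CrowdStrike-Cloud-Security-Stackset",
    "CrowdStrike-Cloud-Security-Root-EB-Stackset",
    "CrowdStrike-Cloud-Security-EB-Stackset",
)

# A stack instance is healthy only when it is CURRENT and its last operation SUCCEEDED.
HEALTHY = ("CURRENT", "SUCCEEDED")

# Constructed sample in the shape of list_stack_instances Summaries; not real output.
SAMPLE_SUMMARIES = [
    {"StackSetName": ABI_STACKSETS[0], "Account": "111111111111", "Region": "us-east-1",
     "Status": "CURRENT", "StackInstanceStatus": {"DetailedStatus": "SUCCEEDED"}},
    {"StackSetName": ABI_STACKSETS[0], "Account": "222222222222", "Region": "us-east-1",
     "Status": "OUTDATED", "StackInstanceStatus": {"DetailedStatus": "FAILED"},
     "StatusReason": "ResourceStatusReason: Role with that name already exists"},
    {"StackSetName": ABI_STACKSETS[2], "Account": "333333333333", "Region": "us-east-1",
     "Status": "CURRENT", "StackInstanceStatus": {"DetailedStatus": "RUNNING"}},
]


def unhealthy_instances(summaries):
    """Return one record per stack instance whose state is not (CURRENT, SUCCEEDED)."""
    problems = []
    for s in summaries:
        state = (s.get("Status"), s.get("StackInstanceStatus", {}).get("DetailedStatus"))
        if state == HEALTHY:
            continue
        problems.append({
            "stackset": s.get("StackSetName"),
            "account": s.get("Account"), "region": s.get("Region"),
            "status": state[0], "detailed_status": state[1],
            "reason": s.get("StatusReason", ""),  # CloudFormation's failure reason, if any
        })
    return problems


def group_by_account(problems):
    """Group problem records by account ID to match the Inactive rows in the Falcon console."""
    grouped = {}
    for p in problems:
        grouped.setdefault(p["account"], []).append(p)
    return grouped


def check_stacksets(call_as="SELF"):
    """Query all three StackSets; pass call_as='DELEGATED_ADMIN' from a delegated admin account."""
    import boto3  # imported here so the pure functions above run offline

    cfn = boto3.client("cloudformation")
    summaries = []
    for name in ABI_STACKSETS:
        for page in cfn.get_paginator("list_stack_instances").paginate(StackSetName=name, CallAs=call_as):
            for s in page["Summaries"]:
                summaries.append({**s, "StackSetName": name})
    return group_by_account(unhealthy_instances(summaries))
```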

Redeployment Errors

  1. After deleting the stack and recreating, the stack fails with S3Bucket or LogGroup already exists.
    • Delete the failed stack and please follow the steps in Cleanup Instructions.
    • Retry creating stack.

SSM Distributor

  1. Check the execution logs for the SSM State Manager Association. See SSM Documentation.

EKS Protection

  1. Check the Lambda logs in CloudWatch Logs for crowdstrike-abi-eks-init-function and crowdstrike-abi-eks-events-function.
  2. Check the CodeBuild Execution logs for crowdstrike-eks-codebuild.
  3. Check the Falcon Operator logs on the cluster. See Operator Troubleshooting.

ECR Registry Connections

See falcon documentation for detailed troubleshooting information here.

Next: Choose Feedback.

Cleanup instructions

Remove Falcon Sensors deployed by SSM Distributor

  1. Before deleting any stacks, first update the main template with the following change (set the Action parameter of the SSM association StackSet to 'Uninstall'):
# Create SSM Distributor Associations
  AssociationStackSet:
    Type: 'AWS::CloudFormation::StackSet'
    Condition: CreateSSMAssociations
    Properties:
      StackSetName: CrowdStrike-Cloud-SSM-Associations-Stackset
      Description: Create SSM State Manager Association to automatically manage Falcon Sensor installation across SSM Managed Instances
      PermissionModel: SERVICE_MANAGED
      CallAs: !If [ IsDelegatedAdmin, 'DELEGATED_ADMIN', 'SELF' ]
      ManagedExecution:
        Active: true
      Parameters:
        - ParameterKey: DocumentVersion
          ParameterValue: !Ref DocumentVersion
        - ParameterKey: SecretsManagerSecretName
          ParameterValue: !Ref SecretsManagerSecretName
        - ParameterKey: SecretStorageMethod
          ParameterValue: 'SecretsManager'
        - ParameterKey: Action
          ParameterValue: 'Install'  # Change to 'Uninstall'
  2. Update the main stack, uploading the new version of the template.
  3. This updates the Action on all State Manager Associations to Uninstall and runs them.
  4. Wait until all associations have completed their Uninstall executions.
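Waiting for the Uninstall executions can be scripted per account and region. This is an added example, not code from the ABI solution: it polls the State Manager association's executions until every one reaches a terminal status, so the stacks are only deleted once the sensors are gone. The association ID, status strings, sample records and helper names are assumptions for this example; the live poll needs boto3 and credentials in the member account where the association was deployed.

```python
"""Poll an SSM State Manager association until its Uninstall executions finish (added example)."""
import time

# Terminal statuses of an association execution as reported by
# describe_association_executions; anything else is treated as still pending or running.
TERMINAL = {"Success", "Failed"}

# Constructed sample in the shape of AssociationExecutions records; not real output.
SAMPLE_EXECUTIONS = [
    {"ExecutionId": "exec-1", "Status": "Success"},
    {"ExecutionId": "exec-2", "Status": "InProgress"},
    {"ExecutionId": "exec-3", "Status": "Failed"},
]


def uninstall_progress(executions):
    """Summarise execution records; done only when at least one execution exists and all are terminal."""
    pending = [e["ExecutionId"] for e in executions if e.get("Status") not in TERMINAL]
    failed = [e["ExecutionId"] for e in executions if e.get("Status") == "Failed"]
    # An empty list means the association has not run yet, which is not "done".
    return {"done": bool(executions) and not pending, "pending": pending, "failed": failed}


def wait_for_uninstall(association_id, timeout_s=3600, poll_s=60, clock=time.time, sleep=time.sleep):
    """Block until all executions of the association are terminal or timeout_s elapses.

    Runs against the account and region the caller's credentials point at, so it is
    called once per member account/region in which the association StackSet deployed.
    """
    import boto3  # imported here so uninstall_progress() runs offline

    ssm = boto3.client("ssm")
    deadline = clock() + timeout_s
    while True:
        executions, token = [], None
        while True:  # manual NextToken loop over describe_association_executions
            kwargs = {"AssociationId": association_id}
            if token:
                kwargs["NextToken"] = token
            resp = ssm.describe_association_executions(**kwargs)
            executions.extend(resp.get("AssociationExecutions", []))
            token = resp.get("NextToken")
            if not token:
                break
        progress = uninstall_progress(executions)
        if progress["done"] or clock() >= deadline:
            progress["timed_out"] = not progress["done"]
            return progress
        sleep(poll_s)
```

Failed executions are listed in the returned record so they can be checked in the association's execution logs before the stacks are deleted.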

Remove Falcon Sensor deployed by EKS Protection

EKS Protection uses the Falcon Operator. To remove any sensors deployed through it, follow the Operator uninstall steps for each cluster here.

Cleanup instructions

The following must be completed before attempting to redeploy.

  1. Delete CloudFormation Stack:
    • Stack name: template-crowdstrike-enable-integrations
  2. Empty and Delete S3 Bucket
    • S3 Bucket Name: aws-abi-${AWS::AccountId}-${AWS::Region}

Notices

This document is provided for informational purposes only. It represents current AWS product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided “as is” without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the “License”). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying “license” file. This code is distributed on an “as is” basis, without warranties or conditions of any kind, either expressed or implied. Refer to the License for specific language governing permissions and limitations.

FAQs

How frequently will CrowdStrike Cloud Security scan my environment for Configuration (IOM) assessment?

You can configure your settings to determine the frequency of assessments. The default rate is two hours after the last successful assessment. Optional intervals are six, 12, and 24 hours.

How frequently will CrowdStrike Cloud Security scan my environment for Behavioral (IOA) assessment?

Indicator of Attack (IOA) findings are not generated by scheduled scans, but instead are forwarded to CrowdStrike at the time of the event via EventBridge. IOA findings will appear in your Falcon console in near real time.

Can I create custom policies with CrowdStrike Falcon Cloud Security?

You can create custom policies for misconfiguration detections in your cloud accounts in the Falcon console. By defining your own rules, you get more coverage with fine-tuned policies that meet your own security and compliance requirements.

When should I use the Sensor Management option?

We recommend this method for deploying the Falcon sensor in AWS environments where AWS Systems Manager (SSM) is in use. After enabling and adding EC2 hosts to the SSM inventory on your registered AWS accounts, you can deploy the Falcon sensor into your EC2 instances from the Falcon console with just one click.

Can I contribute to this repository?

You can submit a GitHub issue if you encounter a problem or want to suggest improvements. To build and contribute a fix or enhancement, submit a GitHub pull request with your changes.

All pull requests go through automatic validations and human reviews before being merged.