FAQ: How do I integrate with an AWS Organization?

When integrating F5 Distributed Cloud App Infrastructure Protection (AIP) with an Amazon Web Services (AWS) Organization, the most important consideration is which AWS account holds each resource. See the following examples for information about setting up cross-account authentication.

AWS Organizations

Generally, this configuration is required when the initial CloudTrail setup divides the CloudTrail resources across multiple AWS accounts. See below for an example of an environment that requires this configuration and the resulting infrastructure change.

Example Environment

Below is an example environment configuration that is representative of the structure required for successful integration. Please note in which accounts the SNS, IAM, and SQS resources are deployed.

Before / After

Root Account

  Before:
    • CloudTrail Org Trail
    • KMS - Modified
    • Regions: US West 2
  After:
    • CloudTrail Org Trail
    • KMS - Modify Policy
    • SNS Topic - CREATE
    • Regions: US West 2

Audit Account

  Before:
    • S3
    • Regions: US West 2
  After:
    • S3
    • IAM - CREATE
    • SQS - CREATE
    • Regions: US West 2


If you choose to encrypt with AWS Key Management Service (KMS), you must grant the IAM role permission to use the key, because the key lives in the Root Account while the role lives in the Audit Account. See an example policy in AWS's documentation.
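The following is an added example and not code from the F5 article or from AWS. It builds the two cross-account policy documents implied by the layout above (a KMS key policy statement in the Root Account for the Audit Account role, and an SQS queue policy that only accepts messages from the Root Account SNS topic) and includes a small offline check that the updated key policy actually grants the role decrypt access. All account IDs, the role name, and the topic and queue names are placeholders chosen for this example.

```python
"""Added example (not from the F5 article): cross-account policy documents
for the Root Account / Audit Account layout and an offline sanity check.
Account IDs, role, topic and queue names below are placeholders."""
import fnmatch
import json

ROOT_ACCOUNT = "111111111111"   # placeholder: holds the org trail, KMS key and SNS topic
AUDIT_ACCOUNT = "222222222222"  # placeholder: holds the S3 bucket, IAM role and SQS queue
REGION = "us-west-2"

# Hypothetical resource names used only for this example.
AIP_ROLE_ARN = f"arn:aws:iam::{AUDIT_ACCOUNT}:role/aip-cloudtrail-reader"
TRAIL_TOPIC_ARN = f"arn:aws:sns:{REGION}:{ROOT_ACCOUNT}:cloudtrail-notifications"
LOG_QUEUE_ARN = f"arn:aws:sqs:{REGION}:{AUDIT_ACCOUNT}:cloudtrail-log-queue"

# Constructed example of a default key policy (key administration for the
# Root Account only), i.e. the "Before" state of the KMS key.
EXISTING_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ROOT_ACCOUNT}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}


def kms_key_policy_statement(role_arn: str) -> dict:
    """Statement to append to the Root Account key policy so the Audit Account
    role can read log objects encrypted with this key. Least privilege: only
    decrypt and describe, no key administration."""
    return {
        "Sid": "AllowAIPRoleToDecryptTrailLogs",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": ["kms:Decrypt", "kms:DescribeKey"],
        "Resource": "*",  # inside a key policy, "*" refers to this key only
    }


def add_aip_statement(key_policy: dict, role_arn: str) -> dict:
    """Return a copy of an existing key policy with the AIP statement appended
    (the 'KMS - Modify Policy' step); the input policy is left untouched."""
    updated = json.loads(json.dumps(key_policy))
    updated["Statement"] = _as_list(updated.get("Statement", [])) + [
        kms_key_policy_statement(role_arn)
    ]
    return updated


def sqs_queue_policy(queue_arn: str, topic_arn: str) -> dict:
    """Queue policy for the Audit Account SQS queue: only the Root Account SNS
    topic may deliver messages. The SourceArn condition keeps any other topic
    (in any account) from sending to the queue."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowTrailTopicToSend",
            "Effect": "Allow",
            "Principal": {"Service": "sns.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_allows(policy: dict, principal_arn: str, action: str) -> bool:
    """Minimal offline evaluator: does `policy` grant `action` to `principal_arn`?
    Handles Allow/Deny, string-or-list fields and '*' wildcards in Action and
    Principal; an explicit Deny overrides any Allow. Resource and Condition are
    ignored, which is sufficient for a key-policy sanity check."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        principals = stmt.get("Principal", {})
        if principals == "*":
            principal_match = True
        else:
            principal_match = any(
                fnmatch.fnmatchcase(principal_arn, p)
                for p in _as_list(principals.get("AWS", []))
            )
        action_match = any(
            fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))
        )
        if not (principal_match and action_match):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    updated = add_aip_statement(EXISTING_KEY_POLICY, AIP_ROLE_ARN)
    print(json.dumps(updated, indent=2))
    print("role can decrypt:", statement_allows(updated, AIP_ROLE_ARN, "kms:Decrypt"))
    print(json.dumps(sqs_queue_policy(LOG_QUEUE_ARN, TRAIL_TOPIC_ARN), indent=2))
```

Run it once against a copy of your real key policy (exported with the AWS CLI) before applying the change: the check should report that the role cannot decrypt before the statement is added and can afterwards, while still having no key-administration rights such as kms:ScheduleKeyDeletion.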

Contact AIP Support (aipsupport@f5.com) with any questions.
