
Syncing multiple AWS accounts across a single Hypersync

Note

Hyperproof connects to many third-party systems that frequently change, including the system interface. Contact your System Administrator or the third-party provider for assistance meeting the requirements to integrate with Hyperproof and collect the proof you need.

To read data from an AWS account, Hyperproof assumes an IAM role with limited permissions in that account. This role must be configured in your AWS organization for each account that you want to read data from.

The steps below walk you through the creation of a CloudFormation StackSet that automatically deploys the Hyperproof role to a large number of accounts in your AWS organization.

Creating a stack in the Management Account

Signing in to the AWS Console

  • Hyperproof recommends signing in to the AWS Console as an IAM user, or assuming an IAM role. For more information, please refer to this article.

    Tip

    Click your username in the upper-right corner and then select Organization. Confirm that the account you are signed in to is labeled Management Account; the stack in this section must be created there.

Creating the stack

This stack deploys the contents of the template to the management account, creating an IAM role and inline policy that allows Hyperproof to read data in your AWS organization.

  1. Create a stack in the management account by clicking this link. Enter the parameters listed below:

    • Name - Enter any name or leave the default value

    • External ID - Enter a random UUID that you generate yourself (for example with uuidgen) and record it: the same value must be entered again when you create the StackSet. The External ID becomes a condition on the role's trust policy, so a caller that knows only the role ARN cannot assume the role.

    • HyperproofRoleName - Enter any name or leave the default value

  2. Select the checkbox to acknowledge that CloudFormation may create IAM resources with custom names.

  3. Click Create stack.

Creating a StackSet to deploy the template to Member Accounts

  1. While signed in to the AWS management account, click this link to access the CloudFormation StackSets page.

  2. Click Create StackSet.

Creating the StackSet

  1. In the Specify template section, select the Amazon S3 URL radio button.

  2. Below Amazon S3 URL, enter: https://hypersync-public.s3.us-west-1.amazonaws.com/cloud-template.json.

  3. Click Next.

  4. Below StackSet name, enter a name for the StackSet.

  5. In the Parameters section, enter the same External ID and HyperproofRoleName used when you created the stack.

    Tip

    You can view these parameters at any time by selecting the Parameters tab on the stack’s page in CloudFormation.

  6. Click Next.

  7. In the Tags section, create or select any tags to add to the generated stacks. Note that any tags selected here will only apply to the stacks themselves and not the accounts the stacks apply to.

  8. Click Next.

  9. In the Deployment targets section, select the Deploy to organization radio button. This deploys a stack to every account in the organization.

    Note

    The accounts selected as deployment targets here are not necessarily the same set of accounts the Hypersync pulls data from. You can configure the Hypersync to target a smaller set of accounts in a later step.

  10. In the Auto-deployment options section, select the Enabled radio button. Automatic deployment is recommended so that the Hyperproof IAM role is deployed to every account that later joins the AWS organization. If you disable this option, you must manually manage stack deployments in the OU after the initial deployment.

    Tip

    Below Account removal behavior, select the Delete stacks radio button so that when an account leaves the organization (and is therefore no longer a deployment target), the stack and the Hyperproof IAM role in that account are removed as well.

  11. In the Specify regions section, select a single region, e.g. US East (N. Virginia).

    Important

    IAM is a global service, so the role exists account-wide regardless of the region in which the stack is created. If you select more than one region, the StackSet creates one stack instance per region in each account; the second instance tries to create a role with the same name again, which fails.

  12. In the Deployment options section, below Maximum concurrent accounts, click the drop-down menu and then select Percentage. Enter 100 so that all accounts are deployed to at once rather than in batches.

  13. Click Next.

    Tip

    You can select accounts in Hyperproof using one or more tags. To tag multiple accounts quickly, use the Resource Groups Tag Editor.
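The console procedure above (management-account stack, then the StackSet and its instances) can also be expressed as CloudFormation API calls so that the deployment is repeatable and reviewable. The following is an added example written for this article, not Hyperproof's code. It assumes boto3 is installed and that the default credentials belong to the management account; the parameter keys ExternalId and HyperproofRoleName, the default role name HyperproofRole, and the stack and StackSet name hyperproof-role are assumptions, not values taken from the template (template_parameter_keys() reads the real keys before you deploy).

```python
"""Added example, not Hyperproof's code: the console steps as CloudFormation API calls.

Assumptions (none come from the article): boto3 is installed and the default
credentials belong to the management account; the template's parameter keys are
ExternalId and HyperproofRoleName (check with template_parameter_keys()); the
organization root is looked up with organizations:ListRoots.
"""
import uuid

TEMPLATE_URL = "https://hypersync-public.s3.us-west-1.amazonaws.com/cloud-template.json"
REGION = "us-east-1"  # exactly one region: IAM is global, a second region would recreate the role


def new_external_id():
    """Random UUID4 for the External ID. Record it: the StackSet must reuse the same value."""
    return str(uuid.uuid4())


def _parameters(external_id, role_name):
    # Assumed parameter keys; confirm them with template_parameter_keys().
    return [
        {"ParameterKey": "ExternalId", "ParameterValue": external_id},
        {"ParameterKey": "HyperproofRoleName", "ParameterValue": role_name},
    ]


def stack_request(stack_name, external_id, role_name):
    """CreateStack call for the management account (the 'Creating the stack' steps)."""
    return {
        "StackName": stack_name,
        "TemplateURL": TEMPLATE_URL,
        "Parameters": _parameters(external_id, role_name),
        # The 'may create IAM resources with custom names' checkbox maps to this capability.
        "Capabilities": ["CAPABILITY_NAMED_IAM"],
    }


def stackset_request(stackset_name, external_id, role_name):
    """CreateStackSet call mirroring the StackSet steps: service-managed permissions,
    auto-deployment to new accounts, and stack deletion when an account leaves."""
    return {
        "StackSetName": stackset_name,
        "TemplateURL": TEMPLATE_URL,
        "Parameters": _parameters(external_id, role_name),
        "Capabilities": ["CAPABILITY_NAMED_IAM"],
        "PermissionModel": "SERVICE_MANAGED",
        "AutoDeployment": {"Enabled": True, "RetainStacksOnAccountRemoval": False},
    }


def instances_request(stackset_name, root_id, regions=(REGION,)):
    """CreateStackInstances call: deploy to the whole organization (its root OU),
    in exactly one region, with 100% of the accounts in parallel."""
    regions = list(regions)
    if len(regions) != 1:
        raise ValueError("IAM roles are global; deploy the StackSet to exactly one region")
    return {
        "StackSetName": stackset_name,
        "DeploymentTargets": {"OrganizationalUnitIds": [root_id]},
        "Regions": regions,
        "OperationPreferences": {"MaxConcurrentPercentage": 100},
    }


def template_parameter_keys(cfn):
    """Ask CloudFormation which parameters the template actually declares."""
    summary = cfn.get_template_summary(TemplateURL=TEMPLATE_URL)
    return sorted(p["ParameterKey"] for p in summary.get("Parameters", []))


def deploy(role_name="HyperproofRole", external_id=None, name="hyperproof-role"):
    """Run the three calls in order; returns the External ID you must keep for the Hypersync."""
    import boto3  # imported here so the request builders above work without boto3 installed

    external_id = external_id or new_external_id()
    cfn = boto3.client("cloudformation", region_name=REGION)
    root_id = boto3.client("organizations").list_roots()["Roots"][0]["Id"]

    cfn.create_stack(**stack_request(name, external_id, role_name))
    cfn.get_waiter("stack_create_complete").wait(StackName=name)
    cfn.create_stack_set(**stackset_request(name, external_id, role_name))
    cfn.create_stack_instances(**instances_request(name, root_id))
    return external_id


if __name__ == "__main__":
    print("External ID (keep this):", deploy())
```

Two things to keep in mind when running it: a service-managed StackSet requires trusted access between CloudFormation StackSets and AWS Organizations to be enabled (the console offers to enable it; the API does not), and service-managed StackSets never deploy to the management account itself, which is why the separate stack in the management account is needed in the first place.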

Connecting to AWS and creating a Hypersync in Hyperproof

Please refer to the article, AWS proof types and permissions for steps on how to connect to AWS via Hyperproof.

Note

If any errors are encountered during the syncing process, the final proof document will contain the list of resources that could not be synced (at the bottom of the document). The Hypersync and proof will be marked as unhealthy, with the status of Incomplete proof collection.
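Before connecting the Hypersync, it is worth confirming that the role the StackSet created in each account trusts only Hyperproof and requires the External ID you entered; a role that trusts a wildcard principal or has no sts:ExternalId condition can be assumed by parties other than Hyperproof. The check below is an added example written for this article, not Hyperproof's code. It assumes the role's trust policy is a standard sts:AssumeRole statement whose principal is a single AWS account (the account ID, 111111111111 here, is a placeholder you replace with the value Hyperproof gives you); the role name HyperproofRole and the two sample trust policies are constructed for illustration.

```python
"""Added example, not Hyperproof's code: audit a deployed role's trust policy.

Assumptions (not from the article): the trust policy is a standard sts:AssumeRole
statement; HYPERPROOF_ACCOUNT, EXTERNAL_ID, the role name and the sample policies
below are placeholders constructed for this example.
"""
import json

EXTERNAL_ID = "6b4d9f0c-1e2a-4c7e-9a0b-3f5d8e2c1a44"  # constructed; use the one you generated
HYPERPROOF_ACCOUNT = "111111111111"                     # placeholder; obtain the real value from Hyperproof

# Constructed sample: what a correctly scoped trust policy looks like.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{HYPERPROOF_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Constructed sample: wildcard principal and no External ID condition.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Reduce a Principal element to account IDs; '*' is kept so the caller can flag it."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    accounts = []
    for p in _as_list(principal):
        if p == "*":
            accounts.append("*")
        elif p.startswith("arn:aws:iam::"):
            accounts.append(p.split(":")[4])  # arn:aws:iam::<account>:...
        else:
            accounts.append(p)  # bare 12-digit account ID
    return accounts


def check_trust_policy(policy, expected_external_id, expected_account=None):
    """Return a list of findings for the trust policy; an empty list means it is acceptable."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings, saw_assume = [], False
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        saw_assume = True
        where = f"statement {i}"
        accounts = _principal_accounts(stmt.get("Principal", {}))
        if "*" in accounts:
            findings.append(f"{where}: wildcard principal lets any AWS account assume the role")
        elif expected_account and any(a != expected_account for a in accounts):
            others = sorted(set(accounts) - {expected_account})
            findings.append(f"{where}: unexpected principal account(s) {others}")
        # Condition keys are case-insensitive in IAM, so normalise before looking them up.
        cond = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items()}
        ext = cond.get("sts:externalid")
        if ext is None:
            findings.append(f"{where}: no sts:ExternalId condition (confused-deputy risk)")
        elif expected_external_id not in _as_list(ext):
            findings.append(f"{where}: sts:ExternalId does not match the value given to the StackSet")
    if not saw_assume:
        findings.append("no Allow statement for sts:AssumeRole; nobody can assume this role")
    return findings


def fetch_trust_policy(role_name, session=None):
    """Read the live trust policy with IAM GetRole; boto3 returns the document already decoded."""
    import boto3  # imported here so the offline check above works without boto3 installed

    iam = (session or boto3).client("iam")
    return iam.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]


if __name__ == "__main__":
    for label, doc in (("good", GOOD_TRUST_POLICY), ("weak", WEAK_TRUST_POLICY)):
        print(label, check_trust_policy(doc, EXTERNAL_ID, HYPERPROOF_ACCOUNT) or "OK")
```

Run fetch_trust_policy("HyperproofRole") with credentials for each member account you care about (for example a session obtained by assuming an administrative role in that account) and pass the result to check_trust_policy with the External ID you entered in the StackSet; any finding means the role in that account is not scoped the way the template intends.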