Cloud Storage Security Help Docs
Linking an AWS Account

You can link additional AWS accounts in one deployment of your AV console.


Last updated 5 months ago

Linking Accounts

The Manage Accounts page can look as follows. The deployment account for your Management Console is labeled Primary by default. Like any account, though, that label is only a nickname and can be replaced with something more meaningful if you see fit.

You may not be using Groups to organize your accounts. One group, the Primary group, is always created by default, so in that situation you would specify Primary as the group value.

Deploying the Cross Account Role

After you click the Link Account button, the fields will be replaced with a link to directly launch the CloudFormation Template that creates the cross-account role. If you do not wish to launch the stack at this time, you can do so later, but you will need the values presented here to enter manually when you launch the stack.

You will now see the newly added account listed in the account list. Note the Primary account reflects a bucket count and ProdAcct shows N/A. Once you run the cross-account CloudFormation Template you can mark the account as active. The Console will attempt to assume the role and you will either get a message indicating the role might still need to be created or the account will be marked as active and a bucket count will be reflected. You will know it worked when you see that number populated.

All actions are taken on individual accounts via the action menu ellipsis. From there you can launch the stack, change groups, activate the account and delete the account.

After clicking Launch Stack you will be directed to the AWS Console and right into the Stack creation wizard. If you are not already logged into the AWS Console, you will be prompted to login. Provide the credentials to the remote account you are linking. Then, just tick the box and click create.

Once the role is created head back to the Antivirus for Amazon S3 console and mark the account active from the action ellipses button. If you see the bucket count update you can feel confident the role is working appropriately. When you select to activate an account, you will see the button turn into a "spinner" while it is working.

Once complete the account will be shown as active and a bucket count provided.

All active accounts will be reflected throughout the rest of the console. All buckets from all accounts and all scan statuses will be shown. If you later deactivate a remote account (or even the primary) those buckets will not be reflected in the Bucket Protection page, but the data scanned is still counted in metrics and any "problem files" found will be reflected on the Problem Files page. Deactivating will also remove all event configuration from each bucket in the remote account.

Deleting an account will remove the account from the Linked Accounts pages. All data scanned within that account will still be reflected in the metrics and billing.

Linked Account Role Version Management

Simplified Linked Account Role management was introduced starting with Console version 5.08.000 and Linked Account Role version 1.06.000. With both of those versions (or greater) in place, you can simply upgrade a single account, multiple accounts or all accounts to the latest Linked Account Role. This removes the need to go to each and every linked account to do a Stack Update on the CloudFormation stack that initially created the role.

You can tell which account(s) are behind in their linked account role by the version number in the CFT Version column and the red dot that indicates an update is available. You can upgrade one, several or all of the accounts.

For a single account, click the row's action button and select Update Stack.

For multiple accounts, tick their checkboxes, open the top-level Action menu and click Update Stacks.

In addition, when the console checks for product updates it also checks for Linked Account Role updates, which are reflected in the overall Updates menu. Clicking that option updates every account that has an update available. If you want to roll updates out selectively, use the options above on the Manage Accounts page.

If you are still on a role version below 1.06, then you will have to upgrade all the linked accounts manually one last time.

We have programmed the Console to look for the default Linked Account Role CloudFormation Stack name, CloudStorageSec-AV-for-S3-Linked-Account, in the same AWS Region the Console is deployed in (but inside the linked account). If you changed the name of the Stack or deployed it in an alternate region, then you will have to update the values on the Manage Accounts page in order for this to work.

Role Issues

If the role is deleted or changed in such a way in the linked account that the console can no longer assume it, the scanning agents will not be able to retrieve the objects and those objects will be reflected as Error files in the Problem Files page. The linked account buckets will still show on the Bucket Protection page and the events will continue to be pushed to the queue, but we will continue to error out in processing those files until the role is fixed.
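The activation check described above (assume the cross-account role, count the account's buckets, and look for the default Linked Account Role stack in the console's region) as an added Python example; this is not Cloud Storage Security's own code. The role name CloudStorageSecLinkedAccountRole, the region us-east-1, the account IDs and the bucket names are constructed assumptions; the default stack name is the one the docs give. The AWS clients are faked so the script runs offline, and the same function runs against real clients if you pass a boto3 STS client and a factory that builds a boto3.Session from the returned credentials.

```python
"""Linked-account activation check (added example, not the product's code).

Mirrors the documented console behaviour: assume the role, count buckets
(N/A until that works), then check the default stack in the console's region.
Role name, region, account IDs and bucket names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_STACK_NAME = "CloudStorageSec-AV-for-S3-Linked-Account"  # from the docs
CONSOLE_REGION = "us-east-1"  # assumption: region the console is deployed in


@dataclass
class ActivationResult:
    account_id: str
    active: bool = False
    bucket_count: Optional[int] = None  # None is what the console shows as N/A
    messages: List[str] = field(default_factory=list)


def _error_code(exc: Exception) -> str:
    # botocore's ClientError carries the AWS error code in .response
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")


def activate_linked_account(sts, account_id, role_name, session_factory, region=CONSOLE_REGION):
    """sts: STS client of the console account. session_factory(creds) must return an
    object with .client(service, region_name=None); boto3.Session fits that shape."""
    role_arn = f"arn:aws:iam::{account_id}:role/{role_name}"
    result = ActivationResult(account_id)
    try:
        creds = sts.assume_role(RoleArn=role_arn, RoleSessionName="linked-account-check")["Credentials"]
    except Exception as exc:
        if _error_code(exc) != "AccessDenied":
            raise
        result.messages.append("Role could not be assumed; the cross-account stack may still need to be created.")
        return result  # account stays inactive, bucket count stays N/A
    session = session_factory(creds)
    result.bucket_count = len(session.client("s3").list_buckets().get("Buckets", []))
    result.active = True  # a populated bucket count is the sign the role works
    try:
        session.client("cloudformation", region_name=region).describe_stacks(StackName=DEFAULT_STACK_NAME)
    except Exception as exc:
        if _error_code(exc) != "ValidationError":  # CloudFormation's code for a missing stack
            raise
        result.messages.append(f"Stack {DEFAULT_STACK_NAME} not found in {region}; if it was renamed or "
                               "deployed elsewhere, update the stack details on the Manage Accounts page.")
    return result


# ---- constructed offline stand-ins for the AWS clients ----------------------
class _AwsError(Exception):
    """Same .response shape as botocore.exceptions.ClientError."""
    def __init__(self, code: str, msg: str):
        super().__init__(msg)
        self.response = {"Error": {"Code": code, "Message": msg}}


LINKED_ACCOUNTS: Dict[str, dict] = {  # constructed sample data
    "111122223333": {"role": True, "buckets": ["prod-logs", "prod-uploads", "prod-backups"],
                     "stacks": {"us-east-1": [DEFAULT_STACK_NAME]}},
    "444455556666": {"role": False, "buckets": ["dev-data"], "stacks": {}},  # stack never launched
    "777788889999": {"role": True, "buckets": ["eu-archive"],
                     "stacks": {"eu-west-1": [DEFAULT_STACK_NAME]}},  # stack in another region
}


class FakeSts:
    def assume_role(self, RoleArn, RoleSessionName):
        account_id = RoleArn.split(":")[4]
        if not LINKED_ACCOUNTS.get(account_id, {}).get("role"):
            raise _AwsError("AccessDenied", f"not authorized to perform sts:AssumeRole on {RoleArn}")
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "x",
                                "SessionToken": "y", "AccountId": account_id}}


class FakeSession:
    def __init__(self, account: dict):
        self.account = account

    def client(self, service, region_name=None):
        acct = self.account
        if service == "s3":
            return type("S3", (), {"list_buckets": lambda _s: {"Buckets": [{"Name": b} for b in acct["buckets"]]}})()

        def describe_stacks(_s, StackName):
            if StackName not in acct["stacks"].get(region_name, []):
                raise _AwsError("ValidationError", f"Stack with id {StackName} does not exist")
            return {"Stacks": [{"StackName": StackName}]}
        return type("Cfn", (), {"describe_stacks": describe_stacks})()


def run_demo(role_name="CloudStorageSecLinkedAccountRole"):  # role name is an assumption
    factory = lambda creds: FakeSession(LINKED_ACCOUNTS[creds["AccountId"]])
    return {acct: activate_linked_account(FakeSts(), acct, role_name, factory) for acct in LINKED_ACCOUNTS}


if __name__ == "__main__":
    for acct, res in run_demo().items():
        count = "N/A" if res.bucket_count is None else res.bucket_count
        print(f"{acct}: active={res.active} buckets={count} {' '.join(res.messages)}")
```

Passing the clients in rather than creating them inside the function is what makes the three documented outcomes (role works, role missing, stack present but in the wrong region) checkable without touching an AWS account.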

You can link another AWS account by clicking the Link Another Account button and filling in the Account Number, the Nickname and the group the account will belong to. Then click the Link Account button. If you'd like to link more at the same time, click the Link Another Account button within the popup and repeat the process of entering the account number, nickname and group.

If the role cannot be assumed during activation, you will see the following message:

[Screenshot: Linked Accounts No Role]

At this time, the Bucket Protection page will reflect the new buckets found and distinguish them from the primary account by nickname.

Group functionality can also impact what you see from the linked accounts throughout the console.