This Terraform module enables registration and configuration of AWS accounts with CrowdStrike's Falcon Cloud Security.
Key features:
- Asset Inventory
- Real-time Visibility and Detection
- Identity Protection (IDP)
- Sensor Management
- Agentless Scanning:
  - Data Security Posture Management (DSPM)
  - Vulnerability Scanning
Note
For multi-region deployments, this module needs to be instantiated separately for each region where FCS components are required.
CrowdStrike API keys are required to use this module. It is highly recommended that you create a dedicated API client with only the required scopes.
- In the CrowdStrike console, navigate to Support and resources > API Clients & Keys. Click Add new API Client.
- Add the required scopes for your deployment:
| Option | Scope Name | Permission |
|---|---|---|
| Automated account registration | CSPM registration | Read and Write |
| | Cloud security AWS registration | Read and Write |
| 1-click sensor management | CSPM sensor management | Read and Write |
| | Installation tokens | Read |
| | Sensor download | Read |
| DSPM | DSPM Data scanner | Read and Write |
- Click Add to create the API client. The next screen displays the API CLIENT ID, SECRET, and BASE URL; you will need all three for the next step.
Note
This page is only shown once. Make sure you copy the CLIENT ID, SECRET, and BASE URL to a secure location.
terraform {
  # Minimum versions only; no upper bound is pinned for Terraform or either provider.
  required_version = ">= 1.5.0"

  required_providers {
    crowdstrike = {
      source  = "CrowdStrike/crowdstrike"
      version = ">= 0.0.44"
    }
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0.0"
    }
  }
}
variable "falcon_client_id" {
  description = "Falcon API Client ID"
  type        = string
  # Redacts the value from plan/apply output; it is still stored in state.
  sensitive   = true
}
variable "falcon_client_secret" {
  description = "Falcon API Client Secret"
  type        = string
  # Redacts the value from plan/apply output only; the secret is still written
  # to the Terraform state, so the state backend must be protected accordingly.
  sensitive   = true
}
variable "account_id" {
  description = "The AWS 12 digit account ID"
  type        = string
  default     = ""

  # Either unset (empty string) or exactly twelve ASCII digits; anything else
  # is rejected at plan time before it reaches the registration resource.
  validation {
    condition     = length(var.account_id) == 0 || can(regex("^[0-9]{12}$", var.account_id))
    error_message = "account_id must be either empty or the 12-digit AWS account ID"
  }
}
locals {
  # Region for the account-wide resources and for the CloudTrail that
  # real-time visibility reads from.
  primary_region = "us-east-1"

  # Regions that receive agentless-scanning (DSPM / vulnerability scanning)
  # resources. Each one is served by its own module instance below.
  agentless_scanning_regions = ["us-east-1", "us-east-2"]

  # Feature toggles shared by the Falcon registration resource and every
  # module instance, so the Falcon side and the AWS side stay in agreement.
  enable_realtime_visibility    = true
  enable_idp                    = true
  enable_sensor_management      = true
  enable_dspm                   = true
  enable_vulnerability_scanning = true

  # Reuse a CloudTrail that already exists instead of creating one.
  use_existing_cloudtrail = true
}
provider "crowdstrike" {
  # Credentials are taken from the sensitive input variables, never inlined here.
  client_secret = var.falcon_client_secret
  client_id     = var.falcon_client_id
}
provider "aws" {
  # Aliased so each module instance can pick its region explicitly via `providers`.
  alias  = "us-east-1"
  region = "us-east-1"
}
provider "aws" {
  # Second regional alias, consumed by the us-east-2 module instance.
  alias  = "us-east-2"
  region = "us-east-2"
}
# Provision AWS account in Falcon.
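resource "crowdstrike_cloud_aws_account" "this" {
  # Registers the account on the Falcon side. Its computed attributes
  # (iam_role_name, external_id, intermediate_role_arn, eventbus_arn,
  # agentless_scanning_role_name, cloudtrail_bucket_name) are what the
  # cloud-registration module instances below wire into AWS.
  #
  # Fix: this previously read local.account_id, which is not declared in the
  # locals block and fails validation. The account ID is supplied by
  # var.account_id, the same source the module instances use.
  account_id = var.account_id

  asset_inventory = {
    enabled = true
  }

  realtime_visibility = {
    enabled                 = local.enable_realtime_visibility
    cloudtrail_region       = local.primary_region
    use_existing_cloudtrail = local.use_existing_cloudtrail
  }

  idp = {
    enabled = local.enable_idp
  }

  sensor_management = {
    enabled = local.enable_sensor_management
  }

  dspm = {
    enabled = local.enable_dspm
  }

  vulnerability_scanning = {
    enabled = local.enable_vulnerability_scanning
  }
}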
module "fcs_account_onboarding" {
  source = "CrowdStrike/cloud-registration/aws"

  # Falcon API credentials, passed through from the sensitive variables.
  falcon_client_id     = var.falcon_client_id
  falcon_client_secret = var.falcon_client_secret

  # Account scope and feature toggles, all driven from the locals block.
  account_id                 = var.account_id
  primary_region             = local.primary_region
  enable_sensor_management   = local.enable_sensor_management
  enable_realtime_visibility = local.enable_realtime_visibility
  enable_idp                 = local.enable_idp
  use_existing_cloudtrail    = local.use_existing_cloudtrail

  # Agentless features are only switched on in this instance when "us-east-1",
  # the region its aws provider targets, is listed in agentless_scanning_regions.
  agentless_scanning_regions    = local.agentless_scanning_regions
  enable_dspm                   = local.enable_dspm && contains(local.agentless_scanning_regions, "us-east-1")
  enable_vulnerability_scanning = local.enable_vulnerability_scanning && contains(local.agentless_scanning_regions, "us-east-1")

  # Cross-account trust material computed by the Falcon registration resource:
  # the reader role name, the external ID used when that role is assumed, the
  # intermediate role allowed to assume it, and the destination event bus.
  iam_role_name                = crowdstrike_cloud_aws_account.this.iam_role_name
  external_id                  = crowdstrike_cloud_aws_account.this.external_id
  intermediate_role_arn        = crowdstrike_cloud_aws_account.this.intermediate_role_arn
  eventbus_arn                 = crowdstrike_cloud_aws_account.this.eventbus_arn
  agentless_scanning_role_name = crowdstrike_cloud_aws_account.this.agentless_scanning_role_name
  cloudtrail_bucket_name       = crowdstrike_cloud_aws_account.this.cloudtrail_bucket_name

  providers = {
    aws         = aws.us-east-1
    crowdstrike = crowdstrike
  }
}
# For each additional region where you want to onboard DSPM or Vulnerability Scanning features:
# - duplicate this module block
# - point its aws provider at the region-specific alias
# If you onboard Real-time Visibility with 'eventbridge' as the log_ingestion_method, do the same
# for each region where you want Real-time Visibility features:
# - duplicate this module block
# - point its aws provider at the region-specific alias
# If you onboard Real-time Visibility with 's3' as the log_ingestion_method, do it for the region
# that hosts your SNS topic:
# - duplicate this module block
# - point its aws provider at the region-specific alias
module "fcs_account_us_east_2" {
  source = "CrowdStrike/cloud-registration/aws"

  # Falcon API credentials, passed through from the sensitive variables.
  falcon_client_id     = var.falcon_client_id
  falcon_client_secret = var.falcon_client_secret

  # Same account scope and feature toggles as the primary instance.
  account_id                 = var.account_id
  primary_region             = local.primary_region
  enable_sensor_management   = local.enable_sensor_management
  enable_realtime_visibility = local.enable_realtime_visibility
  enable_idp                 = local.enable_idp
  use_existing_cloudtrail    = local.use_existing_cloudtrail

  # Agentless features are only switched on here when "us-east-2", the region
  # this instance's aws provider targets, is listed in agentless_scanning_regions.
  agentless_scanning_regions    = local.agentless_scanning_regions
  enable_dspm                   = local.enable_dspm && contains(local.agentless_scanning_regions, "us-east-2")
  enable_vulnerability_scanning = local.enable_vulnerability_scanning && contains(local.agentless_scanning_regions, "us-east-2")

  # Cross-account trust material computed by the Falcon registration resource.
  iam_role_name                = crowdstrike_cloud_aws_account.this.iam_role_name
  external_id                  = crowdstrike_cloud_aws_account.this.external_id
  intermediate_role_arn        = crowdstrike_cloud_aws_account.this.intermediate_role_arn
  eventbus_arn                 = crowdstrike_cloud_aws_account.this.eventbus_arn
  agentless_scanning_role_name = crowdstrike_cloud_aws_account.this.agentless_scanning_role_name
  cloudtrail_bucket_name       = crowdstrike_cloud_aws_account.this.cloudtrail_bucket_name

  # The account-wide IAM roles are created once by the primary instance; this
  # regional instance reuses them via their unique IDs instead of creating new ones.
  agentless_scanning_integration_role_unique_id = module.fcs_account_onboarding.integration_role_unique_id
  agentless_scanning_scanner_role_unique_id     = module.fcs_account_onboarding.scanner_role_unique_id

  providers = {
    aws         = aws.us-east-2
    crowdstrike = crowdstrike
  }
}
| Name | Version |
|---|---|
| aws | >= 5.0.0 |
| crowdstrike | >= 0.0.44 |
| Name | Type |
|---|---|
| aws_caller_identity.current | data source |
| aws_region.current | data source |
| crowdstrike_cloud_aws_account.target | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_id | The AWS 12 digit account ID | string | "" | no |
| account_type | Account type can be either 'commercial' or 'gov' | string | "commercial" | no |
| agentless_scanning_create_nat_gateway | Set to true to create a NAT Gateway for agentless scanning environments | bool | true | no |
| agentless_scanning_custom_vpc_resources_map | Map of regions to custom VPC resources for Agentless Scanning deployment. Each region can specify existing VPC resources to use instead of creating new ones. Example: { "us-east-1" = { vpc = "vpc-0123456789abcdef0" scanner_subnet = "subnet-0123456789abcdef0" scanner_sg = "sg-0123456789abcdef0" db_subnet_a = "subnet-1123456789abcdef0" db_subnet_b = "subnet-2123456789abcdef0" db_sg = "sg-1123456789abcdef0" } } All resource IDs must exist in the specified region. | map(object({...})) | {} | no |
| agentless_scanning_host_account_id | The AWS account ID where agentless scanning host resources are deployed | string | "" | no |
| agentless_scanning_host_role_name | Name of agentless scanning integration role in host account | string | "CrowdStrikeAgentlessScanningIntegrationRole" | no |
| agentless_scanning_host_scanner_role_name | Name of agentless scanning scanner role in host account | string | "CrowdStrikeAgentlessScanningScannerRole" | no |
| agentless_scanning_integration_role_unique_id | The unique ID of the Agentless scanning integration role | string | "" | no |
| agentless_scanning_regions | List of regions where agentless scanning will be deployed | list(string) | [...] | no |
| agentless_scanning_role_name | The unique name of the IAM role that Agentless scanning will be assuming | string | "CrowdStrikeAgentlessScanningIntegrationRole" | no |
| agentless_scanning_scanner_role_name | The unique name of the IAM role that Agentless scanning scanner will be assuming | string | "CrowdStrikeAgentlessScanningScannerRole" | no |
| agentless_scanning_scanner_role_unique_id | The unique ID of the Agentless scanning scanner role | string | "" | no |
| agentless_scanning_use_custom_vpc | Use existing custom VPC resources for ALL deployment regions (requires agentless_scanning_custom_vpc_resources_map with all regions) | bool | false | no |
| cloudtrail_bucket_name | Name of the S3 bucket for CloudTrail logs | string | "" | no |
| create_rtvd_rules | Set to false if you don't want to enable monitoring in this region | bool | true | no |
| dspm_create_nat_gateway | DEPRECATED: Use agentless_scanning_create_nat_gateway instead. Set to true to create a NAT Gateway for DSPM scanning environments | bool | true | no |
| dspm_dynamodb_access | Apply permissions for DynamoDB table scanning | bool | true | no |
| dspm_integration_role_unique_id | DEPRECATED: Use agentless_scanning_integration_role_unique_id instead. The unique ID of the DSPM integration role | string | "" | no |
| dspm_rds_access | Apply permissions for RDS instance scanning | bool | true | no |
| dspm_redshift_access | Apply permissions for Redshift cluster scanning | bool | true | no |
| dspm_regions | DEPRECATED: Use agentless_scanning_regions instead. List of regions where DSPM scanning will be deployed | list(string) | [] | no |
| dspm_role_name | DEPRECATED: Use agentless_scanning_role_name instead. The unique name of the IAM role that DSPM will be assuming | string | "" | no |
| dspm_s3_access | Apply permissions for S3 bucket scanning | bool | true | no |
| dspm_scanner_role_name | DEPRECATED: Use agentless_scanning_scanner_role_name instead. The unique name of the IAM role that CrowdStrike Scanner will be assuming | string | "" | no |
| dspm_scanner_role_unique_id | DEPRECATED: Use agentless_scanning_scanner_role_unique_id instead. The unique ID of the DSPM scanner role | string | "" | no |
| enable_dspm | Set to true to enable Data Security Posture Management | bool | false | no |
| enable_idp | Set to true to install Identity Protection resources | bool | false | no |
| enable_realtime_visibility | Set to true to install realtime visibility resources | bool | false | no |
| enable_sensor_management | Set to true to install 1Click Sensor Management resources | bool | n/a | yes |
| enable_vulnerability_scanning | Set to true to enable Vulnerability Scanning | bool | false | no |
| eventbridge_role_name | The eventbridge role name | string | "CrowdStrikeCSPMEventBridge" | no |
| eventbus_arn | Eventbus ARN to send events to | string | "" | no |
| external_id | The external ID used to assume the AWS reader role | string | "" | no |
| falcon_client_id | Falcon API Client ID | string | n/a | yes |
| falcon_client_secret | Falcon API Client Secret | string | n/a | yes |
| iam_role_name | The name of the reader role | string | "" | no |
| intermediate_role_arn | The intermediate role that is allowed to assume the reader role | string | "" | no |
| is_gov | Set to true if you are deploying in gov Falcon | bool | false | no |
| log_ingestion_kms_key_arn | Optional KMS key ARN for decrypting S3 objects (when log_ingestion_method=s3) | string | "" | no |
| log_ingestion_method | Choose the method for ingesting CloudTrail logs - eventbridge (default) or s3 | string | "eventbridge" | no |
| log_ingestion_s3_bucket_name | S3 bucket name containing CloudTrail logs (required when log_ingestion_method=s3) | string | "" | no |
| log_ingestion_s3_bucket_prefix | Optional S3 bucket prefix/path for CloudTrail logs (when log_ingestion_method=s3) | string | "" | no |
| log_ingestion_sns_topic_arn | SNS topic ARN that publishes S3 object creation events (required when log_ingestion_method=s3) | string | "" | no |
| organization_id | The AWS Organization ID. Leave blank when onboarding a single account | string | "" | no |
| permissions_boundary | The name of the policy used to set the permissions boundary for IAM roles | string | "" | no |
| primary_region | Region for deploying global AWS resources (IAM roles, policies, etc.) that are account-wide and only need to be created once. Distinct from agentless_scanning_regions which controls region-specific resource deployment. | string | n/a | yes |
| resource_prefix | The prefix to be added to all resource names | string | "CrowdStrike" | no |
| resource_suffix | The suffix to be added to all resource names | string | "" | no |
| tags | A map of tags to add to all resources that support tagging | map(string) | {} | no |
| use_existing_cloudtrail | Set to true if you already have a CloudTrail | bool | false | no |
| use_existing_iam_reader_role | Set to true if you want to use an existing IAM role for asset inventory | bool | false | no |
| vpc_cidr_block | VPC CIDR block | string | "10.0.0.0/16" | no |
| Name | Description |
|---|---|
| integration_role_unique_id | The unique ID of the DSPM integration role |
| scanner_role_unique_id | The unique ID of the DSPM scanner role |

