Integrate AWS Control Tower with Red Canary
    • 09 Sep 2024

    Red Canary requests access to all regions in your AWS account so that it can enumerate resources and ingest region-specific GuardDuty findings. Red Canary is granted limited, primarily read-only access to a specific set of AWS services within each customer account through an assigned IAM role with restricted privileges.

    Control Tower’s Region Deny Setting

    When configuring an AWS Control Tower Landing Zone and selecting regions for governance, Control Tower offers two places to configure region deny: a setting at the landing zone level and a control at the Organizational Unit (OU) level. With region deny in place, principals in the account, including the Red Canary role, are blocked from enumerating resources or fetching GuardDuty findings in any region that is not governed. Only the OU-level control can be customized with exempted principals, which is what allows Red Canary's role to be granted access.

    Grant Red Canary access and use Region Deny

    You must enable the CT.MULTISERVICE.PV.1 control (the OU-level region deny control) in Control Tower.

    Ensure that it:

    • Applies to all OUs and accounts in the organization

    • Allows access for all governed regions

    • Grants access to the Red Canary IAM role provisioned in each account.

      • Example: arn:aws:iam::*:role/rc-partner-access-control

    Once the CT.MULTISERVICE.PV.1 control is enabled and applies to all accounts, edit the Landing Zone settings and change the landing zone region deny setting to Not enabled. Leaving both enabled would keep the landing zone deny, which carries no Red Canary exemption, in force.
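    The following is an added example, not Red Canary's or AWS's code, that models why the OU-level control is the one that needs the exemption. It builds a policy shaped like a Control Tower region-deny SCP (a Deny statement with a NotAction carve-out for global services, an aws:RequestedRegion condition, and an optional aws:PrincipalARN exemption) and evaluates sample requests against it. The NotAction list is abbreviated, the account ID and region lists are constructed, ARN matching is simplified to glob matching, and the real SCP that Control Tower generates carries its own additional exemptions; treat it as an illustration of the evaluation logic, not a reproduction of the managed policy.

```python
"""Model of the Control Tower region-deny SCP and the effect of the
CT.MULTISERVICE.PV.1 principal exemption on the Red Canary role.

Added example; constructed inputs, abbreviated NotAction list, and glob-style
ARN matching are simplifications, not the managed policy AWS generates.
"""
import fnmatch

# Constructed: a short stand-in for the global-service carve-out in the real SCP.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "support:*", "cloudfront:*"]

# The Red Canary role ARN pattern from the article.
RED_CANARY_ROLE_PATTERN = "arn:aws:iam::*:role/rc-partner-access-control"


def region_deny_scp(governed_regions, exempt_principal_arns=()):
    """Build an SCP shaped like Control Tower's region deny.

    governed_regions: regions in which API calls stay allowed.
    exempt_principal_arns: ARN patterns never region-denied; this is the
    customization the OU-level control exposes and the landing-zone setting does not.
    """
    condition = {"StringNotEquals": {"aws:RequestedRegion": list(governed_regions)}}
    if exempt_principal_arns:
        condition["ArnNotLike"] = {"aws:PrincipalARN": list(exempt_principal_arns)}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RegionDeny",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": condition,
        }],
    }


def _matches_any(value, patterns):
    # Simplification: AWS wildcard matching approximated with case-sensitive globbing.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, request):
    """Evaluate the two condition operators the region-deny statement uses."""
    for key, values in condition.get("StringNotEquals", {}).items():
        if request.get(key) in values:
            return False  # request is in a governed region
    for key, patterns in condition.get("ArnNotLike", {}).items():
        if _matches_any(request.get(key, ""), patterns):
            return False  # principal is exempted
    return True


def scp_denies(policy, action, region, principal_arn):
    """True if a Deny statement in the SCP matches the request.

    SCPs never grant permissions; this only asks whether the region deny
    blocks the call. Handles Deny statements written with NotAction.
    """
    request = {"aws:RequestedRegion": region, "aws:PrincipalARN": principal_arn}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if _matches_any(action, stmt.get("NotAction", [])):
            continue  # global-service action carved out of the deny
        if _condition_holds(stmt.get("Condition", {}), request):
            return True
    return False


def red_canary_blocked_regions(policy, all_regions, account_id="111122223333"):
    """Regions in which the Red Canary role could not list GuardDuty findings.

    account_id is a constructed placeholder."""
    role = f"arn:aws:iam::{account_id}:role/rc-partner-access-control"
    return [r for r in all_regions
            if scp_denies(policy, "guardduty:ListFindings", r, role)]


if __name__ == "__main__":
    regions = ["us-east-1", "us-west-2", "eu-west-1", "ap-southeast-2"]  # constructed
    governed = ["us-east-1", "us-west-2"]  # constructed
    no_exemption = region_deny_scp(governed)
    with_exemption = region_deny_scp(governed, [RED_CANARY_ROLE_PATTERN])
    print("deny without exemption blocks:", red_canary_blocked_regions(no_exemption, regions))
    print("deny with OU exemption blocks:", red_canary_blocked_regions(with_exemption, regions))
```

    Running it shows the Red Canary role denied in every non-governed region under the policy without an exemption, and denied nowhere once its ARN pattern is in the ArnNotLike list, while any other principal in the account remains denied outside the governed regions. That asymmetry is the reason the procedure enables CT.MULTISERVICE.PV.1 with the exemption first and only then turns the landing zone setting off.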

    For more information, see Configure the Region deny control.
