Multi connect is an enterprise feature only available in the professional or custom package.
Having to connect many accounts can be very cumbersome using the manual approach. Therefore, we also employ a multi account connector feature that allows to automatically connect an arbitrary amount of accounts simultaneously. This article guides you through the multi connect process.
The multi connector is based on AWS StackSets. This means that after connecting an AWS management account to CodeShield, you will be able to connect accounts from any organizational unit that is registered under the connected AWS management account. The StackSet manages a CloudFormation stack in each child account that employs the usual connection mechanism for CodeShield as in the single connection approach, i.e., a CloudFormation stack with a single IAM::Role that can be assumed by CodeShield to read out metadata from the account.
1. Connecting an AWS management account
To be able to automatically connect arbitrary child accounts, one has to first connect an AWS management account using the manual connector. Therefore, follow the corresponding documentation.
2. Connecting child accounts
- After a management account was connected, CodeShield will show the account in its Connected Accounts. CodeShield automatically detects that the connected account is indeed a management account which is indicated by a tag:
- To automatically connect child accounts to CodeShield, click on the account settings indicated by the gear icon next to your management account.
- You can now select specific accounts or entire organizational units that you want to connect to CodeShield and hit the Deploy Stack Set button:
- The connection can take up to a few minutes depending on the number of accounts that should be connected. You can observe the progress directly in the AWS StackSet console by clicking on the StackSet link that is shown in CodeShield's account settings page.
- After the StackSet was successfully deployed, you can find the connected child accounts in the Connected Accounts as sub-items of their management account:
- To configure a first scan configuration for each account, click on Manage Scans on the corresponding account and follow the usual procedure.
Tip: After setting-up a scan configuration for each account, you can easily rescan all configurations with one click of
Rescan All button.
Also, the Connected Accounts list allows you to sort accounts based on their name, and number of resources/scenarios by clicking the corresponding table header.
3. Deleting child connections
You can easily delete the connection to specific child accounts or even entire organizational units by de-selecting them and updating the corresponding StackSet in the management account settings(Step 3 in the previous section).
If you delete the connection to the management account itself, CodeShield will clean-up the StackSet and all child connections, as well as the CloudFormation stack deployed for the original connection of the management account,