Complete step-by-step deployment instructions for the CrowdStrike Cloud Security Posture Management (CSPM) auto-onboarding system with AWS Secrets Manager integration.
📋 Quick Start: Use the provided config/example_mapping.json template to create your production configuration with your specific CrowdStrike CIDs, AWS OU IDs, and cloud regions.
- AWS CLI configured with appropriate permissions
- Python 3.7+ installed
- Access to CrowdStrike API credentials
- AWS Organizations administrative access
- CloudFormation deployment permissions
- S3 bucket for storing templates and configuration
- Your CrowdStrike CID IDs and AWS Organizational Unit IDs
This deployment includes several security and functionality enhancements:
- ✅ Enhanced CSPM Template: 153+ additional AWS service permissions across 38+ services
- ✅ Secrets Manager Integration: Secure credential storage (no hardcoded credentials)
- ✅ Multi-Cloud Support: Automatic API endpoint and account type selection based on cloud region
- ✅ Least Privilege Lambda: Minimal required permissions for maximum security
- ✅ Multiple IAM Roles: CSPM Reader, DSPM Scanner, DSPM Integration, Sensor Management
- ✅ Event-Driven Automation: Real-time OU change processing
- ✅ S3-Based Configuration: Centralized configuration management
```bash
# Verify AWS CLI is configured
aws sts get-caller-identity

# Verify you're in the correct directory
pwd
# Should be: /path/to/your/event-driven-auto-onboarding

# Verify Python 3 is available
python3 --version

# Check required files exist
ls -la config/example_mapping.json   # Example template
ls -la setup_secrets.py
ls -la secure_deployment.py
ls -la crowdstrike-stackset-template.yaml
```

Create your production configuration using the provided example template:
```bash
# Keep a pristine copy of the template, then edit the template in place
# (the rest of this guide reads the production values from config/example_mapping.json)
cp config/example_mapping.json config/example_mapping.json.bak

# Edit the configuration file with your specific details
nano config/example_mapping.json
```

Update the following in example_mapping.json:
- Replace `YOUR-CID-ID-HERE-*` with your actual CrowdStrike CID IDs
- Replace `ou-xxxxx-xxxxxxxx` with your AWS Organizational Unit IDs
- Update `secret_name` paths to match your AWS Secrets Manager setup
- Set the correct `cloud` region (us-1, us-2, eu-1, or us-gov-1)
- Update `cspm_template_url` with your S3 bucket name: `https://YOUR-BUCKET-NAME.s3.amazonaws.com/crowdstrike-stackset-template.yaml`

Expected Output:
- Configuration file created: `config/example_mapping.json`
- All placeholder values replaced with your actual data
Store CrowdStrike API credentials securely in AWS Secrets Manager using the CLI tool:
Option A: Interactive Mode (Recommended - More Secure)

```bash
# Interactive mode - prompts for credentials (credentials not visible in shell history)
# Replace with your actual CrowdStrike CID names and secret paths
python3 setup_secrets.py --secret-name crowdstrike/production-cid-1/credentials --description "Production CrowdStrike CID 1 credentials"

# For additional CIDs (repeat as needed)
python3 setup_secrets.py --secret-name crowdstrike/production-cid-2/credentials --description "Production CrowdStrike CID 2 credentials"

# Example with custom naming convention
python3 setup_secrets.py --secret-name mycompany/crowdstrike/main-tenant --description "Main tenant CrowdStrike credentials"
```

Option B: Command Line Mode (Less Secure)

```bash
# Command line mode - credentials will be visible in shell history and in the process list
python3 setup_secrets.py \
  --secret-name crowdstrike/production-cid-1/credentials \
  --client-id YOUR_CLIENT_ID_HERE \
  --client-secret YOUR_CLIENT_SECRET_HERE \
  --cid YOUR_CID_HERE \
  --description "Production CrowdStrike CID 1 credentials"
```

Option C: Custom Region/Names

```bash
# Use custom region and secret names
python3 setup_secrets.py \
  --secret-name my-company/crowdstrike/prod \
  --region us-west-2 \
  --description "Production CrowdStrike credentials"
```

Expected Output:
- AWS identity verification
- Interactive credential input (if using interactive mode)
- Secret creation/update confirmation
- Verification of secret retrieval
- Next steps guidance
💡 Secret Naming Best Practices:
- Use a consistent naming convention: `crowdstrike/{environment}-{identifier}/credentials`
- Examples: `crowdstrike/prod-main/credentials`, `crowdstrike/dev-test/credentials`
- Remember to update your `config/example_mapping.json` to reference these secret names
Upload the enhanced CrowdStrike CSPM template with 153+ additional AWS service permissions:
```bash
# Upload the enhanced template to S3 (replace with your bucket name)
aws s3 cp crowdstrike-stackset-template.yaml \
  s3://YOUR-BUCKET-NAME/crowdstrike-stackset-template.yaml

# Upload the production configuration
aws s3 cp config/example_mapping.json \
  s3://YOUR-BUCKET-NAME/config/example_mapping.json
```

Expected Output:
- Template uploaded successfully to S3
- Configuration file uploaded for Lambda access
Validate your production configuration file structure:
```bash
# Validate the production configuration file
python3 config_utility.py

# Alternative: Manual validation
python3 -c "
import json
try:
    with open('config/example_mapping.json') as f:
        config = json.load(f)
    print('✅ Configuration file is valid JSON')
    print(f'📋 CIDs configured: {len(config.get(\"cids\", {}))}')
    for cid_id, cid_data in config.get('cids', {}).items():
        print(f'  - {cid_data.get(\"description\", \"Unknown\")}: {len(cid_data.get(\"organizational_units\", []))} OUs')
        print(f'    Cloud: {cid_data.get(\"cloud\", \"not-set\")}')
        print(f'    Secret: {cid_data.get(\"secret_name\", \"not-set\")}')
    print(f'📋 Cloud endpoints configured: {len(config.get(\"crowdstrike\", {}).get(\"cloud_endpoints\", {}))}')
except Exception as e:
    print(f'❌ Configuration error: {e}')
    print('💡 Tip: Check config/example_mapping.json for correct format')
"
```

Expected Output:
- Configuration validation passes
- Shows your CIDs configured (not placeholder values)
- Lists organizational units for each CID
- Displays correct cloud regions and endpoints
- No JSON syntax errors
Configure CrowdStrike cloud regions for automatic API endpoint and account type selection:
```bash
# View current cloud configuration
python3 -c "
import json
with open('config/example_mapping.json') as f:
    config = json.load(f)
print('📋 Current Cloud Configuration:')
for cid_id, cid_data in config['cids'].items():
    cloud_region = cid_data.get('cloud', 'us-gov-1')
    endpoint = config['crowdstrike']['cloud_endpoints'].get(cloud_region, 'Unknown')
    account_type = 'government' if cloud_region == 'us-gov-1' else 'commercial'
    print(f'  - {cid_data[\"description\"]}: {cloud_region} → {endpoint} ({account_type})')
"
```

Supported Cloud Regions:
- us-1: https://api.crowdstrike.com (commercial)
- us-2: https://api.us-2.crowdstrike.com (commercial)
- eu-1: https://api.eu-1.crowdstrike.com (commercial)
- us-gov-1: https://api.laggar.gcw.crowdstrike.com (government)

To change cloud regions, edit config/example_mapping.json and update the `cloud` field for each CID (`"us-1"` in this example; JSON does not allow comments, so change only the value):

```json
{
  "cids": {
    "YOUR-CID-HERE": {
      "description": "Your CID Description",
      "cloud": "us-1",
      "secret_name": "crowdstrike/your-cid/credentials",
      "organizational_units": ["ou-xxxxx-xxxxxxxx"]
    }
  }
}
```

Expected Output:
- Shows current cloud region for each CID
- Displays correct API endpoint and account type mapping
- Confirms multi-cloud configuration is ready
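As an added example (not part of the project's own code), the following Python performs the two checks this guide describes for config/example_mapping.json: it maps each CID's `cloud` value to the API endpoint and account type exactly as the snippet above does, and it flags leftover placeholders, unknown regions, missing secret names and an OU mapped to more than one CID (which would make event routing ambiguous). The mapping is constructed sample data; the CID values, OU IDs and the unsupported `ap-1` region are made up.

```python
# Constructed sample in the shape of this guide's config/example_mapping.json:
# two CIDs, one still carrying placeholders, one with an unsupported cloud value.
SAMPLE_CONFIG = {
    "crowdstrike": {
        "cspm_template_url": "https://YOUR-BUCKET-NAME.s3.amazonaws.com/crowdstrike-stackset-template.yaml",
        "cloud_endpoints": {"us-1": "https://api.crowdstrike.com", "us-2": "https://api.us-2.crowdstrike.com",
                            "eu-1": "https://api.eu-1.crowdstrike.com", "us-gov-1": "https://api.laggar.gcw.crowdstrike.com"},
    },
    "cids": {
        "YOUR-CID-ID-HERE-1": {"description": "Production CID 1", "cloud": "us-1",
                               "secret_name": "crowdstrike/production-cid-1/credentials",
                               "organizational_units": ["ou-abcd-11111111", "ou-xxxxx-xxxxxxxx"]},
        "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6": {"description": "Production CID 2", "cloud": "ap-1",
                                             "secret_name": "crowdstrike/production-cid-2/credentials",
                                             "organizational_units": ["ou-abcd-11111111"]},
    },
}
PLACEHOLDERS = ("YOUR-", "ou-xxxxx")  # markers the template ships with


def resolve_cloud(config, cid_data):
    """Map a CID's 'cloud' value to (api_endpoint, account_type): us-gov-1 is the
    government cloud, any other configured region is commercial (default: us-gov-1)."""
    region = cid_data.get("cloud", "us-gov-1")
    endpoint = config.get("crowdstrike", {}).get("cloud_endpoints", {}).get(region)
    return endpoint, ("government" if region == "us-gov-1" else "commercial")


def validate_mapping(config):
    """Return the problems that would make onboarding fail or route an account to the wrong CID."""
    problems, ou_owner = [], {}
    if any(m in config.get("crowdstrike", {}).get("cspm_template_url", "") for m in PLACEHOLDERS):
        problems.append("cspm_template_url still points at the placeholder bucket")
    for cid, data in config.get("cids", {}).items():
        if any(m in cid for m in PLACEHOLDERS):
            problems.append(f"{cid}: placeholder CID key")
        if not data.get("secret_name"):
            problems.append(f"{cid}: secret_name missing")
        if resolve_cloud(config, data)[0] is None:
            problems.append(f"{cid}: unknown cloud region {data.get('cloud')!r}")
        for ou in data.get("organizational_units", []):
            if any(m in ou for m in PLACEHOLDERS):
                problems.append(f"{cid}: placeholder OU {ou}")
            elif ou in ou_owner:  # one OU in two CIDs makes event routing ambiguous
                problems.append(f"{ou} is mapped to both {ou_owner[ou]} and {cid}")
            else:
                ou_owner[ou] = cid
    return problems
```

Running `validate_mapping` on the real file after editing should return an empty list before you upload it to S3.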
Secure Deployment with Enhanced Permissions (Recommended)

```bash
# Uses enhanced template from S3 with 153+ additional AWS service permissions
# Includes Secrets Manager integration + full CSPM coverage (DSPM, sensor management, etc.)
# Automatic cloud region detection and API endpoint selection
python3 secure_deployment.py
```

Alternative Deployment Method

```bash
# Alternative deployment method (if above fails)
python3 complete_fresh_deployment.py
```

Expected Output:
- CrowdStrike API authentication successful (with correct cloud endpoint)
- Account registration for each configured OU with proper account type (commercial/government)
- StackSet deployment with enhanced template from S3
- Multiple IAM roles created: CSPM Reader, DSPM Scanner, DSPM Integration, Sensor Management
- Enhanced permissions applied: 153+ additional AWS service permissions
- All managed policies: SecurityAudit
- Custom policies: CrowdStrikeCSPMPolicy + CrowdStrikeCSPMExtendedPolicy
- Cloud region detection: Automatic API endpoint and account type selection
- No External ID mismatch errors
Deploy CloudFormation infrastructure with least privilege Lambda role:
```bash
# Deploy the enhanced infrastructure with least privilege permissions
aws cloudformation deploy \
  --template-file infrastructure/auto-onboarding-infrastructure.yaml \
  --stack-name crowdstrike-auto-onboarding-infrastructure \
  --capabilities CAPABILITY_NAMED_IAM \
  --parameter-overrides \
    LambdaCodeBucket=YOUR-BUCKET-NAME \
    CSPMTemplateURL=https://YOUR-BUCKET-NAME.s3.amazonaws.com/crowdstrike-stackset-template.yaml
```

Expected Output:
- CloudFormation stack deployment successful
- EventBridge rules created for OU changes
- Lambda role created with least privilege permissions
- Lambda function placeholder created
Deploy the Lambda function that handles real-time OU changes:
```bash
# Navigate to Lambda directory
cd ou-change-handler

# Deploy the secure Lambda function with Secrets Manager (replace with your bucket name)
bash ../deploy_secure_lambda.sh YOUR-BUCKET-NAME

# Return to root directory
cd ..
```

Expected Output:
- Lambda deployment package created
- Function code updated successfully
- Environment variables configured for S3 config source
- IAM roles and policies created
- Lambda function permissions configured
Comprehensive deployment verification:
```bash
# Check Lambda function status
aws lambda get-function --function-name "CrowdStrike-OU-Event-Handler-Secure"

# Check CloudFormation stack status
aws cloudformation describe-stacks --stack-name crowdstrike-auto-onboarding-infrastructure

# Verify secrets are created
aws secretsmanager list-secrets --query "SecretList[?contains(Name, 'crowdstrike')]"

# Test configuration loading
python3 -c "
import json
with open('config/example_mapping.json') as f:
    config = json.load(f)
print(f'✅ Configuration loaded: {len(config[\"cids\"])} CIDs configured')
for cid_id, cid_data in config['cids'].items():
    print(f'  - {cid_data[\"description\"]}: {len(cid_data[\"organizational_units\"])} OUs')
"
```

Test CrowdStrike API connectivity and authentication:
```bash
# Test CrowdStrike API connectivity (with your test account)
python3 -c "
from secure_deployment import SecureCrowdStrikeDeployment
import json

# Load config to get first CID
with open('config/example_mapping.json') as f:
    config = json.load(f)

# Test first CID
first_cid = list(config['cids'].keys())[0]
cid_data = config['cids'][first_cid]
print(f'Testing CID: {first_cid}')
print(f'Secret: {cid_data[\"secret_name\"]}')

# Initialize secure deployment (credentials are read from the named secret, not from the config)
deployment = SecureCrowdStrikeDeployment(first_cid, cid_data['secret_name'])

# Test token retrieval
if deployment.get_token():
    print('✅ CrowdStrike API authentication successful')
else:
    print('❌ CrowdStrike API authentication failed')
"
```

Set up monitoring and check logs:
```bash
# Check CloudWatch logs for Lambda function
aws logs describe-log-groups --log-group-name-prefix "/aws/lambda/CrowdStrike-OU-Event-Handler"

# View recent Lambda invocations (GNU date syntax; --start-time is in milliseconds)
aws logs filter-log-events \
  --log-group-name "/aws/lambda/CrowdStrike-OU-Event-Handler-Secure" \
  --start-time $(date -d '1 hour ago' +%s)000
```

Test registering a specific account to a CID:
```bash
# Test with a specific AWS account ID
# (this snippet only resolves and prints the target CID; it does not call the API)
python3 -c "
from secure_deployment import SecureCrowdStrikeDeployment
import json

# Load configuration
with open('config/example_mapping.json') as f:
    config = json.load(f)

# Replace with your test account ID
test_account_id = '123456789012'
first_cid = list(config['cids'].keys())[0]
cid_data = config['cids'][first_cid]
print(f'Testing account registration for: {test_account_id}')
print(f'Target CID: {first_cid}')
"
```

Simulate moving an account between OUs (triggers Lambda):
```bash
# Move account between OUs - this will trigger the event-driven system
aws organizations move-account \
  --account-id 123456789012 \
  --source-parent-id ou-xxxxx-source123 \
  --destination-parent-id ou-xxxxx-dest456

# Monitor Lambda logs for the event processing
aws logs filter-log-events \
  --log-group-name "/aws/lambda/CrowdStrike-OU-Event-Handler-Secure" \
  --start-time $(date -d '5 minutes ago' +%s)000
```

Validate all components are properly configured:
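To show what the event-driven path has to decide when the MoveAccount call above reaches the Lambda, here is an added example (not the project's ou-change-handler code) that resolves the destination OU to its CID, the Secrets Manager secret to fetch, the API endpoint and the account type, and does nothing for events that are not a MoveAccount or that land in an unmapped OU. The EventBridge/CloudTrail event and the mapping are constructed sample data; the account ID, OU IDs and CID values are made up, and the field layout (`detail.eventName`, `detail.requestParameters`) is the CloudTrail record shape this example assumes.

```python
# Constructed EventBridge event carrying a CloudTrail record for organizations:MoveAccount.
# The detail.eventName / detail.requestParameters layout is the CloudTrail shape this example
# assumes; the account, OU and CID values below are made-up sample data.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "organizations.amazonaws.com",
        "eventName": "MoveAccount",
        "requestParameters": {"accountId": "123456789012",
                              "sourceParentId": "ou-abcd-11111111",
                              "destinationParentId": "ou-abcd-22222222"},
    },
}

# Constructed mapping in the shape of this guide's config/example_mapping.json.
SAMPLE_CONFIG = {
    "crowdstrike": {"cloud_endpoints": {"us-1": "https://api.crowdstrike.com",
                                        "us-gov-1": "https://api.laggar.gcw.crowdstrike.com"}},
    "cids": {
        "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6": {"description": "Production CID 1", "cloud": "us-1",
                                             "secret_name": "crowdstrike/production-cid-1/credentials",
                                             "organizational_units": ["ou-abcd-11111111"]},
        "f6e5d4c3b2a1f6e5d4c3b2a1f6e5d4c3": {"description": "Production CID 2", "cloud": "us-gov-1",
                                             "secret_name": "crowdstrike/production-cid-2/credentials",
                                             "organizational_units": ["ou-abcd-22222222"]},
    },
}


def route_move_account(event, config):
    """Decide which CID an account belongs to after a MoveAccount call.
    Returns the onboarding job (account, cid, secret to fetch, API endpoint, account type),
    or None when the event is not a MoveAccount or the destination OU is not mapped."""
    detail = event.get("detail", {})
    if detail.get("eventSource") != "organizations.amazonaws.com" or detail.get("eventName") != "MoveAccount":
        return None
    params = detail.get("requestParameters", {})
    dest_ou = params.get("destinationParentId")
    for cid, data in config.get("cids", {}).items():
        if dest_ou in data.get("organizational_units", []):
            region = data.get("cloud", "us-gov-1")
            return {
                "account_id": params.get("accountId"),
                "cid": cid,
                "secret_name": data["secret_name"],  # credentials come from Secrets Manager, never the config
                "api_endpoint": config["crowdstrike"]["cloud_endpoints"].get(region),
                "account_type": "government" if region == "us-gov-1" else "commercial",
            }
    return None  # moved to an OU outside the mapping: nothing to onboard
```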
```bash
# Run comprehensive validation
python3 config_utility.py --validate-all
```

Deployment Should Show:
- ✅ AWS Secrets created: `crowdstrike/production-cid-1/credentials` and `crowdstrike/production-cid-2/credentials`
- ✅ Lambda function deployed: `CrowdStrike-OU-Event-Handler-Secure`
- ✅ CloudFormation stack: `crowdstrike-auto-onboarding-infrastructure` (CREATE_COMPLETE)
- ✅ Configuration loaded with 2 CIDs and 8 total OUs
- ✅ CrowdStrike API authentication successful
- ✅ No External ID mismatch errors
```bash
# Check if configuration file exists and is valid JSON
ls -la config/example_mapping.json

# Validate JSON syntax (json.load raises on a syntax error, so the message only prints for a valid file)
python3 -c "import json; json.load(open('config/example_mapping.json')); print('✅ Valid JSON')"

# Compare with the pristine copy of the template taken before editing (config/example_mapping.json.bak)
diff config/example_mapping.json.bak config/example_mapping.json

# Reset from that copy if corrupted
cp config/example_mapping.json.bak config/example_mapping.json
```

```bash
# Check current AWS identity
aws sts get-caller-identity

# Verify required permissions
aws iam simulate-principal-policy \
  --policy-source-arn $(aws sts get-caller-identity --query Arn --output text) \
  --action-names secretsmanager:CreateSecret organizations:ListAccounts cloudformation:CreateStack
```

```bash
# Check if secrets were created correctly (replace with your secret names)
# Note: get-secret-value prints the plaintext client secret to your terminal; run it only where that is acceptable
aws secretsmanager get-secret-value --secret-id crowdstrike/production-cid-1/credentials
aws secretsmanager get-secret-value --secret-id crowdstrike/production-cid-2/credentials

# Verify secret with CLI tool (replace with your secret name)
python3 setup_secrets.py --secret-name crowdstrike/production-cid-1/credentials --verify-only

# View CLI tool help
python3 setup_secrets.py --help
```

```bash
# Verify enhanced template is deployed correctly
aws iam get-role-policy \
  --role-name "CrowdStrikeCSPMReader-SECURE-XX-ACCOUNT_ID" \
  --policy-name "CrowdStrikeCSPMExtendedPolicy"

# Check all policies on the role
aws iam list-role-policies \
  --role-name "CrowdStrikeCSPMReader-SECURE-XX-ACCOUNT_ID"

# Verify managed policies are attached
aws iam list-attached-role-policies \
  --role-name "CrowdStrikeCSPMReader-SECURE-XX-ACCOUNT_ID"
# Should show:
# - SecurityAudit (managed policy)
# - CrowdStrikeCSPMPolicy (inline policy)
# - CrowdStrikeCSPMExtendedPolicy (inline policy with 153+ permissions)
```

```bash
# Check Lambda function logs for errors
aws logs filter-log-events \
  --log-group-name "/aws/lambda/CrowdStrike-OU-Event-Handler-Secure" \
  --filter-pattern "ERROR"
```

```bash
# Test CrowdStrike API endpoint connectivity
curl -I https://api.laggar.gcw.crowdstrike.com/oauth2/token
```

```bash
# Check current cloud region configuration
python3 -c "
import json
with open('config/example_mapping.json') as f:
    config = json.load(f)
print('📋 Cloud Region Configuration:')
for cid_id, cid_data in config['cids'].items():
    cloud_region = cid_data.get('cloud', 'us-gov-1')
    endpoint = config['crowdstrike']['cloud_endpoints'].get(cloud_region)
    account_type = 'government' if cloud_region == 'us-gov-1' else 'commercial'
    print(f'  - CID {cid_id.split(\"-\")[-1]}: {cloud_region} → {endpoint} ({account_type})')
"

# Test specific cloud endpoint
curl -I https://api.crowdstrike.com/oauth2/token              # Commercial US-1
curl -I https://api.us-2.crowdstrike.com/oauth2/token         # Commercial US-2
curl -I https://api.eu-1.crowdstrike.com/oauth2/token         # Commercial EU-1
curl -I https://api.laggar.gcw.crowdstrike.com/oauth2/token   # Government US-GOV-1
```

- Main Deployment: `secure_deployment.py`
- Secrets Setup: `setup_secrets.py`
- Enhanced Template: `crowdstrike-stackset-template.yaml`
- Configuration Template: `config/example_mapping.json`
- Production Configuration: `config/example_mapping.json`
- Lambda Function: `ou-change-handler/secure_lambda_s3_config.py`
- Infrastructure: `infrastructure/auto-onboarding-infrastructure.yaml`
- Lambda Deploy: `deploy_secure_lambda.sh`
Fixed Process Flow:
AWS Organizations → CrowdStrike API → Get External ID → Deploy StackSet with Exact ID
Event-Driven Flow:
AWS Organizations → CloudTrail → EventBridge → Lambda → Auto-Deploy to Correct CID
Current Configuration:
- Production CID 1: 4 organizational units
- Production CID 2: 4 organizational units
- Security: AWS Secrets Manager integration
- Multi-Cloud: Supports commercial and government CrowdStrike clouds
- Architecture: Fixed External ID process (no mismatches)
- API Endpoints: Automatic selection based on cloud region configuration
🎯 This deployment guide covers the complete end-to-end setup of the CrowdStrike CSPM auto-onboarding system with secure credential management and event-driven automation.