These docs are for v4.3. Click to read the latest docs for v4.5.

Frequently Asked Questions

Review some of the most commonly asked questions about CoreStack.


AWS

1. What clouds are supported?

We support AWS, Azure and GCP (in the Pipeline)

2. What account types do you support?

We support AWS Master Account (also known as Management Account) & Linked Account (also known as Member Account)

3. What is the minimum requirement to connect System with cloud account?

Minimum requirement to connect cloud account with System will vary depending on type of access - Assessment Access (READ Only) or Assessment + Governance (READ-WRITE).
Refer to our documentation link for more details

4. Do I incur additional cost by using System?

  1. Configuring minimum requirements to onboard cloud account
    1. There will be cost involved for storage of Cost & Usage Report (CUR) in a S3 bucket. Size of a report varies from KiloBytes (Kb) to MegaBytes (Mb) depending on the number of resources that exists in an AWS Account. In case of Master account, consolidated usage of all linked accounts will be available in the Cost & Usage Report. Refer to S3 pricing page for charges on S3 storage
  2. After onboarding, any resources provisioned or AWS services configured through System will incur additional cost - like launching new EC2 Instances or configuring AWS GuardDuty Services through System

5. How do I connect my cloud account to System?

System offers various types of authentication protocol to connect to your cloud account

  1. Assume Role based - Secure & Recommended mechanism to connect to an AWS account. It provides delegated and temporary access using AWS Secure Token Service (STS) Assume Role Operation
  2. Access Key based - Works by creating Access Key & Secret Key to an IAM user in AWS console. Keys will have the same roles & permissions as assigned to the IAM user

6. Where can I download the CFN template used for providing required permissions to a role?

You can download the following CFN templates that must be used for providing required permissions to a role.

  1. Read-only access: Click here
  2. Read-Write access: Click here

7. Can I connect multiple cloud accounts?

Yes, you can connect multiple cloud accounts. There is no restriction to the number of cloud accounts.

8. What does S3 Bucket Name mean?

The name of the S3 bucket configured for the delivery of Cost Usage Reports (CUR) in AWS. Check our quick help video if Cost Usage Reports is not configured yet in the account being onboarded

9. What does Custom Billing Type mean?

For billing, AWS sends Cost Usage Reports (CUR) to S3 bucket in CSV format by default. In addition to CSV, CUR can also be integrated with Athena/Redshift/QuickSight for more flexibility & convenience. Choose the type in which the CUR is configured that System can access. As of now, System supports CSV & Athena (Parquet) integration formats for billing.

10. What does Preferred Region mean?

Within the Cloud account, multiple regions (US EAST, US WEST & so on) can be used to provision and manage resources. “Preferred Region” refers to the list of regions that System should have access to. All Regions or a subset of the regions can be selected to do the assessment & governance. Any activities in the regions other than the preferred region will be considered as a resource placement violation as part of 'Resource Governance'

11. What does Name mean?

A friendly name to easily identify an onboarded Cloud account in System. It has no impact in the actual account. By default, System generates a name with the combination of "Cloud" & "Account ID". For example, if the Account ID is 1234567890 then auto-generated name will be AWS_1234567890

12. How long does it take to complete the cloud account onboarding?

It takes 1-2 minutes to complete the onboarding. Immediately after the onboarding, you can orchestrate with cloud platform using automation templates, scripts & policies.
There are some background processes after onboarding,

  1. Inventory sync-up takes time depending on the preferred regions selected during onboarding and the number of resources that exists in those regions
  2. Cost data sync-up takes time based on the availability of the Cost & Usage Report (CUR) from AWS

13. Do we get notification when onboarding is completed?

The progress of onboarding can be checked in the Account dashboard and you will be notified the progress of onboarding via email as well.

14. What does Scope mean?

"Scope" provides the option to share the cloud account with other users in the System account or tenant.

  1. Choose Private scope if you don’t want to share the access of this account with other users
  2. Choose Tenant scope if you would like to share the access with other users in the same tenant as the account is onboarded
  3. Choose Account scope if you would like to share the access with other users across all the tenants within CoreStack Account



Azure

1. What clouds are supported?

We support AWS, Azure and GCP (in the Pipeline)

2. What subscription types do you support?

We support Pay-as-you-go, EA (Enterprise Agreement), CSP-Direct, Azure Gov & Azure China

3. What is the minimum requirement to connect System with cloud subscription?

Minimum requirement to connect cloud subscription with System will vary depending on type of access - Assessment Access (READ Only) or Assessment + Governance (READ-WRITE).
Refer to our documentation link for more details

4. Do I incur additional cost by using System?

  1. No additional cost is incurred for configuring the minimum requirements to onboard the cloud account
  2. After onboarding, any resources provisioned or Azure services configured through System will incur additional cost - like launching new Azure VM or configuring Azure Security Center Standard Pricing Tier through System

5. How do I connect my cloud subscription to System?

System uses Azure AD application and service principal to access resources in the cloud account. Refer to our documentation link for more details

6. Can I connect multiple cloud subscriptions?

Yes, you can connect multiple cloud subscriptions. There is no restriction to the number of cloud subscriptions.

7. What does Preferred Region mean?

Within the Cloud subscription, multiple regions (US EAST, US WEST & so on) can be used to provision and manage resources. “Preferred Region” refers to the list of regions that System should have access to. All Regions or a subset of the regions can be selected to do the assessment & governance. Any activities in the regions other than the preferred region will be considered as a resource placement violation as part of 'Resource Governance'

8. What does Name mean?

A friendly name to easily identify an onboarded Cloud subscription in System. It has no impact in the actual subscription. By default, System generates a name with the combination of "Cloud" & "Subscription Name". For example, if the subscription name is ACMEDEMO then auto-generated name will be "Azure_ACMEDEMO"

9. How long does it take to complete the cloud subscription onboarding?

It takes 1-2 minutes to complete the onboarding. Immediately after the onboarding, you can orchestrate with cloud platform using automation templates, scripts & policies.
There are some background processes after onboarding,

  1. Inventory sync-up takes time depending on the preferred regions selected during onboarding and the number of resources that exists in those regions
  2. Cost data sync-up takes time based on the consumption & usage

10. Do we get notification when onboarding is completed?

The progress of onboarding can be checked in the Account dashboard and you will be notified the progress of onboarding via email as well.

11. What does Scope mean?

"Scope" provides the option to share the cloud subscription with other users in the System account or tenant.

  1. Choose Private scope if you don’t want to share the access of this account with other users
  2. Choose Tenant scope if you would like to share the access with other users in the same tenant as the subscription is onboarded
  3. Choose Account scope if you would like to share the access with other users across all the tenants within CoreStack Account



Azure CSP

1. What clouds are supported?

We support AWS, Azure and GCP (in the Pipeline)

2. What is Azure CSP Subscription?

Azure CSP subscription is provided by partners to their customers with an end-to-end ownership of the customer lifecycle and relationship for Microsoft Azure. It enables partners to directly manage their customers' entire Azure lifecycle by utilizing dedicated in-product tools to directly provision, manage, and support their customer subscriptions.

3. How do I authenticate my Azure CSP account?

We provide multiple authentication mechanisms to authenticate your Azure CSP account.

  • App-Only: An Azure AD application can used for authentication. Note: When App-only authentication is used, some of the cloud operations are not supported.
  • Authorization Code: An authorization code must be generated for the Azure App in your Azure CSP console.

4. What subscription types do you support for Azure CSP?

We support Azure CSP Direct subscription currently.

5. Can I connect multiple cloud accounts/subscriptions?

Yes, you can connect multiple cloud accounts/subscriptions. There is no restriction to the number of cloud accounts/subscriptions.

6. What does Preferred Region mean?

Within the Cloud account/subscription, multiple regions (US EAST, US WEST & so on) can be used to provision and manage resources. “Preferred Region” refers to the list of regions that System should have access to. All Regions or a subset of the regions can be selected to do the assessment & governance. Any activities in the regions other than the preferred region will be considered as a resource placement violation as part of 'Resource Governance'

7. Do we get notification when onboarding is completed?

The progress of onboarding can be checked in the Account dashboard and you will be notified the progress of onboarding via email as well.

8. What does Scope mean?

"Scope" provides the option to share the cloud account/subscription with other users in the System account or tenant.

  1. Choose Private scope if you don’t want to share the access of this account with other users
  2. Choose Tenant scope if you would like to share the access with other users in the same tenant as the subscription is onboarded
  3. Choose Account scope if you would like to share the access with other users across all the tenants within CoreStack Account



Azure EA

1. What clouds are supported?

We support AWS, Azure and GCP (in the Pipeline)

2. Can I connect multiple cloud subscriptions?

Yes, you can connect multiple subscriptions. There is no restriction to the number of cloud subscription.

3. What does Preferred Region mean?

Within the Cloud subscription, multiple regions (US EAST, US WEST & so on) can be used to provision and manage resources. “Preferred Region” refers to the list of regions that System should have access to. All Regions or a subset of the regions can be selected to do the assessment & governance. Any activities in the regions other than the preferred region will be considered as a resource placement violation as part of 'Resource Governance'

4. Do we get notification when onboarding is completed?

The progress of onboarding can be checked in the Account dashboard and you will be notified the progress of onboarding via email as well.

5. What does Scope mean?

"Scope" provides the option to share the cloud subscription with other users in the System account or tenant.

  1. Choose Private scope if you don’t want to share the access of this account with other users
  2. Choose Tenant scope if you would like to share the access with other users in the same tenant as the subscription is onboarded
  3. Choose Account scope if you would like to share the access with other users across all the tenants within CoreStack Account



GCP

1. What clouds are supported?

We support AWS, Azure and GCP (in the Pipeline)

2. Can I connect multiple cloud accounts/subscriptions?

Yes, you can connect multiple cloud accounts/subscriptions. There is no restriction to the number of cloud account/subscription.

3. What does Preferred Region mean?

Within the Cloud account/subscription, multiple regions (US EAST, US WEST & so on) can be used to provision and manage resources. “Preferred Region” refers to the list of regions that System should have access to. All Regions or a subset of the regions can be selected to do the assessment & governance. Any activities in the regions other than the preferred region will be considered as a resource placement violation as part of 'Resource Governance'

4. Do we get notification when onboarding is completed?

The progress of onboarding can be checked in the Account dashboard and you will be notified the progress of onboarding via email as well.

5. What does Scope mean?

"Scope" provides the option to share the cloud account/subscription with other users in the System account or tenant.

  1. Choose Private scope if you don’t want to share the access of this account with other users
  2. Choose Tenant scope if you would like to share the access with other users in the same tenant as the account/subscription is onboarded
  3. Choose Account scope if you would like to share the access with other users across all the tenants within CoreStack Account