Update AWS connection settings

Enterprise service tier

After you connect Security Command Center to Amazon Web Services (AWS) for configuration and resource data collection, you can modify the connection settings.

Before you begin

Complete these tasks before you complete the remaining tasks on this page.

Set up permissions in Google Cloud

To get the permissions that you need to use the AWS connector, ask your administrator to grant you the Cloud Asset Owner (roles/cloudasset.owner) IAM role. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Create AWS accounts

Ensure that you have the following AWS resources:

Modify the AWS connection

Modify an existing AWS connection when your AWS environment configuration changes. For example, you want to monitor different AWS regions, or change the list of AWS accounts that Security Command Center uses. You can't modify the names of the delegated role and the collector role. If you need to change these role names, you must delete your AWS connector and set up a new connection.

  1. In the Google Cloud console, go to the Security Command Center page.

    Go to Security Command Center

  2. Select the organization that you activated Security Command Center Enterprise on.

  3. Click Settings.

  4. Click the Connectors tab.

  5. Click Edit beside the connection that you want to update.

  6. In the Edit Amazon Web Services connector page, make your changes. The following table describes the options.

    Option: Add AWS connector accounts
    Description: Select an option, depending on your preference:

    • Add accounts automatically (recommended): Select this option to let Security Command Center discover the AWS accounts automatically.
    • Add accounts individually: Select this option to manually add AWS accounts yourself.

    Option: Exclude AWS connector accounts
    Description: If you selected Add accounts automatically under the Add AWS connector accounts section, provide a list of AWS accounts that Security Command Center should not use to find resources.

    Option: Enter AWS connector accounts
    Description: If you selected Add accounts individually under the Add AWS connector accounts section, provide a list of AWS accounts that Security Command Center can use to find resources.

    Option: Select regions to collect data
    Description: Select one or more AWS regions for Security Command Center to collect data from. Leave the AWS regions field empty to collect data from all regions.

    Option: Maximum queries per second (QPS) for AWS services
    Description: You can change the QPS to control the quota limit for Security Command Center. Set the override to a value that is less than the default value for that service, and greater than or equal to 1. The default value is the maximum value. If you change the QPS, Security Command Center might encounter issues fetching data. Therefore, we don't recommend changing this value.

    Option: Endpoint for AWS Security Token Service
    Description: You can specify a specific endpoint for the AWS Security Token Service (for example, https://sts.us-east-2.amazonaws.com). Leave the AWS Security Token Service field empty to use the default global endpoint (https://sts.amazonaws.com).
  7. If you changed the delegated account ID or the list of AWS accounts to include or exclude, you must update your AWS environment. A change to the delegated account ID requires that you set up your AWS configuration again. A change to the list of AWS accounts requires that you add or remove collector roles. Removing AWS accounts from the exclude list, because you want to include them, requires you to add the collector roles to those accounts. Complete the following:

    1. Click Continue.
    2. In the Create connection with AWS page, complete one of the following:

  8. If you added an AWS account to the list of AWS accounts to exclude, we recommend that you remove the collector role from the account.

  9. Click Test connector to verify that Security Command Center can connect to your AWS environment. If the connection is successful, the Google Cloud service agent can assume the delegated role, and the delegated role has all the required permissions to assume the collector role. If the connection isn't successful, see Troubleshooting errors when testing the connection.

  10. Click Save.
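The following added Python example (not Google's code) encodes the rules from the options table and plans the AWS-side follow-up from steps 7 and 8: it checks a QPS override against the page's range rule, checks the STS endpoint format, and computes which accounts need a collector role added or removed when the include/exclude lists change. The ConnectorSettings fields, the service names, the default QPS values and the 12-digit account IDs are assumptions constructed for the illustration.

```python
"""Check edited AWS connector settings and plan collector-role changes.

Added illustration, not part of Security Command Center. Rules encoded:
  - a QPS override must be >= 1 and below the service default;
  - an STS endpoint, if set, must be an https sts.*.amazonaws.com URL;
  - accounts that enter scope need a collector role, accounts that leave
    scope should have it removed.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class ConnectorSettings:
    auto_discover: bool                 # "Add accounts automatically" vs "individually"
    accounts: frozenset = frozenset()   # exclude list (automatic) or include list (manual)
    regions: frozenset = frozenset()    # empty means collect from all regions
    qps_overrides: dict = field(default_factory=dict)  # service -> override (assumed)
    sts_endpoint: str = ""              # empty means the default global endpoint


def validate(settings, qps_defaults):
    """Return problems found; an empty list means the settings obey the page's rules."""
    problems = []
    for service, qps in settings.qps_overrides.items():
        default = qps_defaults.get(service)
        if default is None:
            problems.append(f"unknown service {service!r}")
        elif not (1 <= qps < default):
            problems.append(f"{service}: override {qps} must be >= 1 and < default {default}")
    if settings.sts_endpoint:
        u = urlparse(settings.sts_endpoint)
        if u.scheme != "https" or not (u.netloc.startswith("sts.") and u.netloc.endswith(".amazonaws.com")):
            problems.append(f"STS endpoint {settings.sts_endpoint!r} is not an https sts.*.amazonaws.com URL")
    return problems


def in_scope(settings, discovered):
    """Accounts the connector will collect from, given the accounts it can discover."""
    if settings.auto_discover:
        return set(discovered) - settings.accounts   # accounts is the exclude list
    return set(settings.accounts)                    # accounts is the explicit include list


def collector_role_changes(old, new, discovered):
    """Accounts that entered scope (add collector role) or left it (remove collector role)."""
    before, after = in_scope(old, discovered), in_scope(new, discovered)
    return {"add_collector_role": sorted(after - before),
            "remove_collector_role": sorted(before - after)}
```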

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-20 UTC.