Cloud Connect AWS

Joshua Hiller edited this page Sep 16, 2023 · 19 revisions

Using the Cloud Connect AWS service collection

This service collection has code examples posted to the repository.

DEPRECATED

This service collection has been superseded by the CSPMRegistration service collection and is now deprecated. Developers should move code over to use the new operations available within the updated collection.

Table of Contents

| Operation ID | Description |
| --- | --- |
| QueryAWSAccounts (PEP 8: query_aws_accounts), DEPRECATED | Search for provisioned AWS Accounts by providing an FQL filter and paging details. Returns a set of AWS accounts which match the filter criteria |
| GetAWSSettings (PEP 8: get_aws_settings), DEPRECATED | Retrieve a set of Global Settings which are applicable to all provisioned AWS accounts |
| GetAWSAccounts (PEP 8: get_aws_accounts), DEPRECATED | Retrieve a set of AWS Accounts by specifying their IDs |
| ProvisionAWSAccounts (PEP 8: provision_aws_accounts), DEPRECATED | Provision AWS Accounts by specifying details about the accounts to provision |
| DeleteAWSAccounts (PEP 8: delete_aws_accounts), DEPRECATED | Delete a set of AWS Accounts by specifying their IDs |
| UpdateAWSAccounts (PEP 8: update_aws_accounts), DEPRECATED | Update AWS Accounts by specifying the ID of the account and details to update |
| CreateOrUpdateAWSSettings (PEP 8: create_or_update_aws_settings), DEPRECATED | Create or update Global Settings which are applicable to all provisioned AWS accounts |
| VerifyAWSAccountAccess (PEP 8: verify_aws_account_access), DEPRECATED | Performs an Access Verification check on the specified AWS Account IDs |
| QueryAWSAccountsForIDs (PEP 8: query_aws_accounts_for_ids) | Search for provisioned AWS Accounts by providing an FQL filter and paging details. Returns a set of AWS account IDs which match the filter criteria |

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. None of the examples below hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

QueryAWSAccounts

Search for provisioned AWS Accounts by providing an FQL filter and paging details. Returns a set of AWS accounts which match the filter criteria

Deprecated operation

This operation has been superseded by the GetCSPMAwsAccount operation and is now deprecated. Developers should move code over to this new operation as soon as time permits.

PEP8 method name

query_aws_accounts

Endpoint

Method Route
GET /cloud-connect-aws/combined/accounts/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| limit | Yes | Yes | query | integer | The maximum records to return. [1-5000]. Defaults to 100. |
| offset | Yes | Yes | query | integer | The offset to start retrieving records from. |
| sort | Yes | Yes | query | string | The property to sort by (e.g. alias.desc or state.asc). |
| filter | Yes | Yes | query | string | The filter expression that should be used to limit the results. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import CloudConnectAWS

# Do not hardcode API credentials!
falcon = CloudConnectAWS(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.query_aws_accounts(limit=integer,
                                     offset=integer,
                                     sort="string",
                                     filter="string"
                                     )
print(response)
Service class example (Operation ID syntax)
from falconpy import CloudConnectAWS

# Do not hardcode API credentials!
falcon = CloudConnectAWS(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.QueryAWSAccounts(limit=integer,
                                   offset=integer,
                                   sort="string",
                                   filter="string"
                                   )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryAWSAccounts",
                          limit=integer,
                          offset=integer,
                          sort="string",
                          filter="string"
                          )
print(response)

GetAWSSettings

Retrieve a set of Global Settings which are applicable to all provisioned AWS accounts

Deprecated operation

This operation has been deprecated and will be removed from the SDK when this endpoint is decommissioned.

PEP8 method name

get_aws_settings

Endpoint

Method Route
GET /cloud-connect-aws/combined/settings/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

No keywords or arguments accepted.

Usage

Service class example (PEP8 syntax)
from falconpy import CloudConnectAWS

# Do not hardcode API credentials!
falcon = CloudConnectAWS(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.get_aws_settings()
print(response)
Service class example (Operation ID syntax)
from falconpy import CloudConnectAWS

# Do not hardcode API credentials!
falcon = CloudConnectAWS(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.GetAWSSettings()
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("GetAWSSettings")
print(response)

GetAWSAccounts

Retrieve a set of AWS Accounts by specifying their IDs

Deprecated operation

This operation has been superseded by the GetCSPMAwsAccount operation and is now deprecated. Developers should move code over to this new operation as soon as time permits.

PEP8 method name

get_aws_accounts

Endpoint

Method Route
GET /cloud-connect-aws/entities/accounts/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Yes | Yes | query | string or list of strings | IDs of accounts to retrieve details. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import CloudConnectAWS

# Do not hardcode API credentials!
falcon = CloudConnectAWS(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_aws_accounts(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import CloudConnectAWS

# Do not hardcode API credentials!
falcon = CloudConnectAWS(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetAWSAccounts(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetAWSAccounts", ids=id_list)
print(response)

ProvisionAWSAccounts

Provision AWS Accounts by specifying details about the accounts to provision

Deprecated operation

This operation has been superseded by the CreateCSPMAwsAccount operation and is now deprecated. Developers should move code over to this new operation as soon as time permits.

PEP8 method name

provision_aws_accounts

Endpoint

Method Route
POST /cloud-connect-aws/entities/accounts/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Yes | Yes | body | dictionary | Full BODY payload in JSON format. |
| cloudtrail_bucket_owner_id | Yes | Yes | body | string | AWS IAM ID for CloudTrail bucket owner. (ARN format) |
| cloudtrail_bucket_region | Yes | Yes | body | string | AWS region for CloudTrail bucket. |
| external_id | Yes | Yes | body | string | Shared external ID to use for AWS cross-account role. |
| iam_role_arn | Yes | Yes | body | string | ARN for the IAM role to use as the cross-account role. |
| id | Yes | Yes | body | string | AWS account ID to provision. |
| mode | Yes | Yes | query | string | Mode for provisioning. Allowed values are manual or cloudformation. Defaults to manual if not defined. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |
| rate_limit_req | Yes | Yes | body | integer | Rate limit count. |
| rate_limit_time | Yes | Yes | body | integer | Rate limit timestamp. |

Usage

Service class example (PEP8 syntax)
from falconpy import CloudConnectAWS

# Do not hardcode API credentials!
falcon = CloudConnectAWS(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.provision_aws_accounts(cloudtrail_bucket_owner_id="string",
                                         cloudtrail_bucket_region="string",
                                         external_id="string",
                                         iam_role_arn="string",
                                         id="string",
                                         rate_limit_req=integer,
                                         rate_limit_time=integer
                                         )
print(response)
Service class example (Operation ID syntax)
from falconpy import CloudConnectAWS

# Do not hardcode API credentials!
falcon = CloudConnectAWS(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.ProvisionAWSAccounts(cloudtrail_bucket_owner_id="string",
                                       cloudtrail_bucket_region="string",
                                       external_id="string",
                                       iam_role_arn="string",
                                       id="string",
                                       rate_limit_req=integer,
                                       rate_limit_time=integer
                                       )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "resources": [
            {
                "cloudtrail_bucket_owner_id": "string",
                "cloudtrail_bucket_region": "string",
                "external_id": "string",
                "iam_role_arn": "string",
                "id": "string",
                "rate_limit_reqs": integer,
                "rate_limit_time": integer
            }
        ]
}

response = falcon.command("ProvisionAWSAccounts", mode="string", body=BODY)
print(response)
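
A pre-flight check for the ProvisionAWSAccounts payload, added here as an example (it is not part of FalconPy or of the original page). It rejects mistakes that would weaken or break the cross-account role setup before anything is sent. The format rules are AWS conventions, the requirement that the role ARN sits in the account being provisioned is an assumption, and the sample account values are constructed.

```python
import re

# Format rules below are AWS conventions, not checks performed by FalconPy.
ACCOUNT_ID = re.compile(r"\d{12}", re.ASCII)
ROLE_ARN = re.compile(r"arn:(?:aws|aws-us-gov|aws-cn):iam::(\d{12}):role/[\w+=,.@/-]+", re.ASCII)
EXTERNAL_ID = re.compile(r"[\w+=,.@:/-]{2,1224}", re.ASCII)  # STS ExternalId constraints
BODY_KEYS = {"cloudtrail_bucket_owner_id", "cloudtrail_bucket_region",
             "external_id", "iam_role_arn", "id"}  # rate limit fields left out of this check
MODES = ("manual", "cloudformation")  # allowed values listed in the table above


def account_problems(acct):
    """Return a list of problems found in one account dictionary."""
    problems = []
    unknown = sorted(set(acct) - BODY_KEYS)
    if unknown:
        problems.append("unknown keys: " + ", ".join(unknown))
    acct_id = acct.get("id")
    if not isinstance(acct_id, str) or not ACCOUNT_ID.fullmatch(acct_id):
        problems.append("id must be a 12-digit string (an int drops leading zeros)")
    arn = ROLE_ARN.fullmatch(str(acct.get("iam_role_arn", "")))
    if not arn:
        problems.append("iam_role_arn is not an IAM role ARN")
    elif arn.group(1) != acct_id:
        # Assumption: the cross-account role lives in the account being provisioned.
        problems.append("iam_role_arn belongs to a different account than id")
    if not EXTERNAL_ID.fullmatch(str(acct.get("external_id", ""))):
        problems.append("external_id is missing or outside the STS ExternalId format")
    return problems


def build_provision_request(accounts, mode="manual"):
    """Return keyword arguments for falcon.command("ProvisionAWSAccounts", **kwargs)."""
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}, got {mode!r}")
    problems, seen = [], set()
    for n, acct in enumerate(accounts):
        problems += [f"resources[{n}]: {p}" for p in account_problems(acct)]
        if acct.get("id") in seen:
            problems.append(f"resources[{n}]: duplicate id")
        seen.add(acct.get("id"))
    if problems:
        raise ValueError("; ".join(problems))
    return {"mode": mode, "body": {"resources": [dict(a) for a in accounts]}}


# Constructed sample accounts (the cloudtrail_* fields are optional for this check).
GOOD = {"id": "012345678901",
        "iam_role_arn": "arn:aws:iam::012345678901:role/FalconReader",
        "external_id": "constructed-external-id"}
BAD = {"id": 12345678901,  # int instead of string
       "iam_role_arn": "arn:aws:iam::999999999999:role/FalconReader",
       "external_id": ""}

if __name__ == "__main__":
    print(build_provision_request([GOOD], mode="cloudformation"))
    for problem in account_problems(BAD):
        print("rejected:", problem)
```
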

DeleteAWSAccounts

Delete a set of AWS Accounts by specifying their IDs

Deprecated operation

This operation has been superseded by the DeleteCSPMAwsAccount operation and is now deprecated. Developers should move code over to this new operation as soon as time permits.

PEP8 method name

delete_aws_accounts

Endpoint

Method Route
DELETE /cloud-connect-aws/entities/accounts/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Yes | Yes | query | string or list of strings | IDs of accounts to remove |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import CloudConnectAWS

# Do not hardcode API credentials!
falcon = CloudConnectAWS(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_aws_accounts(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import CloudConnectAWS

# Do not hardcode API credentials!
falcon = CloudConnectAWS(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.DeleteAWSAccounts(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("DeleteAWSAccounts", ids=id_list)
print(response)

UpdateAWSAccounts

Update AWS Accounts by specifying the ID of the account and details to update

Deprecated operation

This operation has been superseded by the PatchCSPMAwsAccount operation and is now deprecated. Developers should move code over to this new operation as soon as time permits.

PEP8 method name

update_aws_accounts

Endpoint

Method Route
PATCH /cloud-connect-aws/entities/accounts/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Yes | Yes | body | dictionary | Full BODY payload in JSON format. |
| cloudtrail_bucket_owner_id | Yes | Yes | body | string | AWS IAM ID for CloudTrail bucket owner. (ARN format) |
| cloudtrail_bucket_region | Yes | Yes | body | string | AWS region for CloudTrail bucket. |
| external_id | Yes | Yes | body | string | Shared external ID to use for AWS cross-account role. |
| iam_role_arn | Yes | Yes | body | string | ARN for the IAM role to use as the cross-account role. |
| id | Yes | Yes | body | string | AWS account ID to provision. |
| rate_limit_req | Yes | Yes | body | integer | Rate limit count. |
| rate_limit_time | Yes | Yes | body | integer | Rate limit timestamp. |

Usage

Service class example (PEP8 syntax)
from falconpy import CloudConnectAWS

# Do not hardcode API credentials!
falcon = CloudConnectAWS(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.update_aws_accounts(cloudtrail_bucket_owner_id="string",
                                      cloudtrail_bucket_region="string",
                                      external_id="string",
                                      iam_role_arn="string",
                                      id="string",
                                      rate_limit_req=integer,
                                      rate_limit_time=integer
                                      )
print(response)
Service class example (Operation ID syntax)
from falconpy import CloudConnectAWS

# Do not hardcode API credentials!
falcon = CloudConnectAWS(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.UpdateAWSAccounts(cloudtrail_bucket_owner_id="string",
                                    cloudtrail_bucket_region="string",
                                    external_id="string",
                                    iam_role_arn="string",
                                    id="string",
                                    rate_limit_req=integer,
                                    rate_limit_time=integer
                                    )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "resources": [
            {
                "cloudtrail_bucket_owner_id": "string",
                "cloudtrail_bucket_region": "string",
                "external_id": "string",
                "iam_role_arn": "string",
                "id": "string",
                "rate_limit_reqs": integer,
                "rate_limit_time": integer
            }
    ]
}

response = falcon.command("UpdateAWSAccounts", body=BODY)
print(response)

CreateOrUpdateAWSSettings

Create or update Global Settings which are applicable to all provisioned AWS accounts

Deprecated operation

This operation has been deprecated and will be removed from the SDK when this endpoint is decommissioned.

PEP8 method name

create_or_update_aws_settings

Endpoint

Method Route
POST /cloud-connect-aws/entities/settings/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | Yes | Yes | body | dictionary | Full BODY payload in JSON format. |
| cloudtrail_bucket_owner_id | Yes | Yes | body | string | AWS IAM ID for CloudTrail bucket owner. (ARN format) |
| static_external_id | Yes | Yes | body | string | New external ID to use for the AWS cross-account role. |

Usage

Service class example (PEP8 syntax)
from falconpy import CloudConnectAWS

# Do not hardcode API credentials!
falcon = CloudConnectAWS(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.create_or_update_aws_settings(cloudtrail_bucket_owner_id="string",
                                                static_external_id="string"
                                                )
print(response)
Service class example (Operation ID syntax)
from falconpy import CloudConnectAWS

# Do not hardcode API credentials!
falcon = CloudConnectAWS(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.CreateOrUpdateAWSSettings(cloudtrail_bucket_owner_id="string",
                                            static_external_id="string"
                                            )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "resources": [
        {
            "cloudtrail_bucket_owner_id": "string",
            "static_external_id": "string"
        }
    ]
}

response = falcon.command("CreateOrUpdateAWSSettings", body=BODY)
print(response)

VerifyAWSAccountAccess

Performs an Access Verification check on the specified AWS Account IDs

Deprecated operation

This operation has been deprecated and will be removed from the SDK when this endpoint is decommissioned.

PEP8 method name

verify_aws_account_access

Endpoint

Method Route
POST /cloud-connect-aws/entities/verify-account-access/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Yes | Yes | query | string or list of strings | IDs of accounts to verify access on. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import CloudConnectAWS

# Do not hardcode API credentials!
falcon = CloudConnectAWS(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.verify_aws_account_access(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import CloudConnectAWS

# Do not hardcode API credentials!
falcon = CloudConnectAWS(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.VerifyAWSAccountAccess(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("VerifyAWSAccountAccess", ids=id_list)
print(response)

QueryAWSAccountsForIDs

Search for provisioned AWS Accounts by providing an FQL filter and paging details. Returns a set of AWS account IDs which match the filter criteria

PEP8 method name

query_aws_accounts_for_ids

Endpoint

Method Route
GET /cloud-connect-aws/queries/accounts/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| limit | Yes | Yes | query | integer | The maximum records to return. [1-5000]. Defaults to 100. |
| offset | Yes | Yes | query | integer | The offset to start retrieving records from. |
| sort | Yes | Yes | query | string | The property to sort by (e.g. alias.desc or state.asc). |
| filter | Yes | Yes | query | string | The filter expression that should be used to limit the results. |
| parameters | Yes | Yes | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import CloudConnectAWS

# Do not hardcode API credentials!
falcon = CloudConnectAWS(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.query_aws_accounts_for_ids(limit=integer,
                                             offset=integer,
                                             sort="string",
                                             filter="string"
                                             )
print(response)
Service class example (Operation ID syntax)
from falconpy import CloudConnectAWS

# Do not hardcode API credentials!
falcon = CloudConnectAWS(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.QueryAWSAccountsForIDs(limit=integer,
                                         offset=integer,
                                         sort="string",
                                         filter="string"
                                         )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryAWSAccountsForIDs",
                          limit=integer,
                          offset=integer,
                          sort="string",
                          filter="string"
                          )
print(response)
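
A complete inventory walk using the limit and offset arguments above, added here as an example (it is not code from the FalconPy project). It reads credentials from the environment rather than from source, pages through QueryAWSAccountsForIDs, fetches details in batches with GetAWSAccounts, and raises on a non-2xx status so a failed call is not mistaken for an empty result. The environment variable names, the response layout (status_code, body.resources, body.errors) and the FakeClient with its data are assumptions constructed for the demonstration.

```python
import os

MAX_LIMIT = 5000  # upper bound for `limit` documented on this page


def client_from_env():
    """Build the service class from environment variables (variable names are assumptions)."""
    from falconpy import CloudConnectAWS  # lazy import: the helpers below also run without the SDK
    return CloudConnectAWS(client_id=os.environ["FALCON_CLIENT_ID"],
                           client_secret=os.environ["FALCON_CLIENT_SECRET"])


def resources_or_raise(response, operation):
    """Return body["resources"], raising rather than treating an error as 'no results'."""
    status = response.get("status_code")
    body = response.get("body") or {}
    if not isinstance(status, int) or not 200 <= status < 300:
        raise RuntimeError(f"{operation} returned HTTP {status}: {body.get('errors')}")
    return body.get("resources") or []


def all_account_ids(falcon, fql_filter=None, page_size=100):
    """Walk every page of QueryAWSAccountsForIDs using limit/offset."""
    if not 1 <= page_size <= MAX_LIMIT:
        raise ValueError(f"page_size must be between 1 and {MAX_LIMIT}")
    ids, offset = [], 0
    while True:
        kwargs = {"limit": page_size, "offset": offset}
        if fql_filter:
            kwargs["filter"] = fql_filter
        page = resources_or_raise(falcon.query_aws_accounts_for_ids(**kwargs),
                                  "QueryAWSAccountsForIDs")
        ids.extend(page)
        if len(page) < page_size:  # a short (or empty) page is the last one
            return ids
        offset += page_size


def account_details(falcon, ids, batch_size=100):
    """Fetch full records with GetAWSAccounts, passing `ids` as a list in batches."""
    details = []
    for start in range(0, len(ids), batch_size):
        batch = ids[start:start + batch_size]
        details.extend(resources_or_raise(falcon.get_aws_accounts(ids=batch), "GetAWSAccounts"))
    return details


class FakeClient:
    """Constructed stand-in for CloudConnectAWS so the paging logic runs offline."""

    def __init__(self, account_ids, fail_status=None):
        self.account_ids, self.fail_status, self.queries = list(account_ids), fail_status, 0

    def query_aws_accounts_for_ids(self, limit=100, offset=0, **_):
        self.queries += 1
        if self.fail_status:
            return {"status_code": self.fail_status,
                    "body": {"resources": [], "errors": [{"message": "access denied"}]}}
        return {"status_code": 200,
                "body": {"resources": self.account_ids[offset:offset + limit], "errors": []}}

    def get_aws_accounts(self, ids):
        return {"status_code": 200, "body": {"resources": [{"id": i} for i in ids], "errors": []}}


if __name__ == "__main__":
    fake = FakeClient([f"{n:012d}" for n in range(1, 8)])  # seven constructed account IDs
    found = all_account_ids(fake, page_size=3)
    print(len(found), "IDs in", fake.queries, "requests")
    print(account_details(fake, found, batch_size=4)[:2])
```

Against a live tenant, replace FakeClient with client_from_env().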
