
Overview

Manage AWS account registration, configuration, and monitoring for CrowdStrike Falcon Cloud Security (CSPM). These cmdlets enable you to connect AWS accounts, configure CloudTrail, enable behavior assessment, and manage security posture across your AWS infrastructure.

Prerequisites

  • CSPM registration: Read - Required for retrieval operations
  • CSPM registration: Write - Required for account provisioning and modifications

Get-FalconCloudAwsAccount

Search for registered Falcon Cloud Security AWS accounts.
A properly provisioned AWS account will display the status Event_DiscoverAccountStatusOperational.
Get-FalconCloudAwsAccount
Get-FalconCloudAwsAccount [-Id <string[]>] [-OrganizationId <string[]>] [-ScanType <string>] [-Status <string>] [-GroupBy <string>] [-IamRoleArn <string[]>] [-Migrated <boolean>] [-CspmLite <boolean>] [-Limit <int32>] [-Offset <int32>] [-All] [-Total]

Parameters

Id
string[]
AWS account identifier (12-digit format)
OrganizationId
string[]
AWS organization identifier (format: o-[0-9a-z]{10,32})
ScanType
string
Scan type. Valid values: full, dry
Status
string
AWS account status. Valid values: provisioned, operational
GroupBy
string
Field to group by. Valid values: organization
IamRoleArn
string[]
AWS IAM role ARNs
Migrated
boolean
Only return migrated Discover for Cloud accounts
CspmLite
boolean
Only return CSPM Lite accounts
Limit
int32
Maximum number of results per request (1-500)
Offset
int32
Position to begin retrieving results
All
switch
Repeat requests until all available results are retrieved
Total
switch
Display total result count instead of results

Example

# Get all operational AWS accounts
Get-FalconCloudAwsAccount -Status operational -All

# Get specific AWS account by ID
Get-FalconCloudAwsAccount -Id 123456789012

# Get accounts by organization
Get-FalconCloudAwsAccount -OrganizationId o-abc123def456

New-FalconCloudAwsAccount

Provision a new Falcon Cloud Security AWS account.
New-FalconCloudAwsAccount
New-FalconCloudAwsAccount -AccountId <string> -CloudtrailRegion <string> [-OrganizationId <string>] [-AccountType <string>] [-IsMaster <boolean>] [-IamRoleArn <string>] [-UseExistingCloudtrail <boolean>] [-BehaviorAssessmentEnabled <boolean>] [-SensorManagementEnabled <boolean>] [-TargetOu <string[]>] [-DspmEnabled <boolean>] [-DspmRole <string>] [-RootStackId <string>] [-DeploymentMethod <string>] [-ClientId <string>]

Parameters

AccountId
string
required
AWS account identifier (12-digit format)
CloudtrailRegion
string
required
AWS region where the account resides
OrganizationId
string
AWS organization identifier (12-digit format)
AccountType
string
AWS account type
IsMaster
boolean
Master account designation
IamRoleArn
string
AWS IAM role ARN
UseExistingCloudtrail
boolean
Use existing CloudTrail log
BehaviorAssessmentEnabled
boolean
Enable behavior assessment for account
SensorManagementEnabled
boolean
Enable sensor management for account
TargetOu
string[]
Target organizational units
DspmEnabled
boolean
Enable DSPM (Data Security Posture Management)
DspmRole
string
DSPM role ARN
RootStackId
string
Root Stack ID
DeploymentMethod
string
Deployment method
ClientId
string
Falcon client ID

Example

# Provision a new AWS account
New-FalconCloudAwsAccount -AccountId 123456789012 -CloudtrailRegion us-east-1 -BehaviorAssessmentEnabled $true

# Provision with organization
New-FalconCloudAwsAccount -AccountId 123456789012 -CloudtrailRegion us-west-2 -OrganizationId 987654321098 -IsMaster $true

Edit-FalconCloudAwsAccount

Modify an existing Falcon Cloud Security AWS account.
Edit-FalconCloudAwsAccount
Edit-FalconCloudAwsAccount -AccountId <string> [-CloudtrailRegion <string>] [-IamRoleArn <string>] [-BehaviorAssessmentEnabled <boolean>] [-SensorManagementEnabled <boolean>] [-RemediationRegion <string>] [-RemediationTouAccepted <string>] [-Environment <string>] [-TargetOu <string[]>] [-DspmEnabled <boolean>] [-DspmRole <string>] [-RootStackId <string>] [-DeploymentMethod <string>] [-ClientId <string>]

Parameters

AccountId
string
required
AWS account identifier (12-digit format)
CloudtrailRegion
string
AWS region where the account resides
IamRoleArn
string
AWS IAM role ARN
BehaviorAssessmentEnabled
boolean
Enable behavior assessment for account
SensorManagementEnabled
boolean
Enable sensor management for account
RemediationRegion
string
Region where remediation occurs
RemediationTouAccepted
string
Remediation terms-of-use acceptance date
Environment
string
Environment designation
TargetOu
string[]
Target organizational units
DspmEnabled
boolean
Enable DSPM
DspmRole
string
DSPM role ARN
RootStackId
string
Root Stack ID
DeploymentMethod
string
Deployment method
ClientId
string
Falcon client ID

Example

# Enable behavior assessment
Edit-FalconCloudAwsAccount -AccountId 123456789012 -BehaviorAssessmentEnabled $true

# Update CloudTrail region
Edit-FalconCloudAwsAccount -AccountId 123456789012 -CloudtrailRegion eu-west-1

Remove-FalconCloudAwsAccount

Remove Falcon Cloud Security AWS accounts.
Remove-FalconCloudAwsAccount
Remove-FalconCloudAwsAccount -Id <string[]>
Remove-FalconCloudAwsAccount -OrganizationId <string[]>

Parameters

Id
string[]
AWS account identifier (12-digit format)
OrganizationId
string[]
AWS organization identifier (format: o-[0-9a-z]{10,32})

Example

# Remove specific AWS account
Remove-FalconCloudAwsAccount -Id 123456789012

# Remove by organization
Remove-FalconCloudAwsAccount -OrganizationId o-abc123def456

Get-FalconCloudAwsLink

Retrieve a URL to grant Falcon Cloud Security access in AWS.
Once logged into the provided link using your AWS administrator credentials, use the Create Stack button to grant access.
Get-FalconCloudAwsLink
Get-FalconCloudAwsLink

Example

# Get AWS registration URL
$Link = Get-FalconCloudAwsLink
Start-Process $Link.url
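As an added example (not part of the PSFalcon documentation), the following PowerShell combines New-FalconCloudAwsAccount, Get-FalconCloudAwsLink and Get-FalconCloudAwsAccount into an idempotent registration step that waits for the operational status described above, plus a check that surfaces registrations which never completed. It assumes Request-FalconToken has already been run and that account objects returned by Get-FalconCloudAwsAccount expose account_id and status properties (assumed names; verify against your own output).

```powershell
# Added example, not PSFalcon's own code. Assumes an existing Falcon session
# (Request-FalconToken) and that returned account objects carry 'account_id'
# and 'status' properties (assumed names).
function Register-AwsAccountAndWait {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidatePattern('^\d{12}$')][string]$AccountId,
        [Parameter(Mandatory)][string]$CloudtrailRegion,
        [int]$TimeoutMinutes = 15,
        [int]$PollSeconds = 30
    )
    # Idempotency: never re-provision an account that is already registered.
    $existing = Get-FalconCloudAwsAccount -Id $AccountId -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Verbose "Account $AccountId already registered, status '$($existing.status)'"
    } else {
        New-FalconCloudAwsAccount -AccountId $AccountId -CloudtrailRegion $CloudtrailRegion `
            -BehaviorAssessmentEnabled $true | Out-Null
        # Registration is not finished until the CloudFormation stack exists in AWS;
        # hand the operator the link documented above so that step is not skipped.
        $Link = Get-FalconCloudAwsLink
        Write-Host "Complete registration in AWS (Create Stack): $($Link.url)"
    }
    # Poll until the account reports the operational status documented above.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $acct = Get-FalconCloudAwsAccount -Id $AccountId
        if ($acct.status -eq 'Event_DiscoverAccountStatusOperational') { return $acct }
        Write-Verbose "Status is '$($acct.status)'; retrying in $PollSeconds s"
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Account $AccountId did not become operational within $TimeoutMinutes minutes"
}

# Posture check: list every registered account that is not yet operational, so
# half-finished registrations (no stack created, wrong role ARN) are visible.
function Get-NonOperationalAwsAccount {
    Get-FalconCloudAwsAccount -All |
        Where-Object { $_.status -ne 'Event_DiscoverAccountStatusOperational' } |
        Select-Object account_id, status
}

# Usage (sample 12-digit account id is constructed):
# Register-AwsAccountAndWait -AccountId 123456789012 -CloudtrailRegion us-east-1 -Verbose
# Get-NonOperationalAwsAccount
```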

Receive-FalconCloudAwsScript

Download a Bash script which grants Falcon Cloud Security access using the AWS CLI.
Receive-FalconCloudAwsScript
Receive-FalconCloudAwsScript [-Id <string[]>] [-OrganizationId <string>] [-Template <string>] [-Account <string[]>] [-AccountType <string>] [-AwsProfile <string>] [-CustomRole <string>] [-BehaviorAssessment <boolean>] [-SensorManagement <boolean>] [-ExistingCloudtrail <boolean>] [-DspmEnabled <boolean>] [-DspmRole <string>] [-DspmRegion <string[]>] -Path <string> [-Force]

Parameters

Id
string[]
AWS account identifier (12-digit format)
OrganizationId
string
AWS organization identifier
Template
string
Template to be rendered. Valid values: aws-bash, aws-terraform
Account
string[]
List of AWS accounts to register
AccountType
string
Type of account. Valid values: commercial, gov
AwsProfile
string
AWS profile to use during registration
CustomRole
string
Custom IAM role to be used during registration
BehaviorAssessment
boolean
Enable behavior assessment
SensorManagement
boolean
Enable sensor management
ExistingCloudtrail
boolean
Use existing CloudTrail
DspmEnabled
boolean
Enable DSPM
DspmRole
string
DSPM role ARN
DspmRegion
string[]
DSPM regions
Path
string
required
Destination path for the script (.sh extension)
Force
switch
Overwrite existing file when present

Example

# Download AWS registration script
Receive-FalconCloudAwsScript -Path ./aws-register.sh -Template aws-bash -BehaviorAssessment $true

# Download Terraform template
Receive-FalconCloudAwsScript -Path ./aws-terraform.sh -Template aws-terraform -Account 123456789012
