AWS Deployment Guide
This guide helps you prepare for and deploy the Xshield Cloud Connector with AWS. It covers what you need before you start, how to get started, and reference details (supported resources, considerations, and AWS services used).
Prerequisites
Before you can use the Cloud Connector with AWS, ensure you have:
- An active AWS account with administrative access
- An IAM principal (user or role) with permissions to create and manage:
  - IAM roles and policies
  - CloudFormation stacks (if using template-driven onboarding)
  - VPC Flow Logs configuration (needed once you enable traffic visibility later)
- An active Xshield account with access to the management portal
Getting Started
After you have the prerequisites above:
- Connect your account — AWS Onboarding (choose interactive, script-based, or manual).
- Enable traffic visibility — VPC Flow Logs for network traffic; X-Ray Traces for application traces.
Reference
The sections below provide supporting detail.
Supported AWS Resource Types
The Cloud Connector supports discovery and visibility for a set of AWS resource types. Support may vary by release.
- Amazon EC2, RDS, API Gateway, Lambda, S3, DynamoDB
See AWS Resource Management for the full list and how resources are represented in Xshield.
Important Considerations
- Flow log dependency — Network traffic visibility requires VPC Flow Logs to be enabled and accessible.
- X-Ray dependency — Application trace visibility requires AWS X-Ray to be enabled and accessible.
- Costs — Enabling VPC Flow Logs and storing or exporting logs can incur AWS costs (CloudWatch Logs, S3, Kinesis/Firehose, inter-region transfer depending on your setup).
AWS Services Used
The Cloud Connector uses these AWS services (depending on features enabled):
- IAM — Roles and policies for authentication and authorization
- VPC — Discovery of networking constructs and workload placement
- VPC Flow Logs — Traffic flow visibility and analytics
- X-Ray — Application trace visibility
- CloudFormation — Permission and resource setup when using templates (if applicable)
IAM Permissions
The cross-account role used by Xshield requires specific IAM permissions for discovery and (optionally) flow log access. For the exact permissions, see the onboarding guide you use: Manual (Console-based) Onboarding has the full reference; interactive and script-based flows use equivalent permissions from their templates.
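Before granting the cross-account role, a practitioner usually wants to confirm that its trust policy is limited to a single trusted account, to sts:AssumeRole, and to callers that present an ExternalId. The linter below is an added example, not Xshield's code or the onboarding templates; the trusted account ARN, the ExternalId value and the exact conditions a template sets are assumptions, so compare its expectations with your own template.

```python
"""Lint the trust policy of a cross-account IAM role (added example, not Xshield's code)."""
import json

# Assumptions: the trusted (vendor) account and the only action the role should allow.
EXPECTED_PRINCIPAL = "arn:aws:iam::111111111111:root"  # placeholder account ID
EXPECTED_ACTION = "sts:AssumeRole"


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy) -> list[str]:
    """Return findings for each Allow statement; an empty list means the policy passed."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        where = f"Statement[{i}]"
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append(f"{where}: wildcard principal lets any AWS account assume the role")
        elif any(p != EXPECTED_PRINCIPAL for p in aws):
            findings.append(f"{where}: principal is not the expected account {EXPECTED_PRINCIPAL}")
        extra = [a for a in _as_list(stmt.get("Action", [])) if a != EXPECTED_ACTION]
        if extra:
            findings.append(f"{where}: unexpected actions {extra}; only {EXPECTED_ACTION} is needed")
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            findings.append(f"{where}: no sts:ExternalId condition (confused-deputy risk)")
    return findings


WEAK_POLICY = {  # constructed sample: overly permissive trust policy
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:*"}],
}
HARDENED_POLICY = {  # constructed sample: one principal, one action, ExternalId required
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": EXPECTED_PRINCIPAL},
                   "Action": "sts:AssumeRole",
                   "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}],
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_trust_policy(pol) or "OK")
```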
Related Guides
- AWS Interactive Onboarding — Guided onboarding flow
- AWS Script-based Onboarding — Script-based onboarding flow
- AWS Manual (Console-based) Onboarding — Console-based onboarding flow
- VPC Flow Logs — Enable VPC Flow Logs and grant access for network traffic visibility
- X-Ray Traces — Enable AWS X-Ray for application trace visibility
- AWS Resource Management — Supported resources and how they are managed in Xshield
- AWS Decommissioning — Remove an AWS Cloud Connector from Xshield