# Get Started

<figure><img src="https://3802454275-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FobDf5vJfItiNrkno1uJc%2Fuploads%2FUrcSqiRaeuHE7qdCJ5sD%2Fimage.png?alt=media&#x26;token=84ed0a62-dbb2-4679-815e-246ea59f39f6" alt=""><figcaption></figcaption></figure>

## Linking Accounts

To get started, you will deploy our CloudFormation stack into the first AWS account you would like us to ingest data from, confirm the stack creation in DataDefender, and we'll begin ingesting data. You can link as many AWS accounts as you would like using the following method.

Linking an Account is a 4-5 step process. This page will detail how to complete each step.

* Initiate Deployment from DataDefender
* Configure and deploy CloudFormation stack from AWS
* Add SQS Permissions and set up Event Notification (if using Activity Monitoring)
* Link the stack to DataDefender
* Confirm Deployment

### 1. Initiate Deployment from DataDefender

In order to do this, navigate to Settings > **Linked Accounts** and click the "Link New Account" button.

The following form will assist in linking an AWS Account.

#### Account Details

<figure><img src="https://3802454275-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FobDf5vJfItiNrkno1uJc%2Fuploads%2FlTafzjyjtW3iH3XhKl8G%2Fimage.png?alt=media&#x26;token=52862e36-b4ce-4eee-9b1b-a0c38024ede6" alt=""><figcaption></figcaption></figure>

* Enter the Account ID of your AWS account.
  1. To find your Account ID, sign in to the AWS Management Console and click your account name in the top-right corner. Your 12-digit Account ID is displayed in this dropdown.
* Optionally, add an Account Name.
  1. We recommend using the friendly name of your account, but this can be anything that will help you identify this account later.
  2. This name can be changed at any time.

#### Inventory Selection

<figure><img src="https://3802454275-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FobDf5vJfItiNrkno1uJc%2Fuploads%2F1lEXVTI47bCSU1vaGkw7%2Fimage.png?alt=media&#x26;token=12dd8bbd-d004-4caa-9547-c62693cc7ea6" alt=""><figcaption></figcaption></figure>

* Select the AWS Services that you would like us to collect and protect.
  1. Selecting a service ensures that the CloudFormation stack deploys the permissions we need to retrieve its data. These permissions can be modified at any time.
  2. Selecting 'Security Checks' allows us to run configuration checks against your account to identify misconfigurations and compare your account against data security best practices.

#### File Scanning

<figure><img src="https://3802454275-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FobDf5vJfItiNrkno1uJc%2Fuploads%2FfvxBZ8xbpESKVkW1rEPg%2Fimage.png?alt=media&#x26;token=a9e938aa-cfbb-45c5-8ea2-5bf1d2b80f24" alt=""><figcaption></figcaption></figure>

* File Scanning allows DataDefender to scan and classify your data to find sensitive files. DataDefender will be granted ECS deployment permissions in the regions you select. Scanned data never leaves the region where it resides.

#### Activity Monitoring

<figure><img src="https://3802454275-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FobDf5vJfItiNrkno1uJc%2Fuploads%2F2jLvmdyrFGWA2iyMP0lD%2Fimage.png?alt=media&#x26;token=dc3ccf9d-4962-40b9-80cb-4d27ba9a26ce" alt=""><figcaption></figcaption></figure>

* Activity Monitoring allows DataDefender to ingest CloudTrail and/or S3 Server Access Logs. For each type of activity monitor (CloudTrail, S3 Server Access Logs), one S3 bucket must already exist with the corresponding logs delivered to it, so that the application can ingest them. DataDefender uses this information in its [Monitoring](https://help.datadefender.io/broken-reference) and [File Access Report](https://help.datadefender.io/broken-reference) features. Please refer to the [Configuring CloudTrail Log Bucket](#configuring-cloudtrail-log-bucket) and [Configuring Server Access Log Bucket](#configuring-server-access-log-bucket) sections for more details.
* Copy the full S3 bucket ARN of each log bucket and paste it into the appropriate field.

### 2. Configure and deploy CloudFormation stack in AWS

Select 'Launch CloudFormation'. You will be taken to the AWS sign-in page, where you must sign in to the account in which you wish to deploy our stack.

Once signed in, you'll be brought to CloudFormation's 'Quick create stack' menu.

<figure><img src="https://3802454275-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FobDf5vJfItiNrkno1uJc%2Fuploads%2FzwAwXcDZM9kgNOI2FZDm%2Fimage.png?alt=media&#x26;token=4a4e9b9a-c4d4-40da-80ee-7370b428449d" alt=""><figcaption><p>CSS CloudFormation Stack</p></figcaption></figure>

#### Linked Account Stack Parameters

Currently, there are 13 parameters you can configure when deploying our stack. Most values are already pre-populated from the form in the previous step. Here is each parameter and its function:

<table><thead><tr><th width="233">Parameter</th><th>Function</th><th>Example Values</th></tr></thead><tbody>
<tr><td>Stack Name</td><td>What your stack will be named</td><td>my-stack</td></tr>
<tr><td>ActivityMonitoringCloudTrailQueueName</td><td>Optional; name to give the created Activity Monitoring SQS queue.</td><td>datadefender-activity-monitoring-ct</td></tr>
<tr><td>ActivityMonitoringCloudTrailS3BucketArn</td><td>The ARN of the S3 bucket that CloudTrail events are logged to.</td><td>arn:aws:s3:::example</td></tr>
<tr><td>ActivityMonitoringS3ServerAccessLogsBucketArn</td><td>The ARN of the S3 bucket that S3 server access logs are logged to.</td><td>arn:aws:s3:::example</td></tr>
<tr><td>ActivityMonitoringS3ServerAccessLogsQueueName</td><td>Optional; name to give the created Activity Monitoring S3 Server Access Logs SQS queue.</td><td>datadefender-activity-monitoring-sal</td></tr>
<tr><td>ConnectionManagementType</td><td>Whether the connection is self-managed or is a manager of other connections.</td><td>Self, Managed</td></tr>
<tr><td>EnableActivityMonitoringCloudTrailFeatureSet</td><td>Pick Yes if you would like to enable the activity monitoring feature set for a CloudTrail event source.</td><td>Yes, No</td></tr>
<tr><td>EnableActivityMonitoringS3ServerAccessLogsFeatureSet</td><td>Pick Yes if you would like to enable the activity monitoring feature set for an S3 Server Access Logs event source.</td><td>Yes, No</td></tr>
<tr><td>EnableEBSInventoryFeatureSet</td><td>Pick Yes if you would like to enable the EBS Inventory feature set.</td><td>Yes, No</td></tr>
<tr><td>EnableFileSystemsInventoryFeatureSet</td><td>Pick Yes if you would like to enable the File Systems Inventory feature set.</td><td>Yes, No</td></tr>
<tr><td>EnableS3InventoryFeatureSet</td><td>Pick Yes if you would like to enable the S3 Inventory feature set.</td><td>Yes, No</td></tr>
<tr><td>EnableSecurityChecksFeatureSet</td><td>Pick Yes if you would like to enable the security checks feature set.</td><td>Yes, No</td></tr>
<tr><td>IamRoleNameSuffix</td><td>Optional; suffix to include in the created IAM role name. May be required if there are IAM role name conflicts.</td><td>CloudStorageSec</td></tr>
<tr><td>IdentityProviderUrl</td><td>The URL of the Cloud Storage Security identity provider used to verify the identity when assuming the role. Do not include https:// in the URL. This does not have to be modified.</td><td>auth.datadefender.io/realms/datadefender</td></tr>
</tbody></table>

After you are satisfied with your parameters, select '**I acknowledge that AWS CloudFormation might create IAM resources with custom names.**' and deploy the stack.

### 3. Add SQS Permissions and set up Event Notification

{% hint style="info" %}
This section only applies if you are using the Server Access Logs or CloudTrail functionality.
{% endhint %}

#### SQS Permissions

Go to the deployed CloudFormation stack and locate the SQS queues that the stack created. For each queue, a policy statement must be added that allows the corresponding S3 bucket to send event notifications to it. Keep any existing policy statements; just **add** the snippet.

In the snippet, two placeholders need to be replaced: {queue-arn} and {s3-bucket-arn}.

For the CloudTrail queue, substitute the ARN of the CloudTrail bucket for {s3-bucket-arn}; for the Server Access Logs queue, substitute the ARN of the Server Access Logs bucket.

In the Queue Access Policy, add the following snippet to the existing Policy:

```json
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sqs:SendMessage",
      "Resource": "{queue-arn}",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "{s3-bucket-arn}"
        }
      }
    }
```
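The statement above uses a wildcard principal, so the `aws:SourceArn` condition is the only thing restricting who may send to the queue; a practitioner editing several queue policies will want to merge the statement without clobbering existing statements and then check that no `sqs:SendMessage` grant to `*` is left unscoped. The following Python is an added example, not DataDefender's or AWS's code: it merges the guide's statement into an existing queue access policy (keeping what is already there, and idempotently), and flags any wildcard SendMessage statement that lacks an `aws:SourceArn` or `aws:SourceAccount` condition. The queue ARN, bucket ARN, and account ID are constructed placeholders; to apply the result you would paste it into the queue's Access Policy as the guide describes.

```python
import json

# Constructed sample values (placeholders, not from any real account).
QUEUE_ARN = "arn:aws:sqs:us-east-1:111111111111:datadefender-activity-monitoring-ct"
BUCKET_ARN = "arn:aws:s3:::example-cloudtrail-logs"

# Constructed sample: an existing queue access policy that must be preserved.
EXISTING_QUEUE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OwnerFullAccess",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sqs:*",
        "Resource": QUEUE_ARN,
    }],
})

SEND_ACTIONS = {"sqs:sendmessage", "sqs:*", "*"}
SOURCE_KEYS = {"aws:sourcearn", "aws:sourceaccount"}


def s3_send_message_statement(queue_arn, bucket_arn):
    """The statement from the linking guide, with both placeholders filled in."""
    return {
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sqs:SendMessage",
        "Resource": queue_arn,
        "Condition": {"ArnLike": {"aws:SourceArn": bucket_arn}},
    }


def load_policy(policy):
    """Accept a JSON string, a dict, or an empty value; normalise Statement to a list."""
    if not policy:
        return {"Version": "2012-10-17", "Statement": []}
    doc = json.loads(policy) if isinstance(policy, str) else dict(policy)
    statements = doc.get("Statement", [])
    doc["Statement"] = [statements] if isinstance(statements, dict) else list(statements)
    return doc


def add_s3_notification_statement(policy, queue_arn, bucket_arn):
    """Return the policy dict with the guide's statement appended.
    Existing statements are kept; adding the same statement twice is a no-op."""
    doc = load_policy(policy)
    new = s3_send_message_statement(queue_arn, bucket_arn)
    if new not in doc["Statement"]:
        doc["Statement"].append(new)
    return doc


def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or aws == ["*"]
    return False


def _has_source_condition(condition):
    # Any operator block (ArnLike, StringEquals, ...) naming a source key counts.
    for keys in (condition or {}).values():
        if any(k.lower() in SOURCE_KEYS for k in keys):
            return True
    return False


def unscoped_send_statements(policy):
    """Indices of Allow statements granting SendMessage to a wildcard principal
    with no aws:SourceArn / aws:SourceAccount condition. An empty list is good."""
    bad = []
    for i, st in enumerate(load_policy(policy)["Statement"]):
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a.lower() in SEND_ACTIONS for a in actions) and not _has_source_condition(st.get("Condition")):
            bad.append(i)
    return bad


def to_json(policy):
    """Pretty-print for pasting into the SQS queue Access Policy editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    merged = add_s3_notification_statement(EXISTING_QUEUE_POLICY, QUEUE_ARN, BUCKET_ARN)
    print(to_json(merged))
    print("unscoped wildcard SendMessage statements:", unscoped_send_statements(merged))
```

Run it once per queue with that queue's ARN and its matching bucket ARN; `unscoped_send_statements` returning an empty list is the check that every wildcard grant is still tied to a specific bucket.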

#### Event Notification

For each type of bucket you've set up (Server Access Logs bucket, CloudTrail bucket):

Ensure that the previous step has been completed. The S3 bucket must already be permitted to send to the SQS queue before an Event Notification for that queue can be created.

Go to the S3 bucket that the SQS queue corresponds to and navigate to Properties. Under 'Event Notifications', click 'Create Event Notification'.

<figure><img src="https://3802454275-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FobDf5vJfItiNrkno1uJc%2Fuploads%2FKH0KWQPOYsWUYultwSu1%2Fimage.png?alt=media&#x26;token=9b053989-58f1-46b4-afd2-214344920058" alt=""><figcaption></figcaption></figure>

In the settings:

1. Set an Event name of your choosing.
2. Ensure that 'All object create events' is checked.
3. Set the destination to SQS queue, and specify the corresponding SQS queue that the stack created.
4. Select 'Save changes'.

### 4. Link the Stack to DataDefender

Go to the deployed CloudFormation stack and open the **Outputs** tab. You should see three outputs if you are using both the CloudTrail and Server Access Logs activity monitoring features. Otherwise, you'll see just one output.

* For all deployments, copy the **ARN of the Cross-Account IAM Role**.
* If you also enabled **Activity Monitoring – S3 Server Access Logs** and **Activity Monitoring – CloudTrail Feature Set**, copy the values of the respective queues as well.

<figure><img src="https://3802454275-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FobDf5vJfItiNrkno1uJc%2Fuploads%2F6BBlOb5D826wct6DIZLi%2FData%20Defender%201.png?alt=media&#x26;token=1637d501-791b-4431-8ac5-30e5f50771a1" alt=""><figcaption><p>Cross-Account Role ARN</p></figcaption></figure>

Now, return to the **DataDefender portal** and complete the following steps:

1. Leave the CloudFormation stack name and region as they appear (these are the stack name and region used in the previous deployment).
2. Paste the **Cross-Account IAM Role ARN** into the **AWS Role ARN** field.

<figure><img src="https://3802454275-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FobDf5vJfItiNrkno1uJc%2Fuploads%2FEj21ZHTTKOEDFQLdAUzB%2Fimage.png?alt=media&#x26;token=70d40c73-20d8-4e40-af4d-634c6663a34c" alt=""><figcaption></figcaption></figure>

If you enabled Activity Monitoring with CloudTrail or S3 Access Logging, complete **Configure Activity Monitoring**. (Otherwise, uncheck both the CloudTrail and S3 Server Access Logs checkboxes and skip this step.)

* Paste the **CloudTrail Queue** value from the Outputs into the *CloudTrail queue name* field, and select the region where the queue resides.
* Paste the **S3 Access Logging Queue** value from the Outputs into the *S3 queue name* field, and select the region where the queue resides.

<figure><img src="https://3802454275-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FobDf5vJfItiNrkno1uJc%2Fuploads%2F9IvDOQ0CtCyQ83nYIRa9%2Fimage.png?alt=media&#x26;token=8f61785e-2c53-4604-8a08-0d0d39a42eab" alt=""><figcaption></figcaption></figure>

Click 'Complete Setup' to finalize your account linkage.

### 5. Confirm Deployment

Your stack should now be linked. To verify, open the 'Linked Accounts' section and confirm that a green check symbol appears under 'Credential Status' next to your alias.

<figure><img src="https://3802454275-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FobDf5vJfItiNrkno1uJc%2Fuploads%2FvQe20m03KVju1ePRY8de%2Fimage.png?alt=media&#x26;token=81c2f08c-8f8a-4581-8fad-0562c867c011" alt=""><figcaption></figcaption></figure>

## Using the Product

Now that you have data flowing into your account, you are free to start using DataDefender! For explanations of the DataDefender Portal, head on over to the [Portal Overview](https://help.datadefender.io/portal-overview) page.
