Integration with AWS Organization
Using REST API to Manage AWS Data explains how you can use the REST API to integrate with the NetBrain system and update the AWS data. Sometimes you need to create scripts with these APIs to complete complex tasks and integrate them into your account onboarding/offboarding process. Instead of creating the integration scripts, you can use the NetBrain onboarding/offboarding tool to integrate with your AWS organization. (AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. Reference link: https://aws.amazon.com/organizations/.)
The architecture diagram is shown as follows:
The following requirements must be met to enable the proper function of the AWS onboarding/offboarding tool:
- The tool must be able to reach the AWS public API endpoints to read the AWS organization data, so it can evaluate the organization tree and determine which accounts should be added to the NetBrain system.
- The tool must be able to reach the NetBrain web servers to call the REST APIs defined in Using REST API to Manage AWS Data and update the AWS data.
Note: You can contact NetBrain Support to help you deploy the tool based on your specific requirements.
Configure Access to NetBrain and your AWS Organization
You will need to configure access to both NetBrain and your AWS organization in config.YAML:
- Access to NetBrain: You must specify the NetBrain URL, username, password, tenant, domain, and the front server. Make sure the user you create has domain management permission. Because config.YAML holds this password in clear text, use a dedicated account created only for the tool and restrict read access to the file to the account that runs the tool.
- Access to AWS Organization: You must specify how the onboarding/offboarding tool authenticates to the master account (the account AWS now calls the organization's management account), from which it reads the organization information:
- Key-based Access: Configure an access key/secret key for an IAM user in the master account. The key pair is long-lived, so protect config.YAML accordingly.
- Role-based Access: Configure an IAM role in the master account that the onboarding/offboarding tool assumes. This avoids storing long-lived credentials in the configuration and is preferable where your security team allows it.
You can combine OUs, accounts, and tags as a filter so that only specific accounts are onboarded into the NetBrain system. The filter keys work as follows:
- select_ous: Defines the search scope. The exclude_ous, exclude_accounts, and exclude_tags keys are applied only within the selected OUs and their sub-OUs. In most cases, list the OUs you want to onboard and do not leave this key empty.
- exclude_ous: Defines which OUs or sub-OUs inside the selected scope to exclude.
- exclude_accounts: Defines specific accounts to exclude.
- exclude_tags: Defines tags such that accounts carrying these tags are not included. In most cases, you use this to exclude sandbox accounts or other types of accounts that you do not want to add to NetBrain.
The following diagram gives an overview of how the various conditions work together. The green area represents the entire organization tree. From there, select_ous specifies the OUs you want to add to NetBrain. Within the selected OUs, the exclude flags remove certain OUs, accounts, or tagged accounts. The accounts finally added to NetBrain are the area shown in blue.
Access to the Master Accounts:
To access the master account and list all accounts within the organization, you must attach an appropriate access policy to the IAM user or role the tool uses. We have attached different policies for you to choose from based on your security considerations. Whichever you choose, the tool only reads the organization (it lists roots, OUs, accounts, and tags), so the policy never needs write permissions on AWS Organizations.
If your security team permits, you can use the broad policy, which allows read access to the entire organization:
Or, if you want a narrower grant, you can use the following detailed policy:
There are two ways to access the master account: key-based access or role-based access.
Key-based access to the Master Account
To use key-based access, select key-based access as the access method and configure the access key/secret key for the master account. NetBrain then signs in to the master account with that key pair and lists the organization information.
Role-based Access to the Master Account
To use role-based access, select role-based access as the access method and configure the role ARN and the other required details. NetBrain then assumes that role in the master account and lists the organization information.
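The filter rules above, the question of which policy actions the key or role needs, and the choice between a key-based and a role-based client are easiest to reason about with a dry run. The following Python is an added example, not NetBrain's onboarding tool: it walks a constructed organization tree through a fake client whose method names and response shapes follow boto3's organizations client, applies select_ous, exclude_ous, exclude_accounts, and exclude_tags, and records which API actions were called so you can see the read-only actions the key or role must be allowed. The OU and account IDs, the tags, the handling of an empty select_ous as the whole organization, the skipping of non-ACTIVE accounts, and the key/value layout of exclude_tags are all assumptions. A real run would replace the fake with `boto3.client("organizations")` from a key-based session or an assumed role, and would page through `NextToken` on every list call.

```python
"""Dry run of the OU/account/tag filter against a fake AWS Organizations client.

Added example, not NetBrain code. The organization tree below is constructed:

r-root
  ou-prod      accounts 111111111111, 222222222222 (tag env=sandbox)
    ou-prod-eu account  333333333333
  ou-dev       accounts 444444444444, 555555555555 (SUSPENDED)
"""
import json


class FakeOrganizationsClient:
    """Stands in for boto3.client('organizations') and records every action.

    Method names and response shapes mirror boto3; a real client would also
    return NextToken and need a paginator, which this fake omits.
    """

    def __init__(self):
        self.calls = []
        self._children = {
            "r-root": {"ous": ["ou-prod", "ou-dev"], "accounts": []},
            "ou-prod": {"ous": ["ou-prod-eu"], "accounts": ["111111111111", "222222222222"]},
            "ou-prod-eu": {"ous": [], "accounts": ["333333333333"]},
            "ou-dev": {"ous": [], "accounts": ["444444444444", "555555555555"]},
        }
        self._status = {"555555555555": "SUSPENDED"}          # everything else ACTIVE
        self._tags = {"222222222222": {"env": "sandbox"}}     # constructed tag data

    def list_roots(self):
        self.calls.append("organizations:ListRoots")
        return {"Roots": [{"Id": "r-root"}]}

    def list_organizational_units_for_parent(self, ParentId):
        self.calls.append("organizations:ListOrganizationalUnitsForParent")
        return {"OrganizationalUnits": [{"Id": i} for i in self._children[ParentId]["ous"]]}

    def list_accounts_for_parent(self, ParentId):
        self.calls.append("organizations:ListAccountsForParent")
        return {"Accounts": [{"Id": i, "Status": self._status.get(i, "ACTIVE")}
                             for i in self._children[ParentId]["accounts"]]}

    def list_tags_for_resource(self, ResourceId):
        self.calls.append("organizations:ListTagsForResource")
        return {"Tags": [{"Key": k, "Value": v} for k, v in self._tags.get(ResourceId, {}).items()]}


def _walk_ou(client, ou_id, exclude_ous):
    """Yield account IDs under ou_id, recursing into sub-OUs and pruning excluded ones."""
    if ou_id in exclude_ous:          # exclude_ous prunes the whole subtree
        return
    for acct in client.list_accounts_for_parent(ParentId=ou_id)["Accounts"]:
        if acct.get("Status") == "ACTIVE":   # assumption: only ACTIVE accounts are onboardable
            yield acct["Id"]
    for child in client.list_organizational_units_for_parent(ParentId=ou_id)["OrganizationalUnits"]:
        yield from _walk_ou(client, child["Id"], exclude_ous)


def select_accounts(client, config):
    """Apply select_ous / exclude_ous / exclude_accounts / exclude_tags in that order."""
    select_ous = list(config.get("select_ous") or [])
    if not select_ous:
        # Assumption for this example: an empty select_ous means the whole organization.
        select_ous = [r["Id"] for r in client.list_roots()["Roots"]]
    exclude_ous = set(config.get("exclude_ous") or [])
    exclude_accounts = set(config.get("exclude_accounts") or [])
    # Assumed layout: exclude_tags is a list of {"key": ..., "value": ...} entries.
    exclude_tags = {(t["key"], t["value"]) for t in config.get("exclude_tags") or []}

    chosen, seen = [], set()
    for ou in select_ous:
        for acct_id in _walk_ou(client, ou, exclude_ous):
            if acct_id in seen or acct_id in exclude_accounts:
                continue                  # seen guards against overlapping select_ous entries
            seen.add(acct_id)
            if exclude_tags:
                tags = {(t["Key"], t["Value"])
                        for t in client.list_tags_for_resource(ResourceId=acct_id)["Tags"]}
                if tags & exclude_tags:
                    continue
            chosen.append(acct_id)
    return chosen


def required_actions(client):
    """The distinct Organizations actions the dry run invoked: the least-privilege grant."""
    return sorted(set(client.calls))


def minimal_policy(actions):
    """Build a read-only IAM policy document allowing exactly the recorded actions."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}


# Mirrors the filter keys of config.YAML; values are constructed for this example.
CONFIG = {
    "select_ous": ["ou-prod"],
    "exclude_ous": ["ou-prod-eu"],
    "exclude_accounts": [],
    "exclude_tags": [{"key": "env", "value": "sandbox"}],
}

if __name__ == "__main__":
    client = FakeOrganizationsClient()
    print("accounts to onboard:", select_accounts(client, CONFIG))
    print(json.dumps(minimal_policy(required_actions(client)), indent=2))
```

Running the dry run against the real client before you attach a policy tells you which List actions the key or role actually needs; with the page's advice to keep select_ous non-empty, `organizations:ListRoots` drops out of the set as well.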