
Demonstrating least privilege with Sonrai Security and AWS Control Tower

During their cloud journey, some of my customers must create identity principals, such as roles or users, that engineers or services use to perform their jobs in the cloud. To support this effort, Sonrai Security has developed an integration with AWS Control Tower. This integration brings all of the security policies and resource relationships across multiple AWS accounts into a single view. It also shows which policies affect which resources, identifies overly broad security policies, and lets you demonstrate least privilege in your environment.

Sonrai Dig is an enterprise identity and data security platform built on a graph that helps you continuously identify and monitor relationships between identities and data in your AWS environment. Sonrai Dig’s Governance Automation Engine automates workflow, remediation, and prevention capabilities across cloud and security teams. With this integration, your organization can reduce identity risk by getting to, and staying at, least-privilege access.

As your organization moves to the cloud, you must ensure that identity management, access controls, privilege management, configuration-drift control, and sensitive data protection are built into your environment. In this blog post, Arijit, Brad, and I show how to use Sonrai Dig’s Governance Automation Engine to automate workflow and remediation across a multi-account AWS environment and improve your security posture.

Solution overview

Sonrai Dig’s integration with AWS Control Tower enables you to automatically protect existing and newly enrolled accounts through a series of automated actions. These actions are triggered by AWS Control Tower Lifecycle Events.

This solution performs the following steps:

  •  Sets up Sonrai Dig in an account vended by AWS Control Tower Account Factory.
  •  Registers the account in the Sonrai Dig portal to initiate ingestion setup.
  •  Sets up the ingestion of AWS CloudTrail logs into the Sonrai Dig platform.
  •  Sonrai Dig finds accounts that are part of your organization in AWS Organizations and enforces security guardrails in them.

Architecture diagram

  1. The AWS CloudFormation template creates IAM roles and a Lambda function
    The following architecture diagram shows what happens when you first deploy the AWS CloudFormation template for Sonrai Dig:
    •  Creates a role for Sonrai Dig in your management account.
    •  Creates a RotateCredentials Lambda function to manage the Sonrai API token in AWS Secrets Manager.
    •  Creates a Setup Lambda function to deploy a stack instance into sub-accounts of the organization for configuring Sonrai Dig.
    •  Creates a trigger to invoke the Setup Lambda and onboard the existing organization’s accounts.

  2. The setup Lambda function creates IAM roles in the member accounts
    When the setup Lambda function runs, it deploys a series of stack instances to create Sonrai Dig roles in all of the accounts in your organization. It also creates a set of collectors deployed in your designated security account. These collectors report findings back to the Sonrai platform. Refer to the following diagram.

  3. Establishing automation for future accounts
    Deploying new AWS accounts via the Control Tower Account Factory triggers a lifecycle event, CreateManagedAccount. This invokes the Sonrai setup Lambda function to onboard the new account into Sonrai Dig. Refer to the following diagram.

You can view the complete diagram in PDF format here.
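The third step above hinges on the shape of the CreateManagedAccount lifecycle event: the account ID to onboard sits under `detail.serviceEventDetails.createManagedAccountStatus`, and the event is also emitted when account creation fails, so the handler must check `state` before touching CloudFormation. The following Python handler is an added example and is not the solution’s own Lambda code or Sonrai’s. It assumes the StackSet is the `SonraiDigAccess` default from the walkthrough, that it runs behind an EventBridge rule with the pattern shown in `EVENT_PATTERN`, and that account IDs in the sample events are placeholders.

```python
"""Onboard a newly vended account when Control Tower emits CreateManagedAccount.

Added example (not the solution's own code). Assumes a StackSet named
SonraiDigAccess already exists in the management account and that this
function runs as a Lambda behind an EventBridge rule using EVENT_PATTERN.
"""
import os
from typing import List, Optional

# EventBridge pattern selecting only the Control Tower account-creation event.
EVENT_PATTERN = {
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {"eventName": ["CreateManagedAccount"]},
}


def parse_create_managed_account(event: dict) -> Optional[dict]:
    """Return {'account_id', 'account_name', 'ou'} for a SUCCEEDED
    CreateManagedAccount event, or None for anything else (a different
    event, or a creation that FAILED and so has no account to onboard)."""
    detail = event.get("detail", {})
    if event.get("source") != "aws.controltower" or detail.get("eventName") != "CreateManagedAccount":
        return None
    status = detail.get("serviceEventDetails", {}).get("createManagedAccountStatus", {})
    if status.get("state") != "SUCCEEDED":
        return None
    account = status.get("account", {})
    account_id = account.get("accountId", "")
    # An AWS account ID is exactly 12 digits; refuse to pass anything else on.
    if not (len(account_id) == 12 and account_id.isdigit()):
        return None
    return {
        "account_id": account_id,
        "account_name": account.get("accountName", ""),
        "ou": status.get("organizationalUnit", {}).get("organizationalUnitName", ""),
    }


def onboard_account(account_id: str, stack_set_name: str, regions: List[str]) -> dict:
    """Deploy a stack instance of the role-creating StackSet into the new account."""
    import boto3  # imported here so the parsing logic above runs without boto3 installed

    cfn = boto3.client("cloudformation")
    return cfn.create_stack_instances(
        StackSetName=stack_set_name, Accounts=[account_id], Regions=regions
    )


def handler(event: dict, context=None) -> dict:
    """Lambda entry point: onboard only successful account creations."""
    target = parse_create_managed_account(event)
    if target is None:
        return {"onboarded": False, "reason": "not a successful CreateManagedAccount event"}
    stack_set = os.environ.get("STACK_SET_NAME", "SonraiDigAccess")
    region = os.environ.get("AWS_REGION", "us-east-1")
    resp = onboard_account(target["account_id"], stack_set, [region])
    return {"onboarded": True, "account_id": target["account_id"], "operation_id": resp.get("OperationId")}


def _sample_event(state: str, account_id: str) -> dict:
    """Constructed sample in the shape Control Tower publishes (IDs are placeholders)."""
    return {
        "version": "0",
        "source": "aws.controltower",
        "detail-type": "AWS Service Event via CloudTrail",
        "account": "999999999999",
        "region": "us-east-1",
        "detail": {
            "eventSource": "controltower.amazonaws.com",
            "eventName": "CreateManagedAccount",
            "serviceEventDetails": {
                "createManagedAccountStatus": {
                    "organizationalUnit": {"organizationalUnitName": "Workloads", "organizationalUnitId": "ou-placeholder"},
                    "account": {"accountName": "payments-prod", "accountId": account_id},
                    "state": state,
                    "message": "constructed sample",
                }
            },
        },
    }


SAMPLE_EVENT = _sample_event("SUCCEEDED", "222222222222")
FAILED_EVENT = _sample_event("FAILED", "222222222222")
```

Running `handler(SAMPLE_EVENT)` in the management account creates the stack instance; `handler(FAILED_EVENT)` returns without calling CloudFormation, which is the case a naive handler keyed only on the event name gets wrong.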

Prerequisites

To run this solution, you must have the following prerequisites:

  • AWS Control Tower deployed in your AWS environment. If you haven’t already installed AWS Control Tower, see Getting started with AWS Control Tower in the AWS Control Tower User Guide.
  • A Sonrai Dig account. If you don’t have a Sonrai Dig subscription, visit the listing in AWS Marketplace.
  • A dedicated account for centralizing security tooling. The solution requires a dedicated account to be designated as a security account. If you already have one, use it. Otherwise, you can use your AWS Control Tower Audit account.
  • Sonrai Dig deployed and configured in that security account. To configure Sonrai Dig collectors, on the Sonrai Dig platform, navigate to Collectors. For detailed instructions, see the AWS Intelligence Collector Configuration Guide.

When deploying collectors, take note of the following, because you need them for the AWS Control Tower integration:

  1.  The account number that the collectors are deployed into (your security account)
  2.  The name that you gave the deployment on the Sonrai Dig platform
  3.  The external ID assigned to that deployment. You can obtain this by navigating to Collector configuration on the Sonrai portal and choosing Create Role. During the Sonrai Create Role process, an additional external ID is automatically populated to further secure the role.

Solution walkthrough

The solution has four steps:

  1. Subscribe to Sonrai Security.
  2. Log in to the Sonrai Security portal.
  3. Connect to Sonrai Dig.
  4. Validate results.

Step 1: Subscribe to Sonrai Security

In AWS Marketplace, go to Sonrai Dig. Complete the subscription wizard. Sonrai creates a customer tenant, and the Sonrai Customer Success team contacts the customer for setup, deployment, and onboarding.

Step 2: Log in to the Sonrai Security portal

Go to the login page and log in with your Sonrai account credentials obtained in Step 1.

Step 3: Connect to Sonrai Dig

  1. To connect to Sonrai Dig, generate an API token for the Sonrai Dig platform.
    •  Ensure the user generating the keys has sufficient permissions to configure collectors and add new accounts.
    •  Go to Sonrai Dig GraphQL API. In that interface, copy, paste, and execute the following mutation:

                     mutation createToken {
                       GenerateSonraiUserToken(input: {
                         expiresIn: 2592000
                         name: "Control Tower Integration"
                       }) {
                         token
                         expireAt
                       }
                     }

    •  Once you execute the above mutation, you receive a response in JSON format. The response contains a data object that includes the values of token and expireAt.
    •  Copy the value of token to use in step 3.3.
  2. Create an AWS CloudFormation stack.

Create an AWS CloudFormation stack in your organization’s management account by using this template. The source code for templates and AWS Lambda functions is available on GitHub.

  3. Configure the stack.

Configure the stack by entering the following information from the prerequisites section and step 3.1:

    • Sonrai Dig configuration:
      • Sonrai Dig Collector Deployment Name: from prerequisite 2
      • Sonrai Dig Collector Role External Id (UUID): from prerequisite 3
      • Sonrai Dig Collector Account Number: from prerequisite 1
      • Sonrai Dig API token: from step 3.1.
    • Organization configuration:
      • Organization Id: from Settings on the AWS Organizations console
      • Audit Account Number: from the Audit section in Accounts on the AWS Organizations console
      • Log Archive Account Number: from the Log archive section in Accounts on the AWS Organizations console
    • Deployment configuration:
      • Source Bucket: leave as default
      • Stack Set Name: SonraiDigAccess (default)
    • Other parameters:
      • Role Name: sonrai-collector-role (default)

After the stack has been created, the solution is automatically deployed.

Step 4: Validate results

Inside all of the accounts in your organization, you should now see an additional IAM role with a trust relationship to your security account with the external Id provided. The Rotate Credentials Lambda function keeps the Sonrai Dig credentials up to date using the secret rotation functionality of AWS Secrets Manager.

The Sonrai Dig platform monitors your organization for changes. Any existing accounts or accounts added to the organization in the future are automatically added to the list of accounts scanned. The AWS Control Tower lifecycle events detect the account creation and create the IAM roles that grant the scanning access.
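The check described above (a role in every member account trusting only the security account, and only with the external ID) is worth scripting rather than eyeballing, because a trust policy that names the right account but drops the `sts:ExternalId` condition still works and so goes unnoticed. The following Python is an added example, not code from Sonrai or the solution’s templates; `SECURITY_ACCOUNT_ID` and `EXTERNAL_ID` are placeholders for the values from the prerequisites, and both trust documents are constructed samples.

```python
"""Validate the trust policy of the Sonrai collector role in a member account.

Added example (not Sonrai's or the solution's code). SECURITY_ACCOUNT_ID and
EXTERNAL_ID are placeholders for the values gathered in the prerequisites.
"""
from typing import List

SECURITY_ACCOUNT_ID = "111111111111"  # placeholder: account the collectors are deployed in
EXTERNAL_ID = "00000000-0000-4000-8000-000000000000"  # placeholder: UUID from the Create Role step


def _as_list(value) -> List:
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc: dict, security_account: str, external_id: str) -> List[str]:
    """Return findings for a role trust policy; an empty list means it matches
    the expected shape: sts:AssumeRole allowed only to principals in the
    security account, with a StringEquals condition on sts:ExternalId."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: trust policy allows any principal")
            continue
        trusted = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if not trusted:
            findings.append(f"statement {i}: no AWS account principal")
        for arn in trusted:
            # Accept "arn:aws:iam::<account>:root" or a bare account ID.
            acct = arn.split(":")[4] if arn.startswith("arn:") else arn
            if acct != security_account:
                findings.append(f"statement {i}: unexpected trusted account {acct}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            findings.append(f"statement {i}: missing sts:ExternalId condition (confused-deputy exposure)")
        elif _as_list(cond["sts:ExternalId"]) != [external_id]:
            findings.append(f"statement {i}: sts:ExternalId does not match the deployment")
    return findings


def fetch_trust_policy(role_name: str) -> dict:
    """Read a role's live trust policy (needs iam:GetRole in the member account)."""
    import boto3  # imported here so the pure check above runs without boto3 installed

    return boto3.client("iam").get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]


# Constructed sample: the trust policy the vended role should carry.
EXPECTED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SECURITY_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Constructed sample with the external ID condition dropped: still functional, but weaker.
WEAK_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SECURITY_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
}

if __name__ == "__main__":
    # Live use: check_trust_policy(fetch_trust_policy("sonrai-collector-role"), SECURITY_ACCOUNT_ID, EXTERNAL_ID)
    for name, doc in (("expected", EXPECTED_TRUST), ("weak", WEAK_TRUST)):
        print(name, check_trust_policy(doc, SECURITY_ACCOUNT_ID, EXTERNAL_ID) or "OK")
```

Run it against `fetch_trust_policy("sonrai-collector-role")` from each member account (for example through a StackSet-deployed audit role or AWS Config custom rule) to confirm the role name from the stack parameters is trusted the way the stack intended.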

Use case: Demonstrating and maintaining least privilege

The Sonrai platform helps you achieve a least-privilege state across all of your cloud environments.

To maintain least-privilege IAM control, you must review and remove unnecessary permissions for AWS administrators, policies, roles, and service admins. To maintain least privilege using the Sonrai platform, do the following:

  1. Navigate to the Sonrai portal. From the left sidebar, choose the Control Frameworks tab. Choose the four Least Privilege – Optimize IAM control frameworks that focus on unnecessary permissions for AWS Administrators, Policies, Roles and Service Admins. Select Enable Globally.
  2. To see all identified risks, in the Sonrai portal, choose the Tickets tab from the left sidebar. Under Filters Applied, select the + button, and then from the dropdown box add the filters SL: Global and CF: Least Privilege – Optimize Policy. The resulting dashboard shows all of the resources that Sonrai has identified for excessive permissions across AWS roles, users, and groups. In my case, there were seven resources identified in alert tickets.
  3. To display specific details about the risk in the alert ticket, choose the first resource identified. For my example, it is AllSafeProdRole.
  4. This takes me to the AWS Roles: Unused Sensitive Permissions page. In the Details tab, between the Resource details and Policy details, there is a blue Show Remediation Steps button. Choose that button. The original policy will be displayed on the left and the optimized least privilege policy on the right.
  5. To choose the various policy recommendations for this role, at the top, choose a policy from the drop-down bar for Select Policy to Compare. You can see how Sonrai examines all used permissions and recommends a better least-privilege policy on the right, only assigning the exact permissions that the role needs to function. Close the Remediation Steps window.
  6. To implement the optimal policy, choose the Remediations button on the right. Under Auto Remediate, choose the appropriate auto-remediation option from the available options. Select either Create policy and assign to identity or Choose Bot manually.

The sonrai-collector-role used by Sonrai Dig is expected to generate a ticket. This is because the role uses a policy (ReadOnlyAccess) whose resource filter is simply “*”. This permission is required so that Sonrai can automatically discover and audit new services as AWS releases them, without the client having to reconfigure all of their permissions every time something changes. Accepting the risk on this ticket does not affect the operation of the system; it simply closes the ticket and keeps it closed, recording that the client has accepted that risk.
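The comparison in steps 4 and 5 (permissions a role was granted versus permissions it actually exercised) and the wildcard-resource finding on sonrai-collector-role both come down to the same analysis: map observed CloudTrail activity back to IAM actions, then diff it against the policy. The following Python is an added illustration of that idea written for this post; it is not Sonrai’s algorithm or code, the policy and CloudTrail records are constructed samples, and the small `EVENT_TO_ACTION` table covers only the few S3 events whose CloudTrail name differs from the IAM action.

```python
"""Diff a role's IAM policy against the actions observed in CloudTrail and
emit a right-sized policy.

Added example illustrating the idea behind an "unused permissions"
comparison; it is not Sonrai's algorithm or code. All inputs are constructed.
"""
import fnmatch
from typing import Dict, List, Set

# CloudTrail eventName is usually the IAM action name, but not always; a few
# S3 list events authorise as s3:ListBucket. Extend as needed.
EVENT_TO_ACTION = {"s3:ListObjects": "s3:ListBucket", "s3:ListObjectsV2": "s3:ListBucket"}

# Constructed: what the role is granted today. "s3:*" with Resource "*" is
# the kind of breadth the use case flags (as it does for ReadOnlyAccess).
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteTable"],
         "Resource": "arn:aws:dynamodb:us-east-1:111111111111:table/orders"},
    ],
}

# Constructed CloudTrail records for the role (only the fields used here).
CLOUDTRAIL_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListObjects"},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem"},
]


def used_actions(events: List[dict]) -> Set[str]:
    """Map eventSource/eventName pairs to IAM action names, e.g. s3:GetObject."""
    used = set()
    for e in events:
        raw = f"{e['eventSource'].split('.')[0]}:{e['eventName']}"
        used.add(EVENT_TO_ACTION.get(raw, raw))
    return used


def matches(granted: str, action: str) -> bool:
    """IAM action wildcards ("s3:*", "dynamodb:Get*") behave like case-insensitive globs."""
    return fnmatch.fnmatchcase(action.lower(), granted.lower())


def analyze(policy: dict, events: List[dict]) -> Dict:
    """Return findings plus a policy that keeps only the exercised actions.

    Resource scoping is deliberately left to the reviewer: the finding flags a
    "*" resource, but narrowing it needs resource ARNs, not just action names.
    """
    used = used_actions(events)
    findings, new_statements = [], []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            new_statements.append(stmt)  # keep Deny statements untouched
            continue
        granted = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        exercised = sorted(a for a in used if any(matches(g, a) for g in granted))
        unused = sorted(g for g in granted if not any(matches(g, a) for a in used))
        wildcards = [g for g in granted if "*" in g]
        if stmt.get("Resource") == "*":
            findings.append(f"statement {i}: Resource is '*'")
        if wildcards:
            findings.append(f"statement {i}: wildcard action(s) {wildcards}")
        if unused:
            findings.append(f"statement {i}: never used in the observation window: {unused}")
        if exercised:
            new_statements.append({"Effect": "Allow", "Action": exercised, "Resource": stmt["Resource"]})
    return {"findings": findings,
            "optimized_policy": {"Version": policy["Version"], "Statement": new_statements}}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(CURRENT_POLICY, CLOUDTRAIL_EVENTS), indent=2))
```

On the sample input the `s3:*` grant collapses to `s3:GetObject` and `s3:ListBucket`, `dynamodb:PutItem` and `dynamodb:DeleteTable` are reported as never used, and the `"*"` resource is flagged the same way the ReadOnlyAccess ticket is. The observation window matters: an action exercised only by a quarterly job looks unused in a month of logs, which is why the remediation step presents the recommendation for review rather than applying it silently.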

This use case shows how you can discover and expose complex permission chaining by using Sonrai Dig. These chains can result in toxic permissions, privilege escalation, cross-account access, and other unintentional escalated privileges. Sonrai can monitor and learn which permissions are essential and then recommend optimal least-privilege policies for both person and non-person identities.

Conclusion

In this blog post, we showed you how to integrate your AWS Control Tower landing zone with Sonrai Dig and use it to maintain least privilege inside your AWS accounts. This solution automatically provisions new accounts into the Sonrai platform, giving you ongoing visibility and resource and policy monitoring inside those accounts.

For more information on solutions for AWS Control Tower in AWS Marketplace, see Security in a multi-account environment. For more information about the Sonrai platform, see Sonrai Dig for AWS Cloud Security on the Sonrai Security website.

About the authors

Giuseppe Zappia is a Senior Solutions Architect working with customers who are in the early stages of adopting AWS. In his spare time, he enjoys playing video games, programming, and building things.

Arijit Paul is a Specialist Solutions Architect focusing on AWS Service Catalog, AWS Control Tower, AWS Systems Manager, and AWS Marketplace. Outside of work, he enjoys cooking, traveling, and spending time with his family.

Brad Peters is the Platform Architect at Sonrai Security. He has 20 years’ experience building solutions in both public and private sectors, across various domains from cybersecurity to healthcare. His focus in recent years has been cybersecurity dealing with security at scale, zero trust, and identities as the perimeter.