For AWS customers that want to set up Wiz sensors on the Glean compute workloads (EC2 instances and EKS nodes), please review the following:

General Setup Details

Wiz sensor installation is conducted via the standard Glean deploy process. The customer need not worry about having to perform the installation, nor does the customer need to make any changes to the Glean deployment. The customer will need to provide Glean with some details to have Wiz deployed properly. Please see the requirements section.

Requirements and Instructions

Glean requires that the customer perform the following steps:
  1. In Wiz, create a Service Account for a Wiz sensor. Consult with the Wiz documentation for instructions on how to do this. When you do this, you will receive a Client ID and a Client Secret (used later as WIZ_API_CLIENT_SECRET). Please keep note of these as these will be needed.
  2. You will also need to collect the runtime sensor image pull key from your Wiz tenant. This can be obtained by going to your tenant info by clicking on this link: (https://app.wiz.io/tenant-info/general). You will be presented with a screen that looks like this: Wiz screenshot
    • You will need to obtain the Domain - You can select this via the drop-down. It is recommended that you select registry.wiz.io
    • You will need the Username (Used later as WIZ_REGISTRY_USERNAME)
    • You will need the Password (Used later as WIZ_REGISTRY_PASSWORD)
  3. Next, you are going to create an AWS Secrets Manager Secret in the same region as the Glean deployment. For simplicity, we recommend creating this AWS secret in the same AWS account as the Glean deployment, however you don’t have to. See the AWS Secrets Manager Requirements section below on how to create the secret and what to place in there. Once you have provisioned the secret, come back here.
  4. You will send over to your Glean representative the following information:
    • The Wiz Client ID
    • The Wiz registry Domain
    • The ARN for the Secrets Manager Secret
    • The ARN for the KMS key that is encrypting for the Secrets Manager secret
  5. Once the information is sent over to your Glean representative, Glean will perform a deployment to get the Wiz sensors installed.

AWS Secrets Manager Requirements

In all cases, you will need to create a secret in the same region as the Glean deployment.

Preferred: Secret in the same AWS account as the Glean deployment:

If you are creating a secret in the same AWS account as the Glean deployment, then we recommend that you create a secret that is encrypted with the AWS managed aws/secretsmanager KMS key. Create the secret and proceed to the next section on what the secret value should be.

Secret in a different AWS account than the Glean deployment:

If you are creating a secret in a different AWS account than the Glean deployment, then you must create a new AWS Customer Managed Key (KMS) first. This KMS key will need to have the following policy applied: 
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-ID-THAT-THE-KMS-KEY-RESIDES-IN:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow secrets manager use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::YOUR-GLEAN-DEPLOYMENT-AWS-ACCOUNT-ID:root"
      },
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "secretsmanager.DEPLOYMENT-REGION.amazonaws.com"
        }
      }
    }
  ]
}
The secret that is created will also need a cross-account policy attached to it. The policy will need to look like this: 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCrossAccountSecretRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::YOUR-GLEAN-DEPLOYMENT-AWS-ACCOUNT:root"
            },
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*"
        }
    ]
}
For cross-account secrets, you cannot use the aws/secretsmanager AWS managed key as it cannot be used cross-account.

The Secret Contents

The secret that is created needs to be a JSON string that looks like this: 
{
    "WIZ_API_CLIENT_SECRET": "ADD-ME",
    "WIZ_REGISTRY_USERNAME": "ADD-ME",
    "WIZ_REGISTRY_PASSWORD": "ADD-ME"
}
You need to embed:
  1. The Wiz Client Secret for WIZ_API_CLIENT_SECRET
  2. The image pull registry username for WIZ_REGISTRY_USERNAME
  3. The password for the image as WIZ_REGISTRY_PASSWORD
Once you create the secret, you will need to keep note of:
  1. The ARN of the created secret
  2. The ARN of the KMS key that encrypted the secret. You can locate this in the KMS console. For the aws/secretsmanager managed secret, you can locate this in the AWS console under AWS managed keys to obtain the ARN for it.

Pricing

Because this is reporting back to the customer’s Wiz tenant, the customer is responsible for billing and capacity requirements. Generally, this will require a billable unit for each EC2 instance and EKS node instance. Please work with your Glean representative to discuss sizing.