CloudFormation Stack Deployment

After subscribing to ZoneHero through AWS Marketplace and creating your account, you need to deploy a CloudFormation stack that sets up the necessary cross-account permissions for ZoneHero to operate in your AWS environment.

Accessing the Deployment Page#

You can access the CloudFormation deployment page:

1. Immediately after completing the registration process
2. At any time by going to your AWS Marketplace subscriptions, and clicking on “Set up product”, and then “Set up your account”.

Deploying a New Stack#

If you haven’t deployed the ZoneHero CloudFormation stack before:

1. Click the “Launch Stack” button on the deployment page
2. You’ll be redirected to the AWS CloudFormation console
3. Review the stack details and proceed to the parameters section

Updating an Existing Stack#

If you’ve previously deployed the stack and need to update it:

1. Copy your existing stack ARN
2. Paste it into the text field on the deployment page
3. Click the “Generate Link” button
4. Click the “Update Stack” button
5. You’ll be redirected to the AWS CloudFormation console with your existing stack selected for update

Configuration Parameters#

When deploying or updating the stack, you’ll need to configure the following parameters:

AdminUsersList#

This parameter defines which AWS users or roles will be allowed to perform ZoneHero operations via the ZoneHero API.

You can specify:

• Simple IAM users: arn:aws:iam::1234567890:user/username
• SSO users: arn:aws:iam::1234567890:role/aws-reserved/sso.amazonaws.com/region/AWSReservedSSO_RoleName_ID

Example:

arn:aws:iam::1234567890:user/francois
arn:aws:iam::1234567890:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_AdministratorAccess_0123456789abcde

ExternalId#

This field is pre-populated with the appropriate value and should not be changed. It is used to guard against confused deputy attacks.

R53HostedZones#

This parameter specifies which Route 53 hosted zones ZoneHero will be allowed to create new records in.

A Route 53 Zone ARN is the zone ID prefixed with arn:aws:route53:::hostedzone/

Example:

arn:aws:route53:::hostedzone/Z1D633SJN98FT9
arn:aws:route53:::hostedzone/Z2FETNDATAQYW2

S3BucketList#

This parameter defines which S3 buckets ZoneHero proxy nodes will be allowed to push access logs to.

We recommend using a different bucket for each region you operate in to avoid cross-region data transfer costs.

Example:

zonehero-logs-us-east-1
zonehero-logs-eu-west-1

After Deployment#

Once the CloudFormation stack has been successfully deployed:

1. Return to the ZoneHero dashboard
2. Generate API keys from your account settings
3. Configure the ZoneHero CLI or Terraform provider using your new API keys

For more information on using the Terraform provider, see our Terraform Provider documentation.