
    How To Set Up Wiz in AWS or Google Cloud: Step-by-step Guide

    Managing security across sprawling cloud environments like Amazon Web Services (AWS) and Google Cloud can feel like an impossible task. With countless virtual machines, containers, and serverless functions, identifying and prioritizing real threats is a major challenge. Traditional security tools often require cumbersome agents and still leave significant visibility gaps. This is where a modern Cloud Native Application Protection Platform (CNAPP) like Wiz becomes essential.

    Wiz provides a unified, agentless solution to scan your entire cloud stack, from infrastructure to application code. It connects directly to your cloud provider’s APIs to build a deep, contextual understanding of your environment. By visualizing your security posture through the Wiz Security Graph, you can cut through the noise of countless alerts and focus on the critical risks that truly matter. For any organization serious about securing its cloud assets, integrating Wiz is a game-changing step.

    This guide will provide a detailed, step-by-step walkthrough on how to set up Wiz in both AWS and Google Cloud. We’ll cover everything from prerequisites to deployment, compare the processes for each platform, and offer troubleshooting tips to ensure a smooth integration.

    Why Choose Wiz for Cloud Security?

    Before diving into the setup process, it’s important to understand what makes Wiz a leading choice for cloud security.

    • Agentless Scanning: Wiz’s primary advantage is its agentless approach. Instead of deploying and managing agents on every single virtual machine, Wiz takes snapshots of your workload volumes for deep analysis. This eliminates performance overhead, simplifies deployment, and ensures 100% coverage, even for short-lived or auto-scaled resources that agents often miss.
    • The Wiz Security Graph: At its core, Wiz builds a comprehensive graph that maps out every resource, permission, vulnerability, and network path in your cloud environment. This contextual model allows it to identify “toxic combinations” of risks—like a virtual machine with a critical vulnerability, exposed to the internet, and holding credentials to a sensitive database. This focus on attack paths helps you prioritize what to fix first.
    • Full-Stack Visibility: Wiz doesn’t just look at infrastructure misconfigurations. It scans everything from virtual machines and containers to serverless functions and managed Platform-as-a-Service (PaaS) offerings. This gives you a single pane of glass for your entire cloud security posture.
    • Rapid Deployment: Because it’s agentless, you can connect Wiz to your AWS or Google Cloud environment and get meaningful results in minutes, not weeks or months.

    Setting Up Wiz in Amazon Web Services (AWS)

    Connecting Wiz to your AWS environment is a streamlined process that leverages AWS CloudFormation to automate the creation of necessary roles and permissions. The goal is to grant Wiz read-only access to your AWS organization so it can begin scanning.

    Prerequisites for AWS Setup

    Before you start, ensure you have the following:

    1. Administrator Access: You need administrator-level access to your Wiz tenancy.
    2. AWS Permissions: You’ll need sufficient permissions in your AWS management account to create a CloudFormation stack. This typically requires an IAM user or role with permissions for IAM, Organizations, and CloudFormation.
    3. AWS Organization OU ID: You will need the ID of the AWS Organizational Unit (OU) you want to connect. For full coverage, it’s recommended to use the root OU ID, which ensures that any new accounts added to your organization are automatically discovered and scanned by Wiz. You can find this in the AWS Organizations console.
    4. Enable Trusted Access for StackSets: If you are connecting an OU, you must enable trusted access for CloudFormation StackSets within AWS Organizations. This allows the management account to deploy stacks across all accounts in the organization. You can find instructions in the AWS documentation.

    Step-by-Step Guide to AWS Deployment

    1. Start the Deployment in Wiz:
      Image ALT Text: Screenshot of the Wiz portal showing the ‘Add Deployment’ screen with Amazon Web Services selected.
      • Log in to your Wiz portal.
      • Navigate to Settings > Deployments.
      • Click on Add Deployment and select Cloud.
      • Choose Amazon Web Services (AWS) from the list of cloud providers.
    2. Configure the Connector Scope:
      Image ALT Text: Screenshot of the Wiz connector configuration screen, highlighting the Organization scope and OU ID field.
      • You will be asked to define the connector’s scope. Select Organization for the most comprehensive coverage. This allows Wiz to scan all current and future accounts within your specified OUs.
      • Choose CloudFormation as the deployment method. This is the recommended and most automated approach.
      • Enter your AWS Organization OU ID. As mentioned, using the root OU is best practice.
    3. Select Services for Scanning:
      • Wiz will prompt you to select additional services to scan. It is highly recommended to enable scanning for Data Security Posture Management (DSPM) and Amazon EKS. This extends Wiz’s visibility into your data stores and Kubernetes clusters.
      • Click the Launch CloudFormation button.
    4. Create the CloudFormation Stack in AWS:
      Image ALT Text: Screenshot of the AWS CloudFormation ‘Create stack’ page with the acknowledgement box highlighted.
      • You will be redirected to the AWS Console, specifically to the “Create stack” page. The necessary template URL and parameters will be pre-filled by Wiz.
      • Review the details. At the bottom of the page, you must acknowledge that AWS CloudFormation might create IAM resources by checking the box.
      • Click Create stack.
    5. Wait for Stack Creation and Get the Role ARN:
      • The stack creation process will begin and typically takes about 5-10 minutes. You can monitor its status on the CloudFormation page. It will change from CREATE_IN_PROGRESS to CREATE_COMPLETE.
      • Once complete, click on the stack you just created and go to the Outputs tab.
      • Copy the WizRoleArn value. This is the Amazon Resource Name (ARN) of the role that Wiz will use to scan your environment.
    6. Finalize the Connection in Wiz:
      • Return to the Wiz portal.
      • Paste the copied WizRoleArn into the designated field.
      • On the final screen, give your connector a descriptive name (e.g., “AWS-Production-Org”). You also have the option to exclude specific OUs or accounts if needed.
      • Click Finish.

    Wiz will now begin its initial scan of your AWS environment. Within minutes, you should start seeing resources and security issues appear on your Wiz dashboard.
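    The WizRoleArn output points at a cross-account role whose trust policy lets an external account assume it, so it is worth checking that policy after the stack completes. The following added example (not Wiz's or AWS's code) audits a trust policy document in the form returned by `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument`; the account id, external id and the assumed set of permitted actions are placeholders, not Wiz's real values.

```python
import json

# Constructed sample of the trust policy shape a cross-account scanner role
# carries. The account id and external id are PLACEHOLDERS, not Wiz's values.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
})

def principal_account(principal):
    """Account id from 'arn:aws:iam::123456789012:root' or a bare account id."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def audit_trust_policy(policy_json, expected_account, allowed_actions=("sts:AssumeRole",)):
    """Return findings for a cross-account role trust policy (empty list = clean).

    Each Allow statement is checked for: a wildcard principal, a principal outside
    the expected vendor account, actions beyond the assumed allow-list, and a
    missing sts:ExternalId condition (the standard confused-deputy guard for
    third-party cross-account access).
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        for p in aws:
            if p == "*":
                findings.append(f"statement {i}: wildcard principal")
            elif principal_account(p) != expected_account:
                findings.append(f"statement {i}: unexpected principal {p}")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        extra = [a for a in actions if a not in allowed_actions]
        if extra:
            findings.append(f"statement {i}: extra actions {extra}")
        conditions = st.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in conditions:
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings
```

    Compare the principal against the account id shown in the Wiz deployment screen; any finding other than a deliberately permitted extra action is worth raising before the connector is marked finished.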

    Setting Up Wiz in Google Cloud

    The process for connecting Wiz to Google Cloud is conceptually similar to AWS, involving the creation of a service account with read-only permissions. Wiz provides auto-generated scripts to simplify this process, whether you prefer using the Cloud Shell or Terraform.

    Prerequisites for Google Cloud Setup

    1. Administrator Access: You need administrator-level access to your Wiz tenancy.
    2. Google Cloud Permissions: The user performing the setup needs specific permissions at the organization or project level.
      • Organization Level: A user with roles like Organization Admin (roles/resourcemanager.organizationAdmin), IAM Admin (roles/iam.serviceAccountAdmin), and Security Admin (roles/iam.securityAdmin).
      • Project Level: A user with the Project Owner role (roles/owner).
    3. Organization or Project ID: Have your Google Cloud Organization ID or Project ID ready.
    4. API Services Enabled: You must have permissions to enable the necessary Google Cloud APIs, which the Wiz script will handle for you.

    Step-by-Step Guide to Google Cloud Deployment

    1. Start the Deployment in Wiz:
      Image ALT Text: Screenshot of the Wiz portal showing the ‘Add Deployment’ screen with Google Cloud Platform selected.
      • In the Wiz portal, navigate to Settings > Deployments.
      • Click Add Deployment and select Cloud.
      • Choose Google Cloud Platform (GCP) from the provider list.
    2. Choose Deployment Method and Scope:
      • Select your desired scope: Organization or Project. Connecting at the organization level is recommended for complete visibility.
      • Wiz offers two primary deployment methods: Cloud Shell Script or Terraform. The Cloud Shell script is generally the easiest for most users.
    3. Run the Deployment Script in Google Cloud Shell:
      Image ALT Text: Screenshot of the Google Cloud Shell with the Wiz deployment script command being executed.
      • Wiz will provide a curl command to run. Copy this command.
      • Open the Google Cloud Shell from your Google Cloud Console.
      • Paste the command into the Cloud Shell and press Enter.
      • The script will prompt you to authorize it. Follow the on-screen instructions.
    4. What the Script Does:
      The script automates several key actions:
      • Enables APIs: It enables all required Google Cloud APIs for Wiz to gather metadata (e.g., Compute Engine API, IAM API, Cloud Storage API).
      • Creates a Service Account: It creates a dedicated service account for Wiz (e.g., wiz-service-account).
      • Assigns Read-Only Roles: It creates a custom role with the necessary read-only permissions and assigns it to the service account. These permissions allow Wiz to list resources, read configurations, and create/delete snapshots for workload scanning.
    5. Finalize the Connection in Wiz:
      • Once the script completes successfully, it will have established the connection.
      • Return to the Wiz portal. The status of your Google Cloud connector should update to “Connected.”
      • You can give the connector a descriptive name for easy identification.

    Wiz will immediately begin scanning your Google Cloud projects. The agentless workload scanner will automatically create snapshots of your Compute Engine instances, analyze them for vulnerabilities and misconfigurations, and then delete the snapshots, leaving no footprint.
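    Because the custom role is meant to be read-only apart from snapshot handling, the role the script created can be audited against that intent. The following added example (not Wiz's or Google's code) checks a role definition in the shape of `gcloud iam roles describe ROLE --format=json`; the sample role, its permission list and the set of snapshot permissions treated as approved exceptions are assumptions for illustration, not Wiz's actual role.

```python
import json

# Constructed sample in the shape of `gcloud iam roles describe ROLE --format=json`.
# Role name and permission set are PLACEHOLDERS, not Wiz's real custom role.
SAMPLE_ROLE = json.dumps({
    "name": "organizations/000000000000/roles/ExampleScannerRole",
    "stage": "GA",
    "includedPermissions": [
        "compute.instances.list", "compute.instances.get",
        "compute.disks.createSnapshot", "compute.snapshots.create",
        "compute.snapshots.delete", "compute.snapshots.get",
        "iam.serviceAccounts.list", "storage.buckets.getIamPolicy",
    ],
})

# Write-capable permissions an agentless scanner legitimately needs for
# snapshot create/delete (assumed exception list, based on the guide's text).
SNAPSHOT_EXCEPTIONS = {
    "compute.disks.createSnapshot",
    "compute.snapshots.create",
    "compute.snapshots.delete",
    "compute.snapshots.useReadOnly",
}

def is_read_only(permission):
    """GCP permissions are service.resource.verb; get*/list* verbs are read-only."""
    verb = permission.rsplit(".", 1)[-1]
    return verb.startswith("get") or verb.startswith("list")

def audit_custom_role(role_json, exceptions=SNAPSHOT_EXCEPTIONS):
    """Return granted permissions that are neither read-only nor an approved exception."""
    role = json.loads(role_json)
    return sorted(
        p for p in role.get("includedPermissions", [])
        if not is_read_only(p) and p not in exceptions
    )

def missing_permissions(role_json, expected):
    """Return permissions from a documented expected list that the role lacks."""
    granted = set(json.loads(role_json).get("includedPermissions", []))
    return sorted(set(expected) - granted)
```

    Run `audit_custom_role` against the live role output to catch unexpected write permissions, and `missing_permissions` with the permission list from the current Wiz documentation when resources are not appearing.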

    AWS vs. Google Cloud Setup: A Comparison

    While both setup processes are designed to be simple, there are a few key differences to be aware of.

    Feature: Deployment Method
      • AWS Setup: Primarily AWS CloudFormation, which creates a stack of resources based on a template provided by Wiz.
      • Google Cloud Setup: Primarily a Cloud Shell script or Terraform. The script automates API enablement and role creation.

    Feature: Identity Mechanism
      • AWS Setup: Uses an IAM Role with a trust policy that allows Wiz’s AWS account to assume the role.
      • Google Cloud Setup: Uses a Service Account with a custom IAM role assigned to it.

    Feature: Automation
      • AWS Setup: Highly automated via CloudFormation. The user is redirected to the AWS console to launch the stack with pre-filled parameters.
      • Google Cloud Setup: Highly automated via script. The user copies a command and runs it in the Google Cloud Shell.

    Feature: Permissions Scope
      • AWS Setup: The CloudFormation stack defines all necessary permissions for resources like IAM roles and policies.
      • Google Cloud Setup: The script creates a custom IAM role with granular read-only permissions for dozens of Google Cloud services.

    Feature: Configuration
      • AWS Setup: The user must provide the OU ID and can exclude specific accounts during the final step in the Wiz UI.
      • Google Cloud Setup: The scope (organization or project) is defined at the beginning. The script targets the configured scope.

    Key Takeaway: The end result is the same—Wiz gets secure, read-only access to scan your environment. AWS leverages its native infrastructure-as-code service (CloudFormation), while Google Cloud’s setup leans on a CLI-based script, which is equally effective and fast. Both methods are robust and reflect the standard integration patterns for their respective platforms.

    Troubleshooting Common Setup Issues

    Even with automated scripts, you might encounter a few hurdles. Here are some common problems and their solutions.

    • Problem (AWS): CloudFormation Stack Fails to Create.
      • Cause: This is often due to insufficient permissions. The IAM user or role executing the CloudFormation stack needs permission to create IAM roles and other resources across the organization.
      • Solution: Ensure your IAM principal has the necessary administrative privileges. Also, double-check that you have enabled trusted access for StackSets in your AWS Organization.
    • Problem (Google Cloud): Script Fails with “Permission Denied” Errors.
      • Cause: The user running the script in Cloud Shell lacks the required IAM roles at the organization or project level.
      • Solution: Verify that your user account has the necessary roles (e.g., Organization Admin, Project Owner). You may need to ask a Google Cloud administrator to either grant you the permissions or run the script on your behalf.
    • Problem (Both): Wiz shows “Connecting” but never finishes.
      • Cause: There might be a network issue or a misconfiguration preventing Wiz from communicating with your cloud provider’s APIs. This can happen in highly restrictive environments with firewalls or VPC Service Controls.
      • Solution: Check your network egress rules to ensure Wiz’s IP addresses can communicate with AWS or Google Cloud APIs. For Google Cloud, you may need to configure an ingress rule in VPC Service Controls to allow the Wiz service account. Refer to the official Wiz documentation for the required IP ranges.
    • Problem (Both): Not all resources are appearing in Wiz.
      • Cause: This could be a scope issue. You may have connected a specific project or OU instead of the entire organization. It could also be that the Wiz role is missing permissions for a particular service.
      • Solution: Edit your connector in the Wiz portal and verify the scope. If needed, rerun the setup process targeting the root OU or organization to ensure full coverage. If a specific service is missing, review the IAM role created by Wiz and compare it against the latest permissions in the Wiz documentation.

    Best Practices for Ongoing Management

    Setting up Wiz is just the first step. To get the most out of the platform, follow these best practices for ongoing management.

    1. Integrate with Your Workflow: Don’t let Wiz become just another security dashboard. Integrate it with your existing tools. Send critical Wiz issues to Slack for immediate notification, create Jira tickets for remediation tasks, or trigger automated responses with tools like Sentinel or SOAR platforms.
    2. Regularly Review Your Security Graph: Schedule time to explore the Security Graph. Use it to proactively hunt for threats and understand complex attack paths. Ask questions like, “Which public-facing servers have critical vulnerabilities and access to sensitive data?”
    3. Customize Policies and Controls: While Wiz comes with hundreds of built-in controls, you can create custom queries and policies tailored to your organization’s specific compliance and security requirements.
    4. Use Role-Based Access Control (RBAC): Configure RBAC within Wiz to give different teams (e.g., DevOps, security, compliance) access to only the information they need. This empowers teams to fix their own issues without overwhelming them.
    5. Keep Your Connector Updated: Wiz periodically updates its scanning logic and may require additional permissions. Keep an eye out for notifications from Wiz about updating your connector to ensure you’re always using the latest capabilities.

    Conclusion: A Clearer Path to Cloud Security

    Connecting Wiz to your AWS or Google Cloud environment is a straightforward process that delivers immediate and profound security insights. By replacing the friction of agent-based solutions with the power of an API-first, graph-based approach, Wiz gives you the visibility and context needed to manage risk effectively at scale.

    Whether you are running on AWS, Google Cloud, or both, the setup takes only a few minutes but provides a lasting foundation for a robust cloud security program. By following the steps in this guide, you can move beyond simple vulnerability scanning and start proactively identifying and neutralizing the most critical threats to your cloud infrastructure. Take control of your cloud security posture today by integrating Wiz and turning visibility into actionable defense.

    Ibraheem Taofeeq Opeyemi
