
Get Started with Qrie

Deploy your CNAPP solution in minutes with our guided setup process

📋 Onboarding Overview

1. Initial Contact: contact Qrie for a personalized demo and consultation
2. Agreement: sign a simple order form to get started
3. QOP Deployment: we deploy your per-region QOP stacks and provide SQS Queue ARNs
4. Event Connection: your team deploys CloudFormation stacks to forward events
5. Verification: we confirm events are flowing and your UI shows live data
Ready to Go: your dedicated Qrie instance is live and monitoring

Step 1: Initial Contact

Contact Qrie for a personalized demo and consultation

Reach out to the Qrie team to schedule a demo and discuss your cloud security monitoring needs. We’ll walk through your AWS environment and explain how Qrie can provide comprehensive visibility into your cloud infrastructure.

What to expect

  • 30-minute product demonstration
  • Discussion of your specific security requirements
  • Architecture overview and deployment planning
  • Pricing and contract terms review

Step 2: Agreement

Sign a simple order form to get started

Once you’re ready to proceed, we’ll provide a straightforward order form that outlines the service terms, pricing, and deployment timeline.

Agreement includes

  • Service level agreements (SLAs)
  • Data processing and privacy terms
  • Regional deployment specifications
  • Support and maintenance coverage

Step 3: QOP Deployment

We deploy your per-region QOP stacks and provide SQS Queue ARNs

The Qrie team deploys your dedicated Qrie-on-Premises (QOP) infrastructure in your specified AWS regions. This includes all the backend processing, storage, and UI components needed for your security monitoring.

What gets deployed

  • SQS queues for event ingestion
  • Lambda functions for processing
  • DynamoDB tables for storage
  • Web UI with CloudFront distribution

You receive

  • SQS Queue ARNs for each region
  • Web UI access credentials
  • CloudFormation template for setup
  • Documentation and support contacts

🔐 Important: Your QOP Account

Ownership & Access: Qrie provisions and owns the Qrie On Prem (QOP) account. However, the account remains dedicated to your security operations and you have full access to all the resources and data within it.
Privacy Model: Qrie engineers will not access your QOP account post-deployment except for agreed-upon maintenance.
Billing: All AWS costs in the QOP account are pass-through and included in your Qrie invoice.
UI Access: Your team accesses a dedicated, regionally separated UI at https://us-east-1.acme.qrie.io (customized with your domain).

Step 4: Event Connection

Deploy CloudFormation stacks to forward events from your AWS account to Qrie

Before getting started, ensure you have:

  • ✅ Signed agreements and contract
  • ✅ Confirmation from Qrie team that QOP account is deployed for you
  • ✅ SQS Queue ARN provided by Qrie team (this is the queue in your dedicated QOP account where your events are processed)
  • ✅ Admin access to your AWS account (root credentials or IAM user with AdministratorAccess permissions)

Step 4.1: Download CloudFormation Template

Download the bootstrap template for connecting your AWS account:

Download Template
# Download the CloudFormation template
curl -fsSL -o qrie-customer-bootstrap.yaml \
  https://qrie.io/onboarding/customer_bootstrap.yaml

Alternative: download the template directly from the same URL in your browser.

Step 4.2: Enable CloudTrail EventBridge Integration

⚠️ Critical: CloudTrail EventBridge Integration

The EventBridge rules won’t trigger without CloudTrail sending events to EventBridge. Enable this if not already configured:

Enable CloudTrail → EventBridge
# Option 1: Basic setup (captures ALL services, filtered by EventBridge rules)
aws cloudtrail put-event-selectors \
  --trail-name <your-existing-trail-name> \
  --event-selectors '[{
    "ReadWriteType": "WriteOnly",
    "IncludeManagementEvents": true,
    "DataResources": []
  }]' \
  --region us-east-1

# Option 2: Advanced filtering (only EC2, S3, IAM at CloudTrail level)
aws cloudtrail put-event-selectors \
  --trail-name <your-existing-trail-name> \
  --advanced-event-selectors '[{
    "Name": "Log EC2, S3, IAM write events only",
    "FieldSelectors": [
      {"Field": "category", "Equals": ["Management"]},
      {"Field": "readOnly", "Equals": ["false"]},
      {"Field": "eventSource", "Equals": ["ec2.amazonaws.com", "s3.amazonaws.com", "iam.amazonaws.com"]}
    ]
  }]' \
  --region us-east-1

# Option 3: Create new trail with EventBridge integration
aws cloudtrail create-trail \
  --name qrie-eventbridge-trail \
  --s3-bucket-name <your-cloudtrail-bucket> \
  --include-global-service-events \
  --is-multi-region-trail \
  --enable-log-file-validation \
  --region us-east-1

aws cloudtrail start-logging \
  --name qrie-eventbridge-trail \
  --region us-east-1

💡 Alternative: Use AWS Console

  • Go to CloudTrail → Trails → Select your trail
  • Under "Event selectors" → Edit
  • Ensure "Management events" and "Write" are selected
  • Save changes

Step 4.3: Deploy CloudFormation Stack

⚠️ Important: Regional Deployment Strategy

us-east-1 (Required): Must be deployed to capture IAM events (global service)

Other regions: Deploy in regions where you have EC2, S3, and other regional resources

Start with us-east-1:

  • Navigate to AWS Console in your target account
  • Search for "CloudShell" and open it
  • Set region to us-east-1 (required for IAM events)

Deploy to us-east-1
# Set your QOP account ID and SQS queue ARN for us-east-1 (replace with actual values from Qrie team)
AWS_REGION="us-east-1"
QOP_ACCOUNT_ID="<QOP_ACCOUNT_ID>"
QOP_QUEUE_ARN="arn:aws:sqs:$AWS_REGION:$QOP_ACCOUNT_ID:<your-qrie-queue-us-east-1>"

# Deploy to us-east-1 first (REQUIRED for global services like IAM)
aws cloudformation deploy \
  --region $AWS_REGION \
  --stack-name QrieForwardToQOP \
  --template-file qrie-customer-bootstrap.yaml \
  --parameter-overrides QopQueueArn="$QOP_QUEUE_ARN" QopAccountId="$QOP_ACCOUNT_ID" \
  --capabilities CAPABILITY_NAMED_IAM

Deploy to Additional Regions

Repeat for each region where you have resources to monitor:

Additional Regions
# Example: Deploy to us-west-2
AWS_REGION="us-west-2"
QOP_ACCOUNT_ID="<QOP_ACCOUNT_ID>"
QOP_QUEUE_ARN="arn:aws:sqs:$AWS_REGION:$QOP_ACCOUNT_ID:<your-qrie-queue-us-west-2>"

aws cloudformation deploy \
  --region $AWS_REGION \
  --stack-name QrieForwardToQOP \
  --template-file qrie-customer-bootstrap.yaml \
  --parameter-overrides QopQueueArn="$QOP_QUEUE_ARN" QopAccountId="$QOP_ACCOUNT_ID" \
  --capabilities CAPABILITY_NAMED_IAM

Step 5: Verification & Go-Live

Confirm your setup is working correctly with end-to-end testing

✓ Stack Deployment

Verify all CloudFormation stacks show CREATE_COMPLETE status in each deployed region.

✓ Event Flow

Qrie team confirms test events are received and processed successfully.

End-to-End Testing

Send test events to verify the complete pipeline is working:

Test Events (Write Operations Only)
# Test IAM events (only works in us-east-1 due to global service)
aws iam create-user --user-name qrie-test-user
aws iam delete-user --user-name qrie-test-user

# Test S3 write events (keep the generated name in a variable so the same bucket is removed)
TEST_BUCKET="qrie-test-bucket-$(date +%s)"
aws s3 mb "s3://$TEST_BUCKET"
aws s3 rb "s3://$TEST_BUCKET"

# Test EC2 write events (use appropriate region)
aws ec2 create-security-group --group-name qrie-test-sg --description "Qrie test security group"
aws ec2 delete-security-group --group-name qrie-test-sg

Note: IAM events only appear in us-east-1 CloudTrail. The Qrie team will confirm receipt of events from all deployed regions and verify they’re being processed by your QOP Lambda functions.

How to evaluate test results

Web UI (Coming Soon): The Qrie web interface will display security findings and resource inventory. During initial setup, this UI is still being prepared for your deployment.

QOP Account Access: You have access to your dedicated QOP account where you can:

  • Monitor Lambda function executions in CloudWatch
  • Check DynamoDB tables for new findings and resource entries
  • View SQS queue metrics to confirm event ingestion

Advanced Testing: Create a non-compliant resource (e.g., an S3 bucket with public read access) to generate a positive security finding that should appear in your QOP DynamoDB tables.

Security Note:

Your QOP SQS queue only accepts events from the specific EventBridge rules created by this stack (prefix: qrie-forward-*). The queue is not publicly accessible.

🎉 Ready to Go!

Once verification is complete, your dedicated Qrie instance is live and monitoring your AWS environment. You’ll receive access to your web UI and can start exploring security findings and resource inventory.

🏗️ What Gets Deployed

In Your AWS Account

  • QrieEventsToSqs-<account>-<region> IAM role: trusted by EventBridge with SQS send permissions
  • QrieReadOnly-<account> cross-account IAM role: SecurityAudit permissions for resource discovery and policy evaluation
  • qrie-forward-ec2-<region> EventBridge rule: monitors EC2 API write operations
  • qrie-forward-s3-<region> EventBridge rule: monitors S3 API write operations
  • qrie-forward-iam-<region> EventBridge rule: monitors IAM API write operations

In Qrie QOP Account

  • SQS Queue + DLQ: secure event ingress with resource policies
  • DynamoDB Tables: resource inventory and security findings storage
  • Lambda Functions: event processing, inventory, and policy scanning
  • Web UI Stack: CloudFront + S3 + Cognito for dashboard access
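To make the three qrie-forward-* rules concrete, here is an added Python sketch (not code from the Qrie template, whose actual event patterns are not shown on this page) of the kind of EventBridge pattern such a rule uses and of which constructed CloudTrail events it would forward. It assumes each rule matches management write events for one service; the matcher implements only the subset of EventBridge semantics those patterns need.

```python
"""Simplified EventBridge pattern matching for the qrie-forward-* rules.

Assumption: each rule matches CloudTrail management write events for one service;
the real template's patterns are not shown on the page."""


def forward_rule_pattern(service: str) -> dict:
    """Assumed pattern for qrie-forward-<service>-<region> (service: ec2, s3 or iam)."""
    return {
        "source": [f"aws.{service}"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {"eventSource": [f"{service}.amazonaws.com"],
                   "readOnly": [False]},  # write operations only
    }


def matches(pattern: dict, event: dict) -> bool:
    """Subset of EventBridge semantics: every pattern key must exist in the event and
    the event value must equal one of the listed alternatives; nested dicts recurse."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        elif value not in allowed:
            return False
    return True


def firing_rules(event: dict) -> list:
    """Names of the qrie-forward rules in the event's region that would forward it."""
    return [f"qrie-forward-{svc}-{event['region']}"
            for svc in ("ec2", "s3", "iam") if matches(forward_rule_pattern(svc), event)]


def cloudtrail_event(service: str, name: str, region: str, read_only: bool) -> dict:
    """Constructed sample in the shape CloudTrail hands to EventBridge (management events)."""
    return {"source": f"aws.{service}", "detail-type": "AWS API Call via CloudTrail",
            "region": region, "detail": {"eventSource": f"{service}.amazonaws.com",
                                         "eventName": name, "readOnly": read_only}}


# Constructed samples; none of these exist in EventBridge unless CloudTrail management
# events are enabled (Step 4.2), which is why the rules stay silent without that step
SAMPLES = [
    cloudtrail_event("iam", "CreateUser", "us-east-1", False),        # global service
    cloudtrail_event("ec2", "DescribeInstances", "us-west-2", True),  # read-only: dropped
    cloudtrail_event("s3", "CreateBucket", "us-west-2", False),
    cloudtrail_event("rds", "CreateDBInstance", "us-west-2", False),  # no RDS rule yet
]
```

Extending the stack to RDS or EKS, as the FAQ describes, amounts to adding one more pattern of this shape per service.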

🔧 Troubleshooting

EventBridge Rules Not Triggering

  • Verify CloudTrail is sending events to EventBridge (not just S3)
  • Check that management events are enabled on your CloudTrail
  • Ensure the trail covers the region where you’re testing
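An added check for the second bullet (not a Qrie tool): this Python inspects the JSON document that `aws cloudtrail get-event-selectors` returns and reports whether the trail logs management write events for EC2, S3 and IAM, accepting either the basic selectors from Step 4.2 Option 1 or the advanced selectors from Option 2. The selector documents below are constructed samples; advanced fields other than Equals are not handled.

```python
"""Check CloudTrail event selectors for the management write events the qrie-forward rules need.

Input is the JSON `aws cloudtrail get-event-selectors` returns (constructed samples below).
Added check, not a Qrie tool; NotEquals/StartsWith advanced selector fields are not handled."""

QRIE_SOURCES = {"ec2.amazonaws.com", "s3.amazonaws.com", "iam.amazonaws.com"}


def covers_qrie_services(selectors: dict) -> bool:
    """True if the trail logs management write events for EC2, S3 and IAM."""
    # Basic selectors (Step 4.2 Option 1): management events with ReadWriteType All or WriteOnly
    for sel in selectors.get("EventSelectors", []):
        if sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") in ("All", "WriteOnly"):
            return True
    # Advanced selectors (Option 2): Management category, readOnly not pinned to "true",
    # and any eventSource restriction must still include all three services
    for sel in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f.get("Equals", []) for f in sel.get("FieldSelectors", [])}
        if fields.get("category") != ["Management"] or fields.get("readOnly") == ["true"]:
            continue
        if "eventSource" not in fields or QRIE_SOURCES <= set(fields["eventSource"]):
            return True
    return False


# Constructed samples mirroring Option 1 and Option 2 from Step 4.2, plus two trails that
# look configured but never produce the write events the rules need
OPTION_1 = {"TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/example",
            "EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
                                "DataResources": []}]}
OPTION_2 = {"AdvancedEventSelectors": [{"Name": "Log EC2, S3, IAM write events only",
            "FieldSelectors": [{"Field": "category", "Equals": ["Management"]},
                               {"Field": "readOnly", "Equals": ["false"]},
                               {"Field": "eventSource", "Equals": sorted(QRIE_SOURCES)}]}]}
READ_ONLY_TRAIL = {"EventSelectors": [{"ReadWriteType": "ReadOnly",
                                       "IncludeManagementEvents": True}]}
DATA_EVENTS_ONLY = {"AdvancedEventSelectors": [{"Name": "S3 data events", "FieldSelectors": [
    {"Field": "category", "Equals": ["Data"]},
    {"Field": "resources.type", "Equals": ["AWS::S3::Object"]}]}]}
```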

Events Not Reaching QOP Queue

  • Verify the QOP SQS queue ARN is correct
  • Check cross-account SQS permissions in QOP account
  • Confirm EventBridge IAM role has SQS send permissions

CloudFormation Stack Redeploy Issues

If you encounter IAM policy parsing errors or other issues when redeploying:

Delete and Recreate Stack
# Delete the existing stack
aws cloudformation delete-stack \
  --stack-name QrieForwardToQOP \
  --region us-east-1

# Wait for deletion to complete
aws cloudformation wait stack-delete-complete \
  --stack-name QrieForwardToQOP \
  --region us-east-1

# Deploy fresh stack
aws cloudformation deploy \
  --region us-east-1 \
  --stack-name QrieForwardToQOP \
  --template-file qrie-customer-bootstrap.yaml \
  --parameter-overrides QopQueueArn="<your-qop-queue-arn>" QopAccountId="<qop-account-id>" \
  --capabilities CAPABILITY_NAMED_IAM

Note: Deleting and recreating the stack may cause a brief gap in event forwarding during the transition.

Frequently Asked Questions

Is the QOP SQS queue secure?

Yes. The queue uses resource policies that only allow EventBridge service access from rules with the qrie-forward-* prefix in your account/region. It’s not publicly accessible.
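The Security Note in Step 5 and this answer describe the same control. As an added example (constructed here; the actual QOP queue policy is not shown on this page), the following Python builds a queue policy of that shape and evaluates it the way SQS would for an EventBridge delivery, including the segment-by-segment ArnLike matching that keeps the qrie-forward-* wildcard inside the rule name. The account IDs and queue name are made up.

```python
"""Evaluate a QOP queue resource policy the way SQS would for an EventBridge delivery.

Constructed illustration of the control the page describes; the real QOP policy is not
shown. Account IDs and the queue name below are made up."""
import fnmatch


def qop_queue_policy(queue_arn: str, customer_account: str, region: str) -> dict:
    """Only the EventBridge service principal, acting for rules named qrie-forward-*
    in the customer's account and this region, may send to the queue."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowQrieForwardRules",
        "Effect": "Allow",
        "Principal": {"Service": "events.amazonaws.com"},
        "Action": "sqs:SendMessage",
        "Resource": queue_arn,
        "Condition": {"ArnLike": {"aws:SourceArn":
                      f"arn:aws:events:{region}:{customer_account}:rule/qrie-forward-*"}},
    }]}


def arn_like(pattern: str, arn: str) -> bool:
    """IAM ArnLike: '*' and '?' are matched inside each of the six colon-delimited
    ARN components, so a wildcard never spans a ':' boundary."""
    pc, ac = pattern.split(":", 5), arn.split(":", 5)
    return len(pc) == 6 and len(ac) == 6 and all(
        fnmatch.fnmatchcase(a, p) for p, a in zip(pc, ac))


def send_allowed(policy: dict, principal_service: str, source_arn: str, queue_arn: str) -> bool:
    """True if an Allow statement grants sqs:SendMessage to this principal on this
    queue and every ArnLike condition matches the delivery's aws:SourceArn."""
    for st in policy["Statement"]:
        actions = [st["Action"]] if isinstance(st["Action"], str) else st["Action"]
        if (st["Effect"] != "Allow" or st["Principal"].get("Service") != principal_service
                or "sqs:SendMessage" not in actions or st["Resource"] != queue_arn):
            continue
        conditions = st.get("Condition", {}).get("ArnLike", {})
        if all(arn_like(pat, source_arn) for pat in conditions.values()):
            return True
    return False  # no matching Allow: SQS denies the delivery


# Constructed sample: 111122223333 is the customer account, 999988887777 the QOP account
QUEUE_ARN = "arn:aws:sqs:us-east-1:999988887777:qrie-queue-us-east-1"
POLICY = qop_queue_policy(QUEUE_ARN, "111122223333", "us-east-1")
CUSTOMER_RULE = "arn:aws:events:us-east-1:111122223333:rule/qrie-forward-iam-us-east-1"
OTHER_ACCOUNT_RULE = "arn:aws:events:us-east-1:444455556666:rule/qrie-forward-iam-us-east-1"
```

A rule with the right name in another account, a rule in another region, or any principal other than EventBridge is refused, which is what "not publicly accessible" means for this queue.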

Can we add more AWS services later?

Absolutely. Update the bootstrap stack to include additional EventBridge rules for services like RDS, EKS, etc. The QOP SQS policy already supports the rule prefix pattern.

How do we scale to 10+ regions?

Use AWS StackSets to deploy across multiple accounts/regions simultaneously, or run the CloudShell commands in a loop. Each QOP region operates independently.

What about offboarding?

Simply disable the EventBridge rules in your account and we’ll revoke the viewer role. Your data remains in your dedicated QOP instance until you’re ready to fully decommission.