Legacy: AWS CLI script variables
AWS script variables
Warning
You must only use this help section if you opened your Sophos Cloud Optix account before November 17, 2020. If you opened your account after that date, you must use the instructions under Add your AWS environment.
Required variables
The script for adding an AWS environment takes the following variables:
| Variable | Description |
|---|---|
| EXTERNAL_ID | Specify this for the assumed role that Sophos Cloud Optix uses when acting on your behalf. It is added to the trust policy of the read-only role that Sophos Cloud Optix creates in your environment. |
| CUSTOMER_ID | The customer UUID used for all uploads and connections. |
| REQUEST_ID | ID used to validate the request to add the account, and also to associate the callback from the environment that is needed to link the account. The REQUEST_ID keeps refreshing and is valid for 7 days, so that multiple environments can be added from within a customer account via scripting. |
| DNS_PREFIX_FLOW | The customer-specific prefix that allows connection back to the appropriate collector node in the Sophos Cloud Optix backend for flow logs. |
| DNS_PREFIX_CLOUDTRAIL | The customer-specific prefix that allows connection back to the appropriate collector node in the Sophos Cloud Optix backend for CloudTrail logs. |
Optional variables
The script also uses the following variables if they are set:
| Variable | Description |
|---|---|
| AWS_DEFAULT_REGION | Use this if you want to install in a region that is different from the default region configured for the AWS CLI. |
| TRAIL_NAME | Use this if you want to reuse an existing CloudTrail instead of creating a new one (the default installation creates a new CloudTrail). Enter the name of the existing trail. Note that it must be possible to attach a Lambda function to the corresponding CloudWatch Logs log group. |
| FLOW_LOGS | The default installation enables VPC Flow Logs for every Amazon VPC across all regions. Specify 0 to skip VPC flow log enablement. To control which regions get flow logs, specify 1 and provide the list of regions in the variable FLOWLOG_REGIONS. |
| FLOWLOG_REGIONS | Comma-separated list of AWS regions. |
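Because the script reads all of the variables above from the environment, a missing or mistyped one only shows up as a failure part-way through onboarding. The following pre-flight check is an added example, not part of the Sophos script: it verifies that every required variable from the first table is set, and that the FLOW_LOGS / FLOWLOG_REGIONS pairing from the second table is consistent (FLOWLOG_REGIONS is only checked when FLOW_LOGS is 1). The function names, the `preflight` entry point and the region-name pattern it accepts are this example's own assumptions; it does not call the AWS CLI.

```shell
#!/bin/sh
# Added pre-flight check for the legacy AWS CLI script variables.
# Not part of the Sophos Cloud Optix script; source it, then call preflight.

# Returns 0 when every required variable is set and non-empty, 1 otherwise.
# Missing variable names are listed on stderr.
check_required_vars() {
    missing=""
    for name in EXTERNAL_ID CUSTOMER_ID REQUEST_ID DNS_PREFIX_FLOW DNS_PREFIX_CLOUDTRAIL; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        echo "missing required variables:$missing" >&2
        return 1
    fi
    return 0
}

# Returns 0 when $1 is a non-empty, comma-separated list of region names shaped
# like us-east-1 or us-gov-west-1 (two letters, dash, text, dash, digit);
# returns 1 on an empty list or any malformed entry (including an empty one).
# The shape check is an assumption of this example, not an AWS rule.
validate_regions() {
    list=$1
    [ -n "$list" ] || return 1
    old_ifs=$IFS
    IFS=,
    for region in $list; do
        case $region in
            [a-z][a-z]-[a-z]*-[0-9]) ;;
            *) IFS=$old_ifs; echo "malformed region: '$region'" >&2; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Checks the FLOW_LOGS / FLOWLOG_REGIONS pairing:
#   FLOW_LOGS unset -> default install, flow logs in every VPC in all regions
#   FLOW_LOGS=0     -> flow log enablement skipped, FLOWLOG_REGIONS ignored
#   FLOW_LOGS=1     -> FLOWLOG_REGIONS must list the regions to enable
check_flowlog_config() {
    case ${FLOW_LOGS:-} in
        "" | 0)
            return 0 ;;
        1)
            if validate_regions "${FLOWLOG_REGIONS:-}"; then
                return 0
            fi
            echo "FLOW_LOGS=1 requires FLOWLOG_REGIONS (comma-separated regions)" >&2
            return 1 ;;
        *)
            echo "FLOW_LOGS must be 0 or 1, got '$FLOW_LOGS'" >&2
            return 1 ;;
    esac
}

# Runs all checks. Exit status 0 means the environment is ready for the script.
preflight() {
    check_required_vars && check_flowlog_config
}
```

Typical use is `. ./preflight.sh && preflight && ./sophos-script.sh` (script name assumed), so the vendor script only runs once the variables it expects are present and consistent. Exporting the values from a file that is not committed to source control keeps EXTERNAL_ID and REQUEST_ID out of shell history.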