AWS CLI script variables
The variables used by the script that adds AWS environments are listed here. Some are required; the others are optional and fall back to the defaults shown.
Required variables
The script for adding an AWS environment uses the following variables:
Variable | Description |
---|---|
EXTERNAL_ID | The external ID for the role that Sophos Cloud Optix assumes when acting on your behalf. The script writes it into the trust policy of the read-only role it creates in your environment, so the role can only be assumed by a caller that presents this ID. |
CUSTOMER_ID | The customer UUID used for all uploads and connections. |
REQUEST_ID | ID used to validate the request to add the account and to associate the callback from the environment that links the account. A REQUEST_ID is refreshed and stays valid for 7 days, so multiple environments can be added from one customer account by scripting. |
DNS_PREFIX_FLOW | The customer-specific prefix that allows connection back to the appropriate collector node in the Sophos Cloud Optix backend for flow logs. |
DNS_PREFIX_CLOUDTRAIL | The customer-specific prefix that allows connection back to the appropriate collector node in the Sophos Cloud Optix backend for CloudTrail logs. |
Optional variables
Optionally, the script can also use the following variables if they are specified:
Variable | Default | Description |
---|---|---|
OPTIX_RESOURCE_KEY | created_by | Key used to tag all resources. |
OPTIX_RESOURCE_VALUE | optix | Value used to tag all resources. |
CLOUDTRAIL_BUCKET_NAME | Sophos-Optix-$USERACCOUNT | Name of S3 bucket used to export CloudTrail. Specify to use an existing bucket for CloudTrail export. |
CLOUDTRAIL_BUCKET_FOLDER | Sophos-Optix-cloudtrail | Name of the S3 bucket folder used to export CloudTrail. |
CLOUDTRAIL_SNS_TOPIC | Sophos-Optix-cloudtrail-s3-sns-topic | Name of the SNS topic used for the CloudTrail export. |
CLOUDTRAIL_S3_RETENTION | 365 | Number of days to retain logs in CloudTrail bucket. Older logs are deleted. |
SET_RETENTION_ON_S3_CLOUDTRAIL | 1 | Set to 1 to turn on retention in CloudTrail bucket, 0 to turn off. |
FLOW_LOGS_S3_RETENTION | 1 | Number of days to retain logs in flow log bucket. Older logs are deleted. |
SET_RETENTION_ON_S3_FLOW | 1 | Set to 1 to turn on retention of flow log bucket, 0 to turn off. |
ENABLE_SPEND_MONITORING | true | Turn spend monitoring on or off. |
AWS_DEFAULT_REGION | us-west-1 | Region in which resources that exist only once per environment are created when adding environments. Resources that are created in every region are not affected. |
FLOW_LOGS | 1 | Set to 1 to turn on VPC flow logs, 0 to turn off. |
CLOUDTRAIL_LOGS | 1 | Set to 1 to turn CloudTrail on, 0 to turn off. |
USE_EXISTING_TRAIL_SETUP | null | Set to true only if you want to use your existing trail and have followed the steps in Use an existing AWS CloudTrail. |
ENABLE_FLOW_ONE_REGION | 0 | Set to 1 to export the flow logs of all regions to a single S3 bucket, 0 to turn this off. |
FLOW_ONE_REGION_VALUE | null | Region of the single S3 bucket for flow logs, when it should differ from AWS_DEFAULT_REGION. Applies when ENABLE_FLOW_ONE_REGION is 1. |
FLOWLOG_REGIONS | null | Specify a list of regions for which flow logs should be turned on, if you do not want to turn it on in all regions. |
FLOW_LOG_SINGLE_OPT_OUT | OptInRegions=ap-east-1,eu-south-1,me-south-1,af-south-1 | Opt-in regions that the script skips by default. To add environments from one of these regions, remove it from the list. For example, to add environments from af-south-1, pass FLOW_LOG_SINGLE_OPT_OUT="OptInRegions=ap-east-1,eu-south-1,me-south-1" in your command. |
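The following pre-flight helpers are an added example and are not part of the Sophos script. They assume the variables above are exported in the shell environment before the script is run (this page does not name the script or say how it reads them). They check that every required variable is set, that the 0/1 flags hold only 0 or 1, and they build a FLOW_LOG_SINGLE_OPT_OUT value with one opt-in region removed in the format the table describes.

```shell
#!/bin/sh
# Added example, not the Sophos add-environment script. Source this file, export
# the variables from the tables above, then run the checks before the script.

# Return 0 if every required variable is set and non-empty, 1 otherwise.
# Missing names are reported on stderr.
optix_check_required() {
    missing=""
    for name in EXTERNAL_ID CUSTOMER_ID REQUEST_ID DNS_PREFIX_FLOW DNS_PREFIX_CLOUDTRAIL; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        echo "missing required variables:$missing" >&2
        return 1
    fi
    return 0
}

# Return 0 if every 0/1 flag that is set holds exactly 0 or 1, 1 otherwise.
# Unset flags are accepted because the script falls back to its defaults.
optix_check_flags() {
    for name in SET_RETENTION_ON_S3_CLOUDTRAIL SET_RETENTION_ON_S3_FLOW \
                FLOW_LOGS CLOUDTRAIL_LOGS ENABLE_FLOW_ONE_REGION; do
        eval "value=\${$name:-}"
        case "$value" in
            ''|0|1) ;;
            *) echo "$name must be 0 or 1, got '$value'" >&2; return 1 ;;
        esac
    done
    return 0
}

# Print a FLOW_LOG_SINGLE_OPT_OUT value with one region removed from the
# OptInRegions list, so that the script will add environments from that region.
# Usage: optix_opt_in "OptInRegions=ap-east-1,eu-south-1,me-south-1,af-south-1" af-south-1
optix_opt_in() {
    list="${1#OptInRegions=}"
    region="$2"
    out=""
    old_ifs="$IFS"; IFS=','
    for r in $list; do
        [ "$r" = "$region" ] && continue
        out="${out:+$out,}$r"
    done
    IFS="$old_ifs"
    printf 'OptInRegions=%s\n' "$out"
}
```

Typical use: export the required variables and any optional ones, run `optix_check_required && optix_check_flags`, and set `FLOW_LOG_SINGLE_OPT_OUT="$(optix_opt_in "OptInRegions=ap-east-1,eu-south-1,me-south-1,af-south-1" af-south-1)"` when you need af-south-1 included. The checks deliberately do not print variable values, since EXTERNAL_ID and REQUEST_ID should not end up in shell history or CI logs.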