
Use CloudFormation

You can use our assistant to add AWS environments to Sophos Cloud Optix using AWS CloudFormation.

You can add single AWS accounts or multiple AWS accounts. You can also add multiple accounts managed by AWS Organizations or AWS Control Tower.

Warning

If you're using AWS Organizations or AWS Control Tower, don't follow these instructions. Instead you must follow the instructions in Use AWS Organizations.

When adding AWS environments the assistant prompts you to make choices and provide information. The assistant fills in the parameters needed to create the stack in AWS.

You can choose to create AWS CloudTrail trails as you add the AWS accounts, or use existing CloudTrail trails.

This document contains background information about the tasks you may need to complete, and the parameters used.

Collect information

Before creating AWS CloudFormation StackSets you must collect information from your Sophos Cloud Optix account. The Add your AWS environment assistant shows you the information to collect; you use it later when you launch your CloudFormation template in AWS.

  1. Sign in to your Sophos Cloud Optix account.
  2. Click Add Environments > AWS > Full Setup > CloudFormation.
  3. Select Add multiple AWS Accounts and choose whether you're using AWS Organizations, an existing CloudTrail aggregation, or both.
  4. If you chose Use existing CloudTrail aggregation, fill in the S3 details.
  5. Click Continue.
  6. In Add your cloud environment, take note of the following parameters under Add multiple AWS accounts using CloudFormation StackSets:

    • DnsPrefixCloudTrail
    • ExternalId
    • ReqID
    • CustomerId
    • DnsPrefixFlow
    • IsCloudTrailAggregation
    • OptixBaseURL
  7. After you've copied the parameters, click Launch Stack.

    This takes you to the Quick stack create page in the AWS console with the correct parameters.

Assign admin account roles

You must choose an AWS account to be your admin account.

To assign the appropriate role to this account, do as follows:

  1. Sign in to the AWS console using the account you have chosen.
  2. In Quick create stack check the Template URL is https://avidcore.s3-us-west-2.amazonaws.com/aws/cloudformation/cloudformation/AWSCloudFormationStackSetAdministrationRole.yml.
  3. Check that the Stack name is CloudOptixStackSetAdmin.

    [Image: Stack name field, showing the correct name.]

  4. Turn on I acknowledge that AWS CloudFormation might create IAM resources with custom names.

  5. Click Create stack to create the role in your admin account.
  6. Sign out of your AWS console.

Assign target member roles

You assign roles for the designated target member accounts.

This process doesn't add the AWS admin account to Sophos Cloud Optix. It only adds the target member accounts. If you want to add the admin account, you must do it separately.

To create an AWS CloudFormation StackSet in every target member account, follow these instructions for each account:

  1. Sign in to the AWS console using an account you have chosen as a target account.

    You must not be signed into your chosen admin account.

  2. Click Launch Stack here to go to the Quick stack create page with the correct parameters. [Image: Launch Stack button.]

    Note

    You must click Launch Stack on this help page. It's configured with the correct parameters.

  3. In Quick create stack, check that the Template URL is https://avidcore.s3-us-west-2.amazonaws.com/aws/cloudformation/cloudformation/AWSCloudFormationStackSetExecutionRole.yml.

  4. Check that the Stack name is CloudOptixStackSetTarget.

    [Image: Stack name field, showing the correct name.]

  5. Under Parameters, enter the AWS Account ID of your admin account in AdministratorAccountId.

    [Image: AdministratorAccountId field, showing the account ID.]

  6. Turn on I acknowledge that AWS CloudFormation might create IAM resources with custom names.

  7. Click Create stack to create the role in the target account.
  8. Sign out of your target member account's AWS console.
  9. Sign into the next target member account and repeat as required.

Configure admin account StackSet

To create the AWS CloudFormation StackSet in your admin account do as follows:

  1. Sign in to the AWS console with your AWS admin account.
  2. Select the CloudFormation service.
  3. Select StackSets.
  4. Select Create StackSet.
  5. On the Choose a template page select Template is ready.

    [Image: Template selection.]

  6. Select Amazon S3 URL as the template source.

  7. Enter the template URL: https://avidcore.s3-us-west-2.amazonaws.com/aws/collectorv2-config/cloudformation/cfn-onboarding.yaml

    [Image: Template source field with the correct URL.]

  8. Click Next.

Create CloudFormation StackSet

Use Sophos Cloud Optix information in the Create StackSet assistant.

Use the parameters you obtained earlier from your Sophos Cloud Optix account to fill in the fields in the AWS CloudFormation StackSet assistant. This links your StackSets to Sophos Cloud Optix.

Warning

Don't delete or amend any fields that are pre-populated by Sophos Cloud Optix or on-boarding fails.

Ensure you are signed into your chosen AWS admin account and do as follows:

  1. Enter OptixStackSet into StackSet name on the Specify StackSet details page. Change the description if necessary.
  2. Enter the following parameters from Sophos Cloud Optix:

    • DnsPrefixCloudTrail
    • ExternalId
    • ReqID
    • CustomerId
    • DnsPrefixFlow
    • IsCloudTrailAggregation

    Don't change the SophosOptixAccountId field.

  3. Only change the pre-populated RegionList if some of your regions don't have a default Amazon Virtual Private Cloud (VPC). You must remove those regions from the RegionList field, or the on-boarding process fails.

  4. Don't change any other fields.

    [Image: Parameters menu, showing correct data in the fields.]

  5. Click Next. The Configure StackSet options page appears. You don't need to change anything.

  6. Click Next.
  7. On the Set deployment options page, select Deploy stacks in accounts.
  8. In the Account numbers field, enter the account numbers of the target member accounts you want to add to Sophos Cloud Optix (the accounts in which you created the AWSCloudFormationStackSetExecutionRole).

    [Image: Set deployment options menu, showing the correct options selected.]

  9. In Specify regions, choose one region.

    The CloudFormation stack instance is created in this region for the target member account.

  10. Click Next.

  11. A Review page appears, which shows you all the options you have entered. Check this carefully.
  12. Turn on I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  13. Close the assistant. This creates the stack instance and adds the target member accounts to Sophos Cloud Optix.
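The role and StackSet steps in the sections above, as an added AWS CLI script that is not Sophos' own tooling: the template URLs, stack names and parameter names are the ones on this page, every value is a placeholder you fill in from the Cloud Optix assistant, and the pre-populated SophosOptixAccountId and RegionList are assumed to be template defaults. It also enforces two checks the page states in prose: all copied parameters must be present, and the execution role must not be created while signed in to the admin account.

```shell
#!/bin/sh
# Added example, not Sophos' own tooling: the console steps above as AWS CLI calls. Template
# URLs, stack names and parameter names are from the page; all values are placeholders.
set -eu
ADMIN_TEMPLATE='https://avidcore.s3-us-west-2.amazonaws.com/aws/cloudformation/cloudformation/AWSCloudFormationStackSetAdministrationRole.yml'
TARGET_TEMPLATE='https://avidcore.s3-us-west-2.amazonaws.com/aws/cloudformation/cloudformation/AWSCloudFormationStackSetExecutionRole.yml'
ONBOARDING_TEMPLATE='https://avidcore.s3-us-west-2.amazonaws.com/aws/collectorv2-config/cloudformation/cfn-onboarding.yaml'
OPTIX_KEYS='DnsPrefixCloudTrail ExternalId ReqID CustomerId DnsPrefixFlow IsCloudTrailAggregation OptixBaseURL'

# Return 1 and name the gap if any parameter copied from Cloud Optix is unset or empty.
check_optix_params() {
  for k in $OPTIX_KEYS; do
    eval "v=\${$k:-}"
    [ -n "$v" ] || { echo "missing Cloud Optix parameter: $k" >&2; return 1; }
  done
}

# One ParameterKey=...,ParameterValue=... per line (values are IDs/URLs, no commas or spaces).
optix_parameters() {
  for k in $OPTIX_KEYS; do
    eval "v=\${$k:-}"
    printf 'ParameterKey=%s,ParameterValue=%s\n' "$k" "$v"
  done
}

# "Assign admin account roles": run with credentials for the chosen admin account.
create_admin_role() {
  aws cloudformation create-stack --stack-name CloudOptixStackSetAdmin \
    --template-url "$ADMIN_TEMPLATE" --capabilities CAPABILITY_NAMED_IAM
}

# "Assign target member roles": once per target account; refuse if signed in to the admin account.
create_target_role() {
  caller=$(aws sts get-caller-identity --query Account --output text)
  [ "$caller" != "${ADMIN_ACCOUNT_ID:?}" ] || { echo "signed in to admin account $caller" >&2; return 1; }
  aws cloudformation create-stack --stack-name CloudOptixStackSetTarget \
    --template-url "$TARGET_TEMPLATE" --capabilities CAPABILITY_NAMED_IAM \
    --parameters "ParameterKey=AdministratorAccountId,ParameterValue=$ADMIN_ACCOUNT_ID"
}

# "Create CloudFormation StackSet": back in the admin account. SophosOptixAccountId and
# RegionList are assumed to be template defaults (the page says not to change them).
create_optix_stackset() {
  check_optix_params
  aws cloudformation create-stack-set --stack-set-name OptixStackSet \
    --template-url "$ONBOARDING_TEMPLATE" --capabilities CAPABILITY_NAMED_IAM \
    --parameters $(optix_parameters)
  aws cloudformation create-stack-instances --stack-set-name OptixStackSet \
    --accounts ${TARGET_ACCOUNT_IDS:?} --regions "${STACK_INSTANCE_REGION:?}"
}
```

Export the seven Cloud Optix parameters plus ADMIN_ACCOUNT_ID, TARGET_ACCOUNT_IDS and STACK_INSTANCE_REGION, then call create_admin_role with admin credentials, create_target_role with each target account's credentials, and create_optix_stackset back in the admin account (the AWS CLI must be installed and configured).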

Adding EKS clusters

After adding your AWS account to Sophos Cloud Optix, you can add Amazon Elastic Kubernetes Service (EKS) clusters.

You must add these clusters to Sophos Cloud Optix separately, using the Amazon CLI script provided by Sophos. See Add Amazon EKS clusters.

Upgrade CloudFormation deployments

You may have to upgrade your CloudFormation deployments when we make changes to our deployment template. These changes could include fixing vulnerabilities, upgrading packages, or introducing new capabilities.

Follow the instructions below to upgrade CloudFormation Stacks or StackSets in the AWS console.

To upgrade a single AWS CloudFormation deployment, do as follows:

  1. Sign in to the AWS console with your AWS admin account.
  2. Locate and select the CloudFormation service.
  3. In the left pane, click Stacks.
  4. Select the stack named CloudOptixStack.
  5. In the top right, click Update.
  6. In Prerequisite - Prepare template, select Replace existing template.
  7. In Specify template, enter the following template URL in Amazon S3 URL.

    https://avidcore.s3-us-west-2.amazonaws.com/aws/collectorv2-config/cloudformation/cfn-onboarding.yaml
    
  8. Click Next.

  9. Keep the default settings and click Next until you reach the last page.
  10. Read and acknowledge the update, and click Submit.

Your CloudFormation stack instance is now successfully upgraded.

To upgrade multiple AWS CloudFormation deployments, do as follows:

  1. Sign in to the AWS console with your AWS admin account.
  2. Locate and select the CloudFormation service.
  3. In the left pane, click StackSets.
  4. Select the StackSet named OptixStackSet.
  5. In the top right, click Actions.
  6. Select Edit StackSet details.
  7. In Prerequisite - Prepare template, select Replace current template.
  8. In Specify template, enter the following template URL in Amazon S3 URL.

    https://avidcore.s3-us-west-2.amazonaws.com/aws/collectorv2-config/cloudformation/cfn-onboarding.yaml
    
  9. Click Next.

  10. On the following pages, click Next without making any changes.
  11. In Set deployment options, select the accounts or organizational units (OUs) to which you've deployed the StackSet.

    This ensures that the CloudFormation template is refreshed across all accounts or OUs.

  12. Click Next until you reach the last page.

  13. Read and acknowledge the update, and click Submit.

Your CloudFormation StackSet instance is now successfully upgraded.