Use AWS Organizations

You can use our assistant to add AWS environments if you use AWS Organizations or AWS Control Tower.

When you add AWS environments with AWS Organizations, the assistant prompts you to make choices and provide information. The assistant fills in the parameters needed to create the stack in AWS.

You can choose to create an AWS CloudTrail trail as you add the AWS accounts or use existing CloudTrail trails.

You can find background information about the tasks you may need to complete and the parameters that are used in this document.

StackSet requirement

To use AWS StackSets, you must enable organizations access so that StackSets can operate with service-managed permissions; you do this in the AWS Management Console. If you run a StackSet command while this setting is turned off, you get the following error:

An error occurred (ValidationError) when calling the CreateStackSet operation: You must enable organizations access to operate a service managed stack set

Completing the requirement allows CloudFormation to access and manage resources across your organization's accounts.

For more information on the requirement for stack set operations, see AWS's instructions.

Collect information

Before you create AWS CloudFormation StackSets, you must collect information from your Sophos Cloud Optix account. The AWS assistant shows you which information to collect; you'll use it later when you launch your CloudFormation template in AWS.

  1. Sign in to your Sophos Cloud Optix.
  2. Click Add Environments then click AWS.
  3. Click Choose a full setup option.
  4. Click CloudFormation or the relevant Go button.
  5. Select Add multiple AWS Accounts and choose whether you're using AWS Organizations, an existing CloudTrail aggregation, or both.
  6. If you select Use existing CloudTrail aggregation, fill in the S3 details.
  7. Click Continue.
  8. Note the values of the following parameters as shown under Use AWS Console:

    • DnsPrefixCloudTrail
    • ExternalId
    • ReqID
    • CustomerId
    • DnsPrefixFlow
    • IsCloudTrailAggregation
    • OptixBaseURL

Add multiple AWS accounts

You can add multiple accounts managed by AWS Organizations or AWS Control Tower.

To add multiple AWS accounts using AWS Organizations, do as follows:

  1. Sign in to your Sophos Cloud Optix.
  2. Click Add Environments then click AWS.
  3. Click Choose a full setup option.
  4. Click CloudFormation or the relevant Go button.
  5. Select Add multiple AWS Accounts and select Use AWS Organizations.
  6. Click Continue.
  7. Follow the on-screen instructions to add your AWS account to Sophos Cloud Optix, either using Use the AWS Console or Use the AWS CLI.

    If you follow the Use the AWS CLI on-screen instructions, the assistant creates your script and other commands. After the script finishes, you'll see the message: CREATE_COMPLETE.

  8. If there are no errors, click Finish.

Your AWS accounts are added to Sophos Cloud Optix. Each account's stack is listed as CloudOptixStack-ACCOUNT_ID.

Configure management account StackSet

To create the AWS CloudFormation StackSet in your management account, do as follows:

  1. Sign in to the AWS console with your AWS management account.
  2. Locate and select the CloudFormation service.
  3. In the left pane, select StackSets.
  4. Select Create StackSet.
  5. On the Choose a template page, select Template is ready.

    [Image: template selection]

  6. Select Amazon S3 URL as the template source.

  7. Enter the template URL: https://avidcore.s3-us-west-2.amazonaws.com/aws/collectorv2-config/cloudformation/cfn-onboarding.yaml

    [Image: template source field showing the correct URL]

  8. Click Next.

  9. Continue creating CloudFormation StackSet. See Create CloudFormation StackSet.

Create CloudFormation StackSet

Use Sophos Cloud Optix information in the Create StackSet assistant.

Use the parameters you obtained earlier from your Sophos Cloud Optix account to fill in the fields in the AWS CloudFormation StackSet assistant. This links your StackSets to Sophos Cloud Optix.

Warning

Don't delete or amend any fields that are pre-populated by Sophos Cloud Optix, or onboarding fails.

Make sure you're signed in to your chosen AWS management account and do as follows:

  1. Enter OptixStackSet into StackSet name on the Specify StackSet details page. Change the description if necessary.
  2. Enter the following parameters from Sophos Cloud Optix:

    • DnsPrefixCloudTrail
    • ExternalId
    • ReqID
    • CustomerId
    • DnsPrefixFlow
    • IsCloudTrailAggregation

    Don't change the SophosOptixAccountId field.

  3. Only change the pre-populated RegionList if some of your regions don't have a default Amazon Virtual Private Cloud (VPC). Remove those regions from the RegionList field, or the onboarding process fails.

  4. Set the isOrganizationTrail parameter to true.
  5. Don't change any other fields.

    [Image: Parameters menu showing correct data in the fields]

  6. Click Next. The Configure StackSet options page appears. You don't need to change anything.

  7. Click Next.
  8. On the Set deployment options page, select Deploy to Organization.

    [Image: Set deployment options menu showing the correct options selected]

  9. In Specify regions, choose one region.

    The CloudFormation stack instance is created in this region for the target member account.

  10. Click Next.

  11. On the Review page, check all the options you've entered.
  12. Select I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  13. Close the assistant.

This creates the stack instance and adds the target member accounts to Sophos Cloud Optix.
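The procedure above, together with the StackSet requirement check, as an added example run from the AWS CLI instead of the console (this is not Sophos's or AWS's own script; the OPTIX_* variables, OU_IDS and REGION are assumed inputs):

```shell
# Added example (not Sophos's or AWS's own script): the Create CloudFormation StackSet
# procedure driven from the AWS CLI. OPTIX_* variables are assumed to hold the values
# noted in the Cloud Optix assistant; OU_IDS (organization root or OU IDs) and REGION are
# assumptions. Pre-populated fields the page says to leave alone (SophosOptixAccountId,
# RegionList) are not passed, so the template's own defaults apply (an assumption).
set -eu

TEMPLATE_URL="https://avidcore.s3-us-west-2.amazonaws.com/aws/collectorv2-config/cloudformation/cfn-onboarding.yaml"
STACKSET_NAME="OptixStackSet"

# StackSet requirement: service-managed StackSets need trusted access for
# stacksets.cloudformation.amazonaws.com; otherwise CreateStackSet fails with
# "You must enable organizations access to operate a service managed stack set".
ensure_org_access() {
  if aws organizations list-aws-service-access-for-organization \
       --query 'EnabledServicePrincipals[].ServicePrincipal' --output text \
     | grep -q 'stacksets.cloudformation.amazonaws.com'; then
    echo "trusted access already enabled"
  else
    aws cloudformation activate-organizations-access
  fi
}

# Assemble --parameters from the six collected values plus isOrganizationTrail=true.
# A missing value aborts here instead of failing later during onboarding.
build_parameters() {
  out=""
  for key in DnsPrefixCloudTrail ExternalId ReqID CustomerId DnsPrefixFlow IsCloudTrailAggregation; do
    eval "val=\${OPTIX_${key}:-}"
    [ -n "$val" ] || { echo "OPTIX_${key} is not set" >&2; return 1; }
    out="${out}ParameterKey=${key},ParameterValue=${val} "
  done
  printf '%s' "${out}ParameterKey=isOrganizationTrail,ParameterValue=true"
}

create_stackset() {
  params=$(build_parameters)
  # Service-managed permissions, deploy to the organization and acknowledge named IAM
  # resources (steps 8 and 12). Automatic deployment on is an assumption (console default).
  aws cloudformation create-stack-set --stack-set-name "$STACKSET_NAME" \
    --template-url "$TEMPLATE_URL" --parameters $params \
    --permission-model SERVICE_MANAGED \
    --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false \
    --capabilities CAPABILITY_NAMED_IAM
  # One stack instance per member account, in a single region (step 9)
  aws cloudformation create-stack-instances --stack-set-name "$STACKSET_NAME" \
    --deployment-targets "OrganizationalUnitIds=$OU_IDS" --regions "$REGION"
}
if [ "${1:-}" = "--run" ]; then ensure_org_access; create_stackset; fi
```

Run it with `--run` after exporting the OPTIX_* values, OU_IDS and REGION; the functions can also be sourced and called individually.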

Adding EKS clusters

After adding your AWS account to Sophos Cloud Optix, you can add Amazon Elastic Kubernetes Service (EKS) clusters.

You must add these clusters to Sophos Cloud Optix separately, using the Amazon CLI script provided by Sophos. See Add Amazon EKS clusters.

Upgrade CloudFormation deployments

You may have to upgrade your CloudFormation deployments when we make changes to our deployment template. These changes could include fixing vulnerabilities, upgrading packages, or introducing new capabilities.

Follow the instructions below to upgrade CloudFormation StackSets in the AWS console.

To upgrade multiple AWS CloudFormation deployments, do as follows:

  1. Sign in to the AWS console with your AWS management account.
  2. Locate and select the CloudFormation service.
  3. In the left pane, click StackSets.
  4. Select the StackSet named OptixStackSet.
  5. In the top right, click Actions.
  6. Select Edit StackSet details.
  7. In Prerequisite - Prepare template, select Replace current template.
  8. In Specify template, enter the following template URL in Amazon S3 URL.

    https://avidcore.s3-us-west-2.amazonaws.com/aws/collectorv2-config/cloudformation/cfn-onboarding.yaml
    
  9. Click Next.

  10. On the following pages, click Next without making any changes.
  11. In Set deployment options, select the accounts or organizational units (OUs) to which you've deployed the StackSet.

    This ensures that the CloudFormation template is refreshed across all accounts or OUs.

  12. Click Next until you reach the last page.

  13. Read and acknowledge the update, and click Submit.

Your CloudFormation StackSet instance is now successfully upgraded.
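The same upgrade from the AWS CLI, as an added example that is not Sophos's own script (OU_IDS and REGION are assumed inputs). It keeps the existing parameter values explicitly, which the console does for you when you click Next without changes:

```shell
# Added example (not Sophos's own script): the upgrade procedure above from the AWS CLI.
# It swaps in the new template but keeps every parameter value already on the StackSet
# (UsePreviousValue=true) and redeploys to the targets that already hold it. OU_IDS
# (organization root or OU IDs) and REGION are assumptions.
set -eu

TEMPLATE_URL="https://avidcore.s3-us-west-2.amazonaws.com/aws/collectorv2-config/cloudformation/cfn-onboarding.yaml"
STACKSET_NAME="OptixStackSet"

# Read the parameter keys the StackSet currently carries (ExternalId, ReqID, ...).
current_parameter_keys() {
  aws cloudformation describe-stack-set --stack-set-name "$STACKSET_NAME" \
    --query 'StackSet.Parameters[].ParameterKey' --output text
}

# Emit ParameterKey=K,UsePreviousValue=true for each key. Omitting a parameter on
# update-stack-set would fall back to the new template's default and could quietly
# replace a Cloud Optix-supplied value, which is what the warning above rules out.
previous_parameters() {
  for key in "$@"; do
    printf 'ParameterKey=%s,UsePreviousValue=true ' "$key"
  done
}

upgrade_stackset() {
  keys=$(current_parameter_keys)
  # Steps 7-13: replace the template, keep parameters, acknowledge IAM, redeploy.
  aws cloudformation update-stack-set --stack-set-name "$STACKSET_NAME" \
    --template-url "$TEMPLATE_URL" \
    --parameters $(previous_parameters $keys) \
    --capabilities CAPABILITY_NAMED_IAM \
    --deployment-targets "OrganizationalUnitIds=$OU_IDS" --regions "$REGION"
}
if [ "${1:-}" = "--run" ]; then upgrade_stackset; fi
```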