Use AWS CloudFormation
You can use our assistant to add AWS environments to Sophos Cloud Optix using AWS CloudFormation.
When you add AWS environments, the assistant prompts you to make choices and provide information. The assistant fills in the parameters needed to create the stack in AWS.
You can create AWS CloudTrail trails as you add the AWS accounts or use existing CloudTrail trails.
This document contains background information about the tasks you may need to complete and the parameters used.
Collect information
Before you create AWS CloudFormation StackSets, you must collect information from your Sophos Cloud Optix account. The AWS assistant guides you on the required information to collect, which you’ll use later when you launch your CloudFormation template in AWS.
- Sign in to your Sophos Cloud Optix.
- Click Add Environments then click AWS.
- Click Choose a full setup option.
- Click CloudFormation, or the relevant Go button.
- Select Add multiple AWS Accounts and choose whether you're using AWS Organizations, an existing CloudTrail aggregation, or both.
- If you select Use existing CloudTrail aggregation, fill in the S3 details.
- Click Continue.
- Note the values of the following parameters, as shown under Use AWS Console:
  - DnsPrefixCloudTrail
  - ExternalId
  - ReqID
  - CustomerId
  - DnsPrefixFlow
  - IsCloudTrailAggregation
  - OptixBaseURL
Add your AWS environments
You can add single or multiple AWS accounts and multiple accounts managed by AWS Organizations or AWS Control Tower.
Warning
If you're using AWS Organizations or AWS Control Tower, don't follow these instructions. Instead, you must follow the instructions in Use AWS Organizations.
Add an AWS account
To add a single AWS account, do as follows:
- Sign in to your Sophos Cloud Optix.
- Click Add Environments then click AWS.
- Click Choose a full setup option.
- Click CloudFormation or the relevant Go button.
- Select Add a single AWS account and click Continue.
- Choose an installation method from the following options:
  - Select Use standard setup and click Continue.
  - Select Customize your setup and click Continue. If you select Customize your setup, you're asked questions about your CloudTrail and VPC flow log files.
- Follow the on-screen instructions to add your AWS account to Sophos Cloud Optix, using either Use the AWS Console or Use the AWS CLI.
  If you follow the Use the AWS CLI on-screen instructions, the assistant creates your script and other commands. After the script finishes, you'll see the message CREATE_COMPLETE. Any other final status (for example ROLLBACK_COMPLETE) means the stack wasn't created; check the stack's events in the CloudFormation console before retrying.
- If there are no errors, click Finish.
Your AWS account is added to Sophos Cloud Optix. You'll find it listed as CloudOptixStack-ACCOUNT_ID.
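The Use the AWS CLI path runs a script the assistant generates for you, which this page doesn't reproduce. The script below is an added example, not Sophos's script, showing the equivalent create-and-wait with the AWS CLI so you can see where CREATE_COMPLETE comes from and what to look at when it doesn't appear. It assumes the single-account stack is built from the cfn-onboarding.yaml template listed later on this page (under Configure admin account StackSet and Upgrade CloudFormation deployments), that the parameter names are the ones listed under Collect information, and that the stack name follows the CloudOptixStack-ACCOUNT_ID pattern; every parameter value shown is a placeholder. The same flow applies to each account added under Add multiple AWS accounts.

```bash
#!/usr/bin/env bash
# Added example (not the script Sophos Cloud Optix generates): create the
# single-account onboarding stack with the AWS CLI and wait for CREATE_COMPLETE.
set -eu

# Template used by the single-account stack and by the StackSet (from the page).
TEMPLATE_URL="https://avidcore.s3-us-west-2.amazonaws.com/aws/collectorv2-config/cloudformation/cfn-onboarding.yaml"

# Turn KEY=VALUE arguments into the JSON list that --parameters file:// accepts.
# JSON is used instead of the CLI's shorthand syntax because shorthand treats
# the commas in a value such as RegionList as separators. Empty values are
# refused: an empty ExternalId would weaken the confused-deputy protection on
# the cross-account role, and CloudFormation would not necessarily stop you.
build_parameters() {
  local out="" kv key value
  for kv in "$@"; do
    key=${kv%%=*}; value=${kv#*=}
    if [ -z "$key" ] || [ -z "$value" ] || [ "$kv" = "$key" ]; then
      echo "parameter '$kv' must be KEY=VALUE with a non-empty value" >&2
      return 1
    fi
    value=$(printf '%s' "$value" | sed 's/\\/\\\\/g; s/"/\\"/g')   # JSON-escape
    out="$out,{\"ParameterKey\":\"$key\",\"ParameterValue\":\"$value\"}"
  done
  printf '[%s]\n' "${out#,}"
}

# Classify a StackStatus: 0 = finished successfully, 1 = failed or rolled back,
# 2 = still in progress.
stack_outcome() {
  case "$1" in
    CREATE_COMPLETE|UPDATE_COMPLETE) return 0 ;;
    *IN_PROGRESS) return 2 ;;
    *) return 1 ;;
  esac
}

# Create the stack and poll until it leaves the IN_PROGRESS states. On failure,
# print the events that carry a reason; that is where CloudFormation reports
# e.g. a region without a default VPC or a name clash with an earlier attempt.
onboard_account() {
  local stack_name="$1"; shift
  local params status rc
  params=$(mktemp)
  build_parameters "$@" > "$params"
  aws cloudformation create-stack --stack-name "$stack_name" \
    --template-url "$TEMPLATE_URL" --parameters "file://$params" \
    --capabilities CAPABILITY_NAMED_IAM >/dev/null
  while :; do
    status=$(aws cloudformation describe-stacks --stack-name "$stack_name" \
               --query 'Stacks[0].StackStatus' --output text)
    rc=0; stack_outcome "$status" || rc=$?
    [ "$rc" -eq 2 ] || break
    sleep 15
  done
  rm -f "$params"
  echo "$stack_name: $status"
  if [ "$rc" -ne 0 ]; then
    aws cloudformation describe-stack-events --stack-name "$stack_name" \
      --query 'StackEvents[?ResourceStatusReason!=null].[LogicalResourceId,ResourceStatus,ResourceStatusReason]' \
      --output table
    return 1
  fi
}

# Only talks to AWS when invoked with --run; the values below are placeholders
# for the ones the Cloud Optix assistant shows you.
if [ "${1:-}" = "--run" ]; then
  ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
  onboard_account "CloudOptixStack-$ACCOUNT_ID" \
    "ExternalId=REPLACE_ME" "ReqID=REPLACE_ME" "CustomerId=REPLACE_ME" \
    "DnsPrefixCloudTrail=REPLACE_ME" "DnsPrefixFlow=REPLACE_ME" \
    "IsCloudTrailAggregation=false" "OptixBaseURL=REPLACE_ME"
fi
```

CAPABILITY_NAMED_IAM is the CLI equivalent of the "I acknowledge that AWS CloudFormation might create IAM resources with custom names" checkbox in the console steps; without it the create call is rejected before any resource is touched.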
Add multiple AWS accounts
To add multiple AWS accounts, do as follows:
- Sign in to your Sophos Cloud Optix.
- Click Add Environments then click AWS.
- Click Choose a full setup option.
- Click CloudFormation or the relevant Go button.
- Select Add multiple AWS Accounts and choose whether you're using AWS Organizations, an existing CloudTrail aggregation, or both.
- If you select Use existing CloudTrail aggregation, fill in the S3 details.
- Click Continue.
- Follow the on-screen instructions to add your AWS accounts to Sophos Cloud Optix, using either Use the AWS Console or Use the AWS CLI.
  If you follow the Use the AWS CLI on-screen instructions, the assistant creates your script and other commands. After the script finishes, you'll see the message CREATE_COMPLETE.
- If there are no errors, click Finish.
Your AWS accounts are added to Sophos Cloud Optix. You'll find each one listed as CloudOptixStack-ACCOUNT_ID.
Assign admin account roles
You must choose an AWS account to act as your admin account. The StackSet administration role created in this account is trusted by the execution role in every target member account, so it can deploy stacks into all of them. Choose an account whose access is tightly controlled.
To assign the appropriate role to this account, do as follows:
- Sign in to the AWS console using your chosen account.
- In Quick create stack, check that the Template URL is:
  https://avidcore.s3-us-west-2.amazonaws.com/aws/cloudformation/cloudformation/AWSCloudFormationStackSetAdministrationRole.yml
- Check that the Stack name is CloudOptixStackSetAdmin.
- Select I acknowledge that AWS CloudFormation might create IAM resources with custom names.
- Click Create stack to create the role in your admin account.
- Sign out of your AWS console.
Assign target member roles
You assign roles for the designated target member accounts.
This process doesn't allow the AWS admin account to be added to Sophos Cloud Optix. It only adds the target member accounts. If you want to add the admin account, you must do it separately.
To create an AWS CloudFormation StackSet in every target member account, do as follows:
- Sign in to the AWS console using your chosen account as a target account. You mustn't be signed in to your chosen admin account.
- Click Launch Stack here to go to the Quick create stack page with the correct parameters.
  Note
  You must click Launch Stack on this help page. It's configured with the correct parameters.
- In Quick create stack, check that the Template URL is:
  https://avidcore.s3-us-west-2.amazonaws.com/aws/cloudformation/cloudformation/AWSCloudFormationStackSetExecutionRole.yml
- Check that the Stack name is CloudOptixStackSetTarget.
- Under Parameters, enter the AWS Account ID of your admin account in AdministratorAccountId. This is the only account the execution role trusts, so enter it exactly.
- Select I acknowledge that AWS CloudFormation might create IAM resources with custom names.
- Click Create stack to create the role in the target account.
- Sign out of your target member account's AWS console.
- Sign in to the next target member account and repeat as required.
Configure admin account StackSet
To create the AWS CloudFormation StackSet in your admin account, do as follows:
- Sign in to the AWS console with your AWS admin account.
- Locate and select the CloudFormation service.
- In the left pane, select StackSets.
- Click Create StackSet.
- On the Choose a template page, select Template is ready.
- Select Amazon S3 URL as the template source.
- Enter the template URL:
  https://avidcore.s3-us-west-2.amazonaws.com/aws/collectorv2-config/cloudformation/cfn-onboarding.yaml
- Click Next.
- Continue creating the CloudFormation StackSet. See Create CloudFormation StackSet.
Create CloudFormation StackSet
Use Sophos Cloud Optix information in the Create StackSet assistant.
Use the parameters you obtained earlier from your Sophos Cloud Optix account to fill in the fields in the AWS CloudFormation StackSet assistant. This links your StackSets to Sophos Cloud Optix.
Warning
Don't delete or amend any fields that are pre-populated by Sophos Cloud Optix or onboarding fails.
Make sure you're signed in to your chosen AWS admin account and do as follows:
- Enter OptixStackSet into StackSet name on the Specify StackSet details page. Change the description if necessary.
- Enter the following parameters from Sophos Cloud Optix:
  - DnsPrefixCloudTrail
  - ExternalId
  - ReqID
  - CustomerId
  - DnsPrefixFlow
  - IsCloudTrailAggregation
  Don't change the SophosOptixAccountId field.
- Only change the pre-populated RegionList if some of your regions don't have a default Amazon Virtual Private Cloud (VPC). You must remove those regions from the RegionList field, or the onboarding process fails.
- Don't change any other fields.
Click Next. The Configure StackSet options page appears. You don't need to change anything.
- Click Next.
- On the Set deployment options page, select Deploy stacks in accounts.
-
In the Account numbers field, enter the account numbers of the target member accounts you want to add to Sophos Cloud Optix (the accounts in which you created the AWSCloudFormationStackSetExecutionRole).
-
In Specify regions, choose one region.
The CloudFormation stack instance is created in this region for the target member account.
-
Click Next.
- On the Review page, check all the options you've entered.
- Select I acknowledge that AWS CloudFormation might create IAM resources with custom names.
- Click Submit to create the StackSet.
This creates the stack instances and adds the target member accounts to Sophos Cloud Optix.
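As an added example that is not Sophos's tooling, the script below does from the AWS CLI what the last three sections do in the console: in each target member account it checks that the execution role created by the CloudOptixStackSetTarget stack trusts only your admin account (the AdministratorAccountId you entered), and in the admin account it creates OptixStackSet from the onboarding template, deploys a stack instance into each target account in one region, then polls the operation and lists per-account failures. It assumes the role created in the target accounts is named AWSCloudFormationStackSetExecutionRole (the name this page uses), that CloudFormation's self-managed permission model is in use so the admin and execution roles are found by name, and that the Cloud Optix parameters have already been written to a JSON file in the --parameters file:// format. The sample trust policy and the account IDs in it are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example (not Sophos tooling): verify the target-account execution role,
# then create OptixStackSet and deploy it to the target member accounts.
set -eu

STACKSET_NAME="OptixStackSet"
TEMPLATE_URL="https://avidcore.s3-us-west-2.amazonaws.com/aws/collectorv2-config/cloudformation/cfn-onboarding.yaml"
# Assumption: the role the CloudOptixStackSetTarget stack creates has this name.
EXECUTION_ROLE="AWSCloudFormationStackSetExecutionRole"

# Constructed sample trust policy with a placeholder admin account ID, used for
# an offline self-check of the logic below.
SAMPLE_TRUST_POLICY='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111111111111:root"},"Action":"sts:AssumeRole"}]}'

# Print every 12-digit account ID named by an IAM ARN in a policy document.
trusted_accounts() {
  printf '%s' "$1" | grep -o 'arn:aws:iam::[0-9]\{12\}:' \
    | sed 's/^arn:aws:iam:://; s/:$//' | sort -u
}

# Succeed only if the trust policy names exactly the admin account. A wildcard
# principal, a second account, or no account at all are all rejected, because
# every principal this role trusts can run arbitrary templates in the account.
check_execution_trust() {
  local policy="$1" admin="$2"
  if printf '%s' "$policy" | grep -q '"AWS"[[:space:]]*:[[:space:]]*"\*"'; then
    return 1
  fi
  [ "$(trusted_accounts "$policy")" = "$admin" ]
}

# Map a StackSet operation status to 0 (done), 1 (failed), 2 (still running).
operation_outcome() {
  case "$1" in
    SUCCEEDED) return 0 ;;
    QUEUED|RUNNING|STOPPING) return 2 ;;
    *) return 1 ;;
  esac
}

# Run in each target member account after the CloudOptixStackSetTarget stack
# exists: fetch the execution role's trust policy and check it.
verify_target_account() {
  local admin_id="$1" policy
  policy=$(aws iam get-role --role-name "$EXECUTION_ROLE" \
             --query 'Role.AssumeRolePolicyDocument' --output json)
  check_execution_trust "$policy" "$admin_id"
}

# Run in the admin account: create the StackSet (self-managed permissions, so
# the admin/execution roles are found by name), deploy one stack instance per
# target account in a single region, then poll the operation and list failures.
deploy_stackset() {
  local params_file="$1" region="$2"; shift 2
  local op status rc
  aws cloudformation create-stack-set --stack-set-name "$STACKSET_NAME" \
    --template-url "$TEMPLATE_URL" --parameters "file://$params_file" \
    --capabilities CAPABILITY_NAMED_IAM >/dev/null
  op=$(aws cloudformation create-stack-instances --stack-set-name "$STACKSET_NAME" \
         --accounts "$@" --regions "$region" --query OperationId --output text)
  while :; do
    status=$(aws cloudformation describe-stack-set-operation \
               --stack-set-name "$STACKSET_NAME" --operation-id "$op" \
               --query 'StackSetOperation.Status' --output text)
    rc=0; operation_outcome "$status" || rc=$?
    [ "$rc" -eq 2 ] || break
    sleep 30
  done
  echo "operation $op: $status"
  if [ "$rc" -ne 0 ]; then
    aws cloudformation list-stack-set-operation-results \
      --stack-set-name "$STACKSET_NAME" --operation-id "$op" \
      --query 'Summaries[?Status!=`SUCCEEDED`].[Account,Region,Status,StatusReason]' \
      --output table
    return 1
  fi
}

# Usage (placeholders): verify-target ADMIN_ID | deploy PARAMS.json REGION ACCOUNT...
case "${1:-}" in
  verify-target) verify_target_account "$2" ;;
  deploy) shift; deploy_stackset "$@" ;;
esac
```

Run the verify-target step in every target member account before the deploy step: a stack instance that fails with a "not authorized to assume" error in one account almost always means that account's role was created with the wrong AdministratorAccountId, and the trust-policy check catches that without a failed operation.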
Add EKS clusters
After adding your AWS account to Sophos Cloud Optix, you can add Amazon Elastic Kubernetes Service (EKS) clusters.
You must add these clusters to Sophos Cloud Optix separately, using the AWS CLI script provided by Sophos. See Add Amazon EKS clusters.
Upgrade CloudFormation deployments
You may have to upgrade your CloudFormation deployments when we make changes to our deployment template. These changes could include fixing vulnerabilities, upgrading packages, or introducing new capabilities.
Follow the instructions below to upgrade CloudFormation Stacks or StackSets in the AWS console.
To upgrade a single AWS CloudFormation deployment, do as follows:
- Sign in to the AWS console with your AWS admin account.
- Locate and select the CloudFormation service.
- In the left pane, click Stacks.
- Select the stack named CloudOptixStack (listed as CloudOptixStack-ACCOUNT_ID).
- In the top right, click Update.
- In Prerequisite - Prepare template, select Replace existing template.
- In Specify template, enter the following template URL in Amazon S3 URL:
  https://avidcore.s3-us-west-2.amazonaws.com/aws/collectorv2-config/cloudformation/cfn-onboarding.yaml
- Click Next.
- Keep the existing values on each page and click Next until you reach the last page.
- Read and acknowledge the update, and click Submit.
Your CloudFormation stack is now upgraded.
To upgrade multiple AWS CloudFormation deployments, do as follows:
- Sign in to the AWS console with your AWS admin account.
- Locate and select the CloudFormation service.
- In the left pane, click StackSets.
- Select the StackSet named OptixStackSet.
- In the top right, click Actions.
- Select Edit StackSet details.
- In Prerequisite - Prepare template, select Replace current template.
- In Specify template, enter the following template URL in Amazon S3 URL:
  https://avidcore.s3-us-west-2.amazonaws.com/aws/collectorv2-config/cloudformation/cfn-onboarding.yaml
- Click Next.
- On the following pages, click Next without making any changes.
-
In Set deployment options, select the accounts or organizational units (OUs) to which you've deployed the StackSet.
This ensures that the CloudFormation template is refreshed across all accounts or OUs.
-
Click Next until you reach the last page.
- Read and acknowledge the update, and click Submit.
Your CloudFormation StackSet and its stack instances are now upgraded.
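When you keep the defaults in the console wizard above, it resubmits the stack's current parameter values; the AWS CLI does not, and an update that omits --parameters falls back to the template's defaults. The script below is an added example, not a Sophos procedure, that upgrades the single-account stack through a change set so you can see which resources the new template removes or replaces before anything is executed, and then applies the same replace-template update to the StackSet. It assumes the stack and StackSet names on this page and that the new template keeps the existing parameter keys; the change-set summary lines used for the offline check are constructed.

```bash
#!/usr/bin/env bash
# Added example (not Sophos's procedure): upgrade the Cloud Optix stack and
# StackSet from the AWS CLI, previewing the change set before executing it.
set -eu

TEMPLATE_URL="https://avidcore.s3-us-west-2.amazonaws.com/aws/collectorv2-config/cloudformation/cfn-onboarding.yaml"

# Constructed change-set summary lines (LogicalId, Action, Replacement) for an
# offline self-check; real ones come from describe-change-set below.
SAMPLE_CHANGES='CollectorRole Modify False
OldQueue Remove None'

# Emit a --parameters JSON list that reuses the current value of every key.
# Without this the CLI applies the template defaults, which would detach the
# stack from the ExternalId, CustomerId and other values Cloud Optix issued.
keep_previous_parameters() {
  local out="" key
  for key in "$@"; do
    out="$out,{\"ParameterKey\":\"$key\",\"UsePreviousValue\":true}"
  done
  printf '[%s]\n' "${out#,}"
}

# Read "LogicalId Action Replacement" lines (one change-set entry per line) on
# stdin, print the entries that remove or replace a resource, and return 0 if
# there were any. Replacing an IAM role or queue changes what Cloud Optix's
# trust and collection settings point at, so those deserve a look first.
has_risky_changes() {
  local found=1 id action repl
  while read -r id action repl; do
    case "$action:${repl:-None}" in
      Remove:*|*:True) printf '%s %s %s\n' "$id" "$action" "${repl:-None}"; found=0 ;;
    esac
  done
  return "$found"
}

# Single-account stack: create a change set from the new template, show the
# removals/replacements, and execute only when there are none unless FORCE=1.
upgrade_stack() {
  local stack="$1" cs keys
  cs="optix-upgrade-$(date +%s)"
  keys=$(aws cloudformation describe-stacks --stack-name "$stack" \
           --query 'Stacks[0].Parameters[].ParameterKey' --output text)
  # keys is intentionally unquoted: it is a whitespace-separated list
  aws cloudformation create-change-set --stack-name "$stack" --change-set-name "$cs" \
    --template-url "$TEMPLATE_URL" --capabilities CAPABILITY_NAMED_IAM \
    --parameters "$(keep_previous_parameters $keys)" >/dev/null
  aws cloudformation wait change-set-create-complete --stack-name "$stack" --change-set-name "$cs"
  if aws cloudformation describe-change-set --stack-name "$stack" --change-set-name "$cs" \
       --query 'Changes[].ResourceChange.[LogicalResourceId,Action,Replacement]' --output text \
     | has_risky_changes && [ "${FORCE:-0}" != "1" ]; then
    echo "not executing $cs: review the resources listed above, then rerun with FORCE=1" >&2
    return 1
  fi
  aws cloudformation execute-change-set --stack-name "$stack" --change-set-name "$cs"
  aws cloudformation wait stack-update-complete --stack-name "$stack"
}

# StackSet: the same replace-template update. Without --accounts/--regions the
# update reaches every existing stack instance, which is what the console's
# "select the accounts or OUs to which you've deployed" step achieves.
upgrade_stackset() {
  local name="$1" keys
  keys=$(aws cloudformation describe-stack-set --stack-set-name "$name" \
           --query 'StackSet.Parameters[].ParameterKey' --output text)
  aws cloudformation update-stack-set --stack-set-name "$name" \
    --template-url "$TEMPLATE_URL" --capabilities CAPABILITY_NAMED_IAM \
    --parameters "$(keep_previous_parameters $keys)" \
    --query OperationId --output text
}

# Only talks to AWS when invoked with --run.
if [ "${1:-}" = "--run" ]; then
  upgrade_stack "CloudOptixStack-$(aws sts get-caller-identity --query Account --output text)"
  upgrade_stackset OptixStackSet
fi
```

The StackSet update returns an operation ID; follow it with describe-stack-set-operation and list-stack-set-operation-results in the same way as during onboarding. Because the template is fetched from a bucket you don't control and creates IAM resources, the change-set preview is the one place you get to see what an upgrade will alter before it happens.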