
Resources created in AWS environments

A full deployment of Sophos Cloud Optix adds AWS environments to the service and establishes communication between AWS and Sophos.

There are three deployment methods available:

  • Using AWS CloudFormation.
  • Using the Sophos-provided AWS CLI script on Linux or Mac.
  • Using the Sophos-provided Terraform template.

A full deployment configures two communication channels with the environment:

  • Pull channel: Gathers infrastructure information (instances, security groups, and so on) using a read-only IAM role in your AWS account.
  • Push channel: Exports CloudTrail and VPC Flow Logs to Sophos Cloud Optix for analysis. This requires specific resources to be set up and configured in your AWS environment.

You can also set up Sophos Cloud Optix for AWS environments using Quick-start, which only sets up the pull channel. You can upgrade to a full deployment later to add the push channel if needed.

Pull channel

To set up the pull channel, a read-only IAM role called Sophos-Optix-role is created.

If the role already exists, the deployment continues after the appropriate policy permissions are checked. Otherwise, a new role is created with the SecurityAudit AWS managed policy (arn:aws:iam::aws:policy/SecurityAudit) and the following additional permissions:

  • elasticfilesystem:DescribeMountTargetSecurityGroups
  • elasticfilesystem:DescribeMountTargets
  • sns:ListSubscriptions
  • s3:GetAccountPublicAccessBlock
  • ce:GetCostAndUsage
  • ce:GetCostForecast
  • ce:GetUsageForecast
  • eks:List*
  • detective:ListGraphs
  • ec2:SearchTransitGatewayRoutes
  • ec2:GetTransitGatewayRouteTableAssociations
  • support:DescribeTrustedAdvisorCheckResult
  • support:RefreshTrustedAdvisorCheck
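As an added check (not part of the Sophos deployment or its scripts), the following Python audits the policy documents attached to the role against the list above: it reports any listed action that no Allow statement grants (honouring IAM's case-insensitive "*" matching, so "eks:List*" is satisfied by "eks:*") and any granted action whose operation verb is not read-only, which is what you would expect to find if the role had been widened after deployment. The input format is the policy JSON as IAM returns it; the sample policy is constructed for the demonstration.

```python
"""Added example (not from Sophos): audit the customer/inline policy documents
on Sophos-Optix-role for the extra actions listed on this page and for any
non-read-only action. The SAMPLE_POLICY below is constructed."""
from fnmatch import fnmatch

# The additional permissions this page lists beyond the SecurityAudit managed policy.
OPTIX_EXTRA_ACTIONS = [
    "elasticfilesystem:DescribeMountTargetSecurityGroups",
    "elasticfilesystem:DescribeMountTargets",
    "sns:ListSubscriptions", "s3:GetAccountPublicAccessBlock",
    "ce:GetCostAndUsage", "ce:GetCostForecast", "ce:GetUsageForecast",
    "eks:List*", "detective:ListGraphs",
    "ec2:SearchTransitGatewayRoutes", "ec2:GetTransitGatewayRouteTableAssociations",
    "support:DescribeTrustedAdvisorCheckResult", "support:RefreshTrustedAdvisorCheck",
]
# Operation-name verbs that are read-only; any other Allow action is flagged.
READ_ONLY_VERBS = ("Describe", "Get", "List", "Search", "Refresh")

def allowed_actions(policy_doc):
    """Yield each Action pattern from the Allow statements of one policy document."""
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        yield from ([actions] if isinstance(actions, str) else actions)

def is_covered(required, patterns):
    """IAM action matching: case-insensitive, '*' wildcards ('eks:*' covers 'eks:List*')."""
    return any(fnmatch(required.lower(), p.lower()) for p in patterns)

def audit_role_policies(policy_docs):
    """Return (missing, overbroad): required actions no Allow statement grants,
    and granted actions whose operation verb is not read-only (e.g. 's3:PutObject', '*')."""
    granted = [a for doc in policy_docs for a in allowed_actions(doc)]
    missing = [a for a in OPTIX_EXTRA_ACTIONS if not is_covered(a, granted)]
    overbroad = [a for a in granted
                 if not a.split(":", 1)[-1].startswith(READ_ONLY_VERBS)]
    return missing, overbroad

# Constructed sample: missing ce:GetUsageForecast, wrongly grants s3:PutObject; Deny is ignored.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "elasticfilesystem:DescribeMountTarget*", "sns:ListSubscriptions",
        "s3:GetAccountPublicAccessBlock", "ce:GetCostAndUsage", "ce:GetCostForecast",
        "eks:List*", "detective:ListGraphs", "ec2:SearchTransitGatewayRoutes",
        "ec2:GetTransitGatewayRouteTableAssociations", "s3:PutObject",
        "support:DescribeTrustedAdvisorCheckResult", "support:RefreshTrustedAdvisorCheck"]},
    {"Effect": "Deny", "Resource": "*", "Action": "iam:*"},
]}
```

Run audit_role_policies over the documents returned by the IAM get-role-policy and get-policy-version calls for the role; the SecurityAudit managed policy itself is not expected to contain these extra actions.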

Push channel

Resources are required to export CloudTrail Logs and VPC Flow Logs to Sophos Cloud Optix.

The following resources are created and configured for exporting CloudTrail Logs:

  • A CloudTrail trail, Sophos-Optix-cloudtrail, that delivers AWS CloudTrail log events from all regions to an S3 bucket, Sophos-Optix-cloudtrail-<ACCOUNT>.

    If the bucket doesn't already exist in your account, it's created. The trail is configured to log all management events to this bucket.

  • An SNS topic called Sophos-Optix-cloudtrail-s3-sns-topic for CloudTrail. The topic is configured to trigger on AllCreateObject events in the CloudTrail folder of sophos-optix-cloudtrail-<ACCOUNT>.

    With this SNS topic, you can set up multiple exports from your CloudTrail using the same infrastructure. You can subscribe to the topic, receive the keys of new CloudTrail log dump files, and use the keys to pull them if required.

  • A Lambda function, Sophos-Optix-cloudTrail-fn, to send keys of CloudTrail dump files created in S3 to Sophos Cloud Optix.

    The Lambda function is subscribed to the SNS topic. Sophos Cloud Optix uses these keys to pull CloudTrail logs.

  • A policy configuration to grant s3:GetObject permission to Sophos-Optix-role, to read log object files from the CloudTrail folder of the sophos-optix-cloudtrail-<ACCOUNT> bucket.

  • An S3 Lifecycle configuration automatically deletes logs stored in the S3 bucket after 365 days. You can change this time limit when you add a new AWS environment.

VPC Flow Logs are turned on and exported to the Sophos Cloud Optix service for analysis.

Note

You can choose not to export VPC Flow Logs to Sophos Cloud Optix, or only export VPC Flow Logs from specific AWS regions. If you do this, some advanced features, such as AI-powered anomaly detection and traffic visibility in Network Visualization, won't work.

The following steps are taken to export VPC Flow Logs:

  • VPC Flow Logs are turned on to capture IP traffic information for all VPCs. The set of VPCs can be configured. Logs are delivered to an S3 bucket called Sophos-Optix-flowlogs-<ACCOUNT>-<region>.

    If the bucket doesn't already exist in your account, it's created.

  • An SNS topic called Sophos-Optix-flowlogs-s3-sns-topic is created to export flow logs. The topic is configured to trigger on AllCreateObject events in the flow logs folder of Sophos-Optix-flowlogs-<ACCOUNT>-<region>.

    With this SNS topic, you can use the same infrastructure to set up multiple exports from your flow logs. You can subscribe to the topic, receive the keys of new flow log dump files, and use the keys to pull them if required.

  • A Lambda function called Sophos-Optix-flowlogs-fn is created to send the keys of the flow log dump files created in S3 to Sophos Cloud Optix.

    The Lambda function is subscribed to the SNS topic. Sophos Cloud Optix uses these keys to pull the flow logs.

  • An S3 Lifecycle configuration automatically deletes logs stored in the S3 bucket after one day. You can change this time limit when you add a new AWS environment.

  • A policy configuration to grant s3:GetObject permission to Sophos-Optix-role, to read log object files from the flow logs folder of Sophos-Optix-flowlogs-<ACCOUNT>-<region>.

  • VPC Flow Logs are exported in every region separately, on Amazon's recommendation, creating an S3 bucket, SNS topic, and Lambda function in each region. You can limit flow log exports to specific regions when adding a new AWS environment.
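Both push channels above follow the same pattern: S3 writes a log dump, the bucket notifies an SNS topic on object create events, and a Lambda function subscribed to the topic passes the new object keys on to Sophos Cloud Optix. The following Python, an added example and not the Sophos-Optix-cloudTrail-fn or Sophos-Optix-flowlogs-fn code, shows the shape of such a handler and the cases it has to tolerate: the s3:TestEvent that SNS delivers when the subscription is confirmed, non-create events, URL-encoded keys, and objects outside the log prefix. The AWSLogs/ key prefix and the forward callback are assumptions; the page does not describe how keys are actually delivered to Cloud Optix.

```python
"""Added example (not Sophos code): a Lambda handler in the shape of the
Sophos-Optix-*-fn functions above. It unwraps the S3 notification that SNS
delivers, keeps ObjectCreated records under the expected log prefix, and hands
(bucket, key) pairs to a forwarder. The forwarder and prefix are assumptions."""
import json
from urllib.parse import unquote_plus

# Assumption: both CloudTrail and VPC Flow Logs deliver under AWSLogs/<account>/...
EXPECTED_PREFIX = "AWSLogs/"

def extract_created_keys(event, prefix=EXPECTED_PREFIX):
    """Return [(bucket, key), ...] for object-create records inside an SNS event.
    Tolerates the s3:TestEvent SNS sends on subscription (no Records), non-create
    events, URL-encoded keys, and objects outside `prefix`."""
    found = []
    for sns_record in event.get("Records", []):
        try:
            s3_event = json.loads(sns_record.get("Sns", {}).get("Message", "{}"))
        except json.JSONDecodeError:
            continue  # not an S3 notification: skip rather than crash the function
        for rec in s3_event.get("Records", []):
            # "All object create events" in the console is eventName ObjectCreated:*
            if not rec.get("eventName", "").startswith("ObjectCreated:"):
                continue
            bucket = rec["s3"]["bucket"]["name"]
            key = unquote_plus(rec["s3"]["object"]["key"])  # S3 URL-encodes keys
            if key.startswith(prefix):
                found.append((bucket, key))
    return found

def handler(event, context=None, forward=None):
    """Lambda entry point; `forward` (hypothetical) delivers a key to Cloud Optix."""
    pairs = extract_created_keys(event)
    for bucket, key in pairs:
        if forward:
            forward(bucket, key)
    return {"forwarded": len(pairs)}

# Constructed sample (account id is a placeholder): one SNS envelope carrying a
# matching create, a delete, and a create outside the log prefix.
BUCKET = "sophos-optix-cloudtrail-123456789012"
SAMPLE_EVENT = {"Records": [{"Sns": {"Message": json.dumps({"Records": [
    {"eventName": "ObjectCreated:Put", "s3": {"bucket": {"name": BUCKET}, "object":
     {"key": "AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/01/trail+1.json.gz"}}},
    {"eventName": "ObjectRemoved:Delete", "s3": {"bucket": {"name": BUCKET}, "object":
     {"key": "AWSLogs/123456789012/CloudTrail/us-east-1/old.json.gz"}}},
    {"eventName": "ObjectCreated:Put", "s3": {"bucket": {"name": BUCKET}, "object":
     {"key": "other/unrelated.txt"}}},
]})}}]}
```

Because the consumer only ever receives keys and then reads the objects with the s3:GetObject grant described above, a key that falls outside the expected prefix is a signal worth logging rather than forwarding.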