Legacy: Resources created in your AWS environments
A full deployment of Sophos Cloud Optix adds AWS environments to the service and sets up communication between AWS and Sophos.
Warning
You must only use this help section if you opened your Sophos Cloud Optix account before November 17, 2020. If you opened your account after that date, you must use the instructions under Add your AWS environment.
There are three full deployment methods:
- Using the Sophos Cloud Optix AWS CLI script provided for Linux and macOS.
- Using AWS CloudFormation.
- Using the Terraform template provided.
Full deployment sets up two communication channels with the environment:
- Pull channel to gather infrastructure information about instances, security groups, etc. This uses a read-only IAM Role in your AWS account.
- Push channel to export CloudTrail Logs and VPC Flow Logs to Sophos Cloud Optix for analysis. This requires resources to be created and configured in your AWS environment.
You can also set up Sophos Cloud Optix for AWS environments using Quick-start, which only sets up the pull channel. You can perform a full deployment to add the push channel later, if necessary.
Pull channel
To set up the pull channel, a read-only IAM role, `Avid-Role`, is created.
If this role already exists in the environment, the deployment continues after checking for the appropriate policy permissions. If not, the new role is created with the SecurityAudit AWS managed policy (`arn:aws:iam::aws:policy/SecurityAudit`) and the following additional permissions:
- `elasticfilesystem:DescribeMountTargetSecurityGroups`
- `elasticfilesystem:DescribeMountTargets`
- `sns:ListSubscriptions`
- `s3:GetAccountPublicAccessBlock`
- `ce:GetCostAndUsage`
- `ce:GetCostForecast`
- `ce:GetUsageForecast`
- `eks:List*`
Push channel
Resources are required to export CloudTrail Logs and VPC Flow Logs to Sophos Cloud Optix.
To export CloudTrail Logs, the following resources are created and configured:
- A trail (CloudTrail) `CT-AvidSecure` to deliver AWS CloudTrail log events from all regions to an S3 bucket `avid-cloudtrail-<ACCOUNT>`. If the bucket doesn't already exist in your account, it's created. The trail is configured to log all management and data events, and to deliver to the newly created CloudWatch log group `CT-Avid-LogGroup`.
- A role `Avid-CT-to-CW` for CloudTrail. This allows CloudTrail to send events to CloudWatch. It has the permissions `s3:GetBucketAcl` and `s3:PutObject`, and is allowed to perform the actions `logs:CreateLogStream` and `logs:PutLogEvents` on resources associated with the log group `CT-Avid-LogGroup`.
- A role `Avid-Lambda-to-CloudWatch`. This allows an AWS Lambda function to read CloudWatch events using the managed policy `arn:aws:iam::aws:policy/CloudWatchEventsReadOnlyAccess`. The role can perform the following actions: `logs:CreateLogGroup`, `logs:CreateLogStream`, `logs:DescribeLogGroups`, `logs:DescribeLogStreams`, `logs:PutLogEvents`.
- A subscription filter is created and associated with `CT-Avid-LogGroup` to subscribe to the real-time stream of log events and deliver them to the AWS Lambda function `Avid-CloudTrail-function`. The Lambda function reads and parses the log, and sends the parsed events to Sophos Cloud Optix.
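The pull-channel role above is meant to stay read-only (SecurityAudit plus the listed extra actions), and the `Avid-CT-to-CW` role is meant to be scoped to `CT-Avid-LogGroup`. Both are the kind of thing that drifts when someone edits a policy by hand. The following is an added example, not Sophos' deployment code, of an offline audit of policy documents against the permissions the page lists; the policy documents, the account id and the region in the ARNs are constructed, and a real audit would fetch them with `iam:ListAttachedRolePolicies` and `iam:GetRolePolicy`.

```python
"""Offline least-privilege audit for the Avid-Role and Avid-CT-to-CW roles.

Added example, not Sophos code. Policy documents, account id and region are
constructed to match the permissions listed on the page."""

SECURITY_AUDIT_ARN = "arn:aws:iam::aws:policy/SecurityAudit"

# Extra permissions the page lists for Avid-Role on top of SecurityAudit.
AVID_ROLE_EXTRA_ACTIONS = {
    "elasticfilesystem:DescribeMountTargetSecurityGroups",
    "elasticfilesystem:DescribeMountTargets",
    "sns:ListSubscriptions",
    "s3:GetAccountPublicAccessBlock",
    "ce:GetCostAndUsage",
    "ce:GetCostForecast",
    "ce:GetUsageForecast",
    "eks:List*",
}

# Actions the page grants Avid-CT-to-CW.
CT_TO_CW_ACTIONS = {"s3:GetBucketAcl", "s3:PutObject",
                    "logs:CreateLogStream", "logs:PutLogEvents"}

# Constructed account id and region; the page only names the log group.
ACCOUNT = "123456789012"
CT_LOG_GROUP_ARN = f"arn:aws:logs:us-east-1:{ACCOUNT}:log-group:CT-Avid-LogGroup"

# Constructed inline policy for Avid-Role as it should look after deployment.
AVID_ROLE_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": sorted(AVID_ROLE_EXTRA_ACTIONS),
                   "Resource": "*"}],
}

# Constructed policy for Avid-CT-to-CW with logs actions scoped to the log group.
CT_TO_CW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetBucketAcl",
         "Resource": f"arn:aws:s3:::avid-cloudtrail-{ACCOUNT}"},
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::avid-cloudtrail-{ACCOUNT}/*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": f"{CT_LOG_GROUP_ARN}:*"},
    ],
}

# Constructed drifted variant: same actions, but the logs actions apply to every log group.
CT_TO_CW_POLICY_DRIFTED = {
    "Version": "2012-10-17",
    "Statement": CT_TO_CW_POLICY["Statement"][:2] + [
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "*"}],
}


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def allow_statements(policy):
    """Yield (actions, resources) for each Allow statement, normalised to lists."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            yield _as_list(stmt.get("Action", [])), _as_list(stmt.get("Resource", []))


def granted_actions(policy):
    """Set of action strings (wildcard patterns kept verbatim) the policy allows."""
    return {a for actions, _ in allow_statements(policy) for a in actions}


def audit_actions(policy, expected):
    """Compare granted actions with the expected set; either difference is a finding."""
    granted = granted_actions(policy)
    return {"missing": expected - granted, "unexpected": granted - expected}


def unscoped_actions(policy, action_prefix, resource_arn_prefix):
    """Actions under action_prefix granted on a resource outside resource_arn_prefix,
    e.g. logs:* on '*' instead of the CT-Avid-LogGroup ARN."""
    return [(a, r) for actions, resources in allow_statements(policy)
            for a in actions if a.startswith(action_prefix)
            for r in resources if not r.startswith(resource_arn_prefix)]


def audit_avid_role(attached_managed_policy_arns, inline_policy):
    """Pull-channel check: SecurityAudit attached and exactly the listed extra actions."""
    result = audit_actions(inline_policy, AVID_ROLE_EXTRA_ACTIONS)
    result["security_audit_attached"] = SECURITY_AUDIT_ARN in attached_managed_policy_arns
    return result


if __name__ == "__main__":
    print(audit_avid_role([SECURITY_AUDIT_ARN], AVID_ROLE_INLINE_POLICY))
    print(audit_actions(CT_TO_CW_POLICY, CT_TO_CW_ACTIONS))
    print(unscoped_actions(CT_TO_CW_POLICY_DRIFTED, "logs:", CT_LOG_GROUP_ARN))
```

The action comparison is deliberately exact-string: `eks:List*` is expected as that pattern, so a policy that widened it to `eks:*` shows up as one unexpected and one missing entry rather than being silently accepted as a superset.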
VPC Flow Logs are turned on and exported to the Sophos Cloud Optix service for analysis.
Note
You can choose not to export VPC Flow Logs to Sophos Cloud Optix, or to export VPC Flow Logs only from specific AWS regions. If you do this, some advanced features, such as AI-powered anomaly detection and traffic visibility in Network Visualization, will not work.
To export VPC Flow Logs the following steps are taken:
- VPC Flow Logs are turned on to capture IP traffic information and publish it to CloudWatch Logs under the log group `Flowlogs-Avid-LogGroup`.
- An IAM role `Avid-VPCFlow-Role` is created, which allows the AWS VPC Flow Logs service to perform the following actions: `logs:CreateLogGroup`, `logs:CreateLogStream`, `logs:DescribeLogGroups`, `logs:DescribeLogStreams`, `logs:PutLogEvents`.
- A subscription filter is created and associated with `Flowlogs-Avid-LogGroup` to subscribe to the real-time stream of log events and deliver them to the AWS Lambda function `Avid-VPC-LOGS-function`. The Lambda function reads and parses the flow logs and sends them to Sophos Cloud Optix.
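Both push-channel subscription filters (the one on `CT-Avid-LogGroup` feeding `Avid-CloudTrail-function` and the one on `Flowlogs-Avid-LogGroup` feeding `Avid-VPC-LOGS-function`) hand the Lambda function the same envelope: a CloudWatch Logs subscription delivery. The following is an added example, not Sophos' Lambda code, showing what "reads and parses the log" involves for both log types, so that a reader can reason about what leaves the account. The envelope format (`awslogs.data` holding base64-encoded, gzip-compressed JSON with a `logEvents` list) is the one CloudWatch Logs uses for Lambda destinations; the sample CloudTrail record, flow log lines, account id and ENI id are constructed, and the field subset kept from CloudTrail is this example's choice.

```python
"""Decode a CloudWatch Logs subscription delivery and parse the two log types
the page routes through Lambda: CloudTrail records (CT-Avid-LogGroup) and
VPC Flow Logs (Flowlogs-Avid-LogGroup).

Added example, not Sophos' Lambda code. All sample records, account ids and
ENI ids are constructed."""
import base64
import gzip
import json

# Default VPC Flow Log (version 2) field order.
FLOW_LOG_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
                   "srcport", "dstport", "protocol", "packets", "bytes",
                   "start", "end", "action", "log_status")
FLOW_LOG_INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed CloudTrail record, serialised the way one log event message carries it.
SAMPLE_CLOUDTRAIL_MESSAGE = json.dumps({
    "eventVersion": "1.08", "eventTime": "2020-11-01T12:00:00Z",
    "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
    "userIdentity": {"type": "AssumedRole",
                     "arn": "arn:aws:sts::123456789012:assumed-role/Avid-Role/optix"},
    "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
})

# Constructed flow log lines: one ACCEPT record and one NODATA record ('-' fields).
SAMPLE_FLOW_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.5 203.0.113.9 443 51234 6 10 8400 "
    "1600000000 1600000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1600000000 1600000060 - NODATA",
]


def make_event(log_group, messages):
    """Build the Lambda event CloudWatch Logs would deliver for these messages."""
    body = {
        "messageType": "DATA_MESSAGE", "owner": "123456789012",
        "logGroup": log_group, "logStream": "stream-1",
        "subscriptionFilters": ["avid-filter"],
        "logEvents": [{"id": str(i), "timestamp": 1600000000000 + i, "message": m}
                      for i, m in enumerate(messages)],
    }
    raw = gzip.compress(json.dumps(body).encode("utf-8"))
    return {"awslogs": {"data": base64.b64encode(raw).decode("ascii")}}


def decode_subscription_payload(event):
    """Reverse the base64 + gzip envelope and return the inner JSON document."""
    raw = base64.b64decode(event["awslogs"]["data"])
    return json.loads(gzip.decompress(raw).decode("utf-8"))


def parse_cloudtrail(message):
    """Keep the CloudTrail fields a detection pipeline keys on (example's choice)."""
    rec = json.loads(message)
    return {
        "eventTime": rec["eventTime"], "eventSource": rec["eventSource"],
        "eventName": rec["eventName"],
        "principal": rec.get("userIdentity", {}).get("arn"),
        "sourceIP": rec.get("sourceIPAddress"), "errorCode": rec.get("errorCode"),
    }


def parse_flow_log(message):
    """Parse a default-format flow log line; '-' (NODATA/SKIPDATA) becomes None."""
    fields = message.split()
    if len(fields) != len(FLOW_LOG_FIELDS):
        raise ValueError(f"expected {len(FLOW_LOG_FIELDS)} fields, got {len(fields)}")
    rec = {k: (None if v == "-" else v) for k, v in zip(FLOW_LOG_FIELDS, fields)}
    for k in FLOW_LOG_INT_FIELDS:
        if rec[k] is not None:
            rec[k] = int(rec[k])
    return rec


PARSERS = {"CT-Avid-LogGroup": parse_cloudtrail, "Flowlogs-Avid-LogGroup": parse_flow_log}


def handler(event, context=None):
    """Lambda entry point: pick the parser by source log group, skip malformed lines."""
    payload = decode_subscription_payload(event)
    if payload.get("messageType") != "DATA_MESSAGE":  # CONTROL_MESSAGE on filter creation
        return {"logGroup": payload.get("logGroup"), "records": [], "skipped": 0}
    parser = PARSERS[payload["logGroup"]]
    records, skipped = [], 0
    for log_event in payload["logEvents"]:
        try:
            records.append(parser(log_event["message"]))
        except (ValueError, KeyError):  # JSONDecodeError is a ValueError
            skipped += 1
    return {"logGroup": payload["logGroup"], "records": records, "skipped": skipped}


if __name__ == "__main__":
    print(json.dumps(handler(make_event("CT-Avid-LogGroup", [SAMPLE_CLOUDTRAIL_MESSAGE])), indent=2))
    print(json.dumps(handler(make_event("Flowlogs-Avid-LogGroup", SAMPLE_FLOW_LINES)), indent=2))
```

Two details matter operationally: CloudWatch Logs sends a `CONTROL_MESSAGE` when the subscription filter is created, which carries no log events and must not be treated as data, and flow log records with `NODATA` or `SKIPDATA` status use `-` for the address, port and counter fields, so a parser that casts those columns to integers unconditionally drops the whole batch.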