Legacy: Resources created in your AWS environments

A full deployment of Sophos Cloud Optix adds AWS environments to the service and sets up communication between AWS and Sophos.

There are three full deployment methods:

• Using the Sophos Cloud Optix AWS CLI script provided for Linux and macOS.
• Using AWS CloudFormation.
• Using the Terraform template provided.

Full deployment sets up two communication channels with the environment:

• Pull channel to gather infrastructure information about instances, security groups, etc. This uses a read-only IAM Role in your AWS account.
• Push channel to export CloudTrail Logs and VPC Flow Logs to Sophos Cloud Optix for analysis. This requires resources to be created and configured in your AWS environment.

You can also set up Sophos Cloud Optix for AWS environments using Quick-start, which only sets up the pull channel. You can perform a full deployment to add the push channel later, if necessary.

Pull channel

To set up the pull channel Avid-Role, a read-only IAM role, is created.

If this role already exists in the environment, the deployment continues after checking for the appropriate policy permissions. If not, the new role is created, with the SecurityAudit AWS managed policy (arn:aws:iam::aws:policy/SecurityAudit) and the following additional permissions:

• elasticfilesystem:DescribeMountTargetSecurityGroups
• elasticfilesystem:DescribeMountTargets
• sns:ListSubscriptions
• s3:GetAccountPublicAccessBlock
• ce:GetCostAndUsage
• ce:GetCostForecast
• ce:GetUsageForecast
• eks:List\*

Push channel

Resources are required to export CloudTrail Logs and VPC Flow Logs to Sophos Cloud Optix.

To export CloudTrail Logs, the following resources are created and configured:

• A trail (CloudTrail) CT-AvidSecure to deliver AWS CloudTrail log events from all regions to an S3 bucket avid-cloudtrail-<ACCOUNT>. If the bucket doesn't already exist in your account, it's created. The trail is configured to log all management and data events, and deliver to the newly created log group CT-Avid-LogGroup for CloudWatch.
• A role Avid-CT-to-CW for CloudTrail. This allows the CloudTrail to send events to CloudWatch and has the permissions for s3:GetBucketAcl, s3:PutObject, and is allowed to perform the following actions: logs:CreateLogStream, logs:PutLogEvents, on resources associated with log group CT-Avid-LogGroup.

• A role Avid-Lambda-to-CloudWatch. This allows an AWS Lambda function to read CloudWatch events using the policy permission arn:aws:iam::aws:policy/CloudWatchEventsReadOnlyAccess. The role can do the following actions:

  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:DescribeLogGroups
  • logs:DescribeLogStreams
  • logs:PutLogEvents.

• A subscription filter is created and associated with CT-Avid-LogGroup to subscribe to the real-time stream of log events and deliver them to the AWS Lambda function Avid-CloudTrail-function. The Lambda function reads and parses the log, and sends the parsed events to Sophos Cloud Optix.

VPC Flow Logs are turned on and exported to the Sophos Cloud Optix service for analysis.

To export VPC Flow Logs the following steps are taken:

• VPC Flow Logs are turned on to capture IP traffic information and publish it to CloudWatch Logs under log group Flowlogs-Avid-LogGroup.

• An IAM role Avid-VPCFlow-Role is created, which allows the AWS VPC-Flow-Logs to perform the following actions:

  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:DescribeLogGroups
  • logs:DescribeLogStreams
  • logs:PutLogEvents.

• A subscription filter is created and associated with Flowlogs-Avid-LogGroup to subscribe to the real-time stream of log events and deliver them to the AWS Lambda function Avid-VPC-LOGS-function. The Lambda function reads and parses the flow logs and sends them to Sophos Cloud Optix.