Resources created in your AWS environments

A full deployment of Sophos Cloud Optix adds AWS environments to the service and sets up communication between AWS and Sophos.

There are three full deployment methods:

  • Using the Sophos Cloud Optix AWS CLI script provided for Linux and macOS.
  • Using AWS CloudFormation.
  • Using the Terraform template provided.

Full deployment sets up two communication channels with the environment:

  • Pull channel to gather infrastructure information about instances, security groups, etc. This uses a read-only IAM Role in your AWS account.
  • Push channel to export CloudTrail Logs and VPC Flow Logs to Sophos Cloud Optix for analysis. This requires resources to be created and configured in your AWS environment.

You can also set up Sophos Cloud Optix for AWS environments using Quick-start, which only sets up the pull channel. You can perform a full deployment to add the push channel later, if necessary.

Pull channel

To set up the pull channel, a read-only IAM role called Sophos-Optix-role is created.

If this role already exists in the environment, the deployment continues after checking that it has the appropriate policy permissions. If not, the role is created with the SecurityAudit AWS managed policy (arn:aws:iam::aws:policy/SecurityAudit) and the following additional permissions:

  • elasticfilesystem:DescribeMountTargetSecurityGroups
  • elasticfilesystem:DescribeMountTargets
  • sns:ListSubscriptions
  • s3:GetAccountPublicAccessBlock
  • ce:GetCostAndUsage
  • ce:GetCostForecast
  • ce:GetUsageForecast
  • eks:List*
  • detective:ListGraphs
  • ec2:SearchTransitGatewayRoutes
  • ec2:GetTransitGatewayRouteTableAssociations
  • support:DescribeTrustedAdvisorCheckResult
  • support:RefreshTrustedAdvisorCheck
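The script below is an added example and is not part of this page or of Sophos's deployment tooling. It renders the additional permissions listed above as an IAM policy document and checks a policy document retrieved from the account (for instance the PolicyDocument returned by `aws iam get-role-policy`) against that list, reporting documented actions that are not granted and granted actions that fall outside the documented set, which is where a broadened wildcard such as eks:* or a write permission would show up. The Resource "*" in the generated document and the sample drifted policy are constructed assumptions; the SecurityAudit managed policy itself is not modelled.

```python
"""Added example (not Sophos's deployment code): an offline drift check for the
additional permissions the page documents for the Sophos-Optix-role."""
import fnmatch
import json

# The additional actions the page lists, granted on top of the SecurityAudit managed policy.
REQUIRED_ACTIONS = (
    "elasticfilesystem:DescribeMountTargetSecurityGroups",
    "elasticfilesystem:DescribeMountTargets",
    "sns:ListSubscriptions",
    "s3:GetAccountPublicAccessBlock",
    "ce:GetCostAndUsage",
    "ce:GetCostForecast",
    "ce:GetUsageForecast",
    "eks:List*",
    "detective:ListGraphs",
    "ec2:SearchTransitGatewayRoutes",
    "ec2:GetTransitGatewayRouteTableAssociations",
    "support:DescribeTrustedAdvisorCheckResult",
    "support:RefreshTrustedAdvisorCheck",
)


def build_policy_document(actions=REQUIRED_ACTIONS):
    """Render a set of actions as an IAM identity policy document.
    Resource "*" is an assumption: the page does not describe any resource scoping."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}],
    }


def allowed_actions(policy_doc):
    """Collect every action granted by an Allow statement; Action may be a string or a list."""
    granted = set()
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        granted.update([actions] if isinstance(actions, str) else actions)
    return granted


def check_role_policy(policy_doc, required=REQUIRED_ACTIONS):
    """Compare a policy document against the documented action list.

    Returns (missing, extra):
      missing - documented actions that no granted pattern covers (e.g. a grant of
                eks:ListClusters is narrower than the documented eks:List*),
      extra   - granted patterns that lie outside every documented action, which is
                where a wildcard such as eks:* or a write permission would appear.
    IAM action wildcards use '*', which fnmatch interprets the same way.
    """
    granted = allowed_actions(policy_doc)
    missing = [r for r in required if not any(fnmatch.fnmatchcase(r, g) for g in granted)]
    extra = sorted(g for g in granted if not any(fnmatch.fnmatchcase(g, r) for r in required))
    return missing, extra


# Constructed "drifted" policy: the documented actions plus two grants nobody documented.
DRIFTED_POLICY = build_policy_document(REQUIRED_ACTIONS + ("iam:*", "s3:PutObject"))

if __name__ == "__main__":
    print(json.dumps(build_policy_document(), indent=2))
    print("drifted policy (missing, extra):", check_role_policy(DRIFTED_POLICY))
```

Run it against the real role by saving the PolicyDocument from `aws iam get-role-policy` to a file, loading it with `json.load`, and passing the result to `check_role_policy`; an empty `extra` list means the inline policy has not grown beyond what this page documents.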

Push channel

Resources are required to export CloudTrail Logs and VPC Flow Logs to Sophos Cloud Optix.

To export CloudTrail Logs, the following resources are created and configured:

  • A trail (CloudTrail) called Sophos-Optix-cloudtrail that delivers AWS CloudTrail log events from all regions to an S3 bucket called Sophos-Optix-cloudtrail-<ACCOUNT>. If the bucket doesn't already exist in your account, it's created. The trail is configured to log all management and data events and to deliver them to this bucket.
  • An SNS topic called Sophos-Optix-cloudtrail-s3-sns-topic for CloudTrail. The topic is configured to trigger on AllCreateObject events in the CloudTrail folder of the sophos-optix-cloudtrail-<ACCOUNT> bucket. With this topic you can set up multiple exports of your CloudTrail logs using the same infrastructure: subscribe to the topic, receive the keys of new CloudTrail log dump files, and use the keys to pull them if required.
  • A Lambda function called Sophos-Optix-cloudTrail-fn that sends the keys of CloudTrail dump files created in S3 to Sophos Cloud Optix. The Lambda function is subscribed to the SNS topic. Sophos Cloud Optix uses these keys to pull the CloudTrail logs.
  • A policy configuration that grants the s3:GetObject permission to Sophos-Optix-role, so that it can read the log object files from the CloudTrail folder of the sophos-optix-cloudtrail-<ACCOUNT> bucket.
  • An S3 Lifecycle configuration that automatically deletes logs stored in the S3 bucket after 365 days. You can change this time limit when you add a new AWS environment.

VPC Flow Logs are turned on and exported to the Sophos Cloud Optix service for analysis.

Note: You can choose not to export VPC Flow Logs to Sophos Cloud Optix, or to export VPC Flow Logs only from specific AWS regions. If you do this, some advanced features, such as AI-powered anomaly detection and traffic visibility in Network Visualization, will not work.

To export VPC Flow Logs the following steps are taken:

  • VPC Flow Logs are turned on to capture IP traffic information for all VPCs (which VPCs are included can be configured). Logs are delivered to an S3 bucket called Sophos-Optix-flowlogs-<ACCOUNT>-<region>. If the bucket doesn't already exist in your account, it's created.
  • An SNS topic called Sophos-Optix-flowlogs-s3-sns-topic is created to export flow logs. The topic is configured to trigger on AllCreateObject events in the flow logs folder of the Sophos-Optix-flowlogs-<ACCOUNT>-<region> bucket. With this topic you can set up multiple exports of your flow logs using the same infrastructure: subscribe to the topic, receive the keys of new flow log dump files, and use the keys to pull them if required.
  • A Lambda function called Sophos-Optix-flowlogs-fn is created to send the keys of flow log dump files created in S3 to Sophos Cloud Optix. The Lambda function is subscribed to the SNS topic. Sophos Cloud Optix uses these keys to pull the flow logs.
  • An S3 Lifecycle configuration that automatically deletes logs stored in the S3 bucket after one day. You can change this time limit when you add a new AWS environment.
  • A policy configuration that grants the s3:GetObject permission to Sophos-Optix-role, so that it can read the log object files from the flow logs folder of the Sophos-Optix-flowlogs-<ACCOUNT>-<region> bucket.
  • VPC Flow Logs are exported separately in every region, as Amazon recommends, which creates an S3 bucket, SNS topic, and Lambda function in each region. You can restrict flow log exports to single regions when adding a new AWS environment.
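Both export pipelines described above, CloudTrail and VPC Flow Logs, follow the same S3 to SNS to Lambda pattern, so one added example serves both. The Python below is not Sophos's Lambda code and is not taken from this page; it shows the event handling a forwarder in the role of Sophos-Optix-cloudTrail-fn or Sophos-Optix-flowlogs-fn has to get right: unwrapping the SNS envelope that Lambda receives, skipping the one-off s3:TestEvent that S3 publishes when a notification is configured, ignoring events other than ObjectCreated, URL-decoding object keys, and grouping the keys by bucket into a payload. The AWSLogs/ prefix filter, the payload shape, and the sample account ID, bucket names and file names are all constructed assumptions; the outbound call to Sophos Cloud Optix is left out because the page does not describe it.

```python
"""Added example (not Sophos's Lambda code): event handling for a forwarder that
receives S3 ObjectCreated notifications through SNS and collects the object keys
that Sophos Cloud Optix would later use to pull the log files."""
import json
from urllib.parse import unquote_plus

# Assumed prefix filter: CloudTrail and VPC Flow Logs delivered to S3 land under
# AWSLogs/<ACCOUNT>/...; the value is an assumption, not a Sophos setting.
DEFAULT_PREFIX = "AWSLogs/"


def extract_created_objects(event, key_prefix=DEFAULT_PREFIX):
    """Return [(bucket, key), ...] for every S3 ObjectCreated record inside an
    SNS-to-Lambda event.

    Edge cases handled: the s3:TestEvent S3 sends once when a notification is set up
    (it has no Records), non-ObjectCreated events a broader subscription might carry,
    malformed messages, and URL-encoded object keys.
    """
    found = []
    for record in event.get("Records", []):
        if record.get("EventSource") != "aws:sns":
            continue
        try:
            message = json.loads(record["Sns"]["Message"])
        except (KeyError, TypeError, ValueError):
            continue  # not a well-formed SNS notification; nothing to forward
        if message.get("Event") == "s3:TestEvent":
            continue
        for s3_record in message.get("Records", []):
            if not s3_record.get("eventName", "").startswith("ObjectCreated:"):
                continue
            bucket = s3_record["s3"]["bucket"]["name"]
            # S3 URL-encodes keys in notifications (a space arrives as '+'), so decode first.
            key = unquote_plus(s3_record["s3"]["object"]["key"])
            if key.startswith(key_prefix):
                found.append((bucket, key))
    return found


def build_forward_payload(objects):
    """Group keys by bucket into the body that would be sent to the analysis service.
    The shape is an assumption for illustration; the page only says that keys are sent."""
    by_bucket = {}
    for bucket, key in objects:
        by_bucket.setdefault(bucket, []).append(key)
    return {"buckets": [{"name": b, "keys": sorted(ks)} for b, ks in sorted(by_bucket.items())]}


def lambda_handler(event, context=None):
    """Lambda entry point: parse the event, build the payload, report what was collected."""
    payload = build_forward_payload(extract_created_objects(event))
    # A real forwarder would send `payload` to Sophos Cloud Optix here; transport omitted.
    return {"forwarded": sum(len(b["keys"]) for b in payload["buckets"]), "payload": payload}


def _sns_envelope(message):
    """Wrap an S3 notification the way SNS does when it invokes a Lambda subscriber."""
    return {"EventSource": "aws:sns", "EventVersion": "1.0",
            "Sns": {"Type": "Notification", "Message": json.dumps(message)}}


def _s3_record(event_name, bucket, key):
    return {"eventSource": "aws:s3", "eventName": event_name,
            "s3": {"bucket": {"name": bucket}, "object": {"key": key}}}


# Constructed sample event (account ID and file names are made up): one CloudTrail dump,
# one flow-log dump whose key contains an encoded space, one delete that must be ignored,
# and the S3 test event.
SAMPLE_EVENT = {"Records": [
    _sns_envelope({"Records": [
        _s3_record("ObjectCreated:Put", "sophos-optix-cloudtrail-123456789012",
                   "AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/15/trail_20240115T0000Z.json.gz"),
        _s3_record("ObjectRemoved:Delete", "sophos-optix-cloudtrail-123456789012",
                   "AWSLogs/123456789012/CloudTrail/us-east-1/2023/01/15/old.json.gz"),
    ]}),
    _sns_envelope({"Records": [
        _s3_record("ObjectCreated:CompleteMultipartUpload",
                   "sophos-optix-flowlogs-123456789012-us-east-1",
                   "AWSLogs/123456789012/vpcflowlogs/us-east-1/2024/01/15/fl-0abc+test.log.gz"),
    ]}),
    _sns_envelope({"Service": "Amazon S3", "Event": "s3:TestEvent",
                   "Bucket": "sophos-optix-flowlogs-123456789012-us-east-1"}),
]}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

The same handler shape also covers the case the page mentions of subscribing your own consumer to either SNS topic: the notification format is identical, so the only thing that changes is what `lambda_handler` does with the keys once they are extracted.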