What does the Sophos Cloud Optix script to add AWS environments do?

The Sophos Cloud Optix script adds AWS environments and sets up communication between AWS and Cloud Optix.

The script sets up two communication channels with the environment:

  • A pull channel that gathers infrastructure information (instances, security groups, and so on). The script periodically opens this channel through the provider APIs.
  • A push channel that sends near-real-time information from your activity logs (for example, VPC Flow Logs and CloudTrail logs).

Pull channel

To enable the pull, the script creates a read-only role: Avid-Role.

If the role already exists in the environment, the script checks that it has the appropriate policy permissions and continues. Otherwise it creates a new role with the managed policy arn:aws:iam::aws:policy/SecurityAudit and the following additional permissions:

  • elasticfilesystem:DescribeMountTargetSecurityGroups
  • elasticfilesystem:DescribeMountTargets
  • sns:ListSubscriptions
  • s3:GetAccountPublicAccessBlock
  • ce:GetCostAndUsage
  • ce:GetCostForecast
  • ce:GetUsageForecast
  • eks:List*

Push channel

For the push channel, the script creates and configures:

  • A CloudTrail trail, CT-AvidSecure, that delivers AWS CloudTrail log events from all regions to an S3 bucket named avid-cloudtrail-<ACCOUNT>. If the bucket does not already exist in your account, the script creates it. The trail is configured to log all management and data events and to deliver them to the newly created CloudWatch log group CT-Avid-LogGroup.
  • A role, Avid-CT-to-CW, that allows CloudTrail to send events to CloudWatch. It has the s3:GetBucketAcl and s3:PutObject permissions, and is allowed to perform logs:CreateLogStream and logs:PutLogEvents on resources associated with the log group CT-Avid-LogGroup.
  • A role, Avid-Lambda-to-CloudWatch, that allows an AWS Lambda function to read CloudWatch events through the managed policy arn:aws:iam::aws:policy/CloudWatchEventsReadOnlyAccess, and is allowed to perform logs:CreateLogGroup, logs:CreateLogStream, logs:DescribeLogGroups, logs:DescribeLogStreams and logs:PutLogEvents.
  • A subscription filter associated with CT-Avid-LogGroup that subscribes to the real-time stream of log events ingested through the trail and delivers them to the AWS Lambda function Avid-CloudTrail-function. The Lambda function reads and parses the log events and sends them to the Sophos Cloud Optix collectors running for your account.
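The pull-channel permissions above are meant to stay read-only, and the push-channel roles are meant to be scoped to specific resources. The following is an added example, not part of the Sophos script or this page, that encodes those two expectations as checks a reviewer can run against a policy document before or after the script has been applied. The account ID, region, and the S3 key prefix in the Avid-CT-to-CW policy are assumed sample values; the page does not give them.

```python
# Constructed sample identifiers; the page gives no account ID or region.
ACCOUNT = "123456789012"
REGION = "us-east-1"
BUCKET = f"avid-cloudtrail-{ACCOUNT}"
LOG_GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:CT-Avid-LogGroup:*"

# Extra actions the page lists for the read-only Avid-Role (pull channel).
PULL_ACTIONS = [
    "elasticfilesystem:DescribeMountTargetSecurityGroups",
    "elasticfilesystem:DescribeMountTargets", "sns:ListSubscriptions",
    "s3:GetAccountPublicAccessBlock", "ce:GetCostAndUsage",
    "ce:GetCostForecast", "ce:GetUsageForecast", "eks:List*",
]

def non_read_only(actions):
    """Actions whose verb is not Describe/List/Get (prefix match, so eks:List* passes)."""
    bad = []
    for action in actions:
        verb = action.partition(":")[2]
        if not verb.startswith(("Describe", "List", "Get")):
            bad.append(action)
    return bad

def ct_to_cw_policy():
    """Assumed Avid-CT-to-CW permissions: bucket ACL read, object writes under the
    standard CloudTrail key prefix, log-stream writes scoped to CT-Avid-LogGroup."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetBucketAcl"],
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{ACCOUNT}/*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": LOG_GROUP_ARN},
    ]}

def unscoped_actions(policy):
    """Actions allowed on a bare Resource "*": a sign the role drifted from least privilege."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        res, acts = stmt.get("Resource", []), stmt.get("Action", [])
        res = [res] if isinstance(res, str) else res
        acts = [acts] if isinstance(acts, str) else acts
        if "*" in res:
            found.extend(acts)
    return found
```

Feed `unscoped_actions` the policy document fetched for Avid-CT-to-CW or Avid-Lambda-to-CloudWatch to confirm the logs actions remain tied to the named log groups.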

The script also enables VPC Flow Logs in all regions and ships them to the Sophos Cloud Optix platform. To do this, the script:

  • Enables VPC Flow Logs to capture information about IP traffic and publishes them to CloudWatch Logs under the log group Flowlogs-Avid-LogGroup.
  • Creates a role, Avid-VPCFlow-Role, that allows VPC Flow Logs to perform logs:CreateLogGroup, logs:CreateLogStream, logs:DescribeLogGroups, logs:DescribeLogStreams and logs:PutLogEvents.
  • Creates a subscription filter associated with Flowlogs-Avid-LogGroup that subscribes to the real-time stream of flow-log events ingested into that log group and delivers them to the AWS Lambda function Avid-VPC-LOGS-function. The Lambda function reads and parses the flow logs and sends them to the Sophos Cloud Optix collectors running for your account.

Note: If you prefer not to enable VPC Flow Logs, set the FLOW_LOGS variable in the script accordingly. Without VPC Flow Logs, the Topology feature will not show inbound/outbound traffic visualization, and anomaly detection will not find unusual traffic patterns.