Legacy: Resources created in your AWS environments
A full deployment of Sophos Cloud Optix adds AWS environments to the service and sets up communication between AWS and Sophos.
There are three full deployment methods:
- Using the Sophos Cloud Optix AWS CLI script provided for Linux and macOS.
- Using AWS CloudFormation.
- Using the Terraform template provided.
Full deployment sets up two communication channels with the environment:
- Pull channel to gather infrastructure information about instances, security groups, etc. This uses a read-only IAM Role in your AWS account.
- Push channel to export CloudTrail Logs and VPC Flow Logs to Sophos Cloud Optix for analysis. This requires resources to be created and configured in your AWS environment.
You can also set up Sophos Cloud Optix for AWS environments using Quick-start, which only sets up the pull channel. You can perform a full deployment to add the push channel later, if necessary.
Pull channel
To set up the pull channel, a read-only IAM role, `Avid-Role`, is created.
If this role already exists in the environment, the deployment continues after checking that it has the appropriate policy permissions. If not, the new role is created with the SecurityAudit AWS managed policy (`arn:aws:iam::aws:policy/SecurityAudit`) and the following additional permissions:
- elasticfilesystem:DescribeMountTargetSecurityGroups
- elasticfilesystem:DescribeMountTargets
- sns:ListSubscriptions
- s3:GetAccountPublicAccessBlock
- ce:GetCostAndUsage
- ce:GetCostForecast
- ce:GetUsageForecast
- eks:List*
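The deployment checks an existing `Avid-Role` for the permissions listed above before reusing it. The following is an added example, not Sophos code, of how a defender can perform the same check offline against a role's attached policy ARNs and its policy documents (as returned by the IAM API or dumped from Terraform state). It implements IAM's case-insensitive action wildcard matching, so a grant of `ce:Get*` satisfies the three `ce:` permissions, and reports anything an explicit Deny statement would block. The sample policy and account ID are constructed; `Condition` elements and `NotAction` statements are not evaluated, which is a deliberate simplification.

```python
import fnmatch
import json

SECURITY_AUDIT_ARN = "arn:aws:iam::aws:policy/SecurityAudit"

# The additional permissions this page says Avid-Role receives besides SecurityAudit.
REQUIRED_ADDITIONAL_ACTIONS = [
    "elasticfilesystem:DescribeMountTargetSecurityGroups",
    "elasticfilesystem:DescribeMountTargets",
    "sns:ListSubscriptions",
    "s3:GetAccountPublicAccessBlock",
    "ce:GetCostAndUsage",
    "ce:GetCostForecast",
    "ce:GetUsageForecast",
    "eks:List*",
]

_PROBE = "zzprobe"  # stands in for the tail of a required wildcard such as eks:List*


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers(granted, required):
    """True if the granted action pattern is at least as broad as the required one.

    IAM action names match case-insensitively with * and ? wildcards. A required
    pattern's own wildcard is approximated by a probe string, so 'eks:List*' is
    covered by 'eks:List*', 'eks:*' or '*', but not by 'eks:ListClusters'.
    """
    probe = required.lower().replace("*", _PROBE)
    return fnmatch.fnmatchcase(probe, granted.lower())


def _statements(policy_documents):
    for doc in policy_documents:
        if isinstance(doc, str):  # accept raw JSON as well as parsed dicts
            doc = json.loads(doc)
        for stmt in _as_list(doc.get("Statement")):
            yield stmt


def audit_pull_role(attached_policy_arns, policy_documents,
                    required=REQUIRED_ADDITIONAL_ACTIONS):
    """Report whether SecurityAudit is attached, which required actions no
    account-wide Allow covers, and which an explicit Deny would block.
    Conditions and NotAction are ignored (simplification of this example)."""
    allowed, denied = [], []
    for stmt in _statements(policy_documents):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") == "Allow":
            # These Describe/List/Get calls are account-wide, so only an
            # unconditional Resource "*" grant counts as covering them.
            if "*" in _as_list(stmt.get("Resource")) and "Condition" not in stmt:
                allowed.extend(actions)
        elif stmt.get("Effect") == "Deny":
            denied.extend(actions)  # conservative: any Deny scope is reported
    missing = [r for r in required if not any(_covers(g, r) for g in allowed)]
    explicitly_denied = [r for r in required if any(_covers(d, r) for d in denied)]
    return {
        "security_audit_attached": SECURITY_AUDIT_ARN in attached_policy_arns,
        "missing": missing,
        "explicitly_denied": explicitly_denied,
    }


# Constructed sample: an inline policy that is close to, but not quite, what
# the deployment expects (no SNS grant, and a stray Deny on a Cost Explorer call).
SAMPLE_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["elasticfilesystem:DescribeMountTarget*",
                    "s3:GetAccountPublicAccessBlock", "ce:Get*", "eks:List*"]},
        {"Effect": "Deny", "Resource": "*", "Action": "ce:GetCostForecast"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_pull_role([SECURITY_AUDIT_ARN], [SAMPLE_INLINE_POLICY]), indent=2))
```

Run it against the real role by feeding `audit_pull_role` the `PolicyArn` values from `list-attached-role-policies` and the documents from `get-role-policy` / `get-policy-version`; a non-empty `missing` or `explicitly_denied` list means the existing role will not behave as the page describes.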
Push channel
Resources are required to export CloudTrail Logs and VPC Flow Logs to Sophos Cloud Optix.
To export CloudTrail Logs, the following resources are created and configured:
- A trail (CloudTrail), `CT-AvidSecure`, to deliver AWS CloudTrail log events from all regions to an S3 bucket, `avid-cloudtrail-<ACCOUNT>`. If the bucket doesn't already exist in your account, it's created. The trail is configured to log all management and data events, and to deliver to the newly created CloudWatch log group `CT-Avid-LogGroup`.
- A role, `Avid-CT-to-CW`, for CloudTrail. This allows CloudTrail to send events to CloudWatch. It has the permissions `s3:GetBucketAcl` and `s3:PutObject`, and is allowed to perform the actions `logs:CreateLogStream` and `logs:PutLogEvents` on resources associated with the log group `CT-Avid-LogGroup`.
- A role, `Avid-Lambda-to-CloudWatch`. This allows an AWS Lambda function to read CloudWatch events using the managed policy `arn:aws:iam::aws:policy/CloudWatchEventsReadOnlyAccess`. The role can perform the following actions: `logs:CreateLogGroup`, `logs:CreateLogStream`, `logs:DescribeLogGroups`, `logs:DescribeLogStreams`, `logs:PutLogEvents`.
- A subscription filter, created and associated with `CT-Avid-LogGroup`, to subscribe to the real-time stream of log events and deliver them to the AWS Lambda function `Avid-CloudTrail-function`. The Lambda function reads and parses the log and sends the parsed events to Sophos Cloud Optix.
VPC Flow Logs are turned on and exported to the Sophos Cloud Optix service for analysis.
To export VPC Flow Logs, the following steps are taken:
- VPC Flow Logs are turned on to capture IP traffic information and publish it to CloudWatch Logs under the log group `Flowlogs-Avid-LogGroup`.
- An IAM role, `Avid-VPCFlow-Role`, is created, which allows the VPC Flow Logs service to perform the following actions: `logs:CreateLogGroup`, `logs:CreateLogStream`, `logs:DescribeLogGroups`, `logs:DescribeLogStreams`, `logs:PutLogEvents`.
- A subscription filter, created and associated with `Flowlogs-Avid-LogGroup`, to subscribe to the real-time stream of log events and deliver them to the AWS Lambda function `Avid-VPC-LOGS-function`. The Lambda function reads and parses the flow logs and sends them to Sophos Cloud Optix.