Add AWS environments using an organization trail

You can use an AWS SNS topic to add the AWS accounts in an organization trail to Sophos Cloud Optix.

Restriction Use these instructions only if you're using AWS Organizations with an organization trail, and your organization trail is owned by an AWS account that isn't your master account.

You then do as follows:

  • Create and configure an SNS topic.
  • Configure your S3 bucket to send notifications to the SNS topic.
  • Add the AWS account that owns the organization trail to Sophos Cloud Optix.
  • Then add each AWS account that sends its CloudTrail events to the account you just added.

Create and configure SNS topic

Before you begin you need to identify the S3 bucket that stores your organization trail files.

To create and configure the SNS topic, do as follows.

  1. Sign in to AWS.
  2. Create an SNS topic.

    The topic must be in the same region as the S3 bucket that receives your organization trail files.

  3. Copy the S3 bucket name and the name of the SNS topic to use later.
  4. Click Access policy and use the JSON editor to configure the access policy as follows:
    1. In the Resource field, replace SNS ARN with your SNS Amazon Resource Name (ARN).
    2. In the AWS:SourceArn field, replace BUCKET ARN with your CloudTrail S3 bucket ARN.

    Here's an example:

    {
        "Version": "2012-10-17",
        "Statement": [
        {
        "Sid": "OptixSNSpermission20150201",
        "Effect": "Allow",
        "Principal": {
        "Service": "s3.amazonaws.com"
        },
        "Action": "SNS:Publish",
        "Resource": "${SNS ARN}",
        "Condition": {
            "StringEquals": {
            "AWS:SourceArn": "${BUCKET ARN}"
            }
        }
        }
        ]
    }
    

Configure S3 bucket notifications

To configure your S3 bucket notifications to use the new SNS topic, do as follows.

  1. In AWS go to your S3 bucket.
  2. Click Properties and go to Event notifications.
  3. Check that you don't have any existing notifications set for CloudTrail create events.
    1. If you do, you must remove them and create a new notification.
  4. Click Create event notification.
  5. Enter a name for the event notification.
  6. Enter .gz as the Suffix.
  7. Turn on All object create events.
  8. In Destination click SNS topic.
  9. Enter the name of the SNS topic you created earlier.

    Here's an example, labeled with the step numbers:


    Screenshot showing fields to edit when creating the event notification.
  10. Click Save changes.

Add AWS account to Sophos Cloud Optix

To add the AWS account that owns the organization trail to Sophos Cloud Optix do as follows:

  1. Go to Sophos Cloud Optix and click Add environments > AWS > Choose a full setup option.
  2. Go to CloudTrail Logs Setup Options.
  3. Click AWS CLI (Linux and Mac only) > Customize your setup > Continue.
  4. In CloudTrail Logs Setup Options, set Export CloudTrail logs to Cloud Optix to Yes.
  5. Click Use existing resources.
  6. Enter your SNS and S3 bucket details.

    You must leave the S3 bucket Prefix (optional) field empty.

  7. Click Continue.
  8. Finish the Add your AWS Environment assistant.

    You can set the rest of the options according to your needs.

Check that the account appears in Environments before you continue.

Add other AWS accounts

You must now add to Sophos Cloud Optix all the AWS accounts that send CloudTrail events to the account you just added.

For each account, do as follows:

  1. Go to Sophos Cloud Optix and click Add environments > AWS > Choose a full setup option.
  2. Go to CloudTrail Logs Setup Options.
  3. Click AWS CLI (Linux and Mac only) > Customize your setup > Continue.
  4. In CloudTrail Logs Setup Options, set Export CloudTrail logs to Cloud Optix to No.
  5. Click Continue.
  6. Finish the Add your AWS Environment assistant.

    You can set the rest of the options according to your needs.