Add AWS environments using CloudFormation

You can use our assistant to add AWS environments to Sophos Cloud Optix using AWS CloudFormation.

Introduction

Warning If you're using AWS Organizations to centrally manage multiple AWS accounts, don't follow these instructions. Follow the instructions in Add AWS environments with AWS Organizations instead.

When adding AWS environments the assistant prompts you to make choices and provide information. The assistant fills in the parameters needed to create the stack in AWS.

This document contains background information about the tasks you may need to complete, and the parameters used.

Collect information from your Sophos Cloud Optix console

The information is used to link the StackSet to your Sophos Cloud Optix accounts.

Before creating AWS CloudFormation StackSets you must collect information from your Sophos Cloud Optix account. This is used later in the AWS Create StackSet assistant.

  1. Sign in to your Sophos Cloud Optix account.
  2. Go to Settings and click Environments > Add New Environment.
  3. On the Add your cloud environment page, note the details under Add multiple AWS accounts using CloudFormation StackSets.

    You must take note of the following parameters:

    • DnsPrefixCloudTrail
    • ExternalId
    • ReqID
    • CustomerId
    • DnsPrefixFlow
  4. Go to the AWS console to create your CloudFormation StackSets.

Assign a role to the AWS account chosen as your master account

You must first choose an AWS account as your master account.

Choose an AWS account to be your master account. To assign the appropriate role to this account, do as follows:

  1. Sign into the AWS console using the account you have chosen.
  2. Click the Launch Stack button here to go to the Quick stack create page with the correct parameters: Launch Stack button
    Note You must click the Launch Stack button on this help page. It is configured with the correct parameters.
  3. In Quick create stack check the Template URL is https://avidcore.s3-us-west-2.amazonaws.com/aws/cloudformation/cloudformation/AWSCloudFormationStackSetAdministrationRole.yml.
  4. Check that the Stack name is CloudOptixStackSetAdmin.

    This image shows the correct name.


    Screenshot showing Stack name field
  5. Turn on I acknowledge that AWS CloudFormation might create IAM resources with custom names
  6. Click Create stack to create the role in your master account.
  7. Sign out of your AWS console.

Assign roles to each target member AWS account

You assign roles for the designated target member accounts.

This process does not add the AWS master account to Sophos Cloud Optix. It only adds the target member accounts. If you want to add the master account, you must do it separately.

To create an AWS CloudFormation StackSet in every target member account, follow these instructions for each account:

  1. Sign into the AWS console using an account you have chosen as a target account.

    You must not be signed into your chosen master account.

  2. Click the Launch Stack button here to go to the Quick stack create page with the correct parameters: Launch Stack button
    Note You must click the Launch Stack button on this help page. It is configured with the correct parameters.
  3. In Quick create stack, check that the Template URL is https://avidcore.s3-us-west-2.amazonaws.com/aws/cloudformation/cloudformation/AWSCloudFormationStackSetExecutionRole.yml.
  4. Check that the Stack name is CloudOptixStackSetTarget

    This image shows the correct name.

    Screenshot showing Stack name field

  5. Under Parameters, enter the AWS Account ID of your admin account in AdministratorAccountId.

    This image shows the account ID field.

    Screenshot showing AdministratorAccountId field

  6. Turn on I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  7. Click Create stack to create the role in the target account.
  8. Sign out of your target member account's AWS console.
  9. Sign into the next target member account and repeat as required.

Configure CloudFormation StackSet in the master AWS account

To create the AWS CloudFormation StackSet do as follows:

  1. Sign into the AWS console with your AWS master account.
  2. Select the CloudFormation service.
  3. Select StackSets.
  4. Select Create StackSet.
  5. On the Choose a template page select Template is ready.

    Here's an image showing template selection.


    Screenshot showing template selection
  6. Select Amazon S3 URL as the template source.
  7. Enter the template URL: https://avidcore.s3-us-west-2.amazonaws.com/aws/collectorv2-config/cloudformation/cfn-onboarding.yaml

    Here's an image showing the correct URL.


    Screenshot showing template source field with correct URL
  8. Click Next.

Create CloudFormation StackSet

Use Sophos Cloud Optix information in the Create StackSet assistant.

Use the parameters you obtained earlier from your Sophos Cloud Optix account to fill in the fields in the AWS CloudFormation StackSet assistant. This links your StackSets to Sophos Cloud Optix.

Warning Don't delete or amend any fields that are pre-populated by Sophos Cloud Optix or on-boarding fails.

Ensure you are signed into your chosen AWS master account and do as follows:

  1. Enter OptixStackSet into StackSet name on the Specify StackSet details page.Change the description if necessary.
  2. Enter the following parameters from Sophos Cloud Optix:
    • DnsPrefixCloudTrail
    • ExternalId
    • ReqID
    • CustomerId
    • DnsPrefixFlow
    1. Don't change the SophosOptixAccountId field.
  3. The pre-populated list in the RegionList must only be changed if some of your regions don't have a default Amazon Virtual Private Cloud (VPC). You must remove those regions from the RegionList field or the on-boarding process fails.
  4. Don't change any other fields.

    Here is an example of the Parameters menu with correct data.


    Screenshot of Parameters menu, showing correct data in fields
  5. Click Next.
    The Configure StackSet options page appears. You don't need to change anything.
  6. Click Next.
  7. On the Set deployment options page, select Deploy stacks in accounts.
  8. In the Account numbers field, enter the account numbers of the target member accounts you want to add to Sophos Cloud Optix (the accounts in which you created the AWSCloudFormationStackSetExecutionRole).

    Screenshot of Set deployment options menu, showing correct options selected
  9. In Specify regions, choose one region.

    The CloudFormation stack instance is created in this region for the target member account.

  10. Click Next.
  11. A Review page appears, which shows you all the options you have entered. Check this carefully.
  12. Turn on I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  13. Close the assistant.
    This creates the stack instance and adds the target member accounts to Sophos Cloud Optix

Adding EKS clusters

Note After adding your AWS account to Sophos Cloud Optix, you can add Amazon Elastic Kubernetes Service (EKS) clusters. You must add these clusters to Sophos Cloud Optix separately, using the Amazon CLI script provided by Sophos. See Add your Amazon EKS clusters.