Add AWS environments using AWS CloudFormation

You can add AWS environments to Sophos Cloud Optix using AWS CloudFormation.

Introduction

To add a single AWS account using AWS CloudFormation, follow the instructions on the Add your AWS environment page to add the account in your Sophos Cloud Optix console.

You can also add multiple AWS accounts using AWS CloudFormation StackSets. To do this you must choose one AWS account as a master account, then assign target member accounts. You use details from your Sophos Cloud Optix console to configure your AWS CloudFormation StackSet.

This starts Stack Instance creation in the specified target member accounts and adds those accounts to Sophos Cloud Optix.

Note After adding your AWS account to Cloud Optix, you can add Amazon Elastic Kubernetes Service (EKS) clusters if you want to. You must add these clusters to Sophos Cloud Optix separately, using the Amazon CLI script provided by Sophos.

You must do as follows:

  • Collect information from your Sophos Cloud Optix console.
  • If you're not using AWS Organizations, assign roles to your master AWS account and target member AWS accounts.
  • Configure the CloudFormation StackSet in the master account.
  • Create the CloudFormation StackSet.
  • If you're using AWS Organizations, you'll also need to deploy an additional CloudFormation template to use an existing CloudTrail.
Note If you're using AWS Organizations to centrally manage multiple AWS accounts, follow the additional instructions after you have created and configured the CloudFormation StackSet.

Collect information from your Sophos Cloud Optix console

The information is used to link the StackSet to your Sophos Cloud Optix accounts.

Before creating AWS CloudFormation StackSets you must collect information from your Sophos Cloud Optix account. This is used later in the AWS Create StackSet assistant.

  1. Sign into your Sophos Cloud Optix account.
  2. Under Settings click Environments > Add New Environment.
  3. On the Add your cloud environment page, note the details under Add multiple AWS accounts using CloudFormation StackSets.

    You must take note of the following parameters:

    • DnsPrefixCloudTrail
    • ExternalId
    • ReqID
    • CustomerId
    • DnsPrefixFlow
  4. Go to the AWS console to create your CloudFormation StackSets.

Assign a role to the AWS account chosen as your master account

You must first choose an AWS account as your master account.

Restriction You must not do this if you're using AWS Organizations. Go straight to Create CloudFormation StackSet in the Master AWS account.

Choose an AWS account to be your master account. To assign the appropriate role to this account, do as follows:

  1. Sign into the AWS console using the account you have chosen.
  2. Click the Launch Stack button here to go to the Quick stack create page with the correct parameters.
    Note You must click the Launch Stack button on this help page. It is configured with the correct parameters.
  3. In Quick create stack check the Template URL is https://avidcore.s3-us-west-2.amazonaws.com/aws/cloudformation/cloudformation/AWSCloudFormationStackSetAdministrationRole.yml.

    Screenshot of Template URL field

  4. Check that the Stack name is CloudOptixStackSetAdmin.

    Screenshot of Stack name field

  5. Turn on I acknowledge that AWS CloudFormation might create IAM resources with custom names
  6. Click Create stack to create the role in your master account.
  7. Sign out of your AWS console.

Assign roles to each target member AWS account

You assign roles for the designated target member accounts.

Restriction You must not do this if you're using AWS Organizations. Go straight to Create CloudFormation StackSet in the Master AWS account.

This process does not add the AWS master account to Sophos Cloud Optix. It only adds the target member accounts. If you want to add the master account, you must do it separately.

To create an AWS CloudFormation StackSet in every target member account, follow these instructions for each account:

  1. Sign into the AWS console using an account you have chosen as a target account.

    You must not be signed into your chosen master account.

  2. Click the Launch Stack button here to go to the Quick stack create page with the correct parameters.
    Note You must click the Launch Stack button on this help page. It is configured with the correct parameters.
  3. In Quick create stack, check that the Template URL is https://avidcore.s3-us-west-2.amazonaws.com/aws/cloudformation/cloudformation/AWSCloudFormationStackSetExecutionRole.yml.

    Screenshot of Template URL field

  4. Check that the Stack name is CloudOptixStackSetTarget.

    Screenshot of Stack name field

  5. Under Parameters, enter the AWS Account ID of your admin account in AdministratorAccountId.

    Screenshot of AdministratorAccountId field

  6. Turn on I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  7. Click Create stack to create the role in the target account.
  8. Sign out of your target member account's AWS console.
  9. Sign into the next target member account and repeat as required.

Configure CloudFormation StackSet in the master AWS account

Using the Create StackSet assistant.

To create the AWS CloudFormation StackSet do as follows:

  1. Sign into the AWS console with your AWS master account.
  2. Select the CloudFormation service.
  3. Select StackSets.
  4. Select Create StackSet.
  5. On the Choose a template page select Template is ready.

    Screenshot of Prepare template selection

  6. Select Amazon S3 URL as the template source.
  7. Enter the template URL: https://avidcore.s3-us-west-2.amazonaws.com/aws/cloudformation/cloudformation/cfn-onboarding.yaml

    Screenshot of Template source field

  8. Click Next.

Create CloudFormation StackSet

Use Sophos Cloud Optix information in the Create StackSet assistant.

Use the parameters you obtained earlier from your Sophos Cloud Optix account to fill in the fields in the AWS CloudFormation StackSet assistant. This links your StackSets to Sophos Cloud Optix.

Warning Do not delete or amend any fields that are pre-populated by Sophos Cloud Optix, or onboarding fails.

Ensure you are signed into your chosen AWS master account and do as follows:

  1. Enter OptixStackSet into StackSet name on the Specify StackSet details page.
  2. You may change the pre-populated description field if necessary.
  3. Enter the following parameters from Sophos Cloud Optix:
    • DnsPrefixCloudTrail
    • ExternalId
    • ReqID
    • CustomerId
    • DnsPrefixFlow
  4. Do not change the fields AvidAccountId and BucketPrefix.
  5. Change the pre-populated RegionList only if some of your regions have no default Amazon Virtual Private Cloud (VPC). Remove those regions from the RegionList field, or the onboarding process fails.
  6. If you're using AWS Organizations, set the isOrganizationTrail parameter to true. Otherwise, set this parameter to false.
  7. Do not change any other fields.
    Screenshot of Parameters fields
  8. Click Next.
  9. You don't need to do anything on the Configure StackSet options page.
  10. Click Next.
  11. On the Set deployment options page, select Deploy stacks in accounts.
  12. In the Account numbers field, enter the account numbers of the target member accounts you want to add to Sophos Cloud Optix (the accounts in which you created the AWSCloudFormationStackSetExecutionRole).

    Screenshot of Set deployment options

  13. In Specify regions, choose one region. The CloudFormation stack instance is created in this region for the target member account.
  14. Click Next.
  15. This takes you to a Review page which shows you all the options you have entered. Check this carefully.
  16. Turn on I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  17. Close the assistant. This creates the stack instance and adds the target member accounts to Sophos Cloud Optix.
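The same Create StackSet procedure driven from the AWS CLI in the master account, as an added example that is not Sophos' own tooling. It assumes the AWS CLI is installed and authenticated to the master account, that the template's parameter keys are exactly the names listed above, and that every account ID and parameter value shown is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not Sophos tooling): the Create StackSet steps via the AWS CLI.
set -eu
TEMPLATE_URL="https://avidcore.s3-us-west-2.amazonaws.com/aws/cloudformation/cloudformation/cfn-onboarding.yaml"
STACKSET_NAME="OptixStackSet"

# Every target must be a 12-digit AWS account ID; returns 1 on the first bad one.
check_account_ids() {
  [ $# -gt 0 ] || return 1
  for id in "$@"; do
    case "$id" in
      [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
      *) return 1 ;;
    esac
  done
}

# Parameter JSON for the six console-supplied values (steps 3 and 6). AvidAccountId,
# BucketPrefix and RegionList are omitted so the template defaults apply (steps 4-5);
# add RegionList only to drop regions that lack a default VPC.
# Args: CustomerId ExternalId ReqID DnsPrefixCloudTrail DnsPrefixFlow isOrganizationTrail
build_params() {
  printf '[{"ParameterKey":"CustomerId","ParameterValue":"%s"},' "$1"
  printf '{"ParameterKey":"ExternalId","ParameterValue":"%s"},' "$2"
  printf '{"ParameterKey":"ReqID","ParameterValue":"%s"},' "$3"
  printf '{"ParameterKey":"DnsPrefixCloudTrail","ParameterValue":"%s"},' "$4"
  printf '{"ParameterKey":"DnsPrefixFlow","ParameterValue":"%s"},' "$5"
  printf '{"ParameterKey":"isOrganizationTrail","ParameterValue":"%s"}]\n' "$6"
}

# Create the StackSet (steps 1-8), then one stack instance per target account in one
# region (steps 11-13). CAPABILITY_NAMED_IAM is the CLI form of the "custom names"
# IAM acknowledgement (step 16). Args: region isOrganizationTrail account-id...
create_optix_stackset() {
  region="$1"; org_trail="$2"; shift 2
  check_account_ids "$@" || { echo "invalid target account id in: $*" >&2; return 1; }
  build_params "$CUSTOMER_ID" "$EXTERNAL_ID" "$REQ_ID" "$DNS_CT" "$DNS_FLOW" "$org_trail" > optix-params.json
  aws cloudformation create-stack-set --stack-set-name "$STACKSET_NAME" \
    --template-url "$TEMPLATE_URL" --parameters file://optix-params.json \
    --capabilities CAPABILITY_NAMED_IAM
  aws cloudformation create-stack-instances --stack-set-name "$STACKSET_NAME" \
    --accounts "$@" --regions "$region"
}

# Nothing is sent to AWS unless run with --apply; the values are constructed placeholders.
if [ "${1:-}" = "--apply" ]; then
  CUSTOMER_ID="<CustomerId from console>"; EXTERNAL_ID="<ExternalId from console>"
  REQ_ID="<ReqID from console>"; DNS_CT="<DnsPrefixCloudTrail>"; DNS_FLOW="<DnsPrefixFlow>"
  create_optix_stackset us-west-2 false 111111111111 222222222222
fi
```

Check the operation afterwards with `aws cloudformation describe-stack-set-operation`; a failed stack instance in one account does not stop the others.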

Additional instructions for AWS Organizations

AWS Organizations users must follow these additional steps.

If you are using AWS Organizations you must deploy an additional CloudFormation template to update your existing AWS Organization CloudTrail for Sophos Cloud Optix.

Note You must sign in with the AWS Organization's master account that owns your CloudTrail.

  1. Sign into the AWS console using your master account.
  2. Click the Launch Stack button here to go to the Quick stack create page with the correct parameters.
    Note You must click the Launch Stack button on this help page. It is configured with the correct parameters.
  3. In Quick create stack enter the name of the existing CloudTrail that you want to use in the CloudTrail field.
  4. Enter the region of the existing CloudTrail in the CloudTrailRegion field. The field defaults to us-west-1.
    Check this carefully. Onboarding fails if this information is incorrect.
  5. Use the parameters you obtained earlier from your Sophos Cloud Optix console to fill in the following fields:
    • CustomerId
    • DnsPrefixCloudTrail
  6. Turn on I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  7. Click Create Stack.