Legacy: Add AWS environments with AWS Organizations

How to add AWS environments you manage with AWS Organizations to Sophos Cloud Optix using AWS CloudFormation.

Introduction

Warning You must only use this help section if you opened your Sophos Cloud Optix account before November 17, 2020. If you opened your account after that date, you must use the instructions under Add your AWS environments.

You can use AWS CloudFormation to add multiple AWS accounts that you manage with AWS Organizations to Sophos Cloud Optix.

To do this you use details from your Sophos Cloud Optix console to configure your AWS CloudFormation StackSet.

This starts Stack Instance creation in your AWS accounts and adds those accounts to Sophos Cloud Optix.

You must do as follows:

  • Collect information from your Sophos Cloud Optix console.
  • Configure the CloudFormation StackSet in the master account.
  • Create the CloudFormation StackSet.
  • Add your AWS Organizations CloudTrail to Sophos Cloud Optix.

Collect information from your Sophos Cloud Optix console

The information is used to link the StackSet to your Sophos Cloud Optix accounts.

Before creating AWS CloudFormation StackSets you must collect information from your Sophos Cloud Optix account. This is used later in the AWS Create StackSet assistant.

  1. Sign in to your Sophos Cloud Optix account.
  2. Go to Settings and click Environments > Add New Environment.
  3. On the Add your cloud environment page, note the details under Add multiple AWS accounts using CloudFormation StackSets.

    You must take note of the following parameters:

    • DnsPrefixCloudTrail
    • ExternalId
    • ReqID
    • CustomerId
    • DnsPrefixFlow
  4. Go to the AWS console to create your CloudFormation StackSets.

Configure CloudFormation StackSet in the master AWS account

To create the AWS CloudFormation StackSet do as follows:

  1. Sign in to the AWS console with your AWS master account.
  2. Select the CloudFormation service.
  3. Select StackSets.
  4. Select Create StackSet.
  5. On the Choose a template page select Template is ready.

    Screenshot showing template selection
  6. Select Amazon S3 URL as the template source.
  7. Enter the template URL: https://avidcore.s3-us-west-2.amazonaws.com/aws/cloudformation/cloudformation/cfn-onboarding.yaml

    Screenshot showing the template source field with the correct URL
  8. Click Next.

Create CloudFormation StackSet for AWS Organizations

Use Sophos Cloud Optix information in the Create StackSet assistant.

Use the parameters you obtained earlier from your Sophos Cloud Optix account to fill in the fields in the AWS CloudFormation StackSet assistant. This links your StackSets to Sophos Cloud Optix.

Warning Don't delete or amend any fields that are pre-populated by Sophos Cloud Optix, or on-boarding fails.

Ensure you are signed in to your chosen AWS master account and do as follows:

  1. Enter OptixStackSet into StackSet name on the Specify StackSet details page. Change the description if necessary.
  2. Enter the following parameters from Sophos Cloud Optix:
    • DnsPrefixCloudTrail
    • ExternalId
    • ReqID
    • CustomerId
    • DnsPrefixFlow
    Don't change the SophosOptixAccountId field.
  3. Only change the pre-populated RegionList if some of your regions don't have a default Amazon Virtual Private Cloud (VPC). Remove those regions from the RegionList field, or the on-boarding process fails.
  4. Set the isOrganizationTrail parameter to true.
  5. Don't change any other fields.

    Screenshot of the Parameters menu, showing correct data in the fields

  6. Click Next.
    The Configure StackSet options page appears. You don't need to change anything.
  7. Click Next.
  8. On the Set deployment options page, select Deploy to Organization.

    Screenshot of Set deployment options menu, showing correct options selected

  9. In Specify regions, choose one region.

    The CloudFormation stack instance is created in this region for the target member account.

  10. Click Next.
  11. A Review page appears, which shows you all the options you have entered. Check this carefully.
  12. Turn on I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  13. Close the assistant.
    This creates the stack instance and adds the target member accounts to Sophos Cloud Optix.
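The StackSet steps above are console clicks. The following script is an added example (not Sophos code and not the contents of the cfn-onboarding.yaml template): it assembles the same parameters from values copied out of the Sophos Cloud Optix console, prunes RegionList to regions that actually have a default VPC (the failure mode the RegionList step warns about), and renders the equivalent AWS CLI commands for review before anything is created. Assumptions not stated on the page: that RegionList is a comma-delimited list, that isOrganizationTrail takes the literal string true, and that "Deploy to Organization" corresponds to the SERVICE_MANAGED permission model targeting the organization root. The Sophos values and the root ID below are constructed placeholders.

```python
"""Added example (not Sophos code): build OptixStackSet parameters, prune
RegionList to regions with a default VPC, and render the AWS CLI equivalent."""
import json
import shlex

# Template URL exactly as given on the help page.
TEMPLATE_URL = ("https://avidcore.s3-us-west-2.amazonaws.com/aws/"
                "cloudformation/cloudformation/cfn-onboarding.yaml")
STACK_SET_NAME = "OptixStackSet"

# Values you copy from Settings > Environments > Add New Environment.
# These are constructed placeholders, not real Sophos Cloud Optix values.
OPTIX_VALUES = {
    "DnsPrefixCloudTrail": "PLACEHOLDER-cloudtrail-prefix",
    "ExternalId": "PLACEHOLDER-external-id",
    "ReqID": "PLACEHOLDER-req-id",
    "CustomerId": "PLACEHOLDER-customer-id",
    "DnsPrefixFlow": "PLACEHOLDER-flow-prefix",
}
REQUIRED_KEYS = tuple(OPTIX_VALUES)


def prune_region_list(region_list, regions_with_default_vpc):
    """Split region_list into (keep, dropped), keeping order; dropped = no default VPC."""
    keep = [r for r in region_list if r in regions_with_default_vpc]
    dropped = [r for r in region_list if r not in regions_with_default_vpc]
    return keep, dropped


def find_regions_with_default_vpc(session, region_list):
    """Live check: ask EC2 in each region for a default VPC.
    Needs boto3 and credentials; the offline test does not call this."""
    found = set()
    for region in region_list:
        ec2 = session.client("ec2", region_name=region)
        resp = ec2.describe_vpcs(Filters=[{"Name": "isDefault", "Values": ["true"]}])
        if resp.get("Vpcs"):
            found.add(region)
    return found


def build_parameters(optix_values, region_list, is_org_trail=True):
    """Return the CloudFormation Parameters list; SophosOptixAccountId is left
    at its template default, as the help page says not to change it."""
    missing = [k for k in REQUIRED_KEYS if not optix_values.get(k)]
    if missing:
        raise ValueError(f"missing Sophos Cloud Optix values: {missing}")
    if not region_list:
        raise ValueError("RegionList must not be empty")
    params = [{"ParameterKey": k, "ParameterValue": optix_values[k]} for k in REQUIRED_KEYS]
    # Assumption: RegionList is a comma-delimited list parameter.
    params.append({"ParameterKey": "RegionList", "ParameterValue": ",".join(region_list)})
    params.append({"ParameterKey": "isOrganizationTrail",
                   "ParameterValue": "true" if is_org_trail else "false"})
    return params


def cli_commands(params, deploy_regions, org_root_id):
    """Render the create-stack-set and create-stack-instances commands as strings
    so they can be reviewed (and diffed against the console wizard) before use."""
    create = [
        "aws", "cloudformation", "create-stack-set",
        "--stack-set-name", STACK_SET_NAME,
        "--template-url", TEMPLATE_URL,
        "--parameters", json.dumps(params),
        "--capabilities", "CAPABILITY_NAMED_IAM",   # the wizard's IAM acknowledgement
        "--permission-model", "SERVICE_MANAGED",    # assumption: "Deploy to Organization"
        "--auto-deployment", "Enabled=true,RetainStacksOnAccountRemoval=false",
    ]
    instances = [
        "aws", "cloudformation", "create-stack-instances",
        "--stack-set-name", STACK_SET_NAME,
        "--deployment-targets", f"OrganizationalUnitIds={org_root_id}",
        "--regions", *deploy_regions,               # "Specify regions": one region
    ]
    return shlex.join(create), shlex.join(instances)


if __name__ == "__main__":
    # Constructed inputs: a pre-populated RegionList and the regions found to have a default VPC.
    prepopulated = ["us-east-1", "eu-west-1", "ap-south-1"]
    keep, dropped = prune_region_list(prepopulated, {"us-east-1", "ap-south-1"})
    print("dropped from RegionList (no default VPC):", dropped)
    create_cmd, instances_cmd = cli_commands(
        build_parameters(OPTIX_VALUES, keep), ["us-east-1"], "r-PLACEHOLDER")
    print(create_cmd)
    print(instances_cmd)
```

Run it with real values in OPTIX_VALUES and the output of find_regions_with_default_vpc to get commands you can review line by line; the script never calls CloudFormation itself.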

Add your AWS Organizations CloudTrail to Sophos Cloud Optix

Add your AWS Organizations CloudTrail to Sophos Cloud Optix using an additional CloudFormation template.

Note You must sign in with the AWS Organization's master account that owns your CloudTrail.

  1. Sign in to the AWS console using your master account.
  2. Click the Launch Stack button on this help page to go to the Quick create stack page with the correct parameters.
    Note You must click the Launch Stack button on this help page. It is configured with the correct parameters.
  3. In Quick create stack enter the name of the existing CloudTrail that you want to use in the CloudTrail field.
  4. Enter the region of the existing CloudTrail in the CloudTrailRegion field. The field defaults to us-west-1.
    Check this carefully. Onboarding fails if this information is incorrect.
  5. Use the parameters you obtained earlier from your Sophos Cloud Optix console to fill in the following fields:
    • CustomerId
    • DnsPrefixCloudTrail
  6. Turn on I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  7. Click Create Stack.
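Step 4 warns that on-boarding fails if the trail region is wrong, and the field defaults to us-west-1 whether or not your trail lives there. The following is an added example (not Sophos code): it checks the CloudTrail name and CloudTrailRegion you intend to enter against the output of CloudTrail's DescribeTrails call, and refuses a trail that is not an organization trail or whose home region differs from the value typed in. The trail records below are constructed samples in the shape of that API response; the live lookup is a thin boto3 wrapper that the offline test does not call.

```python
"""Added example (not Sophos code): validate the CloudTrail / CloudTrailRegion
values for the Quick create stack page against DescribeTrails output."""

CONSOLE_DEFAULT_REGION = "us-west-1"  # the CloudTrailRegion field's default, per the help page

# Constructed sample trails in the shape of CloudTrail DescribeTrails "trailList" entries.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "HomeRegion": "us-east-1", "IsOrganizationTrail": True,
     "IsMultiRegionTrail": True,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail"},
    {"Name": "legacy-trail", "HomeRegion": "us-west-1", "IsOrganizationTrail": False,
     "IsMultiRegionTrail": False,
     "TrailARN": "arn:aws:cloudtrail:us-west-1:111111111111:trail/legacy-trail"},
]


def resolve_cloudtrail_params(trails, trail_name, region_entered=CONSOLE_DEFAULT_REGION):
    """Return (CloudTrail, CloudTrailRegion) ready for the stack form, or raise.

    LookupError: no trail of that name exists.
    ValueError: the trail is not an organization trail, or the region typed in
                does not match the trail's home region.
    """
    matches = [t for t in trails if t.get("Name") == trail_name]
    if not matches:
        raise LookupError(f"no trail named {trail_name!r}")
    trail = matches[0]
    problems = []
    if not trail.get("IsOrganizationTrail"):
        problems.append("not an organization trail (this page requires the AWS Organizations trail)")
    if trail.get("HomeRegion") != region_entered:
        problems.append(f"trail home region is {trail.get('HomeRegion')}, "
                        f"but CloudTrailRegion would be {region_entered}")
    if problems:
        raise ValueError("; ".join(problems))
    return trail["Name"], trail["HomeRegion"]


def fetch_trails(session, region_name="us-east-1"):
    """Live lookup with boto3 (management-account credentials required).
    DescribeTrails with shadow trails included lists organization and
    multi-region trails from any home region; entries are deduplicated by ARN."""
    client = session.client("cloudtrail", region_name=region_name)
    seen = {}
    for trail in client.describe_trails(includeShadowTrails=True).get("trailList", []):
        seen.setdefault(trail["TrailARN"], trail)
    return list(seen.values())


if __name__ == "__main__":
    # Taking the console default region unchanged is the mistake the page warns about.
    try:
        resolve_cloudtrail_params(SAMPLE_TRAILS, "org-trail")
    except ValueError as err:
        print("rejected:", err)
    print("use:", resolve_cloudtrail_params(SAMPLE_TRAILS, "org-trail", "us-east-1"))
```

With real credentials, pass `fetch_trails(boto3.Session())` as the trail list; the returned pair is what goes into the CloudTrail and CloudTrailRegion fields.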

Adding EKS clusters

Note After adding your AWS account to Sophos Cloud Optix, you can add Amazon Elastic Kubernetes Service (EKS) clusters. You must add these clusters to Sophos Cloud Optix separately, using the Amazon CLI script provided by Sophos. See Add your Amazon EKS clusters.