Legacy: Add AWS environments with AWS Organizations

How to add AWS environments you manage with AWS Organizations to Sophos Cloud Optix using AWS CloudFormation.

Introduction

Warning You must only use this help section if you opened your Sophos Cloud Optix account before November 17, 2020. If you opened your account after that date, you must use the instructions under Add your AWS environments.

You can use AWS CloudFormation to add multiple AWS accounts that you manage with AWS Organizations, to Sophos Cloud Optix.

To do this you use details from your Sophos Cloud Optix console to configure your AWS CloudFormation StackSet.

This starts Stack Instance creation in your AWS accounts and adds those accounts to Sophos Cloud Optix.

You must do as follows:

  • Collect information from your Sophos Cloud Optix console.
  • Configure the CloudFormation StackSet in the master account.
  • Create the CloudFormation StackSet.
  • Add your AWS Organizations CloudTrail to Sophos Cloud Optix.

Collect information from your Sophos Cloud Optix console

The information is used to link the StackSet to your Sophos Cloud Optix accounts.

Before creating AWS CloudFormation StackSets you must collect information from your Sophos Cloud Optix account. This is used later in the AWS Create StackSet assistant.

  1. Sign in to your Sophos Cloud Optix account.
  2. Go to Settings and click Environments > Add New Environment.
  3. On the Add your cloud environment page, note the details under Add multiple AWS accounts using CloudFormation StackSets.

    You must take note of the following parameters:

    • DnsPrefixCloudTrail
    • ExternalId
    • ReqID
    • CustomerId
    • DnsPrefixFlow
  4. Go to the AWS console to create your CloudFormation StackSets.

Configure CloudFormation StackSet in the master AWS account

Using the Create StackSet assistant.

To create the AWS CloudFormation StackSet do as follows:

  1. Sign into the AWS console with your AWS master account.
  2. Select the CloudFormation service.
  3. Select StackSets.
  4. Select Create StackSet.
  5. On the Choose a template page select Template is ready.

    Screenshot of Prepare template selection

  6. Select Amazon S3 URL as the template source.
  7. Enter the template URL: https://avidcore.s3-us-west-2.amazonaws.com/aws/cloudformation/cloudformation/cfn-onboarding.yaml

    Screenshot of Template source field

  8. Click Next.

Create CloudFormation StackSet for AWS Organizations

Use Sophos Cloud Optix information in the Create StackSet assistant.

Use the parameters you obtained earlier from your Sophos Cloud Optix account to fill in the fields in the AWS CloudFormation StackSet assistant. This links your StackSets to Sophos Cloud Optix.

Warning Don't delete or amend any fields that are pre-populated by Sophos Cloud Optix or on-boarding fails.

Ensure you are signed into your chosen AWS master account and do as follows:

  1. Enter OptixStackSet into StackSet name on the Specify StackSet details page.
  2. You may change the pre-populated description field if necessary.
  3. Enter the following parameters from Sophos Cloud Optix:
    • DnsPrefixCloudTrail
    • ExternalId
    • ReqID
    • CustomerId
    • DnsPrefixFlow
  4. Don't change the AvidAccountId and BucketPrefix fields.
  5. The pre-populated list in the RegionList must only be changed if some of your regions don't have a default Amazon Virtual Private Cloud (VPC). You must remove those regions from the RegionList field or the on-boarding process fails.
  6. Set the isOrganizationTrail parameter to true.
  7. Don't change any other fields.
    Screenshot of Parameters fields
  8. Click Next.
  9. You don't need to do anything on the Configure StackSet options page.
  10. Click Next.
  11. On the Set deployment options page, select Deploy to Organization.

    Screenshot of Set deployment options

  12. In Specify regions, choose one region. The CloudFormation stack instance is created in this region for the target member account.
  13. Click Next.
  14. This takes you to a Review page which shows you all the options you have entered. Check this carefully.
  15. Turn on I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  16. Close the assistant. This creates the stack instance and adds the target member accounts to Sophos Cloud Optix.

Add your AWS Organizations CloudTrail to Sophos Cloud Optix.

Add your AWS Organizations CloudTrail to Sophos Cloud Optix using an additional CloudFormation template.

Note You must sign in with the AWS Organization's master account that owns your CloudTrail.

  1. Sign into the AWS console using your master account.
  2. Click the Launch Stack button here to go to the Quick stack create page with the correct parameters: Launch Stack button
    Note You must click the Launch Stack button on this help page. It is configured with the correct parameters.
  3. In Quick create stack enter the name of the existing CloudTrail that you want to use in the CloudTrail field.
  4. Enter the region of the existing CloudTrail in the CloudTrailRegion field. The field defaults to us-west-1.
    Check this carefully. Onboarding fails if this information is incorrect.
  5. Use the parameters you obtained earlier from your Sophos Cloud Optix console to fill in the following fields:
    • CustomerId
    • DnsPrefixCloudTrail
  6. Turn on I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  7. Click Create Stack.

Adding EKS clusters

Note After adding your AWS account to Cloud Optix, you can add Amazon Elastic Kubernetes Service (EKS) clusters. You must add these clusters to Sophos Cloud Optix separately, using the Amazon CLI script provided by Sophos. See Add your Amazon EKS clusters.