Legacy: Add AWS environments using AWS CloudFormation

You can add AWS environments to Sophos Cloud Optix using AWS CloudFormation.

Introduction

Warning You must only use this help section if you opened your Sophos Cloud Optix account before November 17, 2020. If you opened your account after that date, you must use the instructions under Add your AWS environments.
Warning If you're using AWS Organizations to centrally manage multiple AWS accounts, don't follow these instructions. Follow the instructions in Add AWS environments with AWS Organizations instead.

To add a single AWS account using AWS CloudFormation, follow the instructions on Add your AWS environment to add the account in your Sophos Cloud Optix console.

You can also add multiple AWS accounts using AWS CloudFormation StackSets. To do this you must choose one AWS account as a master account, then assign target member accounts. You use details from your Sophos Cloud Optix console to configure your AWS CloudFormation StackSet.

This starts Stack Instance creation in the specified target member accounts and adds those accounts to Sophos Cloud Optix.

You must do as follows:

  • Collect information from Sophos Cloud Optix.
  • Assign roles to your master AWS account and target member AWS accounts.
  • Configure the CloudFormation StackSet in the master account.
  • Create the CloudFormation StackSet.

Collect information from your Sophos Cloud Optix console

The information is used to link the StackSet to your Sophos Cloud Optix accounts.

Before creating AWS CloudFormation StackSets you must collect information from your Sophos Cloud Optix account. This is used later in the AWS Create StackSet assistant.

  1. Sign in to your Sophos Cloud Optix account.
  2. Go to Settings and click Environments > Add New Environment.
  3. On the Add your cloud environment page, note the details under Add multiple AWS accounts using CloudFormation StackSets.

    You must take note of the following parameters:

    • DnsPrefixCloudTrail
    • ExternalId
    • ReqID
    • CustomerId
    • DnsPrefixFlow
  4. Go to the AWS console to create your CloudFormation StackSets.

Assign a role to the AWS account chosen as your master account

You must first choose an AWS account as your master account.

Choose an AWS account to be your master account. To assign the appropriate role to this account, do as follows:

  1. Sign into the AWS console using the account you have chosen.
  2. Click the Launch Stack button here to go to the Quick stack create page with the correct parameters: Launch Stack button
    Note You must click the Launch Stack button on this help page. It is configured with the correct parameters.
  3. In Quick create stack check the Template URL is https://avidcore.s3-us-west-2.amazonaws.com/aws/cloudformation/cloudformation/AWSCloudFormationStackSetAdministrationRole.yml.

    Screenshot of Template URL field

  4. Check that the Stack name is CloudOptixStackSetAdmin.

    Screenshot of Stack name field

  5. Turn on I acknowledge that AWS CloudFormation might create IAM resources with custom names
  6. Click Create stack to create the role in your master account.
  7. Sign out of your AWS console.

Assign roles to each target member AWS account

You assign roles for the designated target member accounts.

This process does not add the AWS master account to Sophos Cloud Optix. It only adds the target member accounts. If you want to add the master account, you must do it separately.

To create an AWS CloudFormation StackSet in every target member account, follow these instructions for each account:

  1. Sign into the AWS console using an account you have chosen as a target account.

    You must not be signed into your chosen master account.

  2. Click the Launch Stack button here to go to the Quick stack create page with the correct parameters: Launch Stack button
    Note You must click the Launch Stack button on this help page. It is configured with the correct parameters.
  3. In Quick create stack, check that the Template URL is https://avidcore.s3-us-west-2.amazonaws.com/aws/cloudformation/cloudformation/AWSCloudFormationStackSetExecutionRole.yml.

    Screenshot of Template URL field

  4. Check that the Stack name is CloudOptixStackSetTarget

    Screenshot of Stack name field

  5. Under Parameters, enter the AWS Account ID of your admin account in AdministratorAccountId.

    Screenshot of AdministratorAccountId field

  6. Turn on I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  7. Click Create stack to create the role in the target account.
  8. Sign out of your target member account's AWS console.
  9. Sign into the next target member account and repeat as required.

Configure CloudFormation StackSet in the master AWS account

Using the Create StackSet assistant.

To create the AWS CloudFormation StackSet do as follows:

  1. Sign into the AWS console with your AWS master account.
  2. Select the CloudFormation service.
  3. Select StackSets.
  4. Select Create StackSet.
  5. On the Choose a template page select Template is ready.

    Screenshot of Prepare template selection

  6. Select Amazon S3 URL as the template source.
  7. Enter the template URL: https://avidcore.s3-us-west-2.amazonaws.com/aws/cloudformation/cloudformation/cfn-onboarding.yaml

    Screenshot of Template source field

  8. Click Next.

Create CloudFormation StackSet

Use Sophos Cloud Optix information in the Create StackSet assistant.

Use the parameters you obtained earlier from your Sophos Cloud Optix account to fill in the fields in the AWS CloudFormation StackSet assistant. This links your StackSets to Sophos Cloud Optix.

Warning Don't delete or amend any fields that are pre-populated by Sophos Cloud Optix or on-boarding fails.

Ensure you are signed into your chosen AWS master account and do as follows:

  1. Enter OptixStackSet into StackSet name on the Specify StackSet details page.
  2. You may change the pre-populated description field if necessary.
  3. Enter the following parameters from Sophos Cloud Optix:
    • DnsPrefixCloudTrail
    • ExternalId
    • ReqID
    • CustomerId
    • DnsPrefixFlow
  4. Don't change the AvidAccountId and BucketPrefix fields.
  5. The pre-populated list in the RegionList must only be changed if some of your regions don't have a default Amazon Virtual Private Cloud (VPC). You must remove those regions from the RegionList field or the on-boarding process fails.
  6. Don't change any other fields.
    Screenshot of Parameters fields
  7. Click Next.
  8. You don't need to do anything on the Configure StackSet options page.
  9. Click Next.
  10. On the Set deployment options page, select Deploy stacks in accounts.
  11. In the Account numbers field, enter the account numbers of the target member accounts you want to add to Sophos Cloud Optix (the accounts in which you created the AWSCloudFormationStackSetExecutionRole).

    Screenshot of Set deployment options

  12. In Specify regions, choose one region. The CloudFormation stack instance is created in this region for the target member account.
  13. Click Next.
  14. This takes you to a Review page which shows you all the options you have entered. Check this carefully.
  15. Turn on I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  16. Close the assistant. This creates the stack instance and adds the target member accounts to Sophos Cloud Optix.

Adding EKS clusters

Note After adding your AWS account to Cloud Optix, you can add Amazon Elastic Kubernetes Service (EKS) clusters. You must add these clusters to Sophos Cloud Optix separately, using the Amazon CLI script provided by Sophos. See Add your Amazon EKS clusters.