AWS CLI script variables

AWS script variables

Required variables

The script for adding an AWS environment takes the following variables:

EXTERNAL_ID

The external ID for the role that Sophos Cloud Optix assumes when acting on your behalf. It is added to the trust policy of the read-only role that Sophos Cloud Optix creates in your environment, so that only a caller presenting this value can assume the role.

CUSTOMER_ID

The customer UUID used for all uploads and connections.

REQUEST_ID

A self-generated ID used to validate the account-addition request and to match the callback from the environment to the account being added.

The REQUEST_ID is refreshed periodically and each value remains valid for 7 days, so that multiple environments can be added from one customer account by scripting.

DNS_PREFIX_FLOW

The customer-specific DNS prefix used to connect back to the appropriate collector node in the Sophos Cloud Optix backend for VPC flow logs.

DNS_PREFIX_CLOUDTRAIL

The customer-specific DNS prefix used to connect back to the appropriate collector node in the Sophos Cloud Optix backend for CloudTrail logs.

Optional variables

Optionally, the script can also use the following variables if they are specified:

AWS_DEFAULT_REGION

Set this to install in a region other than the default region configured for the AWS CLI.

TRAIL_NAME

Set this to reuse an existing CloudTrail trail instead of creating a new one (the default installation creates a new trail). Enter the name of the existing trail.

Note that it must be possible to attach a Lambda function to the trail's CloudWatch Logs log group, so the existing trail must already deliver events to CloudWatch Logs.

FLOW_LOGS

By default the installation enables VPC Flow Logs for every Amazon VPC in all regions.

Specify 0 to skip enabling VPC flow logs.

To limit flow logs to specific regions, specify 1 and list the regions in the variable FLOWLOG_REGIONS.

FLOWLOG_REGIONS

Comma-separated list of AWS regions, used when FLOW_LOGS is 1.
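The following pre-flight check is an added example, not the Sophos Cloud Optix onboarding script itself. It applies the rules from both tables above (every required variable set; FLOW_LOGS either unset, 0, or 1 with a well-formed comma-separated FLOWLOG_REGIONS) before the real script is run, and prints the AssumeRole trust policy statement that the EXTERNAL_ID ends up in. The function names check_optix_vars and trust_policy, the TRUSTED_ACCOUNT_ID variable and the placeholder account number 111122223333 are assumptions for illustration; the sts:ExternalId condition key is the standard AWS mechanism for external IDs.

```shell
#!/bin/sh
# Added example (not the Sophos Cloud Optix script): validate the script
# variables before onboarding, and show where EXTERNAL_ID is enforced.

# check_optix_vars: return 0 when every required variable is set and the
# optional flow-log variables are consistent; otherwise report each problem
# on stderr and return 1.
check_optix_vars() {
  _rc=0
  for _name in EXTERNAL_ID CUSTOMER_ID REQUEST_ID DNS_PREFIX_FLOW DNS_PREFIX_CLOUDTRAIL; do
    eval "_val=\${$_name:-}"          # indirect lookup; names are fixed above
    if [ -z "$_val" ]; then
      echo "missing required variable: $_name" >&2
      _rc=1
    fi
  done

  # FLOW_LOGS: unset -> all regions (default); 0 -> skip; 1 -> use FLOWLOG_REGIONS
  case "${FLOW_LOGS:-}" in
    ""|0) ;;
    1)
      if [ -z "${FLOWLOG_REGIONS:-}" ]; then
        echo "FLOW_LOGS=1 requires FLOWLOG_REGIONS (comma-separated regions)" >&2
        _rc=1
      elif ! printf '%s' "$FLOWLOG_REGIONS" \
           | grep -Eq '^[a-z]{2}(-[a-z]+)+-[0-9]+(,[a-z]{2}(-[a-z]+)+-[0-9]+)*$'; then
        # rejects spaces after commas, trailing commas and non-region tokens
        echo "FLOWLOG_REGIONS must look like us-east-1,eu-west-2" >&2
        _rc=1
      fi ;;
    *)
      echo "FLOW_LOGS must be 0 or 1 (got '$FLOW_LOGS')" >&2
      _rc=1 ;;
  esac
  return $_rc
}

# trust_policy: print the trust policy that pins the read-only role to
# EXTERNAL_ID via the sts:ExternalId condition. Without that condition any
# principal the trusted account allows could assume the role (the confused
# deputy problem an external ID exists to prevent). The trusted account ID
# is an assumed placeholder, not a Sophos identifier.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${TRUSTED_ACCOUNT_ID:-111122223333}:root" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "${EXTERNAL_ID}" } }
    }
  ]
}
EOF
}

# Usage: export the variables from the tables, then run: sh precheck.sh --check
if [ "${1:-}" = "--check" ]; then
  check_optix_vars && trust_policy
fi
```

The region pattern is deliberately strict: a list such as "us-east-1, eu-west-2" (with a space) is rejected rather than silently producing an invalid region name when the script later splits on commas.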