Legacy: Add your Amazon EKS clusters

You can add Amazon EKS clusters to AWS accounts you've added to Sophos Cloud Optix.

Warning: You must only use this help section if you opened your Sophos Cloud Optix account before November 17, 2020. If you opened your account after that date, you must use the instructions under Add your AWS environments.

When you add an AWS environment, Sophos Cloud Optix automatically detects Amazon Elastic Kubernetes Service (Amazon EKS) clusters and does the following:

  • Populates the inventory with cluster and node group information about your EKS deployment.
  • Runs EKS-specific security checks based on Sophos's best practice policy for AWS.

You can also add your EKS clusters using the Sophos script if you want these additional benefits:

  • A full EKS resource inventory, including pods, containers, services, network policies, and RBAC roles.
  • EKS nodes identified on the AWS Network Visualization pages in Sophos Cloud Optix.

Although there are several ways to add environments to Sophos Cloud Optix, using the script is the only way to get these additional features for EKS clusters.

Before you can add EKS clusters to your environments, you need to do as follows:

  • Install AWS CLI (version 1.16.96 or later) on a Linux or Mac computer.
  • Install AWS IAM Authenticator for Kubernetes for authentication to your EKS cluster.
  • Install the kubectl utility to communicate with the cluster API server (select the version that corresponds to your EKS cluster).
  • Ensure that the AWS account you're using to add the cluster to Sophos Cloud Optix has permissions in the EKS cluster.
  • Ensure that Endpoint Public Access is turned on, which is the default for new EKS clusters. Public Access must be turned on so that Sophos Cloud Optix can communicate with your EKS cluster's API server. We recommend restricting this access to specific Sophos Cloud Optix IP addresses (currently 184.169.234.229 and 52.52.72.162). You can modify your cluster API server endpoint access using the AWS Management Console or AWS CLI.
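The endpoint restriction described in the last item, as an added example that is not Sophos's own script: it keeps public access on (Cloud Optix needs it) but limits the API server's public allow-list to the two Cloud Optix addresses, using the AWS CLI. The cluster name and region come from the EKS_CLUSTER_NAME and AWS_REGION environment variables, which are assumptions for this example.

```shell
# Added example, not part of the Sophos script. Assumes EKS_CLUSTER_NAME and
# AWS_REGION are set when run against a real cluster; the helper functions
# themselves need no AWS access.
set -u
# The two Cloud Optix source addresses given in the prerequisites.
OPTIX_IPS="184.169.234.229 52.52.72.162"

# Emit the allow-list as /32 CIDRs in the comma-separated form that
# `aws eks update-cluster-config --resources-vpc-config` expects.
optix_public_cidrs() {
    out=""
    for ip in $OPTIX_IPS; do
        out="${out:+$out,}$ip/32"
    done
    printf '%s' "$out"
}

# Return 0 if every CIDR in $1 (whitespace-separated, as describe-cluster prints
# it with --output text) is one of the Optix /32s; return 1 if anything wider
# is allowed, such as the EKS default 0.0.0.0/0, or the list is empty.
is_restricted() {
    [ -n "$1" ] || return 1
    for cidr in $1; do
        case ",$(optix_public_cidrs)," in
            *",$cidr,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Read the cluster's current public allow-list.
current_public_cidrs() {
    aws eks describe-cluster --region "$AWS_REGION" --name "$EKS_CLUSTER_NAME" \
        --query 'cluster.resourcesVpcConfig.publicAccessCidrs' --output text
}

# Keep the public endpoint enabled but restrict it to the Optix addresses.
restrict_endpoint() {
    aws eks update-cluster-config --region "$AWS_REGION" --name "$EKS_CLUSTER_NAME" \
        --resources-vpc-config "endpointPublicAccess=true,publicAccessCidrs=$(optix_public_cidrs)"
}

# Only touch a live cluster when the caller has named one.
if [ -n "${EKS_CLUSTER_NAME:-}" ] && [ -n "${AWS_REGION:-}" ]; then
    current="$(current_public_cidrs)"
    if is_restricted "$current"; then
        echo "public endpoint already restricted to: $current"
    else
        echo "allow-list is wider than the Optix addresses ($current); restricting"
        restrict_endpoint
    fi
fi
```

Cluster updates are asynchronous; check `aws eks describe-cluster` again (or the console) after the update finishes to confirm the new allow-list took effect.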

Running the Sophos script creates a read-only service account in your EKS cluster and adds the cluster to your Sophos Cloud Optix console. To add your cluster, do as follows:

  1. Go to Settings and click Environments.
  2. Find the AWS environment that has your Amazon EKS cluster.
  3. Under Actions, click the Kubernetes icon to find EKS clusters in your cloud.
  4. Select the EKS cluster you want to add.
  5. Download the Sophos Cloud Optix script.
  6. Run the script.