Resources created in AWS environments
A full deployment of Sophos Cloud Optix adds AWS environments to the service and sets up communication between AWS and Sophos.
There are three full deployment methods:
- Using the Sophos Cloud Optix AWS CLI script provided for Linux and macOS.
- Using AWS CloudFormation.
- Using the Terraform template provided.
Full deployment sets up two communication channels with the environment:
- Pull channel to gather infrastructure information about instances, security groups, etc. This uses a read-only IAM Role in your AWS account.
- Push channel to export CloudTrail Logs and VPC Flow Logs to Sophos Cloud Optix for analysis. This requires resources to be created and configured in your AWS environment.
You can also set up Sophos Cloud Optix for AWS environments using Quick-start, which only sets up the pull channel. You can perform a full deployment to add the push channel later, if necessary.
Pull channel
To set up the pull channel, a read-only IAM role called Sophos-Optix-role is created.
If this role already exists in the environment, the deployment continues after checking for the appropriate policy permissions. If not, the new role is created, with the SecurityAudit AWS managed policy (arn:aws:iam::aws:policy/SecurityAudit) and the following additional permissions:
- elasticfilesystem:DescribeMountTargetSecurityGroups
- elasticfilesystem:DescribeMountTargets
- sns:ListSubscriptions
- s3:GetAccountPublicAccessBlock
- ce:GetCostAndUsage
- ce:GetCostForecast
- ce:GetUsageForecast
- eks:List*
- detective:ListGraphs
- ec2:SearchTransitGatewayRoutes
- ec2:GetTransitGatewayRouteTableAssociations
- support:DescribeTrustedAdvisorCheckResult
- support:RefreshTrustedAdvisorCheck
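Because the role is meant to be read-only, it is worth checking that the supplementary policy attached to Sophos-Optix-role grants the documented actions and nothing broader. The following Python script is an added example (it is not Sophos's deployment script or output): it compares an IAM policy document against the permission list above, honouring IAM's case-insensitive wildcard matching, and reports documented actions that are missing, granted actions the list does not mention, and grants that are not read-only. The SAMPLE_POLICY document and the MUTATING_PREFIXES heuristic are constructed for illustration.

```python
"""Compare a supplementary IAM policy document for Sophos-Optix-role against
the permission list documented above. Added example; the policy document at the
bottom is constructed for illustration and is not Sophos's deployment output."""
import fnmatch

SECURITY_AUDIT_ARN = "arn:aws:iam::aws:policy/SecurityAudit"

# The additional permissions listed in the documentation beyond SecurityAudit.
REQUIRED_ACTIONS = [
    "elasticfilesystem:DescribeMountTargetSecurityGroups",
    "elasticfilesystem:DescribeMountTargets",
    "sns:ListSubscriptions",
    "s3:GetAccountPublicAccessBlock",
    "ce:GetCostAndUsage",
    "ce:GetCostForecast",
    "ce:GetUsageForecast",
    "eks:List*",
    "detective:ListGraphs",
    "ec2:SearchTransitGatewayRoutes",
    "ec2:GetTransitGatewayRouteTableAssociations",
    "support:DescribeTrustedAdvisorCheckResult",
    "support:RefreshTrustedAdvisorCheck",
]

# Verb prefixes that change state (heuristic, constructed for this example);
# a read-only role should grant none of them.
MUTATING_PREFIXES = ("Create", "Delete", "Put", "Update", "Attach", "Detach",
                     "Modify", "Run", "Start", "Stop", "Terminate")


def _statements(policy):
    """IAM allows Statement to be a single object or a list; normalise to a list."""
    stmt = policy.get("Statement", [])
    return [stmt] if isinstance(stmt, dict) else list(stmt)


def allowed_actions(policy):
    """Return every action pattern granted by an Allow statement."""
    actions = set()
    for s in _statements(policy):
        if s.get("Effect") != "Allow":
            continue
        action = s.get("Action", [])
        actions.update([action] if isinstance(action, str) else action)
    return actions


def action_matches(action, patterns):
    """IAM action matching is case-insensitive and '*' is a wildcard."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def is_mutating(action):
    """True for service-wide wildcards or verbs that modify resources."""
    if action == "*" or action.endswith(":*"):
        return True
    verb = action.split(":", 1)[-1]
    return verb.startswith(MUTATING_PREFIXES)


def audit_policy(policy):
    """Return (missing, extra, risky): documented actions not granted, granted
    actions the documentation does not list, and grants that are not read-only."""
    granted = allowed_actions(policy)
    missing = [r for r in REQUIRED_ACTIONS if not action_matches(r, granted)]
    extra = sorted(g for g in granted if not action_matches(g, REQUIRED_ACTIONS))
    risky = sorted(g for g in granted if is_mutating(g))
    return missing, extra, risky


def has_security_audit(attached_policy_arns):
    """The role must also carry the SecurityAudit managed policy."""
    return SECURITY_AUDIT_ARN in attached_policy_arns


# Constructed sample: one documented action is missing and a broad ec2:* grant
# has crept in, which is exactly what a review should surface.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": [a for a in REQUIRED_ACTIONS
                    if a != "support:RefreshTrustedAdvisorCheck"] + ["ec2:*"]},
        {"Effect": "Deny", "Resource": "*", "Action": ["iam:PassRole"]},
    ],
}

if __name__ == "__main__":
    missing, extra, risky = audit_policy(SAMPLE_POLICY)
    print("missing:", missing)
    print("extra:", extra)
    print("risky:", risky)
    print("SecurityAudit attached:", has_security_audit([SECURITY_AUDIT_ARN]))
```

In practice the policy document and the attached-policy ARNs would come from `iam:GetRolePolicy` and `iam:ListAttachedRolePolicies` for Sophos-Optix-role; the checker itself needs no AWS access, so it can run in a pipeline against exported policy JSON.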
Push channel
Resources are required to export CloudTrail Logs and VPC Flow Logs to Sophos Cloud Optix.
To export CloudTrail Logs, the following resources are created and configured:
- A trail (CloudTrail) called Sophos-Optix-cloudtrail to deliver AWS CloudTrail log events from all regions to an S3 bucket called Sophos-Optix-cloudtrail-<ACCOUNT>. If the bucket doesn't already exist in your account, it's created. The trail is configured to log all management events to this bucket.
- An SNS topic called Sophos-Optix-cloudtrail-s3-sns-topic for CloudTrail. The SNS topic is configured to trigger on all object create events in the sophos-optix-cloudtrail-<ACCOUNT> cloudtrail folder. With this SNS topic you can set up multiple exports of your CloudTrail logs using the same infrastructure. You can subscribe to this SNS topic, get keys for new CloudTrail log dump files, and use the keys to pull them if required.
- A Lambda function called Sophos-Optix-cloudTrail-fn, to send keys of CloudTrail dump files created in S3 to Sophos Cloud Optix. The Lambda function is subscribed to the SNS topic. Sophos Cloud Optix uses these keys to pull CloudTrail logs.
- A policy configuration to grant S3:GetObject permission to Sophos-Optix-role, to read object log files from the bucket folder for sophos-optix-cloudtrail-<ACCOUNT> cloudtrail.
- An S3 Lifecycle configuration that automatically deletes logs stored in the S3 bucket after 365 days. You can change this time limit when you add a new AWS environment.
VPC Flow Logs are turned on and exported to the Sophos Cloud Optix service for analysis.
Note
You can choose not to export VPC Flow Logs to Sophos Cloud Optix, or to export VPC Flow Logs only from specific AWS regions. If you do this, some advanced features, such as AI-powered anomaly detection and traffic visibility in Network Visualization, will not work.
To export VPC Flow Logs the following steps are taken:
- VPC Flow Logs are turned on to capture IP traffic information for all VPCs (this can be configured). Logs are delivered to an S3 bucket called Sophos-Optix-flowlogs-<ACCOUNT>-<region>. If the bucket doesn't already exist in your account, it's created.
- An SNS topic called Sophos-Optix-flowlogs-s3-sns-topic is created to export flow logs. The SNS topic is configured to trigger on all object create events in the flow logs folder for Sophos-Optix-flowlogs-<ACCOUNT>-<region>. With this SNS topic you can set up multiple exports of your flow logs using the same infrastructure. You can subscribe to this SNS topic, get keys for new flow log dump files created, and use the keys to pull them if required.
- A Lambda function called Sophos-Optix-flowlogs-fn is created, to send keys of flow log dump files created in S3 to Sophos Cloud Optix. The Lambda function is subscribed to the SNS topic. Sophos Cloud Optix uses these keys to pull CloudTrail logs.
- An S3 Lifecycle configuration that automatically deletes stored logs after one day. You can change this time limit when you add a new AWS environment.
- A policy configuration to grant s3:GetObject permission to Sophos-Optix-role, to read object log files from the CloudTrail folder for Sophos-Optix-flowlogs-<ACCOUNT>-<region>.
- VPC Flow Logs are exported in every region separately, on Amazon's recommendation, creating an S3 bucket, SNS topic, and Lambda function in each region. You can set up exports of flow logs for single regions when adding a new AWS environment.
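Both push channels above follow the same pattern: S3 publishes an object-created notification to an SNS topic, and a Lambda function subscribed to that topic forwards the new object keys to Sophos Cloud Optix. The following Python handler is an added example of that step, for the CloudTrail and the flow-log exports alike; it is not Sophos's own Lambda code. It unwraps the SNS envelope, parses the embedded S3 event, URL-decodes the keys (S3 encodes them in notifications), and forwards only object-created events that land in the expected bucket under the expected prefix, dropping deletions and stray objects. The account id, the lower-case bucket names, the AWSLogs/<ACCOUNT>/CloudTrail/ and AWSLogs/<ACCOUNT>/vpcflowlogs/ prefixes, and the `deliver` callable (standing in for the undocumented transport to Sophos) are assumptions; the sample event is constructed.

```python
"""Lambda handler sketch for the push channel: unwrap the SNS notification,
extract the S3 object keys, keep only newly created log files in the expected
bucket and prefix, and hand the keys to a delivery function. Added example,
not Sophos's own Lambda code; all names below are assumptions."""
import json
from urllib.parse import unquote_plus

# Assumed values (not from the documentation): a 12-digit account id, lower-case
# bucket names, and the prefixes under which AWS writes the two log types.
ACCOUNT = "123456789012"
CLOUDTRAIL_BUCKET = f"sophos-optix-cloudtrail-{ACCOUNT}"
CLOUDTRAIL_PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail/"
FLOWLOG_BUCKET = f"sophos-optix-flowlogs-{ACCOUNT}-eu-west-1"
FLOWLOG_PREFIX = f"AWSLogs/{ACCOUNT}/vpcflowlogs/"


def extract_new_log_keys(sns_event, expected_bucket, prefix):
    """Return the S3 keys of newly created log files announced by the SNS event.

    Records that are not ObjectCreated events, that point at another bucket, or
    that fall outside the log prefix are dropped rather than forwarded.
    """
    keys = []
    for sns_record in sns_event.get("Records", []):
        if sns_record.get("EventSource") != "aws:sns":
            continue
        try:
            s3_event = json.loads(sns_record["Sns"]["Message"])
        except (KeyError, TypeError, ValueError):
            continue  # malformed notification: skip it, do not crash the function
        for rec in s3_event.get("Records", []):
            if not rec.get("eventName", "").startswith("ObjectCreated:"):
                continue
            s3 = rec.get("s3", {})
            bucket = s3.get("bucket", {}).get("name")
            key = unquote_plus(s3.get("object", {}).get("key", ""))  # S3 URL-encodes keys
            if bucket != expected_bucket or not key.startswith(prefix):
                continue
            keys.append(key)
    return keys


def lambda_handler(event, context=None, expected_bucket=CLOUDTRAIL_BUCKET,
                   prefix=CLOUDTRAIL_PREFIX, deliver=None):
    """Lambda entry point. `deliver` is a hypothetical callable that pushes the
    keys to Sophos Cloud Optix; the real transport is not documented here."""
    keys = extract_new_log_keys(event, expected_bucket, prefix)
    if deliver is not None and keys:
        deliver(keys)
    return {"forwarded": len(keys), "keys": keys}


def s3_record(bucket, key, event_name="ObjectCreated:Put"):
    """Build a minimal S3 event record (constructed test data)."""
    return {"eventName": event_name,
            "s3": {"bucket": {"name": bucket}, "object": {"key": key}}}


def sns_envelope(*s3_records):
    """Wrap S3 records the way SNS delivers them to Lambda (constructed)."""
    return {"Records": [{"EventSource": "aws:sns",
                         "Sns": {"Message": json.dumps({"Records": list(s3_records)})}}]}


# Constructed sample: one new CloudTrail file, one deletion, one stray upload.
SAMPLE_EVENT = sns_envelope(
    s3_record(CLOUDTRAIL_BUCKET, f"{CLOUDTRAIL_PREFIX}us-east-1/2024/01/01/"
                                 f"{ACCOUNT}_CloudTrail_us-east-1_20240101T0000Z_abcd.json.gz"),
    s3_record(CLOUDTRAIL_BUCKET, f"{CLOUDTRAIL_PREFIX}us-east-1/2023/12/31/old.json.gz",
              "ObjectRemoved:Delete"),
    s3_record(CLOUDTRAIL_BUCKET, "uploads/not+a+log.txt"),
)

if __name__ == "__main__":
    result = lambda_handler(SAMPLE_EVENT, deliver=lambda ks: print("would send:", ks))
    print(json.dumps(result, indent=2))
```

The same handler serves the per-region flow-log exports by passing that region's bucket name and the flow-log prefix; keeping the bucket and prefix checks in the function means a notification from any other bucket that happens to be wired to the topic is ignored rather than forwarded.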