For detailed instructions, watch the video Setting up an AWS connection using CloudFormation template
Go to the Settings > AWS Connection page of the Cloud Workload Protection web portal and press the + icon.
Press Download to download the CloudFormation template.
Log on to the AWS portal and go to CloudFormation.
Create a stack:
Upload the template
Select a setup type:
Create cross-account role: Select this option to set up only a cross-account role, without setting up CloudTrail.
Create cross-account role and CloudTrail setup: Select this option to create a cross-account role and also set up CloudTrail.
Configure CloudTrail for current region: Select this option to set up CloudTrail for the first time or to add CloudTrail for another region.
When the stack is complete, copy the Role ARN value from the Outputs tab of the CloudFormation stack and paste it in Settings > AWS Connection of the Cloud Workload Protection portal.
In Sync Options, select either AWS CloudTrail or Periodic Sync.
The key differences between these two synchronization options are:
In AWS CloudTrail sync, Cloud Workload Protection synchronizes only the instances that have changed, whereas in Periodic Sync all the instances are polled. This limited polling makes AWS CloudTrail sync more efficient.
AWS CloudTrail sync provides the additional benefit of creating alert profiles in Cloud Workload Protection to generate alerts based on the CloudTrail events.
If you choose AWS CloudTrail, you must specify the name and URL for the SQS queue in the Cloud Workload Protection portal. Copy the SQS URL from the Outputs tab of the CloudFormation stack.
Additional steps
You must edit the IAM role policy in the following scenarios:
{
    "Action": "s3:GetObject",
    "Resource": [ " Paste S3 ARN here " ],
    "Effect": "Allow"
},
{
    "Action": [
        "sqs:DeleteMessage*",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessageBatch"
    ],
    "Resource": [ " Paste SQS ARN here " ],
    "Effect": "Allow"
}

{
    "Action": [
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
    ],
    "Effect": "Allow",
    "Resource": "*"
}
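As an added example (not part of this documentation or of the product), the following Python script checks an edited role policy before you save it: that every "Paste ... ARN here" placeholder has been replaced, that the S3 and SQS statements are not left with a wildcard resource, and that each pasted ARN belongs to the service its statement's actions target. The sample policy, bucket name, queue name and account ID are constructed for the example.

```python
import json
import re

# Constructed sample policy: the three statements from the page, with the
# "Paste ... ARN here" placeholders replaced by hypothetical ARNs
# (bucket, queue and account id are made up for this example).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "s3:GetObject",
         "Resource": ["arn:aws:s3:::example-cloudtrail-bucket/*"],
         "Effect": "Allow"},
        {"Action": ["sqs:DeleteMessage*", "sqs:ReceiveMessage", "sqs:DeleteMessageBatch"],
         "Resource": ["arn:aws:sqs:us-east-1:123456789012:example-cloudtrail-queue"],
         "Effect": "Allow"},
        {"Action": ["logs:PutLogEvents", "logs:DescribeLogGroups", "logs:DescribeLogStreams"],
         "Effect": "Allow", "Resource": "*"},
    ],
})

# ARN layout: arn:partition:service:region:account:resource (group 1 = service)
ARN_RE = re.compile(r"^arn:[a-z-]+:([a-z0-9-]+):[a-z0-9-]*:\d{0,12}:.+$")


def _as_list(value):
    # IAM allows Action/Resource to be a single string or a list; normalise.
    return value if isinstance(value, list) else [value]


def check_policy(policy_json):
    """Return a list of findings; an empty list means the policy is ready to save."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        services = {a.split(":")[0] for a in actions}
        for r in _as_list(st.get("Resource", [])):
            if r == "*":
                # A wildcard resource is what the logs statement uses; the S3 and
                # SQS statements must be scoped to the pasted bucket/queue ARN.
                if services & {"s3", "sqs"}:
                    findings.append(f"statement {i}: wildcard resource for {sorted(services)}")
                continue
            m = ARN_RE.match(r.strip())
            if not m:
                findings.append(f"statement {i}: placeholder or malformed ARN {r!r}")
            elif m.group(1) not in services:
                findings.append(f"statement {i}: {m.group(1)} ARN under {sorted(services)} actions")
    return findings
```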
After you save the connection, Cloud Workload Protection starts to import the AWS instances. The Instances tab displays all the imported instances. Install the agent and apply policy groups to secure the instances.