Configuring AWS Devices

This chapter covers the following sections:

Update AWS VPC Connection Credentials

If you create a new access key and secret access key to connect to the AWS VPC, you must update the connection credentials in Security Cloud Control. To do this, first update the credentials in the AWS console. Next, update the credentials in the Security Cloud Control console by using this procedure. For more information, refer to Managing Access Keys for IAM Users (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) or Creating, Disabling, and Deleting Access Keys for Your AWS Account Root User (https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html).

You cannot change the access key or secret access key from Security Cloud Control. You must manage the connection credentials manually using the AWS console or the AWS CLI.


Note

If multiple AWS VPCs are onboarded to your Security Cloud Control tenant, you must update the credentials for one device at a time.


Procedure


Step 1

Choose Security Devices.

Step 2

Click the Devices tab, and then click AWS VPC.

Step 3

Select the AWS VPC whose connection credentials you want to update.

Use the filter and search functionalities to find the required device.

Step 4

Under Device Actions, click Update Credentials.

Step 5

Enter the new Access Key and Secret Access Key that you want to use to connect to the AWS VPC.

Step 6

Click Update.

Note

If Security Cloud Control fails to sync the device, the connectivity status in Security Cloud Control may display "Invalid Credentials." If this occurs, you may have entered an invalid username and password combination. For more information about troubleshooting invalid credentials, refer to Troubleshoot Invalid Credentials.


Monitor AWS VPC Tunnels using AWS Transit Gateway

Amazon Web Services (AWS) Transit Gateway acts as a cloud router. It connects enterprise virtual private clouds (VPCs) to AWS VPCs through a central hub, which allows for simplified peering relationships.

Security Cloud Control allows you to monitor the connection status of your onboarded AWS VPCs using AWS Transit Gateway.

Procedure


Step 1

Choose Secure Connections > Network Connections > Site to Site VPN.

The VPN Tunnels page displays the connection status for all network tunnels managed by your Security Cloud Control tenant. The connection status for the VPN tunnel can be active or idle.

Step 2

Select a VPC, and then under Actions, click Check Connectivity. This triggers a real-time connectivity check against the tunnel and identifies whether the tunnel is currently active or idle. Even if you do not run the on-demand check, Security Cloud Control checks all tunnels on all onboarded devices every ten minutes.

Note

Security Cloud Control displays a notification if the connection of a VPN tunnel goes down. No notification appears when the link comes back up.


Search and Filter Site-to-Site VPN Tunnels

Use the filter sidebar in combination with the search field to focus your search of VPN tunnels presented in the VPN tunnel diagram.

Procedure


Step 1

Choose Secure Connections > Network Connections > Site to Site VPN.

Step 2

Click the filter icon to open the filter pane.

Step 3

Use these filters to refine your search:

  • Filter by Device: Click Filter by Device, select the device type tab, and check the devices you want to filter by.

  • Tunnel Issues: Indicates whether issues have been detected on either side of the tunnel. For example, a device may be missing an associated interface, peer IP address, access list, or may have IKEv1 proposal mismatches. (Detecting tunnel issues is not yet available for AWS VPC VPN tunnels.)

  • Devices/Services: Filters by type of device.

  • Status: Indicates tunnel status, which can be active or idle.

    • Active: An open session exists in which network packets traverse the VPN tunnel, or a successful session was established that has not timed out yet. The "Active" status indicates that the tunnel is operational and relevant.

    • Idle: Security Cloud Control is unable to discover an open session for this tunnel. Either the tunnel is not in use or there is an issue with it.

  • Onboarded: Devices are either managed by Security Cloud Control or not managed (unmanaged) by Security Cloud Control.

    • Managed: Filters by devices that Security Cloud Control manages.

    • Unmanaged: Filters by devices that Security Cloud Control does not manage.

  • Device Types: Indicates whether either side of the tunnel is a live (connected) or model device.

Step 4

You can also search the filtered results by device name or IP address by entering that information in the search bar. The search is case-insensitive.


View a history of changes made to the AWS VPC tunnels

To view a history of changes made to AWS VPC tunnels, follow these steps.

Procedure


Step 1

Choose Events & Logs > Logs > Change Log.

Step 2

On the Change Log page, click the filter icon, select the Filter by device tab, and then click AWS VPC.

Step 3

Select the AWS VPC whose history you want to review, and click OK.


AWS VPC Policy

Security Cloud Control enables you to keep security policies consistent across any Amazon Web Services (AWS) Virtual Private Cloud (VPC) associated with your AWS account. You can also use Security Cloud Control to share objects across multiple device types. See these topics for more information.

AWS VPC Security Group Rules

AWS security groups are collections of rules that govern inbound and outbound network traffic to all AWS EC2 instances, and other entities, associated with the security group. Similar to the Amazon Web Services (AWS) console, Security Cloud Control displays each rule individually.

If your SDC has Internet access, you can create and manage AWS Virtual Private Cloud (VPC) rules for these environments:

  • A security group allowing traffic to or from another security group within the same AWS VPC.

  • A security group allowing traffic to or from an IPv4 or IPv6 address.

When creating a rule in Security Cloud Control that contains an AWS security group, keep these limitations in mind:

  • For a rule allowing inbound traffic, the source can be one or more security group objects in the same AWS VPC, an IPv4 or IPv6 CIDR block, or a single IPv4 or IPv6 address. Inbound rules can have only one security group object as the destination.

  • For a rule allowing outbound traffic, the destination can be one or more security group objects in the same AWS VPC, a prefix list ID, an IPv4 or IPv6 CIDR block, or a single IPv4 or IPv6 address. Outbound rules can have only one security group object as the source.

  • Security Cloud Control translates rules that contain multiple entities, such as more than one port or subnet, into separate rules before deploying them to an AWS VPC.

  • When you add or remove rules, the changes are automatically applied to all AWS entities associated with the security group.

  • An AWS security group is limited to a maximum of 60 inbound rules and 60 outbound rules. This limit is enforced separately for IPv4 rules and IPv6 rules, and every rule created in Security Cloud Control counts toward that total. Onboarding a security group to Security Cloud Control does not let you exceed the 60-rule limit.


Warning

If you edit an existing rule, the system deletes the edited rule and creates a new rule with the updated details. As a result, traffic that depends on the rule may be dropped briefly during the update process. This does not occur if you create a brand new rule.


For more information about the types of rules you can create from the AWS console, refer to AWS Security Group Object. For more information about objects that can be associated with AWS VPCs, refer to AWS Security Groups and Cloud Security Group Objects.

Create a Security Group Rule

By default, Amazon Web Services (AWS) Virtual Private Cloud (VPC) blocks all network traffic. As a result, every rule you create is automatically configured to Allow traffic. You cannot edit this action.


Note

When you create a new security group rule, you must associate it with a security group.


The AWS console does not support rules that contain more than one source or destination. This means that if you deploy a single security group rule that contains more than one entity, Security Cloud Control converts the rule into separate rules before deploying it to the AWS VPC. For example, if you create an inbound rule that allows traffic from two port ranges into one cloud security group object, Security Cloud Control converts it into two separate rules. One allows traffic from the first port range to the security group, and the other allows traffic from the second port range to the security group.
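The following is an added example, written for this page rather than taken from Security Cloud Control or AWS, that works through the translation just described: one rule entered with several peers and port ranges is expanded into the single-entity rules AWS accepts, a rule with no network object becomes one IPv4 and one IPv6 rule (as the note under Step 8 below states), the rule-name character set from Step 7 is enforced, and the result is checked against the 60-rules-per-family limit listed under AWS VPC Security Group Rules. The `SccRule`/`AwsRule` classes, the `sg-` prefix test for security group objects, the `-1` value used for "Any" traffic, and the choice to count a security-group peer against both IP families are assumptions of this example (the last is taken from AWS's quota documentation, not from this page).

```python
"""Added example: expansion of a multi-entity security group rule into
single-entity AWS rules, plus a check of the per-family 60-rule limit.
All class names, helper names and sample values are constructed for
illustration; they are not Security Cloud Control's or AWS's own code."""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_network

MAX_RULES_PER_FAMILY = 60  # inbound and outbound each, per IP family (from the page)
# Rule-name characters the page allows: alphanumerics, spaces, plus, period, underscore, hyphen.
NAME_RE = re.compile(r"^[A-Za-z0-9 +._-]+$")


@dataclass(frozen=True)
class PortRange:
    protocol: str  # "tcp" or "udp"
    start: int
    end: int


@dataclass(frozen=True)
class AwsRule:
    """One rule as the AWS console lists it: exactly one peer and one port range."""
    direction: str
    group: str      # security group the rule belongs to
    peer: str       # security group id or canonical CIDR on the other side
    protocol: str
    start: int
    end: int


@dataclass
class SccRule:
    """A rule as entered in Security Cloud Control: the fixed side is one security
    group object, the other side may list several peers and several port ranges."""
    name: str
    direction: str          # "inbound": peers are sources; "outbound": peers are destinations
    group: str
    peers: list[str]        # security group ids, CIDR blocks, or single addresses
    ports: list[PortRange]  # empty list means "Any"


def normalize_peer(peer: str) -> str:
    """Security group ids pass through (assumed 'sg-' prefix); addresses and CIDRs
    become canonical CIDRs, so a single address becomes a /32 or /128."""
    if peer.startswith("sg-"):
        return peer
    return str(ip_network(peer, strict=False))


def expand(rule: SccRule) -> list[AwsRule]:
    """Split one rule into the separate single-entity rules deployed to the VPC."""
    if rule.direction not in ("inbound", "outbound"):
        raise ValueError(f"direction must be inbound or outbound, got {rule.direction!r}")
    if not NAME_RE.match(rule.name):
        raise ValueError(f"rule name contains characters that are not accepted: {rule.name!r}")
    # No network object defined: the page says this becomes one IPv4 and one IPv6 rule.
    peers = [normalize_peer(p) for p in rule.peers] or ["0.0.0.0/0", "::/0"]
    # No ports defined ("Any"): represented here with protocol "-1", AWS's all-traffic value.
    ports = rule.ports or [PortRange("-1", -1, -1)]
    return [
        AwsRule(rule.direction, rule.group, peer, pr.protocol, pr.start, pr.end)
        for peer in peers
        for pr in ports
    ]


def family_counts(rules: list[AwsRule]) -> dict[str, int]:
    """Count rules per IP family. A rule whose peer is a security group is counted
    against both families (assumption taken from the AWS quota documentation; this
    page only states that the limit is enforced separately per family)."""
    counts = {"ipv4": 0, "ipv6": 0}
    for r in rules:
        if r.peer.startswith("sg-"):
            counts["ipv4"] += 1
            counts["ipv6"] += 1
        elif ip_network(r.peer).version == 4:
            counts["ipv4"] += 1
        else:
            counts["ipv6"] += 1
    return counts


def fits_within_limit(existing: list[AwsRule], new: list[AwsRule]) -> bool:
    """True if adding `new` keeps every (direction, family) bucket at or under 60 rules.
    `existing` and `new` are assumed to belong to the same security group."""
    for direction in ("inbound", "outbound"):
        subset = [r for r in existing + new if r.direction == direction]
        if any(n > MAX_RULES_PER_FAMILY for n in family_counts(subset).values()):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: one inbound rule with three peers and two port ranges.
    web = SccRule("web in", "inbound", "sg-web",
                  ["10.0.0.0/8", "10.1.2.3", "sg-lb"],
                  [PortRange("tcp", 80, 80), PortRange("tcp", 443, 443)])
    for r in expand(web):              # 3 peers x 2 port ranges = 6 single-entity rules
        print(r)
    print(family_counts(expand(web)))  # {'ipv4': 6, 'ipv6': 2}
    print(expand(SccRule("open", "outbound", "sg-web", [], [])))  # 0.0.0.0/0 and ::/0
```

Running `fits_within_limit` before saving a change is the check a practitioner wants, because the expansion multiplies peers by port ranges: a rule that looks like one entry in Security Cloud Control can consume several of the 60 slots, and a security-group peer consumes a slot in both families.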

Use this procedure to create a security group rule:

Procedure


Step 1

Choose Security Devices.

Step 2

Click the Template tab.

Step 3

Click the AWS tab, and select the AWS VPC device template whose access control policy you want to edit.

Step 4

In the Management pane, select Policy.

Step 5

Click the blue plus button next to the security group you wish to add the rule to.

Step 6

Click Inbound or Outbound.

Inbound rules: The source network can contain one or multiple IPv4 addresses, IPv6 addresses, or cloud security group objects. The destination network must be defined as a single cloud security group object.

Outbound rules: The source network must be defined as a single cloud security group object. The destination network can contain one or multiple IPv4 addresses, IPv6 addresses, or security group objects.

Step 7

Enter the rule name. You can use alphanumeric characters, spaces, and the special characters plus, period, underscore, and hyphen.

Step 8

Define the traffic matching criteria by using any combination of attributes in the following tabs.

Source: Click the Source tab and add or remove networks (which includes networks and continents). You cannot define a port or port range as the source.

Destination: Click the Destination tab and add or remove networks (which includes networks and continents), or ports on which the traffic arrives. The default value is "Any."

Note

If no network object is defined, the rule is translated into two rules in the AWS Console: one for IPv4 (0.0.0.0/0) and one for IPv6 (::0/0).

Step 9

Click Save.

Step 10

Review and deploy the changes you made immediately, or wait and deploy multiple changes at once.

Caution

If the deploy fails, Security Cloud Control tries to restore the AWS VPC to its previous state. This is done on a "best-effort" basis. Because AWS does not maintain a "state," this rollback attempt might fail. If this happens, log in to the AWS management console and manually restore the AWS VPC configuration and then read the changes into Security Cloud Control.


Edit a Security Group Rule

Use this procedure to edit an access control rule for an AWS VPC using Security Cloud Control:

Procedure


Step 1

Choose Security Devices.

Step 2

Click the Devices tab to locate the device, or click the Templates tab to locate the model device.

Step 3

Click the AWS tab and select the AWS VPC whose access control policy you want to edit.

Step 4

In the Management pane, select Policy.

Step 5

To edit an existing security group rule, select the rule and click the edit icon in the Actions pane. You can also make simple edits inline without entering edit mode. For more information about rule limitations and exceptions, refer to AWS VPC Security Group Rules.

Step 6

Click Save.

Step 7

Review and deploy the changes you made immediately, or wait and deploy multiple changes at once.

Caution

If the deployment fails, Security Cloud Control tries to restore the AWS VPC to its previous state. This is done on a "best-effort" basis. Because AWS does not maintain a "state," this rollback attempt might fail. If this happens, log in to the AWS management console and manually restore the AWS VPC configuration. Then poll for differences between the AWS VPC device configuration and the configuration in Security Cloud Control.


Delete a Security Group Rule

Procedure


Step 1

Choose Security Devices.

Step 2

Click the Devices tab to locate the device, or click the Templates tab to locate the model device.

Step 3

Click the AWS tab and select the AWS VPC whose access control policy you want to edit.

Step 4

In the Management pane, select Policy.

Step 5

To delete a security group rule you no longer need, select the rule and click the delete icon in the Actions pane.

Step 6

Review and deploy the changes you made immediately, or wait and deploy multiple changes at once.

Caution

If the deployment fails, Security Cloud Control tries to restore the AWS VPC to its previous state. This is done on a "best-effort" basis. Because AWS does not maintain a "state," this rollback attempt might fail. If this happens, log in to the AWS management console and manually restore the AWS VPC configuration. Then poll for differences between the AWS VPC device configuration and the configuration in Security Cloud Control.