Configuring AWS Devices

This chapter covers the following sections:

Update AWS VPC Connection Credentials

If you create a new access key and secret access key to connect to the AWS VPC, you must update the connection credentials in Security Cloud Control. Update the credentials in the AWS console and then update the credentials from the Security Cloud Control console using the procedure below. See Managing Access Keys for IAM Users (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) or Creating, Disabling, and Deleting Access Keys for Your AWS Account Root User (https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) for more information.

You cannot change the access key or secret access key from Security Cloud Control; you must manually manage the connection credentials from the AWS console or the AWS CLI console.


Note


If you have multiple AWS VPCs onboarded to your Security Cloud Control tenant, you must update the credentials for one device at a time.


Procedure


Step 1

In the left pane, click Security Devices.

Step 2

Click the Devices tab and then click AWS VPC.

Step 3

Select the AWS VPC whose connection credentials you want to update.

You can use the filter and search functionalities to find the required device.

Step 4

In the Device Action pane, click Update Credentials.

Step 5

Enter the new access key and secret access key you want to use to connect to the AWS VPC.

Step 6

Click Update.

Note

If Security Cloud Control fails to sync the device, the connectivity status in Security Cloud Control may show "Invalid Credentials." If that is the case, you may have tried to use an invalid username and password combination. See Troubleshoot Invalid Credentials.


Monitor AWS VPC Tunnels using AWS Transit Gateway

Amazon Web Service (AWS) Transit Gateway acts as a cloud router connecting enterprise virtual private clouds (VPCs) to AWS VPCs through a central hub that allows for simplified peering relationships.

Security Cloud Control allows you to monitor the connection status of your onboarded AWS VPCs using AWS Transit Gateway.

Procedure


Step 1

In the left pane, click Manage > Secure Connections > Network Connections > Site to Site VPN.

Step 2

The VPN Tunnels page displays the connection status for all network tunnels managed by your Security Cloud Control tenant. The connection status for the VPN tunnel can be active or idle.

Step 3

Select a VPC and under Actions click Check Connectivity to trigger a real-time connectivity check against the tunnel and identify whether the tunnel is currently active or idle. Unless you click the on-demand connectivity check link, a check across all tunnels, available across all onboarded devices, occurs every ten minutes.

Note

Security Cloud Control prompts a notification if a VPN tunnel’s connection goes down. However, there is no notification prompt if the link is back up.


Search and Filter Site-to-Site VPN Tunnels

Use the filter sidebar in combination with the search field to focus your search of VPN tunnels presented in the VPN tunnel diagram.

Procedure


Step 1

In the left pane, click Manage > Secure Connections > Network Connections > Site to Site VPN to open the VPN page.

Step 2

Click the filter icon to open the filter pane.

Step 3

Use these filters to refine your search:

  • Filter by Device-Click Filter by Device, select the device type tab, and check the devices you want to find by filtering.

  • Tunnel Issues - Whether Security Cloud Control has detected that either side of the tunnel has issues. Examples of a device having issues include, but are not limited to, a missing associated interface, peer IP address, or access list, and IKEv1 proposal mismatches. (Detecting tunnel issues is not yet available for AWS VPC VPN tunnels.)

  • Devices/Services-Filter by type of device.

  • Status–Tunnel status can be active or idle.

    • Active - There is an open session where network packets are traversing the VPN tunnel, or a successful session was established and has not yet timed out. An active status indicates that the tunnel is in use and relevant.

    • Idle - Security Cloud Control is unable to discover an open session for this tunnel. The tunnel may not be in use, or there may be an issue with it.

  • Onboarded - Whether the devices are managed by Security Cloud Control or not managed (unmanaged) by Security Cloud Control.

    • Managed – Filter by devices that Security Cloud Control manages.

    • Unmanaged – Filter by devices that Security Cloud Control does not manage.

  • Device Types - Whether either side of the tunnel is a live (connected) device or a model device.

Step 4

You can also search the filtered results by device name or IP address by entering that information in the search bar. The search is case-insensitive.


View a history of changes made to the AWS VPC tunnels

To view a history of changes made to AWS VPC tunnels:

Procedure


Step 1

In the left pane, click Monitor > Events & Logs > Logs > Change Log.

Step 2

On the Change Log page, click the filter icon, select the Filter by device tab, and then click AWS VPC.

Step 3

Select the AWS VPC whose history you want to review and click OK.


AWS VPC Policy

Security Cloud Control provides users the ability to keep security policies consistent across an Amazon Web Services (AWS) Virtual Private Cloud (VPC) associated with your AWS account. You can also use Security Cloud Control to share objects across multiple device types. See the following topics for more information:

AWS VPCs and Security Groups in Security Cloud Control

AWS VPC Security Groups Rules

AWS security groups are a collection of rules that govern inbound and outbound network traffic to all the AWS EC2 instances, and other entities, associated with the security group.

Similar to the Amazon Web Services (AWS) console, Security Cloud Control displays each rule individually. As long as your SDC has access to the Internet, you can create and manage AWS Virtual Private Cloud (VPC) rules for the following environments:

  • A security group allowing information to or from another security group within the same AWS VPC.

  • A security group allowing traffic to or from an IPv4 or IPv6 address.

When creating a rule in Security Cloud Control that contains an AWS security group, keep the following limitations in mind:

  • For a rule allowing inbound traffic, the source can be one or more security group objects in the same AWS VPC, an IPv4 or IPv6 CIDR block, or a single IPv4 or IPv6 address. Inbound rules can only have one security group object as the destination.

  • For a rule allowing outbound traffic, the destination can be one or more security group objects in the same AWS VPC, a prefix list ID, an IPv4 or IPv6 CIDR block, or a single IPv4 or IPv6 address. Outbound rules can only have one security group object as the source.

  • Security Cloud Control translates rules that contain multiple entities, such as more than one port or subnet, into separate rules before deploying them to an AWS VPC.

  • When you add or remove rules, the changes are automatically applied to all AWS entities associated with the security group.

  • An AWS security group is limited to hosting a maximum of 60 inbound rules and 60 outbound rules. This limit is enforced separately for IPv4 rules and IPv6 rules, and any rules created in Security Cloud Control count toward the total. In short, onboarding to Security Cloud Control does not let you exceed the 60-rule limit.


Warning


Any edits made to existing rules will result in the edited rule being deleted and a new rule created with the new details. This will cause traffic that depends on that rule to be dropped for a very brief period of time until the new rule can be created. This does not occur if you create a brand new rule.


If you need more information on the types of rules you can create from the AWS console, see AWS Security Group Object. See AWS Security Groups and Cloud Security Group Objects for more information on objects that can be associated with AWS VPCs.

Create a Security Group Rule

By default, Amazon Web Services (AWS) Virtual Private Cloud (VPC) blocks all network traffic. This means that every security group rule is automatically configured with the Allow action. You cannot edit this action.


Note


When you create a new security group rule you must associate it with a security group.


The AWS console does not support rules that contain more than one source or destination. This means that if you deploy a single security group rule that contains more than one entity, Security Cloud Control translates the rule into separate rules before deploying it to the AWS VPC. For example, if you create an inbound rule that allows traffic from two port ranges into one cloud security group object, Security Cloud Control translates it into two separate rules: (1) to allow traffic from the first port range to the security group and (2) to allow traffic from the second port range to the security group.
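The translation described above, together with the 60-rule-per-family limit listed under AWS VPC Security Groups Rules and the "Any" default from the Create procedure (0.0.0.0/0 plus ::0/0), as an added worked example that is not Security Cloud Control's own code. The rule dictionary shape, the `expand_rule` and `check_limit` helpers, and the sample CIDRs are constructed for illustration; security group object references are left out to keep the family accounting simple.

```python
from ipaddress import ip_network

# AWS limit per security group: 60 inbound and 60 outbound rules,
# enforced separately for IPv4 and IPv6 (see the limitations above).
MAX_RULES_PER_FAMILY = 60

# Default used when a rule defines no network: the console receives one
# IPv4 "any" rule and one IPv6 "any" rule.
ANY_NETWORKS = ("0.0.0.0/0", "::0/0")


def family(network):
    """Return 'ipv4' or 'ipv6' for a CIDR block or a single address."""
    return "ipv%d" % ip_network(network, strict=False).version


def expand_rule(direction, networks, port_ranges, protocol="tcp"):
    """Translate one multi-entity rule into the single-entity rules AWS
    accepts: one rule per (network, port range) pair. `direction` is
    'inbound' or 'outbound'; `networks` holds CIDRs or single addresses;
    `port_ranges` holds (from_port, to_port) tuples. Empty inputs mean
    'any network' and 'all ports' respectively."""
    networks = list(networks) or list(ANY_NETWORKS)
    port_ranges = list(port_ranges) or [(None, None)]
    return [
        {"direction": direction, "protocol": protocol, "network": net,
         "family": family(net), "from_port": lo, "to_port": hi}
        for net in networks
        for lo, hi in port_ranges
    ]


def check_limit(existing, new):
    """Count rules per (direction, family) after adding `new` to `existing`
    and return the buckets that would exceed the AWS limit, so a deployment
    can be rejected before AWS rejects it (hypothetical pre-deploy check)."""
    counts = {}
    for rule in existing + new:
        key = (rule["direction"], rule["family"])
        counts[key] = counts.get(key, 0) + 1
    return sorted(k for k, n in counts.items() if n > MAX_RULES_PER_FAMILY)


if __name__ == "__main__":
    # Constructed example: two port ranges into one group -> two AWS rules
    rules = expand_rule("inbound", ["10.0.0.0/16"], [(80, 80), (443, 443)])
    print(len(rules), "AWS rules")
    any_rules = expand_rule("outbound", [], [(53, 53)])
    print([r["network"] for r in any_rules])  # ['0.0.0.0/0', '::0/0']
```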

Use this procedure to create a security group rule:

Procedure


Step 1

In the left pane, click Security Devices.

Step 2

Click the Template tab.

Step 3

Click the AWS tab and select the AWS VPC device template whose access control policy you want to edit.

Step 4

In the Management pane at the right, select Policy.

Step 5

Click the blue plus button next to the security group you wish to add the rule to.

Step 6

Click Inbound or Outbound.

  • Inbound rules - The source network can contain one or multiple IPv4 addresses, IPv6 addresses, or cloud security group objects. The destination network must be defined as a single cloud security group object.

  • Outbound rules - The source network must be defined as a single cloud security group object. The destination network can contain one or multiple IPv4 addresses, IPv6 addresses, or security group objects.

Step 7

Enter the rule name. You can use alphanumeric characters, spaces, and these special characters: + . _ -

Step 8

Define the traffic matching criteria by using any combination of attributes in the following tabs:

  • Source - Click the Source tab and add or remove networks (which includes networks and continents). You cannot define a port or port range as the source.

  • Destination - Click the Destination tab and add or remove networks (which includes networks and continents), or ports on which the traffic arrives. The default value is "Any."

    • Note:

      If no network object is defined, it will be translated into two rules in the AWS Console: one for IPv4 (0.0.0.0/0) and one for IPv6 (::0/0).

Step 9

Click Save.

Step 10

Review and deploy the changes you made now, or wait and deploy multiple changes at once.

Caution

If the deploy fails, Security Cloud Control attempts to return the state of the AWS VPC to what it was before you made the deployment attempt. This is done on a "best effort" basis. Because AWS doesn't maintain a state, this rollback attempt could fail. In that case, you will have to log in to the AWS management console and manually return the AWS VPC to its previous configuration and then read the changes into Security Cloud Control.


Edit a Security Group Rule

Use this procedure to edit an access control rule for an AWS VPC using Security Cloud Control:

Procedure


Step 1

In the left pane, click Security Devices.

Step 2

Click the Devices tab to locate the device or the Templates tab to locate the model device.

Step 3

Click the AWS tab and select the AWS VPC whose access control policy you want to edit.

Step 4

In the Management pane on the right, select Policy.

Step 5

To edit an existing security group rule, select the rule and click the edit icon in the Actions pane. (Simple edits may also be performed inline without entering edit mode.) See AWS VPC Security Group Rules for rule limitations and exceptions.

Step 6

Click Save.

Step 7

Review and deploy the changes you made now, or wait and deploy multiple changes at once.

Caution

If the deployment fails, Security Cloud Control attempts to return the state of the AWS VPC to what it was before you made the deployment attempt. This is done on a "best effort" basis. Because AWS doesn't maintain a state, this rollback attempt could fail. In that case, you will have to log in to the AWS management console and manually return the AWS VPC to its previous configuration and then poll for changes between the AWS VPC device configuration and the configuration in Security Cloud Control.


Delete a Security Group Rule

Procedure


Step 1

In the left pane, click Security Devices.

Step 2

Click the Devices tab to locate the device or the Templates tab to locate the model device.

Step 3

Click the AWS tab and select the AWS VPC whose access control policy you want to edit.

Step 4

In the Management pane on the right, select Policy.

Step 5

To delete a security group rule you no longer need, select the rule and click the remove icon in the Actions pane.

Step 6

Review and deploy the changes you made now, or wait and deploy multiple changes at once.

Caution

If the deployment fails, Security Cloud Control attempts to return the state of the AWS VPC to what it was before you made the deployment attempt. This is done on a "best effort" basis. Because AWS doesn't maintain a state, this rollback attempt could fail. In that case, you will have to log in to the AWS management console and manually return the AWS VPC to its previous configuration and then poll for changes between the AWS VPC device configuration and the configuration in Security Cloud Control.