Sophos provides the ability to associate your Amazon Web Services (AWS) accounts with your Sophos Central account, to improve the management of Sophos Server Protection on AWS Elastic Compute Cloud (EC2) instances. This article answers the frequently asked questions on Amazon Web Services integration with Sophos Central.
Applies to the following Sophos product(s) and version(s): Sophos Central Server Protection
The following questions are answered:
This integration with AWS improves the management of Sophos Server Protection on EC2 instances in AWS. It will:
You will also be able to view UTM instances in your AWS environment.
Note: Sophos does not test Amazon WorkSpaces. If you have not connected your AWS account, you may find that the associated AWS Instance ID is not removed when you delete the server in Sophos Central.
AWS integration is covered under both the Server Standard Protection and Server Advanced Protection licenses. A license is required for each EC2 instance that is protected with a Sophos Server Protection Agent.
Both Windows and Linux servers can be managed:
See Creating an IAM Role for Sophos Central.
Note: This option will be available to read-only users, but they will not be able to complete the migration; this must be done by an admin.
Under Server Protection, go to AWS Workload Security and click on the AWS Instances tab area within the Sophos Central Admin console. If you have not connected your AWS account, the list will only display servers running in AWS that have a Sophos Server Protection Agent installed.
When your AWS account is connected, the list is extended to show ALL EC2 instances, identifying for each instance whether it has a Sophos Server Protection Agent installed, has no agent, or is a Sophos UTM. Connecting your AWS account to Sophos Central also augments the list with additional EC2 metadata, including Lifecycle state, AMI ID, Region, and more.
You can also view all instances by clicking on the Map tab. Using the Map you can obtain information on your instances Globally, by Location and by Region.
To connect your AWS account with Sophos Central, you need to create an IAM Role for your AWS account with the permissions required for the service. By providing your AWS IAM Role credentials, you are explicitly granting Sophos permission to connect to your AWS account for read-only access to information relating to EC2 instances and Auto Scaling Groups. This connection from Sophos Central will enable EC2 instance information to be displayed, server policies to be assigned to Auto Scaling Groups, and terminated EC2 instances to be removed automatically.
The IAM credentials are stored with AES-256 encryption (using a unique key) within a key store. These credentials are removed automatically when the AWS account association is removed from Sophos Central.
Other non-personally identifiable data, such as EC2 instance and Auto Scaling Group data stored for the purposes of providing this Sophos Central AWS service are stored in a separate database. In more detail, this data includes, although is not limited to, the AWS account identity, EC2 instance identities, AMI identities, EC2 life-cycle states, VPC identities, availability zones and Auto Scaling Group names and ARNs. Account data is automatically removed when the AWS account association is removed from Sophos Central.
When an EC2 instance is terminated in AWS, for example due to Auto Scaling, the server is removed from the Sophos Central console automatically within a few minutes. License usage information in Sophos Central is also updated automatically.
Sophos Server Protection can be installed onto AWS EC2 instances using your preferred deployment tool, such as Chef or Puppet, using ready-made scripts provided by Sophos. Simply grab the link to the installer from the Protect Devices area of your Sophos Central Admin console and embed it into a deployment script, or host the installer in an AWS S3 bucket if you prefer. Alternatively, create an AMI with Sophos Server Protection installed. When new AWS instances are launched with the Sophos agent installed, the agent registers with your Sophos Central console and applies policy automatically.