Over the first quarter of 2020, a host of great enhancements have been added to the Cloud Optix service to enable organizations to harden their cloud security posture for AWS, Azure and Google Cloud Platform. Check out these latest updates below – all included with your existing Cloud Optix license.

 

Container Security

  • Azure AKS support
    Support for Azure Kubernetes Service (AKS) has now landed, adding to recent launches of Google’s managed Kubernetes Engine (GKE) in late 2019, and Amazon’s managed Elastic Kubernetes Service (EKS) in February 2020. This allows organizations to track container inventory and view complete topology visualizations.

CIS Certification

  • CIS Benchmarks certification for AWS, Azure, and GCP
    Sophos Cloud Optix has now been certified by CIS (Center for Internet Security) to accurately assess AWS, Azure and GCP environments based on best practices for secure configuration.

Cloud Optix API Enhancements

  • New GET APIs for environments, hosts and user inventory
    The Cloud Optix REST API can now be used to fetch inventory information (Environments, Hosts and Users) for AWS, Azure and GCP platforms. See the Cloud Optix API documentation for details.

AWS and Azure Integrations

  • Amazon Inspector integration
    You can now view Amazon EC2 security findings detected by Amazon Inspector, including CVEs, from within Cloud Optix.

    Starting on the Cloud Optix Host Inventory, a new “Amazon Inspector” filter is now available. This will filter the inventory list to show EC2 instances for which there are Amazon Inspector findings. Click the Inspector icon in the "Actions" column to view findings for the last assessment run for that EC2 instance.

    From the Network Topology Visualization page, a new "CVEs" filter allows customers to highlight EC2 instances that have CVEs discovered by Amazon Inspector, based on severity. Further details are presented in the right-hand column, i.e. the number of CVEs of each severity level, with links to see details of the CVEs on the findings page for the EC2 instance.

  • AWS IAM Access Analyzer integration
    Visibility of cross-account and external access to AWS resources such as S3 buckets is now available via the Cloud Optix console thanks to a new integration with the free AWS IAM Access Analyzer service. Go to Inventory > IAM > External Access (new tab). This further extends Cloud Optix IAM security monitoring announced earlier in 2020.

  • Change the default region for Azure on-boarding
    Cloud Optix creates resources (e.g. Azure Function App) in the customer's default Azure region. Now, within 'Custom Settings' on the 'Add your cloud environment' page, customers can choose to use a different Azure region if they prefer.

Cloud Optix Management Enhancements

  • Search for instances with outbound traffic to a specified IP or port 
    Now use the Cloud Optix global search bar to find virtual machines that Cloud Optix has monitored communicating outbound to a specified IP address or port.
  • Configurable tables 
    Key lists and tables in the Cloud Optix console can now be configured by the customer to hide/show columns. Look for the 'cogs' icon at the top of the table. 
  • Partner ability to hide Spend Monitoring
    Partners can now hide the Spend Monitor from selected accounts if required. This is a manual setting that should be requested via your Sophos account contact.

 

Lastly, a change to Admin roles for non-Central accounts
Customers with Cloud Optix accounts not yet managed via Sophos Central previously had 'Admin' and 'Read-only' administrator roles in the Cloud Optix console. Consistent with Sophos Central, we have added a new 'Super Admin' role for these non-Central accounts.

Now, only an administrator with the 'Super Admin' role can invite new users to the account and assign roles to users. All existing users who previously had the 'Admin' role have been promoted to the 'Super Admin' role to avoid any loss of functionality for existing administrators.

In addition, when a new user is invited to join an account, the default role selected is now 'Read only'. However, the administrator (with Super Admin role) can choose to change this to 'Admin' or 'Super Admin' when inviting the user.

 

Coming Soon!

There’s plenty to get excited about next quarter (spoiler alert!). Here are just a few examples of exciting new features up our sleeve:

  • Sophos MSPs can soon co-brand Cloud Optix exportable compliance reports with their own company logo. Now in Preview.
  • IaC scanning detection of secrets in templates. New policies will check for static secrets/credentials in Terraform templates for AWS and Azure. Now in Preview.
  • Azure Logic Apps in the Serverless area of the inventory for Azure. Details will include: Name, Resource Group, Region, Last Modified, Trigger type, and State. Now in Preview.