sophos-iaas/aws-cf-templates

Name: aws-cf-templates

Description: CloudFormation templates for AWS

Created: 2016-07-05 07:51:58.0

Updated: 2018-02-17 14:57:18.0

Pushed: 2018-02-14 04:11:21.0

Homepage: null

Size: 117

Language: null


README

Sophos NSG CloudFormation Templates

This repository tracks the templates used within the Sophos NSG CloudFormation template S3 bucket s3://sophos-nsg-cf/

Instant Deployment

With the templates we provide, you can instantly deploy our UTM solutions on AWS using any of the Amazon 1-Click launch options below.

Sophos UTM (High Availability, Cold Standby)

Sophos UTM (High Availability, Warm Standby)

Sophos UTM (Auto Scaling)

Manual Setup using the CloudFormation templates

You can use any of the templates with CloudFormation by referencing its S3 URL.

Usage in all regions except AWS GovCloud (US)

To use a template in any region except AWS GovCloud (US), prepend

https://s3.amazonaws.com/sophos-nsg-cf/

to the template filename from the Sophos NSG template repository.

For example, the URL for utm/autoscaling.template is

https://s3.amazonaws.com/sophos-nsg-cf/utm/autoscaling.template

Usage in AWS GovCloud (US) region

For GovCloud you need to use the following prefix:

https://s3-us-gov-west-1.amazonaws.com/sophos-nsg-cf/

When using utm/autoscaling.template, the URL is

https://s3-us-gov-west-1.amazonaws.com/sophos-nsg-cf/utm/autoscaling.template

IAM Permissions

Autoscaling

UTM Worker instances (WorkerPolicy)

| Feature | Statement ID | Service | Action | Resources |
|---------|--------------|---------|--------|-----------|
| configuration synchronization and backup | ConfigSyncAndBackup | S3 | Get*, List* | S3 bucket of the stack |
| basic functionality | ReportingSync | S3 | Get*, List*, Delete*, Put* | S3 bucket of the stack |

UTM Controller instances (UTMPolicy)

| Feature | Statement ID | Service | Action | Resources |
|---------|--------------|---------|--------|-----------|
| basic functionality | DisableSrcDestCheck | EC2 | ModifyInstanceAttribute | * (1) |
| basic functionality | EipAssociation1 | AutoScaling | DescribeAutoScalingGroups | * (1) |
| basic functionality | EipAssociation2 | CloudFormation | DescribeStackResources | * (1) |
| basic functionality | EipAssociation3 | EC2 | AssociateAddress, DescribeAddresses, DisassociateAddress | * (1) |
| configuration synchronization and backup | ConfigSyncAndBackup | S3 | * | S3 bucket of the stack |
| ELB and SG management | WafElbManagement1 | ElasticLoadBalancing | ConfigureHealthCheck, CreateLoadBalancerListeners, DeleteLoadBalancerListeners, SetLoadBalancerPoliciesForBackendServer | ELB of the stack |
| ELB and SG management | WafElbManagement2 | ElasticLoadBalancing | DescribeLoadBalancers, DescribeLoadBalancerPolicies | * (1) |
| ELB and SG management | WafElbManagement3 | CloudFormation | DescribeStackResources | * (1) |
| ELB and SG management | SecurityGroupManagement1 | EC2 | AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress, RevokeSecurityGroupEgress, RevokeSecurityGroupIngress | only this stack |
| ELB and SG management | SecurityGroupManagement2 | EC2 | DescribeSecurityGroups | * (1) |
| license pool | LicensePool1 | EC2 | CreateTags | UTM stack |
| license pool | LicensePool2 | EC2 | DescribeInstances | * (1) |
| license pool | LicensePool3 | S3 | Get*, List* | stack license pool bucket |
| OGW auto recovery | OGWAutoRecovery | IAM | AttachRolePolicy, CreateRole, DeleteRole, PassRole | EC2ActionsAccess role |
| remote logging | CloudWatchLogging | Logs | CreateLogGroup, CreateLogStream, PutLogEvents | * |
| UTM update | UtmUpdate1 | AutoScaling | SetDesiredCapacity, TerminateInstanceInAutoScalingGroup, UpdateAutoScalingGroup | UTM stack |
| UTM update | UtmUpdate2 | AutoScaling | CreateLaunchConfiguration, DeleteLaunchConfiguration, DescribeAutoScalingGroups, DescribeAutoScalingInstances, DescribeLaunchConfigurations, DescribeScalingActivities, DescribeScheduledActions | * (1) |
| UTM update | UtmUpdate3 | CloudFormation | DescribeStacks | * (1) |
| UTM update | UtmUpdate4 | CloudFormation | UpdateStack | UTM stack |
| UTM update | UtmUpdate5 | EC2 | DescribeAvailabilityZones, DescribeInstances, DescribeImages, DescribeKeyPairs, DescribeSecurityGroups | * (1) |
| UTM update | UtmUpdate6 | IAM | PassRole | UTM role |
| UTM update | UtmUpdate7 | S3 | Get*, List* | Sophos template buckets |

(1) AWS does not allow these permissions to be restricted at the resource level.

Outbound Gateway instances (Allow-Describe-EC2-And-ReplaceRoute)

| Service | Action | Resources | Required for |
|---------|--------|-----------|--------------|
| EC2 | DescribeRouteTables, DescribeSubnets, ReplaceRoute | * | updating the client network route tables |

Outbound Gateway automated management

| Feature | Statement ID | Service | Action | Resources |
|---------|--------------|---------|--------|-----------|
| OGW deployment and monitoring | InitiateDeployment1 | CloudFormation | CreateStack | Sophos OGW templates |
| OGW deployment and monitoring | InitiateDeployment2 | EC2 | DescribeInternetGateways | * (1) |
| OGW deployment and monitoring | InitiateDeployment3 | S3 | ListBucket | Sophos template bucket |
| OGW deployment and monitoring | InitiateDeployment4 | S3 | GetObject | Sophos template bucket |
| OGW deployment and monitoring | MonitorDeployment1 | CloudFormation | DescribeStacks | * (1) |
| OGW deployment and monitoring | MonitorDeployment2 | EC2 | DescribeInstances | * (1) |
| OGW deployment and monitoring | MonitorAndTerminateDeployment | CloudFormation | DeleteStack, DescribeStackResources | Stacks with OGW naming scheme |
| OGW stack creation/deletion | ManageOGWStackResources1 | EC2 | AssociateRouteTable, AuthorizeSecurityGroupIngress, CreateRoute, CreateRouteTable, CreateSecurityGroup, CreateTags, DescribeInstances, DescribeKeyPairs, DescribeRouteTables, DescribeSecurityGroups, DescribeSubnets, DescribeVpcs, DisassociateRouteTable, ModifyInstanceAttribute | * (1) |
| OGW stack creation/deletion | ManageOGWStackResources2 | EC2 | RunInstances | Instances with the OGW profile |
| OGW stack creation/deletion | ManageOGWStackResources3 | EC2 | RunInstances | Resources required for launching an instance |
| OGW stack creation/deletion | ManageOGWStackResources4 | EC2 | DeleteRoute, DeleteRouteTable, DeleteSecurityGroup, TerminateInstances | OGW stack resources |
| OGW stack creation/deletion | ManageOGWStackResources5 | IAM | CreateRole, DeleteRole, DeleteRolePolicy, PassRole, PutRolePolicy | OGW IAM roles |
| OGW stack creation/deletion | ManageOGWStackResources6 | IAM | AddRoleToInstanceProfile, CreateInstanceProfile, DeleteInstanceProfile, RemoveRoleFromInstanceProfile | IAM profiles with OGW naming scheme |
| OGW stack creation/deletion | ManageOGWStackResources7 | CloudWatch | PutMetricAlarm, DeleteAlarms | * (1) |
| OGW stack creation/deletion | RequiredForCloudWatchPutMetricAlarm | EC2 | DescribeInstanceRecoveryAttribute, DescribeInstanceStatus, RecoverInstances | * (1) |
| OGW stack creation/deletion | RequiredForOGWInstancePolicy | EC2 | DescribeRouteTables, DescribeSubnets, ReplaceRoute | * (1) |

(1) AWS does not allow these permissions to be restricted at the resource level.

High Availability (HA Warm and Cold Standby)

All instances (UTMPolicy)

| Service | Action | Resources | Required for |
|---------|--------|-----------|--------------|
| * (except IAM) | * | * | the HA feature to manage its resources. We are working on limiting these permissions in the future. |
| CloudFormation | UpdateStack | * | UTM update |
| IAM | PassRole | * | UTM update |
| Logs | CreateLogGroup, CreateLogStream, DescribeLogStreams, PutLogEvents | * | sending logs to CloudWatch |
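As an added example (not code from this repository or its templates), the following Python builds the WorkerPolicy document from the table above and audits any policy document for Allow statements whose Action or Resource is a bare wildcard, the cases footnote (1) and the HA policy's "* (except IAM)" row describe. The bucket name, the ARN layout (bucket ARN plus a `/*` object pattern) and the use of NotAction to express "except IAM" are assumptions.

```python
import json


def worker_policy(stack_bucket):
    """Build the UTM WorkerPolicy described in the README: two S3 statements
    (ConfigSyncAndBackup, ReportingSync) scoped to the stack's bucket.
    Assumption: List* needs the bucket ARN, Get*/Put*/Delete* the object ARN."""
    bucket_arn = "arn:aws:s3:::" + stack_bucket
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ConfigSyncAndBackup", "Effect": "Allow",
             "Action": ["s3:Get*", "s3:List*"],
             "Resource": [bucket_arn, bucket_arn + "/*"]},
            {"Sid": "ReportingSync", "Effect": "Allow",
             "Action": ["s3:Get*", "s3:List*", "s3:Delete*", "s3:Put*"],
             "Resource": [bucket_arn, bucket_arn + "/*"]},
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def broad_statements(policy):
    """Return (Sid, wildcard_action, wildcard_resource) for every Allow
    statement that grants a bare '*' Action (or uses NotAction) or a bare
    '*' Resource; these are the rows a least-privilege review looks at first."""
    flagged = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        wide_action = "*" in _as_list(st.get("Action")) or "NotAction" in st
        wide_resource = "*" in _as_list(st.get("Resource"))
        if wide_action or wide_resource:
            flagged.append((st.get("Sid", "<no Sid>"), wide_action, wide_resource))
    return flagged


# Constructed stand-in for the HA UTMPolicy table; "* (except IAM)" is
# written as NotAction here (assumption about how the template phrases it).
HA_POLICY_EXAMPLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "HAManageResources", "Effect": "Allow",
         "NotAction": "iam:*", "Resource": "*"},
        {"Sid": "CloudWatchLogging", "Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                    "logs:DescribeLogStreams", "logs:PutLogEvents"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(worker_policy("my-utm-stack-bucket"), indent=2))
    for sid, wide_action, wide_resource in broad_statements(HA_POLICY_EXAMPLE):
        print(f"{sid}: wildcard action={wide_action} wildcard resource={wide_resource}")
```

Running the audit against the WorkerPolicy returns nothing, while the HA stand-in flags both rows; the Logs row is the resource-level "*" case the footnotes describe, the first row is the one the README says is still to be limited.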
