Note: It may take up to 10 mins to deploy IAM roles (stack) for the Basic security level and up to 15 mins for the Advanced security level. Cloudxray is deployed with the latter.
1. Introduction
In this guide, we cover the types of deployment for the Cloudnosys AWS CloudFormation template. Cloudnosys offers Basic and Advanced modes of deployment. The Basic deployment provides only misconfiguration detection, whereas the Advanced deployment also provides malware detection, OS vulnerability scanning, and real-time monitoring.
Cloudxray is a single-region deployment and you will be asked to select the region using a drop-down list to deploy Cloudxray. Hence, the solution should ONLY be deployed in one region, where StackSet deployment is offered by AWS.
Note: Cloudxray scanning is supported in all the regions enabled in the customer's AWS cloud account; however, deployment of Cloudxray is ONLY supported in regions where StackSets are supported.
Caution: When adding the AWS cloud account on Cloudnosys, please ensure that you are not reaching the AWS service quota limits (at most 11 EC2 instances of capacity are required) in the region where you are looking to deploy the resources. This will help you avoid a failed AWS CloudFormation template deployment. (Please find the list of resources that the AWS CloudFormation template will deploy under section 3, 'Architecture'.)
Recommendation: Cloudnosys recommends the Advanced mode of deployment since this will give you more coverage of risks and vulnerabilities in your AWS account via our Agentless Cloudxray and EagleEye (real-time detection) features.
2. Prerequisites & Requirements
In this section, we detail the prerequisites and requirements to run and operate our solution.
Cloudxray supports malware detection and posture management (misconfiguration detection) of Linux, Windows, and Mac. Vulnerability scanning (CVE) is currently supported on Linux-based operating systems only.
2.1 Time to Deploy Cloudxray
The deployment will take about 8-10 minutes for Basic Mode and about 10-15 minutes for Advanced mode deployment, but configuration and testing could take up to 15 minutes in total.
2.2 AWS Account
You must have an AWS account set up already. If you don’t, we recommend that you visit the following site and set up an account first: https://aws.amazon.com/getting-started/
2.3 AWS Identity & Access Management (IAM)
Your IAM user should have a policy that allows AWS CloudFormation actions. Do not use your root account to deploy the CloudFormation template. In addition to AWS CloudFormation actions, IAM users who create or delete stacks will also require additional permissions that depend on the stack template. We recommend that the AWS console user you use for stack deployment has Administrator privileges so that the operation completes without failure.
Note: The Cloud Administrator should have sufficient depth of knowledge to deploy the resources specified in this guide.
3. Architecture
Cloudxray will require some resources to be deployed in your AWS account. Firstly, when you onboard your AWS cloud account onto Cloudnosys, you will be asked to create roles (AdministrationRole, ExecutionRole, and Cloudnosys Misconfigurations Detection Role). Once the roles are deployed, you will proceed to the deployment of the Cloudxray Stack. The Cloudxray Stack will deploy the following resources in your AWS account:
| # | Resource | Type | Purpose |
|---|----------|------|---------|
| 1 | VPC | Permanent | A virtual private cloud where all the Cloudxray resources are provisioned |
| 2 | IGW | Permanent | Internet Gateway attached to the VPC for internet access, required to update virus definitions |
| 3 | Subnet | Permanent | A public subnet in the VPC |
| 4 | EC2 | Permanent | Orchestrator instance for orchestration of Cloudxray |
| 5 | EC2 Spot Instance | On-demand | Scanning instance, provisioned when the scan volumes are attached to it for scanning |
| 6 | REST API | Permanent | API Gateway to authorize incoming requests and proxy them to the Request Receiver Lambda |
| 7 | API Gateway Authorizer | Permanent | Authorizes incoming requests by forwarding them to the Authorizer Lambda |
| 8 | Lambda (Authorizer) | Permanent | Checks for the correct authorization code and allows or denies the request |
| 9 | Lambda (Receiver) | Permanent | Request Receiver Lambda that proxies requests to the Orchestrator EC2 |
| 10 | Lambda (Forwarder) | Permanent | Receives data from the Orchestrator and forwards it to the Cloudnosys platform |
| 11 | SG (Orchestrator SG) | Permanent | Security Group attached to the Orchestrator; only accepts requests from the Request Receiver Lambda Security Group |
| 12 | SG (Scanner SG) | Permanent | Security Group attached to the Scanning Instance; only accepts requests from the Orchestrator Security Group |
| 13 | SG (Receiver Lambda SG) | Permanent | Has rules to block all incoming requests. No outgoing rules defined |
| 14 | SG (Forwarder Lambda SG) | Permanent | Allows incoming requests from the Orchestrator SG. Outgoing open to all |
On every scan, snapshots of the instances and their AMIs, of all the discovered instances in a region, will be created using AWS API calls within the same region and then sent to the region where the orchestration instance has been deployed. After the scan is completed, the snapshots, volumes, and images will be deleted as a result of the cleanup operation.
4. Security
The CloudFormation template creates a service-linked IAM role "orch-instance-profile" that is attached to the Orchestrator EC2 instance and allows the Orchestrator to create and delete AMIs, snapshots, and volumes, and to decrypt encrypted volumes using KMS keys, as needed. Immediately after decrypting an encrypted volume, we re-encrypt the copied volume with our own keys. Data at rest and in transit within this architecture is also encrypted.
The trust policy associated with this IAM role allows the Orchestrator to assume the role. The role's inline policy provides only the limited access needed for the required tasks, such as creating, attaching, detaching, scanning, and deleting.
In your environment, Cloudnosys will ONLY be able to delete the resources that were created by Cloudnosys itself. The fine-grained access policy of the instance profile role ensures that this is the case (please review the policy snippet above).
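As an added illustration, and not the policy shipped in the Cloudnosys template (whose exact statements are not reproduced here), the following IAM policy fragment shows one way an instance-profile role can be scoped so that it may delete only the snapshots and volumes it created itself. The tag key `CreatedBy` and value `cloudxray` are assumed placeholders, and the AMI-related actions are left out for brevity.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SnapshotMustCarryOwnerTagAtCreation",
      "Effect": "Allow",
      "Action": "ec2:CreateSnapshot",
      "Resource": "arn:aws:ec2:*::snapshot/*",
      "Condition": { "StringEquals": { "aws:RequestTag/CreatedBy": "cloudxray" } }
    },
    {
      "Sid": "ReadAnySourceVolumeForSnapshot",
      "Effect": "Allow",
      "Action": "ec2:CreateSnapshot",
      "Resource": "arn:aws:ec2:*:*:volume/*"
    },
    {
      "Sid": "VolumeMustCarryOwnerTagAtCreation",
      "Effect": "Allow",
      "Action": "ec2:CreateVolume",
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": { "StringEquals": { "aws:RequestTag/CreatedBy": "cloudxray" } }
    },
    {
      "Sid": "TagOnlyWhileCreating",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": ["arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:volume/*"],
      "Condition": { "StringEquals": { "ec2:CreateAction": ["CreateSnapshot", "CreateVolume"] } }
    },
    {
      "Sid": "DeleteOnlyOwnArtifacts",
      "Effect": "Allow",
      "Action": ["ec2:DeleteSnapshot", "ec2:DeleteVolume"],
      "Resource": "*",
      "Condition": { "StringEquals": { "aws:ResourceTag/CreatedBy": "cloudxray" } }
    }
  ]
}
```

The `ec2:CreateAction` condition on `ec2:CreateTags` is what makes the scheme hold: without it, the role could add the owner tag to any existing volume and then delete it. After deployment, `aws iam get-role-policy` on the instance-profile role is a quick way to confirm that every delete action carries a resource-tag condition.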
Note: Neither the Cloudxray deployment nor its operation requires root privileges. Do NOT use your root account to deploy the CloudFormation template. We recommend that you create and use a new user with Administrator privileges so that the operation completes without failure.
5. Cost
This guide will create the AWS resources outlined in the Deployment Assets section of this guide. The following assets are required to provide a functional platform:
- 1 EC2 Instance for the Orchestrator – permanent
- 1-10 EC2 Instance(s) for the Scanner – deployed for Agentless scanning only
- 1 API Gateway
- 3 Lambda Functions for an Authorizer, a Receiver, & a Sender
NOTE: As we deploy a "t2.Large" instance type for the Orchestrator, its idle cost will be ~USD 66 per month (including 50 GB of attached EBS storage).
Example (use case)
Suppose you have 5 instances (with a single attached EBS volume each) running in your AWS cloud account and you want to run a Cloudxray scan once daily for the whole month. Assuming the daily scan takes 60 minutes to complete, the estimated Cloudxray scanning cost (for 5 instances/volumes) would be as follows:
Let x be the hourly cost of the scanning instance(s). Then:
x = $66 / 730 = $0.09041 per hour
where the monthly cost of 1 scanner instance (t2.Large) is $66 and the total number of hours per month is 730.
For 30 days:
0.09041 x 30 = $2.75 ~ $3 (estimated cost of a 60-minute scan, once daily).
Therefore, the total monthly cost of Cloudxray (including 1 daily 60-minute scan of 5 instances/volumes for a month) would be:
$66 (Orchestrator) + $3 (Scanner) = $69 ~ $70 per month
Note: The agentless Cloudxray scanning cost mainly depends on the total number of EBS volumes attached to EC2 instances in your AWS cloud account and on the total duration of the Cloudxray scan.
Please visit AWS Pricing for the latest pricing information.
6. Deployment Assets
The CloudFormation template will deploy two types of assets in your (client’s) AWS environment:
- On-demand Assets
- Standard Assets
On-demand Assets include a number of EC2 instances (maximum 10) that are deployed when a scan runs. Each EC2 instance scans 1 to 5 volumes in parallel (the "batch size"). Snapshots are created of the volumes attached to all discovered EC2 instances; AMIs are then created from the snapshots so that the resulting volumes can be attached to the scanning EC2 instances for scanning. For example, if you have 50 volumes, ten EC2 instances will be created to process the 50 volumes and then deleted immediately once the scan finishes.
Standard Assets include the resources that are permanently deployed in your (client’s) AWS environment through the AWS CloudFormation template, required to perform the orchestration and virus definition updates of the agentless scanning system. The list of the provisioned assets will be as follows:
- VPC
- Public Subnet
- Internet Gateway
- Instance Profile IAM Role
- EC2 Instance (Orchestrator)
- Rest API deployed on API Gateway
- Lambda Functions
7. Monitoring (Health Check)
To make sure that the application is functioning normally, the following steps can be taken:
- You will receive email and platform system notifications if there’s an issue detected in the system
- You can check logs (AWS/Azure/GCP) for any errors generated by Cloudnosys deployed resources
- Check to see if the last scanned date is NOT older than expected.
8. Maintenance
Routine: Cloudxray must be redeployed via the AWS CloudFormation template when there is an architectural change. For that, the Cloudnosys team will notify you and provide an updated AWS CloudFormation template with instructions. Other components within Cloudxray, such as virus definitions, are auto-updated from trusted sources.
Emergency: In case of an emergency with respect to the functioning of Cloudxray, get in touch with our support team via email at [email protected], and your account manager will make the arrangements to get it fixed for you as soon as possible.
9. Support
Cloudnosys is a SaaS solution and is self-servicing. However, our enterprise package comes with 4 weeks of onboarding & training. For all other matters, assistance is available via live chat on the platform or via email at [email protected].