Have you ever encountered the story of a pioneering conductor, Jean-Baptiste Lully? He was one of the earliest recorded orchestra conductors, famously known for using a baton—an impressive six-foot-long staff he used to keep time. Unfortunately, his story took a tragic turn when he accidentally struck his foot with the baton during a concert. Ignoring treatment for his injury led to gangrene and ultimately his death two months later.
Today, many DevOps engineers can relate to the challenges of orchestrating workflows in the cloud across various teams. As application teams continuously deploy updates via Continuous Integration and Continuous Delivery (CI/CD) pipelines, ensuring the security of all applications becomes increasingly complex.
Amazon Web Services (AWS) offers tools like AWS Systems Manager to help automate operational tasks and quickly access operational data for the resources utilized by these applications. Systems Manager is a suite of services designed to enhance visibility and control over your AWS infrastructure. It simplifies the management of resources and applications while providing a user-friendly interface to act on operational data from numerous AWS services.
A critical component is the Systems Manager Agent (SSM Agent), which operates on Amazon Elastic Compute Cloud (Amazon EC2) instances to facilitate task automation through remote commands or scripts. AWS conveniently installs the SSM Agent by default in most Amazon Machine Images (AMIs).
At Symantec, recognized as an AWS Partner Network (APN) Advanced Technology Partner with the AWS Security Competency, we continually seek ways to enhance customer experience with our products. Our latest integration combines Amazon’s SSM Agent with Symantec’s cloud-native Cloud Workload Protection (CWP) solution.
Cloud Workload Protection
CWP, available in the AWS Marketplace, is a security solution designed to protect Amazon EC2 instances against malware, application exploits, and system modifications that could compromise security.
CWP utilizes an AWS Identity and Access Management (IAM) role to gain insight into all Amazon EC2 instances and deploys an agent on those instances to monitor applications, enforce policies, scan for malicious files, and secure Docker containers. The CWP agent includes support for anti-malware, intrusion detection and prevention (IDS/IPS), and file integrity monitoring (FIM).
CWP also offers reporting capabilities alongside a detailed visual topology of EC2 instances, highlighting their security risk based on common vulnerabilities and exposures (CVEs) detected in applications and infrastructure.
In the latest update, CWP features an enhanced AWS CloudFormation template that employs the SSM Run Command to assist customers in installing the CWP agent on their Amazon EC2 instances. Let’s explore how CWP integrates with the SSM Agent and discuss the steps to get started.
SSM Agent Integration
As illustrated in the provided figure, the initial step involves creating a cross-account IAM role for CWP. Launch a CloudFormation template to establish an IAM cross-account role necessary for discovering your Amazon EC2 instances across any AWS region. Once CWP identifies your instances, you can choose which ones to deploy and install the CWP agent on.
Following this, CWP creates an Amazon Simple Storage Service (Amazon S3) bucket in your account to upload the CWP agent for distribution. It also creates another IAM role to verify that your instances have the SSM Agent installed with appropriate permissions for the SSM service (AmazonEC2RoleForSSM).
Some Linux instances may not have the SSM Agent pre-installed. In such cases, CWP will notify you which instances lack the SSM Agent. You can follow the guidelines in the article about Manually Installing SSM Agent on Amazon EC2 Linux Instances to install the SSM Agent for those instances.
Finally, CWP executes the SSM Run Command to download and install the CWP agent from the previously created Amazon S3 bucket, and generates an Amazon Simple Notification Service (Amazon SNS) topic to relay the installation status. CWP employs an AWS Lambda function to synchronize the SNS topic across different regions, ensuring customers receive updates on all Amazon EC2 instances, irrespective of the AWS region.
Steps for Using CWP with the SSM Agent
To utilize CWP alongside the SSM Agent, follow these four steps, noting that the CWP agents require secure Internet connectivity for updates, and your Amazon EC2 instances will need access to your S3 buckets for downloading the CWP agent.
Step 1: Subscribe to Cloud Workload Protection (CWP)
CWP can be accessed via the AWS Marketplace. Key features include:
- Anti-malware scanning: Protect both Windows and Linux EC2 instances using leading SEP anti-malware, reputation analysis, and exploit prevention.
- Host-based IPS: Hardening of operating systems and applications, alongside monitoring for system processes and defense against zero-day attacks.
- Container security: Discover and assess container activities, security posture, and status across public and hybrid cloud environments.
Check out CWP on AWS Marketplace for more information.
Step 2: Create an IAM cross-account role
Upon subscribing to CWP, you will receive an email with instructions on activating your Symantec account. Log into CWP and utilize the AWS configuration wizard to create an IAM cross-account role, which Symantec will use for instance discovery.
Step 3: Deploy the CWP agent
During the AWS configuration wizard, you can filter and select the instances for CWP agent deployment. Note that the wizard may prompt you to reboot instances after installation. Reboots aren’t necessary for anti-malware but are required for IDS/IPS and FIM; you can opt to reboot later.
Step 4: Review deployment progress
Once you’ve selected instances for CWP agent installation, the AWS configuration wizard will display the installation status. Alternatively, you can download the CloudFormation template from the CWP console (Settings > AWS Connection > Select Connection > Download AWS CloudFormation Template) and customize it to meet your needs. The template provisions the cross-account role with permissions to automate agent deployment using the AWS-RunRemoteScript command.
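The pre-deployment check and the Run Command call that the integration description and Steps 1 to 4 above walk through, as an added example (not Symantec's or AWS's own code): it lists the EC2 instances the SSM service has no online agent for, then targets the rest with the AWS-RunRemoteScript document, pulling the installer from the S3 bucket and reporting per-instance status to the SNS topic. The bucket, object key, command line, topic ARN and role ARN are placeholders you would substitute; the sample inventory data is constructed.

```python
"""Added example: SSM Agent readiness check plus AWS-RunRemoteScript deployment.
Bucket, key, command line, topic ARN and role ARN are placeholders (assumed)."""
import json
from typing import Dict, List


def instances_missing_ssm(ec2_ids: List[str], ssm_info: List[Dict]) -> List[str]:
    """IDs of discovered instances that have no *online* SSM Agent.

    ec2_ids  - from ec2.describe_instances (what the cross-account role discovers)
    ssm_info - from ssm.describe_instance_information (what has a reachable agent)
    Registered-but-ConnectionLost/Inactive agents count as missing: Run Command
    cannot reach them, so the install would silently never run.
    """
    online = {i["InstanceId"] for i in ssm_info if i.get("PingStatus") == "Online"}
    return sorted(set(ec2_ids) - online)


def run_remote_script_params(bucket: str, key: str, command_line: str) -> Dict[str, List[str]]:
    """Parameters for AWS-RunRemoteScript: fetch the installer from S3 and run it."""
    return {
        "sourceType": ["S3"],
        "sourceInfo": [json.dumps({"path": f"https://s3.amazonaws.com/{bucket}/{key}"})],
        "commandLine": [command_line],
        "executionTimeout": ["3600"],  # seconds; installer plus reboot prompt fits easily
    }


def deploy_agent(region, bucket, key, command_line, topic_arn, role_arn):
    """Check agents, send the command to reachable instances, report via SNS."""
    import boto3  # imported lazily so the pure helpers above run without AWS access

    ec2 = boto3.client("ec2", region_name=region)
    ssm = boto3.client("ssm", region_name=region)
    ec2_ids = [i["InstanceId"] for r in ec2.describe_instances()["Reservations"]
               for i in r["Instances"]]  # pagination omitted for brevity
    info = ssm.describe_instance_information()["InstanceInformationList"]
    missing = instances_missing_ssm(ec2_ids, info)
    targets = [i for i in ec2_ids if i not in missing]  # send_command takes <= 50 IDs
    if not targets:
        return {"missing_ssm_agent": missing, "command_id": None}
    resp = ssm.send_command(
        InstanceIds=targets, DocumentName="AWS-RunRemoteScript",
        Parameters=run_remote_script_params(bucket, key, command_line),
        ServiceRoleArn=role_arn,  # role SSM assumes to publish to the topic
        NotificationConfig={"NotificationArn": topic_arn, "NotificationEvents": ["All"],
                            "NotificationType": "Invocation"},  # one event per instance
    )
    return {"missing_ssm_agent": missing, "command_id": resp["Command"]["CommandId"]}


# Constructed sample inventory, mirroring the "instances lack the SSM Agent" notice.
SAMPLE_EC2 = ["i-0aaa", "i-0bbb", "i-0ccc"]
SAMPLE_SSM = [{"InstanceId": "i-0aaa", "PingStatus": "Online"},
              {"InstanceId": "i-0bbb", "PingStatus": "ConnectionLost"}]

if __name__ == "__main__":
    print("needs manual SSM Agent install:", instances_missing_ssm(SAMPLE_EC2, SAMPLE_SSM))
```

Instances listed as missing are the ones to fix by hand per the manual SSM Agent install guide before re-running the deployment; the S3 path only needs to be reachable by the instance role, so the bucket policy can stay limited to those instances.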
Summary
After installing the CWP agent and rebooting your Amazon EC2 instances, you’re all set. CWP will automatically scan for malware, but you can also customize its settings to fit your needs.