Amazon Web Services Deployment Configuration—Automatic Mode (Essentials Subscription)

Alert Logic recommends Automatic Mode for AWS deployment creation if you want Alert Logic to deploy and maintain new VPC subnets used for scanning instances.

Deployment creation requires that you be logged into your Alert Logic account and the AWS account you want this deployment to monitor and protect.

If you manage more than one Alert Logic account, be sure you are logged into the correct account.

To start creating your AWS deployment:

  1. From the Alert Logic console, click CONFIGURATION, and then click Deployments.
  2. Click the add icon, and then select Amazon Web Services.
  3. Type a name for your deployment, and then click SAVE AND CONTINUE.
  4. Select Automatic Mode, and then click SAVE & CONTINUE.

IAM policy and role creation

To protect your AWS deployment, you must set up an AWS IAM policy and role to allow Alert Logic access to your AWS account. Alert Logic provides an AWS CloudFormation template to automate creation of the correct policy and role for the deployment. You can also choose to manually set up the IAM policy and role.

Cross-account roles allow Alert Logic to access your AWS account. AWS role creation requires that you provide an AWS policy, a document that specifies the permissions assigned to the AWS role you create for Alert Logic to access your AWS account.

Alert Logic recommends you set up AWS cross-account roles using the default procedures in the Alert Logic console, which allow Alert Logic to make all the necessary changes to your AWS account. The full permission policy documents do not allow Alert Logic to:

  • Retrieve secret keys or credentials from IAM
  • Retrieve data from data stores other than S3
  • Perform these actions from any other AWS account
  • Grant access to the protected account to any other AWS account or user
  • Modify IAM credentials or policies
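
One way to check a policy document against the restrictions listed above before you attach it to the cross-account role. This is an added example, not Alert Logic's code or policy; the probe actions chosen for each restriction and the sample policy are assumptions constructed for illustration.

```python
import fnmatch

# Probe actions standing in for each restriction in the list above. This
# mapping is an assumption made for the example, not an Alert Logic list.
PROBES = {
    "retrieve IAM credentials": ["iam:CreateAccessKey", "iam:CreateLoginProfile"],
    "read non-S3 data stores": ["dynamodb:GetItem", "rds-data:ExecuteStatement"],
    "grant access to others": ["iam:UpdateAssumeRolePolicy", "iam:CreateUser"],
    "modify IAM policies": ["iam:PutRolePolicy", "iam:AttachRolePolicy"],
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _covers(stmt, action):
    # IAM matches actions case-insensitively and supports * and ? wildcards.
    def hit(patterns):
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    if "NotAction" in stmt:
        return not hit(_as_list(stmt["NotAction"]))
    return hit(_as_list(stmt.get("Action")))

def audit_policy(policy):
    """Return {restriction: [probe actions the policy document allows]}."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    allows = [s for s in stmts if s.get("Effect") == "Allow"]
    # Only an unconditional Deny on every resource is trusted to cancel an Allow.
    denies = [s for s in stmts if s.get("Effect") == "Deny"
              and "Condition" not in s and "*" in _as_list(s.get("Resource"))]
    findings = {}
    for restriction, actions in PROBES.items():
        allowed = [a for a in actions
                   if any(_covers(s, a) for s in allows)
                   and not any(_covers(s, a) for s in denies)]
        if allowed:
            findings[restriction] = allowed
    return findings

# Constructed sample policy: read-only statement plus one over-broad wildcard.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "s3:GetObject", "iam:Get*", "iam:List*"]},
        {"Effect": "Allow", "Resource": "*", "Action": "iam:*Policy"},
    ],
}
```

Calling `audit_policy(SAMPLE_POLICY)` reports the `iam:*Policy` wildcard under two restrictions; an empty result means none of the probe actions are allowed.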

IAM policy and role setup using AWS CloudFormation

Alert Logic recommends you use the Alert Logic CloudFormation template for quick, convenient IAM policy and role creation. The CloudFormation template creates the appropriate IAM role that allows your deployment access to your AWS assets.

Click CLOUDFORMATION SETUP, and then follow the instructions in the Alert Logic console and the AWS console.

IAM policy and role setup using manual IAM setup

Select manual IAM setup if your AWS account permissions allow you to create an IAM policy but do not allow you to run CloudFormation.

Click MANUAL IAM SETUP, and then follow the instructions on the screen.

Enter your Role ARN

In the Alert Logic console, enter the ARN you copied from the AWS console after you created the IAM role.

Asset Discovery

Allow Alert Logic a moment to discover your assets. When discovery is complete, click CONTINUE. Alert Logic displays the assets discovered in your account in topology diagrams. To learn more about topology, click Topology.

Add external assets

You can add external assets by domain name or IP address.

External assets are also used for non-PCI external scans.

To add external assets:

  1. Click the Add icon, and then choose the DNS name or IP address.
    • If you chose the DNS name, enter your fully-qualified domain name in the field.
    • If you chose IP address, name your external IP address, and then enter the IP address in the field.
  2. Click SAVE.

Scope of protection

Alert Logic discovers and organizes deployments into a visual topology where you can select the desired levels of protection for your assets.

You can define the scope of your protection per VPC or per region. Each VPC appears within its protected region. Click a region or individual VPC to set the service level or leave it unprotected, and then click SAVE. You must choose one of the following levels of coverage:

  • Unprotected
  • Alert Logic Essentials coverage

Exclusions

Click EXCLUSIONS to exclude assets or AWS tags from external and internal scanning.

External scanning

To exclude assets for external scanning:

  1. Select the External Scanning tab to view assets available to exclude.
  2. Click EXCLUDE for the asset you want to exclude.
    You can remove an asset from the exclusion list at any time to include the asset in scanning. To remove an asset from the exclusion list, click CANCEL.
  3. After you apply your exclusions, close the Exclusions window.
  4. On the Scope of Protection page, click SAVE.

Internal scanning

To exclude assets or AWS tags for internal scanning:

  1. Select the Internal Scanning tab, and then click ASSETS or TAGS to search for assets or tags available to exclude.
  2. Click EXCLUDE for the asset or tag you want to exclude.
    You can remove an asset from the exclusion list at any time to include the asset in scanning. To remove an asset from the exclusion list, click CANCEL.
  3. After you apply your exclusions, close the Exclusions window.
  4. On the Scope of Protection page, click SAVE.

Scheduling

Alert Logic automatically performs certain scans. You can schedule how often and when you want Alert Logic to scan for vulnerabilities from the Internal Scans and External Scans tabs.

Internal scans and External scans

To schedule how often you want Alert Logic to scan for vulnerabilities, choose one of the following options:

  • Scan as often as necessary—Select this option if you want Alert Logic to scan known assets for vulnerabilities once a day, or twice a day, if significant changes are detected to an asset.
  • Scan once a day
  • Scan once a week
  • Scan once a month

To schedule when you want Alert Logic to scan for vulnerabilities, choose one of the following options:

  • Scan whenever necessary—Select this option if you do not want to limit Alert Logic scans to particular days or times.
  • Scan only during certain hours on certain days
  • Scan only on a certain day (AWS and Azure deployments only)

Click SAVE, and then click NEXT.

Configuration Topology

This topology diagram provides an overview of your scope of protection. You can see which assets are unprotected, or being scanned at the Essentials, Professional, or Enterprise levels.

The protection breakdown displays how many assets are unprotected, excluded, and protected, along with the number of protected assets in each level.

Update the Alert Logic appliance firewall rules

If you used a CloudFormation template or a Terraform template provided by Alert Logic for your appliance installation, you do not need to perform this step.

Ensure the proper inbound and outbound firewall rules are in place for the appliance. For information about firewall rules, see Alert Logic Firewall Rules.

Configure ports for scanning

For internal scanning, Alert Logic recommends that the appliance IP should be able to communicate with target assets for scanning over ports 1-65535 to validate any open service running on any port on the assets. This configuration also allows Alert Logic to test for vulnerabilities that may exist for those services.
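
To confirm that a target's inbound rules give the appliance the full 1-65535 range recommended above, the following added example (not Alert Logic code) lists the TCP port ranges the appliance cannot reach. It evaluates security group rules only, in the `IpPermissions` shape returned by EC2 DescribeSecurityGroups; network ACLs and host firewalls are not considered, and the addresses, group IDs, and rules are constructed.

```python
import ipaddress

def _admits(rule, appliance_ip, appliance_sg):
    # A rule applies if the appliance matches by CIDR or by source security group.
    ip = ipaddress.ip_address(appliance_ip)
    if any(ip in ipaddress.ip_network(r["CidrIp"], strict=False)
           for r in rule.get("IpRanges", [])):
        return True
    return appliance_sg is not None and any(
        p.get("GroupId") == appliance_sg for p in rule.get("UserIdGroupPairs", []))

def tcp_port_gaps(ip_permissions, appliance_ip, appliance_sg=None):
    """Return the TCP port ranges within 1-65535 the appliance cannot reach."""
    spans = []
    for rule in ip_permissions:
        if not _admits(rule, appliance_ip, appliance_sg):
            continue
        if rule["IpProtocol"] == "-1":        # "-1" means all protocols, all ports
            spans.append((1, 65535))
        elif rule["IpProtocol"] == "tcp":
            spans.append((max(rule["FromPort"], 1), rule["ToPort"]))
    gaps, next_port = [], 1
    for low, high in sorted(spans):           # sweep the allowed ranges in order
        if low > next_port:
            gaps.append((next_port, low - 1))
        next_port = max(next_port, high + 1)
    if next_port <= 65535:
        gaps.append((next_port, 65535))
    return gaps

# Constructed inbound rules for one target asset; all values are made up.
APPLIANCE_IP = "10.0.1.25"
TARGET_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 8443,
     "IpRanges": [{"CidrIp": "10.0.1.25/32"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "192.168.0.0/16"}]},   # does not match the appliance
]
```

An empty list from `tcp_port_gaps` means the security group layer allows the appliance on every TCP port; any returned range is a set of ports the scan cannot validate.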

Verify the health of your deployment

After you create your deployment, access the Health console in the Alert Logic console to determine the health of your networks, appliances, and agents, and then make any necessary changes.