Amazon Web Services (AWS) Deployment Configuration—Automatic Mode (Essentials Subscription)

Alert Logic recommends Automatic Mode for AWS deployment creation if you want Alert Logic to deploy and maintain new VPC subnets used for scanning instances.

Deployment creation requires that you be logged into your Alert Logic account and the AWS account you want this deployment to monitor and protect.

If you manage more than one Alert Logic account, be sure you are logged into the correct account.

To start creating your AWS deployment:

  1. In the Alert Logic console, click the Configure menu item, and then click Deployments.
  2. Click the add icon, and then select Amazon Web Services (AWS).
  3. Type a name for your deployment, and then click SAVE AND CONTINUE.
  4. Select Automatic Mode, and then click SAVE & CONTINUE.

IAM policy and role creation

To protect your AWS deployment, you must set up an AWS IAM policy and role to allow Alert Logic access to your AWS account. Alert Logic provides an AWS CloudFormation template to automate creation of the correct policy and role for the deployment. You can also choose to manually set up the IAM policy and role.

Cross-account roles allow Alert Logic to access your AWS account. AWS role creation requires that you provide an AWS policy, a document that specifies the permissions assigned to the AWS role you create for Alert Logic to access your AWS account.

Alert Logic recommends you set up AWS cross-account roles using the default procedures in the Alert Logic console, which allow Alert Logic to make all the necessary changes to your AWS account. The full permission policy documents do not allow Alert Logic to:

  • Retrieve secret keys or credentials from IAM
  • Retrieve data from data stores other than S3
  • Perform these actions from any other AWS account
  • Grant access to the protected account to any other AWS account or user
  • Modify IAM credentials or policies
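The limits listed above are the properties worth verifying on the role before its ARN is entered in the console. The following script is an added example, not Alert Logic's CloudFormation template or policy text: it audits a constructed trust policy and permission policy for those properties. The account ID, the ExternalId value, the sample documents and the list of representative AWS actions chosen for each limit are this example's own assumptions, and the sts:ExternalId check reflects general AWS guidance for cross-account roles rather than anything stated on this page.

```python
import fnmatch

# Constructed placeholder for the account that will assume the role (not a real ID).
MONITORING_ACCOUNT = "222222222222"

# Representative AWS actions that would violate each limit listed above.
# The grouping is this example's own choice, not Alert Logic's policy text.
FORBIDDEN_BY_LIMIT = {
    "retrieve secret keys or credentials from IAM": [
        "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:CreateServiceSpecificCredential"],
    "retrieve data from data stores other than S3": [
        "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan",
        "secretsmanager:GetSecretValue", "ssm:GetParameter", "rds-data:ExecuteStatement"],
    "modify IAM credentials or policies": [
        "iam:PutRolePolicy", "iam:AttachRolePolicy", "iam:CreatePolicyVersion",
        "iam:UpdateAssumeRolePolicy", "iam:UpdateAccessKey", "iam:DeleteAccessKey"],
    "grant access to any other AWS account or user": [
        "iam:CreateUser", "iam:CreateRole", "s3:PutBucketPolicy", "kms:PutKeyPolicy"],
}


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def policy_allows(policy, action):
    """True if an Allow statement matches `action` (case-insensitive, '*'/'?'
    wildcards) and no Deny statement does. Resource and Condition scoping are
    ignored on purpose: this is a coarse check of what the role could ever call."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt.get("Action"))):
            allowed |= stmt.get("Effect") == "Allow"
            denied |= stmt.get("Effect") == "Deny"
    return allowed and not denied


def audit_permission_policy(policy):
    """One finding per forbidden action the permission policy would permit."""
    return [f"{limit}: policy allows {action}"
            for limit, actions in FORBIDDEN_BY_LIMIT.items()
            for action in actions if policy_allows(policy, action)]


def _principal_account(principal):
    """Account ID from a bare ID or an IAM ARN ('' if unrecognised)."""
    if principal.isdigit():
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[4].isdigit() else ""


def audit_trust_policy(trust, expected_account):
    """Only `expected_account` may assume the role. The sts:ExternalId check is
    general AWS guidance for cross-account roles, not a requirement on this page,
    so it is reported as a warning rather than a failure."""
    findings = []
    for stmt in _as_list(trust.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append("trust policy lets any AWS principal assume the role")
            continue
        for p in aws_principals:
            if _principal_account(p) != expected_account:
                findings.append(f"unexpected trusted principal {p}")
        if not any("sts:ExternalId" in keys for keys in stmt.get("Condition", {}).values()):
            findings.append("warning: no sts:ExternalId condition on the assume-role statement")
    return findings


def _doc(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


# Constructed sample documents (placeholders, not Alert Logic's templates).
TRUST_POLICY_OK = _doc({"Effect": "Allow", "Action": "sts:AssumeRole",
                        "Principal": {"AWS": f"arn:aws:iam::{MONITORING_ACCOUNT}:root"},
                        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}})
TRUST_POLICY_OPEN = _doc({"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": "*"})
PERMISSION_POLICY_OK = _doc({"Effect": "Allow", "Resource": "*", "Action": [
    "ec2:Describe*", "s3:GetObject", "s3:ListBucket", "cloudtrail:DescribeTrails", "iam:List*"]})
PERMISSION_POLICY_BROAD = _doc({"Effect": "Allow", "Resource": "*",
                                "Action": ["ec2:*", "iam:*", "dynamodb:*"]})
# Same broad grant with an explicit Deny: the IAM findings disappear, the rest remain.
PERMISSION_POLICY_WITH_DENY = _doc({"Effect": "Allow", "Resource": "*", "Action": "*"},
                                   {"Effect": "Deny", "Resource": "*", "Action": "iam:*"})

if __name__ == "__main__":
    print("trust (ok):", audit_trust_policy(TRUST_POLICY_OK, MONITORING_ACCOUNT))
    print("trust (open):", audit_trust_policy(TRUST_POLICY_OPEN, MONITORING_ACCOUNT))
    for name, doc in [("ok", PERMISSION_POLICY_OK), ("broad", PERMISSION_POLICY_BROAD),
                      ("deny", PERMISSION_POLICY_WITH_DENY)]:
        print(f"permissions ({name}):", audit_permission_policy(doc))
```

Because Resource and Condition scoping are ignored, the audit over-reports rather than under-reports: a finding means the action is reachable somewhere in the policy, which is the right bias for a pre-flight check on a role that another organisation will assume. The same trust-policy check applies unchanged to the second role used for centralized CloudTrail log collection.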

IAM policy and role setup using AWS CloudFormation

Alert Logic recommends you use the Alert Logic CloudFormation template for quick, convenient IAM policy and role creation. The CloudFormation template creates the appropriate IAM role that allows your deployment access to your AWS assets.

Click CLOUDFORMATION SETUP, and then follow the instructions in the Alert Logic console and the AWS console.

IAM policy and role setup using manual IAM setup

Select manual IAM setup if your AWS account permissions allow you to create an IAM policy but do not allow you to run CloudFormation.

Click MANUAL IAM SETUP, and then follow the instructions on the screen.

Enter your Role ARN

In the Alert Logic console, enter the ARN you copied from the AWS console after you created the IAM role.

If you want to configure cross-account access for centralized CloudTrail log collection, click the I want to configure centralized CloudTrail log collection for this deployment slide bar, and enter a second Role ARN you created for this purpose. For more information about centralized log collection, see Should you centralize CloudTrail log collection?.

Asset Discovery

Allow Alert Logic a moment to discover your assets. When discovery is complete, click CONTINUE. Alert Logic displays the assets discovered in your account in topology diagrams. To learn more about topology, click Topology.

Add external assets

You can add external assets by domain name or IP address. Alert Logic will scan these external assets that you define.

External assets are also used for non-PCI external scans.

To add external assets:

  1. Click the External Assets tab, click the add icon, and then choose DNS Name or External IP.
    • If you chose DNS Name, enter your fully qualified domain name in the field.
    • If you chose External IP, name your external IP address, and then enter the IP address in the field.
  2. Click SAVE.

Scope of Protection

Alert Logic discovers and organizes deployments into a visual topology where you can select the desired levels of protection for your assets.

You can define the scope of your protection per region or network. Each network appears within its protected region. Click a region or individual network to set the service level or leave it unprotected, and then click SAVE SCOPE. You must choose one of the following levels of coverage:

  • Unprotected
  • Alert Logic Essentials coverage

The choices available for scope of protection correspond directly with your entitlement. Although a Professional subscription includes all the features of Essentials, a Professional customer cannot set the protection scope to Essentials unless the account has a separate Essentials subscription.

You can change the protection level later as needed.

Agent-Based Scanning

You have the option to enable agent-based scanning. Agent-based scanning improves the efficiency, accuracy, and usability of Alert Logic vulnerability scanning features. Agent-based scanning provides the vulnerability assessment coverage of authenticated network scanning without the need to manage credentials and with a reduction in network traffic and impact. To learn more about agent-based scanning, see Agent-Based Scanning.

Vulnerability Scanning

The next step is to configure vulnerability scans to protect your deployment.

Scan Schedules

When you create a new deployment, Alert Logic automatically creates default scan schedules to perform external and internal vulnerability scans on all non-excluded assets and ports in your AWS security groups. If agent-based scanning is enabled, the default agent-based scan schedule performs scans for vulnerabilities and missing patches on all non-excluded hosts with an Alert Logic agent installed. You can schedule when you want to perform specific scans for all or selected assets and ports from the Agent-Based Scans, Internal Network Scans, and External Network Scans tabs. For more information, see Manage Vulnerability Scan Schedules.

Port selection does not apply to agent-based scan schedules.

To initiate vulnerability scanning, review the schedules, make any changes, and then activate the schedules you want to use. Click NEXT.

Scan Exclusions

You can exclude assets from each type of vulnerability scan. You can exclude ports from internal and external network scans. You can also use AWS tags to exclude assets, including subnets, from internal network scans and agent-based scans.

Agent-based scans

To exclude assets or AWS tags from agent-based scans:

  1. On the Scan Exclusions page, click the Agent-Based Scans tab.
  2. To exclude assets, click ASSETS to search for available assets to exclude, and then click EXCLUDE for the asset you want to exclude.
    You can remove an asset from the exclusion list at any time to include the asset in scanning. To remove an asset from the exclusion list, click CANCEL.
  3. To exclude assets by using AWS tags, click TAGS to search for available tags to exclude, and then click EXCLUDE for the tag you want to exclude.
  4. You can remove a tag from the exclusion list at any time to include the tag in scanning. To remove a tag from the exclusion list, click CANCEL.
  5. After you apply your exclusions, click SAVE EXCLUSIONS.

If you exclude assets or tags that are selected in an active scan schedule in the Scope tab, the items remain selected but are not included in future scans.

Internal network scans

To exclude assets or ports from internal network scans:

  1. On the Scan Exclusions page, click the Internal Network Scans tab.
  2. To exclude assets, click ASSETS to search for available assets to exclude, and then click EXCLUDE for the asset you want to exclude.
    You can remove an asset from the exclusion list at any time to include the asset in scanning. To remove an asset from the exclusion list, click CANCEL.
  3. To exclude ports, click PORTS, and then do the following:
    1. Search for the host, subnet, or network that has the ports you want to exclude from internal scanning.
    2. In the Protocol field, select UDP, TCP, or ICMP, or select * to apply the exclusion to all IP protocols.
    3. Enter one or more ports that you want to exclude. Use a dash or colon to indicate a range (for example, 1-10001). Separate multiple ports or port ranges with a comma (for example, 11234, 11311, 12000-12010).
    4. Click EXCLUDE AND ADD ANOTHER.
  4. You can remove ports from the exclusion list at any time to include the ports in scanning. To remove ports from the exclusion list, click REMOVE.
  5. After you apply your exclusions, click SAVE EXCLUSIONS.

If you exclude assets or ports that are selected in an active scan schedule in the Scope or Ports tab, the items remain selected but are not included in future scans.

External network scans

To exclude assets or ports from external network scans:

  1. On the Scan Exclusions page, click the External Network Scans tab.
  2. To exclude assets, click ASSETS to search for available assets to exclude, and then click EXCLUDE for the asset you want to exclude.
    You can remove an asset from the exclusion list at any time to include the asset in scanning. To remove an asset from the exclusion list, click CANCEL.
  3. To exclude ports, click PORTS, and then do the following:
    1. Search for the host, subnet, or network that has the ports you want to exclude from external scanning.
    2. In the Protocol field, select UDP, TCP, or ICMP, or select * to apply the exclusion to all IP protocols.
    3. Enter one or more ports that you want to exclude. Use a dash or colon to indicate a range (for example, 1-10001). Separate multiple ports or port ranges with a comma (for example, 11234, 11311, 12000-12010).
    4. Click EXCLUDE AND ADD ANOTHER.
  4. You can remove ports from the exclusion list at any time to include the ports in scanning. To remove ports from the exclusion list, click REMOVE.
  5. After you apply your exclusions, click SAVE EXCLUSIONS.

If you exclude assets or ports that are selected in the Scope or Ports tab in an active scan schedule, the assets or ports remain selected but are not included in future scans.
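The ports field in both the internal and external exclusion procedures above accepts the same grammar: single ports, ranges delimited by a dash or a colon, and commas between entries. The following Python module is an added example, not Alert Logic console code, that parses that grammar, keys exclusions by protocol (with * applying to every IP protocol, as step 2 describes), and computes which ports from a schedule's selection will still be scanned. How the console itself rejects malformed input is not documented on this page, so the validation rules (reversed ranges, ports outside 1-65535) are this example's own choice; the sample entries are constructed.

```python
import re

# One port or a range; the page says a dash or a colon delimits a range.
_PORT_ENTRY = re.compile(r"^(\d+)(?:[-:](\d+))?$")


def parse_port_spec(spec):
    """Parse a ports field such as '11234, 11311, 12000-12010' or '1:1024' into a
    set of port numbers. Raises ValueError for anything the grammar does not cover,
    for a reversed range, or for a port outside 1-65535 (validation rules are this
    example's choice, not documented console behaviour)."""
    ports = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue  # tolerate a trailing comma
        match = _PORT_ENTRY.match(token)
        if not match:
            raise ValueError(f"malformed port entry: {token!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if low > high:
            raise ValueError(f"range start exceeds end: {token!r}")
        if low < 1 or high > 65535:
            raise ValueError(f"port outside 1-65535: {token!r}")
        ports.update(range(low, high + 1))
    return ports


def build_exclusions(entries):
    """entries: (protocol, ports) pairs as typed into the Protocol and ports fields.
    Returns {PROTOCOL: set_of_ports}; the '*' protocol applies to every IP protocol."""
    table = {}
    for protocol, spec in entries:
        table.setdefault(protocol.strip().upper(), set()).update(parse_port_spec(spec))
    return table


def is_excluded(table, protocol, port):
    """True if the port is excluded for this protocol, either directly or via '*'."""
    return port in table.get("*", set()) or port in table.get(protocol.strip().upper(), set())


def remaining_scope(table, protocol, scheduled_spec):
    """Ports from a schedule's port selection that will actually be scanned.
    Excluded ports stay selected in the schedule but are skipped, as the note
    above describes, so the schedule itself does not need to be edited."""
    return sorted(p for p in parse_port_spec(scheduled_spec) if not is_excluded(table, protocol, p))


if __name__ == "__main__":
    # Constructed sample entries: SSH and RDP excluded for TCP, SNMP for every protocol.
    exclusions = build_exclusions([("TCP", "22, 3389"), ("*", "161")])
    print(remaining_scope(exclusions, "TCP", "20-25, 161, 3389"))  # → [20, 21, 23, 24, 25]
```

Keeping the exclusion table separate from the schedule mirrors the behaviour the note above describes: an exclusion never edits the schedule's port selection, it only filters what the scan touches, so removing the exclusion later restores the original scope without reconfiguring the schedule.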

Scan Credentials

You can add credentials to your regions or assets to use with internal network scans. You can add multiple credential types, but only one credential of each type. If you provide credentials, Alert Logic performs comprehensive authenticated vulnerability checks for missing patches and misconfigurations using package information and other local sources of data. For hosts on which Alert Logic performs agent-based scanning, you do not need to provide credentials. If you do not provide credentials or enable agent-based scanning, scans on your assets occur using only methods available to unauthenticated users.

To add your credentials:

  1. In the left panel, click Scan Credentials.
  2. In the list of assets, click the asset for which you want to add credentials, and then click the Credentials tab in the panel that opens.

    To filter the list, you can search for characters in your asset names.

  3. Click ADD CREDENTIAL, and then enter the required fields.
  4. Click SAVE.

The credential icon appears in the list next to assets with credentials provided.

To delete a credential, click the asset that has credentials, click the Credentials tab in the panel that opens, and then click the X next to the name.

Scan Performance

For internal and external vulnerability scans, the maximum number of IPs scanned concurrently is ten by default.

You can choose fewer concurrent scans to reduce scan traffic. A lower number results in slower scans and a longer scan duration. For faster scans and a shorter scan duration, choose a higher number of concurrent scans. The number you choose is a maximum limit. The actual number of concurrent scans does not exceed the selected amount and depends on factors such as appliance resource availability and network bandwidth during the scan window.

To adjust scan performance:

  1. In the left panel, click Scan Performance.
  2. In the list of assets, click the region or network for which you want to adjust scan performance, and then click the Scan Settings tab in the panel that opens.
  3. In the Vulnerability area, enter a number from 1 (slower scans) through 20 (faster scans). The default is 10 maximum concurrent IPs scanned.
  4. Click SAVE to save your selections.

Configuration Topology

This topology diagram provides an overview of your scope of protection. You can see which assets are unprotected, or being scanned at the Essentials, Professional, or Enterprise levels.

The protection breakdown displays how many assets are unprotected, excluded, and protected, along with the number of protected assets in each level.

Install agent

If you enabled agent-based scanning, install the agent on each host for which you want Alert Logic to perform agent-based scans.

Click the links below for more information and to download the appropriate agent:

Update the Alert Logic agent firewall rules

Ensure the proper outbound firewall rules are in place for the node where you installed the agent. For information about firewall rules, see Alert Logic firewall rules for the US or UK/EU.

Update the Alert Logic appliance firewall rules

If you used a CloudFormation template or a Terraform template provided by Alert Logic for your appliance installation, you do not need to perform this step.

Ensure the proper inbound and outbound firewall rules are in place for the appliance. For information about firewall rules, see Alert Logic firewall rules for the US or UK/EU.

Verify the health of your deployment

After you create your deployment, access the Health console in the Alert Logic console to determine the health of your networks, appliances, and agents, and then make any necessary changes.