AWS Deployment Configuration

Alert Logic allows you to create AWS deployments in the Alert Logic console. The Deployments page appears under the Configuration tab in the Alert Logic console. To add a deployment, click the add icon, and then enter the requested information to provide Alert Logic with third-party access to the specified cloud environment. For more information about adding deployments for other cloud environments, see Azure Deployment Configuration and Data Center Deployment Configuration.

Name your deployment

In the Deployment Name field, type a descriptive name for the deployment you want to create, and then click SAVE.

Choose a deployment mode

To protect your AWS deployment, you must set up an AWS IAM role and policy to allow Alert Logic access to your AWS account. Alert Logic provides AWS CloudFormation templates to automate creation of the correct policy and role for the deployment mode you choose. The deployment mode you choose determines how Alert Logic deploys your scanning instances. You can also choose to employ manual setup in which you log into the AWS console and create your IAM policy and role.

Choose from automatic, guided, or manual deployment modes. Each deployment mode allows a different level of control over the creation of scanning instances and subnets.

Automatic Mode

Alert Logic recommends the Automatic Mode if you want Alert Logic to deploy and maintain new VPC subnets used for scanning instances.

Manual Mode

Select Manual Mode if you want to use your own policy and role, and manage subnets for scanning instances when you create an AWS deployment.

IAM policy and role setup

Alert Logic recommends you use the provided CloudFormation template for quick, convenient IAM policy and role creation.

Click CLOUDFORMATION SETUP to use the Alert Logic CloudFormation template to create the IAM role needed for deployment creation.

Create a policy and role with Alert Logic CloudFormation template

The CloudFormation template creates the appropriate IAM role that allows your deployment access to your AWS assets. To use the CloudFormation template:

  1. Access the AWS CloudFormation Create Stack page.

    All the information required for the Alert Logic CloudFormation template to create the appropriate IAM policy and role for this deployment type is prepopulated.

    CAUTION: Do not change any preselected items on the AWS CloudFormation Create Stack page, or this procedure will not complete successfully.

  2. Select I acknowledge that AWS CloudFormation might create IAM resources.
  3. From the AWS CloudFormation Create Stack page, click Create.
  4. When the Status is CREATE_COMPLETE, click Outputs.
  5. Copy the Role ARN Value, which you will need to create your deployment.
  6. In the Alert Logic console, click CONTINUE.


Enter your Role ARN

The role you created with the CloudFormation template grants only the minimum permissions required for Alert Logic to monitor your AWS environment. To maximize permissions:

  1. Enter the ARN you copied from the AWS Create Stack page.
  2. Click the I want to configure centralized CloudTrail log collection for this deployment slide bar, and then click CONTINUE.

Asset Discovery

Please wait while Alert Logic discovers your assets. When discovery is complete, click CONTINUE. Alert Logic displays the assets discovered in your account in topology diagrams. To learn more about topology, click Topology.

Add external assets

If not all of your assets were discovered, you can add external assets by domain name or IP address. To add external assets:

  1. Click the add icon and choose DNS name or IP address.
    • If you chose DNS name, enter the domain name in the field.
    • If you chose IP address, name the external IP address, and then enter the IP address in the field.
  2. Click SAVE.

Scope of protection

You can define the scope of your protection on a per-VPC basis. Each VPC appears within its protected region. Click a region or an individual VPC to set the scan level or leave it unprotected, and then click SAVE.

Exclusions

You also have the option to exclude assets or AWS tags from external scanning, internal scanning, and Network IDS.

External scanning

To exclude assets from external scanning:

  1. Select the External Scanning tab to view assets available to exclude.
  2. Click EXCLUDE for the asset you want to exclude.
    You can remove an asset from the exclusion list at any time to include the asset in scanning. To remove an asset from the exclusion list, click CANCEL.
  3. After you apply all the necessary exclusions, click out of Exclusions, and then on the Scope of Protection page, click SAVE.

Internal scanning

To exclude assets or AWS tags from internal scanning:

  1. Select the Internal Scanning tab, and then click ASSETS or TAGS to search for assets or tags available to exclude.
  2. Click EXCLUDE for the asset or tag you want to exclude.
    You can remove an asset from the exclusion list at any time to include the asset in scanning. To remove an asset from the exclusion list, click CANCEL.
  3. After you apply all the necessary exclusions, click out of Exclusions, and then on the Scope of Protection page, click SAVE.

Network IDS

To exclude assets from Network IDS:

  1. Select the Network IDS tab to exclude CIDRs.
  2. In the Protocol(s) field, click the drop-down menu to select a protocol. Select TCP, UDP, or ICMP, or select * to select all IP protocols.
  3. Enter the network address of the CIDR block you want to exclude. You must enter the range of addresses in CIDR format.

    Enter 10.0.0.0/24 to exclude IP addresses in the range 10.0.0.0-10.0.0.255.

  4. Click the drop-down menu to select the port. You can enter a single port, a port range, or * to select all ports.

    Enter 443 for a single port. Enter 1:1024 for a port range.

  5. Click EXCLUDE AND ADD ANOTHER. Repeat the steps to add more CIDRs.
    You can remove an asset from the exclusion list at any time to include the asset in scanning. To remove an asset from the exclusion list, click CANCEL.
  6. After you apply all the necessary exclusions, click out of Exclusions, and then on the Scope of Protection page, click SAVE.
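As an added example (not Alert Logic code or part of its documentation), the following Python validator accepts the protocol, CIDR and port forms described in the steps above, rejects malformed entries such as a CIDR without a prefix length or a host address in place of the network address, and checks whether a given flow would fall under a configured exclusion. The rule values are constructed for illustration.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

PROTOCOLS = {"tcp", "udp", "icmp", "*"}  # choices on the Network IDS tab; '*' = all IP protocols

@dataclass(frozen=True)
class Exclusion:
    protocol: str
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    ports: tuple[int, int] | None  # None means '*' (all ports)

def parse_ports(spec: str) -> tuple[int, int] | None:
    """Accept a single port ('443'), a range ('1:1024') or '*'."""
    spec = spec.strip()
    if spec == "*":
        return None
    lo, sep, hi = spec.partition(":")
    low, high = int(lo), (int(hi) if sep else int(lo))
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"invalid port specification: {spec!r}")
    return (low, high)

def parse_exclusion(protocol: str, cidr: str, ports: str) -> Exclusion:
    """Validate one exclusion entry as the form expects it (raises ValueError otherwise)."""
    proto = protocol.strip().lower()
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {protocol!r}")
    if "/" not in cidr:  # catches entries like '10.0.0.0.24' that lack a prefix length
        raise ValueError(f"CIDR must include a prefix length, e.g. 10.0.0.0/24: {cidr!r}")
    # strict=True rejects '10.0.0.1/24': the entry must be the network address itself
    return Exclusion(proto, ipaddress.ip_network(cidr.strip(), strict=True), parse_ports(ports))

def exclusion_error(protocol: str, cidr: str, ports: str) -> str | None:
    """None for a well-formed entry, otherwise the reason the entry is rejected."""
    try:
        parse_exclusion(protocol, cidr, ports)
    except ValueError as exc:
        return str(exc)
    return None

def is_excluded(rules: list[Exclusion], protocol: str, ip: str, port: int | None = None) -> bool:
    """True if traffic (protocol, address, port) falls under any exclusion rule."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if rule.protocol not in ("*", protocol.lower()) or addr not in rule.network:
            continue
        if rule.ports is not None and (port is None or not rule.ports[0] <= port <= rule.ports[1]):
            continue
        return True
    return False
```

Run exclusion_error over a proposed list before entering it in the console; an excluded CIDR is invisible to Network IDS, so an overly broad block (for example a /8 with protocol * and port *) deserves a second look.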

Scheduling

Alert Logic automatically performs certain scans. You can schedule how often and when you want Alert Logic to scan for vulnerabilities from the Internal Scans and External Scans tabs.

Internal scans and External scans

To schedule how often you want Alert Logic to scan for vulnerabilities, choose one of the following options:

  • Scan as often as necessary—Select this option if you want Alert Logic to scan known assets for vulnerabilities once a day, or twice a day, if significant changes are detected to an asset.
  • Scan once a day
  • Scan once a week
  • Scan once a month

To schedule when you want Alert Logic to scan for vulnerabilities, choose one of the following options:

  • Scan whenever necessary—Select this option if you do not want to limit Alert Logic scans to particular days or times.
  • Scan only during certain hours on certain days
  • Scan only on a certain day

Click SAVE, and then click NEXT.

Configuration Topology

This topology diagram provides an overview of your scope of protection. You can see which assets are unprotected, or being scanned at the Essentials, Professional, or Enterprise levels. Click a VPC in the diagram to view its subnets, instances, and hosts.

The protection breakdown displays how many assets are unprotected, excluded, and protected, along with the number of protected assets in each level.

You can search for specific assets. The protection breakdown updates as it finds specific assets.

Install agent

Alert Logic provides a single agent that collects data used for analysis, such as log messages, network traffic, metadata, and host identification information. For more information about installing the agent, see Install the Alert Logic agent for Linux or Install the Alert Logic agent for Windows.

Log sources

You can set up log collection. To add log sources for data you want to collect, see Log Sources.