Environments
The Environments page shows your CloudGuard-managed cloud accounts and Kubernetes clusters (Kubernetes, often abbreviated as “K8s”, orchestrates containerized applications to run on a cluster of hosts).
If CloudGuard fully manages your environments, you can set the protection of your Security Groups from here.
In the Environments section, you can see all of your environments, on all platforms, in a single pane of glass. For managed accounts, you can configure and apply changes centrally to all these environments in one area.
Use Cases
Here are some typical use cases to illustrate the control of Environments from one central location.
- Search for environments - To quickly search for specific environments across all your cloud presence, see Filter and Search.
- Review security posture - To assess your security posture effectively and review the protection state of all your security groups in one view, see Security Groups.
- Apply equal changes - To expand your cloud presence, you can change the security policies for all regions from one portal. See Cloud Security Posture Management (CSPM).
- Respond to environment permissions behavior - To receive a notification about changes to one of your environments and then take corrective steps, see Notifications.
Actions
The primary page shows a list of all your environments, on all cloud providers.
To filter the list of environments, use the Filter and Search bar at the top of the page. As filter criteria, use Platform, IAM Safety status (IAM, Identity and Access Management, is a web service that customers can use to manage users and user permissions within their organizations), Intelligence status, the number of assets, or other available parameters.
See Filter and Search.
In the Environments page, add (onboard) environments to CloudGuard, for cloud platforms. This adds the accounts to the CloudGuard Console. You do not create accounts on the cloud provider here (as an alternative, use the cloud provider site). When you add an environment to CloudGuard, you can select to manage it from CloudGuard (Full Protection) or monitor it (Read-Only).
- Navigate to Assets > Environments. This shows a list of the environments added to CloudGuard.
  Note - For first-time onboarding, select a cloud platform from the Environments primary page and follow the onboarding steps. For more information, see Onboarding Cloud Environments.
- Click Add and select the cloud platform.
- Follow the instructions to onboard an environment to CloudGuard for the selected cloud platform. For more details, see Onboarding Cloud Environments.
You can view details for an environment.
From the primary page, click an environment link to show more details. The details are organized by region (based on the cloud provider regions).
They show general information for the account, with the environment number, the date of adding to CloudGuard, the number of instances, and security groups. The information varies depending on the cloud platform.
The AWP tab shows AWP details if the environment is onboarded to AWP. For more information, see Viewing AWP Details.
If the environment policies lack permissions that CloudGuard needs to see or manage your environment, a warning message appears, for example: Missing 10 permissions for CloudGuard-Connect.
These permissions relate to the CloudGuard-Connect policy (an AWS policy that enables CloudGuard to connect to and manage your AWS accounts).
- Click Show more to see the missing permissions. The list shows the cloud resources that are missing each permission (CustomDomainName, for example), the permission type (tags), and the action for the resource that you must add (ListTags). In addition, it shows the number of resources missing this permission (# Affected Entities). Click Show Entities in the last column to see the specific resources.
- Click Validate Permissions to add the missing permissions to your account.
- To verify that the policies are updated for your AWS accounts, see Updating AWS Permissions.
Note - CloudGuard cannot fetch updated data for entities that have missing permissions.
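The warning above is the result of comparing what the connector's policy grants against what it needs. The following is an added example, not CloudGuard code and not the CloudGuard-Connect policy itself: it shows how such a gap check works on an IAM policy document. The required-action list is a constructed placeholder (the real CloudGuard-Connect permission set is not given here), and the check deliberately evaluates only Effect and Action/NotAction patterns, ignoring Resource and Condition elements.

```python
"""Compare an IAM policy document against a list of required actions.

Added example (not CloudGuard code). REQUIRED_ACTIONS is a constructed
placeholder; the real CloudGuard-Connect permission set is not known here.
The check is an approximation: it evaluates Action/NotAction patterns and
Effect only, and ignores Resource and Condition elements.
"""
import fnmatch
import json


def _as_list(value):
    """IAM allows a string or a list in Action, NotAction, Resource, Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_covers(statement, action):
    """True if the statement's Action or NotAction clause applies to `action`."""
    if "Action" in statement:
        return any(_action_matches(p, action) for p in _as_list(statement["Action"]))
    if "NotAction" in statement:
        return not any(_action_matches(p, action) for p in _as_list(statement["NotAction"]))
    return False


def missing_actions(policy, required):
    """Return the required actions the policy does not grant.

    An action is granted only if some Allow statement covers it and no Deny
    statement covers it (an explicit Deny wins, as in IAM evaluation).
    """
    statements = _as_list(policy.get("Statement"))
    missing = []
    for action in required:
        allowed = any(s.get("Effect") == "Allow" and statement_covers(s, action) for s in statements)
        denied = any(s.get("Effect") == "Deny" and statement_covers(s, action) for s in statements)
        if denied or not allowed:
            missing.append(action)
    return missing


# Constructed sample policy; the Deny on iam:ListUsers is there to show that
# an explicit Deny also surfaces as a missing permission.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "iam:List*", "s3:ListAllMyBuckets"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:ListUsers", "Resource": "*"}
  ]
}
""")

# Constructed placeholder for the actions a connector needs (real AWS action
# names used as stand-ins; not the actual CloudGuard-Connect list).
REQUIRED_ACTIONS = [
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeInstances",
    "iam:ListRoles",
    "iam:ListUsers",
    "cloudtrail:ListTags",
    "s3:ListAllMyBuckets",
]

if __name__ == "__main__":
    gaps = missing_actions(SAMPLE_POLICY, REQUIRED_ACTIONS)
    print(f"Missing {len(gaps)} permissions: {', '.join(gaps)}")
```

Running it on the sample reports two gaps: `cloudtrail:ListTags` is never allowed, and `iam:ListUsers` is allowed by the `iam:List*` wildcard but explicitly denied, so it is still missing. A real validation would also have to take Resource and Condition into account, which is why the console's Validate Permissions step, not this script, is the authoritative check.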
You can change the name of an environment. This changes the name as it appears in the CloudGuard portal, but not on the cloud provider.
- Open the environment.
- Select Rename from the top right menu.
- Make your changes.
- Click Save to save the changes (or Close to cancel them).
You can change the AWS IAM Role for an environment. The role must exist in your AWS account.
- Click an account in the list of accounts on the primary Environments page.
- Select Edit Credentials from the top right menu.
- In the AWS console, open your AWS account and navigate to the IAM page. Select Roles and copy the ARN for the role to be applied to the account in CloudGuard (Amazon Resource Names, ARNs, uniquely identify AWS resources; they are required to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls). See AWS IAM Roles.
- Enter (or paste) the ARN value in the Role ARN field.
- Click Confirm.
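Because the value pasted into the Role ARN field replaces the credentials CloudGuard uses for the whole account, it is worth checking the ARN before confirming. The following is an added example, not CloudGuard code: a local pre-check that the string is an IAM role ARN (not a user or instance-profile ARN) and belongs to the expected account. It does not call AWS, so it cannot confirm that the role exists; the role name and account id are constructed sample values.

```python
"""Validate an IAM role ARN before entering it in the Role ARN field.

Added example (not CloudGuard code). Catches common paste mistakes: a user
or instance-profile ARN, a role in another account, a truncated ARN. It does
not call AWS, so it cannot confirm that the role exists. Sample values are
constructed; 123456789012 is the account id AWS uses in its documentation.
"""
import re

# IAM role ARN: empty region component, 12-digit account, optional path.
# Name characters follow the IAM role-name rules.
_ROLE_ARN = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):iam::(?P<account>\d{12}):"
    r"role/(?P<path>(?:[\w+=,.@-]+/)*)(?P<name>[\w+=,.@-]+)$",
    re.ASCII,
)


def parse_role_arn(arn, expected_account=None):
    """Split a role ARN into partition, account, path and name.

    Raises ValueError if the string is not an IAM role ARN or, when
    expected_account is given, if the role belongs to a different account.
    """
    match = _ROLE_ARN.match(arn.strip())
    if not match:
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    parts = match.groupdict()
    if expected_account is not None and parts["account"] != expected_account:
        raise ValueError(
            f"role is in account {parts['account']}, expected {expected_account}"
        )
    return parts


def is_valid_role_arn(arn, expected_account=None):
    """Boolean form of parse_role_arn for callers that only need a yes/no."""
    try:
        parse_role_arn(arn, expected_account)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed candidates: two valid role ARNs, a user ARN, an
    # instance-profile ARN, and a role in a different account.
    for candidate in [
        "arn:aws:iam::123456789012:role/ExampleCloudGuardRole",
        "arn:aws:iam::123456789012:role/service/ExampleCloudGuardRole",
        "arn:aws:iam::123456789012:user/alice",
        "arn:aws:iam::123456789012:instance-profile/ExampleProfile",
        "arn:aws:iam::999999999999:role/ExampleCloudGuardRole",
    ]:
        ok = is_valid_role_arn(candidate, expected_account="123456789012")
        print(f"{candidate} -> {'ok' if ok else 'rejected'}")
```

Only the first two candidates pass when the expected account is `123456789012`; the account check is the one that matters most in practice, since a syntactically valid role in the wrong account is exactly the kind of mistake that silently breaks monitoring of the environment.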
Click Remove to delete the selected environment from CloudGuard. This does not delete the environment or its resources on the cloud provider.
You can select the Protection Mode that CloudGuard applies to new security groups detected in AWS environments. CloudGuard defines and applies Security Groups in AWS for each region separately.
You can select from these options:
- Read-Only - CloudGuard includes new Security Groups in Read-Only mode, without changes to the rules.
- Full Protection - CloudGuard includes new Security Groups in Full Protection mode, without changes to the rules.
- Region Lock - CloudGuard includes new Security Groups in Full Protection mode and clears all inbound and outbound rules.
You can set or change the Protection Mode for existing Security Groups, in all regions, for all of your AWS accounts.
To set or modify the Protection Mode:
- Navigate to Assets > Environments and select an environment from the list. The Network tab shows the regions for the environment and the number of Security Groups defined for each region.
- Click one of the regions. This shows a list of the Security Groups defined for the region.
- Select the Protection mode to apply by default to new Security Groups in the region.
- Select the Protection mode for each of the existing Security Groups in the region. Click select entire region to apply the mode to all Security Groups in the region.
  Note - The account must have a CloudGuard-write-policy to apply Full Protection to a Security Group (a set of access control rules that acts as a virtual firewall for your virtual machine instances to control incoming and outgoing traffic). See Setting an AWS Security Group to Full Protection.
- Click Save.
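Of the three modes, only Region Lock changes the rules themselves, and it removes all of them, so it pays to know what a region holds before selecting it. The following is an added example, not CloudGuard code: it models the three modes over security-group records in the shape returned by the EC2 DescribeSecurityGroups API, reports how many rules each mode would clear per group, and flags ingress rules open to the whole internet, which is the posture question usually asked before choosing a mode. The security groups and their ids are constructed.

```python
"""Preview what a Security Group Protection Mode would do to a region.

Added example (not CloudGuard code). Read-Only and Full Protection leave the
existing rules unchanged; Region Lock clears all inbound and outbound rules.
Input records follow the EC2 DescribeSecurityGroups shape. Sample groups
and ids are constructed.
"""

MODES = ("Read-Only", "Full Protection", "Region Lock")


def _port_label(perm):
    """Render an IpPermission as proto/port, e.g. tcp/22, tcp/1000-2000, all."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def open_to_world(perm):
    """True if any IPv4 or IPv6 range in the rule is the entire internet."""
    v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def preview_protection_mode(groups, mode):
    """Per security group: rules the mode would clear or keep, and which
    ingress rules are currently world-open (reported for every mode)."""
    if mode not in MODES:
        raise ValueError(f"unknown protection mode: {mode!r}")
    report = {}
    for sg in groups:
        ingress = sg.get("IpPermissions", [])
        egress = sg.get("IpPermissionsEgress", [])
        total = len(ingress) + len(egress)
        cleared = total if mode == "Region Lock" else 0
        report[sg["GroupId"]] = {
            "name": sg.get("GroupName"),
            "rules_cleared": cleared,
            "rules_kept": total - cleared,
            "world_open_ingress": sorted(_port_label(p) for p in ingress if open_to_world(p)),
        }
    return report


# Constructed sample in DescribeSecurityGroups shape (ids are placeholders).
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0aaa0000example1",
        "GroupName": "bastion",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0bbb0000example2",
        "GroupName": "internal-db",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
        "IpPermissionsEgress": [],
    },
]

if __name__ == "__main__":
    for mode in MODES:
        print(mode)
        for sg_id, info in preview_protection_mode(SAMPLE_GROUPS, mode).items():
            print(f"  {sg_id} ({info['name']}): clears {info['rules_cleared']}, "
                  f"keeps {info['rules_kept']}, world-open ingress: {info['world_open_ingress']}")
```

On the sample, Region Lock would clear all three rules of the bastion group and the single rule of the database group, while the other two modes clear nothing; the bastion group's `tcp/22` rule from `0.0.0.0/0` is flagged under every mode, since protection mode governs who may change the rules, not whether the current rules are sound.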
An organization with a large cloud environment may come close to the cloud platform's maximum number of roles. The Identical Entity Roles feature identifies roles in your cloud environment with duplicate permissions. This feature is supported for AWS and Azure.
Use Case
Use the Identical Identities window to identify roles in your cloud environment that have duplicate permissions. Use this information to combine roles in your cloud environment safely and efficiently.
- Click an account in the list of accounts on the main Environments page.
- In the upper right, above the table, click the three dots menu and select Show Identical Identities.
  The Identical Identities window opens. Each Identities Group is a group of identities that have the same permissions.
- Expand an Identities Group to see the identities in the group.
- In the Permissions column, to the right of the Identities Group, click the button to see the permissions shared by all members of the group.
- In your AWS or Azure environment, combine identities that have the same permissions.
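Grouping identities by identical permissions comes down to normalizing each identity's policy documents and comparing the result. The following is an added example, not CloudGuard code and not the algorithm CloudGuard uses: it fingerprints a constructed set of identities by their normalized policies and groups the ones that match, the way the Identities Groups in the window above are organized. The comparison is syntactic after normalization (statement order, action order and action case are ignored), so two policies that are equivalent but written differently, such as `ec2:*` versus a full list of ec2 actions, are not treated as identical; an entry in the same group is therefore safe to combine, while the absence of a match is not proof of a real difference.

```python
"""Find identities whose attached policies grant identical permissions.

Added example (not CloudGuard code). Each identity gets a fingerprint of
its normalized policy documents; identities that share a fingerprint form
a group. Normalization is syntactic: statement order, action order and
action case are ignored, but semantically equivalent policies written
differently are not detected. Sample identities are constructed.
"""
import hashlib
import json
from collections import defaultdict


def _as_list(value):
    """IAM allows a string or a list in Action, NotAction, Resource, Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def normalize_policy(policy):
    """Canonical, order-independent form of one policy document."""
    canon = []
    for s in _as_list(policy.get("Statement")):
        canon.append({
            "Effect": s.get("Effect"),
            "Action": sorted(a.lower() for a in _as_list(s.get("Action"))),
            "NotAction": sorted(a.lower() for a in _as_list(s.get("NotAction"))),
            "Resource": sorted(_as_list(s.get("Resource"))),
            "Condition": s.get("Condition"),
        })
    return sorted(canon, key=lambda s: json.dumps(s, sort_keys=True))


def permission_fingerprint(policies):
    """One SHA-256 over all of an identity's policies, independent of their order."""
    canon = sorted(json.dumps(normalize_policy(p), sort_keys=True) for p in policies)
    return hashlib.sha256("\n".join(canon).encode()).hexdigest()


def identical_identity_groups(identities):
    """Group identity names by fingerprint; return only groups with 2+ members."""
    by_fp = defaultdict(list)
    for name, policies in identities.items():
        by_fp[permission_fingerprint(policies)].append(name)
    return sorted(sorted(names) for names in by_fp.values() if len(names) > 1)


def shared_permissions(identities, group):
    """Normalized statements shared by a group (identical for every member)."""
    return [normalize_policy(p) for p in identities[group[0]]]


# Constructed sample: two read-only roles written differently but identical
# after normalization, one deliberately narrower role, and an admin role.
SAMPLE_IDENTITIES = {
    "ReadOnlyRoleA": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:ListAllMyBuckets"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "*"},
    ]}],
    "ReadOnlyRoleB": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": ["S3:GetObject"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "EC2:Describe*"], "Resource": "*"},
    ]}],
    "AuditRole": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ]}],
    "AdminRole": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ]}],
}

if __name__ == "__main__":
    for group in identical_identity_groups(SAMPLE_IDENTITIES):
        print("Identities Group:", ", ".join(group))
        print(json.dumps(shared_permissions(SAMPLE_IDENTITIES, group), indent=2))
```

On the sample, `ReadOnlyRoleA` and `ReadOnlyRoleB` land in one Identities Group despite the differences in statement order, action order and case, while `AuditRole` (missing the S3 statements) and `AdminRole` stay on their own.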