vSEC Controller for Amazon Web Services

vSEC Controller integrates the Amazon Web Services (AWS) cloud with Check Point security. The Check Point Data Center Server connects to the AWS cloud and retrieves object data. vSEC Controller updates IP addresses and other object properties in the Data Center Objects group.

Configuring Permissions for Amazon Web Services

AWS Authentication

User Authentication - Uses Access Key ID and Secret Access Key credentials.

Role Authentication - Uses the AWS IAM role. You can use this option only when Security Management is deployed in AWS.

Minimal permissions from the User or Role

Effect: Allow
Actions:
- ec2:DescribeInstances
- ec2:DescribeNetworkInterfaces
- ec2:DescribeSubnets
- ec2:DescribeVpcs
- ec2:DescribeSecurityGroups
Resource: All ("*")

For more information about Roles and the IAM policy, see Amazon Web Services documentation.

Connecting to the Amazon Web Services Data Center Server

To connect to an AWS Data Center server:

In SmartConsole, click Objects menu > More object types > Server > Data Center > New AWS.
Select the authentication method, User Authentication or Role Authentication.
If you choose User Authentication, enter your Access Key ID and Secret Access Key.
Select the AWS region, to which you want to connect.
Click OK.

Amazon Web Services Objects

VPC - Amazon Virtual Private Cloud enables you to launch resources into your Virtual Network.
Availability Zone - A separate geographic area of a region. There are multiple locations with regions and availability zones worldwide.
Subnet - All the IP addresses from the Network Interfaces related to this subnet.
Instance - Virtual computing environments.
Tags - Groups all the instances that have the same Tag Key and Tag Value.
Security Group - Groups all the IP addresses from all the Instances associated with this Security Group.

Use one of these options to import AWS objects to your policy:

Regions - Import AWS VPCs, subnets or instances from a certain region to your security policy.
Security Groups - Import all IP addresses that belong to a specific security group. The Security Group is used only as a container for the list of all IP addresses of Instances that are attached to this group.
Tags - Import all instances that have a specific Tag Key or Tag Value.

Notes:

Tags with Key and no Value are in vSEC Controller as: "Tag key="
Leading and trailing spaces in Tag Keys and Values will be truncated.
All changes in AWS are updated automatically with the Check Point Security Policy. Users with permissions to change resource tags in AWS may be able to change their access permissions.

Object Names

Object names are the same as those in the AWS console. VPC, subnet, instance, and Security Group are named as follows:

Tag Name exists: "Object ID (value of the Tag Name)"

Tag Name does not exist or is empty: "ObjectID"

Imported Properties	Description
Name	Resource name as shown in the AWS console. User can edit the name after importing the object.
Name in Server	Resource name as shown in the AWS console.
Type in Server	Resource type.
IP	Associated private and public IP addresses.
Note	CIDR for subnets and VPC objects.
URI	Object path.
Tags	Tags (Keys and Values) that are attached to the object.

Auto Scaling in Amazon Web Services

The AWS Auto Scaling service with the Check Point Auto Scaling group can increase or decrease the number of vSEC Gateways according to the current load.

vSEC Controller for AWS works with the Check Point Auto Scaling Group. The Check Point Security Management Server updates Data Center objects automatically on the Check Point Auto Scaling group.

Enable the Identity Awareness Blade as explained in Auto Scaling in AWS (Amazon Web Services), sk112575, Section 5-E - Enabling additional Software Blades.