
CloudGuard Controller for Amazon Web Services

The CloudGuard Controller integrates the Amazon Web Services (AWS) cloud with Check Point security.

The Check Point Data Center Server connects to the AWS cloud and retrieves object data.

The CloudGuard Controller updates IP addresses and other object properties in the Data Center Objects group.

Connecting to an Amazon Web Services Data Center Server

1. In SmartConsole, create a new Data Center object in one of these ways:

  • In the top left corner, click Objects menu > More object types > Server > Data Center > New AWS.
  • In the top right corner, click Objects Pane > New > More > Server > Data Center > AWS.

2. In the Enter Object Name field, enter the desired name.

3. Select the applicable authentication method:

  • User Authentication
  • Role Authentication

4. If you choose User Authentication, enter your Access key ID and Secret access key.

5. In the Region field, select the AWS region to which you want to connect.

6. Click Test Connection.

7. Click OK.

8. Publish the session.

Amazon Web Services Objects

VPC: Amazon Virtual Private Cloud enables you to launch resources into your Virtual Network.

Availability Zone: A separate geographic area of a region. There are multiple locations with regions and availability zones worldwide.

Subnet: All the IP addresses from the Network Interfaces related to this subnet.

Instance: Virtual computing environments.

Tags: Groups all the instances that have the same Tag Key and Tag Value.

Security Group: Groups all the IP addresses from all the Instances associated with this Security Group.

Importing AWS objects

Use one of these options to import AWS objects into your policy:

Regions: Import AWS VPCs, subnets, or instances from a certain region into your security policy.

Security Groups: Import all IP addresses that belong to a specific security group. The Security Group is used only as a container for the list of all IP addresses of the Instances that are attached to this group.

Tags: Import all instances that have a specific Tag Key or Tag Value.

Notes:

Object Names

Object names are the same as those in the AWS console.

VPC, Subnet, Instance, and Security Group objects are named as follows:

  • Tag Name exists: "<Object ID> (<Value of the Tag Name>)"
  • Tag Name does not exist: "<Object ID>"
  • Tag Name is empty: "<Object ID>"

Imported Properties

Name: Resource name as shown in the AWS console. You can edit the name after importing the object.

Name in Server: Resource name as shown in the AWS console.

Type in Server: Resource type.

IP: Associated private and public IP addresses.

Note: CIDR for subnets and VPC objects.

URI: Object path.

Tags: Tags (Keys and Values) that are attached to the object.
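The following is an added example, not Check Point's or AWS's code, that shows how the AWS objects described above resolve to object names (the Tag Name rule) and to the private and public IP address sets that a Subnet, Security Group or Tags object carries. The input is constructed sample data shaped like the fields the Controller reads from the EC2 DescribeNetworkInterfaces and DescribeInstances responses; every ID and address is a placeholder, and the helper names are this example's own.

```python
from typing import Dict, List, Set

# Constructed sample data (placeholder IDs; addresses from documentation ranges),
# shaped like the fields needed from DescribeNetworkInterfaces and DescribeInstances.
NETWORK_INTERFACES: List[Dict] = [
    {"NetworkInterfaceId": "eni-0aaa1", "SubnetId": "subnet-0a1", "VpcId": "vpc-0a",
     "Groups": [{"GroupId": "sg-0web"}],
     "Attachment": {"InstanceId": "i-0web1"},
     "PrivateIpAddresses": [
         {"PrivateIpAddress": "10.0.1.10", "Association": {"PublicIp": "203.0.113.10"}},
         {"PrivateIpAddress": "10.0.1.11"},  # secondary private IP, no public mapping
     ]},
    {"NetworkInterfaceId": "eni-0aaa2", "SubnetId": "subnet-0a1", "VpcId": "vpc-0a",
     "Groups": [{"GroupId": "sg-0web"}, {"GroupId": "sg-0mgmt"}],
     "Attachment": {"InstanceId": "i-0web2"},
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.20"}]},
    {"NetworkInterfaceId": "eni-0bbb1", "SubnetId": "subnet-0b1", "VpcId": "vpc-0a",
     "Groups": [{"GroupId": "sg-0db"}],
     "Attachment": {"InstanceId": "i-0db1"},
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.2.10"}]},
]

INSTANCES: List[Dict] = [
    {"InstanceId": "i-0web1",
     "Tags": [{"Key": "Name", "Value": "web-1"}, {"Key": "Tier", "Value": "web"}]},
    {"InstanceId": "i-0web2",
     "Tags": [{"Key": "Name", "Value": ""}, {"Key": "Tier", "Value": "web"}]},  # empty Name tag
    {"InstanceId": "i-0db1", "Tags": [{"Key": "Tier", "Value": "db"}]},  # no Name tag
]


def object_name(object_id: str, tags: List[Dict]) -> str:
    """Naming rule from the Object Names note: '<ID> (<Name tag value>)' when a
    non-empty Name tag exists, otherwise just '<ID>' (missing and empty behave alike)."""
    name = next((t.get("Value", "") for t in tags if t.get("Key") == "Name"), "")
    return f"{object_id} ({name})" if name else object_id


def interface_ips(eni: Dict) -> Set[str]:
    """All private addresses on one interface, plus the public address mapped to each."""
    ips: Set[str] = set()
    for entry in eni.get("PrivateIpAddresses", []):
        ips.add(entry["PrivateIpAddress"])
        public = entry.get("Association", {}).get("PublicIp")
        if public:
            ips.add(public)
    return ips


def subnet_ips(subnet_id: str, enis: List[Dict] = NETWORK_INTERFACES) -> Set[str]:
    """Subnet object: every IP on every network interface in the subnet."""
    return set().union(*(interface_ips(e) for e in enis if e.get("SubnetId") == subnet_id))


def security_group_ips(group_id: str, enis: List[Dict] = NETWORK_INTERFACES) -> Set[str]:
    """Security Group object: every IP of every interface that carries the group."""
    return set().union(*(interface_ips(e) for e in enis
                         if any(g.get("GroupId") == group_id for g in e.get("Groups", []))))


def tag_instance_ips(key: str, value: str, instances: List[Dict] = INSTANCES,
                     enis: List[Dict] = NETWORK_INTERFACES) -> Set[str]:
    """Tags object: IPs of all instances carrying the same Tag Key and Tag Value."""
    matching = {i["InstanceId"] for i in instances
                if any(t.get("Key") == key and t.get("Value") == value
                       for t in i.get("Tags", []))}
    return set().union(*(interface_ips(e) for e in enis
                         if e.get("Attachment", {}).get("InstanceId") in matching))


if __name__ == "__main__":
    for inst in INSTANCES:
        print(object_name(inst["InstanceId"], inst["Tags"]))
    print("subnet-0a1 ->", sorted(subnet_ips("subnet-0a1")))
    print("sg-0web    ->", sorted(security_group_ips("sg-0web")))
    print("Tier=db    ->", sorted(tag_instance_ips("Tier", "db")))
```

The returned sets are what a rule that references the Data Center object effectively matches, and the Controller refreshes them from the API as instances, interfaces, tags and group attachments change. Membership of such a rule is therefore governed by whoever can tag an instance or attach a security group in that AWS account, which is worth keeping in mind when deciding who holds those EC2 write permissions.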

Configuring Permissions for Amazon Web Services

AWS Authentication

User Authentication: Uses Access Key ID and Secret Access Key credentials.

Role Authentication: Uses the AWS IAM role. You can use this option only when the Security Management Server is deployed in AWS.

Minimal permissions for the User or Role

Effect: Allow

Actions:

  • ec2:DescribeInstances
  • ec2:DescribeNetworkInterfaces
  • ec2:DescribeSubnets
  • ec2:DescribeVpcs
  • ec2:DescribeSecurityGroups

Resource: All ("*")

For more information about Roles and the IAM policy, see the Amazon Web Services documentation.
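As an added example, not Check Point's or AWS's code, the minimal permissions above written out as an IAM policy document, together with a small checker that tells you whether a candidate policy grants each of the five describe calls the Controller needs and whether it also grants anything beyond them. The probe list and the over-broad comparison policy are constructed for the example; the matcher handles IAM's `*` and `?` wildcards and case-insensitive action names but deliberately ignores Resource and Condition elements.

```python
import fnmatch
import json
from typing import Dict, List, Sequence

# The minimal policy from the table above, as an IAM policy document.
MINIMAL_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeInstances",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DescribeSubnets",
            "ec2:DescribeVpcs",
            "ec2:DescribeSecurityGroups",
        ],
        "Resource": "*",
    }],
}

REQUIRED_ACTIONS: Sequence[str] = tuple(MINIMAL_POLICY["Statement"][0]["Action"])

# Constructed probes: mutating or unrelated calls the Controller has no need for.
PROBE_ACTIONS: Sequence[str] = (
    "ec2:TerminateInstances",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:DescribeAddresses",
    "iam:PassRole",
)

# Constructed over-broad alternative, for comparison.
BROAD_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}


def _as_list(value) -> List:
    """IAM allows a single string or a list in Statement and Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_allowed(policy: Dict, action: str) -> bool:
    """True if an Allow statement matches the action and no Deny statement does.
    Action patterns use IAM wildcards (* and ?) and are matched case-insensitively."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        patterns = _as_list(stmt.get("Action"))
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        if stmt.get("Effect") == "Deny":
            denied = True
        elif stmt.get("Effect") == "Allow":
            allowed = True
    return allowed and not denied


def missing_actions(policy: Dict, required: Sequence[str] = REQUIRED_ACTIONS) -> List[str]:
    """Required describe calls the policy does not grant (Test Connection would fail on these)."""
    return [a for a in required if not action_allowed(policy, a)]


def excess_actions(policy: Dict, probes: Sequence[str],
                   required: Sequence[str] = REQUIRED_ACTIONS) -> List[str]:
    """Probe actions outside the required set that the policy nevertheless grants."""
    return [a for a in probes if a not in required and action_allowed(policy, a)]


if __name__ == "__main__":
    print(json.dumps(MINIMAL_POLICY, indent=2))  # ready to attach to the user or role
    for label, pol in (("minimal", MINIMAL_POLICY), ("ec2:*", BROAD_POLICY)):
        print(label, "missing:", missing_actions(pol),
              "excess:", excess_actions(pol, PROBE_ACTIONS))
```

Run it as-is to print the policy document and the two comparisons; to audit a policy already attached to the Controller's user or role, load that policy JSON into `action_allowed` in place of the constructed ones.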

Auto Scaling in Amazon Web Services

The AWS Auto Scaling service with the Check Point Auto Scaling group can increase or decrease the number of CloudGuard Gateways according to the current load.

CloudGuard Controller for AWS works with the Check Point Auto Scaling Group. The Check Point Security Management Server automatically updates the Data Center objects for the Check Point Auto Scaling group.

Enable the Identity Awareness Software Blade as explained in Auto Scaling in AWS (Amazon Web Services), sk112575, Section 5-E - Enabling additional Software Blades.