CloudGuard Controller for Amazon Web Services (AWS)

The CloudGuard Controller integrates the Amazon Web Services (AWS) cloud with Check Point security.

Important - The CloudGuard Controller server clock must be synchronized with the current local time. Use of an NTP server is recommended. Time synchronization issues can cause polling of information from the cloud to fail.

Connecting to an Amazon Web Services Data Center Server from SmartConsole

  1. In SmartConsole, create a new Data Center object in one of these ways:

     • In the top left corner, click Objects menu > More object types > Server > Data Center > New AWS.

     • In the top right corner, click Objects Pane > New > More > Server > Data Center > AWS.

  2. In the Enter Object Name field, enter a name.

  3. Select the applicable authentication method.

  4. If you choose User Authentication, enter your Access key ID and Secret access key.

  5. In the Region field, select the AWS region to which you want to connect.

  6. Click Test Connection.

  7. Click OK.

  8. Publish the SmartConsole session.

  9. Install the Access Control policy on the Security Gateway object.

Connecting to an Amazon Web Services Data Center Server with Management API

In the Management API Reference, click "see arguments per Data Center Server type" and select AWS.

Connecting to an Amazon Web Services Data Center Server with Terraform

See checkpoint_management_aws_data_center_server.

AWS Objects and Properties

AWS Imported Objects

  • VPC: Amazon Virtual Private Cloud enables you to launch resources into your Virtual Network.

  • Availability Zone: A separate geographic area of a region. There are multiple locations with regions and availability zones worldwide.

  • Subnet: All the IP addresses from the Network Interfaces related to this subnet.

  • Instance: Virtual computing environments.

  • Tags: Groups all the instances that have the same Tag Key and Tag Value.

  • Security Group: Groups all the IP addresses and Security Groups from all objects associated with this Security Group.

  • Load Balancers: A Load Balancer distributes incoming traffic across multiple targets such as EC2 Instances and IP addresses. Only Application and Network Load Balancers are supported.

  • VPC Endpoint: A VPC endpoint enables connections between a VPC and supported services, without requiring that you use an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

  • VPN Gateways, VPN Connections, Customer Gateway: For VPN site-to-site connections.

  • ENI: Elastic Network Interface. Supported starting from R81.20 Jumbo Hotfix Accumulator Take 70.

Note - This object is disabled by default. To enable it:

  1. Edit the vsec.conf file on the Management Server ($FWDIR/conf/ on a Security Management Server, $MDSDIR/conf/ on a Multi-Domain Management Server) and add the line:

    aws.enableShowAwsENIs=true

  2. Restart the CloudGuard Controller with the command: vsec stop;vsec start

AWS Import Options

Use one of these options to import AWS objects to your policy:

  • Regions: Import AWS VPCs, Load Balancers, Subnets, or Instances from a certain region to your Security Policy.

  • Security Groups: Import all IP addresses that belong to a specific Security Group. The Security Group is used only as a container for the list of all IP addresses of Instances that are attached to this group.

  • Tags: Import all instances and Security Groups that have a specific Tag Key or Tag Value.

Notes:

  • CloudGuard Controller saves the Tags with Key and no Value as: "Tag key="

  • CloudGuard Controller truncates leading and trailing spaces in Tag Keys and Tag Values.

  • All changes in AWS are reflected automatically in the Check Point Security Policy. This means that any user with permission to change resource tags in AWS can change which resources a rule matches, and therefore their own access permissions. Restrict tag-editing rights in AWS accordingly.

AWS Object Names (Tags)

Object names are the same as those in the AWS console. VPC, Subnet, Instance, and Security Group objects are named according to their Name tag:

  • Name tag exists: "<Object ID> (<Value of the Name tag>)"

  • Name tag does not exist: "<Object ID>"

  • Name tag is empty: "<Object ID>"
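The naming and tag-handling rules above (Name tag, "Tag key=" for a key with no value, trimming of leading and trailing spaces, and import by Tag Key or Value) modelled in Python, as an added example that is not Check Point's code; the function names and the sample instance tags are this example's own:

```python
"""Model how the CloudGuard Controller names imported AWS objects and stores their tags.

Added example (not Check Point's code). The rules come from the documentation: object names come
from the Name tag, a tag with a key but no value is saved as "<key>=", and leading/trailing spaces
are trimmed from tag keys and values. Function names are this example's own.
"""


def normalize_tags(aws_tags):
    """Return the controller's view of an object's tags: trimmed keys and values, as a dict."""
    normalized = {}
    for tag in aws_tags:
        key = tag.get("Key", "").strip()
        value = tag.get("Value", "").strip()
        if key:  # a tag whose key is empty after trimming carries no information
            normalized[key] = value
    return normalized


def tag_labels(aws_tags):
    """Labels under which the tags are saved; a key with no value becomes '<key>='."""
    return [f"{key}={value}" for key, value in normalize_tags(aws_tags).items()]


def object_name(object_id, aws_tags):
    """'<Object ID> (<Name tag value>)' when a non-empty Name tag exists, else '<Object ID>'."""
    name = normalize_tags(aws_tags).get("Name", "")
    return f"{object_id} ({name})" if name else object_id


def tag_matches(aws_tags, key=None, value=None):
    """Would a Tags import with the given Tag Key and/or Tag Value pick up this object?"""
    tags = normalize_tags(aws_tags)
    if key is not None and key not in tags:
        return False
    if value is not None:
        candidates = [tags[key]] if key is not None else list(tags.values())
        return value in candidates
    return True


if __name__ == "__main__":
    # Constructed sample: an instance id and tags in the shape ec2:DescribeInstances returns.
    sample_tags = [{"Key": " Name ", "Value": " web-frontend "},
                   {"Key": "Environment", "Value": "prod"},
                   {"Key": "Backup", "Value": ""}]
    print(object_name("i-0123456789abcdef0", sample_tags))  # i-0123456789abcdef0 (web-frontend)
    print(tag_labels(sample_tags))  # ['Name=web-frontend', 'Environment=prod', 'Backup=']
```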

AWS Imported Properties

  • Name: Resource name as shown in the AWS console. You can edit the name after importing the object.

  • Name in Server: Resource name as shown in the AWS console.

  • Type in Server: Resource type.

  • IP: Associated private and public IP addresses.

  • Note: CIDR for Subnet and VPC objects.

  • URI: Object path.

  • Tags: Tags (Keys and Values) that are attached to the object.

Configuring Permissions for Amazon Web Services

Minimal permissions for the User or Role:

  • Effect: Allow

  • Actions: ec2:DescribeInstances, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs, ec2:DescribeSecurityGroups

  • Resource: All ("*")

Additional optional permissions for the User or Role (Effect: Allow for each):

  • Actions "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTags": Used for importing Load Balancers and their tags and using them in the policy.

  • Actions "ec2:DescribeVpnGateways", "ec2:DescribeVpnConnections", "ec2:DescribeCustomerGateways": Used for automatic configuration of Site-to-site VPN.

  • Action "ec2:DescribeVpcEndpoints": Used for describing (importing) VPC endpoints.

For more information about Roles and the IAM policy, see Amazon Web Services documentation.
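The minimal and optional permissions above assembled into an IAM policy document, as an added example that is not Check Point's or AWS's code. The action names are the ones listed on this page; the feature labels (load_balancers, site_to_site_vpn, vpc_endpoints) and function names are this example's own. It also includes a check a reviewer would run before attaching the policy: the controller only ever reads the account, so anything that is not a Describe call, or that uses a wildcard, is flagged.

```python
"""Build the least-privilege IAM policy for the CloudGuard Controller AWS Data Center user or role.

Added example (not Check Point's or AWS's code). Action names are the ones documented for the
controller; the feature labels and function names are assumptions made for this example.
"""
import json

# Minimal read-only actions the controller needs to poll the account.
MINIMAL_ACTIONS = [
    "ec2:DescribeInstances",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeSubnets",
    "ec2:DescribeVpcs",
    "ec2:DescribeSecurityGroups",
]

# Optional actions, keyed by the feature they enable (feature labels are this example's own).
OPTIONAL_ACTIONS = {
    "load_balancers": ["elasticloadbalancing:DescribeLoadBalancers",
                       "elasticloadbalancing:DescribeTags"],
    "site_to_site_vpn": ["ec2:DescribeVpnGateways", "ec2:DescribeVpnConnections",
                         "ec2:DescribeCustomerGateways"],
    "vpc_endpoints": ["ec2:DescribeVpcEndpoints"],
}


def build_policy(features=()):
    """Return an IAM policy document that allows only what the chosen features need."""
    unknown = set(features) - set(OPTIONAL_ACTIONS)
    if unknown:
        raise ValueError(f"unknown feature(s): {sorted(unknown)}")
    actions = list(MINIMAL_ACTIONS)
    for feature in features:
        actions.extend(a for a in OPTIONAL_ACTIONS[feature] if a not in actions)
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}


def non_read_only_actions(policy):
    """Allowed actions that are not plain Describe* calls; wildcards are flagged as too broad."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        for action in [actions] if isinstance(actions, str) else actions:
            service, _, api = action.partition(":")
            if not service or "*" in action or not api.startswith("Describe"):
                flagged.append(action)
    return flagged


if __name__ == "__main__":
    policy = build_policy(["load_balancers", "vpc_endpoints"])
    print(json.dumps(policy, indent=2))
    print("non read-only actions:", non_read_only_actions(policy))  # []
```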

AWS STS Assume Role

AWS's Security Token Service (STS) Assume Role allows administrators to give access to AWS resources across different AWS user accounts.

Use Case

This feature is especially helpful for CloudGuard Controller administrators who manage multiple data centers.

Instead of requiring administrators to create multiple AWS user accounts and configure access permissions to AWS resources for each account, STS Assume Role lets them create the necessary permissions once for use across multiple AWS accounts. For the CloudGuard Controller, this means that it connects to a specific AWS account from a different AWS user account, which has the correct credentials configured.

For more information, see Amazon's IAM documentation.

Configuring the STS Assume Role

The CloudGuard Controller AWS Data Center authentication supports STS Assume Role, in addition to user and IAM authentication.

In R81 and lower, the only options for authentication were the Access key and Secret access key or Role Authentication.

In R81.10 and higher, authentication adds the STS Assume Role checkbox, which enables these combinations:

  • Access key and Secret access key with or without STS Assume Role.

  • Role Authentication with or without STS Assume Role.

To use the STS Assume Role in SmartConsole:

  1. Create a new AWS Data Center object.

  2. Select the authentication type (User or Role).

  3. Select the checkbox STS Assume Role.

  4. Enter the Role and ID as configured when you created the STS Assume Role.

Auto Scaling in Amazon Web Services

The AWS Auto Scaling service with the Check Point Auto Scaling group can increase or decrease the number of CloudGuard Gateways according to the current load.

The CloudGuard Controller for AWS works with the Check Point Auto Scaling Group.

The Check Point Security Management Server updates Data Center objects automatically on the Check Point Auto Scaling group.

CloudGuard CME for Amazon Web Services automatically configures the CloudGuard Gateways in the Auto Scaling group to support updates of Data Center objects from the CloudGuard Controller.