Manage AWS VPCs with Security Cloud Control
Use Security Cloud Control to manage AWS VPCs
Security Cloud Control provides a simplified management interface for your Amazon Web Services (AWS) Virtual Private Clouds (VPCs). You can manage your AWS VPCs and their components in the same interface you manage your other devices.
Use Security Cloud Control to perform these tasks:
These are common AWS features that Security Cloud Control expects to support in the future:
- Showing the relationship of load balancers (elastic, network, and application load balancers) to a security group.
- Showing the relationship of autoscaling groups to a security group.
You cannot manage these aspects of security groups with Security Cloud Control:
- Creating security groups.
- Linking security groups to instances.
- Assigning security groups to load balancers.
- VPC peering.
Onboard AWS VPCs
Start by onboarding the AWS VPC using the Security Cloud Control onboarding wizard. For more information about onboarding an AWS VPC, refer to Onboard an AWS VPC.
Note that if an AWS VPC contains tags, these tags are imported into Security Cloud Control when you onboard the device. Security Cloud Control represents the tags as labels. Unlike Security Cloud Control objects or rules, labels are not automatically synchronized back to the AWS VPC; a label you add or change in Security Cloud Control does not create or change a tag in AWS. For more information about labels and filtering, refer to Labels and Filtering.
Manage the AWS VPC connection credentials and IAM permissions through the Security Cloud Control console. Without valid credentials and sufficient permissions, Security Cloud Control cannot communicate with the AWS VPC. For more information, refer to Update AWS VPC Connection Credentials and Changing Permissions for an IAM User.
View AWS VPC details
After onboarding the AWS VPC, you can view its ID, region, security groups, and the rules and objects assigned to those security groups.
Work with Security Groups
A security group is a collection of rules that governs inbound and outbound network traffic for the AWS instances and other entities associated with it. When you onboard an AWS VPC to Security Cloud Control, its security groups are stored in Security Cloud Control as security group objects.
Using Security Cloud Control you can perform these tasks:
- Check for changes, edit, and delete rules in a security group.
At this time, you cannot create new security groups in a VPC.
For more information, refer to these topics:
Share Objects between AWS and other managed devices
Security Cloud Control supports the use of objects in rules. Objects are named containers for values. For example, you can create a network object containing the IP address of a resource and give it a meaningful name. You can then use that object as the source or destination in access rules, instead of using the resource's literal IP address, and reuse the same object in different rules. If you change the object's value, every rule that uses the object starts using the new value.
After onboarding an AWS VPC, Security Cloud Control translates the AWS constructs found in existing security group rules into security group objects, network objects, and service objects.
Network objects and service objects (also called port objects) can be shared between AWS VPCs and other devices managed using Security Cloud Control. Security group objects are unique to AWS.
For more information about sharing objects between AWS and other managed devices, refer to Sharing Objects Between AWS and other Managed Devices.
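The translation described above, as an added illustration rather than Security Cloud Control's own code: the input is the shape returned by `aws ec2 describe-security-groups` (IpPermissions and IpPermissionsEgress), and the object model it is mapped into (network, service and security group objects, with rules that refer to them by name) is an assumption that mirrors the description on this page. The sample security group is constructed, with placeholder IDs and account number. The last two functions show the point about objects made earlier in this section: changing a network object's value once changes every rule that references it.

```python
"""Translate AWS security group rules into reusable policy objects.

Added illustration, not Security Cloud Control code: the object model below
is an assumption that mirrors the page's description; the input is the shape
returned by `aws ec2 describe-security-groups`.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ANY_PROTOCOL = "-1"  # AWS wildcard for "all protocols"

# Constructed sample input: one security group as describe-security-groups
# would return it. IDs and the account number are placeholders.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web-tier",
    "OwnerId": "123456789012",
    "VpcId": "vpc-0abc1234",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "internet"}],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office"}],
         "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210",
                               "UserId": "123456789012"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": []},
    ],
}


@dataclass
class Rule:
    direction: str   # "inbound" or "outbound"
    peer: str        # name of a network object, or an AWS security group ID
    peer_kind: str   # "network" or "security_group"
    service: str     # name of a service (port) object


@dataclass
class ObjectModel:
    network_objects: Dict[str, str] = field(default_factory=dict)  # name -> CIDR
    service_objects: Dict[str, Tuple[str, Optional[int], Optional[int]]] = field(default_factory=dict)
    security_group_objects: Dict[str, str] = field(default_factory=dict)  # sg id -> owner account
    rules: List[Rule] = field(default_factory=list)


def service_name(proto: str, from_port: Optional[int], to_port: Optional[int]) -> str:
    """Derive a stable service-object name from protocol and port range."""
    if proto == ANY_PROTOCOL:
        return "any"
    if from_port is None:
        return proto
    return f"{proto}_{from_port}" if from_port == to_port else f"{proto}_{from_port}-{to_port}"


def translate(sg: dict) -> ObjectModel:
    """Turn one security group into objects plus rules that reference them by name."""
    model = ObjectModel()
    model.security_group_objects[sg["GroupId"]] = sg.get("OwnerId", "")
    by_cidr: Dict[str, str] = {}  # CIDR -> object name, so one value yields one object
    for direction, key in (("inbound", "IpPermissions"), ("outbound", "IpPermissionsEgress")):
        for perm in sg.get(key, []):
            from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
            svc = service_name(perm["IpProtocol"], from_port, to_port)
            model.service_objects.setdefault(svc, (perm["IpProtocol"], from_port, to_port))
            for ip_range in perm.get("IpRanges", []):
                cidr = ip_range["CidrIp"]
                if cidr not in by_cidr:
                    desc = ip_range.get("Description", "").strip().lower().replace(" ", "_")
                    name = desc or "net_" + cidr.replace(".", "_").replace("/", "_")
                    if model.network_objects.get(name, cidr) != cidr:  # name taken by another CIDR
                        name = "net_" + cidr.replace(".", "_").replace("/", "_")
                    by_cidr[cidr] = name
                    model.network_objects[name] = cidr
                model.rules.append(Rule(direction, by_cidr[cidr], "network", svc))
            for pair in perm.get("UserIdGroupPairs", []):
                # A rule that points at another security group stays an AWS-specific reference.
                model.security_group_objects.setdefault(pair["GroupId"], pair.get("UserId", ""))
                model.rules.append(Rule(direction, pair["GroupId"], "security_group", svc))
    return model


def shareable_objects(model: ObjectModel) -> List[str]:
    """Network and service objects: reusable in rules on other managed devices."""
    return sorted(list(model.network_objects) + list(model.service_objects))


def aws_only_objects(model: ObjectModel) -> List[str]:
    """Security group objects: meaningful only inside AWS."""
    return sorted(model.security_group_objects)


def set_network_object(model: ObjectModel, name: str, cidr: str) -> None:
    """Change an object's value once; every rule that uses it picks up the new value."""
    if name not in model.network_objects:
        raise KeyError(f"unknown network object {name!r}")
    model.network_objects[name] = cidr


def resolve_rules(model: ObjectModel) -> List[Tuple[str, str, str, Optional[int], Optional[int]]]:
    """Expand object names back into literal values, as a device would see them."""
    out = []
    for r in model.rules:
        peer = model.network_objects[r.peer] if r.peer_kind == "network" else r.peer
        proto, from_port, to_port = model.service_objects[r.service]
        out.append((r.direction, peer, proto, from_port, to_port))
    return out


if __name__ == "__main__":
    m = translate(SAMPLE_SG)
    print("shareable:", shareable_objects(m))
    print("AWS-only:", aws_only_objects(m))
    set_network_object(m, "office", "198.51.100.0/24")  # one change, every rule follows
    for row in resolve_rules(m):
        print(row)
```

Two details worth noticing when doing this for real: a security group's rules can reference other security groups by ID (UserIdGroupPairs), which is why those objects cannot be shared with non-AWS devices, and the same CIDR can appear in several rules with different or missing descriptions, so the translation has to decide on one object per value rather than one per rule.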
Monitor Changes to AWS VPCs and AWS Security Groups
Change Log
The change log continuously captures configuration changes as they are made in Security Cloud Control. This view includes changes across all supported devices and services. The change log offers these features:
- Side-by-side comparison of changes made to device configuration.
- Plain English labels for all change log entries.
- Records onboarding and removal of devices.
- Detection of policy change conflicts occurring outside of Security Cloud Control.
- Answers who, what, and when during an incident investigation or troubleshooting.
Change request management allows you to associate a change request and its business justification, opened in a third-party ticketing system, with an event in the Change Log. Use change request management to create a change request in Security Cloud Control, identify it with a unique name, enter a description of the change, and associate the change request with change log events. You can later search the Change Log for the change request name.
Support for common management tasks
Security Cloud Control supports these common management tasks for AWS security groups: