Steps for AWS (CWPP) Integration
The CWPP integration process is similar to CSPM integration.
- On the AWS Add Integration page, select the required capability, Cloud Workload Protection Platform (CWPP), and click Next.
- Ensure that you have already signed in to the Management Console of your target AWS account, then choose the 'Automated' (Recommended) or 'Manual' mode to create an IAM role that grants Plerion access to your AWS account.
- Every step up to the CWPP-specific configuration is the same as for CSPM.
Workload Configuration
On the Workload Configuration page, select the applicable workloads. The available options are Amazon EC2, AWS Lambda, and Amazon ECS.
Appliance Configuration
On the Appliance Configuration page, regions with the selected workloads will be displayed with details of VPC, Subnet, and Security Group if already configured, otherwise those fields will be empty and will require configuration. Each workload region requires a networking configuration that allows egress access to the internet. At least one region with workloads should be enabled for the integration to be added successfully.
Users can use the Example CloudFormation Template for Network Configuration to create a VPC, Subnet, Internet Gateway, Route Table, and Network ACL. If you choose to deploy the provided template manually or to use an existing VPC, Subnet, and Security Group, the corresponding Subnet Id(s) and Security Group Id(s) must be set manually in the desired region(s). Use the Validate button to initiate a network validation test that confirms the appliance network has working egress.
Users also have the option to use a Plerion-managed version of this template and delegate the configuration of their desired region(s) to Plerion. In that case the system automatically populates your region details from the resources deployed by the CloudFormation Stack. The Plerion-managed configuration feature is currently limited to single-region deployments; the option to delegate multi-region deployments is planned for a future update. Multi-region deployments using the Example CloudFormation Template for Network Configuration can be done manually via CloudFormation StackSets.
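As an added example (not Plerion's own Validate logic), the following Python pre-checks the two network prerequisites described above for a subnet and security group pair before you save the region: a default route to an internet gateway and a security group egress rule covering TCP/443. The input dicts are shaped like boto3's describe_route_tables and describe_security_groups responses; the resource IDs and data are constructed to mirror the example template.

```python
# Added example, not Plerion's Validate check. Offline pre-check of the appliance
# network prerequisites: IGW default route for the subnet and TCP/443 egress in the SG.
# Dicts mirror boto3 describe_route_tables / describe_security_groups output shapes.

def subnet_has_igw_route(route_tables, subnet_id):
    """True when the subnet's route table (explicit association, else the VPC
    main table) has an active 0.0.0.0/0 route to an internet gateway."""
    explicit = [rt for rt in route_tables
                if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", []))]
    main = [rt for rt in route_tables
            if any(a.get("Main") for a in rt.get("Associations", []))]
    table = (explicit or main or [{}])[0]
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(r.get("GatewayId", "")).startswith("igw-")
               and r.get("State", "active") == "active"
               for r in table.get("Routes", []))

def sg_allows_https_egress(sg):
    """True when some egress rule covers TCP/443 (or all traffic) to 0.0.0.0/0."""
    for perm in sg.get("IpPermissionsEgress", []):
        proto = perm.get("IpProtocol")
        covers_443 = proto == "-1" or (
            proto == "tcp" and perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 65535))
        if covers_443 and any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            return True
    return False

def check_appliance_network(route_tables, security_groups, subnet_id, sg_id):
    """Return a list of problems; an empty list means the pair meets the prerequisites."""
    problems = []
    if not subnet_has_igw_route(route_tables, subnet_id):
        problems.append(f"{subnet_id}: no 0.0.0.0/0 route to an internet gateway")
    sg = next((g for g in security_groups if g.get("GroupId") == sg_id), None)
    if sg is None:
        problems.append(f"{sg_id}: security group not found")
    elif not sg_allows_https_egress(sg):
        problems.append(f"{sg_id}: no egress rule for TCP/443 to 0.0.0.0/0")
    return problems

# Constructed sample data with hypothetical IDs, shaped like the template's resources.
ROUTE_TABLES = [{"RouteTableId": "rtb-0example",
                 "Associations": [{"SubnetId": "subnet-0example"}],
                 "Routes": [{"DestinationCidrBlock": "192.168.0.0/24", "GatewayId": "local", "State": "active"},
                            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}]}]
SECURITY_GROUPS = [
    {"GroupId": "sg-0https", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0noegress", "IpPermissionsEgress": []},
]

if __name__ == "__main__":
    print(check_appliance_network(ROUTE_TABLES, SECURITY_GROUPS, "subnet-0example", "sg-0https"))
    print(check_appliance_network(ROUTE_TABLES, SECURITY_GROUPS, "subnet-0example", "sg-0noegress"))
```

Run it against live data by feeding the `RouteTables` and `SecurityGroups` lists from the corresponding boto3 calls for the region you are configuring.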
- Advanced Settings - The Advanced Settings section displays the other AWS regions without any workloads. Users can turn on any of the regions within the Advanced Settings section.
- For integrations with CWPP, a scan will be triggered for CSPM, followed by another for CWPP.
- For every CWPP scan, an appliance EC2 instance is created in your AWS account in every region enabled during integration creation. The appliance instance completes the scan of the workloads and then terminates itself. Details of the workloads and appliances can be seen on the Integration information page.
Example CloudFormation Template for Network Configuration
The following is an example CloudFormation template for network configuration. This template can be used to create a VPC, Subnet, Internet Gateway, Route Table, and Network ACL.
Users can create a Stack by following Creating a Stack or deploy to multiple regions using StackSets.
Copy the following template and save it as a YAML file or
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  CidrBlockParameter:
    Type: String
    Default: '192.168.0.0/24'
    Description: 'CIDR block for Plerion Appliance VPC'
Resources:
  # Dedicated VPC for the scanning appliance; DNS must be enabled for outbound HTTPS.
  PlerionApplianceVPC:
    Type: AWS::EC2::VPC
    Properties:
      Tags:
        - Key: Owner
          Value: Plerion
        - Key: Purpose
          Value: PlerionCWPPAppliance
      CidrBlock: !Ref CidrBlockParameter
      EnableDnsSupport: true
      EnableDnsHostnames: true
  PlerionApplianceInternetGateway:
    Type: 'AWS::EC2::InternetGateway'
    Properties:
      Tags:
        - Key: Owner
          Value: Plerion
        - Key: Purpose
          Value: PlerionCWPPAppliance
  PlerionApplianceVPCGatewayAttachment:
    Type: 'AWS::EC2::VPCGatewayAttachment'
    Properties:
      InternetGatewayId: !Ref PlerionApplianceInternetGateway
      VpcId: !Ref PlerionApplianceVPC
  PlerionAppliancePublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      Tags:
        - Key: Owner
          Value: Plerion
        - Key: Purpose
          Value: PlerionCWPPAppliance
      VpcId: !Ref PlerionApplianceVPC
  # Default route to the internet gateway; the route can only be created once the
  # gateway is attached, hence the explicit DependsOn.
  PlerionAppliancePublicRoute:
    DependsOn: PlerionApplianceVPCGatewayAttachment
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PlerionAppliancePublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref PlerionApplianceInternetGateway
  # Single public subnet in the first AZ of the region, using the whole VPC CIDR.
  PlerionAppliancePublicSubnet01:
    Type: AWS::EC2::Subnet
    Properties:
      Tags:
        - Key: Owner
          Value: Plerion
        - Key: Purpose
          Value: PlerionCWPPAppliance
      MapPublicIpOnLaunch: true
      CidrBlock: !Ref CidrBlockParameter
      AvailabilityZone: !Select
        - 0
        - Fn::GetAZs: !Ref 'AWS::Region'
      VpcId: !Ref PlerionApplianceVPC
  PlerionAppliancePublicSubnet01RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PlerionAppliancePublicSubnet01
      RouteTableId: !Ref PlerionAppliancePublicRouteTable
  PlerionApplianceNACL:
    Type: AWS::EC2::NetworkAcl
    Properties:
      Tags:
        - Key: Owner
          Value: Plerion
        - Key: Purpose
          Value: PlerionCWPPAppliance
      VpcId: !Ref PlerionApplianceVPC
  PlerionApplianceNACLPublicSubnet01Association:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      NetworkAclId: !Ref PlerionApplianceNACL
      SubnetId: !Ref PlerionAppliancePublicSubnet01
  # The NACL is permissive in both directions (stateless); the security group
  # below is what restricts the appliance to HTTPS egress only.
  PlerionApplianceNACLOutbound:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PlerionApplianceNACL
      RuleNumber: 100
      Protocol: -1
      Egress: true
      RuleAction: allow
      CidrBlock: 0.0.0.0/0
  PlerionApplianceNACLInbound:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PlerionApplianceNACL
      RuleNumber: 100
      Protocol: -1
      RuleAction: allow
      CidrBlock: 0.0.0.0/0
  # No ingress rules are defined, so nothing can initiate connections to the appliance.
  PlerionApplianceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      Tags:
        - Key: Owner
          Value: Plerion
        - Key: Purpose
          Value: PlerionCWPPAppliance
      GroupDescription: Allow HTTPS egress
      VpcId: !Ref PlerionApplianceVPC
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
```