Onboard an AWS VPC

To onboard an AWS VPC to Security Cloud Control, follow this procedure.

Before you begin

Note

Security Cloud Control does not support peered AWS VPCs. If you attempt to onboard a peered VPC referencing a security group that is defined on the peer VPC, the onboarding process fails.
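One way to catch this before onboarding is to scan the target VPC's security groups for rules that reference a group in another VPC. The following script is an added example (not Cisco's or AWS's code): it walks a DescribeSecurityGroups-style response and reports every rule entry whose UserIdGroupPairs points at a group outside the target VPC or across a peering connection. SAMPLE_GROUPS, and every VPC, group, account and peering ID in it, is constructed; in real use you would feed it the "SecurityGroups" list returned by boto3's ec2.describe_security_groups() for the VPC you intend to onboard.

```python
"""Pre-flight check for the peered-VPC note: list every security-group rule in
the VPC you are about to onboard that points at a security group in another
VPC (normally over a VPC peering connection), so it can be reworked before
onboarding rather than failing during it.

Added example, not Cisco's or AWS's code. SAMPLE_GROUPS is a constructed
DescribeSecurityGroups-style response with made-up IDs.
"""

TARGET_VPC = "vpc-0a0a0a0a0a0a0a0a1"  # constructed ID of the VPC being onboarded
PEER_VPC = "vpc-0b0b0b0b0b0b0b0b2"    # constructed ID of a peered VPC

SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0c0c0c0c0c0c0c0c1", "GroupName": "web", "VpcId": TARGET_VPC,
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0c0c0c0c0c0c0c0c2", "GroupName": "app", "VpcId": TARGET_VPC,
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443, "IpRanges": [],
             "UserIdGroupPairs": [
                 # Same-VPC reference: fine.
                 {"GroupId": "sg-0c0c0c0c0c0c0c0c1", "UserId": "111111111111",
                  "VpcId": TARGET_VPC},
                 # Reference to a group that lives on the peer VPC: onboarding fails.
                 {"GroupId": "sg-0d0d0d0d0d0d0d0d3", "UserId": "111111111111",
                  "VpcId": PEER_VPC, "VpcPeeringConnectionId": "pcx-0e0e0e0e0e0e0e0e4",
                  "PeeringStatus": "active"},
             ]},
        ],
        "IpPermissionsEgress": [],
    },
]


def find_peer_references(groups, vpc_id):
    """Return one finding per rule entry that references a group outside vpc_id."""
    findings = []
    for sg in groups:
        if sg.get("VpcId") != vpc_id:
            continue  # only the target VPC's own groups matter here
        for field, direction in (("IpPermissions", "ingress"),
                                 ("IpPermissionsEgress", "egress")):
            for rule in sg.get(field, []):
                for pair in rule.get("UserIdGroupPairs", []):
                    # AWS omits VpcId for plain same-VPC references.
                    referenced_vpc = pair.get("VpcId", vpc_id)
                    if referenced_vpc == vpc_id and not pair.get("VpcPeeringConnectionId"):
                        continue
                    findings.append({
                        "group_id": sg["GroupId"],
                        "group_name": sg.get("GroupName", ""),
                        "direction": direction,
                        "protocol": rule.get("IpProtocol"),
                        "from_port": rule.get("FromPort"),
                        "to_port": rule.get("ToPort"),
                        "referenced_group": pair.get("GroupId"),
                        "referenced_vpc": referenced_vpc,
                        "peering_connection": pair.get("VpcPeeringConnectionId"),
                    })
    return findings


def format_findings(findings):
    """Human-readable summary, one line per finding."""
    lines = []
    for f in findings:
        port = "all" if f["from_port"] is None else f"{f['from_port']}-{f['to_port']}"
        lines.append(f"{f['group_id']} ({f['group_name']}) {f['direction']} "
                     f"{f['protocol']}/{port} -> {f['referenced_group']} in "
                     f"{f['referenced_vpc']} via {f['peering_connection'] or 'n/a'}")
    return lines


if __name__ == "__main__":
    hits = find_peer_references(SAMPLE_GROUPS, TARGET_VPC)
    if hits:
        print("Cross-VPC security group references found; fix these before onboarding:")
        print("\n".join(format_findings(hits)))
    else:
        print("No cross-VPC security group references found.")
```

Run against the sample, it reports the single "app" ingress rule on tcp/8443 that points at a group on the peer VPC and stays silent for the "web" group, whose rules use only CIDR ranges.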

Before onboarding your Amazon Web Services (AWS) Virtual Private Cloud (VPC) to Security Cloud Control, review these prerequisites:

  • To onboard an AWS VPC, you need the access key and secret access key for the VPC. Both credentials are generated using the Identity and Access Management (IAM) console. For more information about security credentials, refer to Understanding and Getting your Security Credentials.

  • Configure IAM permissions to allow Security Cloud Control to communicate with your AWS VPC. For more information about changing permissions for an IAM user, refer to Changing Permissions for an IAM User. See this example for required permissions.

"cloudformation:CreateStack",
"cloudformation:CreateStackInstances",
"cloudformation:DescribeStackInstance",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStacks",
"ec2:AllocateAddress",
"ec2:AllocateHosts",
"ec2:AssignPrivateIpAddresses",
"ec2:AssociateAddress",
"ec2:AssociateDhcpOptions",
"ec2:AssociateRouteTable",
"ec2:AssociateSubnetCidrBlock",
"ec2:AttachInternetGateway",
"ec2:AttachNetworkInterface",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateDhcpOptions",
"ec2:CreateEgressOnlyInternetGateway",
"ec2:CreateInternetGateway",
"ec2:CreateNetworkAcl",
"ec2:CreateNetworkInterface",
"ec2:CreateNetworkInterfacePermission",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:DescribeAddresses",
"ec2:DescribeAddressesAttribute",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeDhcpOptions",
"ec2:DescribeEgressOnlyInternetGateways",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribeNetworkInterfacePermissions",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroupReferences",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeTransitGatewayVpcAttachments",
"ec2:DescribeTransitGateways",
"ec2:DescribeVpcs",
"ec2:DescribeVpnGateways",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifySecurityGroupRules",
"ec2:ModifySubnetAttribute",
"ec2:RunInstances",
"sts:GetCallerIdentity"
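Before handing the access key to Security Cloud Control, it is worth confirming that the IAM policy attached to that user really grants every action in the list above and nothing much wider. The script below is an added example, not Cisco's or AWS's code. REQUIRED_ACTIONS is the list from the prerequisites; SAMPLE_POLICY is a constructed policy document used as input. The check evaluates only the Effect, Action and NotAction fields with IAM's wildcard and explicit-deny semantics; it does not evaluate Resource or Condition, so a reported gap is real, but an empty result still assumes those constraints are permissive enough.

```python
"""Pre-flight check for the IAM prerequisite: does a policy document grant every
action that Security Cloud Control needs to onboard an AWS VPC?

Added example, not Cisco's or AWS's code. REQUIRED_ACTIONS is the action list
from the prerequisites; SAMPLE_POLICY is a constructed policy. Only Effect,
Action and NotAction are evaluated (Resource and Condition are ignored).
"""
import fnmatch

# The actions Security Cloud Control needs (copied from the prerequisite list).
REQUIRED_ACTIONS = """
cloudformation:CreateStack cloudformation:CreateStackInstances
cloudformation:DescribeStackInstance cloudformation:DescribeStackResource
cloudformation:DescribeStackResources cloudformation:DescribeStacks
ec2:AllocateAddress ec2:AllocateHosts ec2:AssignPrivateIpAddresses
ec2:AssociateAddress ec2:AssociateDhcpOptions ec2:AssociateRouteTable
ec2:AssociateSubnetCidrBlock ec2:AttachInternetGateway ec2:AttachNetworkInterface
ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress
ec2:CreateDhcpOptions ec2:CreateEgressOnlyInternetGateway ec2:CreateInternetGateway
ec2:CreateNetworkAcl ec2:CreateNetworkInterface ec2:CreateNetworkInterfacePermission
ec2:CreateRoute ec2:CreateRouteTable ec2:CreateSecurityGroup ec2:CreateSubnet
ec2:CreateTags ec2:DescribeAddresses ec2:DescribeAddressesAttribute
ec2:DescribeAvailabilityZones ec2:DescribeDhcpOptions
ec2:DescribeEgressOnlyInternetGateways ec2:DescribeInstanceStatus
ec2:DescribeInstances ec2:DescribeInternetGateways ec2:DescribeNetworkAcls
ec2:DescribeNetworkInterfaceAttribute ec2:DescribeNetworkInterfacePermissions
ec2:DescribeNetworkInterfaces ec2:DescribeRegions ec2:DescribeRouteTables
ec2:DescribeSecurityGroupReferences ec2:DescribeSecurityGroupRules
ec2:DescribeSecurityGroups ec2:DescribeSubnets ec2:DescribeTags
ec2:DescribeTransitGatewayVpcAttachments ec2:DescribeTransitGateways
ec2:DescribeVpcs ec2:DescribeVpnGateways ec2:ModifyNetworkInterfaceAttribute
ec2:ModifySecurityGroupRules ec2:ModifySubnetAttribute ec2:RunInstances
sts:GetCallerIdentity
""".split()

# Constructed sample: a "mostly right" policy. It grants CloudFormation and sts,
# every ec2 Describe* call and most mutating ec2 calls, but forgets ec2:Attach*
# and carries an explicit Deny on ec2:RunInstances.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["cloudformation:*", "ec2:Describe*", "sts:GetCallerIdentity"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Allocate*", "ec2:AssignPrivateIpAddresses", "ec2:Associate*",
                    "ec2:AuthorizeSecurityGroup*", "ec2:Create*", "ec2:Modify*",
                    "ec2:RunInstances"]},
        {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a string, a list, or (for Statement) a single object."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(statement, action):
    """True if the statement's Action/NotAction selects this action."""
    if "Action" in statement:
        return any(_action_matches(p, action) for p in _as_list(statement["Action"]))
    if "NotAction" in statement:
        return not any(_action_matches(p, action) for p in _as_list(statement["NotAction"]))
    return False


def check_policy(policy, required=REQUIRED_ACTIONS):
    """Return the required actions the policy fails to grant, plus any global or
    service-wide wildcard grants that go well beyond what onboarding needs."""
    allowed, denied, broad = set(), set(), []
    for statement in _as_list(policy.get("Statement")):
        effect = statement.get("Effect")
        if effect == "Allow":
            for pattern in _as_list(statement.get("Action")):
                if pattern == "*" or pattern.endswith(":*"):
                    broad.append(pattern)
        for action in required:
            if _statement_covers(statement, action):
                if effect == "Allow":
                    allowed.add(action)
                elif effect == "Deny":
                    denied.add(action)
    # An explicit Deny wins over any Allow, exactly as IAM evaluates it.
    missing = sorted(a for a in required if a not in allowed or a in denied)
    return {"missing": missing, "broad_grants": broad}


if __name__ == "__main__":
    result = check_policy(SAMPLE_POLICY)
    for action in result["missing"]:
        print(f"MISSING  {action}")
    for pattern in result["broad_grants"]:
        print(f"BROAD    {pattern} (wider than onboarding needs)")
```

On the sample policy the check reports the two ec2:Attach* actions and ec2:RunInstances (granted, then explicitly denied) as missing, and flags "cloudformation:*" as broader than the six CloudFormation actions the onboarding actually uses. To check a live policy, pass the document returned by the IAM GetPolicyVersion or GetUserPolicy API in place of SAMPLE_POLICY.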

Procedure


Step 1

Choose Security Devices.

Step 2

Click to begin onboarding the device.

Step 3

Click the AWS VPC tile.

Step 4

Enter these details in the Account page.

  1. Enter the Access Key ID and Secret Access Key to connect to the AWS account. The generated list of names is retrieved from the AWS VPC to which you supplied login credentials.

  2. Click Connect.

Step 5

Enter these details in the VPC page.

  1. Select a region from the drop-down menu. Choose the region where the VPC is located.

  2. Click Select.

  3. Use the drop-down menu to select the correct AWS VPC. The generated list of names is retrieved from the AWS VPC to which you supplied login credentials.

    Note

    AWS VPC IDs are unique; there cannot be two or more VPCs with the same ID.

  4. Click Select.

Step 6

Enter these details in the Name page.

  1. Enter a name to be shown in the Security Cloud Control UI.

  2. Click Continue.

Step 7

(Optional) Enter a label for the device in the Labels page, and click Continue.

Note

If you create labels for an AWS VPC, the labels are not automatically synchronized with your device. You must manually recreate the labels as tags in the AWS console. For more information about labels and tags in AWS VPC, refer to Labels and Tags in AWS VPC.


After successful onboarding, the Configuration Status changes to 'Synced,' and Connectivity changes to 'Online' on the Security Devices page.