CloudOptics Documentation

Please follow the instructions to install & configure the product.

Introduction

CloudOptics has the ability to manage a single cloud account or multiple clouds. The product also has the capability to onboard multiple customers at the same time, each having various cloud accounts of their own.

The following guide will help you choose the right product edition to get started.

The trial version of the product comes with a no-obligation 2-week entitlement. The trial version is fully functional, with all modules of CloudOptics available to secure your critical infrastructure.

Please select the target environment where you want to install the product for detailed steps.

Subscribing CloudOptics as SaaS

CloudOptics is available as SaaS for organizations to subscribe online and consume. Please follow the instructions below to use SaaS -

  1. Please visit https://app.cloudoptics.io/#/setup & register
_images/saas_register1.png
  2. Please follow the on-screen instructions to complete the registration

Install CloudOptics on a Server

In order to install CloudOptics on any machine of your choice in any environment, please follow these instructions.

Eligibility

1. A CloudOptics platform license can be procured by a Managed Service Provider (MSP) by writing to sales@cloudoptics.io. After the email, download authorization will be provided along with a license key.

The MSP version allows a company to host the CloudOptics platform in multi-tenant mode, so all of their customers can be serviced directly by the MSP.

2. A CloudOptics platform license can also be procured by an end customer for its own use, by writing to sales@cloudoptics.io. After the email, download authorization will be provided along with a license key.

The end user version allows a company to host the CloudOptics platform in their own account in single-tenant mode, so all of their cloud accounts can be onboarded and monitored.

Pre-Requisite

We recommend the following machine configuration for installing CloudOptics.

Networking Requirement

  • Inbound access on port 8080 to access Platform console
  • Outbound access to connect with various target clouds & Licensing Server

Quick Installation

Please execute the following commands to get the required script.

curl -sO http://remote.cloudoptics.io/install.sh

chmod +x install.sh

Execute the following command to start the installation

./install.sh

The installation script will configure the public IP of the machine for accessing the product console.
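The Quick Installation above downloads install.sh with curl and then executes it. The following is an added example, not part of the CloudOptics installer or of this guide: a small Python helper that accepts a download URL only when it is https:// and runs the script only after its SHA-256 matches a value obtained from the vendor out of band. The EXPECTED_SHA256 placeholder, the self_check routine and the constructed sample script are assumptions of the example; the guide itself publishes no digest.

```python
import hashlib
import hmac
import os
import subprocess
import sys
import tempfile
from urllib.parse import urlparse

# Placeholder: this guide publishes no digest for install.sh. Obtain the expected
# SHA-256 from the vendor out of band and put it here before using run_installer().
EXPECTED_SHA256 = "<sha256 of install.sh obtained from the vendor>"


def is_acceptable_download_url(url: str) -> bool:
    """Accept only https:// URLs with a host: a script fetched over plain http://
    can be altered in transit before it is executed on the server."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def sha256_of_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_sha256(path: str, expected_hex: str) -> bool:
    """Compare the file digest with the expected value in constant time."""
    return hmac.compare_digest(sha256_of_file(path), expected_hex.strip().lower())


def run_installer(path: str, expected_hex: str) -> int:
    """Execute the installer with /bin/sh only if its digest matches; 1 means refused."""
    if not verify_sha256(path, expected_hex):
        print(f"{path} does not match the expected SHA-256; refusing to execute", file=sys.stderr)
        return 1
    return subprocess.run(["/bin/sh", path], check=False).returncode


def self_check() -> bool:
    """Demonstrate the check on a constructed script: the right digest passes,
    a wrong digest is refused and the script is never run."""
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "install.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\necho constructed sample installer\n")  # constructed content
        good = sha256_of_file(script)
        wrong = "0" * 64
        return (verify_sha256(script, good)
                and not verify_sha256(script, wrong)
                and run_installer(script, wrong) == 1)


if __name__ == "__main__":
    print("https only:", is_acceptable_download_url("http://remote.cloudoptics.io/install.sh"))
    print("self check:", self_check())
```

In practice the digest is compared before `chmod +x` and `./install.sh` are run; if the vendor only offers the script over http://, the digest check is the only integrity control available and should not be skipped.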

Procuring CloudOptics from AWS Marketplace

You could also launch CloudOptics from AWS Marketplace.

Initial Configuration Of CloudOptics

Before you begin, please collect SMTP server details from your administrator.

In your browser, please open the URL http://<public ip>:8080/#/setup

  1. You should see the following screen.
_images/lic_request.png

Please fill in the information correctly, as the license generated will be tied to this entity. This information cannot be edited afterwards.

  2. Successful license generation will present the following screen.
_images/admin_account.png
  3. Next you need to configure SMTP server details to receive emails
_images/smtp_server.png

That's it! You should be greeted with the login page.

_images/login_page.png

Prepare & Onboard Cloud Accounts

CloudOptics supports various types of cloud integrations. Before onboarding, cloud accounts need to be prepared for CloudOptics. Please use the specific guide for integrating your cloud.

Prepare AWS Account for Onboarding (Access Key)

Please follow the instructions to prepare your AWS account for onboarding into the product. This uses the Access Key method. Please note, CWPP features will not be accessible using this approach.

  1. Sign in to the AWS Console & go to the IAM service to create a new group “CloudOpticsGroup”
_images/iam_group_1.png

  2. Please add the following IAM permissions to the group
    • ReadOnlyAccess
    • AWSCloudTrailReadOnlyAccess
    • CloudWatchReadOnlyAccess
_images/iam_group_2.png

  3. Verify the name & permissions in the next screen to create the group
_images/iam_group_3.png

  4. Go to Add User in the AWS IAM Console
_images/iam_user_1.png

  5. Add user CloudOptics with Programmatic Access
_images/iam_user_2.png

  6. Next we will add this user to “CloudOpticsGroup”
_images/iam_user_3.png

  7. Copy the Access Key ID & Secret Access Key into a notepad as shown in the screen below. We will need them to onboard the AWS account into CloudOptics

Warning

The Secret Key will not be shown again. So it is important to make a note of it.

_images/iam_user_4.png

Prepare AWS Account for Onboarding (Cross Account)

Please follow the instructions to prepare your AWS account for onboarding into the product.

  1. Sign in to the AWS Console & go to the IAM service to create a new role “CloudOpticsRole”. Please follow the actions in the screenshot below.

    Please note the account number (673199402158) and external ID (cloudoptics) need to match exactly.

_images/x_account_create_role_1.png

  2. Please add the following IAM permissions to the role being created
    • ReadOnlyAccess
    • SecurityAudit
    • AWSCloudTrailReadOnlyAccess
    • CloudWatchReadOnlyAccess
_images/x_account_create_role_2.png

  3. Verify the name to create the role
_images/x_account_create_role_3.png

  4. After creating the role, go to the role and create an inline policy
_images/x_account_create_role_4.png

  5. Download cloudoptics_policy.json from here.

  6. Add cloudoptics_policy.json as per the image
_images/x_account_create_role_5.png

  7. Make a note of the role ARN. It will be needed to onboard the account into CloudOptics.
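The cross-account role above is only as safe as its trust relationship: the account number and external ID shown in the screenshot are what stop any other AWS account from assuming CloudOpticsRole. The following is an added example, not code or policy from CloudOptics: it builds a trust policy document in the shape that step 1 implies (the guide shows it only as a screenshot, so the exact document is an assumption) using the account ID 673199402158 and external ID cloudoptics stated above, and provides a check that a trust policy read back from your account still restricts sts:AssumeRole to that single principal with that external ID.

```python
import json

# Values stated in this guide for the CloudOptics side of the trust relationship.
CLOUDOPTICS_ACCOUNT_ID = "673199402158"
CLOUDOPTICS_EXTERNAL_ID = "cloudoptics"


def build_trust_policy(trusted_account: str, external_id: str) -> dict:
    """Assumed shape of the CloudOpticsRole trust policy (the guide shows it only as a
    screenshot): the CloudOptics account may assume the role, but only when it also
    presents the agreed external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_is_scoped(policy: dict, trusted_account: str, external_id: str) -> bool:
    """True only if at least one Allow statement grants sts:AssumeRole, and every such
    statement names the expected account as the sole AWS principal and requires the
    expected sts:ExternalId. Anything broader (Principal "*", another account, a
    missing external ID) fails the check."""
    expected_principals = {f"arn:aws:iam::{trusted_account}:root", trusted_account}
    found = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            return False  # "*" or missing: any AWS account could assume the role
        aws_principals = _as_list(principal.get("AWS"))
        if not aws_principals or any(p not in expected_principals for p in aws_principals):
            return False
        condition = stmt.get("Condition") or {}
        if condition.get("StringEquals", {}).get("sts:ExternalId") != external_id:
            return False
        found = True
    return found


def trust_policy_json(trusted_account: str, external_id: str) -> str:
    """The document as it would be pasted into the role's trust relationship editor."""
    return json.dumps(build_trust_policy(trusted_account, external_id), indent=4)


if __name__ == "__main__":
    doc = build_trust_policy(CLOUDOPTICS_ACCOUNT_ID, CLOUDOPTICS_EXTERNAL_ID)
    print(trust_policy_json(CLOUDOPTICS_ACCOUNT_ID, CLOUDOPTICS_EXTERNAL_ID))
    print("scoped:", trust_policy_is_scoped(doc, CLOUDOPTICS_ACCOUNT_ID, CLOUDOPTICS_EXTERNAL_ID))
```

The check is deliberately strict: a trust policy that also admits a second account, or that drops the sts:ExternalId condition, is reported as not scoped, which is the change to look for when reviewing the role later. With boto3 the same document can be passed as `AssumeRolePolicyDocument=json.dumps(doc)` to `create_role`; that call is standard boto3, not something specific to CloudOptics.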

Please follow the further instructions below for CNAPP

  1. Download co_kms_key_policy.json from link.

  2. Create a KMS key in the region of your workloads as per the image

    • KMS Key Alias : CloudOptics-KMS-Key
    • Key Administrator : CloudOpticsRole
    • AWS Account to be added : 673199402158
_images/cwpp_key_5.png

  3. Edit the KMS Key policy as per the image and insert the co_kms_key_policy.json contents there
_images/cwpp_key_6.png

Prepare AWS Account Billing for Onboarding

Please follow the instructions to prepare your AWS account billing for onboarding into the product.

  1. Sign in to the AWS Console & create an S3 bucket to export billing data

  2. Please navigate to the AWS Billing dashboard and click on create report
_images/aws_billing_1.png

  3. Provide the bill report name & select Resource Id
_images/aws_billing_2.png

  4. Configure the S3 target bucket for report delivery and select the rest of the options as shown below.

_images/aws_billing_3.png

  5. Go to the IAM section and create a policy named “CostExplorerAPI” with the following document

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ce:*",
                "cur:DescribeReportDefinitions"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

  6. Go to the “CloudOptics” user and attach the “CostExplorerAPI” policy to the user.
_images/aws_billing_4.png
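The CostExplorerAPI policy above grants `ce:*`, which covers every Cost Explorer action rather than only the read calls a billing export needs. The following is an added example, not CloudOptics' own policy or code: it keeps the page's policy as given, places a narrower read-only variant beside it, and provides two small checks that a reviewer can run over any IAM policy document, one that lists service-wide wildcards and one that tells whether a specific action would be allowed. The narrower variant is an assumption; whether CloudOptics needs any Cost Explorer action outside `ce:Get*`, `ce:Describe*` and `ce:List*` should be confirmed with the vendor before it is used.

```python
from fnmatch import fnmatchcase

# The CostExplorerAPI policy exactly as given in this guide.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ce:*", "cur:DescribeReportDefinitions"],
         "Resource": ["*"]}
    ],
}

# Assumed narrower variant: only the read verbs of Cost Explorer. Confirm with the
# vendor that the product needs nothing beyond these before adopting it.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ce:Get*", "ce:Describe*", "ce:List*", "cur:DescribeReportDefinitions"],
         "Resource": ["*"]}
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_action_patterns(policy: dict) -> list:
    """Every action pattern granted by an Allow statement, in document order.
    Deny statements and resource/condition scoping are ignored by this simple reviewer."""
    patterns = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            patterns.extend(_as_list(stmt.get("Action", [])))
    return patterns


def service_wide_wildcards(policy: dict) -> list:
    """Patterns that grant every action of a service ("svc:*") or of all services ("*")."""
    return [p for p in allowed_action_patterns(policy) if p == "*" or p.endswith(":*")]


def action_allowed(policy: dict, action: str) -> bool:
    """Does any Allow pattern match this action? IAM action names are matched
    case-insensitively, so both sides are lower-cased before glob matching."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in allowed_action_patterns(policy))


if __name__ == "__main__":
    for name, policy in (("page policy", PAGE_POLICY), ("read-only variant", READ_ONLY_POLICY)):
        print(name, "wildcards:", service_wide_wildcards(policy))
        print("  GetCostAndUsage allowed:", action_allowed(policy, "ce:GetCostAndUsage"))
        print("  UpdateCostCategoryDefinition allowed:",
              action_allowed(policy, "ce:UpdateCostCategoryDefinition"))
```

The difference shows up on a write action such as `ce:UpdateCostCategoryDefinition`: the page's policy allows it through `ce:*`, the read-only variant does not, while the read call `ce:GetCostAndUsage` that a billing integration actually needs is allowed by both.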

Prepare Azure Account for Onboarding

Please follow the instructions to prepare your Azure account for onboarding into the product.

  1. Sign in to the https://portal.azure.com/ console & click as directed in the screen below
_images/Azure_app_reg1.png

  2. Register a new application, with the following information
    • Display Name - CloudOptics
    • Home Page - Intended login URL for CloudOptics

Once created, copy the Application Id value into a notepad as “Client Id”

_images/Azure_app_reg2.png

  3. Click on “Settings” then further on “Keys” as per the screen below
_images/Azure_app_reg3.png

  4. Create a new key with name “CloudOptics Key”, expiry date as “Never Expires” and hit save. Once saved, the value field will be shown. Please copy the value field into a notepad as “Azure Secret Key”

Warning

This value will not be shown again. So it is important to make a note of it.

_images/Azure_app_reg4.png

  5. Go back to the portal home, follow the sequence as directed below and copy the Directory ID as “Tenant Id”
_images/Azure_app_reg5.png

  6. From the portal, find the “Subscription ID”
_images/Azure_app_reg6.png

  7. You should now have 4 values in your notes. These values will be used in CloudOptics to onboard this Azure account

    • Client ID
    • Secret Key
    • Tenant Id
    • Subscription Id

  8. Go to the relevant Azure subscription, open Access Control (IAM) and click “Add”
_images/Azure_subs2.png

  9. Add the permissions of a “Reader” role to the “CloudOptics” Application
_images/Azure_subs1.png

Your Azure Account is now ready to be added in CloudOptics

Prepare Google Cloud Account for Onboarding

Please follow the instructions to prepare your Google Cloud Account for onboarding into the product.

  1. Sign in to the https://console.cloud.google.com console & select the project you want to onboard
  2. Start by creating a custom ‘Viewer’ role for CloudOptics. This role will be created from the Google default role ‘Viewer’
_images/gcp_create_role_1.png
  3. Search for and add the following permissions to the role

    • storage.buckets.get
    • storage.buckets.getIamPolicy
    • storage.buckets.list
    • storage.objects.getIamPolicy
    • storage.objects.list

    Verify the permissions as per the screen below.

_images/gcp_create_role_2.png

  4. Create a Service Account for the project
_images/gcp_create_acc_1.png

  5. Add the custom role created in step #2 above to the service account
_images/gcp_create_acc_2.png

  6. Create a JSON key for the service account and save it on your local computer.
_images/gcp_create_acc_3.png
_images/gcp_create_acc_4.png

Warning

This JSON will not be shown again. So it is important to save it.

  7. Navigate to the API & Access area of the dashboard for the project
_images/gcp_api_enable_1.png
_images/gcp_api_enable_2.png

  8. Enable the Compute API & verify access as per the screenshot below
_images/gcp_compute_api_enable_verif.png

  9. Enable the IAM API & verify access as per the screenshot below
_images/gcp_iam_enable_api_verif.png

  10. Enable the KMS API & verify access as per the screenshot below
_images/gcp_kms_enable_api_verif.png

  11. Enable the Resource Manager API & verify access as per the screenshot below
_images/gcp_resmgr_enable_verify.png

  12. Enable the Storage API & verify access as per the screenshot below
_images/gcp_storage_enable_api_verif.png

Your Google Cloud Account is now ready to be added in CloudOptics

Prepare OpenStack Account for Onboarding

Please follow the instructions to prepare your OpenStack account for onboarding into the product.

Add Cloud Accounts to CloudOptics

Before onboarding, cloud accounts need to be prepared for CloudOptics. If you have not prepared your AWS/Azure accounts yet, please come back after making those changes.

After preparing the target cloud accounts, login to https://app.cloudoptics.io/#/login as Administrator

Adding an AWS Account

  1. Click on + “Create Account” under “Security Monitoring”, select “AWS” from account type and provide requested information
_images/co_aws_create_account.png

Adding an Azure Account

  1. Click on + “Create Account” under “Security Monitoring”, select “Azure” from account type and provide requested information
_images/co_azure_create_account.png

Adding Google Cloud Account

  1. Click on + “Create Account” under “Security Monitoring”, select “Azure” from account type and provide requested information
_images/co_gcp_create_account.png

Advisory Assessment

Using CloudOptics, you can run one-time assessments for your cloud account. Various assessment options, such as Security, Cost and Compliance assessments, are available.

At high level following steps need to be followed -

  1. Place an order
  2. Add a cloud account to order
  3. Download Sample Report (Optional)
  4. Pay for the assessment
  5. Download Report(s)

Placing An Assessment Order

  1. Open the order dialog box by clicking on the + icon in the “Advisory Assessment” product selection
_images/aa_1.png
  2. Complete the order wizard by entering the estimated number of VMs and selecting assessment options
_images/aa_2.png
  3. You should receive an email indicating successful order placement within 10 minutes.

Adding Cloud Account To Order

1. On the newly placed order, click on + icon to add cloud account. Account preparation instructions link is there in the popup.

_images/aa_3.png

2. As soon as account is added, assessment begins and an email notification is issued indicating successful addition to assessment order.

Download Sample Report

On completion of assessment, an email notification is sent. Most accounts finish assessments within 30 minutes. It may take longer depending on number of resources discovered in your account.

Using following button, all sample reports may be downloaded. Sample reports contain only a subset of assessment results and PSD exports are watermarked with text “Sample”.

_images/aa_4.png

Pay For Report

A completed order displays line items and prices based on the resources detected in the account. All major credit cards are accepted for payment. We use the Stripe payment system.

Download Report(s)

After payment, the order status changes to “Download Report” and all ordered assessment reports can be reviewed/downloaded by clicking the report icon.

_images/aa_5.png

Threat Intel Contextualization (AWS Only)

Using CloudOptics, you can be aware of virtual machines affected by the latest vulnerabilities as they become known. Users of CloudOptics need to subscribe to the threat intel feed and hunt for machines where those vulnerabilities might be present. CloudOptics does it for you, automatically.

This service is available only for AWS account right now.

Follow these steps to enable your AWS account for onboarding into this service.

Configure Systems Manager

Please follow these steps for each of the regions in use.

  1. Open the “Systems Manager” service and go to quick setup.
_images/ssm_1.png
  2. Choose the options as suggested in the guide below.

Warning

We recommend using tags to select assets, however if VMs are not tagged correctly then manual addition may be required.

_images/ssm_2.png

After enabling AWS account add this service to your account from subscription panel in CloudOptics.

Infra Vulnerability Assessment (AWS Only)

Using CloudOptics, you can scan each of your AWS virtual machines and create an actionable report. Users of CloudOptics need to order a suitable assessment to use this service.

This service is available only for AWS accounts right now.

This is a one-time activity. Follow these steps to enable your AWS account for onboarding into this service. These steps need to be repeated for each of the regions in use.

  1. Open the “Systems Manager” service and go to quick setup.
_images/ssm_1.png
  2. Choose the options as suggested in the guide below.

Warning

We recommend using tags to select assets; however, if VMs are not tagged correctly then manual addition may be required.

_images/ssm_2.png
  3. Go to CloudOpticsGroup and add the following permission to the group
  • AmazonInspectorFullAccess

After the addition, the group should look like below.

_images/ssm_3.png

After enabling AWS account go to Advisory Assessment panel in CloudOptics and order the scan.