AWS Deployment Guide

This guide provides detailed instructions and reference information for deploying the Cloud Connector with Amazon Web Services (AWS). It covers prerequisites, supported AWS resource types, important deployment considerations, and the AWS services leveraged during setup. Use this document as a comprehensive resource to ensure your environment is properly prepared and aligned with best practices for a secure and efficient deployment.

Prerequisites

Before you can use the Cloud Connector with AWS, ensure you have:

  • Active AWS account with administrative access
  • An IAM principal (user/role) with permissions to create and manage:
    • IAM roles and policies
    • CloudFormation stacks (if using a template-driven onboarding)
    • VPC Flow Logs configuration (recommended)
  • VPC Flow Logs enabled for the VPCs you want to monitor (recommended for traffic visibility)
  • AWS X-Ray enabled for workloads where tracing visibility is desired (optional)
  • Active Xshield account and access to the management portal

Supported AWS Resource Types

The Cloud Connector supports discovery and visibility for a set of AWS resource types. Support may vary by release.

  • Amazon EC2
  • Amazon RDS
  • Amazon API Gateway
  • AWS Lambda
  • Amazon S3
  • Amazon DynamoDB

Note: Refer to AWS Resource Management for the current list of supported AWS resource types and how they are represented and managed in Xshield.

Important Considerations

  • Flow log dependency: Network traffic visualization requires VPC Flow Logs to be enabled and accessible.
  • X-Ray dependency: Application trace visibility requires AWS X-Ray to be enabled and accessible.
  • Costs: Enabling VPC Flow Logs and storing/exporting logs can incur AWS costs (CloudWatch Logs, S3, Kinesis/Firehose, and inter-region transfer depending on your setup).

VPC Flow Logs (S3 Bucket)

Xshield can use VPC Flow Logs to provide network traffic visibility. If you choose to publish flow logs to Amazon S3, complete the steps below.

Step 1: Create or select an S3 bucket for flow logs

  1. Open Amazon S3 in the AWS Console.
  2. Create a new bucket (recommended) or select an existing bucket.
  3. Use an S3 bucket in the same AWS account and region where possible to reduce complexity and costs.

Step 2: Enable VPC Flow Logs and deliver to S3

  1. Open VPC in the AWS Console.
  2. Select Your VPCs.
  3. Select the VPC you want to monitor.
  4. Open the Flow logs tab.
  5. Click Create flow log.
  6. Configure the flow log:
    • Filter: choose All (recommended) or Reject depending on your requirements.
    • Destination: select Send to an Amazon S3 bucket.
    • S3 bucket ARN: select or paste the ARN of your bucket (for example, arn:aws:s3:::my-flowlogs-bucket).
    • Log format: keep the default unless you have a specific format requirement.
  7. Click Create flow log.

Step 3: Confirm log delivery

  1. After the flow log is created, wait a few minutes for delivery to start.
  2. In S3, confirm that new objects are being written under the prefix used by VPC Flow Logs.
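As an added example (not part of this guide or of Xshield), the following Python parses records in the default VPC Flow Logs format kept in Step 2, so you can inspect what actually landed in the bucket in Step 3 and see how the All versus Reject filter choice shapes the data; the account id, interface ids and addresses are constructed sample values.

```python
"""Parse VPC Flow Log records in the default (version 2) format, as delivered
to S3, and summarise bytes per interface and action. The sample records are
constructed for this example (placeholder account and interface ids)."""
from collections import Counter, defaultdict

# Field order of the default VPC Flow Logs format (version 2).
DEFAULT_FIELDS = ("version account-id interface-id srcaddr dstaddr srcport "
                  "dstport protocol packets bytes start end action log-status").split()


def parse_record(line: str) -> dict:
    """Split one space-separated record into a dict keyed by field name.
    NODATA/SKIPDATA records carry '-' for traffic fields; those become None."""
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS):
        raise ValueError(f"expected {len(DEFAULT_FIELDS)} fields, got {len(parts)}")
    rec = {k: (None if v == "-" else v) for k, v in zip(DEFAULT_FIELDS, parts)}
    for numeric in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        if rec[numeric] is not None:
            rec[numeric] = int(rec[numeric])
    return rec


def summarise(lines) -> dict:
    """Per-interface bytes by ACCEPT/REJECT, plus a count of each log-status.
    A flow log created with the Reject filter (Step 2) yields only REJECT keys."""
    per_eni = defaultdict(Counter)
    status = Counter()
    for line in lines:
        rec = parse_record(line)
        status[rec["log-status"]] += 1
        if rec["action"] is not None:           # skip NODATA / SKIPDATA records
            per_eni[rec["interface-id"]][rec["action"]] += rec["bytes"]
    return {"per_interface": {eni: dict(c) for eni, c in per_eni.items()},
            "log_status": dict(status)}


# Constructed sample records (placeholder account id 123456789012).
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.10 10.0.2.20 49152 443 6 12 3456 "
    "1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.10 55000 22 6 1 60 "
    "1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60002 - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    print(summarise(SAMPLE_LINES))
```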

Notes

  • The VPC Flow Logs service must be able to write to the bucket. If your bucket policy is restrictive (or you enforce encryption with a customer-managed KMS key), ensure your configuration allows VPC Flow Logs delivery.
  • If you use the Read-Only with Storage Access onboarding template, the IAM role includes S3 permissions such as s3:ListBucket and s3:GetObject, which are required to read flow log objects.
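The bucket policy that AWS documents for flow log delivery, generated and checked by added example code (not from this guide or Xshield); the bucket name, account id and region are placeholders. The checker also flags a policy that omits the aws:SourceAccount pin, which AWS includes so that only flow logs from your own account can be delivered into the bucket.

```python
"""Build the S3 bucket policy that lets the VPC Flow Logs delivery service write
to a bucket, and check an existing policy for the same grants (placeholder values)."""
import copy

DELIVERY_SERVICE = "delivery.logs.amazonaws.com"
def as_list(v): return v if isinstance(v, list) else [v]


def flow_log_delivery_policy(bucket: str, account_id: str, region: str) -> dict:
    """Return the two statements AWS documents for flow log delivery to S3.
    aws:SourceAccount / aws:SourceArn pin the grant to your own account's flow logs."""
    pin = {"StringEquals": {"aws:SourceAccount": account_id},
           "ArnLike": {"aws:SourceArn": f"arn:aws:logs:{region}:{account_id}:*"}}
    write_cond = copy.deepcopy(pin)
    # Delivered objects must be owned by the bucket owner, not the delivery service.
    write_cond["StringEquals"]["s3:x-amz-acl"] = "bucket-owner-full-control"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
         "Principal": {"Service": DELIVERY_SERVICE}, "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
         "Condition": write_cond},
        {"Sid": "AWSLogDeliveryAclCheck", "Effect": "Allow",
         "Principal": {"Service": DELIVERY_SERVICE},
         "Action": ["s3:GetBucketAcl", "s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{bucket}", "Condition": pin}]}


def delivery_policy_problems(policy: dict, bucket: str, account_id: str) -> list:
    """Explain why delivery to `bucket` would fail, or why the grant is too broad."""
    problems, put_ok, acl_ok = [], False, False
    for st in policy.get("Statement", []):
        principal = st.get("Principal") if isinstance(st.get("Principal"), dict) else {}
        if st.get("Effect") != "Allow" or DELIVERY_SERVICE not in as_list(principal.get("Service", [])):
            continue
        actions = as_list(st.get("Action", []))
        equals = st.get("Condition", {}).get("StringEquals", {})
        resources = " ".join(as_list(st.get("Resource", "")))
        if "s3:PutObject" in actions and f"arn:aws:s3:::{bucket}/" in resources:
            put_ok = True
            if equals.get("s3:x-amz-acl") != "bucket-owner-full-control":
                problems.append("PutObject grant lacks s3:x-amz-acl=bucket-owner-full-control")
            if equals.get("aws:SourceAccount") != account_id:
                problems.append("PutObject grant is not pinned to aws:SourceAccount")
        if "s3:GetBucketAcl" in actions and f"arn:aws:s3:::{bucket}" in resources:
            acl_ok = True
    if not put_ok:
        problems.append("no s3:PutObject grant to the log delivery service for this bucket")
    if not acl_ok:
        problems.append("no s3:GetBucketAcl grant to the log delivery service")
    return problems
```

If the bucket enforces a customer-managed KMS key, the key policy must separately allow the same service principal to use the key; this check covers only the bucket policy.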

AWS Services Used

The Cloud Connector integrates with AWS using these services (depending on the features enabled):

  • AWS IAM: For authentication and authorization using roles and policies
  • Amazon VPC: For discovery of networking constructs and workload placement
  • VPC Flow Logs: For traffic flow visibility and analytics
  • AWS X-Ray: For application trace visibility (optional). See AWS X-Ray Enablement Guide.
  • AWS CloudFormation: To simplify permission and resource setup when using templates (if applicable)

IAM Role Permissions

The AWS onboarding process creates an IAM role in your AWS account that Xshield uses for discovery and (optionally) management actions. The exact permissions depend on the template variant you use.

For the Read-Only with Storage Access template, the policy includes the following permissions:

  • S3 (bucket metadata + object read)

    • s3:ListAllMyBuckets
    • s3:GetBucketLocation
    • s3:GetBucketAcl
    • s3:GetBucketPolicy
    • s3:GetBucketVersioning
    • s3:GetBucketPublicAccessBlock
    • s3:GetBucketNotification
    • s3:GetBucketTagging
    • s3:ListBucket
    • s3:GetObject
  • Lambda

    • lambda:ListFunctions
    • lambda:GetFunction
    • lambda:GetFunctionConfiguration
    • lambda:GetPolicy
    • lambda:ListTags
    • lambda:ListEventSourceMappings
  • DynamoDB

    • dynamodb:ListTables
    • dynamodb:DescribeTable
    • dynamodb:ListTagsOfResource
  • EC2 / VPC (discovery)

    • ec2:DescribeInstances
    • ec2:DescribeTags
    • ec2:DescribeSecurityGroups
    • ec2:DescribeNetworkAcls
    • ec2:DescribeSubnets
    • ec2:DescribeVpcs
    • ec2:DescribeVolumes
    • ec2:DescribeSnapshots
    • ec2:DescribeAddresses
    • ec2:DescribeNetworkInterfaces
    • ec2:DescribeRegions
    • ec2:DescribeAvailabilityZones
    • ec2:DescribeFlowLogs
    • ec2:DescribeNatGateways
    • ec2:DescribeInternetGateways
    • ec2:DescribeTransitGateways
    • ec2:DescribeVpcEndpoints
    • ec2:DescribeVpcEndpointServices
  • RDS

    • rds:DescribeDBInstances
    • rds:DescribeDBClusters
    • rds:DescribeDBClusterEndpoints
    • rds:DescribeDBSecurityGroups
    • rds:DescribeDBSubnetGroups
    • rds:DescribeDBParameterGroups
    • rds:ListTagsForResource
  • Elastic Load Balancing

    • elasticloadbalancing:DescribeLoadBalancers
    • elasticloadbalancing:DescribeTags
    • elasticloadbalancing:DescribeTargetGroups
    • elasticloadbalancing:DescribeListeners
    • elasticloadbalancing:DescribeTargetHealth
  • API Gateway

    • apigateway:GET
  • Managed Prefix Lists

    • ec2:DescribeManagedPrefixLists
    • ec2:GetManagedPrefixListEntries
  • X-Ray (read-only)

    • xray:GetRetrievedTracesGraph
    • xray:GetGroups
    • xray:GetSamplingStatisticSummaries
    • xray:CancelTraceRetrieval
    • xray:GetTraceGraph
    • xray:GetServiceGraph
    • xray:GetInsightImpactGraph
    • xray:GetTraceSegmentDestination
    • xray:GetInsightSummaries
    • xray:GetSamplingTargets
    • xray:GetGroup
    • xray:BatchGetTraceSummaryById
    • xray:StartTraceRetrieval
    • xray:GetTimeSeriesServiceStatistics
    • xray:GetEncryptionConfig
    • xray:GetSamplingRules
    • xray:GetInsight
    • xray:GetDistinctTraceGraphs
    • xray:GetInsightEvents
    • xray:GetTraceSummaries
    • xray:GetIndexingRules
    • xray:BatchGetTraces
    • xray:ListResourcePolicies
    • xray:ListRetrievedTraces
    • xray:ListTagsForResource

Getting Started

To begin using the Cloud Connector with your AWS environment: