Cisco Edge security solution with AWS Control Tower Account Factory customizations
Many AWS and Cisco customers use multiple accounts to isolate resources and workloads across their AWS environment. Using multiple accounts helps customers meet regulatory and compliance needs, track operational costs, and add an extra layer of security. AWS Control Tower uses AWS best practices to establish a well-architected, multi-account baseline across your AWS accounts. For more information about managing multi-account AWS environments with AWS Control Tower, see Getting Started with AWS Control Tower. With Account Factory Customization for AWS Control Tower, you can customize your AWS account during account provisioning natively in AWS Control Tower. You can enroll and update accounts that are managed by AWS Control Tower as well as those that are not. You can customize your AWS account provisioning according to the requirements of your organization with your own or a predefined customer or partner blueprint that is available in the AWS Service Catalog Getting Started Library.
Cisco Systems, Inc. is a member of the AWS Partner Network (APN) and offers multiple solutions available in AWS Marketplace, including Cisco Secure Firewall Threat Defense Virtual. Cisco Secure Firewall Threat Defense Virtual delivers consistent security, deep visibility, and advanced threat defense options to help customers maintain business continuity amidst unpredictable threats and change.
In this post, Shiva, Muffadal, and I show you how to use the Cisco Edge Security Blueprint for AWS Control Tower Account Factory Customization. Using this solution, you can provision customized AWS accounts in AWS Control Tower that are enabled for network security inspection use cases with Cisco Secure Firewall Threat Defense Virtual (FTDv). The solution uses Account Factory Customization for AWS Control Tower to deploy blueprints in a hub-and-spoke architecture to achieve unified inspection across ingress, egress, and east-west traffic flows. Cisco cloud-delivered Firewall Management Center (cdFMC), a SaaS offering, manages the Cisco firewall instances. cdFMC is configured to send supported Cisco FTDv events as incidents to Cisco SecureX. The solution is further enhanced by the Cisco Secure Dynamic Attributes Connector, which automatically creates dynamic objects in cdFMC based on AWS tags. These objects can be used to build a dynamic policy that stays up to date with the changes in your elastic cloud environment.
You must complete the following prerequisites before implementing the Cisco Edge Security Solution with AWS Control Tower Account Factory customizations:
- Create a Cisco SecureX account. On the SecureX landing page, select the Cisco Defense Orchestrator (CDO) Region in which to provision a CDO tenant, and then select Request CDO Trial.
- Once the CDO tenant is spun up, select the cdFMC trial button. It can take up to 24 hours to provision your cdFMC tenant.
- Subscribe to the Cisco Secure Firewall Threat Defense Virtual license in AWS Marketplace. From the AWS Control Tower console in the management account:
  - Navigate to AWS License Manager. If not done already, grant AWS License Manager permissions to manage licenses used by AWS resources.
  - Select Settings. Link AWS License Manager with AWS Organizations.
  - Navigate to AWS Marketplace. Select Settings and then select AWS Organizations Integration. Enable both check boxes under Enable AWS Marketplace in your organization.
  - Select Configure Integration in the AWS Billing Integration panel. Enable the check box under Enable AWS Marketplace for your billing.
  - Select Discover products. Search for Cisco Secure Firewall Threat Defense Virtual – PAYG. Select Continue to Subscribe and Accept Terms.
  - Navigate to AWS License Manager. Select Granted Licenses. Select My Licenses and then select the license ID corresponding to Cisco Secure Firewall Threat Defense Virtual – PAYG. Under the Grants tab, select Create grant. Enter the AWS organization ID of the management account and give the grant a name. Select Create grant. From the Grants tab, select the grant you just created and select Activate.
- Add the Cisco Edge Security Solution with AWS Control Tower Account Factory customizations blueprints to an AWS Service Catalog portfolio. From the AWS Control Tower console in the management account:
  - Navigate to AWS Service Catalog. Select Portfolios and then Create portfolio.
  - Enter the portfolio details and select Create.
  - Select Getting started library. Search for Cisco Edge Security Firewall – Inspection. Select Add to portfolio and choose the portfolio you created in the previous step.
  - Search for Cisco Edge Security – Workload. Select Add to portfolio and choose the same portfolio.
- Enable AWS Resource Access Manager (RAM) as a trusted service in AWS Organizations so that it can retrieve information about the accounts, root, OUs, and policies of your organization. From the AWS Organizations console in the management account:
  - Select Services.
  - Under Integrated services, select RAM and enable trusted access.
- Enable sharing with AWS Organizations in AWS Resource Access Manager. From the AWS Resource Access Manager console in the management account:
  - Select Settings. Select the check box next to Enable sharing with AWS Organizations.
Cisco Edge Security Solution with AWS Control Tower Account Factory customizations enables you to automatically protect existing and newly enrolled accounts through a series of automated actions. These actions are triggered by AWS Control Tower lifecycle events. The lifecycle events trigger Lambda functions that deploy the solution blueprints across AWS accounts and Regions.
The solution is composed of two blueprints.
- Hub blueprint: The hub blueprint deploys the AWS Transit Gateway stack, the centralized east-west inspection stack, and the centralized ingress/egress inspection stack.
  - AWS Transit Gateway stack: This stack creates a transit gateway with transit gateway route tables for egress, spoke, and east-west traffic. It also creates Lambda automation that associates and propagates the attachments to the appropriate transit gateway route tables.
  - East-west inspection stack: This stack creates a VPC with a Gateway Load Balancer (GWLB) and a fleet of Cisco Secure Firewall Threat Defense Virtual instances for inspecting traffic between spoke VPCs.
  - Ingress/egress inspection stack: This stack creates a VPC with a GWLB, Network Address Translation (NAT) gateways, and a fleet of Cisco Secure Firewall Threat Defense Virtual instances for inspecting egress internet traffic as well as ingress traffic (into a spoke VPC).
- Spoke blueprint: The spoke blueprint deploys the spoke VPC environment where the application workload resides. This includes subnets, routing configuration, transit gateway attachments, and GWLB endpoints for ingress inspection.
The hub blueprint is deployed first, followed by one or more spoke blueprints. Setup and configuration of all components, including routing tables, default security policies, and management and monitoring, is automated, which significantly accelerates deployment and decreases complexity.
The following architecture diagram illustrates the components of Cisco Edge Security Solution with AWS Control Tower Account Factory customizations. These components can be broken down into:
- Management account: This is the account that you created specifically for managing your landing zone. This account is used for billing for everything in your landing zone. It is also used for Account Factory provisioning of accounts, as well as to manage organizational units and controls.
- AWS Service Catalog hub account: This is the account that you created for creating blueprints for AWS Service Catalog products that you want to provision as part of Account Factory customizations.
- Network hub account: This is the account that you created for deploying network services and features. The network account manages the gateways and hosts perimeter network security controls between your application and the broader internet.
- Spoke account(s): This is the account that you created for workloads. A workload is a collection of resources and code that delivers business value, such as a customer-facing application or a backend process.
The custom account provisioning workflow for AWS Control Tower Account Factory customizations is as follows:
- A user makes a new AWS custom account creation request to AWS Control Tower in the management account.
- Upon this request, the AWS Control Tower lifecycle instantiates the blueprint that creates hub-and-spoke products in the AWS Service Catalog hub account and shares the product portfolio across the organization.
- Account Factory customizations first provisions the hub product in the network hub account, using AWS CloudFormation.
- Next, Account Factory customizations provisions the spoke product in one or more spoke accounts using AWS CloudFormation. This solution uses AWS Resource Access Manager to share resources across accounts. Refer to the following diagram.
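The lifecycle-event-driven provisioning described above (a Control Tower lifecycle event triggering Lambda automation, with the hub deployed before any spoke) is illustrated by the following added example; it is not the solution's own Lambda code. It assumes two OU names (Infrastructure for the network hub, Workloads-prefixed OUs for spokes) and reads the CreateManagedAccount and UpdateManagedAccount event shape that AWS Control Tower publishes to Amazon EventBridge, returning only a provisioning decision rather than calling AWS APIs.

```python
"""Decide which blueprint an AWS Control Tower lifecycle event should trigger.
Added example, not the solution's own Lambda; OU names are assumptions."""
from typing import Optional

HUB_OU = "Infrastructure"      # assumption: OU holding the network hub account
SPOKE_OU_PREFIX = "Workloads"  # assumption: OUs holding spoke (workload) accounts
# Lifecycle event name -> key under serviceEventDetails carrying its status
STATUS_KEYS = {"CreateManagedAccount": "createManagedAccountStatus",
               "UpdateManagedAccount": "updateManagedAccountStatus"}


def plan_blueprint(event: dict, hub_ready: bool) -> Optional[dict]:
    """Return {"account_id", "ou", "blueprint"} when provisioning should run, or
    None for events to ignore: other sources or event names, non-SUCCEEDED state,
    malformed account IDs, ungoverned OUs, or a spoke arriving before the hub."""
    if event.get("source") != "aws.controltower":
        return None
    detail = event.get("detail", {})
    status_key = STATUS_KEYS.get(detail.get("eventName", ""))
    if status_key is None:
        return None
    status = detail.get("serviceEventDetails", {}).get(status_key, {})
    if status.get("state") != "SUCCEEDED":  # failed or in progress: nothing to do
        return None
    account_id = str(status.get("account", {}).get("accountId", ""))
    ou_name = status.get("organizationalUnit", {}).get("organizationalUnitName", "")
    if len(account_id) != 12 or not account_id.isdigit():
        return None
    if ou_name == HUB_OU:
        blueprint = "hub"
    elif ou_name.startswith(SPOKE_OU_PREFIX):
        if not hub_ready:  # spokes attach to hub resources, so the hub goes first
            return None
        blueprint = "spoke"
    else:
        return None
    return {"account_id": account_id, "ou": ou_name, "blueprint": blueprint}


def sample_event(event_name: str, ou_name: str, state: str = "SUCCEEDED") -> dict:
    """Constructed lifecycle event with placeholder IDs, for offline testing."""
    return {"source": "aws.controltower", "detail": {
        "eventName": event_name, "eventSource": "controltower.amazonaws.com",
        "serviceEventDetails": {STATUS_KEYS[event_name]: {
            "organizationalUnit": {"organizationalUnitName": ou_name,
                                   "organizationalUnitId": "ou-placeholder"},
            "account": {"accountName": "example", "accountId": "111122223333"},
            "state": state}}}}
```

In a real deployment the returned plan would drive the Service Catalog provisioning call for the hub or spoke product; keeping the decision logic separate from the API call is what makes the guard conditions testable.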
Solution walkthrough: Cisco Edge Security Solution with AWS Control Tower Account Factory customizations
Step 1: Deploying the solution
You can deploy the Cisco Edge Security Solution from your management account on the AWS Control Tower Custom Account Factory UI. Deploy the hub blueprint first, followed by one or more spoke blueprints.
To deploy a blueprint from AWS Account Factory customization, perform the following steps:
- On the AWS Control Tower console, select the Organization tab and then Create Account.
- Enter the correct information in the Account details, Network and Access Configuration, and Organizational Unit fields.
- Enter the Account ID of the account that contains the AWS Service Catalog blueprints and select the appropriate Cisco Edge Security Firewall blueprint.
- Enter the Blueprint Parameters required to launch the solution.
- Select the Deployment Regions as either the home Region or all governed Regions.
Step 2: Verifying your cdFMC tenant configuration
- Log in to your Cisco SecureX account.
- Under Tools & Services, select Firewall Management Center.
- Select your cdFMC tenant and choose Configuration.
- Under Policies and then Access Control, verify and optionally customize the pre-created EWAutoScaleACP and NSAutoScaleACP policies.
- Under Devices and then Device Management, verify and optionally customize the pre-created EWAutoscale and NSAutoScale device groups.
Step 3: Configuring the Cisco Secure Dynamic Attributes Connector
The Cisco Secure Dynamic Attributes Connector uses AWS tags to collect data (such as networks and IP addresses) from AWS. This information is sent to the cdFMC so it can be used in access control rules. To configure the Cisco Secure Dynamic Attributes Connector, do the following.
- Log in to your CDO tenant.
- Under Tools & Services, select Dynamic Attributes Connector. Then choose Adapters and add a Cloud-Delivered Firewall Management Center adapter.
- Choose Connectors and add your AWS Account (API Access).
- Under Dynamic Attributes Filters, define your Attributes filters. All the AWS tags will automatically be created under dynamic objects in your cdFMC.
- Under Objects, then Object Management, then External Attributes and then Dynamic Objects, confirm that the objects appear.
You can now add the dynamic objects to your Access Control Policy without needing to worry about the IP addresses.
Step 4: Investigating firewall security incidents in Cisco SecureX
At this point, you can generate and tag test traffic from workloads and validate that the correct security policy is dynamically enforced on the traffic based on the tag. You can also investigate any security findings using Cisco SecureX. For a detailed walkthrough of each of the ingress, egress, and east-west traffic flows, refer to the documentation.
In this blog post, Shiva, Muffadal, and I showed you how to protect your AWS workloads across multiple AWS accounts using the Cisco Edge Security Solution with AWS Control Tower Account Factory customizations. This solution automatically provisions new accounts with the resources required to protect, manage, and monitor your workloads for ingress, egress, and east-west inspection use cases. In doing so, you can accelerate implementation and improve the security posture of AWS environments that must comply with the needs of your organization.
About the authors
Pal is a Security Product Manager in the Cloud and Network Security Organization under Cisco's Security Business Group, responsible for the Cloud and Virtual Firewall portfolio. Pal is a seasoned security professional with 14 years of experience, strong customer-facing skills, and deep technical knowledge. Pal joined Cisco in 2016 and has worked in a variety of roles across CX and Engineering. Prior to joining Cisco, Pal worked with major service providers, focusing on mobile core network security.
Shiva Vaidyanathan is a Senior Cloud Infrastructure Architect at AWS. He provides technical guidance and design, and leads implementation projects for customers to ensure their success on AWS. He works towards making cloud networking secure and simple. Prior to joining AWS, he worked on several NSF-funded research initiatives on how to perform secure computing in public cloud infrastructures. He holds an MS in Computer Science from Rutgers University and an MS in Electrical Engineering from New York University.
Muffadal Quettawala is a Partner Solutions Architect at AWS. He helps technology ISV partners bring new solutions to market for the benefit of joint customers, thereby driving incremental and new revenue streams.