Security Orchestration with Symantec Cloud Workload Protection and AWS Systems Manager
By Constancio Fernandes, Sr. Director Development at Symantec
By Sameer Kumar Vasanthanpuram, Partner Solutions Architect at AWS
Have you ever heard of Jean-Baptiste Lully? He was one of the first documented orchestra conductors and the first musician to use a baton. His baton was a heavy, six-foot-long staff that he pounded on the ground in time to the music.
Unfortunately, this baton proved to be his demise as one day in a concert he accidentally struck the staff on his foot. Refusing treatment for the injury, he contracted gangrene and died two months later.
Fast forward to today and many DevOps engineers can recount stories about how challenging it is to orchestrate cloud workflows between teams. With application teams pushing out new code through Continuous Integration and Continuous Delivery (CI/CD) pipelines, it can be a daunting task to ensure all your applications are protected.
Amazon Web Services (AWS) provides tools like AWS Systems Manager that can help you automate operational actions and quickly view operational data for the resources used by these applications. Systems Manager is a set of services that gives you visibility and control of your infrastructure on AWS. It simplifies resource and application management and provides a user interface to view and act on operational data from multiple AWS services.
Specifically, the Systems Manager Agent (SSM Agent), which is Amazon software running on Amazon Elastic Compute Cloud (Amazon EC2) instances, allows you to automate tasks using remote commands or scripts. To make it even easier, Amazon has installed the SSM Agent by default in most Amazon Machine Images (AMIs).
At Symantec, an AWS Partner Network (APN) Advanced Technology Partner with the AWS Security Competency, we’re always looking for ways to help customers enjoy the full benefit of our products by making them easier to use. We did just that by integrating Amazon’s SSM Agent with our cloud-native Symantec Cloud Workload Protection (CWP) solution.
This latest integration streamlines deployment of the CWP agent on Amazon EC2 instances, taking the orchestration of code and security to a whole new level of simplicity. Customers can now deploy the CWP agent directly from the CWP console or just use a simple REST API call.
Cloud Workload Protection
CWP is a security solution available in AWS Marketplace that helps customers protect Amazon EC2 instances from malware, application exploits, and system changes that can result in security compromises.
CWP does this by using an AWS Identity and Access Management (IAM) role to gain visibility into all Amazon EC2 instances and then deploys an agent on those instances to identify applications, enforce policies, scan for malicious files, and secure Docker containers. The CWP agent supports anti-malware, intrusion detection and prevention (IDS/IPS), and file integrity monitoring (FIM).
CWP provides reporting capabilities along with a comprehensive visual topology of EC2 instances, ranking and highlighting them by security risk according to the Common Vulnerabilities and Exposures (CVEs) detected in your applications and infrastructure.
In Symantec’s latest release, CWP has an updated AWS CloudFormation template that uses the SSM Run Command to help customers install the CWP agent on their Amazon EC2 instances. Let’s see how CWP integrates with the SSM Agent and discuss how to get up and going with CWP.
SSM Agent Integration
As outlined in Figure 1, the first step is to create a cross-account IAM role for CWP. Do this by launching a CloudFormation template that creates an IAM cross-account role used to discover your Amazon EC2 instances in any AWS region. Once CWP identifies your instances, select the instances (or all of them) on which to deploy and install the CWP agent.
From there, CWP creates an Amazon Simple Storage Service (Amazon S3) bucket in your account and uploads the CWP agent to the bucket for distribution. CWP then creates another IAM role that checks whether your instances have the SSM Agent installed and an instance profile with the permissions the SSM service needs (the AmazonEC2RoleForSSM managed policy).
Some Linux instances do not have the SSM Agent installed by default. If this is the case, CWP will respond with a message indicating which instances don’t have the SSM Agent. You can follow the steps outlined in Manually Install SSM Agent on Amazon EC2 Linux Instances to install the SSM Agent for those instances.
Finally, CWP issues the SSM Run Command to download and install the CWP agent from the Amazon S3 bucket that was created earlier and creates an Amazon Simple Notification Service (Amazon SNS) topic to report back the status of the installation. CWP uses an AWS Lambda function to replicate the SNS topic to different regions so customers receive status updates on all Amazon EC2 instances, regardless of AWS region.
Figure 1 – CWP integration with SSM Agent.
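The readiness check and the Run Command step described above, as an added example that is not Symantec's or AWS's code: it works from constructed, trimmed copies of what `ec2:DescribeInstances` and `ssm:DescribeInstanceInformation` return, reports which instances cannot be targeted and why, and builds one `ssm:SendCommand` request per region for the `AWS-RunRemoteScript` document with status sent to a per-region SNS topic. The account ID, instance profile, bucket layout, topic name and notification role are assumptions.

```python
import json
# Constructed sample responses (trimmed): ec2:DescribeInstances and ssm:DescribeInstanceInformation.
PROFILE = "arn:aws:iam::111122223333:instance-profile/ssm-profile"  # placeholder account and profile
EC2_INSTANCES = [
    {"InstanceId": "i-0aaa", "Region": "us-east-1", "IamInstanceProfile": PROFILE},
    {"InstanceId": "i-0bbb", "Region": "us-east-1"},  # no instance profile attached
    {"InstanceId": "i-0ccc", "Region": "eu-west-1", "IamInstanceProfile": PROFILE},
    {"InstanceId": "i-0ddd", "Region": "eu-west-1", "IamInstanceProfile": PROFILE},
]
SSM_INVENTORY = [  # only instances whose SSM Agent has registered with the service appear here
    {"InstanceId": "i-0aaa", "PingStatus": "Online"},
    {"InstanceId": "i-0ccc", "PingStatus": "Online"},
    {"InstanceId": "i-0ddd", "PingStatus": "ConnectionLost"},
]

def plan_rollout(instances, ssm_info):
    """Split instances into SSM-ready targets and a per-instance reason why the rest are blocked."""
    ping = {i["InstanceId"]: i["PingStatus"] for i in ssm_info}
    ready, blocked = [], {}
    for inst in instances:
        iid = inst["InstanceId"]
        if "IamInstanceProfile" not in inst:
            blocked[iid] = "no instance profile: attach a role with AmazonEC2RoleForSSM"
        elif iid not in ping:
            blocked[iid] = "SSM Agent not registered: install it manually"
        elif ping[iid] != "Online":
            blocked[iid] = "SSM Agent " + ping[iid]
        else:
            ready.append(inst)
    return ready, blocked

def send_command_requests(ready, bucket, account, notify_role_arn):
    """One ssm:SendCommand request per region (SendCommand and its SNS topic are regional)."""
    by_region = {}
    for inst in ready:
        by_region.setdefault(inst["Region"], []).append(inst["InstanceId"])
    requests = {}
    for region, ids in by_region.items():
        requests[region] = {
            "DocumentName": "AWS-RunRemoteScript",
            "InstanceIds": ids,
            # Parameter names are those of the AWS-RunRemoteScript document; bucket layout is assumed.
            "Parameters": {"sourceType": ["S3"], "commandLine": ["bash install.sh"],
                           "sourceInfo": [json.dumps({"path": f"https://{bucket}.s3.amazonaws.com/cwp-agent/install.sh"})]},
            "ServiceRoleArn": notify_role_arn,  # role SSM assumes to publish status to the topic
            "NotificationConfig": {"NotificationArn": f"arn:aws:sns:{region}:{account}:cwp-install-status",
                                   "NotificationEvents": ["Success", "Failed", "TimedOut"], "NotificationType": "Invocation"},
        }
    return requests
```

Each request dict maps directly onto the keyword arguments of a real `send_command` call; the blocked dict is the per-instance message a practitioner wants before anything is pushed.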
Steps for Using CWP with the SSM Agent
Follow these four steps to use CWP with the SSM Agent. Note that the CWP agent requires secure Internet access for updates, and your Amazon EC2 instances need access to the S3 bucket in your account to download the CWP agent.
Step 1: Subscribe to Cloud Workload Protection (CWP)
CWP is available for download via AWS Marketplace. Key features of CWP include:
- Anti-malware scanning: Protect both Windows and Linux EC2 instances using industry-leading Symantec Endpoint Protection (SEP) anti-malware, reputation analysis, and exploit prevention.
- Host-based IPS: Operating system and application hardening, as well as network and application monitoring for system processes and protection against zero-day attacks.
- Container security: Discover and gain insight into container activities, security posture, and status across your public and hybrid cloud environments.
Step 2: Create an IAM cross-account role
As part of your subscription to CWP, you’ll receive an email with instructions on how to activate your Symantec account. Log in to CWP and use the AWS configuration wizard to create an IAM cross-account role, which Symantec uses to discover instances.
Figure 2 – AWS configuration wizard.
Step 3: Deploy the CWP agent
During the AWS configuration wizard, you can filter and select the instances on which to deploy the CWP agent.
Please note that the AWS configuration wizard also prompts you to reboot the instances after installing the CWP agent. Reboots are not required for anti-malware but are required for IDS/IPS and FIM. You can choose to reboot later.
Figure 3 – Select the instances on which to install the CWP agent.
Step 4: Review deployment progress
After you select the instances on which to install the CWP agent, the AWS configuration wizard posts the status of the installation.
Alternatively, you can download the CloudFormation template from the CWP console (Settings > AWS Connection > Select Connection > Download AWS CloudFormation Template) and adjust it to fit your needs. The template provisions the cross-account role with the permissions needed to deploy the agent automatically using the AWS-RunRemoteScript Run Command document.
Figure 4 – SSM Agent deployment status.
Once you’ve installed the CWP agent and rebooted your Amazon EC2 instances, you’re ready to go. By default, CWP will automatically scan for malware, but you can configure CWP to recognize software services (including OS, applications, and Docker containers) running on your Amazon EC2 instances and apply security policies.
These policies can be based on CWP recommendations or on attributes unique to your environment, such as Auto Scaling Groups, Amazon EC2 tags, image IDs, Virtual Private Cloud (VPC) IDs, subnet IDs, and more. For an overview of creating policies, refer to the Policy Group Recommendations Overview.
Because CWP automatically discovers software services and applies recommended policies to your Amazon EC2 instances, that is one less baton wave for you to remember as you coordinate security between application teams and orchestrate your CI/CD pipeline.
Like Jean-Baptiste Lully at the end of an exquisite orchestra performance, you’ll get a standing ovation by using CWP automatic security and AWS Systems Manager integration—while saving your foot in the process, of course.
Get started using CWP with an 89-day free trial or 20,000 hours, and then pay only for what you use. There are no contracts or long-term commitments and you can cancel anytime.
Here are some links to help answer questions you may have, as well as other products Symantec has in AWS Marketplace:
- Cloud Workload Protection website
- Quick Start Checklist for CWP
- Cloud Workload Protection for Storage
If you would like to see how Symantec can help further secure your workloads on AWS, please contact us.
Symantec – APN Partner Spotlight
Symantec is an APN Advanced Technology Partner with the AWS Security Competency. Symantec Cloud Workload Protection (CWP) automates core security controls for AWS workloads, enabling business agility, risk reduction, and cost savings for organizations, while easing DevOps and administrative burdens.