Cloud environment configuration wizard in Kaspersky Security Center Cloud Console

To configure Kaspersky Security Center Cloud Console using this wizard, you must have the following:

• Specific credentials for a cloud environment:
  • An IAM user account that has been granted the right to poll the cloud segment (for work with Amazon Web Services)
  • Azure Application ID, password, and subscription (for work with Microsoft Azure)
  • Google client email, Project ID, and private key (for work with Google Cloud)
• Installation packages:
  • Network Agent for Windows
  • Network Agent for Linux
  • Kaspersky Endpoint Security for Linux
• Web plug-in for Kaspersky Endpoint Security for Linux
• At least one of the following:
  • Installation package and web plug-in for Kaspersky Endpoint Security for Windows (recommended)
  • Installation package and web plug-in for Kaspersky Security for Windows Server

The Cloud environment configuration wizard starts automatically at the first connection to Kaspersky Security Center Cloud Console if your workspace was created by using the Kaspersky Hybrid Cloud Security license. You can also start the Cloud environment configuration wizard manually at any time.

To start the Cloud environment configuration wizard manually,

In the main menu, go to Discovery & deployment → Deployment & assignment → Configure cloud environment.

The wizard starts.

An average work session with this wizard lasts about 15 minutes.

Step 1. Checking the required plug-ins and installation packages

This step is not displayed if you have all of the required web plug-ins and installation packages listed below.

To configure a cloud environment, you must have the following components:

• Installation packages:
  • Network Agent for Windows
  • Network Agent for Linux
  • Kaspersky Endpoint Security for Linux
• Web plug-in for Kaspersky Endpoint Security for Linux
• At least one of the following:
  • Installation package and web plug-in for Kaspersky Endpoint Security for Windows (recommended)
  • Installation package and web plug-in for Kaspersky Security for Windows Server

    We recommend that you use Kaspersky Endpoint Security for Windows instead of Kaspersky Security for Windows Server.

Kaspersky Security Center Cloud Console automatically detects the components that you already have and lists only ones that are missing. Download the listed components by clicking the Select applications to download button, and then selecting the required plug-ins and installation packages. After you download a component, you can use the Refresh button to update the list of missing components.

Step 2. Selecting the application activation method

This step is displayed only if you used a license other than Kaspersky Hybrid Cloud Security during the workspace creation and never added a Kaspersky Hybrid Cloud Security license key to the activation field of Administration Server. In this case, you must activate Administration Server by using a Kaspersky Hybrid Cloud Security license.

Step 3. Selecting the cloud environment and authorization

Expand all | Collapse all

Specify the following settings:

• Cloud environment

  Select the cloud environment in which you are deploying Kaspersky Security Center Cloud Console: AWS, Azure, or Google Cloud.

  If you plan to work with more than one cloud environment, select one environment and then run the wizard again.

• Connection name

  Enter a name for the connection. The name cannot contain more than 256 characters. Only Unicode characters are permitted.

  This name will also be used as the name for the administration group for the cloud devices.

  If you plan to work with more than one cloud environment, you might want to include the name of the environment in the connection name, for example, "Azure Segment", "AWS Segment", or "Google Segment".

Enter your credentials to receive authorization in the cloud environment that you specified.

AWS

If you selected AWS as the cloud segment type, use an AWS IAM access key for further polling of the cloud segment. Enter the following key data:

• Access key ID

  The IAM access key ID is a sequence of alphanumeric characters. You received the key ID when you created the IAM user account.

  The field is available after you selected an AWS IAM access key for authorization.

• Secret key

  The secret key that you received with the access key ID when you created the IAM user account.

  The characters of the secret key are displayed as asterisks. After you begin entering the secret key, the Show button is displayed. Click and hold this button for the necessary amount of time to view the characters you entered.

  The field is available after you selected an AWS IAM access key for authorization.

  To see the characters that you entered, click and hold the Show button.

Azure

If you selected Azure as the cloud segment type, specify the following settings for the connection that will be used for further polling of the cloud segment:

• Azure Application ID

  You created this application ID on the Azure portal.

  You can provide only one Azure Application ID for polling and other purposes. If you want to poll another Azure segment, you must first delete the existing Azure connection.

• Azure Subscription ID

  You created the subscription on the Azure portal.

• Azure Application password

  You received the password of the Application ID when you created the Application ID.

  The characters of the password are displayed as asterisks. After you begin entering the password, the Show button becomes available. Click and hold this button to view the characters you entered.

  To see the characters that you entered, click and hold the Show button.

• Azure storage account name

  You created the name of the Azure storage account for working with Kaspersky Security Center Cloud Console.

• Azure storage access key

  You received a password (key) when you created Azure storage account for working with Kaspersky Security Center Cloud Console.

  The key is available in section "Overview of the Azure storage account", in subsection "Keys".

  To see the characters that you entered, click and hold the Show button.

Google Cloud

If you selected Google Cloud as the cloud segment type, specify the following settings for the connection that will be used for further polling the cloud segment:

• Client email address

  Client email is the email address that you used for registering your project at Google Cloud.

• Project ID

  Project ID is the ID that you received when you registered your project at Google Cloud.

• Private key

  Private key is the sequence of characters that you received as your private key when you registered your project at Google Cloud. You might want to copy and paste this sequence to avoid mistakes.

  To see the characters that you entered, click and hold the Show button.

The connection that you specified is saved in the application settings.

The Cloud environment configuration wizard enables you to specify only one segment. Later, you can specify more connections to manage other cloud segments.

Click Next to proceed.

Step 4. Segment polling and configuring synchronization with Cloud

At this step, cloud segment polling starts and a special administration group for cloud devices is automatically created. The devices found during polling are placed into this group. The cloud segment polling schedule is configured every five minutes by default (you can change this setting later).

A Synchronize with Cloud automatic moving rule is also created. For each subsequent scan of the cloud network, virtual devices that are detected will be moved to the corresponding subgroup within the Managed devices\Cloud group.

Define the Synchronize administration groups with cloud structure setting.

If this option is enabled, the Cloud group is automatically created within the Managed devices group and a cloud device discovery is started. The instances and virtual machines detected during each cloud network scan are placed into the Cloud group. The structure of the administration subgroups within this group matches the structure of your cloud segment (in AWS, availability zones and placement groups are not represented in the structure; in Azure, subnets are not represented in the structure). Devices that have not been identified as instances in the cloud environment are in the Unassigned devices group. This group structure enables you to use group installation tasks to install anti-virus applications on instances, as well as set up different policies for different groups.

If this option is disabled, the Cloud group is also created and the cloud device discovery is also started; however, subgroups matching the cloud segment structure are not created within the group. All detected instances are in the Cloud administration group so they are displayed in a single list. If your work with Kaspersky Security Center Cloud Console requires synchronization, you can modify the properties of the Synchronize with Cloud rule and enforce it. Enforcing this rule alters the structure of subgroups in the Cloud group so that it matches the structure of your cloud segment.

By default, this option is disabled.

Click Next to proceed.

Step 5. Selecting an application to create a policy and tasks for

This step is only displayed if you have installation packages and plug-ins for both Kaspersky Endpoint Security for Windows and Kaspersky Security for Windows Server. If you have a plug-in and an installation package for only one of those applications, this step is skipped and Kaspersky Security Center Cloud Console creates a policy and tasks for the existing application.

Select an application for which you want to create a policy and tasks:

• Kaspersky Endpoint Security for Windows
• Kaspersky Security for Windows Server

Step 6. Configuring Kaspersky Security Network for Kaspersky Security Center Cloud Console

Expand all | Collapse all

This step is skipped when running Kaspersky Security Center Cloud Console in trial mode or on a virtual Administration Server.

Specify the settings for relaying information about Kaspersky Security Center Cloud Console operations to the Kaspersky Security Network (KSN) knowledge base. Select one of the following options:

• I agree to use Kaspersky Security Network

  Kaspersky Security Center Cloud Console and managed applications installed on client devices will automatically transfer their operation details to Kaspersky Security Network. Participation in Kaspersky Security Network ensures faster updates of databases containing information about viruses and other threats, which ensures a faster response to emergent security threats.

• I do not agree to use Kaspersky Security Network

  Kaspersky Security Center Cloud Console and managed applications will provide no information to Kaspersky Security Network.

  If you select this option, the use of Kaspersky Security Network will be disabled.

Kaspersky recommends participation in Kaspersky Security Network.

KSN agreements for managed applications may also be displayed. If you agree to use Kaspersky Security Network, the managed application will send data to Kaspersky. If you do not agree to participate in Kaspersky Security Network, the managed application will not send data to Kaspersky. You can change this setting later in the application policy.

Click Next to proceed.

Step 7. Creating an initial configuration of protection

You can check a list of policies and tasks that are created.

Wait for the creation of policies and tasks to complete, and then click Next to proceed. On the last page of the wizard, click the Finish button to exit.