Contents
- Working with Kaspersky Security Center Cloud Console in a cloud environment
- Licensing options in a cloud environment
- Preparing for work in a cloud environment through Kaspersky Security Center Cloud Console
- Cloud environment configuration wizard in Kaspersky Security Center Cloud Console
- Step 1. Checking the required plug-ins and installation packages
- Step 2. Selecting the application activation method
- Step 3. Selecting the cloud environment and authorization
- Step 4. Segment polling and configuring synchronization with Cloud
- Step 5. Selecting an application to create a policy and tasks for
- Step 6. Configuring Kaspersky Security Network for Kaspersky Security Center Cloud Console
- Step 7. Creating an initial configuration of protection
- Network segment polling via Kaspersky Security Center Cloud Console
- Adding connections for cloud segment polling via Kaspersky Security Center Cloud Console
- Deleting a connection for cloud segment polling
- Configuring the polling schedule via Kaspersky Security Center Cloud Console
- Viewing the results of cloud segment polling via Kaspersky Security Center Cloud Console
- Viewing the properties of cloud devices via Kaspersky Security Center Cloud Console
- Synchronization with Cloud: Configuring the moving rule
- Remote installation of applications to the Azure virtual machines
Working with Kaspersky Security Center Cloud Console in a cloud environment
This section provides information about Kaspersky Security Center Cloud Console features related to the operation and maintenance of Kaspersky Security Center Cloud Console in cloud environments, such as Amazon Web Services, Microsoft Azure, or Google Cloud.
To work within a cloud environment, you need a special license. If you do not have such a license, the interface elements related to cloud devices are not operable.
Updates functionality (including providing anti-virus signature updates and codebase updates), as well as KSN functionality may not be available in the software in the U.S.
Licensing options in a cloud environment
Work in a cloud environment is possible both in trial mode and in commercial mode of Kaspersky Security Center Cloud Console:
- In trial mode, all cloud environment features are available within the entire validity period of your workspace. No license is required.
- In commercial mode, the cloud environment features are available only if a Kaspersky Hybrid Cloud Security license key has been added as active in the Administration Server properties.
In both cases, Vulnerability and patch management is automatically activated.
You may encounter an error when trying to activate the feature Support of the cloud environment using the license for Kaspersky Hybrid Cloud Security.
Page topPreparing for work in a cloud environment through Kaspersky Security Center Cloud Console
This section tells you how to prepare for working with Kaspersky Security Center Cloud Console in the following cloud environments:
- Amazon Web Services
- Microsoft Azure
- Google Cloud
Working in Amazon Web Services cloud environment
This section tells you how to prepare for working with Kaspersky Security Center Cloud Console in Amazon Web Services.
The addresses of web pages cited in this document are correct as of the Kaspersky Security Center Cloud Console release date.
About work in Amazon Web Services cloud environment
To work with the AWS platform and, in particular, to create instances, you need an Amazon Web Services account. You can create a free account at https://aws.amazon.com. You can also use an existing Amazon account.
To learn more about an AMI and how AWS Marketplace works, please visit the AWS Marketplace Help page. For more information about working with the AWS platform, using instances, and related concepts, please refer to the Amazon Web Services documentation.
The addresses of web pages cited in this document are correct as of the Kaspersky Security Center Cloud Console release date.
Page topCreating IAM user accounts for Amazon EC2 instances
This section describes the actions that must be performed to ensure correct operation of Kaspersky Security Center Cloud Console. These actions include work with the AWS Identity and Access Management (IAM) user accounts. Also described are the actions that must be taken on client devices to install Network Agent on them and then install Kaspersky Security for Windows Server and Kaspersky Endpoint Security for Linux.
Ensuring that Kaspersky Security Center Cloud Console has the permissions to work with AWS
To operate in the Amazon Web Services cloud environment using Kaspersky Security Center Cloud Console, you must create an IAM user account, that will be used by Kaspersky Security Center Cloud Console to work with AWS services. Before starting to work with the Administration Server, create an IAM user account with an AWS IAM access key (hereinafter also referred to as IAM access key).
Creation of an IAM user account requires the AWS Management Console. To work with the AWS Management Console, you will need a user name and password from an account in AWS.
Page topCreating an IAM user account for work with Kaspersky Security Center Cloud Console
An IAM user account is required for working with Kaspersky Security Center Cloud Console. You can create one IAM user account with all the necessary permissions, or you can create two separate user accounts.
An IAM access key that you will need to provide to Kaspersky Security Center Cloud Console during initial configuration is automatically created for the IAM user. An IAM access key consists of an access key ID and a secret key. For more details about the IAM service, please refer to the following AWS reference pages:
- https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html.
- https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UseCases.html#UseCase_EC2.
To create an IAM user account with the necessary permissions:
- Open the AWS Management Console and sign in under your account.
- In the list of AWS services, select IAM.
A window opens containing a list of user names and a menu that lets you work with the tool.
- Navigate through the areas of the console dealing with user accounts, and add a new user name or names.
- For the user(s) you add, specify the following AWS properties:
- Access type: Programmatic Access.
- Permissions boundary not set.
- Permission: ReadOnlyAccess.
After you add the permission, view it for accuracy. In case of a mistaken selection, go back to the previous screen and make the selection again.
- After you create the user account, a table appears containing the IAM access key of the new IAM user. The access key ID is displayed in the Access key ID column. The secret key is displayed as asterisks in the Secret access key column. To view the secret key, click Show.
The newly created account is displayed in the list of IAM user accounts that corresponds to your account in AWS.
The addresses of web pages cited in this document are correct as of the Kaspersky Security Center Cloud Console release date.
Page topWorking in Microsoft Azure cloud environment
This section provides information about Kaspersky Security Center Cloud Console operation and maintenance in a cloud environment provided by Microsoft Azure, as well as details of protection deployment on virtual machines in this cloud environment.
About work in Microsoft Azure
To work with the Microsoft Azure platform and, in particular, to purchase apps at the Azure Marketplace and create virtual machines, you will need an Azure subscription. Before starting to work with Microsoft Azure in Kaspersky Security Center Cloud Console, create an Azure Application ID with permissions required for installation of applications on virtual machines.
Page topCreating a subscription, Application ID, and password
To work with Kaspersky Security Center Cloud Console in the Microsoft Azure environment, you need an Azure subscription, Azure Application ID, and Azure Application password. You can use an existing subscription, if you already have one.
An Azure subscription grants its owner access to the Microsoft Azure Platform Management Portal and to Microsoft Azure services. The owner can use the Microsoft Azure Platform to manage services such as Azure SQL and Azure Storage.
To create a Microsoft Azure subscription,
Go to https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/create-subscription and follow the instructions there.
More information about creating a subscription is available on the Microsoft website. You will get a subscription ID, which you will later provide to Kaspersky Security Center Cloud Console together with Application ID and password.
To create and save Azure Application ID and password:
- Go to https://portal.azure.com and make sure that you are logged in.
- Following the instructions on the reference page, create your Application ID.
- Go to the Keys section of the application settings.
- In the Keys section, fill in the Description and Expires fields and leave the Value field empty.
- Click Save.
When you click Save, the system automatically fills the Value field with a long sequence of characters. This sequence is your Azure Application password (for example, yXyPOy6Tre9PYgP/j4XVyJCvepPHk2M/UYJ+QlfFvdU=). The description is displayed as you entered it.
- Copy the password and save it, so that you can later provide the Application ID and password to Kaspersky Security Center Cloud Console.
You can copy the password only when it has been created. Later, the password will no longer be displayed and you cannot restore it.
The addresses of web pages cited in this document are correct as of the Kaspersky Security Center Cloud Console release date.
Page topAssigning a role to the Azure Application ID
If you only want to detect virtual machines using device discovery, your Azure Application ID must have the Reader role. If you want not only to detect virtual machines, but also to deploy protection by means of the Azure API, your Azure Application ID must have the Virtual Machine Contributor role.
Follow the instructions on the Microsoft website to assign a role to your Azure Application ID.
Page topWorking in Google Cloud
This section provides information about work with Kaspersky Security Center Cloud Console in a cloud environment provided by Google.
You can use the Google API to work with Kaspersky Security Center Cloud Console in Google Cloud Platform. A Google account is required. Please refer to the Google documentation at https://cloud.google.com for more information.
You will need to create and provide Kaspersky Security Center Cloud Console with the following credentials:
Page topCloud environment configuration wizard in Kaspersky Security Center Cloud Console
To configure Kaspersky Security Center Cloud Console using this wizard, you must have the following:
- Specific credentials for a cloud environment:
- An IAM user account that has been granted the right to poll the cloud segment (for work with Amazon Web Services)
- Azure Application ID, password, and subscription (for work with Microsoft Azure)
- Google client email, Project ID, and private key (for work with Google Cloud)
- Installation packages:
- Network Agent for Windows
- Network Agent for Linux
- Kaspersky Endpoint Security for Linux
- Web plug-in for Kaspersky Endpoint Security for Linux
- At least one of the following:
- Installation package and web plug-in for Kaspersky Endpoint Security for Windows (recommended)
- Installation package and web plug-in for Kaspersky Security for Windows Server
The Cloud environment configuration wizard starts automatically at the first connection to Kaspersky Security Center Cloud Console if your workspace was created by using the Kaspersky Hybrid Cloud Security license. You can also start the Cloud environment configuration wizard manually at any time.
To start the Cloud environment configuration wizard manually,
In the main menu, go to Discovery & deployment → Deployment & assignment → Configure cloud environment.
The wizard starts.
An average work session with this wizard lasts about 15 minutes.
Step 1. Checking the required plug-ins and installation packages
This step is not displayed if you have all of the required web plug-ins and installation packages listed below.
To configure a cloud environment, you must have the following components:
- Installation packages:
- Network Agent for Windows
- Network Agent for Linux
- Kaspersky Endpoint Security for Linux
- Web plug-in for Kaspersky Endpoint Security for Linux
- At least one of the following:
- Installation package and web plug-in for Kaspersky Endpoint Security for Windows (recommended)
- Installation package and web plug-in for Kaspersky Security for Windows Server
We recommend that you use Kaspersky Endpoint Security for Windows instead of Kaspersky Security for Windows Server.
Kaspersky Security Center Cloud Console automatically detects the components that you already have and lists only ones that are missing. Download the listed components by clicking the Select applications to download button, and then selecting the required plug-ins and installation packages. After you download a component, you can use the Refresh button to update the list of missing components.
Step 2. Selecting the application activation method
This step is displayed only if you used a license other than Kaspersky Hybrid Cloud Security during the workspace creation and never added a Kaspersky Hybrid Cloud Security license key to the activation field of Administration Server. In this case, you must activate Administration Server by using a Kaspersky Hybrid Cloud Security license.
Step 3. Selecting the cloud environment and authorization
Specify the following settings:
Enter your credentials to receive authorization in the cloud environment that you specified.
AWS
If you selected AWS as the cloud segment type, use an AWS IAM access key for further polling of the cloud segment. Enter the following key data:
- Access key ID
- Secret key
To see the characters that you entered, click and hold the Show button.
Azure
If you selected Azure as the cloud segment type, specify the following settings for the connection that will be used for further polling of the cloud segment:
- Azure Application ID
- Azure Subscription ID
- Azure Application password
To see the characters that you entered, click and hold the Show button.
- Azure storage account name
- Azure storage access key
To see the characters that you entered, click and hold the Show button.
Google Cloud
If you selected Google Cloud as the cloud segment type, specify the following settings for the connection that will be used for further polling the cloud segment:
- Client email address
- Project ID
- Private key
To see the characters that you entered, click and hold the Show button.
The connection that you specified is saved in the application settings.
The Cloud environment configuration wizard enables you to specify only one segment. Later, you can specify more connections to manage other cloud segments.
Click Next to proceed.
Step 4. Segment polling and configuring synchronization with Cloud
At this step, cloud segment polling starts and a special administration group for cloud devices is automatically created. The devices found during polling are placed into this group. The cloud segment polling schedule is configured every five minutes by default (you can change this setting later).
A Synchronize with Cloud automatic moving rule is also created. For each subsequent scan of the cloud network, virtual devices that are detected will be moved to the corresponding subgroup within the Managed devices\Cloud group.
Define the Synchronize administration groups with cloud structure setting.
If this option is enabled, the Cloud group is automatically created within the Managed devices group and a cloud device discovery is started. The instances and virtual machines detected during each cloud network scan are placed into the Cloud group. The structure of the administration subgroups within this group matches the structure of your cloud segment (in AWS, availability zones and placement groups are not represented in the structure; in Azure, subnets are not represented in the structure). Devices that have not been identified as instances in the cloud environment are in the Unassigned devices group. This group structure enables you to use group installation tasks to install anti-virus applications on instances, as well as set up different policies for different groups.
If this option is disabled, the Cloud group is also created and the cloud device discovery is also started; however, subgroups matching the cloud segment structure are not created within the group. All detected instances are in the Cloud administration group so they are displayed in a single list. If your work with Kaspersky Security Center Cloud Console requires synchronization, you can modify the properties of the Synchronize with Cloud rule and enforce it. Enforcing this rule alters the structure of subgroups in the Cloud group so that it matches the structure of your cloud segment.
By default, this option is disabled.
Click Next to proceed.
Step 5. Selecting an application to create a policy and tasks for
This step is only displayed if you have installation packages and plug-ins for both Kaspersky Endpoint Security for Windows and Kaspersky Security for Windows Server. If you have a plug-in and an installation package for only one of those applications, this step is skipped and Kaspersky Security Center Cloud Console creates a policy and tasks for the existing application.
Select an application for which you want to create a policy and tasks:
- Kaspersky Endpoint Security for Windows
- Kaspersky Security for Windows Server
Step 6. Configuring Kaspersky Security Network for Kaspersky Security Center Cloud Console
This step is skipped when running Kaspersky Security Center Cloud Console in trial mode or on a virtual Administration Server.
Specify the settings for relaying information about Kaspersky Security Center Cloud Console operations to the Kaspersky Security Network (KSN) knowledge base. Select one of the following options:
Kaspersky recommends participation in Kaspersky Security Network.
KSN agreements for managed applications may also be displayed. If you agree to use Kaspersky Security Network, the managed application will send data to Kaspersky. If you do not agree to participate in Kaspersky Security Network, the managed application will not send data to Kaspersky. You can change this setting later in the application policy.
Click Next to proceed.
Page topStep 7. Creating an initial configuration of protection
You can check a list of policies and tasks that are created.
Wait for the creation of policies and tasks to complete, and then click Next to proceed. On the last page of the wizard, click the Finish button to exit.
Page topNetwork segment polling via Kaspersky Security Center Cloud Console
Information about the structure of the network (and devices in it) is received through regular polling of cloud segments by using the AWS API, Azure API, or Google API tools. Kaspersky Security Center Cloud Console uses this information to update the contents of the Unassigned devices and Managed devices folders. If you have configured devices to be moved to administration groups automatically, detected devices are included in administration groups.
To allow the polling of cloud segments, you must have the corresponding rights that are provided with an IAM user account (in AWS); with an Application ID and password (in Azure); or with a Google client email, Google project ID, and private key (in Google Cloud).
You can add and delete connections, as well as set the polling schedule, for each cloud segment.
Adding connections for cloud segment polling via Kaspersky Security Center Cloud Console
To add a connection for cloud segment polling to the list of available connections:
- In the main menu, go to Discovery & deployment → Discovery → Cloud.
- In the window that opens, click Properties.
- In the Settings window that opens, click Add.
The Cloud segment settings window opens.
- Specify the name of the cloud environment for the connection that will be used for further polling of the cloud segment:
- Enter your credentials to receive authorization in the cloud environment that you specified.
- If you selected AWS, specify the following:
- Access key ID
- Secret key
To see the characters that you entered, click and hold the Show button.
- If you selected Azure, specify the following settings:
- Azure Application ID
- Azure Subscription ID
- Azure Application password
To see the characters that you entered, click and hold the Show button.
- Azure storage account name
- Azure storage access key
To see the characters that you entered, click and hold the Show button.
If you selected Google Cloud, specify the following settings:
- Client email address
- Project ID
- Private key
To see the characters that you entered, click and hold the Show button.
- If you selected AWS, specify the following:
- If you want, click Set polling schedule and change the default settings.
The connection is saved in the application settings.
After the new cloud segment is polled for the first time, the subgroup corresponding to that segment appears in the Managed devices\Cloud administration group.
If you specify incorrect credentials, no instances will be found during cloud segment polling and a new subgroup will not appear in the Managed devices\Cloud administration group.
Page topDeleting a connection for cloud segment polling
If you no longer have to poll a specific cloud segment, you can delete the connection corresponding to it from the list of available connections. You can also delete a connection if, for example, permissions to poll a cloud segment have been transferred to another user who has different credentials.
To delete a connection:
- In the main menu, go to Discovery & deployment → Discovery → Cloud.
- In the window that opens, click Properties.
- In the Settings window that opens, click the name of the segment that you want to delete.
- Click Delete.
- In the window that opens, click the OK button to confirm your selection.
The connection is deleted. The devices in the cloud segment corresponding to this connection are automatically deleted from the administration groups.
Page topConfiguring the polling schedule via Kaspersky Security Center Cloud Console
Cloud segment polling is performed according to schedule. You can set the polling frequency.
The polling frequency is automatically set at five minutes by the Cloud environment configuration wizard. You can change this value at any time and set a different schedule. However, it is not recommended to configure polling to run more frequently than every five minutes, because this could lead to errors in the API operation.
To configure a cloud segment polling schedule:
- In the main menu, go to Discovery & deployment → Discovery → Cloud.
- In the window that opens, click Properties.
- In the Settings window that opens, click the name of the segment for which you want to configure a polling schedule.
The Cloud segment settings window opens.
- In the Cloud segment settings window, click the Set polling schedule button.
The Schedule window opens.
- In the Schedule window, define the following settings:
- Scheduled start
Polling schedule options:
- Start interval (days)
- Starting from
- Run missed tasks
- Scheduled start
- Click Save to save the changes.
The polling schedule for the segment is configured and saved.
Page topViewing the results of cloud segment polling via Kaspersky Security Center Cloud Console
You can view the results of cloud segment polling, that is, view the list of cloud devices managed by the Administration Server.
To view the results of cloud segment polling,
In the main menu, go to Discovery & deployment → Discovery → Cloud.
The cloud segments available for polling are displayed.
Page topViewing the properties of cloud devices via Kaspersky Security Center Cloud Console
You can view the properties of each cloud device.
To view the properties of a cloud device:
- In the main menu, go to Assets (Devices) → Managed devices.
- Click the name of the device whose properties you want to view.
A properties window opens with the General section selected.
- If you want to view the properties specific for cloud devices, select the System section in the properties window.
The properties are displayed depending on the cloud platform of the device.
For devices in AWS, the following properties are displayed:
- Device discovered using API (value: AWS)
- Cloud region
- Cloud VPC
- Cloud availability zone
- Cloud subnet
- Cloud placement group (this unit is only displayed if the instance belongs to a placement group; otherwise, it is not displayed)
For devices in Azure, the following properties are displayed:
- Device discovered using API (value: Microsoft Azure)
- Cloud region
- Cloud subnet
For devices in Google Cloud, the following properties are displayed:
- Device discovered using API (value: Google Cloud)
- Cloud region
- Cloud VPC
- Cloud availability zone
- Cloud subnet
Synchronization with Cloud: Configuring the moving rule
During the Cloud environment configuration wizard operation, the Synchronize with Cloud rule is created automatically. This rule enables you to automatically move devices detected in each poll from the Unassigned devices group to the Managed devices\Cloud group, to make these devices available for centralized management. By default, the rule is active after it is created. You can disable, modify, or enforce the rule at any time.
To edit the properties of the Synchronize with Cloud rule and/or enforce the rule:
- In the main menu, go to Discovery & deployment → Deployment & assignment → Moving rules.
A list of moving rules opens.
- In the list of moving rules, select Synchronize with cloud.
The rule properties window opens.
- If necessary, specify the following settings in the Rule conditions tab, in the Cloud segments tab:
- Device is in a cloud segment
- Include child objects
- Move devices from nested objects to corresponding subgroups
- Create subgroups corresponding to containers of newly detected devices
- Delete subgroups for which no match is found in the cloud segments
If you enabled the Synchronize administration groups with cloud structure option when using the Cloud environment configuration wizard, the Synchronize with cloud rule is created with the Create subgroups corresponding to containers of newly detected devices and Delete subgroups for which no match is found in the cloud segments options enabled.
If you did not enable the Synchronize administration groups with cloud structure option, the Synchronize with cloud rule is created with these options disabled (cleared). If your work with Kaspersky Security Center Cloud Console requires that the structure of subgroups in the Managed devices\Cloud subgroup matches the structure of cloud segments, enable the Create subgroups corresponding to containers of newly detected devices and Delete subgroups for which no match is found in the cloud segments options in the rule properties, and then enforce the rule.
- In the Device discovered by using the API drop-down list, select one of the following values:
- No. The device cannot be detected by using the AWS, Azure, or Google API, that is, it is either outside the cloud environment, or it is in the cloud environment but for some reason it cannot be detected by using an API.
- AWS. The device is discovered by using the AWS API, that is, the device is definitely in the AWS cloud environment.
- Azure. The device is discovered by using the Azure API, that is, the device is definitely in the Azure cloud environment.
- Google Cloud. The device is discovered by using the Google API, that is, the device is definitely in the Google cloud environment.
- No value. This criterion cannot be applied.
- If necessary, set up other rule properties in the other sections.
The moving rule is configured.
Remote installation of applications to the Azure virtual machines
You must have a valid license to install applications on Microsoft Azure virtual machines.
Kaspersky Security Center Cloud Console supports the following scenarios:
- A client device is discovered by means of Azure API; the installation is also performed by means of an API. Using the Azure API means that you can only install the following applications:
- Kaspersky Endpoint Security for Linux
- Kaspersky Endpoint Security for Windows
- Kaspersky Security for Windows Server
- A client device is discovered by means of Azure API; the installation is performed by means of a distribution point or, if there are no distribution points, manually by using standalone installation packages. You can install any application supported by Kaspersky Security Center Cloud Console in this way.
To create a task for remote installation of an application on Azure virtual machines:
- In the main menu, go to Assets (Devices) → Tasks.
- Click Add.
The New task wizard starts.
- Follow the instructions of the wizard:
- Select Install application remotely as the task type.
- On the Installation packages page, select Remote installation by Microsoft Azure API.
- When selecting the account to access devices, use an existing Azure account, or click Add and enter the credentials of your Azure account:
- Select the relevant devices from the Managed devices\Cloud group.
After the wizard finishes, the task for remote installation of the application appears in the list of tasks.