Kaspersky Security Center Cloud Console

Working with Kaspersky Security Center Cloud Console in a cloud environment

This section provides information about Kaspersky Security Center Cloud Console features related to the operation and maintenance of Kaspersky Security Center Cloud Console in cloud environments, such as Amazon Web Services, Microsoft Azure, or Google Cloud.

To work within a cloud environment, you need a special license. If you do not have such a license, the interface elements related to cloud devices are not operable.

Updates functionality (including providing anti-virus signature updates and codebase updates), as well as KSN functionality, may not be available in the software in the U.S.

In this section

Licensing options in a cloud environment

Preparing for work in a cloud environment through Kaspersky Security Center Cloud Console

Cloud environment configuration wizard in Kaspersky Security Center Cloud Console

Network segment polling via Kaspersky Security Center Cloud Console

Synchronization with Cloud: Configuring the moving rule

Remote installation of applications to the Azure virtual machines

Licensing options in a cloud environment

Work in a cloud environment is possible both in trial mode and in commercial mode of Kaspersky Security Center Cloud Console:

  • In trial mode, all cloud environment features are available within the entire validity period of your workspace. No license is required.
  • In commercial mode, the cloud environment features are available only if a Kaspersky Hybrid Cloud Security license key has been added as active in the Administration Server properties.

In both cases, Vulnerability and patch management is automatically activated.

You may encounter an error when trying to activate the feature Support of the cloud environment using the license for Kaspersky Hybrid Cloud Security.

Preparing for work in a cloud environment through Kaspersky Security Center Cloud Console

This section tells you how to prepare for working with Kaspersky Security Center Cloud Console in the following cloud environments:

  • Amazon Web Services
  • Microsoft Azure
  • Google Cloud

In this section

Working in Amazon Web Services cloud environment

Working in Microsoft Azure cloud environment

Working in Google Cloud

Working in Amazon Web Services cloud environment

This section tells you how to prepare for working with Kaspersky Security Center Cloud Console in Amazon Web Services.

The addresses of web pages cited in this document are correct as of the Kaspersky Security Center Cloud Console release date.

In this section

About work in Amazon Web Services cloud environment

Creating IAM user accounts for Amazon EC2 instances

About work in Amazon Web Services cloud environment

To work with the AWS platform and, in particular, to create instances, you need an Amazon Web Services account. You can create a free account at https://aws.amazon.com. You can also use an existing Amazon account.

To learn more about an AMI and how AWS Marketplace works, please visit the AWS Marketplace Help page. For more information about working with the AWS platform, using instances, and related concepts, please refer to the Amazon Web Services documentation.

Creating IAM user accounts for Amazon EC2 instances

This section describes the actions that must be performed to ensure correct operation of Kaspersky Security Center Cloud Console. These actions include work with the AWS Identity and Access Management (IAM) user accounts. Also described are the actions that must be taken on client devices to install Network Agent on them and then install Kaspersky Security for Windows Server and Kaspersky Endpoint Security for Linux.

In this section

Ensuring that Kaspersky Security Center Cloud Console has the permissions to work with AWS

Creating an IAM user account for work with Kaspersky Security Center Cloud Console

Ensuring that Kaspersky Security Center Cloud Console has the permissions to work with AWS

To operate in the Amazon Web Services cloud environment using Kaspersky Security Center Cloud Console, you must create an IAM user account that Kaspersky Security Center Cloud Console will use to work with AWS services. Before starting to work with the Administration Server, create an IAM user account with an AWS IAM access key (hereinafter also referred to as IAM access key).

Creation of an IAM user account requires the AWS Management Console. To work with the AWS Management Console, you will need a user name and password from an account in AWS.

Creating an IAM user account for work with Kaspersky Security Center Cloud Console

An IAM user account is required for working with Kaspersky Security Center Cloud Console. You can create one IAM user account with all the necessary permissions, or you can create two separate user accounts.

An IAM access key that you will need to provide to Kaspersky Security Center Cloud Console during initial configuration is automatically created for the IAM user. An IAM access key consists of an access key ID and a secret key. For more details about the IAM service, please refer to the following AWS reference pages:

To create an IAM user account with the necessary permissions:

  1. Open the AWS Management Console and sign in under your account.
  2. In the list of AWS services, select IAM.

    A window opens containing a list of user names and a menu that lets you work with the tool.

  3. Navigate through the areas of the console dealing with user accounts, and add a new user name or names.
  4. For the user(s) you add, specify the following AWS properties:
    • Access type: Programmatic Access.
    • Permissions boundary: not set.
    • Permission: ReadOnlyAccess.

      After you add the permission, review it for accuracy. If you made a wrong selection, go back to the previous screen and make the selection again.

  5. After you create the user account, a table appears containing the IAM access key of the new IAM user. The access key ID is displayed in the Access key ID column. The secret key is displayed as asterisks in the Secret access key column. To view the secret key, click Show.

The newly created account is displayed in the list of IAM user accounts that corresponds to your account in AWS.
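
The following is an added example, not part of the Kaspersky documentation or product: a check that an existing IAM user still matches the properties listed in step 4 (programmatic access only, no permissions boundary, ReadOnlyAccess). It assumes you exported the user's data with the AWS CLI commands named in the docstring; the sample records, user name, and key IDs are constructed, and the "one active key" check is an added hygiene assumption.

```python
"""Check an IAM polling user against the properties listed in the procedure above."""

READ_ONLY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"


def audit_polling_user(user, access_keys, has_console_password):
    """Return a list of findings; an empty list means the user matches the page.

    user                 -- one UserDetailList entry from
                            `aws iam get-account-authorization-details --filter User`
    access_keys          -- AccessKeyMetadata list from `aws iam list-access-keys`
    has_console_password -- True if `aws iam get-login-profile` succeeds for the user
    """
    findings = []

    # Permission: ReadOnlyAccess, and nothing beyond it.
    attached = {p["PolicyArn"] for p in user.get("AttachedManagedPolicies", [])}
    if READ_ONLY_ARN not in attached:
        findings.append("ReadOnlyAccess is not attached")
    for arn in sorted(attached - {READ_ONLY_ARN}):
        findings.append(f"extra managed policy attached: {arn}")
    for policy in user.get("UserPolicyList", []):
        findings.append(f"inline policy present: {policy['PolicyName']}")
    for group in user.get("GroupList", []):
        findings.append(f"inherits permissions from group: {group}")

    # Permissions boundary: not set.
    if user.get("PermissionsBoundary"):
        findings.append("permissions boundary is set")

    # Access type: programmatic access, so no console password is expected.
    if has_console_password:
        findings.append("console password exists")

    # The console is given one access key; assumption: any other active key is unused.
    active = [k["AccessKeyId"] for k in access_keys if k["Status"] == "Active"]
    if not active:
        findings.append("no active access key")
    elif len(active) > 1:
        findings.append(f"{len(active)} active access keys: {', '.join(sorted(active))}")

    return findings


# Constructed sample data (not real accounts or keys).
COMPLIANT_USER = {
    "UserName": "ksc-cloud-polling",
    "AttachedManagedPolicies": [
        {"PolicyName": "ReadOnlyAccess", "PolicyArn": READ_ONLY_ARN}
    ],
    "UserPolicyList": [],
    "GroupList": [],
}
COMPLIANT_KEYS = [
    {"UserName": "ksc-cloud-polling", "AccessKeyId": "AKIAEXAMPLE0000000001", "Status": "Active"}
]

DRIFTED_USER = {
    "UserName": "ksc-cloud-polling",
    "AttachedManagedPolicies": [
        {"PolicyName": "ReadOnlyAccess", "PolicyArn": READ_ONLY_ARN},
        {"PolicyName": "AmazonEC2FullAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AmazonEC2FullAccess"},
    ],
    "UserPolicyList": [{"PolicyName": "tmp-debug", "PolicyDocument": {}}],
    "GroupList": ["admins"],
    "PermissionsBoundary": {
        "PermissionsBoundaryType": "Policy",
        "PermissionsBoundaryArn": "arn:aws:iam::111122223333:policy/example-boundary",
    },
}
DRIFTED_KEYS = [
    {"UserName": "ksc-cloud-polling", "AccessKeyId": "AKIAEXAMPLE0000000002", "Status": "Inactive"}
]

if __name__ == "__main__":
    for label, args in (
        ("compliant", (COMPLIANT_USER, COMPLIANT_KEYS, False)),
        ("drifted", (DRIFTED_USER, DRIFTED_KEYS, True)),
    ):
        result = audit_polling_user(*args)
        print(label, "->", result or "matches the documented settings")
```

A "no active access key" finding is worth checking first when a cloud segment shows no instances, because polling with credentials that no longer work finds nothing.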

Working in Microsoft Azure cloud environment

This section provides information about Kaspersky Security Center Cloud Console operation and maintenance in a cloud environment provided by Microsoft Azure, as well as details of protection deployment on virtual machines in this cloud environment.

In this section

About work in Microsoft Azure

Creating a subscription, Application ID, and password

Assigning a role to the Azure Application ID

About work in Microsoft Azure

To work with the Microsoft Azure platform and, in particular, to purchase apps at the Azure Marketplace and create virtual machines, you will need an Azure subscription. Before starting to work with Microsoft Azure in Kaspersky Security Center Cloud Console, create an Azure Application ID with permissions required for installation of applications on virtual machines.

Creating a subscription, Application ID, and password

To work with Kaspersky Security Center Cloud Console in the Microsoft Azure environment, you need an Azure subscription, Azure Application ID, and Azure Application password. You can use an existing subscription, if you already have one.

An Azure subscription grants its owner access to the Microsoft Azure Platform Management Portal and to Microsoft Azure services. The owner can use the Microsoft Azure Platform to manage services such as Azure SQL and Azure Storage.

To create a Microsoft Azure subscription,

Go to https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/create-subscription and follow the instructions there.

More information about creating a subscription is available on the Microsoft website. You will get a subscription ID, which you will later provide to Kaspersky Security Center Cloud Console together with Application ID and password.

To create and save Azure Application ID and password:

  1. Go to https://portal.azure.com and make sure that you are logged in.
  2. Following the instructions on the reference page, create your Application ID.
  3. Go to the Keys section of the application settings.
  4. In the Keys section, fill in the Description and Expires fields and leave the Value field empty.
  5. Click Save.

    When you click Save, the system automatically fills the Value field with a long sequence of characters. This sequence is your Azure Application password (for example, yXyPOy6Tre9PYgP/j4XVyJCvepPHk2M/UYJ+QlfFvdU=). The description is displayed as you entered it.

  6. Copy the password and save it, so that you can later provide the Application ID and password to Kaspersky Security Center Cloud Console.

    You can copy the password only when it has been created. Later, the password will no longer be displayed and you cannot restore it.

Assigning a role to the Azure Application ID

If you only want to detect virtual machines using device discovery, your Azure Application ID must have the Reader role. If you want not only to detect virtual machines, but also to deploy protection by means of the Azure API, your Azure Application ID must have the Virtual Machine Contributor role.

Follow the instructions on the Microsoft website to assign a role to your Azure Application ID.
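
The following is an added example, not part of the Kaspersky documentation or product: it reads the JSON printed by `az role assignment list --assignee <Application ID> --all` and reports which of the two modes described above the Application ID is set up for. The subscription IDs, resource group name, and sample assignments are constructed, and treating only subscription-scope assignments as decisive is an assumption of this sketch (assignments inherited from management groups are not considered).

```python
"""Map an Azure Application ID's role assignments to the modes described above."""
import json

DISCOVERY_ROLE = "Reader"                        # detect virtual machines only
DEPLOYMENT_ROLE = "Virtual Machine Contributor"  # detect and deploy protection


def assess_application_roles(assignments_json, subscription_id):
    """Classify the assignments that apply to one subscription.

    Returns a dict with:
      mode            -- "none", "discovery" or "discovery+deployment"
      other_roles     -- subscription-scope roles beyond the two the page names
      narrower_scopes -- (role, scope) pairs granted below subscription scope
    """
    # Azure resource IDs are case-insensitive, so compare in lower case.
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    at_subscription, narrower = set(), []

    for item in json.loads(assignments_json):
        scope = item["scope"].rstrip("/")
        role = item["roleDefinitionName"]
        if scope.lower() == sub_scope:
            at_subscription.add(role)
        elif scope.lower().startswith(sub_scope + "/"):
            narrower.append((role, scope))
        # Assignments in other subscriptions are ignored.

    if DEPLOYMENT_ROLE in at_subscription:
        mode = "discovery+deployment"
    elif DISCOVERY_ROLE in at_subscription:
        mode = "discovery"
    else:
        mode = "none"

    return {
        "mode": mode,
        "other_roles": sorted(at_subscription - {DISCOVERY_ROLE, DEPLOYMENT_ROLE}),
        "narrower_scopes": sorted(narrower),
    }


# Constructed sample output (placeholder subscription IDs and resource group).
SAMPLE_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = """
[
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"roleDefinitionName": "User Access Administrator",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"roleDefinitionName": "Virtual Machine Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"},
  {"roleDefinitionName": "Virtual Machine Contributor",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"}
]
"""

if __name__ == "__main__":
    report = assess_application_roles(SAMPLE_ASSIGNMENTS, SAMPLE_SUBSCRIPTION)
    print("mode:", report["mode"])
    print("roles beyond those the page names:", report["other_roles"])
    print("roles granted below subscription scope:", report["narrower_scopes"])
```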

Working in Google Cloud

This section provides information about work with Kaspersky Security Center Cloud Console in a cloud environment provided by Google.

You can use the Google API to work with Kaspersky Security Center Cloud Console in Google Cloud Platform. A Google account is required. Please refer to the Google documentation at https://cloud.google.com for more information.

You will need to create and provide Kaspersky Security Center Cloud Console with the following credentials:

  • Client email

    Client email is the email address that you used for registering your project at Google Cloud.

  • Project ID

    Project ID is the ID that you received when you registered your project at Google Cloud.

  • Private key

    Private key is the sequence of characters that you received as your private key when you registered your project at Google Cloud. You might want to copy and paste this sequence to avoid mistakes.

Cloud environment configuration wizard in Kaspersky Security Center Cloud Console

To configure Kaspersky Security Center Cloud Console using this wizard, you must have the following:

The Cloud environment configuration wizard starts automatically at the first connection to Kaspersky Security Center Cloud Console if your workspace was created by using the Kaspersky Hybrid Cloud Security license. You can also start the Cloud environment configuration wizard manually at any time.

To start the Cloud environment configuration wizard manually,

In the main menu, go to Discovery & deployment → Deployment & assignment → Configure cloud environment.

The wizard starts.

An average work session with this wizard lasts about 15 minutes.

In this section

Step 1. Checking the required plug-ins and installation packages

Step 2. Selecting the application activation method

Step 3. Selecting the cloud environment and authorization

Step 4. Segment polling and configuring synchronization with Cloud

Step 5. Selecting an application to create a policy and tasks for

Step 6. Configuring Kaspersky Security Network for Kaspersky Security Center Cloud Console

Step 7. Creating an initial configuration of protection

Step 1. Checking the required plug-ins and installation packages

This step is not displayed if you have all of the required web plug-ins and installation packages listed below.

To configure a cloud environment, you must have the following components:

  • Installation packages:
    • Network Agent for Windows
    • Network Agent for Linux
    • Kaspersky Endpoint Security for Linux
  • Web plug-in for Kaspersky Endpoint Security for Linux
  • At least one of the following:
    • Installation package and web plug-in for Kaspersky Endpoint Security for Windows (recommended)
    • Installation package and web plug-in for Kaspersky Security for Windows Server

      We recommend that you use Kaspersky Endpoint Security for Windows instead of Kaspersky Security for Windows Server.

Kaspersky Security Center Cloud Console automatically detects the components that you already have and lists only ones that are missing. Download the listed components by clicking the Select applications to download button, and then selecting the required plug-ins and installation packages. After you download a component, you can use the Refresh button to update the list of missing components.

See also:

Creating installation packages for Kaspersky applications

Step 2. Selecting the application activation method

This step is displayed only if you used a license other than Kaspersky Hybrid Cloud Security during the workspace creation and never added a Kaspersky Hybrid Cloud Security license key to the activation field of Administration Server. In this case, you must activate Administration Server by using a Kaspersky Hybrid Cloud Security license.

See also:

Licensing options in a cloud environment

Step 3. Selecting the cloud environment and authorization

Specify the following settings:

  • Cloud environment

    Select the cloud environment in which you are deploying Kaspersky Security Center Cloud Console: AWS, Azure, or Google Cloud.

    If you plan to work with more than one cloud environment, select one environment and then run the wizard again.

  • Connection name

    Enter a name for the connection. The name cannot contain more than 256 characters. Only Unicode characters are permitted.

    This name will also be used as the name for the administration group for the cloud devices.

    If you plan to work with more than one cloud environment, you might want to include the name of the environment in the connection name, for example, "Azure Segment", "AWS Segment", or "Google Segment".

Enter your credentials to receive authorization in the cloud environment that you specified.

AWS

If you selected AWS as the cloud segment type, use an AWS IAM access key for further polling of the cloud segment. Enter the following key data:

  • Access key ID

    The IAM access key ID is a sequence of alphanumeric characters. You received the key ID when you created the IAM user account.

    The field is available after you select an AWS IAM access key for authorization.

  • Secret key

    The secret key that you received with the access key ID when you created the IAM user account.

    The characters of the secret key are displayed as asterisks. After you begin entering the secret key, the Show button is displayed. Click and hold this button for the necessary amount of time to view the characters you entered.

    The field is available after you select an AWS IAM access key for authorization.

    To see the characters that you entered, click and hold the Show button.

Azure

If you selected Azure as the cloud segment type, specify the following settings for the connection that will be used for further polling of the cloud segment:

  • Azure Application ID

    You created this application ID on the Azure portal.

    You can provide only one Azure Application ID for polling and other purposes. If you want to poll another Azure segment, you must first delete the existing Azure connection.

  • Azure Subscription ID

    You created the subscription on the Azure portal.

  • Azure Application password

    You received the password of the Application ID when you created the Application ID.

    The characters of the password are displayed as asterisks. After you begin entering the password, the Show button becomes available. Click and hold this button to view the characters you entered.

    To see the characters that you entered, click and hold the Show button.

  • Azure storage account name

    You created the name of the Azure storage account for working with Kaspersky Security Center Cloud Console.

  • Azure storage access key

    You received a password (key) when you created the Azure storage account for working with Kaspersky Security Center Cloud Console.

    The key is available in the "Overview of the Azure storage account" section, in the "Keys" subsection.

    To see the characters that you entered, click and hold the Show button.

Google Cloud

If you selected Google Cloud as the cloud segment type, specify the following settings for the connection that will be used for further polling of the cloud segment:

  • Client email address

    Client email is the email address that you used for registering your project at Google Cloud.

  • Project ID

    Project ID is the ID that you received when you registered your project at Google Cloud.

  • Private key

    Private key is the sequence of characters that you received as your private key when you registered your project at Google Cloud. You might want to copy and paste this sequence to avoid mistakes.

    To see the characters that you entered, click and hold the Show button.

The connection that you specified is saved in the application settings.

The Cloud environment configuration wizard enables you to specify only one segment. Later, you can specify more connections to manage other cloud segments.

Click Next to proceed.

See also:

Adding connections for cloud segment polling via Kaspersky Security Center Cloud Console

Step 4. Segment polling and configuring synchronization with Cloud

At this step, cloud segment polling starts and a special administration group for cloud devices is automatically created. The devices found during polling are placed into this group. By default, cloud segment polling is scheduled to run every five minutes (you can change this setting later).

A Synchronize with Cloud automatic moving rule is also created. For each subsequent scan of the cloud network, virtual devices that are detected will be moved to the corresponding subgroup within the Managed devices\Cloud group.

Define the Synchronize administration groups with cloud structure setting.

If this option is enabled, the Cloud group is automatically created within the Managed devices group and a cloud device discovery is started. The instances and virtual machines detected during each cloud network scan are placed into the Cloud group. The structure of the administration subgroups within this group matches the structure of your cloud segment (in AWS, availability zones and placement groups are not represented in the structure; in Azure, subnets are not represented in the structure). Devices that have not been identified as instances in the cloud environment are in the Unassigned devices group. This group structure enables you to use group installation tasks to install anti-virus applications on instances, as well as set up different policies for different groups.

If this option is disabled, the Cloud group is also created and the cloud device discovery is also started; however, subgroups matching the cloud segment structure are not created within the group. All detected instances are in the Cloud administration group so they are displayed in a single list. If your work with Kaspersky Security Center Cloud Console requires synchronization, you can modify the properties of the Synchronize with Cloud rule and enforce it. Enforcing this rule alters the structure of subgroups in the Cloud group so that it matches the structure of your cloud segment.

By default, this option is disabled.

Click Next to proceed.

See also:

Synchronization with Cloud: Configuring the moving rule

Step 5. Selecting an application to create a policy and tasks for

This step is only displayed if you have installation packages and plug-ins for both Kaspersky Endpoint Security for Windows and Kaspersky Security for Windows Server. If you have a plug-in and an installation package for only one of those applications, this step is skipped and Kaspersky Security Center Cloud Console creates a policy and tasks for the existing application.

Select an application for which you want to create a policy and tasks:

  • Kaspersky Endpoint Security for Windows
  • Kaspersky Security for Windows Server

Step 6. Configuring Kaspersky Security Network for Kaspersky Security Center Cloud Console

This step is skipped when running Kaspersky Security Center Cloud Console in trial mode or on a virtual Administration Server.

Specify the settings for relaying information about Kaspersky Security Center Cloud Console operations to the Kaspersky Security Network (KSN) knowledge base. Select one of the following options:

  • I agree to use Kaspersky Security Network

    Kaspersky Security Center Cloud Console and managed applications installed on client devices will automatically transfer their operation details to Kaspersky Security Network. Participation in Kaspersky Security Network ensures faster updates of databases containing information about viruses and other threats, which ensures a faster response to emergent security threats.

  • I do not agree to use Kaspersky Security Network

    Kaspersky Security Center Cloud Console and managed applications will provide no information to Kaspersky Security Network.

    If you select this option, the use of Kaspersky Security Network will be disabled.

Kaspersky recommends participation in Kaspersky Security Network.

KSN agreements for managed applications may also be displayed. If you agree to use Kaspersky Security Network, the managed application will send data to Kaspersky. If you do not agree to participate in Kaspersky Security Network, the managed application will not send data to Kaspersky. You can change this setting later in the application policy.

Click Next to proceed.

Step 7. Creating an initial configuration of protection

You can check a list of policies and tasks that are created.

Wait for the creation of policies and tasks to complete, and then click Next to proceed. On the last page of the wizard, click the Finish button to exit.

Network segment polling via Kaspersky Security Center Cloud Console

Information about the structure of the network (and devices in it) is received through regular polling of cloud segments by using the AWS API, Azure API, or Google API tools. Kaspersky Security Center Cloud Console uses this information to update the contents of the Unassigned devices and Managed devices folders. If you have configured devices to be moved to administration groups automatically, detected devices are included in administration groups.

To allow the polling of cloud segments, you must have the corresponding rights that are provided with an IAM user account (in AWS); with an Application ID and password (in Azure); or with a Google client email, Google project ID, and private key (in Google Cloud).

You can add and delete connections, as well as set the polling schedule, for each cloud segment.

In this section

Adding connections for cloud segment polling via Kaspersky Security Center Cloud Console

Deleting a connection for cloud segment polling

Configuring the polling schedule via Kaspersky Security Center Cloud Console

Viewing the results of cloud segment polling via Kaspersky Security Center Cloud Console

Viewing the properties of cloud devices via Kaspersky Security Center Cloud Console

Adding connections for cloud segment polling via Kaspersky Security Center Cloud Console

To add a connection for cloud segment polling to the list of available connections:

  1. In the main menu, go to Discovery & deployment → Discovery → Cloud.
  2. In the window that opens, click Properties.
  3. In the Settings window that opens, click Add.

    The Cloud segment settings window opens.

  4. Specify the name of the cloud environment for the connection that will be used for further polling of the cloud segment:
    • Cloud environment

      Select the cloud environment in which you are deploying Kaspersky Security Center Cloud Console: AWS, Azure, or Google Cloud.

      If you plan to work with more than one cloud environment, select one environment and then run the wizard again.

    • Connection name

      Enter a name for the connection. The name cannot contain more than 256 characters. Only Unicode characters are permitted.

      This name will also be used as the name for the administration group for the cloud devices.

      If you plan to work with more than one cloud environment, you might want to include the name of the environment in the connection name, for example, "Azure Segment", "AWS Segment", or "Google Segment".

  5. Enter your credentials to receive authorization in the cloud environment that you specified.
    • If you selected AWS, specify the following:
      • Access key ID

        The IAM access key ID is a sequence of alphanumeric characters. You received the key ID when you created the IAM user account.

        The field is available after you select an AWS IAM access key for authorization.

      • Secret key

        The secret key that you received with the access key ID when you created the IAM user account.

        The characters of the secret key are displayed as asterisks. After you begin entering the secret key, the Show button is displayed. Click and hold this button for the necessary amount of time to view the characters you entered.

        The field is available after you select an AWS IAM access key for authorization.

        To see the characters that you entered, click and hold the Show button.

    • If you selected Azure, specify the following settings:
      • Azure Application ID

        You created this application ID on the Azure portal.

        You can provide only one Azure Application ID for polling and other purposes. If you want to poll another Azure segment, you must first delete the existing Azure connection.

      • Azure Subscription ID

        You created the subscription on the Azure portal.

      • Azure Application password

        You received the password of the Application ID when you created the Application ID.

        The characters of the password are displayed as asterisks. After you begin entering the password, the Show button becomes available. Click and hold this button to view the characters you entered.

        To see the characters that you entered, click and hold the Show button.

      • Azure storage account name

        You created the name of the Azure storage account for working with Kaspersky Security Center Cloud Console.

      • Azure storage access key

        You received a password (key) when you created the Azure storage account for working with Kaspersky Security Center Cloud Console.

        The key is available in the "Overview of the Azure storage account" section, in the "Keys" subsection.

        To see the characters that you entered, click and hold the Show button.

    • If you selected Google Cloud, specify the following settings:
      • Client email address

        Client email is the email address that you used for registering your project at Google Cloud.

      • Project ID

        Project ID is the ID that you received when you registered your project at Google Cloud.

      • Private key

        Private key is the sequence of characters that you received as your private key when you registered your project at Google Cloud. You might want to copy and paste this sequence to avoid mistakes.

        To see the characters that you entered, click and hold the Show button.

  6. If you want, click Set polling schedule and change the default settings.

The connection is saved in the application settings.

After the new cloud segment is polled for the first time, the subgroup corresponding to that segment appears in the Managed devices\Cloud administration group.

If you specify incorrect credentials, no instances will be found during cloud segment polling and a new subgroup will not appear in the Managed devices\Cloud administration group.

Deleting a connection for cloud segment polling

If you no longer have to poll a specific cloud segment, you can delete the connection corresponding to it from the list of available connections. You can also delete a connection if, for example, permissions to poll a cloud segment have been transferred to another user who has different credentials.

To delete a connection:

  1. In the main menu, go to Discovery & deployment → Discovery → Cloud.
  2. In the window that opens, click Properties.
  3. In the Settings window that opens, click the name of the segment that you want to delete.
  4. Click Delete.
  5. In the window that opens, click the OK button to confirm your selection.

The connection is deleted. The devices in the cloud segment corresponding to this connection are automatically deleted from the administration groups.

Configuring the polling schedule via Kaspersky Security Center Cloud Console

Cloud segment polling is performed according to schedule. You can set the polling frequency.

The polling frequency is automatically set at five minutes by the Cloud environment configuration wizard. You can change this value at any time and set a different schedule. However, it is not recommended to configure polling to run more frequently than every five minutes, because this could lead to errors in the API operation.

To configure a cloud segment polling schedule:

  1. In the main menu, go to Discovery & deployment → Discovery → Cloud.
  2. In the window that opens, click Properties.
  3. In the Settings window that opens, click the name of the segment for which you want to configure a polling schedule.

    The Cloud segment settings window opens.

  4. In the Cloud segment settings window, click the Set polling schedule button.

    The Schedule window opens.

  5. In the Schedule window, define the following settings:
    • Scheduled start

      Polling schedule options:

      • Every N days

        The polling runs regularly, with the specified interval in days, starting from the specified date and time.

        By default, the polling runs every day, starting from the current system date and time.

      • Every N minutes

        The polling runs regularly, with the specified interval in minutes, starting from the specified time.

        By default, the polling runs every five minutes, starting from the current system time.

      • By days of week

        The polling runs regularly, on the specified days of week, and at the specified time.

        By default, the polling runs every Friday at 6:00:00 PM.

      • Every month on specified days of selected weeks

        The polling runs regularly, on the specified days of each month, and at the specified time.

        By default, no days of month are selected; the default start time is 6:00:00 PM.

    • Start interval (days)

      Specify what N is equal to (for minutes or days).

    • Starting from

      Specify when to start the first poll.

    • Run missed tasks

      If your workspace is unavailable during the time for which the poll is scheduled, Kaspersky Security Center Cloud Console can either start the poll immediately after the workspace is available again, or wait for the next time for which the poll is scheduled.

      If this option is enabled, Kaspersky Security Center Cloud Console starts polling immediately after the workspace is available again.

      If this option is disabled, Kaspersky Security Center Cloud Console waits for the next time for which the polling is scheduled.

      By default, this option is enabled.

  6. Click Save to save the changes.

The polling schedule for the segment is configured and saved.

[Topic 198848]

Viewing the results of cloud segment polling via Kaspersky Security Center Cloud Console

You can view the results of cloud segment polling, that is, view the list of cloud devices managed by the Administration Server.

To view the results of cloud segment polling,

In the main menu, go to Discovery & deployment → Discovery → Cloud.

The cloud segments available for polling are displayed.

[Topic 199091]

Viewing the properties of cloud devices via Kaspersky Security Center Cloud Console

You can view the properties of each cloud device.

To view the properties of a cloud device:

  1. In the main menu, go to Assets (Devices) → Managed devices.
  2. Click the name of the device whose properties you want to view.

    A properties window opens with the General section selected.

  3. If you want to view the properties specific for cloud devices, select the System section in the properties window.

    The properties are displayed depending on the cloud platform of the device.

    For devices in AWS, the following properties are displayed:

    • Device discovered using API (value: AWS)
    • Cloud region
    • Cloud VPC
    • Cloud availability zone
    • Cloud subnet
    • Cloud placement group (this unit is only displayed if the instance belongs to a placement group; otherwise, it is not displayed)

    For devices in Azure, the following properties are displayed:

    • Device discovered using API (value: Microsoft Azure)
    • Cloud region
    • Cloud subnet

    For devices in Google Cloud, the following properties are displayed:

    • Device discovered using API (value: Google Cloud)
    • Cloud region
    • Cloud VPC
    • Cloud availability zone
    • Cloud subnet

[Topic 200119]

Synchronization with Cloud: Configuring the moving rule

During the Cloud environment configuration wizard operation, the Synchronize with Cloud rule is created automatically. This rule enables you to automatically move devices detected in each poll from the Unassigned devices group to the Managed devices\Cloud group, to make these devices available for centralized management. By default, the rule is active after it is created. You can disable, modify, or enforce the rule at any time.

To edit the properties of the Synchronize with Cloud rule and/or enforce the rule:

  1. In the main menu, go to Discovery & deployment → Deployment & assignment → Moving rules.

    A list of moving rules opens.

  2. In the list of moving rules, select Synchronize with cloud.

    The rule properties window opens.

  3. If necessary, specify the following settings in the Rule conditions tab, in the Cloud segments tab:
    • Device is in a cloud segment

      The rule only applies to devices that are in the selected cloud segment. Otherwise, the rule applies to all devices that have been discovered.

      By default, this option is selected.

    • Include child objects

      The rule applies to all devices in the selected segment and in all nested cloud subsections. Otherwise, the rule only applies to devices that are in the root segment.

      By default, this option is selected.

    • Move devices from nested objects to corresponding subgroups

      If this option is enabled, devices from nested objects are automatically moved to the subgroups that correspond to their structure.

      If this option is disabled, devices from nested objects are automatically moved to the root of the Cloud subgroup without any further branching.

      By default, this option is enabled.

    • Create subgroups corresponding to containers of newly detected devices

      If this option is enabled, when the structure of the Managed devices\Cloud group has no subgroups that will match the section containing the device, Kaspersky Security Center Cloud Console creates such subgroups. For example, if a new subnet is discovered during device discovery, a new group with the same name will be created under the Managed devices\Cloud group.

      If this option is disabled, Kaspersky Security Center Cloud Console does not create any new subgroups. For example, if a new subnet is discovered during network poll, a new group with the same name will not be created under the Managed devices\Cloud group, and the devices that are in that subnet will be moved into the Managed devices\Cloud group.

      By default, this option is enabled.

    • Delete subgroups for which no match is found in the cloud segments

      If this option is enabled, the application deletes from the Cloud group all the subgroups that do not match any existing cloud objects.

      If this option is disabled, subgroups that do not match any of the existing cloud objects are retained.

      By default, this option is enabled.

    If you enabled the Synchronize administration groups with cloud structure option when using the Cloud environment configuration wizard, the Synchronize with cloud rule is created with the Create subgroups corresponding to containers of newly detected devices and Delete subgroups for which no match is found in the cloud segments options enabled.

    If you did not enable the Synchronize administration groups with cloud structure option, the Synchronize with cloud rule is created with these options disabled (cleared). If your work with Kaspersky Security Center Cloud Console requires that the structure of subgroups in the Managed devices\Cloud subgroup matches the structure of cloud segments, enable the Create subgroups corresponding to containers of newly detected devices and Delete subgroups for which no match is found in the cloud segments options in the rule properties, and then enforce the rule.

  4. In the Device discovered by using the API drop-down list, select one of the following values:
    • No. The device cannot be detected by using the AWS, Azure, or Google API, that is, it is either outside the cloud environment, or it is in the cloud environment but for some reason it cannot be detected by using an API.
    • AWS. The device is discovered by using the AWS API, that is, the device is definitely in the AWS cloud environment.
    • Azure. The device is discovered by using the Azure API, that is, the device is definitely in the Azure cloud environment.
    • Google Cloud. The device is discovered by using the Google API, that is, the device is definitely in the Google cloud environment.
    • No value. This criterion cannot be applied.
  5. If necessary, set up other rule properties in the other sections.

The moving rule is configured.
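
The combined effect of the three subgroup options described in step 3 can be checked against a small model before you change the rule. The following Python code is an added example, not Kaspersky code and not an API of Kaspersky Security Center Cloud Console; the function and field names, the treatment of the options as independent switches, and the sample region, VPC, and subnet names are assumptions made for illustration.

```python
from dataclasses import dataclass

ROOT = "Managed devices\\Cloud"

@dataclass(frozen=True)
class RuleOptions:
    # Defaults mirror the defaults stated for the three options in step 3.
    move_to_subgroups: bool = True   # Move devices from nested objects to corresponding subgroups
    create_subgroups: bool = True    # Create subgroups corresponding to containers of newly detected devices
    delete_unmatched: bool = True    # Delete subgroups for which no match is found in the cloud segments

def with_ancestors(paths):
    """Every path plus all of its parent paths: (a, b) -> {(a,), (a, b)}."""
    return {p[:i] for p in paths for i in range(1, len(p) + 1)}

def synchronize(existing_groups, cloud_containers, discovered, opts):
    """Model one enforcement of the rule (assumed reading of the page text).

    existing_groups  - subgroup paths already under ROOT, as tuples of names
    cloud_containers - container paths that currently exist in the cloud segment
    discovered       - device name -> container path reported by the poll
    Returns (resulting subgroup paths, device name -> full group path).
    """
    groups = set(existing_groups)
    cloud = with_ancestors(cloud_containers)
    if opts.delete_unmatched:
        groups &= cloud              # drop subgroups with no matching cloud object
    placement = {}
    for device, container in discovered.items():
        if opts.create_subgroups:
            groups |= with_ancestors([container])
        # Without a matching subgroup, the device lands in the Cloud group itself.
        in_subgroup = opts.move_to_subgroups and container in groups
        target = container if in_subgroup else ()
        placement[device] = "\\".join((ROOT,) + target)
    return groups, placement

# Constructed sample data: one stale subgroup (vpc-old) and two new subnets.
EXISTING = {("eu-west-1",), ("eu-west-1", "vpc-old")}
CLOUD = {("eu-west-1", "vpc-a", "subnet-1"), ("eu-west-1", "vpc-a", "subnet-2")}
DISCOVERED = {"web-01": ("eu-west-1", "vpc-a", "subnet-1"),
              "db-01": ("eu-west-1", "vpc-a", "subnet-2")}

if __name__ == "__main__":
    for opts in (RuleOptions(),
                 RuleOptions(create_subgroups=False, delete_unmatched=False)):
        groups, placement = synchronize(EXISTING, CLOUD, DISCOVERED, opts)
        print(opts, sorted(groups), placement, sep="\n  ")
```

With the constructed data, the default options mirror the cloud structure and remove the stale vpc-old subgroup, while clearing the create and delete options keeps vpc-old and places both devices directly in the Managed devices\Cloud group.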

See also:

Step 4. Segment polling and configuring synchronization with Cloud

[Topic 199139]

Remote installation of applications to the Azure virtual machines

You must have a valid license to install applications on Microsoft Azure virtual machines.

Kaspersky Security Center Cloud Console supports the following scenarios:

  • A client device is discovered by means of Azure API; the installation is also performed by means of an API. Using the Azure API means that you can only install the following applications:
    • Kaspersky Endpoint Security for Linux
    • Kaspersky Endpoint Security for Windows
    • Kaspersky Security for Windows Server
  • A client device is discovered by means of Azure API; the installation is performed by means of a distribution point or, if there are no distribution points, manually by using standalone installation packages. You can install any application supported by Kaspersky Security Center Cloud Console in this way.

To create a task for remote installation of an application on Azure virtual machines:

  1. In the main menu, go to Assets (Devices) → Tasks.
  2. Click Add.

    The New task wizard starts.

  3. Follow the instructions of the wizard:
    1. Select Install application remotely as the task type.
    2. On the Installation packages page, select Remote installation by Microsoft Azure API.
    3. When selecting the account to access devices, use an existing Azure account, or click Add and enter the credentials of your Azure account:
      • Azure Account Name

        Enter any name for the credentials you are specifying. This name will be displayed in the list of the accounts to run the task.

      • Azure Application ID

        You created this application ID on the Azure portal.

        You can provide only one Azure Application ID for polling and other purposes. If you want to poll another Azure segment, you must first delete the existing Azure connection.

      • Azure Application password

        You received the password of the Application ID when you created the Application ID.

        The characters of the password are displayed as asterisks. After you begin entering the password, the Show button becomes available. Click and hold this button to view the characters you entered.

    4. Select the relevant devices from the Managed devices\Cloud group.

After the wizard finishes, the task for remote installation of the application appears in the list of tasks.

See also:

Scenario: Kaspersky applications initial deployment

[Topic 218327]