Kaspersky Security Center 13.1

Cloud Environment Configuration Wizard

To configure Kaspersky Security Center by using this Wizard, you must have the following:

If you do not want to use cloud environment capabilities (if, for example, you want to manage protection of physical client devices only), you can close the Cloud Environment Configuration Wizard and run the standard Administration Server Quick Start Wizard manually.

The Cloud Environment Configuration Wizard starts automatically at the first connection to Administration Server through Administration Console if you are deploying Kaspersky Security Center from a ready-to-use image. You can also start the Cloud Environment Configuration Wizard manually at any time.

To start the Cloud Environment Configuration Wizard manually:

  1. In the console tree, select the Administration Server node.
  2. In the context menu of the node, select All Tasks → Cloud Environment Configuration Wizard.

The average work session with this Wizard lasts about 15 minutes.

In this section

About the Cloud Environment Configuration Wizard

Step 1. Selecting the application activation method

Step 2. Selecting the cloud environment

Step 3. Authorization in the cloud environment

Step 4. Configuring synchronization with Cloud and choosing further actions

Step 5. Configuring Kaspersky Security Network in the cloud environment

Step 6. Configuring email notifications in the cloud environment

Step 7. Creating an initial configuration of the protection of the cloud environment

Step 8. Selecting the action when the operating system must be restarted during installation (for the cloud environment)

Step 9. Receiving updates by the Administration Server

See also:

Scenario: Deployment for cloud environment

Licenses and features of Kaspersky Security Center 13.1


About the Cloud Environment Configuration Wizard

This Wizard allows you to configure Kaspersky Security Center while taking into account the specifics of working in a cloud environment.

The Wizard creates the following objects:

  • Network Agent policy with default settings
  • Policy for Kaspersky Endpoint Security for Linux
  • Policy for Kaspersky Security for Windows Server
  • Administration group for instances and a rule for automatically moving instances to this administration group
  • Administration Server data backup task
  • Tasks for installing protection on devices running Linux and Windows
  • Tasks for each managed device:
    • Quick Virus Scan
    • Update download

If you selected the BYOL licensing option, the Wizard also activates Kaspersky Security Center with a key file or activation code and places the key file or activation code in the license storage.

See also:

Scenario: Deployment for cloud environment


Step 1. Selecting the application activation method

This step is not displayed if you signed up for one of the ready-to-use AMIs (at the AWS Marketplace), or for a Usage-based monthly billed SKU (at the Azure Marketplace). In this case, the Wizard immediately proceeds to the next step. However, you cannot purchase a ready-to-use AMI for Google Cloud.

If you selected the BYOL licensing option for Kaspersky Security Center, the Wizard prompts you to select the application activation method.

Activate the application with an activation code (or a key file) for Kaspersky Security for Virtualization or for Kaspersky Hybrid Cloud Security.

You can activate the application in one of the following ways:

  • By entering an activation code.

    Online activation will start. This process involves verification of the specified activation code, as well as issuance and activation of a key file.

  • By specifying a key file.

    The application will check the key file and either activate it if it contains the correct information, or prompt you to specify another key file.

Kaspersky Security Center places the license key in the license storage and marks it as automatically distributed on managed devices.

If you connect to an instance using standard Remote Desktop Connection in Microsoft Windows or a similar application, in the remote connection properties you must specify the drive of the physical device that you are using to connect. This ensures access from the instance to the files on your physical device, and lets you select and specify the key file.

When working with Kaspersky Security Center deployed from a paid AMI or for a Usage-based monthly billed SKU, you cannot add key files or activation codes to the license storage.

See also:

Licensing options in a cloud environment

Scenario: Deployment for cloud environment


Step 2. Selecting the cloud environment

Select the cloud environment in which you are deploying Kaspersky Security Center: AWS, Azure, or Google Cloud.

See also:

Scenario: Deployment for cloud environment


Step 3. Authorization in the cloud environment


AWS

If you selected AWS, either specify that you have an IAM role with the required rights, or provide Kaspersky Security Center with an AWS IAM access key. Cloud segment polling is not possible without an IAM role or an AWS IAM access key.

Specify the following settings for the connection that will be used for further polling of the cloud segment:

  • Connection name

    Enter a name for the connection. The name cannot contain more than 256 characters. Only Unicode characters are permitted.

    This name will also be used as the name for the administration group for the cloud devices.

    If you plan to work with more than one cloud environment, you might want to include the name of the environment in the connection name, for example, "Azure Segment", "AWS Segment", or "Google Segment".

  • Use AWS IAM role
  • Use AWS IAM user account

    Select this option if you have an IAM user account with the necessary permissions and you can enter a key ID and secret key.

    • Access key ID

      The IAM access key ID is a sequence of alphanumeric characters. You received the key ID when you created the IAM user account.

      The field is available if you selected an AWS IAM access key for authorization instead of an IAM role.

    • Secret key

      The secret key that you received with the access key ID when you created the IAM user account.

      The characters of the secret key are displayed as asterisks. After you begin entering the secret key, the Show button is displayed. Click and hold this button for the necessary amount of time to view the characters you entered.

      The field is available if you selected an AWS IAM access key for authorization instead of an IAM role.

This connection is saved in the application settings. The Cloud Environment Configuration Wizard allows you to create only a single AWS IAM access key. Subsequently, you can specify more connections to manage other cloud segments.

If you want to install applications on instances through Kaspersky Security Center, you must make sure that your IAM role (or the IAM user whose account is associated with the key that you are entering) has all the necessary permissions.

Azure

If you selected Azure, specify the following settings for the connection that will be used for further polling the cloud segment:

  • Connection name

    Enter a name for the connection. The name cannot contain more than 256 characters. Only Unicode characters are permitted.

    This name will also be used as the name for the administration group for the cloud devices.

    If you plan to work with more than one cloud environment, you might want to include the name of the environment in the connection name, for example, "Azure Segment", "AWS Segment", or "Google Segment".

  • Azure Application ID

    You created this application ID on the Azure portal.

    You can provide only one Azure Application ID for polling and other purposes. If you want to poll another Azure segment, you must first delete the existing Azure connection.

  • Azure Subscription ID

    You created the subscription on the Azure portal.

  • Azure Application password

    You received the password of the Application ID when you created the Application ID.

    The characters of the password are displayed as asterisks. After you begin entering the password, the Show button becomes available. Click and hold this button to view the characters you entered.

  • Azure storage account name

    You created the name of the Azure storage account for working with Kaspersky Security Center.

  • Azure storage access key

    You received a password (key) when you created the Azure storage account for working with Kaspersky Security Center.

    The key is available in section "Overview of the Azure storage account," in subsection "Keys."

This connection is saved in the application settings.

Google Cloud

If you selected Google Cloud, specify the following settings for the connection that will be used for further polling the cloud segment:

  • Connection name

    Enter a name for the connection. The name cannot contain more than 256 characters. Only Unicode characters are permitted.

    This name will also be used as the name for the administration group for the cloud devices.

    If you plan to work with more than one cloud environment, you might want to include the name of the environment in the connection name, for example, "Azure Segment", "AWS Segment", or "Google Segment".

  • Client email

    Client email is the email address that you used for registering your project at Google Cloud.

  • Project ID

    Project ID is the ID that you received when you registered your project at Google Cloud.

  • Private key

    Private key is the sequence of characters that you received as your private key when you registered your project at Google Cloud. You might want to copy and paste this sequence to avoid mistakes.

This connection is saved in the application settings.

See also:

Scenario: Deployment for cloud environment


Step 4. Configuring synchronization with Cloud and choosing further actions


At this step, cloud segment polling starts and a special administration group for instances is created. The instances found during polling are placed into this group. The cloud segment polling schedule is configured (every 5 minutes by default).

A Synchronize with Cloud automatic moving rule is also created. During each subsequent scan of the cloud network, the detected virtual devices are moved to the corresponding subgroup within the Managed devices\Cloud group.

On the Synchronization with the cloud segment page, you can define the following settings:

  • Synchronize administration group structure with the cloud segment

    If this option is enabled, the Cloud group is automatically created within the Managed devices group and a cloud device discovery is started. The instances and virtual machines detected during each cloud network scan are placed into the Cloud group. The structure of the administration subgroups within this group matches the structure of your cloud segment (in AWS, availability zones and placement groups are not represented in the structure; in Azure, subnets are not represented in the structure). Devices that have not been identified as instances in the cloud environment are in the Unassigned devices group. This group structure allows you to use group installation tasks to install anti-virus applications on instances, as well as set up different policies for different groups.

    If this option is disabled, the Cloud group is also created and the cloud device discovery is also started; however, subgroups matching the cloud segment structure are not created within the group. All detected instances are in the Cloud administration group so they are displayed in a single list. If your work with Kaspersky Security Center requires synchronization, you can modify the properties of the Synchronize with Cloud rule and enforce it. Enforcing this rule alters the structure of subgroups in the Cloud group so that it matches the structure of your cloud segment.

    By default, this option is disabled.

  • Deploy protection

    If this option is selected, the Wizard creates a task to install security applications on instances. After the Wizard finishes, the Protection Deployment Wizard automatically starts on the devices in your cloud segments, and you will be able to install Network Agent and security applications on those devices.

    Kaspersky Security Center can perform the deployment with its native tools. If you do not have permissions to install the applications on EC2 instances or Azure virtual machines, you can configure the Remote installation task manually and specify an account with the required permissions. In this case, the Remote installation task will not work for the devices discovered using AWS API or Azure. This task will only work for the devices discovered using Active Directory polling, Windows domains polling, or IP range polling.

    If this option is not selected, the Protection Deployment Wizard is not started and tasks for installing security applications on instances are not created. You can manually perform both actions later.

For Google Cloud, you can only perform the deployment with Kaspersky Security Center native tools. If you selected Google Cloud, the Deploy protection option is not available.

See also:

Scenario: Deployment for cloud environment


Step 5. Configuring Kaspersky Security Network in the cloud environment


Specify the settings for relaying information about Kaspersky Security Center operations to the Kaspersky Security Network knowledge base. Select one of the following options:

  • I agree to use Kaspersky Security Network

    Kaspersky Security Center and managed applications installed on client devices will automatically transfer their operation details to Kaspersky Security Network. Participation in Kaspersky Security Network ensures faster updates of databases containing information about viruses and other threats, which ensures a faster response to emergent security threats.

  • I do not agree to use Kaspersky Security Network

    Kaspersky Security Center and managed applications will provide no information to Kaspersky Security Network.

    If you select this option, the use of Kaspersky Security Network will be disabled.

Kaspersky recommends participation in Kaspersky Security Network.

See also:

Scenario: Deployment for cloud environment


Step 6. Configuring email notifications in the cloud environment


Configure the delivery of notifications about events registered during the operation of Kaspersky applications on virtual client devices. These settings will be used as the default settings for application policies.

To configure the delivery of notifications about events occurring in Kaspersky applications, use the following settings:

  • Recipients (email addresses)

    The email addresses of users to whom the application will send notifications. You can enter one or more addresses; if you enter more than one address, separate them with a semicolon.

  • SMTP servers

    The address or addresses of your organization's mail servers.

    If you enter more than one address, separate them with a semicolon. You can use the IP address or the Windows network name (NetBIOS name) of a device as the address.

  • SMTP server port

    Communication port number of the SMTP server. If you use several SMTP servers, the connection to them is established through the specified communication port. The default port number is 25.

  • Use ESMTP authentication

    Enables support of ESMTP authentication. When the check box is selected, in the User name and Password fields you can specify the ESMTP authentication settings. By default, this check box is cleared.

You can test the new email notification settings by clicking the Send test message button. If the test message was successfully received at the addresses specified in the Recipients (email addresses) field, the settings have been correctly configured.
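A pre-flight check for the values entered on this page, as an added example that is not part of the Kaspersky documentation: it splits the semicolon-separated fields and reports what an SMTP server advertises in its EHLO reply, which matters when Use ESMTP authentication is selected on the default port 25. The function names, host names and EHLO replies are constructed for illustration, and nothing here assumes how Kaspersky Security Center itself negotiates the session.

```python
import smtplib

# Constructed sample inputs (not taken from any real deployment).
SAMPLE_SERVERS = "mail1.example.test; 192.0.2.25;"
SAMPLE_EHLO_PLAIN = ("250-mail1.example.test\r\n250-SIZE 10240000\r\n"
                     "250-AUTH PLAIN LOGIN\r\n250 8BITMIME")
SAMPLE_EHLO_TLS = "250-mail1.example.test\r\n250-STARTTLS\r\n250 8BITMIME"


def split_field(value):
    """Split a semicolon-separated wizard field into trimmed, non-empty items."""
    return [item.strip() for item in value.split(";") if item.strip()]


def parse_ehlo(reply):
    """Turn a raw multi-line EHLO reply into {extension: parameters}."""
    features = {}
    for line in reply.splitlines()[1:]:      # the first line is the greeting
        if not line.startswith("250"):
            continue
        parts = line[4:].strip().split(None, 1)
        if parts:
            features[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return features


def assess(features):
    """Return findings relevant to the Use ESMTP authentication check box.

    `features` has the same shape as smtplib.SMTP.esmtp_features.
    """
    findings = []
    mechs = features.get("auth", "").upper().split()
    if not mechs:
        # Some servers advertise AUTH only after STARTTLS has completed.
        findings.append("no-auth-offered")
    if "starttls" not in features:
        findings.append("no-starttls")
        # PLAIN and LOGIN carry the password base64-encoded, not encrypted.
        if {"PLAIN", "LOGIN"} & set(mechs):
            findings.append("password-mechanism-without-tls")
    return findings


def probe(host, port=25, timeout=10):
    """Live check: connect, send EHLO, and assess what the server advertises."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return assess(smtp.esmtp_features)


if __name__ == "__main__":
    print(split_field(SAMPLE_SERVERS))
    print(assess(parse_ehlo(SAMPLE_EHLO_PLAIN)))
    print(assess(parse_ehlo(SAMPLE_EHLO_TLS)))
```

Call `probe()` for each entry returned by `split_field()` against your own mail servers before entering them in the Wizard.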

See also:

Scenario: Deployment for cloud environment


Step 7. Creating an initial configuration of the protection of the cloud environment


At this step, Kaspersky Security Center automatically creates policies and tasks. The Configure initial protection window displays a list of policies and tasks created by the application.

If you use an RDS database in the AWS cloud environment, you have to provide an IAM access key pair to Kaspersky Security Center when the Administration Server backup task is being created. In this case, fill in the following fields:

  • S3 bucket name

    The name of the S3 bucket that you created for the backup.

  • Access key ID

    You received the key ID (sequence of alphanumeric characters) when you created the IAM user account for working with the S3 bucket storage instance.

    The field is available if you selected RDS database on an S3 bucket.

  • Secret key

    The secret key that you received with the access key ID when you created the IAM user account.

    The characters of the secret key are displayed as asterisks. After you begin entering the secret key, the Show button is displayed. Click and hold this button for the necessary amount of time to view the characters you entered.

    The field is available if you selected an AWS IAM access key for authorization instead of an IAM role.

If you use an Azure SQL database in the Azure cloud environment, you have to provide information about your Azure SQL Server to Kaspersky Security Center when the Administration Server backup task is being created. In this case, fill in the following fields:

If you are deploying the Administration Server in the Google Cloud, you have to select a folder where the backup copies will be stored. Select a folder on your local device or a folder on a virtual machine instance.

The Next button becomes available after the creation of all policies and tasks that are necessary for minimum configuration of protection.

If a device on which the tasks are supposed to run is not visible to the Administration Server, then the tasks start only when the device becomes visible. If you create a new EC2 instance or a new Azure virtual machine, it might take some time before it becomes visible to the Administration Server. If you want Network Agent and the security applications to be installed on all the newly created devices as soon as possible, make sure that the Run missed tasks option is enabled for the Install application remotely tasks. Otherwise, a newly created instance/virtual machine will not get Network Agent and the security applications until the task starts according to its schedule.

See also:

Creating IAM roles and IAM user accounts for Amazon EC2 instances

Creating a subscription, Application ID, and password

Creating client email, project ID, and private key

Scenario: Deployment for cloud environment

Working with Amazon RDS

Working with Azure SQL

Working with Google Cloud SQL for MySQL instance


Step 8. Selecting the action when the operating system must be restarted during installation (for the cloud environment)


If you previously selected Deploy protection, you must choose what to do when the operating system of a target device has to be restarted. If you did not select the Deploy protection option, this step is skipped.

Select whether to restart instances if the device operating system has to be restarted during installation of applications:

  • Do not restart the device

    If this option is selected, the device will not be restarted after the security application installation.

  • Restart the device

    If this option is selected, the device will be restarted after the security application installation.

If you want to force the closing of all applications in blocked sessions on the instances before the restart, select the Force closure of applications in blocked sessions check box. If this check box is cleared, you will have to manually close all applications that are running on blocked instances.

See also:

Scenario: Deployment for cloud environment


Step 9. Receiving updates by the Administration Server

At this step, you can view the progress of downloading updates necessary for correct operation of the Administration Server. You can click the Next button, without waiting for download completion, to proceed to the final page of the Wizard.

The Wizard finishes.

See also:

Scenario: Deployment for cloud environment
