Kaspersky Security Center 13.1

Cloud Environment Configuration Wizard in Kaspersky Security Center 13.1 Web Console

To configure Kaspersky Security Center by using this Wizard, you must have the following:

The Cloud Environment Configuration Wizard starts automatically at the first connection to Administration Server through Administration Console if you deploy Kaspersky Security Center from a ready-to-use image. You can also start the Cloud Environment Configuration Wizard manually at any time.

To start the Cloud Environment Configuration Wizard manually,

In the main menu, go to DISCOVERY & DEPLOYMENT → DEPLOYMENT & ASSIGNMENT → Cloud Environment Configuration Wizard.

The Wizard starts.

An average work session with this Wizard lasts about 15 minutes.

In this section

Step 1. Reading information about the Wizard

Step 2. Licensing the application

Step 3. Selecting the cloud environment and authorization

Step 4. Segment polling, configuring synchronization with Cloud and choosing further actions

Step 5. Configuring Kaspersky Security Network for Kaspersky Security Center

Step 6. Creating an initial configuration of protection


Step 1. Reading information about the Wizard

Read about the Cloud Environment Configuration Wizard on the Welcome page and click Next to proceed.


Step 2. Licensing the application

This step is displayed only if you are using a BYOL AMI and you have not activated the application with a Kaspersky Security for Virtualization license or a Kaspersky Hybrid Cloud Security license.

Specify the license key and click Next to proceed.

The license key is added to the Administration Server storage.

If you run the Wizard again, this step is not displayed.


Step 3. Selecting the cloud environment and authorization

This section describes features applicable only to Kaspersky Security Center 12.1 or a later version.

Specify the following settings:

  • Cloud environment

    Select the cloud environment in which you are deploying Kaspersky Security Center: AWS, Azure, or Google Cloud.

    If you plan to work with more than one cloud environment, select one environment and then run the Wizard again.

  • Connection name

    Enter a name for the connection. The name cannot contain more than 256 characters. Only Unicode characters are permitted.

    This name will also be used as the name for the administration group for the cloud devices.

    If you plan to work with more than one cloud environment, you might want to include the name of the environment in the connection name, for example, "Azure Segment", "AWS Segment", or "Google Segment".

Enter your credentials to receive authorization in the cloud environment that you specified.

AWS

If you selected AWS as the cloud segment type, you need an IAM role or an AWS IAM access key for further polling of the cloud segment.

  • AWS IAM role assigned to an EC2 instance

    Select this option if you have an IAM role with the required rights for the Administration Server.

  • AWS IAM user

    Select this option if you have an AWS IAM access key. Enter your key data:

    • Access key ID

      The IAM access key ID is a sequence of alphanumeric characters. You received the key ID when you created the IAM user account.

      The field is available if you selected an AWS IAM access key for authorization instead of an IAM role.

    • Secret key

      The secret key that you received with the access key ID when you created the IAM user account.

      The characters of the secret key are displayed as asterisks. After you begin entering the secret key, the Show button is displayed.

      The field is available if you selected an AWS IAM access key for authorization instead of an IAM role.

      To see the characters that you entered, click and hold the Show button.
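The choice between the two AWS options above depends on whether the Administration Server instance already has an IAM role attached. The following check is an added example, not part of the original Kaspersky documentation. It assumes it is run on the Administration Server EC2 instance with the instance metadata service (IMDSv2) reachable, and it reports only whether a role is attached, not whether that role has the rights the Administration Server requires.

```python
"""Added example: does this EC2 instance have an IAM role attached?"""
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254/latest"  # EC2 instance metadata service (link-local)


def imds_request(method, path, headers):
    """Send one IMDS request; return (HTTP status, body text)."""
    req = urllib.request.Request(IMDS + path, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def attached_role(request=imds_request):
    """Return the name of the attached IAM role, or None if there is none."""
    # IMDSv2: obtain a short-lived session token first.
    status, token = request(
        "PUT", "/api/token", {"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    if status != 200:
        raise RuntimeError(f"IMDS token request failed with HTTP {status}")
    status, body = request(
        "GET", "/meta-data/iam/security-credentials/",
        {"X-aws-ec2-metadata-token": token})
    if status == 404 or not body.strip():
        return None  # no instance profile attached to this instance
    if status != 200:
        raise RuntimeError(f"IMDS role lookup failed with HTTP {status}")
    return body.split()[0]


def wizard_option(role):
    """Map the result to the Step 3 option names used on this page."""
    if role:
        return "AWS IAM role assigned to an EC2 instance"
    return "AWS IAM user"


if __name__ == "__main__":
    try:
        role = attached_role()
    except (RuntimeError, OSError) as exc:  # not on EC2, or IMDS disabled
        raise SystemExit(f"Cannot query instance metadata: {exc}")
    print(f"Attached role: {role or 'none'} -> select '{wizard_option(role)}'")
```

When a role is attached, selecting it in the Wizard avoids storing a long-lived access key and secret key in the application settings.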

Azure

If you selected Azure as the cloud segment type, specify the following settings for the connection that will be used for further polling of the cloud segment:

  • Azure Application ID

    You created this application ID on the Azure portal.

    You can provide only one Azure Application ID for polling and other purposes. If you want to poll another Azure segment, you must first delete the existing Azure connection.

  • Azure Subscription ID

    You created the subscription on the Azure portal.

  • Azure Application password

    You received the password of the Application ID when you created the Application ID.

    The characters of the password are displayed as asterisks. After you begin entering the password, the Show button becomes available.

    To see the characters that you entered, click and hold the Show button.

  • Azure storage account name

    You created the name of the Azure storage account for working with Kaspersky Security Center.

  • Azure storage access key

    You received a password (key) when you created the Azure storage account for working with Kaspersky Security Center.

    The key is available in section "Overview of the Azure storage account," in subsection "Keys."

    To see the characters that you entered, click and hold the Show button.

Google Cloud

If you selected Google Cloud as the cloud segment type, specify the following settings for the connection that will be used for further polling of the cloud segment:

  • Client email address

    Client email is the email address that you used for registering your project at Google Cloud.

  • Project ID

    Project ID is the ID that you received when you registered your project at Google Cloud.

  • Private key

    Private key is the sequence of characters that you received as your private key when you registered your project at Google Cloud. You might want to copy and paste this sequence to avoid mistakes.

    To see the characters that you entered, click and hold the Show button.

The connection that you specified is saved in the application settings.

The Cloud Environment Configuration Wizard allows you to specify only one segment. Later, you can specify more connections to manage other cloud segments.

Click Next to proceed.

See also:

Adding connections for cloud segment polling


Step 4. Segment polling, configuring synchronization with Cloud and choosing further actions

At this step, cloud segment polling starts, and a special administration group for cloud devices is automatically created. The devices found during polling are placed into this group. The cloud segment polling schedule is configured (every 5 minutes by default; you can change this setting later).

A Synchronize with Cloud automatic moving rule is also created. During each subsequent scan of the cloud network, the detected virtual devices are moved to the corresponding subgroup within the Managed devices\Cloud group.

Define the following settings:

  • Synchronize administration groups with cloud structure

    If this option is enabled, the Cloud group is automatically created within the Managed devices group and a cloud device discovery is started. The instances and virtual machines detected during each cloud network scan are placed into the Cloud group. The structure of the administration subgroups within this group matches the structure of your cloud segment (in AWS, availability zones and placement groups are not represented in the structure; in Azure, subnets are not represented in the structure). Devices that have not been identified as instances in the cloud environment are in the Unassigned devices group. This group structure allows you to use group installation tasks to install anti-virus applications on instances, as well as set up different policies for different groups.

    If this option is disabled, the Cloud group is also created and the cloud device discovery is also started; however, subgroups matching the cloud segment structure are not created within the group. All detected instances are in the Cloud administration group so they are displayed in a single list. If your work with Kaspersky Security Center requires synchronization, you can modify the properties of the Synchronize with Cloud rule and enforce it. Enforcing this rule alters the structure of subgroups in the Cloud group so that it matches the structure of your cloud segment.

    By default, this option is disabled.

  • Deploy protection

    If this option is selected, the Wizard creates a task to install security applications on instances. After the Wizard finishes, the Protection Deployment Wizard automatically starts on the devices in your cloud segments, and you will be able to install Network Agent and security applications on those devices.

    Kaspersky Security Center can perform the deployment with its native tools. If you do not have permissions to install the applications on EC2 instances or Azure virtual machines, you can configure the Remote installation task manually and specify an account with the required permissions. In this case, the Remote installation task will not work for the devices discovered using AWS API or Azure. This task will only work for the devices discovered using Active Directory polling, Windows domains polling, or IP range polling.

    If this option is not selected, the Protection Deployment Wizard is not started and tasks for installing security applications on instances are not created. You can manually perform both actions later.

If you select the Deploy protection option, the Restarting devices section becomes available. In this section, you must choose what to do when the operating system of a target device has to be restarted. Select whether to restart instances if the device operating system has to be restarted during installation of applications:

  • Do not restart

    If this option is selected, the device will not be restarted after the security application installation.

  • Restart

    If this option is selected, the device will be restarted after the security application installation.

Click Next to proceed.

For Google Cloud, you can only perform deployment with Kaspersky Security Center native tools. If you selected Google Cloud, the Deploy protection option is not available.

See also:

Synchronization with Cloud: configuring the moving rule


Step 5. Configuring Kaspersky Security Network for Kaspersky Security Center

Specify the settings for relaying information about Kaspersky Security Center operations to the Kaspersky Security Network (KSN) knowledge base. Select one of the following options:

  • I agree to use Kaspersky Security Network

    Kaspersky Security Center and managed applications installed on client devices will automatically transfer their operation details to Kaspersky Security Network. Participation in Kaspersky Security Network ensures faster updates of databases containing information about viruses and other threats, which ensures a faster response to emergent security threats.

  • I do not agree to use Kaspersky Security Network

    Kaspersky Security Center and managed applications will provide no information to Kaspersky Security Network.

    If you select this option, the use of Kaspersky Security Network will be disabled.

Kaspersky recommends participation in Kaspersky Security Network.

KSN agreements for managed applications may also be displayed. If you agree to use Kaspersky Security Network, the managed application will send data to Kaspersky. If you do not agree to participate in Kaspersky Security Network, the managed application will not send data to Kaspersky. (You can change this setting later in the application policy.)

Click Next to proceed.


Step 6. Creating an initial configuration of protection

You can check a list of policies and tasks that are created.

Wait for the creation of policies and tasks to complete, and then click Next to proceed. On the last page of the Wizard, click the Finish button to exit.
