Working with Kaspersky Security Center 13.1 Web Console in a cloud environment

This section provides information about Kaspersky Security Center 13.1 Web Console features related to deployment and maintenance of Kaspersky Security Center in cloud environments, such as Amazon Web Services, Microsoft Azure, or Google Cloud.

To work within a cloud environment, you need a special license. If you do not have such a license, the interface elements related to cloud devices are not displayed.

Cloud Environment Configuration Wizard in Kaspersky Security Center 13.1 Web Console

To configure Kaspersky Security Center by using this Wizard, you must have the following:

• Specific credentials for a cloud environment:
  • An IAM role that has been granted the right to poll the cloud segment or an IAM user account that has been granted the right to poll the cloud segment (for work with Amazon Web Services)
  • Azure Application ID, password, and subscription (for work with Microsoft Azure)
  • Google client email, Project ID, and private key (for work with Google Cloud)
• Plug-in for Kaspersky Endpoint Security for Linux (Web Console plug-in)
• Plug-in for Kaspersky Endpoint Security for Windows (Web Console plug-in)
• Network Agent for Windows
• Network Agent for Linux
• Installation package for Kaspersky Endpoint Security for Linux
• Installation package for Kaspersky Security for Windows Server

The Cloud Environment Configuration Wizard starts automatically at the first connection to Administration Server through Administration Console if you deploy Kaspersky Security Center from a ready-to-use image. You can also start the Cloud Environment Configuration Wizard manually at any time.

To start the Cloud Environment Configuration Wizard manually,

In the main menu, go to DISCOVERY & DEPLOYMENT → DEPLOYMENT & ASSIGNMENT → Cloud Environment Configuration Wizard.

The Wizard starts.

An average work session with this Wizard lasts about 15 minutes.

Step 1. Reading information about the Wizard

Read about the Cloud Environment Configuration Wizard on the Welcome page and click Next to proceed.

Step 2. Licensing the application

This step is displayed only if you are using a BYOL AMI and you have not activated the application with a Kaspersky Security for Virtualization license or a Kaspersky Hybrid Cloud Security license.

Specify the license key and click Next to proceed.

The license key is added to the Administration Server storage.

If you run the Wizard again, this step is not displayed.

Page top

Step 3. Selecting the cloud environment and authorization

Expand all | Collapse all

This section describes features applicable only to Kaspersky Security Center 12.1 or a later version.

Specify the following settings:

• Cloud environment

  Select the cloud environment in which you are deploying Kaspersky Security Center: AWS, Azure, or Google Cloud.

  If you plan to work with more than one cloud environment, select one environment and then run the Wizard again.

• Connection name

  Enter a name for the connection. The name cannot contain more than 256 characters. Only Unicode characters are permitted.

  This name will also be used as the name for the administration group for the cloud devices.

  If you plan to work with more than one cloud environment, you might want to include the name of the environment in the connection name, for example, "Azure Segment", "AWS Segment", or "Google Segment".

Enter your credentials to receive authorization in the cloud environment that you specified.

AWS

If you selected AWS as the cloud segment type, you need an IAM role or an AWS IAM access key for further polling of the cloud segment.

• AWS IAM role assigned to an EC2 instance

  Select this option if you have an IAM role with the required rights for the Administration Server.

• AWS IAM user

  Select this option if you have an AWS IAM access key. Enter your key data:

  • Access key ID

    The IAM access key ID is a sequence of alphanumeric characters. You received the key ID when you created the IAM user account.

    The field is available if you selected an AWS IAM access key for authorization instead of an IAM role.

  • Secret key

    The secret key that you received with the access key ID when you created the IAM user account.

    The characters of the secret key are displayed as asterisks. After you begin entering the secret key, the Show button is displayed. Click and hold this button for the necessary amount of time to view the characters you entered.

    The field is available if you selected an AWS IAM access key for authorization instead of an IAM role.

    To see the characters that you entered, click and hold the Show button.

Azure

If you selected Azure as the cloud segment type, specify the following settings for the connection that will be used for further polling of the cloud segment:

• Azure Application ID

  You created this application ID on the Azure portal.

  You can provide only one Azure Application ID for polling and other purposes. If you want to poll another Azure segment, you must first delete the existing Azure connection.

• Azure Subscription ID

  You created the subscription on the Azure portal.

• Azure Application password

  You received the password of the Application ID when you created the Application ID.

  The characters of the password are displayed as asterisks. After you begin entering the password, the Show button becomes available. Click and hold this button to view the characters you entered.

  To see the characters that you entered, click and hold the Show button.

• Azure storage account name

  You created the name of the Azure storage account for working with Kaspersky Security Center.

• Azure storage access key

  You received a password (key) when you created Azure storage account for working with Kaspersky Security Center.

  The key is available in section "Overview of the Azure storage account," in subsection "Keys."

  To see the characters that you entered, click and hold the Show button.

Google Cloud

If you selected Google Cloud as the cloud segment type, specify the following settings for the connection that will be used for further polling the cloud segment:

• Client email address

  Client email is the email address that you used for registering your project at Google Cloud.

• Project ID

  Project ID is the ID that you received when you registered your project at Google Cloud.

• Private key

  Private key is the sequence of characters that you received as your private key when you registered your project at Google Cloud. You might want to copy and paste this sequence to avoid mistakes.

  To see the characters that you entered, click and hold the Show button.

The connection that you specified is saved in the application settings.

The Cloud Environment Configuration Wizard allows you to specify only one segment. Later, you can specify more connections to manage other cloud segments.

Click Next to proceed.

Step 4. Segment polling, configuring synchronization with Cloud and choosing further actions

Expand all | Collapse all

At this step, cloud segment polling starts, and a special administration group for cloud devices is automatically created. The devices found during polling are placed into this group. The cloud segment polling schedule is configured (every 5 minutes by default; you can change this setting later).

A Synchronize with Cloud automatic moving rule is also created. For each subsequent scan of the cloud network, virtual devices detected will be moved to the corresponding subgroup within the Managed devices\Cloud group.

Define the following settings:

• Synchronize administration groups with cloud structure

  If this option is enabled, the Cloud group is automatically created within the Managed devices group and a cloud device discovery is started. The instances and virtual machines detected during each cloud network scan are placed into the Cloud group. The structure of the administration subgroups within this group matches the structure of your cloud segment (in AWS, availability zones and placement groups are not represented in the structure; in Azure, subnets are not represented in the structure). Devices that have not been identified as instances in the cloud environment are in the Unassigned devices group. This group structure allows you to use group installation tasks to install anti-virus applications on instances, as well as set up different policies for different groups.

  If this option is disabled, the Cloud group is also created and the cloud device discovery is also started; however, subgroups matching the cloud segment structure are not created within the group. All detected instances are in the Cloud administration group so they are displayed in a single list. If your work with Kaspersky Security Center requires synchronization, you can modify the properties of the Synchronize with Cloud rule and enforce it. Enforcing this rule alters the structure of subgroups in the Cloud group so that it matches the structure of your cloud segment.

  By default, this option is disabled.

• Deploy protection

  If this option is selected, the Wizard creates a task to install security applications on instances. After the Wizard finishes, the Protection Deployment Wizard automatically starts on the devices in your cloud segments, and you will be able to install Network Agent and security applications on those devices.

  Kaspersky Security Center can perform the deployment with its native tools. If you do not have permissions to install the applications on EC2 instances or Azure virtual machines, you can configure the Remote installation task manually and specify an account with the required permissions. In this case, the Remote installation task will not work for the devices discovered using AWS API or Azure. This task will only work for the devices discovered using Active Directory polling, Windows domains polling, or IP range polling.

  If this option is not selected, the Protection Deployment Wizard is not started and tasks for installing security applications on instances are not created. You can manually perform both actions later.

If you select the Deploy protection option, the Restarting devices section becomes available. In this section, you must choose what to do when the operating system of a target device has to be restarted. Select whether to restart instances if the device operating system has to be restarted during installation of applications:

• Do not restart

  If this option is selected, the device will not be restarted after the security application installation.

• Restart

  If this option is selected, the device will be restarted after the security application installation.

Click Next to proceed.

For Google Cloud, you can only perform deployment with Kaspersky Security Center native tools. If you selected Google Cloud, the Deploy protection option is not available.

Step 5. Configuring Kaspersky Security Network for Kaspersky Security Center

Expand all | Collapse all

Specify the settings for relaying information about Kaspersky Security Center operations to the Kaspersky Security Network (KSN) knowledge base. Select one of the following options:

• I agree to use Kaspersky Security Network

  Kaspersky Security Center and managed applications installed on client devices will automatically transfer their operation details to Kaspersky Security Network. Participation in Kaspersky Security Network ensures faster updates of databases containing information about viruses and other threats, which ensures a faster response to emergent security threats.

• I do not agree to use Kaspersky Security Network

  Kaspersky Security Center and managed applications will provide no information to Kaspersky Security Network.

  If you select this option, the use of Kaspersky Security Network will be disabled.

Kaspersky recommends participation in Kaspersky Security Network.

KSN agreements for managed applications may also be displayed. If you agree to use Kaspersky Security Network, the managed application will send data to Kaspersky. If you do not agree to participate in Kaspersky Security Network, the managed application will not send data to Kaspersky. (You can change this setting later in the application policy.)

Click Next to proceed.

Step 6. Creating an initial configuration of protection

You can check a list of policies and tasks that are created.

Wait for the creation of policies and tasks to complete, and then click Next to proceed. On the last page of the Wizard, click the Finish button to exit.

Network segment polling via Kaspersky Security Center 13.1 Web Console

Information about the structure of the network (and devices in it) is received by Administration Server through regular polling of cloud segments by using AWS API, Azure API, or Google API tools. Kaspersky Security Center uses this information to update the contents of the Unassigned devices and Managed devices folders. If you have configured devices to be moved to administration groups automatically, detected devices are included in administration groups.

To allow the Administration Server to poll cloud segments, you must have the corresponding rights that are provided with an IAM role or IAM user account (in AWS), or with Application ID and password (in Azure), or with a Google client email, Google project ID, and private key (in Google Cloud).

You can add and delete connections, as well as set the polling schedule, for each cloud segment.

Adding connections for cloud segment polling

Expand all | Collapse all

To add a connection for cloud segment polling to the list of available connections:

1. In the main menu, go to DISCOVERY & DEPLOYMENT → DISCOVERY → CLOUD.
2. In the window that opens, click Properties.
3. In the Settings window that opens, click Add.

   The Cloud segment settings window opens.

4. Specify the name of the cloud environment for the connection that will be used for further polling of the cloud segment:
   • Cloud environment

     Select the cloud environment in which you are deploying Kaspersky Security Center: AWS, Azure, or Google Cloud.

     If you plan to work with more than one cloud environment, select one environment and then run the Wizard again.

   • Connection name

     Enter a name for the connection. The name cannot contain more than 256 characters. Only Unicode characters are permitted.

     This name will also be used as the name for the administration group for the cloud devices.

     If you plan to work with more than one cloud environment, you might want to include the name of the environment in the connection name, for example, "Azure Segment", "AWS Segment", or "Google Segment".

5. Enter your credentials to receive authorization in the cloud environment that you specified.
   • If you selected AWS, specify the following settings:
     • Use AWS IAM role

       Select this option if you have already created an IAM role for the Administration Server to use AWS services.

     • AWS IAM user account credentials

       Select this option if you have an IAM user account with the necessary permissions and you can enter a key ID and secret key.

       If you specified that you have AWS IAM user account credentials, specify the following:

       • Access key ID

         The IAM access key ID is a sequence of alphanumeric characters. You received the key ID when you created the IAM user account.

         The field is available if you selected an AWS IAM access key for authorization instead of an IAM role.

       • Secret key

         The secret key that you received with the access key ID when you created the IAM user account.

         The characters of the secret key are displayed as asterisks. After you begin entering the secret key, the Show button is displayed. Click and hold this button for the necessary amount of time to view the characters you entered.

         The field is available if you selected an AWS IAM access key for authorization instead of an IAM role.

       To see the characters that you entered, click and hold the Show button.

   • If you selected Azure, specify the following settings:
     • Azure Application ID

       You created this application ID on the Azure portal.

       You can provide only one Azure Application ID for polling and other purposes. If you want to poll another Azure segment, you must first delete the existing Azure connection.

     • Azure Subscription ID

       You created the subscription on the Azure portal.

     • Azure Application password

       You received the password of the Application ID when you created the Application ID.

       The characters of the password are displayed as asterisks. After you begin entering the password, the Show button becomes available. Click and hold this button to view the characters you entered.

       To see the characters that you entered, click and hold the Show button.

     • Azure storage account name

       You created the name of the Azure storage account for working with Kaspersky Security Center.

     • Azure storage access key

       You received a password (key) when you created Azure storage account for working with Kaspersky Security Center.

       The key is available in section "Overview of the Azure storage account," in subsection "Keys."

       To see the characters that you entered, click and hold the Show button.

   If you selected Google Cloud, specify the following settings:

   • Client email address

     Client email is the email address that you used for registering your project at Google Cloud.

   • Project ID

     Project ID is the ID that you received when you registered your project at Google Cloud.

   • Private key

     Private key is the sequence of characters that you received as your private key when you registered your project at Google Cloud. You might want to copy and paste this sequence to avoid mistakes.

     To see the characters that you entered, click and hold the Show button.

6. If you want, click Set polling schedule and change the default settings.

The connection is saved in the application settings.

After the new cloud segment is polled for the first time, the subgroup corresponding to that segment appears in the Managed devices\Cloud administration group.

If you specify incorrect credentials, no instances will be found during cloud segment polling and a new subgroup will not appear in the Managed devices\Cloud administration group.

Deleting a connection for cloud segment polling

If you no longer have to poll a specific cloud segment, you can delete the connection corresponding to it from the list of available connections. You can also delete a connection if, for example, permissions to poll a cloud segment have been transferred to another user who has different credentials.

To delete a connection:

1. In the main menu, go to DISCOVERY & DEPLOYMENT → DISCOVERY → CLOUD.
2. In the window that opens, click Properties.
3. In the Settings window that opens, click the name of the segment that you want to delete.
4. Click Delete.
5. In the window that opens, click the OK button to confirm your selection.

The connection is deleted. The devices in the cloud segment corresponding to this connection are automatically deleted from the administration groups.

Configuring the polling schedule via Kaspersky Security Center 13.1 Web Console

Expand all | Collapse all

Cloud segment polling is performed according to schedule. You can set the polling frequency.

The polling frequency is automatically set at 5 minutes by the Cloud Environment Configuration Wizard. You can change this value at any time and set a different schedule. However, it is not recommended to configure polling to run more frequently than every 5 minutes, because this could lead to errors in the API operation.

To configure a cloud segment polling schedule:

1. In the main menu, go to DISCOVERY & DEPLOYMENT → DISCOVERY → CLOUD.
2. In the window that opens, click Properties.
3. In the Settings window that opens, click the name of the segment for which you want to configure a polling schedule.

   This opens the Cloud segment settings window.

4. In the Cloud segment settings window, click the Set polling schedule button.

   This opens the Schedule window.

5. In the Schedule window, define the following settings:
   • Scheduled start

     Polling schedule options:

     • Every N days

       The polling runs regularly, with the specified interval in days, starting from the specified date and time.

       By default, the polling runs every day, starting from the current system date and time.

     • Every N minutes

       The polling runs regularly, with the specified interval in minutes, starting from the specified time.

       By default, the polling runs every five minutes, starting from the current system time.

     • By days of week

       The polling runs regularly, on the specified days of week, and at the specified time.

       By default, the polling runs every Friday at 6:00:00 PM.

     • Every month on specified days of selected weeks

       The polling runs regularly, on the specified days of each month, and at the specified time.

       By default, no days of month are selected; the default start time is 6:00:00 PM.

   • Start interval (min)

     Specify what N is equal to (for minutes or days).

   • Starting from

     Specify when to start the first poll.

   • Run missed tasks

     If the Administration Server is switched off or unavailable during the time for which the poll is scheduled, the Administration Server can either start the poll immediately after it is switched on, or wait for the next time for which the poll scheduled.

     If this option is enabled, the Administration Server starts polling immediately after it is switched on.

     If this option is disabled, the Administration Server waits for the next time for which the polling is scheduled.

     By default, this option is enabled.

6. Click Save to save the changes.

The polling schedule for the segment is configured and saved.

Page top

Viewing the results of cloud segment polling via Kaspersky Security Center 13.1 Web Console

You can view the results of cloud segment polling, that is, view the list of cloud devices managed by the Administration Server.

To view the results of cloud segment polling,

In the main menu, go to DISCOVERY & DEPLOYMENT → DISCOVERY → CLOUD.

This displays the cloud segments available for polling.

Page top

Viewing the properties of cloud devices via Kaspersky Security Center 13.1 Web Console

You can view the properties of each cloud device.

To view the properties of a cloud device:

1. In the main menu, go to DEVICES → MANAGED DEVICES.
2. Click the name of the device whose properties you want to view.

   A properties window opens with the General section selected.

3. If you want to view the properties specific for cloud devices, select the System section in the properties window.

   The properties are displayed depending on the cloud platform of the device.

   For the devices in AWS, the following properties are displayed:

   • Device discovered using API (value: AWS)
   • Cloud Region
   • Cloud VPC
   • Cloud availability zone
   • Cloud subnet
   • Cloud placement group (this unit is only displayed if the instance belongs to a placement group; otherwise, it is not displayed)

   For the devices in Azure, the following properties are displayed:

   • Device discovered using API (value: Microsoft Azure)
   • Cloud Region
   • Cloud subnet

   For the devices in Google Cloud, the following properties are displayed:

   • Device discovered using API (value: Google Cloud)
   • Cloud Region
   • Cloud VPC
   • Cloud availability zone
   • Cloud subnet

Page top

Synchronization with Cloud: configuring the moving rule

Expand all | Collapse all

During the Cloud Environment Configuration Wizard operation, the Synchronize with Cloud rule is created automatically. This rule allows you to automatically move devices detected in each poll from the Unassigned devices group to the Managed devices\Cloud group, to make these devices available for centralized management. By default, the rule is active after it is created. You can disable, modify, or enforce the rule at any time.

To edit the properties of the Synchronize with Cloud rule and/or enforce the rule:

1. In the main menu, go to DISCOVERY & DEPLOYMENT → DEPLOYMENT & ASSIGNMENT → MOVING RULES.

   This opens a list of moving rules.

2. In the list of moving rules, select Synchronize with cloud.

   This opens the rule properties window.

3. If necessary, specify the following settings in the Rule conditions tab, in the Cloud segments tab:
   • Device is in a cloud segment

     The rule only applies to devices that are in the selected cloud segment. Otherwise, the rule applies to all devices that have been discovered.

     By default, this option is selected.

   • Include child objects

     The rule applies to all devices in the selected segment and in all nested cloud subsections. Otherwise, the rule only applies to devices that are in the root segment.

     By default, this option is selected.

   • Move devices from nested objects to corresponding subgroups

     If this option is enabled, devices from nested objects are automatically moved to the subgroups that correspond to their structure.

     If this option is disabled, devices from nested objects are automatically moved to the root of the Cloud subgroup without any further branching.

     By default, this option is enabled.

   • Create subgroups corresponding to containers of newly detected devices

     If this option is enabled, when the structure of the Managed devices\Cloud group has no subgroups that will match the section containing the device, Kaspersky Security Center creates such subgroups. For example, if a new subnet is discovered during device discovery, a new group with the same name will be created under the Managed devices\Cloud group.

     If this option is disabled, Kaspersky Security Center does not create any new subgroups. For example, if a new subnet is discovered during network poll, a new group with the same name will not be created under the Managed devices\Cloud group, and the devices that are in that subnet will be moved into the Managed devices\Cloud group.

     By default, this option is enabled.

   • Delete subgroups for which no match is found in the cloud segments

     If this option is enabled, the application deletes from the Cloud group all the subgroups that do not match any existing cloud objects.

     If this option is disabled, subgroups that do not match any of the existing cloud objects are retained.

     By default, this option is enabled.

   If you enabled the Synchronize administration groups with cloud structure option when using the Cloud Environment Configuration Wizard, the Synchronize with cloud rule is created with the Create subgroups corresponding to containers of newly detected devices and Delete subgroups for which no match is found in the cloud segments options enabled.

   If you did not enable the Synchronize administration groups with cloud structure option, the Synchronize with cloud rule is created with these options disabled (cleared). If your work with Kaspersky Security Center requires that the structure of subgroups in the Managed devices\Cloud subgroup matches the structure of cloud segments, enable the Create subgroups corresponding to containers of newly detected devices and Delete subgroups for which no match is found in the cloud segments options in the rule properties, and then enforce the rule.

4. In the Device discovered by using the API drop-down list, select one of the following values:
   • No. The device cannot be detected by using AWS, Azure, or Google API, that is, it is either outside the cloud environment, or it is in the cloud environment but it cannot be detected by using an API for some reason.
   • AWS. The device is discovered by using AWS API, that is, the device definitely is in the AWS cloud environment.
   • Azure. The device is discovered by using Azure API, that is, the device definitely is in the Azure cloud environment.
   • Google Cloud. The device is discovered by using Google API, that is, the device definitely is in the Google cloud environment.
   • No value. This criterion cannot be applied.
5. If necessary, set up other rule properties in the other sections.

The moving rule is configured.

Creating Backup of the Administration Server data task by using a cloud DBMS

Expand all | Collapse all

Backup tasks are Administration Server tasks. You create a backup task if you want to use a DBMS located in a cloud environment (AWS or Azure).

To create an Administration Server data backup task:

1. In the main menu, go to DEVICES → TASKS.
2. Click Add.

   The Add Task Wizard starts.

3. On the first page of the Wizard, in the Application list, select Kaspersky Security Center 13.1, and in the Task type list, select Backup of Administration Server data.
4. On the corresponding page of the Wizard, specify the following information:
   • If you are working with a database in AWS:
     • S3 bucket name

       The name of the S3 bucket that you created for the Backup.

     • Access key ID

       You received the key ID (sequence of alphanumeric characters) when you created the IAM user account for working with S3 bucket storage instance.

       The field is available if you selected RDS database on an S3 bucket.

     • Secret key

       The secret key that you received with the access key ID when you created the IAM user account.

       The characters of the secret key are displayed as asterisks. After you begin entering the secret key, the Show button is displayed. Click and hold this button for the necessary amount of time to view the characters you entered.

       The field is available if you selected an AWS IAM access key for authorization instead of an IAM role.

   • If you are working with a database in Microsoft Azure:
     • Azure storage account name

       You created the name of the Azure storage account for working with Kaspersky Security Center.

     • Azure Subscription ID

       You created the subscription on the Azure portal.

     • Azure password

       You received the password of the Application ID when you created the Application ID.

       The characters of the password are displayed as asterisks. After you begin entering the password, the Show button becomes available. Click and hold this button to view the characters you entered.

     • Azure Application ID

       You created this application ID on the Azure portal.

       You can provide only one Azure Application ID for polling and other purposes. If you want to poll another Azure segment, you must first delete the existing Azure connection.

     • Azure SQL server name

       The name and the resource group are available in your Azure SQL Server properties.

     • Azure SQL server resource group

       The name and the resource group are available in your Azure SQL Server properties.

     • Azure storage access key

       Available in the properties of your storage account, in the Access Keys section. You can use any of the keys (key1 or key2).

The task is created and displayed in the list of tasks. If you enable the Open task details when creation is complete option, you can modify the default task settings immediately after the task is created. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.

Page top