REFERENCE ARCHITECTURE

Cloud Security Guardian for AWS

Onboarding and initial setup for AWS Cloud Infrastructure

Overview

Barracuda Cloud Security Guardian is an agentless SaaS service that makes it easy to stay secure while building applications in, and moving workloads to, public-cloud infrastructures. It provides end-to-end visibility of your security posture in your public-cloud deployment, and ensures continuous compliance and automated remediation of security controls so that you can better understand and reduce your risk posture.

Barracuda Cloud Security Guardian discovers and analyzes your entire cloud deployment and lays it out graphically, even if your deployment straddles multiple cloud infrastructures. From here, you can choose to use predefined policy frameworks such as CIS and PCI-DSS, or to create customized policy settings that best fit your business and security objectives. Cloud Security Guardian comes with pre-loaded policies using CIS Benchmarks for AWS and is certified on CIS Benchmarks Foundation V1.2.0, Level 2.

The system then assesses your deployment for policy violations. The assessment process continues to run in the background as Barracuda Cloud Security Guardian watches over your environment, remediating configuration drift and policy deviations that may get introduced over time. Remediation of policy violations and vulnerabilities is just a click away.

Barracuda Cloud Security Guardian can configure and deploy Barracuda CloudGen WAFs and Barracuda CloudGen Firewalls as needed to secure your applications and infrastructure in the cloud.

Creating a Barracuda Cloud Security Guardian account on AWS

To create a Barracuda Cloud Security Guardian account, follow these steps.

  1. In a browser, navigate to guardian.barracuda.com.
    Note: If you received an email invitation for Barracuda Cloud Security Guardian, click the link in the email invitation and proceed to Step 5 below.
  2. Click Free Trial.
    Note that the trial period is 30 days. Before the 30 days are over, you must specify a license. Refer to Licenses for details.
  3. Provide your email address and click Register.
  4. An email is sent to you. Click the link in the email to confirm your identity.
  5. Complete the registration form and click Register. Then click Sign In.
  6. On the login page, enter your credentials and click Sign In.

After you have set up your account, the Dashboard displays Get Started with Cloud Security Guardian. Click the Get Started link.

Step 2: Adding a Cloud Service Account - AWS

Barracuda Cloud Security Guardian must be able to communicate with your Cloud Service account. Perform the following steps to enable communication.

You must complete Step 1: Creating a Cloud Security Guardian Account - AWS before proceeding with this step.

Barracuda Cloud Security Guardian is automatically licensed for 30 days, as part of the free trial. After you purchase Barracuda Cloud Security Guardian, you must specify the license. Refer to Licenses for details.

Continuing from Step 1: Creating a Cloud Security Guardian Account - AWS, click Get Started with AWS.

If you are not already at this screen, follow these steps to get there:

  1. In Barracuda Cloud Security Guardian, navigate to Settings > Cloud Service Providers.
  2. Click Add Account to open the Barracuda Cloud Security Guardian onboarding wizard.

Click Launch Stack to open your AWS console in a new browser tab and launch a new stack. If you choose, you can download the CloudFormation template to help you launch the stack.

In AWS, create the stack. For the Template, select Specify an Amazon S3 template URL. This field should already include the Barracuda Cloud Security Guardian template. Click Next.

Enter a name for the stack and for CrossAccountRoleName, then click Next.

On the Options page, accept the default entries and click Next.

On the Review page, acknowledge that you are creating an IAM role. Then click Create.

The system will work for a moment to create the stack.

When the creation is complete, click the stack.

Under Outputs, locate the RoleARN. Copy the value of the key RoleARN.

Back in the Barracuda Cloud Security Guardian onboarding wizard, paste the RoleARN of the role you just created.

In AWS, locate the ExternalID. Copy the value and paste it into the ExternalID field in Barracuda Cloud Security Guardian.

Click Add. The system verifies the connection.

When the account connection is verified, click Close to close the wizard.

Deploying the stack takes about 10 minutes.
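The role created by the stack is assumed from outside your account, so its trust policy is worth reviewing once the stack is up. The following is an added example, not Barracuda's code: it audits a trust policy document for a wildcard or unexpected principal and for a missing or mismatched ExternalId condition. The sample policies, the account ID 111122223333 and the ExternalId value are constructed placeholders, and the function names are hypothetical.

```python
import json

# Constructed trust policies; the account ID and ExternalId are placeholders.
GOOD = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}""")
WEAK = json.loads("""{"Version": "2012-10-17", "Statement": {
  "Effect": "Allow", "Action": ["sts:AssumeRole"],
  "Principal": {"AWS": "*"}}}""")


def _as_list(value):
    """IAM JSON accepts a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Account ID from a principal given as an ARN or as a bare account ID."""
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 else principal


def audit_trust_policy(policy, vendor_account, external_id):
    """Return findings for a cross-account role's trust policy (empty = OK)."""
    findings = []
    allows = [s for s in _as_list(policy.get("Statement"))
              if s.get("Effect") == "Allow"
              and set(_as_list(s.get("Action"))) & {"sts:AssumeRole", "sts:*", "*"}]
    if not allows:
        return ["no Allow statement grants sts:AssumeRole"]
    for n, stmt in enumerate(allows):
        principal = stmt.get("Principal")
        scoped = principal.get("AWS") if isinstance(principal, dict) else None
        aws = ["*"] if principal == "*" else _as_list(scoped)
        if not aws:
            findings.append(f"statement {n}: no AWS account principal")
        for p in aws:
            if p == "*":
                findings.append(f"statement {n}: any AWS principal may assume the role")
            elif _account_of(p) != vendor_account:
                findings.append(f"statement {n}: unexpected principal {p}")
        # Condition key names are case-insensitive, so compare in lower case.
        equals = {k.lower(): v for k, v in
                  stmt.get("Condition", {}).get("StringEquals", {}).items()}
        ids = _as_list(equals.get("sts:externalid"))
        if not ids:
            findings.append(f"statement {n}: no StringEquals on sts:ExternalId")
        elif ids != [external_id]:
            findings.append(f"statement {n}: ExternalId differs from expected value")
    return findings
```

To run it against the deployed role, pass in the AssumeRolePolicyDocument returned by `aws iam get-role --role-name <your CrossAccountRoleName>`, along with the vendor account ID and ExternalId you expect for your deployment.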

The setup wizard continues to enabling Security & Compliance. To perform this setup, continue to Step 3: Enabling Security and Compliance.

Enabling Security and Compliance on AWS

This portion of the wizard is a continuation from adding a cloud service account. If you are not able to complete this process during setup, you can return to it by following the instructions in Enabling Security and Compliance.

Click Enable Security & Compliance to continue with this setup. The system loads your VPCs.

Select a VPC and Subnet, then click Deploy.

Note that the subnet must have connectivity for outbound access. Inbound access is not required.

Specify your CloudTrail Configuration. If you already have a CloudTrail service, specify the existing service; this is the cost-effective option. Alternatively, create a new CloudTrail service. Click Apply.

View the list of data centers to find one or more data centers you want to enable. For each data center you want to enable, click Edit.

Flip the switch to set Security & Compliance Scan to Enabled. Select the Default Policy, and click Save Changes.

When you have finished, click Next. Then click Finish.

To set up additional policies or to return to this setup again later, refer to Enabling Security and Compliance.

Cloud Storage Shield

Cloud Storage Shield scans your S3 buckets for malicious files or objects. It monitors the content of your S3 buckets using the Barracuda Advanced Threat Protection service. If it finds anything malicious, it blocks access to the files.

Enabling Cloud Storage Shield

To enable Cloud Storage Shield:

  1. Navigate to Services > Cloud Storage Shield.
  2. Select the cloud service account that you want to protect.
  3. One at a time, select one or more regions that you want to protect, then click Deploy Regional Stack.
    You must enable Barracuda Cloud Security Guardian in a region before you can enable Cloud Storage Shield.

As part of deploying the stack, select a VPC and Subnet from the region on which you want to deploy the Cloud Storage Shield. Then click Deploy.

v1.0
Specifications subject to change without notice.
Barracuda Networks and the Barracuda Networks logo are registered trademarks of Barracuda Networks, Inc. in the United States.
All other names are the property of their respective owners.