The Amazon Web Services (AWS) Cloud Connector provides operational visibility into the security of your AWS environment. USM Anywhere reads the log data stored in your Amazon Simple Storage Service (S3) buckets, generates the related events from that data within USM Anywhere, and provides real-time alerting to identify malicious activity.
Important: USM Anywhere starts processing the files in your Amazon S3 buckets only after you enable the AWS Cloud Connector. Files that were already in the buckets before the Cloud Connector was set up are not processed.
Differences Between an AWS Cloud Connector and a Sensor
Before choosing between an AWS Cloud Connector and a USM Anywhere sensor, you need to know how each of them works and how they differ.
This table includes a summary of the main differences between an AWS Cloud Connector and a sensor.
|Item|AWS Cloud Connector|Sensor|
|---|---|---|
|Deploy a sensor|No|Yes|
|Create a virtual machine (VM)|No|Yes|
|Inventory data detection (users and assets)|No|Yes|
|Maintenance, updates, upgrades|No|Yes|
|Upload an AWS CloudFormation template into the AWS account|Yes|No|
|Monitor multiple AWS accounts|Yes (one connector per account)|Yes (one sensor per account)|
|Receive Amazon S3 events|Yes|Yes|
Warning: You will get duplicate events if a sensor is already monitoring buckets in an AWS account and you configure an AWS Cloud Connector in the same account to monitor the same buckets.
Keep these points in mind when choosing between an AWS Cloud Connector and a USM Anywhere sensor:
- A sensor requires a deployment. An AWS Cloud Connector doesn't need a sensor deployed on a VM; instead, it requires you to upload an AWS CloudFormation template that you generate within the USM Anywhere user interface (UI). See Adding an AWS Cloud Connector for more information. This process is much easier and, unlike a sensor, it doesn't require ongoing maintenance.
- A sensor automatically detects inventory data in your account, such as users and assets. An AWS Cloud Connector receives Amazon S3 events but doesn't detect users and assets. Deploying a sensor is the best choice if you have a specific account in which users or assets in the monitored AWS environment must be detected automatically.
- An AWS Cloud Connector receives Amazon S3 events, but no events from network-based intrusion detection systems (NIDS) or AlienApps. Deploying a sensor is the best choice if you have a specific account that needs either NIDS or AlienApps and those are critical for the AWS environment you are monitoring.
- An AWS Cloud Connector is easier to maintain. A sensor, for example, often requires upgrades.
Important: If you have multiple AWS accounts, you can configure some of them with sensors and the rest with AWS Cloud Connectors. You can have a mix of deployments, but best practice is to only deploy one connector or one sensor per AWS account.
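The two conditions called out above (a bucket watched by both a sensor and a connector in the same account, which produces duplicate events, and more than one collector in a single account, which goes against the one-per-account best practice) are easy to audit before they generate noise. The following is an added example, not code from the USM Anywhere product or its documentation: it assumes you have exported your collector inventory into the simple list-of-tuples shape shown (account ID, collector type, collector name, monitored buckets), which is a constructed format, and it generalizes slightly by flagging any bucket watched by more than one collector, not only the sensor-plus-connector case the warning describes.

```python
"""Audit sensor / AWS Cloud Connector coverage per AWS account.

Added example (not part of USM Anywhere). The inventory shape is an assumption:
one tuple per collector: (aws_account_id, collector_type, collector_name, buckets).
"""
from collections import defaultdict

# Constructed sample inventory; the account IDs and names are made up.
SAMPLE_INVENTORY = [
    ("111111111111", "sensor", "usm-sensor-prod", ["cloudtrail-prod", "vpc-flow-prod"]),
    # Connector in the same account watching a bucket the sensor already reads:
    # every object lands twice in USM Anywhere (duplicate events).
    ("111111111111", "connector", "connector-prod", ["cloudtrail-prod"]),
    ("222222222222", "connector", "connector-dev", ["cloudtrail-dev"]),
    # Two connectors in one account: no duplicate bucket, but it breaks the
    # "one connector or one sensor per account" best practice.
    ("333333333333", "connector", "connector-a", ["alb-logs"]),
    ("333333333333", "connector", "connector-b", ["waf-logs"]),
]


def audit(inventory):
    """Return findings for duplicate-bucket monitoring and multi-collector accounts.

    Result keys:
      duplicate_buckets   -> list of (account, bucket, sorted collector names)
      multiple_collectors -> list of (account, sorted collector names)
    """
    by_account = defaultdict(list)
    for account, ctype, name, buckets in inventory:
        if ctype not in ("sensor", "connector"):
            raise ValueError(f"unknown collector type {ctype!r} for {name}")
        by_account[account].append((ctype, name, set(buckets)))

    findings = {"duplicate_buckets": [], "multiple_collectors": []}
    for account in sorted(by_account):
        collectors = by_account[account]
        if len(collectors) > 1:
            findings["multiple_collectors"].append(
                (account, sorted(name for _, name, _ in collectors))
            )
        # Map each bucket to every collector in this account that reads it.
        readers = defaultdict(set)
        for _, name, buckets in collectors:
            for bucket in buckets:
                readers[bucket].add(name)
        for bucket in sorted(readers):
            if len(readers[bucket]) > 1:
                findings["duplicate_buckets"].append(
                    (account, bucket, sorted(readers[bucket]))
                )
    return findings


def report(findings):
    """Render findings as human-readable lines; empty list means the layout is clean."""
    lines = []
    for account, bucket, names in findings["duplicate_buckets"]:
        lines.append(
            f"DUPLICATE EVENTS: account {account} bucket {bucket} "
            f"is read by {', '.join(names)}"
        )
    for account, names in findings["multiple_collectors"]:
        lines.append(
            f"MULTIPLE COLLECTORS: account {account} has {', '.join(names)}; "
            f"best practice is one sensor or one connector per account"
        )
    return lines


if __name__ == "__main__":
    for line in report(audit(SAMPLE_INVENTORY)) or ["clean: no findings"]:
        print(line)
```

Run it against your real inventory before adding a connector to an account that already has a sensor; an empty report means no bucket is double-read and every account has a single collector.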
Activating an AWS Cloud Connector
To activate an AWS Cloud Connector, follow these steps:
1. Add a new connector. See Adding an AWS Cloud Connector for more information.
2. Download the AWS CloudFormation template. See Downloading an Existing AWS Cloud Connector Template for more information.
3. Create a stack to upload the AWS CloudFormation template. See Uploading AWS CloudFormation Templates for more information.
4. Go to USM Anywhere to enable the AWS Cloud Connector. See Cloud Connector List View for more information.