Install a Secure Event Connector on an AWS VPC Using a Terraform Module

Before you begin

  • To perform this task, you must enable SAL on your Security Cloud Control tenant. This section presumes that you have a SAL license. If you do not have one, purchase the Cisco Security and Analytics Logging, Logging and Troubleshooting license.

  • Ensure you have a new SEC installed. To create a new SEC, see Install a Secure Event Connector on an SDC Virtual Machine.

  • When installing the SEC, make sure you take a note of the Security Cloud Control bootstrap data and SEC bootstrap data.

Procedure

Step 1

Go to Secure Event Connector Terraform Module on the Terraform Registry and follow the instructions to add the SEC Terraform module to your Terraform code.

Step 2

Apply the Terraform code.

Step 3

Ensure that you print the instance_id and sec_fqdn outputs, because you will need them later in the procedure.

Note

To troubleshoot your SEC, you must connect to your SEC instance using AWS Systems Manager Session Manager (SSM). See the AWS Systems Manager Session Manager documentation to learn more about connecting to an instance using SSM.

Ports to connect to the SDC instance using SSH are not exposed for security reasons.

Step 4

To enable sending of logs from your ASA to the SEC, obtain the certificate chain of the SEC you created and remove the leaf certificate by running the following command, substituting the sec_fqdn output from Step 3 for <FQDN>:

rm -f /tmp/cert_chain.pem && openssl s_client -showcerts -verify 5 -connect <FQDN>:10125 < /dev/null | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="/tmp/cert_chain.pem"; if(a > 1) print >>out}'

Step 5

Copy the contents of /tmp/cert_chain.pem to your clipboard.

Step 6

Take a note of the IP address of the SEC using the following command, again substituting the sec_fqdn output from Step 3 for <FQDN>:

nslookup <FQDN>

Step 7

Log in to Security Cloud Control and start adding a new trustpoint object. See Adding a Trusted CA Certificate Object for more information. Ensure you uncheck the Enable CA flag in basic constraints extension checkbox in Other Options before clicking Add.

Step 8

Click Add, copy the CLI commands generated by Security Cloud Control in the Install Certificate page, and click Cancel.

Step 9

In the CLI commands you copied, add the line no ca-check directly below the enrollment terminal line.

Step 10

SSH into your ASA device or use the ASA CLI option in Security Cloud Control and execute the following commands:

DataCenterFW-1> en
Password: *****************
DataCenterFW-1# conf t
DataCenterFW-1(config)# <paste your modified ASA CLIs here and press Enter>
DataCenterFW-1(config)# wr mem
Building configuration...
Cryptochecksum: 6634f35f 4c5137f1 ab0c5cdc 9784bdb6
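The leaf-stripping logic from Step 4, as an added example that is not part of the Cisco documentation: the same awk range pattern is wrapped in shell functions and run over a constructed placeholder chain, so the trimming can be verified offline before it is pointed at a real SEC. The fetch_sec_chain function and the port 10125 endpoint are assumed from Step 4 and are not exercised offline.

```shell
#!/bin/sh
# Added example (not from the Cisco page). Constructed sample chain: three
# placeholder PEM blocks standing in for the leaf, intermediate and root
# certificates returned by openssl s_client -showcerts. The bodies are not
# real certificates; only the BEGIN/END markers matter to the awk logic.
SAMPLE_CHAIN='-----BEGIN CERTIFICATE-----
LEAFCERTBODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATECERTBODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOTCERTBODY
-----END CERTIFICATE-----'

# strip_leaf_cert: read a PEM chain on stdin and write every certificate
# except the first one (the SEC's own leaf) to stdout. This is the range
# pattern from Step 4; the counter a is incremented on each BEGIN marker and
# lines are emitted only once the second certificate has started.
strip_leaf_cert() {
  awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; if(a > 1) print }'
}

# count_certs: number of certificates (BEGIN markers) on stdin.
count_certs() {
  grep -c 'BEGIN CERTIFICATE'
}

# fetch_sec_chain: live form of Step 4 for a real SEC FQDN, assumed reachable
# on port 10125 (from the page). Writes the chain minus the leaf to stdout.
fetch_sec_chain() {
  openssl s_client -showcerts -verify 5 -connect "$1:10125" </dev/null 2>/dev/null | strip_leaf_cert
}

# Stand-alone run over the constructed chain: prints 2 (intermediate + root).
printf '%s\n' "$SAMPLE_CHAIN" | strip_leaf_cert | count_certs
```

Redirect the output of fetch_sec_chain to /tmp/cert_chain.pem to reproduce the file Step 5 expects.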

What to do next

You can check whether your SEC is receiving events by connecting to the SEC instance through AWS SSM and reviewing its logs. You should now see entries similar to this:
time="2023-05-10T17:13:46.135018214Z" level=info msg="[ip-10-100-5-19.ec2.internal][util.go:67 plugin.createTickers:func1] Events - Processed - 6/s, Dropped - 0/s, Queue size - 0"