ESET Cloud Workload Protection—Microsoft Azure, Amazon Web Services, Google Cloud Platform main features
• Enables visibility and protection of cloud workloads by synchronizing virtual machines organized in resource groups.
• Enables deployment of security protection to workloads, either manually or automatically, for newly created instances.
• Provides endpoint-level security indicators from protected workloads, expanding visibility into threats across cloud environments.
• Provides extended asset context in Incidents and supports response actions on protected machines.
• Ingests more cloud indicators and telemetry, expanding visibility into cloud environment activity.
How to enable the integration
Prerequisites
Review and complete all prerequisites that apply to your chosen path before starting the CloudFormation template deployment.
These requirements apply regardless of which template you select.
Account is in the standard AWS partition
Only AWS Organizations and accounts in the standard AWS commercial partition are supported. Accounts in other partitions (such as AWS GovCloud or AWS China) are not supported.
AWS account permissions
The AWS IAM principal (user or role) you use to deploy the CloudFormation stack must have sufficient permissions to create all of the resources the template provisions.
Required permission scope: AdministratorAccess, or a custom policy that allows creating:
• IAM roles and managed policies
• S3 buckets and bucket policies
• CloudTrail trails
• Lambda functions (invoked as CloudFormation custom resources)
• CloudFormation stacks and StackSets
If you are unsure whether your credentials are sufficient, check with your AWS administrator before proceeding.
Deploy the stack only once per account/organization
Each template creates resources with fixed names (for example, CwppServiceRole). Deploying a second stack in the same account will fail with a resource-already-exists error. If a previous deployment failed or needs to be redone, delete the existing CloudFormation stack first.
AWS region with CloudTrail support
Deploy the stack in an AWS region that supports multi-region CloudTrail trails. All standard commercial AWS regions qualify. GovCloud and China regions are not supported.
EC2 instances must have the SSM Agent installed and running (it is pre-installed on most AWS-provided AMIs) on any instance where you plan to deploy the ESET protection product. DHMC enables automatic management but does not install the SSM Agent. This requirement can also be enabled later and is not mandatory before onboarding.
These additional requirements apply when using either organization template.
Deploy from the management account
Organization templates must be deployed while logged into your AWS Organizations management account. You cannot use a member account for this deployment.
Locate your Root Organizational Unit ID
During deployment, you will be asked for your root organizational unit ID, which is used to deploy StackSets to all accounts. To find it:
1. Open the AWS Organizations console.
2. Click the Root entry at the top of the organizational tree.
3. Copy the ID—it has the format r-xxxx.
For detailed instructions, see the AWS documentation on navigating your organization’s hierarchy.
Permission to activate CloudFormation–Organizations trusted access
The template automatically activates trusted access between CloudFormation and AWS Organizations (via a Lambda custom resource). The deploying principal must be allowed to call cloudformation:ActivateOrganizationsAccess. This is included in AdministratorAccess. If you use a scoped permission set, ensure this action is explicitly allowed.
These additional requirements apply when using either DHMC template variant.
No conflicting Default Host Management Configuration (DHMC)
If you previously used AWS SSM Quick Setup to configure DHMC, even partially, you cannot use the organization-wide onboarding with DHMC setup. The two configurations will conflict. In that case:
1. Use the non-DHMC organization onboarding.
2. In your existing SSM Quick Setup configuration, ensure DHMC is active in all member accounts and all regions where CWP will be deployed.
Permissions for SSM Quick Setup
In addition to the base organization permissions, the deploying principal needs:
• ssm-quicksetup:UpdateServiceSettings
• organizations:EnableAWSServiceAccess
• Permission to create service-linked roles
These are all included in AdministratorAccess. The template creates a Lambda function that performs these steps automatically; you do not need to run any commands manually.
Enabling VM protection in CWP for AWS EC2 instances involves two levels of requirements. The EC2 instance must first be registered as an SSM-managed instance (account-level setup), and then each individual instance must meet the VM-level requirements before the protection product can be installed on it. Other CWP functionality works on accounts that do not meet these prerequisites.
Project prerequisites
These requirements apply at the AWS account level. CWP configures them automatically during onboarding when the DHMC template variant is used. For accounts where DHMC was not set up during onboarding (or before), these steps must be completed manually before VM protection can be enabled.
• EC2 instance must be an SSM-managed instance
CWP deploys the ESET protection product through AWS Systems Manager (SSM). For SSM to reach an EC2 instance, that instance must be registered as an SSM-managed instance. The recommended way to ensure this for all instances in an account is to enable Default Host Management Configuration (DHMC), which automatically registers every EC2 instance in an account and region without requiring a dedicated IAM instance profile on each instance.
DHMC can be enabled per region in the AWS console under Systems Manager > Fleet Manager > Account management, or organization-wide via SSM Quick Setup. See the AWS DHMC documentation for details.
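The account-level prerequisites above (standard partition, root OU ID format, CloudFormation–Organizations trusted access, DHMC per region, and which running instances SSM can actually reach) can be verified from the command line before you launch the stack. The following script is an added example, not ESET's or AWS's own tooling; it uses the AWS CLI commands sts get-caller-identity, organizations list-roots, cloudformation describe-organizations-access, ssm get-service-setting, ec2 describe-instances and ssm describe-instance-information. The DHMC service-setting ARN and the $None sentinel follow the AWS DHMC documentation; the helper functions are pure shell and run offline, while the AWS calls run only when the script is invoked with CWP_RUN_PREFLIGHT=1 and the credentials of the principal that will deploy the CloudFormation stack.

```shell
#!/bin/sh
# Added example (not ESET's or AWS's code): pre-flight checks for the
# CWP AWS onboarding prerequisites. Save as cwp-aws-preflight.sh and run
#   CWP_RUN_PREFLIGHT=1 sh cwp-aws-preflight.sh [region]

# Partition component of an ARN ("aws" = standard commercial partition).
arn_partition() {
    printf '%s\n' "$1" | cut -d: -f2
}

# Succeeds only for the standard partition; GovCloud (aws-us-gov) and
# China (aws-cn) principals cannot onboard.
is_standard_partition() {
    [ "$(arn_partition "$1")" = "aws" ]
}

# Root OU IDs look like r-xxxx (AWS allows 4 to 32 lowercase alphanumerics).
is_root_ou_id() {
    printf '%s\n' "$1" | grep -Eq '^r-[a-z0-9]{4,32}$'
}

# Print IDs present in the first list (running EC2 instances) but absent from
# the second (instances SSM reports as Online): CWP cannot deploy to these yet.
unmanaged_instances() {
    managed_file=$(mktemp)
    printf '%s\n' "$2" | sort -u > "$managed_file"
    printf '%s\n' "$1" | sort -u | grep -vxF -f "$managed_file" || true
    rm -f "$managed_file"
}

run_preflight() {
    region=${1:-${AWS_REGION:-us-east-1}}
    caller_arn=$(aws sts get-caller-identity --query Arn --output text)
    account=$(aws sts get-caller-identity --query Account --output text)
    echo "Deploying as: $caller_arn"
    if is_standard_partition "$caller_arn"; then
        echo "OK    partition aws"
    else
        echo "FAIL  partition $(arn_partition "$caller_arn") is not supported"
    fi

    # Only the Organizations management account can list roots; a member
    # account gets AccessDenied here, which is itself a useful signal.
    root_id=$(aws organizations list-roots --query 'Roots[0].Id' --output text 2>/dev/null || true)
    if is_root_ou_id "$root_id"; then
        echo "OK    root OU ID: $root_id (use this for the organization templates)"
    else
        echo "NOTE  not a management account or Organizations not enabled (single-account path only)"
    fi

    # Trusted access between CloudFormation and Organizations; the template
    # activates it, so the deployer needs cloudformation:ActivateOrganizationsAccess.
    access=$(aws cloudformation describe-organizations-access --query Status --output text 2>/dev/null || echo UNKNOWN)
    echo "INFO  CloudFormation-Organizations trusted access: $access"

    # DHMC is a per-region SSM service setting; per AWS documentation the
    # value $None means DHMC is not enabled in that region.
    setting_arn="arn:aws:ssm:$region:$account:servicesetting/ssm/managed-instance/default-ec2-instance-management-role"
    dhmc=$(aws ssm get-service-setting --region "$region" --setting-id "$setting_arn" \
        --query 'ServiceSetting.SettingValue' --output text 2>/dev/null || echo UNKNOWN)
    case "$dhmc" in
        '$None'|UNKNOWN) echo "NOTE  DHMC not enabled in $region (value: $dhmc); use the DHMC template or enable it manually" ;;
        *)               echo "OK    DHMC role in $region: $dhmc" ;;
    esac

    # Running instances that SSM cannot reach (no agent, no DHMC/profile, no egress).
    all_ids=$(aws ec2 describe-instances --region "$region" \
        --filters Name=instance-state-name,Values=running \
        --query 'Reservations[].Instances[].InstanceId' --output text | tr '\t' '\n')
    managed_ids=$(aws ssm describe-instance-information --region "$region" \
        --query 'InstanceInformationList[?PingStatus==`Online`].InstanceId' --output text | tr '\t' '\n')
    missing=$(unmanaged_instances "$all_ids" "$managed_ids")
    if [ -n "$missing" ]; then
        echo "WARN  running instances not SSM-managed (Online) in $region:"
        echo "$missing" | sed 's/^/      /'
    else
        echo "OK    every running instance in $region is SSM-managed"
    fi
}

if [ "${CWP_RUN_PREFLIGHT:-0}" = 1 ] && command -v aws >/dev/null 2>&1; then
    run_preflight "$@"
fi
```

Run it once per region you intend to onboard: DHMC and the SSM inventory are regional, while the partition, root OU and trusted-access checks are account-wide. An instance listed under WARN is exactly one that the manual or automatic deployment described later will skip until the SSM Agent, DHMC (or an instance profile) and outbound access are in place.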
VM-level requirements
These requirements apply to each individual EC2 instance. When the account-level setup is in place, the protection product can be deployed to an instance only if it meets all of the following.
• EC2 instance must have outbound internet access
Each EC2 instance targeted for protection deployment must have outbound internet access. For instances in private subnets without a NAT gateway, outbound internet access must be configured before protection can be deployed.
• SSM Agent must be installed and running
AWS SSM communicates with EC2 instances through the SSM Agent. Most AWS-provided AMIs (Amazon Linux, Ubuntu Server, Windows Server) include the SSM Agent pre-installed. For custom or third-party AMIs, verify that the agent is installed and running.
See the AWS SSM Agent documentation for installation instructions and how to verify the agent status on a running instance.
For a functional deployment of protection to Linux EC2 instances in AWS, the protected account or organization must have AWS Systems Manager enabled, and the EC2 instances must have the SSM Agent installed.
• VM must run a supported operating system
CWP can only deploy the ESET protection product on instances running a supported OS distribution. For the full list of supported OS distributions, see the reference below.
• VM must meet the protection product system requirements
Each VM targeted for protection deployment must satisfy the minimum hardware and software requirements for the ESET protection product.
Windows Server
o Processor: Intel or AMD single-core x64
o Memory: 256 MB of free RAM
o Hard drive: 700 MB of free disk space
Linux
o Processor: Intel/AMD x64 with 2 cores (vCPUs)
o Memory: 2 GB of RAM
o Hard drive: 700 MB of free disk space
o Glibc 2.28 or later
o Linux kernel version 4.18 or later
o Any UTF-8 encoding locale
o Secure Boot must be disabled
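The Linux VM-level requirements above can be verified on the instance itself before protection is enabled, so that a failed deployment can be traced to a concrete unmet requirement. The script below is an added example and not ESET's own tooling. The version comparison, the Secure Boot read from the EFI variable, the systemd unit names for the SSM Agent (amazon-ssm-agent, and the snap unit used on Ubuntu), and /opt as the install filesystem are assumptions of this example, and PROBE_URL is a placeholder for whichever endpoint your deployment must reach.

```shell
#!/bin/sh
# Added example (not ESET's own tooling): checks a Linux EC2 instance
# against the VM-level requirements for the ESET protection product.
# Save as check-cwp-linux-vm.sh and run it on the instance:
#   sudo sh check-cwp-linux-vm.sh
# Reading the Secure Boot variable needs root; the rest works unprivileged.

FAILS=0

# check "description" command...: print PASS/FAIL and count failures.
check() {
    desc=$1; shift
    if "$@"; then
        echo "PASS  $desc"
    else
        echo "FAIL  $desc"
        FAILS=$((FAILS + 1))
    fi
}

# version_ge A B: succeed when dotted version A >= B. Non-numeric suffixes
# in a component ("223-211", "el8", "x86_64") are ignored, so kernel release
# strings from uname -r compare correctly against "4.18".
version_ge() {
    i=1
    while :; do
        ac=$(printf '%s.' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        bc=$(printf '%s.' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        if [ -z "$ac" ] && [ -z "$bc" ]; then return 0; fi
        ac=${ac:-0}; bc=${bc:-0}
        if [ "$ac" -gt "$bc" ]; then return 0; fi
        if [ "$ac" -lt "$bc" ]; then return 1; fi
        i=$((i + 1))
    done
}

# UEFI exposes SecureBoot as an EFI variable: 4 attribute bytes, then one
# data byte where 1 = enabled. No variable means BIOS boot (nothing to disable).
secure_boot_disabled() {
    var=$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n 1)
    if [ -z "$var" ]; then return 0; fi
    [ "$(od -An -t u1 -j 4 -N 1 "$var" | tr -d ' ')" = "0" ]
}

# Unit names differ between the RPM/DEB package and the Ubuntu snap (assumption).
ssm_agent_running() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl is-active --quiet amazon-ssm-agent 2>/dev/null \
            || systemctl is-active --quiet snap.amazon-ssm-agent.amazon-ssm-agent 2>/dev/null
    else
        pgrep -f amazon-ssm-agent >/dev/null 2>&1
    fi
}

run_checks() {
    # PROBE_URL is a placeholder: replace it with an endpoint your deployment
    # must reach (the ESET servers listed in ESET documentation).
    probe_url=${PROBE_URL:-https://example.com/}
    install_fs=/opt   # assumption: filesystem where the product will be installed
    [ -d "$install_fs" ] || install_fs=/

    check "SSM Agent running" ssm_agent_running
    check "outbound HTTPS to $probe_url" curl -sSf --max-time 10 -o /dev/null "$probe_url"
    check "kernel >= 4.18 ($(uname -r))" version_ge "$(uname -r)" 4.18
    glibc=$(getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}')
    check "glibc >= 2.28 (${glibc:-none})" version_ge "$glibc" 2.28
    check "2 vCPUs" [ "$(nproc)" -ge 2 ]
    # MemTotal excludes kernel-reserved memory, so a nominal 2 GB instance
    # reports slightly less; allow about 5% of slack.
    mem_mb=$(awk '/^MemTotal:/ {print int($2 / 1024)}' /proc/meminfo)
    check "2 GB RAM (${mem_mb} MB visible)" [ "$mem_mb" -ge 1900 ]
    free_mb=$(df -Pk "$install_fs" | awk 'NR == 2 {print int($4 / 1024)}')
    check "700 MB free on $install_fs (${free_mb} MB)" [ "$free_mb" -ge 700 ]
    check "UTF-8 locale ($(locale charmap 2>/dev/null))" [ "$(locale charmap 2>/dev/null)" = "UTF-8" ]
    check "Secure Boot disabled" secure_boot_disabled

    echo "$FAILS requirement(s) not met"
    return "$FAILS"
}

case "${0##*/}" in
    check-cwp-linux-vm.sh) run_checks ;;
esac
```

The exit status equals the number of failed checks, so the script can be pushed through an SSM Run Command document across a fleet and the non-zero results filtered out before enabling protection on those instances. The locale check reflects the environment the script runs in; when run through SSM it sees the same default locale the product installation will.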
Integration setup in ESET PROTECT Web Console
Click Connect to go through the Connect Integration process:
1. General Setup—type Name, select a method: AWS Organizations (with Root Organization Unit ID) or AWS single account (with Account ID), type Client description and click Continue.
2. Host Management—select whether the Default Host Management Configuration is enabled in your AWS account.
3. CloudFormation—create a stack in AWS (click the Launch in AWS button to check the stack status or complete the setup) and then select Confirm Status.
4. Integration Summary—review the Integration Summary with your settings (Name, Method, Account ID, ESET CWP S3 Bucket, Client description) and click Finish.
When an integration is finished (Status: Active), you can see the virtual machines synchronized in the integration under Computers > Companies tree > selected organization (static group).
Deployment
System requirements and supported operating systems
You can deploy the ESET protection to virtual machines that meet the system requirements for the installation of the ESET security application:
• ESET Server Security for Windows (Windows VMs)
• ESET Server Security for Linux (Linux VMs)
Auto deployment
By default, auto-deployment is turned off. You can define how ESET Cloud Workload Protection behaves on virtual machines integrated from your connected cloud environments in the Configuration section.
When auto-deployment is configured, CWP checks every 15 minutes whether the target group contains an eligible virtual machine. If it does, the ESET Management Agent and then the security product are installed on that virtual machine within a few minutes.
The Audit log records when a deployment starts.
Manual deployment
Select the computers on which you want to enable the ESET security product. A subscription is assigned automatically.
1. Go to Computers > select Company (static group) > list virtual machines.
2. Select the virtual machine > click the three dots button > select Platform modules > click Enable ESET security application for cloud.
3. Select Targets.
4. Agree to the Legal documents and click Enable.