Create an outpost for security scanning performed on infrastructure in a cloud account owned by you.
This topic provides instructions for creating an outpost for different CSPs.
Important
While outposts provide maximum control over the scanning environment, cloud scan mode is the recommended default for most organizations. For details, see When to choose outpost scan.
Creating an outpost comprises the following phases:
Running the outpost creation wizard in Cortex Cloud to generate an outpost authentication template for the relevant CSP. This template establishes trust with the CSP and grants the necessary permissions to Cortex Cloud. Described below.
Executing the template in the CSP to create the outpost, initially in pending status. Described below.
Running the CSP onboarding wizard in Cortex Cloud to generate an authentication template for the relevant CSP (AWS, GCP, Azure).
Executing the authentication template in the CSP to onboard the CSP and ingest its data sources.
Run the outpost creation wizard to generate a template
Start the outpost creation wizard by navigating to → → and clicking New Outpost.
Note
Verify that your internet connection is active. An active internet connection is necessary for notifications to be sent to Cortex Cloud for creating the new outpost. If you are unable to establish an internet connection, contact customer support for a manual workaround.
Perform the steps according to your CSP.
In Create AWS Outpost, select the type of AWS environment:
Commercial: (Default) Standard cloud deployment typically used for private and public sector organizations that do not require isolated government-specific infrastructure.
Government: AWS GovCloud environments for compatibility with FedRAMP-certified tenants.
(Optional) Define tags and tag values to be added to any new resource created by Cortex in the cloud environment. Click Next.
Click Download Terraform to download the Terraform template file.
Execute the Terraform template in the CSP to create the outpost.
In Create GCP Outpost, select the type of GCP environment:
Commercial: (Default) Standard cloud deployment typically used for private and public sector organizations that do not require isolated government-specific infrastructure.
Government: GCP Assured Workloads for compatibility with FedRAMP-certified tenants.
Enter the project ID of the GCP project.
(Optional) Define tags and tag values to be added to any new resource created by Cortex in the cloud environment. Click Next.
Click Download Terraform to download the Terraform template file.
Execute the Terraform template in the CSP to create the outpost.
Note
When creating an outpost for a specific Azure subscription, the outpost account must be in the same Azure organization as the monitored subscriptions.
In Create Azure Outpost, select the type of Microsoft Azure environment:
Commercial: (Default) Standard cloud deployment typically used for private and public sector organizations that do not require isolated government-specific infrastructure.
Government: Microsoft Azure Government environments for compatibility with FedRAMP-certified tenants.
Enter the tenant ID of the Azure tenant in which you want to establish the outpost.
Note
Due to limitations in Terraform, the Azure subscription name cannot contain blanks.
(Optional) Define tags and tag values to be added to any new resource created by Cortex in the cloud environment. Click Next.
Click Download Terraform to download the Terraform template file.
Execute the Terraform template in the CSP to create the outpost.
Execute the template in the CSP to finalize the outpost
When you have downloaded the Terraform template file in the onboarding wizard, log in to the CSP and execute the template file.
Perform the steps according to your CSP.
Prerequisite
Before you begin, ensure you have:
An AWS account
Permission to create a stack and its resources in AWS
Installed Terraform on your local machine. You can download Terraform from the official Terraform website and follow the installation instructions for your operating system.
Installed the AWS CLI tool and configured your profile with the aws configure sso wizard.
Open your local terminal (Command Prompt, PowerShell, or Terminal).
Log in to your AWS account using the AWS CLI:
aws sso login --profile <my-profile>
Where <my-profile> is the profile you configured with the aws configure sso wizard.
Create a directory on your local machine to store and run the Terraform code. If you are creating more than one outpost, you need a separate directory for each one:
mkdir -p ~/terraform/aws-outpost-1
Navigate to the directory you created and extract the Terraform files.
cd ~/terraform/aws-outpost-1
tar -xzvf <your_template>.tar.gz
Initialize Terraform in your project directory:
terraform init
Apply your Terraform configuration using the downloaded parameter file. When prompted, enter the subscription ID:
terraform apply --var-file=template_params.tfvars
When prompted, review the actions Terraform will perform and approve them by entering yes.
The Terraform template is deployed, and your outpost is created. To view all outposts and their details, navigate to → → .
Danger
Before you begin, ensure you have:
A GCP account
Permission to create the required resources in Google Cloud Deployment Manager
Installed Terraform on your local machine. You can download Terraform from the official Terraform website and follow the installation instructions for your operating system.
Installed the GCP gcloud CLI tool
Open your local terminal (Command Prompt, PowerShell, or Terminal).
Log in to your GCP account using the gcloud CLI:
gcloud auth login
Create a directory on your local machine to store and run the Terraform code. If you are creating more than one outpost, you need a separate directory for each one:
mkdir -p ~/terraform/gcp-outpost-1
Navigate to the directory you created and extract the Terraform files.
cd ~/terraform/gcp-outpost-1
tar -xzvf <your_template>.tar.gz
Initialize Terraform in your project directory:
terraform init
Apply your Terraform configuration using the downloaded parameter file. When prompted, enter the project ID:
terraform apply --var-file=template_params.tfvars
When prompted, review the actions Terraform will perform and approve them by entering yes.
The Terraform template is deployed, and your outpost is created. To view all outposts and their details, navigate to → → .
Danger
Before you begin, ensure you have:
An active Azure subscription.
Installed the Azure CLI tool.
Permission to deploy a custom template and create its resources in Microsoft Azure ("Owner" or "Contributor" on the designated outpost subscription scope, and Active Directory "Cloud Application Administrator" or "Application Administrator" privileged roles).
Installed Terraform 1.9.4 or above on your local machine. You can download Terraform from the official Terraform website and follow the installation instructions for your operating system.
A static egress IP assigned to the machine running this Terraform. This is used to configure the Azure Storage IP whitelist (Recommended). Without this, future runs of this Terraform may fail on Azure storage configurations.
Open your local terminal (Command Prompt, PowerShell, or Terminal).
Log in to your Azure account using the Azure CLI:
az login
If prompted, select the subscription_id of the designated subscription, or run:
az account set --subscription <subscription_id>
Where <subscription_id> is the subscription ID of the designated subscription.
Create a directory on your local machine to store and run the Terraform code. If you are creating more than one outpost, you need a separate directory for each one:
mkdir -p ~/terraform/azure-outpost-1
Navigate to the directory you created and extract the Terraform files.
cd ~/terraform/azure-outpost-1
tar -xzvf <your_template>.tar.gz
Initialize Terraform in your project directory:
terraform init
Apply your Terraform configuration using the downloaded parameter file. When prompted, enter the subscription ID:
terraform apply --var-file=template_params.tfvars
When prompted for var.storaage_account_ip_whitelist, you can leave it empty to enable access from any public IP to the storage accounts. We recommend that you limit access to selected IPs. To limit access, enter a comma-separated list of public IP addresses, including your local machine's egress IP (to enable the completion of the Terraform run). For example:
8.8.8.8, 8.8.4.4
Review the actions Terraform will perform and approve them by entering yes.
It is important to create a backup of the Terraform state file using one of the following methods:
Back up the terraform.tfstate and terraform.tfstate.backup files or use Terraform backend to save the state.
Create copies of the terraform.tfstate and terraform.tfstate.backup files. These can then be moved to the working folder to allow Terraform to upgrade or destroy the created resources as necessary.
Ensure you're using a backend block in your Terraform configuration. For more information, see Backend block configuration overview.
The Terraform template is deployed, and your outpost is created. To view all outposts and their details, navigate to → → .
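The storage IP whitelist prompt in the Azure steps takes free text, so a private address or a forgotten egress IP only surfaces when a Terraform run fails. The following is an added example, not part of the Cortex Cloud template or documentation, that checks the value before you enter it; the function name build_ip_whitelist is an assumption of this example, and the sample addresses are the ones from the example above.

```python
import ipaddress


def build_ip_whitelist(entries: str, egress_ip: str) -> str:
    """Return the value to type at the storage IP whitelist prompt.

    entries   -- comma-separated IP addresses you intend to allow
    egress_ip -- static egress IP of the machine running Terraform
    Raises ValueError for anything that is not a single public address.
    """

    def parse_public(text: str):
        try:
            addr = ipaddress.ip_address(text.strip())
        except ValueError:
            raise ValueError(f"not a single IP address: {text.strip()!r}") from None
        if not addr.is_global:
            # Private, loopback, link-local and reserved ranges are not public.
            raise ValueError(f"not a public IP address: {addr}")
        return addr

    allowed = []
    for item in entries.split(","):
        if not item.strip():
            continue  # tolerate blanks and trailing commas
        addr = parse_public(item)
        if addr not in allowed:  # drop duplicates, keep order
            allowed.append(addr)

    # Always include the egress IP, so the result is never empty: an empty
    # answer would open the storage accounts to any public IP.
    egress = parse_public(egress_ip)
    if egress not in allowed:
        allowed.append(egress)
    return ", ".join(str(a) for a in allowed)


if __name__ == "__main__":
    # Constructed sample input using the addresses from the example above.
    print(build_ip_whitelist("8.8.8.8,", egress_ip="8.8.4.4"))
```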
What's next?
After you have executed the template in your CSP:
The necessary permissions are granted and a notification is sent to Cortex Cloud with the execution details.
A new outpost is created in pending status and can be viewed in the Outpost page at → → .
Continue the CSP onboarding by running and executing the CSP onboarding wizard to generate an authentication template for the relevant CSP (AWS, GCP, Azure).
If you have successfully executed the template in your cloud service provider and no new outpost has been created, verify that your internet connection is active. An active internet connection is necessary for the notification to be sent to Cortex Cloud to create the new outpost. If you are unable to establish an internet connection, contact customer support for a manual workaround.