About CWPP Deployment
Cloud Workload Protection Platform (CWPP) provides security to Amazon Web Services (AWS) workloads through Point of Presence (POP) installations on dedicated EC2 instances, which establish connectivity to Skyhigh CASB and help with deploying security plugins on workloads. Once you've established a POP, the next step is to install CWPP Agents on workloads or nodes that you want to secure against vulnerabilities, image hardening, and process allow listing.
These deployment packages are made available in Skyhigh CASB to help you create the required infrastructure.
CWPP POP Services. The POP services are hosted in two or more EC2 instances and are recommended to be hosted in a separate secure VPC. These services are exposed through a load balancer and an AWS Private Link service/VPC Endpoint service.
CWPP Agents. CWPP Agents are typical consumers of the POP service and are installed on workloads hosted in a VPC different from the secure VPC where CWPP POP is installed. Any Agent that needs to establish the connectivity to the POP service needs to have a VPC endpoint created. The VPC Endpoint acts as a bridge between the agents.
VPC Endpoints. Once the VPC Endpoints are created, CWPP Agents will establish the the connectivity with the POP on those endpoints. Skyhigh Security recommends typical endpoint names – cwpp-cicd.cwpp.skyhigh /cwpp-connector.cwpp.skyhigh.
POP Deployment Options
Depending on your use case, you can deploy a single POP or multiple POPs in a region. Please note the following:
- The CWPP POP supports one primary and single/multiple secondary nodes of deployment.
- We recommend deploying a single POP per region, but multiple POP deployments in the same region are supported.
Single POP in a dedicated secure VPC for a Region
This is the recommended deployment, where a single POP in a VPC and can serve all VPC's of different accounts in that region.
Multiple POPs in a secure VPC for a region
To maintain different environments, like production and staging, then you can install multiple POPs in a secure VPC. EFS will be created per VPC, and subsequent POP installation within the same VPC will reuse the EFS.