DeepSurface: AWS EC2 (BYOL)
Prerequisites: Before Starting
A DeepSurface Analyzer license is required to use this product. If you do not yet have a license, you may purchase one by submitting the BYOL Licence Request Form.
- A DeepSurface installation code is needed to complete the product installation process; it will be provided to you upon purchase of a DeepSurface license.
- You will need access to your organization's AWS Management Console.
- As with any DeepSurface deployment, administrators will need to be able to access the DeepSurface web console via HTTPS (port 443/TCP). The vast majority of administration tasks can be performed via HTTPS, but the initial setup and occasional low-level tasks will need to be performed via SSH (port 22/TCP).
- You will need a key pair and security group that can be used with the instance. Additional context on key pair and security group configuration can be found here: Setting up with Amazon EC2. Ensure your security group is configured so that you will be able to access your instance using SSH (port 22/TCP) and HTTPS (port 443/TCP) after launch.
- If you plan to connect to your instance from outside of your VPC, you will need to determine how a public IP address will be assigned to your instance.
Options for configuring a public IP include:
- Allocating an Elastic IP address and associating it with the instance
- Enabling the public IP attribute when launching your instance
- Whether or not you choose to configure a public IP, we strongly recommend the instance use a static IP address. This will allow for reliable configuration of HTTPS certificates and network access policies.
If you are unfamiliar with launching EC2 instances, we recommend reviewing the AWS documentation here: Launching an Instance via the Instance Wizard.
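The security group prerequisite above boils down to a least-privilege check: only 22/TCP and 443/TCP should be reachable, and only from the ranges your administrators use. The following is an added example (not DeepSurface's code) that audits the IpPermissions array as returned by `aws ec2 describe-security-groups` against that requirement; the sample rules and the admin CIDR 203.0.113.0/24 are constructed.

```python
import ipaddress

# Only these ingress ports are needed: HTTPS for the console, SSH for setup.
REQUIRED_PORTS = {22, 443}

# Constructed sample mimicking the IpPermissions array returned by
# `aws ec2 describe-security-groups`: SSH open to the world, HTTPS scoped
# to an admin range, and a stray 8080 rule that the audit should flag.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]


def audit_ingress(permissions, admin_cidrs):
    """Return findings; an empty list means the group matches the prerequisites.

    Passes when 22/tcp and 443/tcp are each reachable from an admin CIDR, no
    rule opens them wider than the admin CIDRs, and nothing else is allowed.
    Only IPv4 ranges (IpRanges) are inspected.
    """
    admin_nets = [ipaddress.ip_network(c) for c in admin_cidrs]
    findings, reachable = [], set()
    for perm in permissions:
        proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        if proto == "-1":  # AWS encodes "all traffic" as protocol -1
            findings.append("rule allows all protocols and ports")
            continue
        if not (proto == "tcp" and lo == hi and lo in REQUIRED_PORTS):
            findings.append(f"unexpected ingress {proto} {lo}-{hi}; "
                            "only 22/tcp and 443/tcp are needed")
            continue
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            same = [a for a in admin_nets if a.version == net.version]
            if any(net.overlaps(a) for a in same):  # admins can get in
                reachable.add(lo)
            if not any(net.subnet_of(a) for a in same):  # but so can others
                findings.append(f"{lo}/tcp open to {net}, which is outside the admin ranges")
    for port in sorted(REQUIRED_PORTS - reachable):
        findings.append(f"{port}/tcp is not reachable from any admin range")
    return findings


if __name__ == "__main__":
    for line in audit_ingress(SAMPLE_PERMISSIONS, ["203.0.113.0/24"]):
        print("FINDING:", line)
```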
Instance Launch Steps (from the AWS Console)
Your screen will look something like the following. Note the AWS region in the orange rectangle. Ensure you are in the correct region and that this matches the region you provided to the DeepSurface support team.
- Navigate to EC2 (as shown by the red arrow and rectangle)
- Choose Launch Instance (about halfway down the page as of this writing)
- Select AWS Marketplace.
- In the search box, type DeepSurface and hit the enter key.
- Locate DeepSurface RiskAnalyzer (BYOL) in the list of available images and click the associated Select button
- Choose an Instance Type: Review the Virtual Hardware Requirements to select the instance type that corresponds to your needs.
The minimum requirements are 4 CPUs, 16 GB RAM, and 128 GB of storage. The recommended instance type that meets these requirements is m4.xlarge.
- Click on "Next: Configure Instance Details"
- Configure your instance as required. You may find it helpful to reference the Configure Instance Details Step of Launching an Instance via the Instance Wizard if any settings are unfamiliar.
- Keep in mind, many of the settings in this step cannot be modified after launching an instance.
- Click on "Add Storage" -> 128 GB is the recommended size, but feel free to increase based on your company's preference.
- Click on "Next: Add Tags" adding any tags that your organization uses for managing your EC2 instances.
- Click on "Next: Configure Security Group", choosing the existing security group you identified in the Prerequisites step.
- Click "Review and Launch" in the bottom right-hand corner.
- You will be prompted to "Select an existing key pair or create a new key pair".
- Choose an existing key pair and select the key pair that was identified in the Prerequisites step listed above.
- Click the acknowledgment check box and then "Launch Instances"
Log Into Your DeepSurface RiskAnalyzer (BYOL) via SSH
- Navigate to the Instances UI in the AWS Console (if you are still on the previous screen, just click the View Instances button on the bottom right). You can also get there by navigating to EC2 then choosing Instances > Instances in the left pane.
- Wait for your newly created Instance to move from Initializing to Running
- This step may take several minutes
- You can edit your instance name while it is still initializing
- Click the checkbox next to your instance
- Connect to your instance using the Connect button, or from Actions select Connect.
- Select the SSH Client tab. You will see a screen that looks like the following
- Open an ssh client and follow the instructions regarding pem key permissions and connecting to your instance via ssh.
- Rather than connecting to your instance with ubuntu as the user name, you must connect with the dsadmin user name.
- The command format will look something like this:
ssh -i [pem key] dsadmin@[AWS public IP Address]
Register your DeepSurface Analyzer instance
Proceed to Package Installation to register with DeepSurface and begin the system initialization process.
Troubleshooting: Errors When Initially Registering
If you run into errors after running sudo deepsurface-install, perform the following step to assist in troubleshooting.
AWS EC2 Metadata Service Connectivity
The EC2 instance must be able to connect to the EC2 metadata service. HTTP connectivity to 169.254.169.254 is required for this Usage Based Product Option.
To verify the EC2 instance can connect to the metadata service, ssh into the EC2 instance and run:
curl http://169.254.169.254/latest/meta-data/
A successful response will return a list of available metadata options.
Please contact DeepSurface support if additional assistance is needed once these troubleshooting steps have been performed.