DeepSurface: AWS EC2 (BYOL)

Prerequisites: Before Starting

  • A DeepSurface Analyzer license is required to use this product. If you do not yet have a license, you may purchase one by submitting the BYOL Licence Request Form.
  • If you are unfamiliar with launching EC2 instances we recommend reviewing the AWS documentation here: Launching an Instance via the Instance Wizard.

Instance Launch Steps (from the AWS Console)

    Your screen will look something like the following. Note the AWS region in the orange rectangle. Ensure you are in the correct region and that this matches the region you provided to the DeepSurface support team.

    1. Navigate to EC2 (as shown by the red arrow and rectangle).
    2. Choose Launch Instance (about halfway down the page as of this writing)
    3. Select AWS Marketplace.
    4. In the search box, type DeepSurface and hit the enter key.
    5. Locate DeepSurface RiskAnalyzer (BYOL) in the list of available images and click the associated Select button.
    6. Choose an Instance Type: Review the Virtual Hardware Requirements to select the instance type that corresponds to your needs. The minimum requirements are 4 CPUs, 16GB RAM, and 128GB for Storage. The recommended instance type that meets these requirements is m4.xlarge.
    7. Click on "Next: Configure Instance Details"
      • Configure your instance as required. You may find it helpful to reference the Configure Instance Details Step of Launching an Instance via the Instance Wizard if any settings are unfamiliar.
      • Keep in mind, many of the settings in this step cannot be modified after launching an instance.
    8. Click on "Add Storage" -> 128 GB is the recommended size, but feel free to increase based on your company's preference.
    9. Click on "Next: Add Tags" adding any tags that your organization uses for managing your EC2 instances.
    10. Click on "Next: Configure Security Group", choosing the existing security group you identified in the Prerequisites step.
    11. Click "Review and Launch" in the bottom right-hand corner.
    12. You will be prompted to "Select an existing key pair or create a new key pair".
    13. Click the acknowledgment check box and then "Launch Instances"

    Log Into Your DeepSurface RiskAnalyzer (BYOL) via SSH

    1. Navigate to the Instances UI in the AWS Console (if you are still on the previous screen, just click the View Instances button on the bottom right). You can also get there by navigating to EC2 then choosing Instances > Instances in the left pane.
    2. Wait for your newly created Instance to move from Initializing to Running
      • This step may take several minutes
      • You can edit your instance name while it is still initializing
    3. Click the checkbox next to your instance.
    4. Connect to your instance using the Connect button, or from Actions select Connect.
    5. Select the SSH Client tab. You will see a screen that looks like the following.
    6. Open an ssh client and follow the instructions regarding pem key permissions and connecting to your instance via ssh.
      • Rather than connecting to your instance with ubuntu as the user name, you must connect with the dsadmin user name.
      • The command format will look something like this: ssh -i [pem key] dsadmin@[AWS public IP Address]

    Register your DeepSurface Analyzer instance

    Proceed to Package Installation to register with DeepSurface and begin the system initialization process.

    Troubleshooting: Errors When Initially Registering

    If you run into errors after running sudo deepsurface-install, perform the following step to assist in troubleshooting.

    AWS EC2 Metadata Service Connectivity

    The EC2 Instance must be able to connect to the EC2 metadata service. HTTP connectivity to 169.254.169.254 is required for this Usage Based Product Option.

    To verify the EC2 instance can connect to the metadata service, ssh into the EC2 instance and run:

    curl http://169.254.169.254/latest/meta-data/

    A successful response will return a list of available metadata options.
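
The curl check above reports only success or failure. As an added example (not part of the DeepSurface documentation), the script below separates the usual failure causes by HTTP status; the function names are hypothetical and it assumes curl is installed on the instance.

```shell
#!/bin/sh
# Added example: diagnose what the EC2 metadata service (IMDS) answers.
IMDS="http://169.254.169.254"

# Map the HTTP status of a metadata request to a diagnosis.
classify_imds_status() {
    case "$1" in
        200) echo "reachable" ;;
        401) echo "token-required" ;;  # IMDSv2 enforced: network path is fine
        403) echo "disabled" ;;        # request not allowed or IMDS turned off
        000) echo "unreachable" ;;     # no HTTP response: route, firewall or proxy
        *)   echo "unexpected" ;;
    esac
}

# HTTP status of the same plain request the page's curl command makes.
probe_v1() {
    curl -s -o /dev/null -m 3 -w '%{http_code}' "$IMDS/latest/meta-data/" || true
}

# HTTP status when a session token is requested first (IMDSv2 flow).
probe_v2() {
    token=$(curl -sf -m 3 -X PUT "$IMDS/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || true
    [ -n "$token" ] || { echo "000"; return 0; }
    curl -s -o /dev/null -m 3 -w '%{http_code}' \
        -H "X-aws-ec2-metadata-token: $token" "$IMDS/latest/meta-data/" || true
}

# Try the plain request; only fall back to the token flow on a 401.
diagnose() {
    v1=$(classify_imds_status "$(probe_v1)")
    if [ "$v1" = "token-required" ]; then
        v2=$(classify_imds_status "$(probe_v2)")
        echo "plain request: $v1, token request: $v2"
    else
        echo "plain request: $v1"
    fi
}

# Only touch the network when asked to, e.g. "sh imds-check.sh run".
if [ "${1:-}" = "run" ]; then
    diagnose
fi
```

A token-required result means the instance enforces IMDSv2 session tokens, so the plain curl command fails even though the network path is fine; unreachable points to routing, host firewall or proxy settings instead.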

    Please contact DeepSurface support if additional assistance is needed once these troubleshooting steps have been performed.