DeepSurface: AWS EC2 (Usage Based)

Prerequisites: Before Subscribing

EC2 Instance launched with the DeepSurface RiskAnalyzer AMI from the AWS Marketplace. To configure your IAM role from the AWS console:

  "Version": "2012-10-17",
  "Statement": [
    "Action": [
    "Effect": "Allow",
      "Resource": "*"
  • If you are unfamiliar with launching EC2 instances, we recommend reviewing the AWS documentation here: Launching an Instance via the Instance Wizard
  • The Virtual Private Cloud (VPC) the EC2 instance is configured to use must support an outbound HTTPS connection to the public Internet in order to connect to the AWS Metering Service (MeterUsage API). For more information, see the Amazon Virtual Private Cloud Documentation
    Instance Launch Steps (from the AWS Console)

    Your screen will look something like the following. Note the AWS region in the orange rectangle. Ensure you are in the correct region and that this matches the region you provided to the DeepSurface support team.

    1. Navigate to EC2 (as shown by the red arrow and rectangle).
    2. Choose Launch Instance (about halfway down the page as of this writing)
    3. Select AWS Marketplace.
    4. In the search box, type DeepSurface and hit the enter key.
    5. Locate DeepSurface RiskAnalyzer in the list of available images and click the associated Select button.
    6. Choose an Instance Type: Review the Virtual Hardware Requirements to select the instance type that corresponds to your needs. The minimum requirements are 4 CPUs, 16GB RAM, and 128GB for Storage. The recommended instance type that meets these requirements is m4.xlarge.
    7. Click on "Next: Configure Instance Details"
      • Configure your instance as required. You may find it helpful to reference the Configure Instance Details Step of Launching an Instance via the Instance Wizard if any settings are unfamiliar.
      • Keep in mind, many of the settings in this step cannot be modified after launching an instance.
      • Assign the IAM role you created in the Prerequisites step.
    8. Click on "Add Storage" -> 128 GB is the recommended size, but feel free to increase based on your company's preference.
    9. Click on "Next: Add Tags" adding any tags that your organization uses for managing your EC2 instances.
    10. Click on "Next: Configure Security Group", choosing the existing security group you identified in the Prerequisites step.
    11. Click "Review and Launch" in the bottom right-hand corner.
    12. You will be prompted to "Select an existing key pair or create a new key pair".
    13. Click the acknowledgment check box and then "Launch Instances".

    Log Into Your DeepSurface RiskAnalyzer via SSH

    1. Navigate to the Instances UI in the AWS Console (if you are still on the previous screen, just click the View Instances button on the bottom right). You can also get there by navigating to EC2 then choosing Instances > Instances in the left pane.
    2. Wait for your newly created Instance to move from Initializing to Running
      • This step may take several minutes
      • You can edit your instance name while it is still initializing
    3. Click the checkbox next to your instance
    4. Connect to your instance using the Connect button, or from Actions select Connect.


    5. Select the SSH Client tab. You will see a screen that looks like the following.

    6. Open an ssh client and follow the instructions regarding pem key permissions and connecting to your instance via ssh.
      • Rather than connecting to your instance with ubuntu as the user name, you must connect with the dsadmin user name.
      • The command format will look something like this: ssh -i [pem key] dsadmin@[AWS public IP Address]

    Register your DeepSurface Analyzer instance

    Proceed to Installation using an OVA to register with DeepSurface and begin the system initialization process.

    Troubleshooting: Errors connecting to the AWS Metering Service on Initial Registration

    If you run into AWS Metering Service connectivity errors after running sudo deepsurface-install, perform the following steps to assist in troubleshooting.

    IAM Role Permissions

    The IAM Role you assigned to the Instance must be assigned the AWSMarketplaceMeteringFullAccess policy. Failure to assign this policy will result in not being able to connect to the AWS Metering Service. For more information, see: Subscribing, Launching, and Managing Products on AWS
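
One way to check a role's policy document for the metering permission before launching, as an added example (not DeepSurface or AWS code). It assumes the IAM action behind the MeterUsage API is aws-marketplace:MeterUsage; the function names and the sample policy are constructed for illustration.

```python
import json
import re

# IAM action behind the MeterUsage API (assumed name, not taken from the page).
METER_ACTION = "aws-marketplace:MeterUsage"


def _as_list(value):
    """IAM accepts either a single string or a list for Action."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, action):
    """IAM action matching: case-insensitive, '*' and '?' are wildcards."""
    for pattern in patterns:
        rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(rx, action, re.IGNORECASE):
            return True
    return False


def check_metering_policy(policy_json):
    """Return (usable, findings); ignores Condition, NotAction, Resource."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    allowed, denied, findings = False, False, []
    for st in statements:
        actions = _as_list(st.get("Action"))
        if not _matches(actions, METER_ACTION):
            continue
        if st.get("Effect") == "Deny":  # explicit Deny always wins
            denied = True
            findings.append("explicit Deny on " + METER_ACTION)
        elif st.get("Effect") == "Allow":
            allowed = True
            broad = [a for a in actions if a in ("*", "aws-marketplace:*")]
            if broad:
                findings.append("broader than needed: " + ", ".join(broad))
    if not allowed:
        findings.append("no statement allows " + METER_ACTION)
    return allowed and not denied, findings


# Constructed sample, shaped like the policy in the Prerequisites section.
SAMPLE = '{"Version": "2012-10-17", "Statement": [{"Action": ["aws-marketplace:MeterUsage"], "Effect": "Allow", "Resource": "*"}]}'
```

Calling check_metering_policy(SAMPLE) returns a usable result with no findings; a policy that only reaches the action through a wildcard is reported as usable but broader than the metering call needs.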

    AWS Metering Service Connectivity

    The EC2 Instance must be able to connect to the AWS Metering Service Endpoint associated with the EC2 region the instance belongs to.

    To verify connectivity, ssh into the EC2 Instance and run the following command from the console, replacing {region} with the region associated with the EC2 instance:

    curl https://metering.marketplace.{region}

    If the response to this command returns healthy, contact DeepSurface support for additional help. If the response to this command returns any other message, verify that the VPC associated with the EC2 instance is configured to connect to the internet using port 443.

    AWS EC2 Metadata Service Connectivity

    The EC2 Instance must be able to connect to the EC2 metadata service. HTTP connectivity to is required for this Usage Based Product Option.

    To verify the EC2 instance can connect to the metadata service ssh into the EC2 instance and run:


    A successful response will return a list of available metadata options.

    Please contact DeepSurface support if additional assistance is needed once these troubleshooting steps have been performed.