Deploy the Deep Security AMI using CloudFormation
Instead of manually deploying Deep Security software, Trend Micro recommends that you use the Deep Security CloudFormation template on AWS. This method uses AWS CloudFormation templates for quick deployment in approximately 1 hour. The CloudFormation template automatically deploys two Deep Security Manager nodes on AWS, using AWS services and best practices. This template is the preferred method of deployment, but you can also follow the manual instructions to deploy the AMI yourself if you only require a single-node Deep Security Manager. If you are upgrading an existing Deep Security AMI, see Upgrade Deep Security Manager AMI instead.
The default configuration protects instances in the Amazon Virtual Private Cloud (VPC) where your Deep Security Manager is deployed. After deployment, you can change this to protect instances across your entire AWS infrastructure.
The Deep Security AMI has two billing models:
- Pay as You Go (also called Per Protected Instance Hour)
- Seat-based (also called Bring Your Own License (BYOL))
The template includes an option for deploying in the AWS GovCloud (US) region.
The following are detailed instructions for deploying Deep Security using the CloudFormation template:
- Set up or identify an Amazon VPC that has two private subnets in different Availability Zones (AZ) and one public subnet with an Internet gateway.
If you are not familiar with the AWS VPC setup, you can use the CloudFormation template on the Trend Micro Deep Security GitHub repository to build a VPC for Deep Security.
- Download the Infrastructure.template from the Deep Security GitHub repository.
- In AWS CloudFormation, go to Stacks > Create stack. Use Amazon S3 URL or Upload the template file or synchronize from Git to open the template on AWS Cloudformation.
- Go to Specify stack details and specify the VPC's name, then set Enable DNS Host Name to True.
- Configure stack options as required, and then click Next.
- Review and create the stack, then click Next, and then click Submit if all the configurations are correct.
After the stack has been created, the VPC information is displayed in the CloudFormation stack Outputs tab.
- Select the CloudFormation template for the licensing model you selected earlier, and then perform the following:
  - Select CloudFormation Template from the Fulfillment option list.
  - Select the Software version. Trend Micro recommends selecting the latest version.
  - Select the region to which to deploy.
  - Click Continue to Launch.
  - In the Launch this software page, select Launch CloudFormation from the Choose Action list, and then click Launch.
- In the AWS CloudFormation console, perform the following:
  - In AWS CloudFormation, go to Stacks > Create stack. Use the default Amazon S3 URL displayed on the page, and then click Next.
  - Go to Specify stack details, configure the parameters, and then click Next.
  - Review and create the stack, then click Next, and then click Submit if all the configurations are correct.
When finished, a Deep Security management cluster has been deployed into the VPC that you set up. This cluster includes Deep Security public elastic load balancers (ELBs), two Deep Security Manager instances, and a highly available multi-AZ RDS instance for the Deep Security database and its mirror.
The following diagram depicts the process:
To create more than two Deep Security Managers, you need to launch a new AMI. For more information, see Deploy the Deep Security AMI manually.
You can log in to the Deep Security Manager console by using the URL provided on the Outputs tab of the AWS CloudFormation stack.
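The same two-stack procedure (VPC from Infrastructure.template, then the Deep Security template) driven from the AWS SDK for Python instead of the console, chaining the VPC stack's Outputs into the manager stack's parameters and reading the console URL from the manager stack's Outputs. This is an added example, not code from this page or from Trend Micro's templates; the output keys, parameter keys and S3 URLs are placeholders, so take the real ones from your stack's Outputs tab and the template's Parameters section, and it assumes boto3 and AWS credentials are configured.

```python
import re
from typing import Dict, List
# Constructed sample describe_stacks() reply for the VPC stack built from Infrastructure.template.
# OutputKey names are assumptions; use the keys shown on your own stack's Outputs tab.
SAMPLE_VPC_RESPONSE = {"Stacks": [{"StackName": "ds-vpc", "StackStatus": "CREATE_COMPLETE",
    "Outputs": [{"OutputKey": "VPCID", "OutputValue": "vpc-0123456789abcdef0"},
                {"OutputKey": "PrivateSubnet1", "OutputValue": "subnet-0aaa"},
                {"OutputKey": "PrivateSubnet2", "OutputValue": "subnet-0bbb"},
                {"OutputKey": "PublicSubnet", "OutputValue": "subnet-0ccc"}]}]}
# Assumed mapping from VPC-stack output keys to the manager template's parameter keys.
VPC_TO_MANAGER_PARAMS = {"VPCID": "ManagerVpcId", "PrivateSubnet1": "ManagerSubnetA",
                         "PrivateSubnet2": "ManagerSubnetB", "PublicSubnet": "ElbSubnet"}

def outputs_to_dict(response: dict) -> Dict[str, str]:
    """Flatten a describe_stacks() reply into {OutputKey: OutputValue}; refuse any stack
    that is not CREATE_COMPLETE so a half-built VPC is never chained into the next stack."""
    stack = response["Stacks"][0]
    if stack.get("StackStatus") != "CREATE_COMPLETE":
        raise RuntimeError(f"{stack.get('StackName')} is {stack.get('StackStatus')}")
    return {o["OutputKey"]: o["OutputValue"] for o in stack.get("Outputs", [])}

def build_manager_parameters(vpc_outputs: Dict[str, str], mapping=VPC_TO_MANAGER_PARAMS) -> List[dict]:
    """Turn VPC outputs into the manager stack's Parameters list; a missing output is an error."""
    missing = sorted(set(mapping) - set(vpc_outputs))
    if missing:
        raise KeyError(f"VPC stack outputs missing: {missing}")
    return [{"ParameterKey": mapping[k], "ParameterValue": vpc_outputs[k]} for k in mapping]

def manager_console_url(manager_outputs: Dict[str, str]) -> str:
    """Pick the console URL from the manager stack's outputs and insist that it is https."""
    urls = [v for v in manager_outputs.values() if re.match(r"^https://", v)]
    if len(urls) != 1:
        raise ValueError(f"expected exactly one https:// output, found {urls}")
    return urls[0]

def deploy_stack(cfn, name: str, template_url: str, parameters: List[dict]) -> Dict[str, str]:
    """Create a stack from an S3 template URL, wait for CREATE_COMPLETE and return its outputs.
    `cfn` is a boto3 CloudFormation client (assumption: boto3 and AWS credentials are configured)."""
    cfn.create_stack(StackName=name, TemplateURL=template_url, Parameters=parameters,
                     Capabilities=["CAPABILITY_IAM"])  # assumption: the template creates IAM roles
    cfn.get_waiter("stack_create_complete").wait(StackName=name)
    return outputs_to_dict(cfn.describe_stacks(StackName=name))

if __name__ == "__main__":  # placeholder S3 URLs and parameter keys; substitute your own
    import boto3
    cfn = boto3.client("cloudformation", region_name="us-east-1")
    vpc = deploy_stack(cfn, "ds-vpc", "https://S3_BUCKET_PLACEHOLDER/Infrastructure.template",
                       [{"ParameterKey": "VpcName", "ParameterValue": "deep-security"},
                        {"ParameterKey": "EnableDnsHostName", "ParameterValue": "True"}])
    mgr = deploy_stack(cfn, "ds-manager", "https://S3_BUCKET_PLACEHOLDER/DeepSecurity.template",
                       build_manager_parameters(vpc))
    print("Deep Security Manager console:", manager_console_url(mgr))
```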
For information on how to connect via SSH to the Amazon Linux server where Deep Security Manager is running, see What is Amazon EC2?.
Note that the user name for the Deep Security Manager instance is trend (not root or ec2-user).
Next steps
After installing the manager, you are ready to deploy a Deep Security Relay and Deep Security Agents.