Deploy the Deep Security AMI from AWS Marketplace
Instead of manually uploading and installing Deep Security software onto your own custom AMI, we recommend that you use the Quick Start Deep Security on AWS. This method uses AWS CloudFormation templates for quick deployment in about 1 hour. And if you're upgrading an existing Deep Security AMI, see Upgrade the Deep Security Manager AMI instead.
The default configuration protects instances in the Amazon Virtual Private Cloud (VPC) where your Deep Security Manager is deployed. After deployment, you can change this to protect instances across your entire AWS infrastructure.
The Deep Security AMI has two license models:
The template includes an option for deploying in the AWS GovCloud (US) region.
Detailed step-by-step instructions for deploying the Quick Start are available in the AWS Quick Start deployment guide. Basic steps include:
- If you're not familiar with AWS services, read the AWS Deep Security Overview.
- Set up or identify an Amazon VPC that has two private subnets in different Availability Zones (AZ)and one public subnet with an Internet gateway.
- Subscribe to Deep Security using one of the licensing models.
- Launch the Quick Start template for the licensing model you selected: Per Protected Instance Hour Quick Start or BYOL Quick Start.
When it finishes, a Deep Security management cluster has been deployed into the VPC that you have set up. This cluster includes Deep Security public and private elastic load balancers, Deep Security Manager instances, and a highly available multi-AZ RDS instance hosting the Deep Security database and its mirror.
Log in to the Manager console using the URL provided on the Outputs tab of the AWS CloudFormation stack.
To connect via SSH to the Amazon Linux server where Deep Security Manager is running, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html.The user name for the Deep Security Manager instance is "trend", not "root" or "ec2-user".
Install the agent software on computers. There are multiple methods:
- Manual deployment: Run the install package on the computer, then activate it and assign a policy. For instructions, see Manually install the Deep Security Agent.
- Deployment scripts: Upload and then run the installer using Linux or Unix shell scripts or Microsoft PowerShell. For instructions, see Use deployment scripts to add and protect computers.
- Ansible: For Ansible recipes, see the Deep Security Ansible playbook on GitHub.
- Chef: For Chef recipes for deployment and management, see the Deep Security Chef cookbook on GitHub.
- Puppet: For Puppet manifests, see the Deep Security Puppet manifests repository on GitHub.
- SCCM: Microsoft System Center Configuration Manager (SCCM) can install an agent, activate it, and apply a policy. To use SCCM, go to Administration > System Settings > Agents and enable agent-initiated activation.
- Template or Elastic Beanstalk: Include the agent in your VM template. See Bake the agent into your AMI or WorkSpace bundle and AWS Elastic Beanstalk scripts
- Activate the agent.
- Assign a policy to a computer.
- Enable at least one agent to act as a Deep Security Relay. For details, see Distribute security and software updates with relays.