Deep Security 11 has reached end of support. Use the version selector (above) to see more recent versions of the Help Center.

Deploy the Deep Security AMI from AWS Marketplace

Instead of manually uploading and installing Deep Security software onto your own custom AMI, we recommend that you use the Quick Start Deep Security on AWS. This method uses AWS CloudFormation templates for quick deployment in about 1 hour. And if you're upgrading an existing Deep Security AMI, see Upgrade the Deep Security Manager AMI instead.

The default configuration protects instances in the Amazon Virtual Private Cloud (VPC) where your Deep Security Manager is deployed. After deployment, you can change this to protect instances across your entire AWS infrastructure.

The Deep Security AMI has two license models:

The template includes an option for deploying in the AWS GovCloud (US) region.

Detailed step-by-step instructions for deploying the Quick Start are available in the AWS Quick Start deployment guide. Basic steps include:

  1. If you're not familiar with AWS services, read the AWS Deep Security Overview.
  2. Set up or identify an Amazon VPC that has two private subnets in different Availability Zones (AZ)and one public subnet with an Internet gateway.
  3. Subscribe to Deep Security using one of the licensing models.
  4. Launch the Quick Start template for the licensing model you selected: Per Protected Instance Hour Quick Start or BYOL Quick Start.

    When it finishes, a Deep Security management cluster has been deployed into the VPC that you have set up. This cluster includes Deep Security public elastic load balancers, Deep Security Manager instances, and a highly available multi-AZ RDS instance hosting the Deep Security database and its mirror.

  5. Log in to the Deep Security Manager console using the URL provided on the Outputs tab of the AWS CloudFormation stack.

    To connect via SSH to the Amazon Linux server where Deep Security Manager is running, see

    The user name for the Deep Security Manager instance is "trend", not "root" or "ec2-user".
  6. Install the agent software on computers. There are multiple methods:

  7. Activate the agent.
  8. Assign a policy to a computer.
  9. Enable at least one agent to act as a Deep Security Relay. For details, see Distribute security and software updates with relays.