Bake the Deep Security Agent into your AMI

Applies to Deep Security as a Service, Deep Security AMI from AWS Marketplace, and and on-premise Deep Security 10 only

The term “baking into an AMI” refers to the practice of installing preconfigured software onto the instance that your Amazon Machine Image (AMI) is based on. When doing this with the Deep Security Agent, we recommended that you preactivate the agent before you bake it into your AMI.

  1. Ensure that Deep Security Manager is configured to allow agent-initiated activation and to reactivate cloned and unknown agents by selecting those options on the Agents tab.

  1. Create and configure the instance from which you plan to create your AMI as you normally would.
  2. Install and activate a Deep Security Agent on the instance. You can also assign a base policy when you do this.
  3. The Deep Security Agent must be version 9.6 or later.

  1. Create an AMI from your instance.

The Deep Security Agent will start when you launch an instance based on this AMI. The Agent will apply the protection from the policy assigned in step three until the first time it communicates with the Deep Security Manager. The Deep Security Agent will be reactivated as soon as it communicates with the Deep Security Manager and a new policy can be assigned to it when this happens.

It is recommended that you use an event-based task to assign an appropriate policy on reactivation. For more information, see Automatically assign policies based on AWS EC2 instance tags.