Protect EC2 instances with Deep Security as a Service
Applies to Deep Security as a Service only
To protect your Amazon Web Services (AWS) EC2 instances with Deep Security as a Service:
- Modify your AWS security group to allow port 443 outbound traffic.
- Add your AWS cloud account to Deep Security.
Deep Security Agent is designed to protect servers, not laptops.
To protect AWS WorkSpaces virtual desktop infrastructure (VDI) workstations, add the “Plus” application bundle instead. It includes Trend Micro Worry-Free Business Security.
If you have AWS security groups or firewall policies that restrict outbound traffic from your EC2 instances, you must allow outbound communication over port 443.
- Log in to your Amazon Web Services Console.
- Go to EC2 > Network & Security > Security Groups.
- Select the security group that is associated with your EC2 instances, then select Actions > Edit outbound rules.
- Allow outbound traffic to Deep Security as a Service IP addresses over port 443.
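A quick way to verify this prerequisite before you add the account, as an added example that is not from the original page: it parses the JSON that `aws ec2 describe-security-groups` prints (a constructed sample is embedded here) and reports which Deep Security as a Service addresses (placeholders below; substitute the published list) no egress rule reaches over TCP/443, and whether 443 is open to the whole internet rather than only to those addresses.

```python
import ipaddress
import json

# Constructed sample of what `aws ec2 describe-security-groups --group-ids sg-...`
# returns for one group. CIDRs are placeholders, not real Deep Security addresses.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0123456789abcdef0",
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    }]
})

# Placeholder list standing in for the published Deep Security as a Service IPs.
DSAAS_IPS = ["198.51.100.10", "198.51.100.20", "203.0.113.5"]


def rule_allows_tcp_443(rule):
    """True if a single egress rule permits TCP/443 (or all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # "All traffic" rule: any port, any protocol
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= 443 <= rule.get("ToPort", 65535)


def check_egress_443(describe_json, dsaas_ips):
    """Return (unreachable_ips, open_to_world) for the first security group.

    unreachable_ips: Deep Security IPs that no egress rule allows TCP/443 to.
    open_to_world:   True if some rule allows TCP/443 to 0.0.0.0/0 or ::/0,
                     which meets the prerequisite but is broader than needed.
    """
    group = json.loads(describe_json)["SecurityGroups"][0]
    allowed_nets = []
    for rule in group.get("IpPermissionsEgress", []):
        if not rule_allows_tcp_443(rule):
            continue
        for r in rule.get("IpRanges", []):
            allowed_nets.append(ipaddress.ip_network(r["CidrIp"]))
        for r in rule.get("Ipv6Ranges", []):
            allowed_nets.append(ipaddress.ip_network(r["CidrIpv6"]))
    open_to_world = any(n.prefixlen == 0 for n in allowed_nets)
    unreachable = [ip for ip in dsaas_ips
                   if not any(ipaddress.ip_address(ip) in n for n in allowed_nets)]
    return unreachable, open_to_world
```

With the sample above, the check reports 203.0.113.5 as unreachable (only the 198.51.100.0/24 rule permits 443) and confirms 443 is not open to 0.0.0.0/0.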
This adds your EC2 instances to Deep Security, and creates a cross-account role for Deep Security.
- Log in to Deep Security as a Service.
- Go to Computers.
- Select Add > Add AWS Account.
- On the Setup Type screen of the wizard, select Quick.
- The next screen describes what will happen during the setup process, and provides a URL that you can send to your AWS administrator if you do not have access to AWS. Click Next.
- If you have not already logged into your AWS account, the wizard prompts you to log in.
- On the Select Template screen, in Source, keep the default Amazon S3 template URL for Deep Security (https://ds-cloud-formation-templates.s3.amazonaws.com/). Click Next.
- On the Specify Details screen, type a name for the AWS CloudFormation stack that will be used to group your EC2 resources for Deep Security. Click Next.
- If your organization uses tags, on the Options screen, add them. Click Next.
- On the Review screen, select I acknowledge that this template might cause AWS CloudFormation to create IAM resources, and then click Create.
When the cross-account role is created and the account has been set up, a success message will appear. You don't need to wait; you can close the wizard before the success message appears. All of your account's EC2 instances will appear in Deep Security Manager on Computers, organized by region, VPC, and subnet.
If your account doesn't appear in Deep Security Manager within 10 minutes, or if an error message appears, see Issues adding your AWS account to Deep Security.
In Deep Security Manager, in the top right corner, select Support > Deployment Scripts.
As you select settings, the deployment script generator produces a corresponding script (PowerShell for Windows, bash for Linux) that you will run on your EC2 instances.
- Select the Platform to which you are deploying the software.
- Select Activate Agent automatically after installation.
- Select a Policy based on the operating system to which you will be deploying the Agent(s).
- Keep defaults for other settings.
- Copy the deployment script.
In your EC2 instances, paste and run the script.
The script will download, install, and activate a Deep Security Agent on your EC2 instance, and then apply the Deep Security protection policy that you selected.
- Connect to your Windows instance via RDP.
- Right-click the PowerShell icon and select Run as Administrator.
- Paste the script into PowerShell and then run it.
- Connect to your Linux instance via SSH.
- Start bash with sudo or as a superuser account such as root.
- Paste the script into the CLI and then run it.
- In Deep Security Manager, go to Computers. In the row for your EC2 instance, verify that the Status column is "Managed (Online)" or that it is managed and an activity is occurring, and that a policy is assigned.