Start protecting AWS instances with Deep Security as a Service

Applies to Deep Security as a Service only

Before you can start protecting your AWS instances with Deep Security as a Service, you will need to:

  1. Modify your AWS Security Group to allow outbound traffic over port 443.
  2. Add your AWS cloud account to Deep Security.
  3. Deploy Deep Security Agents to your AWS instances.

Modify your AWS Security Group to allow outbound traffic over port 443

If you have AWS Security Groups that restrict outbound traffic, you must allow outbound communication over port 443.

  1. Log in to your Amazon Web Services Console.
  2. On the EC2 Dashboard, go to the Security Groups page (Network & Security > Security Groups)
  3. Edit the Security Group associated with your instances to allow outbound traffic to Deep Security IP addresses over port 443.

For more information on required port numbers and IP addresses, see Port numbers.

Add your AWS cloud account to Deep Security

If you want to import Microsoft Azure VMs into Deep Security, see "Import virtual machines from a Microsoft Azure account" in Add a Microsoft Azure cloud account to Deep Security.

You may also think of this as importing your AWS instances to Deep Security.

If you have already added individual AWS instances that are part of this Amazon account, they will be moved in the tree structure to appear under this account.

  1. Sign in to your Deep Security as a Service account at https://app.deepsecurity.trendmicro.com. You'll arrive at the Deep Security Manager web console.
  2. Click the Computers tab to display the Computers page.
  3. On the Computers page, click Add > Add AWS Account to display the Add AWS Cloud Account Wizard.
  4. On the Setup Type page, select Quick
  5. The next page describes what will happen during the setup process and provides a URL that you can send to your AWS administrator in case you do not have access to AWS. Click Next
  6. If you have not already signed into your AWS account you will be prompted to do so.
  7. Click Next on the Select Template page to accept the defaults.
  8. If your organization uses tags, you can add them on the Options page.
  9. Click Next.
  10. On the Review page, select the check box next to I acknowledge that this template might cause AWS CloudFormation to create IAM resources.
  11. Click Create.
  12. When AWS finishes setting up a cross-account role, the page will display a success message. You can close the screen before the success message is displayed. The account will be added as soon as the cross-account role is set up.
  13. All AWS instances associated with your account will appear on the computers page in the Deep Security Manager, organized by region, VPC and subnet.

If you have already added individual AWS instances that are part of this Amazon account, they will be moved in the tree structure to appear under this account.

If your account does not appear on the Computers page within 10 minutes, or if you get an error message saying that the account could not be added, refer to Issues adding your AWS account to Deep Security for troubleshooting tips.

Deploy Deep Security Agents to your AWS instances

  1. In the top right corner, go to Support > Deployment Scripts.
  2. Select the Platform to which you are deploying the software.
  3. Select the Activate Agent Automatically option.
  4. Select a Policy based on the operating system to which you will be deploying the Agent(s).
  5. Leave the other options at their default settings. As you make the selections, the Deployment Script Generator will generate a script (PowerShell for Windows, bash for Linux), that you will run on your Deep Security instance.
  6. Copy the script to your clipboard.
  7. For Windows platforms

    1. RDP into to your Windows instance.
    2. Start PowerShell. (Note: You must run PowerShell as Administrator.)
    3. Paste the script from your clipboard into PowerShell and run it.

    For Linux platforms

    1. SSH into your Linux instance.
    2. Run the copied bash script from a command line. ( Note: You must run the script as root.)

The script will download, install, and activate a Deep Security Agent on your AWS instance, and then apply a Deep Security protection policy.

Return to Deep Security Manager to verify that your AWS instance shows a Status of "Managed (online)" (or that some operation is underway) and a Policy is assigned.