Getting started with Deep Security AMI from AWS Marketplace
When you deploy the Deep Security Manager AMI from AWS Marketplace, you:
- Manage your data and traffic in your Virtual Private Cloud (VPC)
- Manage your own database infrastructure operation and costs
- Deploy and manage the Deep Security Manager
If you would prefer Trend Micro to host and maintain the infrastructure instead, see Sign up for Deep Security as a Service.
Deep Security Agent is designed to protect servers, not laptops.
To protect AWS WorkSpaces virtual desktop infrastructure (VDI) workstations, add the “Plus” application bundle instead. It includes Trend Micro Worry-Free Business Security.
Recommended deployment method
We recommend that you use the AWS Quick Start Deep Security on AWS to automatically deploy Deep Security on AWS. This Quick Start deploys Deep Security using AWS CloudFormation templates and offers two license models: Per Protected Instance Hour and Bring your own License (BYOL). The default configuration protects instances in the Amazon Virtual Private Cloud (Amazon VPC) where the Deep Security Manager is deployed. After deployment, you can modify your setup to protect instances across your entire AWS infrastructure.
The Quick Start includes an option for deploying in the AWS GovCloud (US) region with the BYOL license model.
Detailed step-by-step instructions for deploying the Quick Start are available in the AWS Quick Start deployment guide. The AWS documentation assumes that you have used AWS before and are familiar with AWS services. We recommend that you read the AWS Deep Security Overview before you begin to make sure that you are familiar with the required technologies and concepts and then you can proceed to Step 1. Set up an Amazon VPC.
It should take you less than an hour to deploy and configure your Deep Security environment using the Quick Start. At a high level, you will perform the following steps:
- Set up or identify an Amazon VPC that has two private subnets in different Availability Zones and one public subnet with an attached Internet gateway.
- Subscribe to Deep Security using one of the licensing models.
- Launch the Quick Start for the licensing model you selected: Per Protected Instance Hour Quick Start or BYOL Quick Start.
When the Quick Start has finished it will have deployed a Deep Security management cluster into the VPC that you have set up. This cluster includes Deep Security public and private elastic load balancers, Deep Security Manager instances, and a highly available multi-AZ RDS instance hosting the Deep Security database and its mirror.
- Log in to the Manager console using the URL provided on the Outputs tab of the AWS CloudFormation stack.
- Deploy Deep Security Agents to your AWS instances
You have several options for automating the deployment of Deep Security Agents to your instances:
- Deployment scripts (see Deploy agents using a deployment script )
- Baking the agent (see Bake the Deep Security Agent into your AMI)
- AWS Elastic Beanstalk scripts
- Puppet manifests
- Chef recipes
- Agent-Initiated activation event-based tasks to assign policies (see Create an event-based task)
- Go to Support > Deployment Scripts in the top right corner of Deep Security Manager.
- Select the platform where you will be deploying the agents from the Platform list.
- Select the Activate Agent automatically after installation check box.
- Select a policy based on the operating system where you will be deploying the agents from the Security Policy list.
- Leave the other options as their default settings and click Copy to Clipboard.
As you make the selections, the Deployment Script Generator will generate a script (PowerShell for Windows, bash for Linux) that you will run on your Deep Security instance.
RDP into to your Windows instance, start PowerShell (in administrator mode), and paste the script and run it.
SSH into your Linux instance and run the copied bash script from a command line.
The script will download, install, and activate a Deep Security Agent on your AWS instance and then apply the Deep Security policy that you selected.
- Return to Deep Security Manager to verify that your AWS instance shows a status of "Managed (online)" (or that some operation is underway) and a policy has been assigned.