Skip to main content

Use cases

Integrating the AWS Marketplace Inventory with GravityZone Control Center

To use Bitdefender Security for AWS, you must subscribe to it in the AWS Marketplace. Afterwards you must integrate the GravityZone Control Center with your Amazon EC2 inventory by using cross-account access.

Subscribe to Bitdefender Security for AWS

  1. Login to your AWS Marketplace account.

  2. Access Bitdefender Security for Amazon Web Services page.

  3. Click the Continue button on the right side of the page.

  4. Read the subscription details and click Subscribe.

    A message is going to inform that you are subscribed to Bitdefender Security for AWS.

  5. Click Set Up Your Account. You are going to be redirected to a registration form hosted by Bitdefender. Follow these steps according to your customer status:

    • As new GravityZone customer:

      1. Fill in the required information.

      2. Click Finish purchase.

      If the details you provided are valid, a customer company and a user account are going to be created for you in the GravityZone Control Center. You are going to receive your login details to the specified email address. At this moment, you can access GravityZone Control Center using the link provided in the email.

    • As existing GravityZone customer:

      1. Click the link provided under the form’s title.

      2. Enter your GravityZone credentials.

      3. Click Find company and finish purchase.

      If the login credentials are valid, a confirmation message is displayed. Access GravityZone Control Center using the provided link.

      Note

      For the registration to succeed, you must not have had an Amazon EC2 integration in the past.

For details about subscribing to Bitdefender Security for AWS, refer to Subscribing to Bitdefender Security for Amazon Web Services in AWS Marketplace.

Integrate GravityZone with Amazon Web Services

  1. Log in to Control Center using your GravityZone credentials.

  2. In the upper-right corner of the console, go to Integrations.

  3. If you do not have an active integration, click Add > Add Amazon EC2 Integration. The Amazon EC2 Integration Settings window is going to be displayed.

  4. Under External ID, click the Generate button.

  5. Open a new tab in your browser and log in to the AWS console.

  6. Click Services at the upper-side of the AWS console and select Security, Identity and Compliance > IAM.

  7. In the left-side menu, click Roles. A new page is displayed.

  8. Click the Create role button.

  9. Select Another AWS account.

  10. Switch to the Control Center and copy the Account ID from the Amazon EC2 Integration Settings window.

  11. Go back in AWS console and paste the string in the Account ID field.

  12. Select Require external ID (Best practice when a third party will assume this role).

  13. Switch to Control Center and copy the External ID from the Amazon EC2 Integration Settings window by either:

    1. Selecting the string and use CTRL + C.

    2. Clicking the Copy to clipboard icon at the end of the string.

  14. In the AWS console, paste the string in the External ID field.

  15. Click Next: Permissions.

  16. Check the AmazonEC2ReadOnlyAccess permission and click Next: Review.

  17. In the new page, provide a name and a description in the required fields.

  18. Click Create Role.

    You are going to view the list of all existing roles. Wait for about 1 minute for the changes to propagate across all AWS regions.

  19. Click your role name to view the details.

  20. Copy the ARN.

  21. Switch to the Control Center tab and paste the ARN into the dedicated field.

  22. Click Save.

    GravityZone is going to import the Amazon EC2 instances in the Network page, where they are going to be visible by regions and availability zones.

For details about integrating GravityZone with the Amazon EC2 inventory, refer to Setting up the GravityZone integration with Amazon EC2 using a cross-account role.

Set up Bitdefender Security for AWS from the AWS Marketplace

This section provides you with instructions on how to set up Bitdefender Security for AWS in your Amazon EC2 environment. It is useful to first get familiar with the Bitdefender Security for AWS components (described in Bitdefender Security for AWS compatibility and requirements).

Overview

Before you start, check the Bitdefender Security for AWS compatibility and requirements and make sure to have the required Amazon and GravityZone credentials at hand. You can find all necessary information in the Bitdefender Security for AWS compatibility and requirements page.

To set up Bitdefender Security for AWS on your Amazon EC2 instances follow these steps:

  1. Subscribe to the service in AWS Marketplace.

  2. Integrate GravityZone with Amazon EC2 inventory.

  3. Install BEST on the instances you want to protect.

Subscribe to Bitdefender Security for AWS

  1. Log in to your AWS Marketplace account.

  2. Access the Bitdefender Security for Amazon Web Services page.

  3. Click the Continue button on the right side of the page.

  4. Read the subscription details and click Subscribe. A message will inform that you are subscribed to Bitdefender Security for AWS.

  5. Click Set Up Your Account. You will be redirected to a registration form hosted by Bitdefender. Follow these steps according to your customer status:

    • As new GravityZone customer:

      1. Fill in the required information.

      2. Click Finish purchase.

      If the provided details are valid, a customer company and a user account is going to be created for you in the GravityZone Control Center. You are going to receive your login details to the specified email address. At this moment, you can access GravityZone Control Center using the link provided in the email.

    • As existing GravityZone customer:

      1. Click the link provided under the form’s title.

      2. Enter your GravityZone credentials.

      3. Click Find company and finish purchase.

      If the login credentials are valid, a confirmation message is going to be displayed. Access GravityZone Control Center using the provided link.

      Note

      For the registration to succeed, you must not have had an Amazon EC2 integration in the past.

For details about subscribing to Bitdefender Security for AWS, refer to Subscribing to Bitdefender Security for Amazon Web Services in AWS Marketplace.

Integrate GravityZone with Amazon Web Services

  1. Log in to Control Center using your GravityZone credentials.

  2. In the upper-right corner of the console, go to Integrations.

  3. If you do not have an active integration, click Add > Add Amazon EC2 Integration. The Amazon EC2 Integration Settings window is going to be displayed.

  4. Under External ID, click the Generate button.

  5. Open a new tab in your browser and log in to the AWS console.

  6. Click Services at the upper-side of the AWS console and select Security, Identity and Compliance > IAM.

  7. In the left-side menu, click Roles. A new page is displayed.

  8. Click the Create role button.

  9. Select Another AWS account.

  10. Switch to the Control Center and copy the Account ID from the Amazon EC2 Integration Settings window.

  11. Go back in AWS console and paste the string in the Account ID field.

  12. Select Require external ID (Best practice when a third party will assume this role).

  13. Switch to Control Center and copy the External ID from the Amazon EC2 Integration Settings window by either:

    1. Selecting the string and use CTRL + C.

    2. Clickning the Copy to clipboard icon at the end of the string.

  14. In the AWS console, paste the string in the External ID field.

  15. Click Next: Permissions.

  16. Check the AmazonEC2ReadOnlyAccess permision and click Next: Review.

  17. In the new page, provide a name and a description in the required fields.

  18. Click Create Role. You will view the list of all existing roles. Wait for about 1 minute for the changes to propagate across all AWS regions.

  19. Click your role name to view the details.

  20. Copy the ARN.

  21. Switch to the Control Center tab and paste the ARN into the dedicated field.

  22. Click Save.

    GravityZone is going to import the Amazon EC2 instances in the Network page, where they are going to be visible by regions and availability zones.

For details about integrating GravityZone with Amazon EC2 inventory, refer to Setting up the GravityZone integration with Amazon EC2 using a cross-account role.

Install Bitdefender Endpoint Security Tools on Instances

To protect instances with Bitdefender Security for AWS, you must install Bitdefender Endpoint Security Tools (BEST) on each of them. BEST uses automatic (default) scan modes for EC2 instances set on Central Scan with Bitdefender Security Server hosted in the corresponding AWS region, with fallback on Hybrid Scan (with Light Engines using in-the-cloud scanning and, partially, the local signatures).

Prepare for BEST Installation

You can prepare for Silent Agent installation by following these steps:

  1. Make sure the instances you want to protect run a supported operating system.

  2. BEST has the ability to remove competitor Antivirus solutions. Should to automatic removal fail, uninstall (not just disable) any existing antimalware software from instance. Running other security software simultaneously with Bitdefender Security for AWS may affect their operation and cause major problems with the system.

  3. The installation requires administrative privileges. Make sure to have all the necessary credentials at hand (for example: the private keys of your Amazon EC2 key pairs).

  4. Configure the Amazon EC2 security groups to allow SSH and Remote Desktop Protocol access from your computer and SSH access from the Control Center instance.

  5. If you run firewall software on your instances, make sure to configure it to allow access to the Bitdefender Security for AWS communication ports.

Local Installation

You connect to individual instances via a SSH or Remote Desktop client and use the installation link from Control Center to download and install Silent Agent locally.

To obtain the download links for the installation files follow these steps:

  1. Connect to Control Center using your Company Account.

  2. Go to the Network > Installation Packages page.

  3. Select the package you want to install.

  4. Select Send download links from the More Actions button.

    The newly displayed window provides you with the download links for the Windows web installer and the Linux installation script.

Run the installation file using administrator/root privileges.

Remote Installation

On instances running Linux operating systems, you can install BEST remotely, from the Control Center. For any of these methods, you must first specify the remote authentication credentials:

  1. Connect to Control Center using your Administrator's Account.

  2. Go your name or company's name in the right upper corner of the page and select Credentials Manager.

  3. For each key name, you must specify the private key and, if needed, complete the list of user names to authenticate with. To specify the necessary credentials, click the Edit icon in the Action column. You can either upload the Amazon private key file or insert its content in the text box. You can remove or add user names as needed.

To remotely install BEST from the GravityZone Control Center you must:

  1. Go to the Computers > View Computers page.

    This page displays your Amazon EC2 instances.

  2. Click the Show menu located above the table and select Unmanaged Computers.

  3. Select the check boxes corresponding to the Linux instances on which you want to install protection.

    Use the menu under the OS column to filter instances by operating system.

  4. Click Tasks and select Install from the menu.

  5. Click Install.

    A new window is displayed, prompting for additional information such as credentials and the package that is required for the install.

You can view task execution status and results on the Computers > View Tasks page. The installation takes minutes to complete.

Subscribing to Bitdefender Security for Amazon Web Services in AWS Marketplace

This section provides information about subscribing, unsubscribing and reporting the usage of Bitdefender Security for AWS on your Amazon EC2 instances.

About Bitdefender Security for AWS on Marketplace

Bitdefender has updated its Security for AWS product on AWS Marketplace to support consolidated billing directly from customer’s AWS account.

Subscription on AWS Marketplace is available for new GravityZone customers and for existing users who have not had an AWS subscription in the past.

To subscribe to Bitdefender Security for Amazon Web Services, you must have an active AWS account.

As a best practice, it is strongly recommended that you create and use IAM user accounts associated to your AWS root account. For more information, refer to the official IAM documentation page.

After you subscribe to the Bitdefender Security for AWS, your account is going to be charged by Amazon on hourly usage of the service, as part of your AWS monthly invoice.

Subscribe to Bitdefender Security for AWS

To be able to use Bitdefender Security for AWS on your Amazon EC2 instances, you must subscribe on AWS Marketplace by following these steps:

  1. Login to your AWS Marketplace account.

  2. Access the Bitdefender Security for Amazon Web Services page.

  3. Click the Continue button on the right side of the page.

  4. Read the subscription details and click Subscribe.

    A message is going to inform that you are subscribed to Bitdefender Security for AWS.

    13280_1.png

  5. Click Set Up Your Account.

    You are going to be redirected to a registration form hosted by Bitdefender. Follow these steps according to your customer status:

    • As new GravityZone customer:

      1. Fill in the required information.

        13280_2.png

      2. Click Complete Registration.

      If the provided details are valid, a customer company and a user account is going to be created for you in the GravityZone Control Center. You are going to receive your login details to the specified email address. At this moment, you can access GravityZone Control Center using the link provided in the email.

    • As existing GravityZone customer:

      1. Click the link provided under the form’s title.

      2. Enter your GravityZone credentials.

      3. Click Find company and finish purchase.

        13280_3.png

      If the login credentials are valid, a confirmation message is going to be displayed. Access GravityZone Control Center using the provided link.

      Make sure the company meets the following conditions:

      • The company account is registered as a Customer, not Partner.

      • The company account is not suspended.

      • The company account has AWS visibility in the Integrations section of your profile.

      Note

      For the registration to succeed, you must not have had an Amazon EC2 integration in the past.

After you subscribe to Bitdefender Security for AWS, you need to configure the Amazon EC2 integration and deploy Bitdefender Endpoint Security Tools on your Amazon EC2 instances to protect them. For details, refer to Setting up the GravityZone integration with Amazon EC2 using a cross-account role.

Once you have subscribed and the integration is completed:

  • All your Amazon EC2 instances having BEST installed will become licensed.

  • The AWS Marketplace widget is going to be displayed in the Control Center > My Company page. Click it to go to AWS Marketplace.

Error messages

If the subscription cannot be validated, you are going to receive an error message with explanations adapted to certain situations:

  1. Could not find the company linked to these credentials. The credentials may be invalid or the company does not exist.

    To fix this error, you must:

  2. The company could not be created.

    To fix this error, you must:

  3. Amazon EC2 product activation for this company failed. It may be already activated, or the activation is not possible at this moment.

    To fix this error, you must:

Usage reporting

While subscribed to Bitdefender Security for AWS, you are charged by Amazon on a monthly basis, according to the usage reported by Bitdefender.

The usage of your company is reported hourly per protected instance. Invoicing is performed by AWS according to the instance size:

  • Small – for micro and small EC2 instances.

  • Medium – for medium EC2 instances.

  • Large – for large EC2 instances.

  • xLarge – for xlarge EC2 instances.

Check the AWS Marketplace product page to view the price list for each instance size.

Unsubscribe from Bitdefender Security for AWS

You can unsubscribe anytime from Bitdefender Security for AWS if you do not need to protect your Amazon EC2 instances anymore. For details, refer to Uninstalling Bitdefender Security for Amazon Web Services.Uninstalling Bitdefender Security for Amazon Web Services

Setting up the GravityZone integration with Amazon EC2 using a cross-account role

This section describes how to integrate your Amazon Web Services account with GravityZone Control Center by using a cross-account role.

Should you need to subscribe to Bitdefender Security for AWS from Amazon Web Services Marketplace, refer to Subscribing to Bitdefender Security for Amazon Web Services in AWS Marketplace.

Overview

GravityZone administrators can integrate Control Center with Amazon EC2 by using a cross-account role associated with an IAM (Identity and Access Management) user. To learn more about IAM, refer to the official Amazon Web Services page.

This procedure replaces the old integration method based on AWS key pairs and reflects the latest version of APIs provided by AWS.

GravityZone integration with Amazon EC2 implies the following security elements:

  • Account ID – the unique identifier of the Bitdefender AWS account. The Account ID is necessary for your IAM user to create the GravityZone specific role for cross-account access.

  • External ID – a unique identifier linked to your GravityZone company, used for security reasons and necessary to create the GravityZone specific role for cross-account access.

  • ARN (Amazon Resource Name) – a unique identifier for AWS resources, associated with a role attached to your AWS user account.

Note

It is recommended to set up the Amazon integration using an IAM user account created specifically for this purpose. The IAM user requires the IAMFullAccess permission to be able to create the role required for the AWS integration in GravityZone.

Prerequisites

Before starting to configure the AWS integration:

  • Make sure you have the appropriate AWS user account credentials at hand.

  • Open the AWS Console and the GravityZone Control Center in two browser tabs, at the same time. You are going to need to work on both of them to create the AWS integration successfully.

Before starting the process, make sure that you change the session timeout in Control Center > My Account from 15 minutes to at least 1 hour. If the session expires, you must restart the integration steps.

Integrate GravityZone with Amazon Web Services

  1. Log in to the Control Center using your GravityZone credentials.

  2. In the upper-right corner of the console, go to Integrations.

  3. If you do not have an active integration, click Add > Add Amazon EC2 Integration. The Amazon EC2 Integration Settings window is going to be displayed.

    13155_1.png

  4. Under External ID, click the Generate button.

  5. Open a new tab in your browser and log in to the AWS console.

  6. Click Services at the upper-side of the AWS console and select Security, Identity and Compliance > IAM.

    13155_2.png

  7. In the left-side menu, click Roles.

    A new page is displayed.

    13155_3.png

  8. Click the Create role button.

    13155_4.png

  9. Select Another AWS account.

    13155_5.png

  10. Switch to the Control Center and copy the Account ID from the Amazon EC2 Integration Settings window.

  11. Go back to the AWS console and paste the string in the Account ID field.

  12. Select Require external ID (Best practice when a third party will assume this role).

  13. Switch to Control Center and copy the External ID from the Amazon EC2 Integration Settings window by either:

    1. Selecting the string and use CTRL + C.

    2. Clicking the Copy to clipboard icon at the end of the string.

  14. In the AWS console, paste the string in the External ID field.

  15. Click Next: Permissions.

  16. Check the AmazonEC2ReadOnlyAccess permission and click Next: Review.

  17. In the new page, provide a name and a description in the required fields.

  18. Click Create Role. You will view the list of all existing roles. Wait for about 1 minute for the changes to propagate across all AWS regions.

  19. Click your role name to view the details.

  20. Copy the ARN.

    13155_6.png

  21. Switch to the Control Center tab and paste the ARN into the dedicated field.

  22. Click Save.

    GravityZone is going to import the Amazon EC2 instances in Network page, where they are going to be visible by regions and availability zones.

    Control Center automatically synchronizes with Amazon EC2 inventory every 15 minutes. You can also manually synchronize with Amazon inventory using the Synchronize with Amazon EC2 button placed at the upper side of the Network page.

    The GravityZone Control Center also synchronizes with the AWS console each time you click Save, in the Amazon EC2 Integration Settings window.

Install protection

To protect your Amazon EC2 instances, you must install the Bitdefender Endpoint Security Tools agent on them. When you install the agent, you must assign a Security Server. GravityZone has Security Servers distributed in several AWS regions. Select the Security Server from the same region as your instance.

For more information on installing security agents, refer to Security agents.

Useful considerations: change the External ID, errors, remove the integration

After setting up your integration, you must take into account certain aspects so that you won’t have issues further on.

Change the External ID for your Amazon EC2 integration

If needed, the External ID for your Amazon EC2 integration can be regenerated anytime, in the Control Center. This action is going to invalidate the currently used External ID and the integration. To restore the integration, you have to update your role in the AWS console with the new External ID.

To change the External ID, must follow these steps:

  1. Go to Integrations.

  2. Click the existing Amazon EC2 integration.

    The Amazon EC2 Integration Settings window is going to be displayed.

  3. Click Generate.

    A warning message is going to inform you that the new External ID is going to invalidate the current one. Also, your current integration is going to become invalid until you update your AWS role with the External ID.

  4. Click Confirm.

  5. Copy the newly-generated External ID.

  6. Log in to the AWS console in a new browser tab.

  7. Go to Services > IAM > Roles and select your role.

  8. Go to Summary > Trust Relationship.

  9. Click Edit trust relationship.

    13277_spr.png

  10. Enter the new External ID in the sts:ExternalID field.

    13155_8.png

  11. Click Update Trust Policy.

  12. Go back to the Amazon EC2 Integration Settings window in GravityZone Control Center. The time for the changes to propagate to AWS may vary. Wait for about 1 minute, then click Save.

Error Messages

Certain error messages are going to inform you when something goes wrong with your Amazon EC2 integration:

  • Could not save the changes. Either the provided External ID is incorrect, or the AWS role has propagated in all regions yet.

    This error is displayed when clicking Save in the Amazon EC2 Integration Settings window, in the following situations:

    • The Amazon EC2 policy for your role did not propagate to any AWS region. Wait for a few seconds and click again Save.

    • You have introduced an incorrect External ID when creating or updating your role in the AWS console.

  • Amazon EC2 policy was not applied on all regions. Please wait a few seconds and try again.

    This error is displayed when you have clicked Save in the Amazon EC2 Integration Settings window and the Amazon EC2 policy has propagated to some, but not to all AWS regions. Wait a little bit more and click Save again.

  • Not authorized to perform this operation. Make sure the AmazonEC2ReadOnlyAccess is attached to the user/role.

    This error is displayed when you have clicked Save in the Amazon EC2 Integration Settings window, if the AmazonEC2ReadOnly policy is not attached to the role. To solve this issue, log in to the AWS console, go to Roles > [your role] > Permissions > Attach policy and select the missing policy.

  • Invalid ARN for the specified role.

    This error is displayed when you have clicked Save in the Amazon EC2 Integration Settings window after providing an invalid ARN. Check if the ARN is correct and click Save again.

  • Unknown communication error.

    This is displayed appears if a communication error has been encountered when you have clicked Save in the Amazon EC2 Integration Settings window. Wait a few seconds and click Save again.

  • Invalid Amazon User Credentials.

    You receive this notification by email when:

    • The integration policy from the AWS console (AmazonEC2ReadOnlyAccess) has been detached from your IAM role.

    • You have generated a new External ID without modifying your IAM role or your role has a different External ID from the one existing in GravityZone Control Center.

    • Your IAM role has been deleted from AWS for an existing Amazon EC2 integration.

    This error message is sent one time a day, after:

    • Manual synchronization, when you click the Synchronize with Amazon EC2 button in the Control Center > Network page.

    • Automatic synchronization of GravityZone with AWS, which occurs at every 15 minutes.

Remove the integration

If you do not want to manage the security of your Amazon EC2 instances with Bitdefender anymore, you can delete the integration from Control Center. For details, refer to Uninstalling Bitdefender Security for Amazon Web Services.Uninstalling Bitdefender Security for Amazon Web Services

Active Directory instance within a Security for AWS integration

Currently, there is no full compatibility between the Active Directory instance and the Security for AWS integration. If you add an Active Directory instance within your Security for AWS integration, your machine is going to be set as unmanaged in the Security for AWS integration, without any IP, and its inventory managed by the Active Directory instance.

To best leverage both integrations, the Active Directory instance is prioritized in terms of inventory, policy assignment, and license flows.

If you already have an Active Directory instance in the Security for AWS integration, you must delete and reconfigure the Security for AWS integration.

The set-up order must be:

  1. Active Directory

  2. Security for AWS

Configuring the instances in this order is going to set the instance managed in the Active Directory and unmanaged in the Security for AWS Inventory.

If another Security for AWS integration needs to be added with an Active Directory instance, you must:

  1. Delete your previous Security for AWS integration.

  2. Wait for the Active Directory instance to synchronize.

  3. Reinstall the Security for AWS integration.

In this section: