Use cases
Integrate AWS Inventory with GravityZone Control Center
To use Bitdefender Security for AWS, you must subscribe to it in AWS Marketplace, then integrate GravityZone Control Center with your Amazon EC2 inventory by using cross-account access.
Subscribe to Bitdefender Security for AWS
Log in to your AWS Marketplace at this link: https://aws.amazon.com/marketplace/.
Access Bitdefender Security for Amazon Web Services page.
Click the Continue button on the right side of the page.
Read the subscription details and click Subscribe. A message will inform you that you are subscribed to Bitdefender Security for AWS.
Click Set Up Your Account. You will be redirected to a registration form hosted by Bitdefender. Follow these steps according to your customer status:
As new GravityZone customer:
Fill in the required information.
Click Finish purchase.
If the provided details are valid, a customer company and a user account will be created for you in GravityZone Control Center. You will receive your login details to the specified email address. At this moment, you can access GravityZone Control Center using the link provided in the email.
As existing GravityZone customer:
Click the link provided under the form’s title.
Enter your GravityZone credentials.
Click Find company and finish purchase.
If the login credentials are valid, a confirmation message will appear. Access GravityZone Control Center using the provided link.
Note
For the registration to succeed, you must not have had an Amazon EC2 integration in the past.
For details about subscribing to Bitdefender Security for AWS, refer to Subscribe to Bitdefender Security for Amazon Web Services in AWS Marketplace.
Integrate GravityZone with Amazon Web Services
Log in to Control Center using your GravityZone credentials.
In the upper-right corner of the console, go to Integrations.
If you do not have an active integration, click Add > Add Amazon EC2 Integration. The Amazon EC2 Integration Settings window will open.
Under External ID, click the Generate button.
Open a new tab in your browser and log in to the AWS console.
Click Services at the upper-side of the AWS console and select Security, Identity and Compliance > IAM.
In the left-side menu, click Roles. A new page is displayed.
Click the Create role button.
Select Another AWS account.
Switch to Control Center and copy the Account ID from the Amazon EC2 Integration Settings window.
Go back to the AWS console and paste the string in the Account ID field.
Select Require external ID (Best practice when a third party will assume this role).
Switch to Control Center and copy the External ID from the Amazon EC2 Integration Settings window. You can do this in two ways:
Select the string and use CTRL + C.
Click the Copy to clipboard icon at the end of the string.
Back in the AWS console, paste the string in the External ID field.
Click Next: Permissions.
Check the AmazonEC2ReadOnlyAccess permission and click Next: Review.
In the new page, provide a name and a description in the required fields.
Click Create Role. You will view the list of all existing roles. Wait for about 1 minute for the changes to propagate across all AWS regions.
Click your role name to view the details.
Copy the ARN.
Switch to the Control Center tab and paste the ARN into the dedicated field.
Click Save.
GravityZone will import the Amazon EC2 instances in Network, where they will be visible by regions and availability zones.
For details about integrating GravityZone with Amazon EC2 inventory, refer to Set up GravityZone integration with Amazon EC2 using a cross-account role.
Set up Bitdefender Security for AWS
This section provides you with instructions on how to set up Bitdefender Security for AWS in your Amazon EC2 environment. It is useful to first get familiar with the Bitdefender Security for AWS components (described in Bitdefender Security for AWS compatibility and requirements).
Overview
Before you start, check Bitdefender Security for AWS compatibility and requirements and make sure to have the required Amazon and GravityZone credentials at hand. You can find all necessary information in Bitdefender Security for AWS compatibility and requirements.
To set up Bitdefender Security for AWS on your Amazon EC2 instances, follow the steps below:
Subscribe to the service in AWS Marketplace.
Integrate GravityZone with Amazon EC2 inventory.
Install BEST on the instances you want to protect.
Subscribe to Bitdefender Security for AWS
Log in to your AWS Marketplace at this link: https://aws.amazon.com/marketplace/.
Access Bitdefender Security for Amazon Web Services page.
Click the Continue button on the right side of the page.
Read the subscription details and click Subscribe. A message will inform you that you are subscribed to Bitdefender Security for AWS.
Click Set Up Your Account. You will be redirected to a registration form hosted by Bitdefender. Follow these steps according to your customer status:
As new GravityZone customer:
Fill in the required information.
Click Finish purchase.
If the provided details are valid, a customer company and a user account will be created for you in GravityZone Control Center. You will receive your login details to the specified email address. At this moment, you can access GravityZone Control Center using the link provided in the email.
As existing GravityZone customer:
Click the link provided under the form’s title.
Enter your GravityZone credentials.
Click Find company and finish purchase.
If the login credentials are valid, a confirmation message will appear. Access GravityZone Control Center using the provided link.
Note
For the registration to succeed, you must not have had an Amazon EC2 integration in the past.
For details about subscribing to Bitdefender Security for AWS, refer to Subscribe to Bitdefender Security for Amazon Web Services in AWS Marketplace.
Integrate GravityZone with Amazon Web Services
Log in to Control Center using your GravityZone credentials.
In the upper-right corner of the console, go to Integrations.
If you do not have an active integration, click Add > Add Amazon EC2 Integration. The Amazon EC2 Integration Settings window will open.
Under External ID, click the Generate button.
Open a new tab in your browser and log in to the AWS console.
Click Services at the upper-side of the AWS console and select Security, Identity and Compliance > IAM.
In the left-side menu, click Roles. A new page is displayed.
Click the Create role button.
Select Another AWS account.
Switch to Control Center and copy the Account ID from the Amazon EC2 Integration Settings window.
Go back to the AWS console and paste the string in the Account ID field.
Select Require external ID (Best practice when a third party will assume this role).
Switch to Control Center and copy the External ID from the Amazon EC2 Integration Settings window. You can do this in two ways:
Select the string and use CTRL + C.
Click the Copy to clipboard icon at the end of the string.
Back in the AWS console, paste the string in the External ID field.
Click Next: Permissions.
Check the AmazonEC2ReadOnlyAccess permission and click Next: Review.
In the new page, provide a name and a description in the required fields.
Click Create Role. You will view the list of all existing roles. Wait for about 1 minute for the changes to propagate across all AWS regions.
Click your role name to view the details.
Copy the ARN.
Switch to the Control Center tab and paste the ARN into the dedicated field.
Click Save.
GravityZone will import the Amazon EC2 instances in Network, where they will be visible by regions and availability zones.
For details about integrating GravityZone with Amazon EC2 inventory, refer to Set up GravityZone integration with Amazon EC2 using a cross-account role.
Install BEST on Instances
To protect instances with Bitdefender Security for AWS, you must install BEST (the client software) on each of them. BEST uses automatic (default) scan modes for EC2 instances set on Central Scan with Bitdefender Security Server hosted in the corresponding AWS region, with fallback on Hybrid Scan (with Light Engines using in-the-cloud scanning and, partially, the local signatures).
Prepare for Silent Agent installation as follows:
Make sure the instances you want to protect run a supported operating system.
BEST can remove competitor antivirus solutions. Should the automatic removal fail, uninstall (not just disable) any existing antimalware software from the instance. Running other security software simultaneously with Bitdefender Security for AWS may affect their operation and cause major problems with the system.
The installation requires administrative privileges. Make sure to have all the necessary credentials at hand (for example, the private keys of your Amazon EC2 key pairs).
Configure the Amazon EC2 security groups to allow SSH and Remote Desktop Protocol access from your computer and SSH access from the Control Center instance.
If you run firewall software on your instances, make sure to configure it to allow access to the Bitdefender Security for AWS communication ports.
You connect to individual instances via an SSH or Remote Desktop client and use the installation link from Control Center to download and install Silent Agent locally.
To obtain the download links for the installation files:
Connect to Control Center using your company account.
Go to the Computers > Installation Area page.
Click Installation Link. The window that appears provides you with the download links for the Windows web installer and the Linux installation script.
Run the installation file using administrator/root privileges.
On instances running Linux operating systems, you can install BEST remotely, from Control Center. For any of these methods, you must first specify the remote authentication credentials:
Connect to Control Center using your Administrator's Account.
Go to your name or company's name in the upper-right corner of the page > Credentials Manager.
For each key name, you must specify the private key and, if needed, complete the list of user names to authenticate with. To specify the necessary credentials, click the Edit icon in the Action column. You can either upload the Amazon private key file or insert its content in the text box. You can remove or add user names as needed.
Remote Installation. To remotely install BEST from the GravityZone Control Center:
Go to the Computers > View Computers page. This page displays your Amazon EC2 instances.
Click the Show menu located above the table (to the left) and choose Unmanaged Computers.
Select the check boxes corresponding to the Linux instances on which you want to install protection. Use the menu under the OS column to filter instances by operating system.
Click Tasks and choose Install from the menu.
Click Install. A window will appear, prompting for additional information such as credentials and the package that is required for the install.
You can view task execution status and results on the Computers > View Tasks page. Installation takes minutes to complete.
Subscribe to Bitdefender Security for Amazon Web Services in AWS Marketplace
This section provides information about subscribing, unsubscribing and reporting the usage of Bitdefender Security for AWS on your Amazon EC2 instances.
About Bitdefender Security for AWS on Marketplace
Bitdefender has updated its Security for AWS product on AWS Marketplace to support consolidated billing directly from customer’s AWS account.
Subscription on AWS Marketplace is currently available for new GravityZone customers and for existing users who have not had an AWS subscription in the past.
To subscribe to Bitdefender Security for Amazon Web Services, you must have an active AWS account.
As a best practice, it is strongly recommended that you create and use IAM user accounts associated with your AWS root account. Learn more about IAM here.
After subscribing to the Bitdefender Security for AWS, your account will be charged by Amazon on hourly usage of the service, as part of your AWS monthly invoice.
Subscribing to Bitdefender Security for AWS
To be able to use Bitdefender Security for AWS on your Amazon EC2 instances, you must subscribe on AWS Marketplace following these steps:
Log in to your AWS Marketplace at this link: https://aws.amazon.com/marketplace/.
Access Bitdefender Security for Amazon Web Services page.
Click the Continue button on the right side of the page.
Read the subscription details and click Subscribe. A message will inform you that you are subscribed to Bitdefender Security for AWS.
Click Set Up Your Account. You will be redirected to a registration form hosted by Bitdefender. Follow these steps according to your customer status:
As new GravityZone customer:
Fill in the required information.
Click Complete Registration.
If the provided details are valid, a customer company and a user account will be created for you in GravityZone Control Center. You will receive your login details to the specified email address. At this moment, you can access GravityZone Control Center using the link provided in the email.
As existing GravityZone customer:
Click the link provided under the form’s title.
Enter your GravityZone credentials.
Click Find company and finish purchase.
If the login credentials are valid, a confirmation message will appear. Access GravityZone Control Center using the provided link.
Make sure the company meets the following conditions:
The company account is registered as a Customer, not Partner.
The company account is not suspended.
The company account has AWS visibility in the Integrations section of your profile.
Note
For the registration to succeed, you must not have had an Amazon EC2 integration in the past.
After subscribing to Bitdefender Security for AWS, you need to configure the Amazon EC2 integration and deploy Bitdefender Endpoint Security Tools on your Amazon EC2 instances to protect them. For details, refer to Set up GravityZone integration with Amazon EC2 using a cross-account role.
Once you have subscribed and the integration is completed:
All your Amazon EC2 instances having BEST installed will become licensed.
The AWS Marketplace widget will appear in Control Center > My Company. Click it to go to AWS Marketplace.
Error messages
If the subscription cannot be validated, you will receive an error message with explanations adapted to certain situations:
Could not find the company linked to these credentials. The credentials may be invalid or the company does not exist.
Solution:
Re-enter your GravityZone credentials by accessing the provided link.
Contact Bitdefender Business Support.
The company could not be created.
Solution:
Contact Bitdefender Business Support.
Amazon EC2 product activation for this company failed. It may be already activated, or the activation is not possible at this moment.
Solution:
Re-enter your GravityZone credentials by accessing the provided link.
Contact Bitdefender Business Support.
Usage reporting
While subscribed to Bitdefender Security for AWS, you are charged by Amazon on a monthly basis, according to the usage reported by Bitdefender.
The usage of your company is reported hourly per protected instance. Invoicing is performed by AWS according to the instance size, as defined below:
Small – for micro and small EC2 instances.
Medium – for medium EC2 instances.
Large – for large EC2 instances.
xLarge – for xlarge EC2 instances.
Check the AWS Marketplace product page to view the price list for each instance size.
Unsubscribing from Bitdefender Security for AWS
You can unsubscribe anytime from Bitdefender Security for AWS if you do not need to protect your Amazon EC2 instances anymore. For details, refer to Uninstall Bitdefender Security for Amazon Web Services.
Set up GravityZone integration with Amazon EC2 using a cross-account role
This section describes how to integrate your Amazon Web Services account with GravityZone Control Center by using a cross-account role.
Should you need to subscribe to Bitdefender Security for AWS from Amazon Web Services Marketplace, refer to Subscribe to Bitdefender Security for Amazon Web Services in AWS Marketplace.
Overview
GravityZone administrators can integrate Control Center with Amazon EC2 by using a cross-account role associated with an IAM (Identity and Access Management) user. To learn more about IAM, refer to this KB article provided by Amazon Web Services.
This procedure replaces the old integration method based on AWS key pairs and reflects the latest version of APIs provided by AWS.
GravityZone integration with Amazon EC2 implies the following security elements:
Account ID – the unique identifier of the Bitdefender AWS account. The Account ID is necessary for your IAM user to create the GravityZone specific role for cross-account access.
External ID – a unique identifier linked to your GravityZone company, used for security reasons and necessary to create the GravityZone specific role for cross-account access.
ARN (Amazon Resource Name) – a unique identifier for AWS resources, associated with a role attached to your AWS user account.
Note
It is recommended to set up the Amazon integration using an IAM user account created specifically for this purpose. The IAM user requires IAMFullAccess permission to be able to create the role required for the AWS integration in GravityZone.
Prerequisites
Before starting to configure the AWS integration:
Make sure you have the appropriate AWS user account credentials at hand.
Open the AWS Console and GravityZone Control Center in two browser tabs, at the same time. You will need to work on both of them to create the AWS integration successfully.
Before starting the process, make sure that you change the session timeout in Control Center > My Account from 15 minutes to at least 1 hour. If the session expires, you must restart the integration steps.
Integrating GravityZone with Amazon Web Services
Log in to Control Center using your GravityZone credentials.
In the upper-right corner of the console, go to Integrations.
If you do not have an active integration, click Add > Add Amazon EC2 Integration. The Amazon EC2 Integration Settings window will open.
Under External ID, click the Generate button.
Open a new tab in your browser and log in to the AWS console.
Click Services at the upper-side of the AWS console and select Security, Identity and Compliance > IAM.
In the left-side menu, click Roles. A new page is displayed.
Click the Create role button.
Select Another AWS account.
Switch to Control Center and copy the Account ID from the Amazon EC2 Integration Settings window.
Go back to the AWS console and paste the string in the Account ID field.
Select Require external ID (Best practice when a third party will assume this role).
Switch to Control Center and copy the External ID from the Amazon EC2 Integration Settings window. You can do this in two ways:
Select the string and use CTRL + C.
Click the Copy to clipboard icon at the end of the string.
Back in the AWS console, paste the string in the External ID field.
Click Next: Permissions.
Check the AmazonEC2ReadOnlyAccess permission and click Next: Review.
In the new page, provide a name and a description in the required fields.
Click Create Role. You will view the list of all existing roles. Wait for about 1 minute for the changes to propagate across all AWS regions.
Click your role name to view the details.
Copy the ARN.
Switch to the Control Center tab and paste the ARN into the dedicated field.
Click Save.
GravityZone will import the Amazon EC2 instances in Network, where they will be visible by regions and availability zones.
Control Center automatically synchronizes with Amazon EC2 inventory every 15 minutes. You can also manually synchronize with Amazon inventory using the Synchronize with Amazon EC2 button placed at the upper side of the Network page.
GravityZone Control Center also synchronizes with AWS console each time you click Save in the Amazon EC2 Integration Settings window.
Install protection
To protect your Amazon EC2 instances, you must install the Bitdefender Endpoint Security Tools agent on them. When installing an agent, you have to assign a Security Server. GravityZone has Security Servers distributed in several AWS regions. Select the Security Server from the same region as your instance.
For more information on installing security agents, refer to Security agents.
Useful considerations: changing the External ID, errors, removing the integration
After setting up your integration, you must take into account certain aspects so that you won’t have issues further on.
If needed, you can regenerate anytime in Control Center the External ID for your Amazon EC2 integration. This action will invalidate the currently used External ID and the integration. To restore the integration, you have to update your role in the AWS console with the new External ID.
This is how you change the External ID:
Go to Integrations.
Click the existing Amazon EC2 integration. The Amazon EC2 Integration Settings window will open.
Click Generate. A warning message will inform you that the new External ID will invalidate the current one. Also, your current integration will become invalid until you update your AWS role with the External ID.
Click Confirm.
Copy the newly-generated External ID.
Log in to the AWS console in a new browser tab.
Go to Services > IAM > Roles and select your role.
Go to Summary > Trust Relationship and click Edit trust relationship.
Enter the new External ID in the sts:ExternalID field.
Click Update Trust Policy.
Go back to the Amazon EC2 Integration Settings window in GravityZone Control Center. The time for the changes to propagate to AWS may vary. Wait for about 1 minute, then click Save.
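The role-creation steps under Integrating GravityZone with Amazon Web Services and the External ID change above both come down to one trust policy plus one attached permission policy. The following is an added example, not Bitdefender's own code: it builds the trust policy those console steps produce and audits a role against it. The Account ID and External ID values are constructed placeholders, and the function names are hypothetical.

```python
import json

# Constructed placeholders: the real Account ID and External ID are shown in
# the Amazon EC2 Integration Settings window in Control Center.
VENDOR_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"
REQUIRED_POLICY = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"


def build_trust_policy(account_id, external_id):
    """Trust policy produced by 'Another AWS account' + 'Require external ID'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_account(principal):
    """Account ID of an AWS principal given as a bare ID or an IAM ARN."""
    if not isinstance(principal, str):
        return None
    if len(principal) == 12 and principal.isdigit():
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "iam":
        return parts[4]
    return None


def audit_role(trust_policy, attached_policy_arns, account_id, external_id):
    """Return findings; an empty list means the role matches the procedure."""
    findings = []
    trusts_vendor = False
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            extra = sorted(set(principal) - {"AWS"})
            if extra:
                findings.append(f"non-account principal type trusted: {', '.join(extra)}")
            principals = _as_list(principal.get("AWS", []))
        else:
            principals = [principal]
        # Condition key names are case-insensitive, so sts:ExternalID also matches.
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        ext_values = [v for key, vals in string_equals.items()
                      if key.lower() == "sts:externalid" for v in _as_list(vals)]
        for p in principals:
            if p == "*":
                findings.append("any AWS principal may assume the role")
            elif _principal_account(p) != account_id:
                findings.append(f"unexpected trusted principal: {p}")
            else:
                trusts_vendor = True
                if not ext_values:
                    findings.append("no sts:ExternalId condition on the vendor statement")
                elif ext_values != [external_id]:
                    findings.append("External ID differs from the one in Control Center")
    if not trusts_vendor:
        findings.append("no statement trusts the expected Account ID")
    attached = set(attached_policy_arns)
    if REQUIRED_POLICY not in attached:
        findings.append("AmazonEC2ReadOnlyAccess is not attached")
    for arn in sorted(attached - {REQUIRED_POLICY}):
        findings.append(f"extra policy attached: {arn}")
    return findings


if __name__ == "__main__":
    expected = build_trust_policy(VENDOR_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(expected, indent=2))
    # Constructed case: External ID regenerated in Control Center, role not updated.
    stale = build_trust_policy(VENDOR_ACCOUNT_ID, "OLD-EXTERNAL-ID")
    print(audit_role(stale, [REQUIRED_POLICY], VENDOR_ACCOUNT_ID, EXTERNAL_ID))
```

To audit a real role, pass the AssumeRolePolicyDocument returned by aws iam get-role and the policy ARNs returned by aws iam list-attached-role-policies.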
Certain error messages will inform you when something goes wrong with your Amazon EC2 integration:
Could not save the changes. Either the provided External ID is incorrect, or the AWS role has propagated in all regions yet.
This error appears when clicking Save in the Amazon EC2 Integration Settings window, in the following situations:
The Amazon EC2 policy for your role did not propagate to any AWS region. Wait for a few seconds and click Save again.
You have introduced an incorrect External ID when creating or updating your role in the AWS console.
Amazon EC2 policy was not applied on all regions. Please wait a few seconds and try again.
This error appears when clicking Save in the Amazon EC2 Integration Settings window and the Amazon EC2 policy has propagated to some, but not to all AWS regions. Wait a little bit more and click Save again.
Not authorized to perform this operation. Make sure the AmazonEC2ReadOnlyAccess is attached to the user/role.
This error appears when clicking Save in the Amazon EC2 Integration Settings window, if the AmazonEC2ReadOnlyAccess policy is not attached to the role. To solve this issue, log in to the AWS console, go to Roles > [your role] > Permissions > Attach policy and select the missing policy.
Invalid ARN for the specified role.
This error appears when clicking Save in the Amazon EC2 Integration Settings window after providing an invalid ARN. Verify the ARN and click Save again.
Unknown communication error.
This error appears if a communication error has been encountered when clicking Save in the Amazon EC2 Integration Settings window. Wait a few seconds and click Save again.
Invalid Amazon User Credentials.
You receive this notification by email when:
The integration policy from the AWS console (AmazonEC2ReadOnlyAccess) has been detached from your IAM role.
You have generated a new External ID without modifying your IAM role or your role has a different External ID from the one existing in GravityZone Control Center.
Your IAM role has been deleted from AWS for an existing Amazon EC2 integration.
This error message is sent one time a day, after:
Manual synchronization, when clicking the Synchronize with Amazon EC2 button in Control Center > Network.
Automatic synchronization of GravityZone with AWS, which occurs every 15 minutes.
If you do not want to manage the security of your Amazon EC2 instances with Bitdefender anymore, you can delete the integration from Control Center. For details, refer to Uninstall Bitdefender Security for Amazon Web Services.
Uninstall Bitdefender Security for Amazon Web Services
This section covers the complete flow of removing Bitdefender Security for AWS from Amazon EC2 instances.
This flow ensures a seamless removal of Bitdefender Security for Amazon Web Services, avoiding potential security issues and additional charges from Amazon.
Uninstall Bitdefender Endpoint Security Tools from Amazon EC2 instances
If you do not plan to manage the security of your EC2 instances with Bitdefender Endpoint Security Tools, you must uninstall the security agent from them. There are two ways you can uninstall Bitdefender Endpoint Security Tools:
Manually on the target instances:
For Windows OS:
Log in to the EC2 instance.
Go to Control Panel and select Bitdefender Endpoint Security Tools.
Access the Uninstall option.
Enter the Bitdefender password, if enabled in the security policy. During uninstallation, you can view the progress of the task.
For Linux OS:
Open the terminal.
Gain root access using the su or sudo su commands.
Navigate using the cd command to the following path:
/opt/BitDefender/bin
Run the script:
# ./remove-sve-client
Enter the Bitdefender password to continue, if enabled in the security policy.
Remotely. Send the managed instances an Uninstall task from GravityZone Control Center.
Delete the Amazon EC2 integration
You can do this in GravityZone Control Center:
Go to the Integrations page from the menu in the upper-right corner of Control Center.
Select the check box corresponding to the Amazon EC2 integration.
Click the Delete button at the upper side of the table. You need to confirm the deletion in the new window that shows up.
Unsubscribe from Bitdefender Security for AWS
You can do this in AWS Marketplace:
Log in to AWS Marketplace by:
Following this link: https://aws.amazon.com/marketplace/.
Clicking the AWS Marketplace widget in GravityZone Control Center > My Company.
From the user menu in the upper-right corner of the screen, select Your Marketplace Software.
Go to Your Software Subscriptions > SaaS.
Click Cancel subscription and confirm the action.

Important
If you remove the Amazon EC2 integration without uninstalling the Bitdefender agent from all managed instances:
The security agent expires on the managed machines, meaning that they will stop communicating with GravityZone and Bitdefender Cloud Services. However, it will be re-licensed if there are available license slots on the GravityZone license key.
The unmanaged instances will be deleted from the GravityZone network inventory.
The managed instances will be moved to Computers and Groups as virtual machines.
After unsubscribing from the Bitdefender service without removing BEST and the integration, the security agent will expire on Amazon EC2 instances, leaving them unprotected.
If you remove the Amazon EC2 integration but leave the subscription in place, Bitdefender will report a usage of 0 (zero) to AWS from then on, while Amazon will continue to issue monthly bills.
To subscribe again to Bitdefender Security for AWS, refer to Subscribe to Bitdefender Security for Amazon Web Services in AWS Marketplace. To integrate GravityZone with your Amazon EC2 instances, refer to Set up GravityZone integration with Amazon EC2 using a cross-account role.