CLOUD SOLUTIONS

Setting up

To protect your EC2 instances with Security for AWS, you need to complete the following steps:

Installing the security agent on instances

To protect your Amazon EC2 instances, you must install Bitdefender Endpoint Security Tools agent on each one.

The security agent sends scan requests to the closest Security Server hosted in your AWS region, which performs the actual scan. The Security Servers also communicate with GravityZone Control Center, receiving security settings from the web console and sending back the results of their actions. The Security Server machines are hosted by Bitdefender in several AWS regions, so you do not need to deploy them in your environment.

Bitdefender supports all publicly available AWS regions. For more information, refer to the AWS Regions and Availability Zones table.

When configuring the security agent installation packages, please note that the scan mode configuration takes into account the Amazon EC2 instances:

  • Automatic (default): the scan mode for EC2 instances is set to Central Scan with the Security Server hosted in the corresponding AWS region, with fallback to Hybrid Scan (Light Engines using in-the-cloud scanning and, partially, the local signatures).

  • Custom: you can also select the Custom mode and choose the scan modes that you want.

Note

It is recommended to use the default scan modes for EC2 instances because these are specifically designed for a small footprint and low resource consumption.

For instances with powerful resources, you can also configure the EC2 instances to use Private cloud scanning with the Security Server hosted in the corresponding AWS region, with fallback to Local Scanning (Full Engines using signatures and engines stored locally).

For detailed information about how to install Bitdefender Endpoint Security Tools, please refer to Installation.

Integrating Amazon EC2 with GravityZone Control Center
Creating the Amazon EC2 integration

The Amazon EC2 integration in GravityZone is now based on cross-account access login. This procedure avoids sharing long-term AWS credentials, such as Access Key ID and Secret Access Key.

The Amazon EC2 integration procedure requires you to provide an ARN (Amazon Resource Name - unique identifier for AWS resources) associated with a role attached to your AWS user account.

Note

It is recommended to set up the Amazon integration using an IAM user account created specifically for this purpose. The IAM user requires IAMFullAccess permission to be able to create the role required for the AWS integration in GravityZone. You can learn more about IAM user accounts best practices here.

Before starting to configure the AWS integration:

  • Make sure you have the appropriate AWS user account credentials at hand.

  • Open the AWS Console and GravityZone Control Center in two browser tabs, at the same time. You will need to work on both of them to create the AWS integration successfully.

Important

Before starting the process, make sure that you change the default GravityZone session timeout in Control Center > My Account from 15 minutes to at least 1 hour. If the session expires, you must restart the integration steps.

To create the AWS integration in GravityZone, follow these steps:

  1. Log in to GravityZone Control Center using your company administrator credentials.

  2. Click the user menu at the upper-right corner of the console and select Integrations.

  3. Click the Add button > Add Amazon EC2 Integration.

  4. The Amazon EC2 Integration Settings window appears, containing the following fields:

    1. Account ID: the unique identifier of the Bitdefender AWS account. The Account ID field is pre-populated and cannot be edited.

    2. External ID: a unique identifier linked to your GravityZone company, required by your AWS user account to generate the GravityZone-specific role for cross-account access. Click the corresponding Generate button to obtain the code, and copy it to the clipboard. You will need this code in the AWS console to obtain the ARN required to complete the integration (see step 5-g below).

    3. ARN: the ARN string (Amazon Resource Name) associated with the GravityZone-specific role created in AWS.

  5. At this step, you will need to obtain the ARN code from AWS console. To do that:

    1. Switch to AWS console and sign in using your AWS user account.

    2. Under AWS Services, go to Security, Identity & Compliance > IAM.

    3. Under Dashboard, click Roles.

    4. Click Create Role.

    5. In the next screen, click Another AWS Account.

    6. In the Account ID field, enter the Account ID provided in the GravityZone integration window (see step 4).

    7. In the Options section, check Require external ID (Best practice when a third party will assume this role). In the text area that appears, enter the External ID generated by GravityZone Control Center in the Amazon EC2 Integration Settings window (see step 4).

    8. Click Next: Permissions.

    9. The next screen will display a list of permissions for the new role. Check the AmazonEC2ReadOnlyAccess permission. You can use the Search field to easily find the permission.

    10. Click Next: Review.

    11. Enter the role name that you want.

    12. Click Create Role.

    13. The next page will display the list of existing roles. Find the new role you have just created and click on it.

    14. In the role page, you will find the role's ARN, required in the GravityZone Control Center Amazon EC2 Integration Settings window. Copy the ARN code.

  6. Switch to GravityZone Control Center and paste the ARN code in the ARN field of the integration window.

    Important

    After creating the role in the AWS console, it takes approximately one minute for the change to propagate to all AWS regions. The integration can succeed only after the new role has propagated across all of AWS, so wait a minute before proceeding to the next step.

  7. Click Save.

  8. Read the AWS License Agreement. To continue, click I Agree.

    • If the integration was successful, the Amazon EC2 instances are imported into GravityZone and are visible under Network > Computer and Groups > Amazon EC2. Your Amazon EC2 instances are grouped under their Amazon regions and the corresponding Availability Zones.

    • If the integration has failed, you receive an error message listing the possible causes: an invalid External ID, or the integration was created before the new AWS role had propagated to all AWS regions.

    From this point, you can view and manage your Amazon instances from the Network page, under Custom Groups > Amazon EC2.

Editing the Amazon EC2 integration

You can edit your Amazon EC2 integration at any time by clicking it on the Integrations page in GravityZone Control Center.

For example, you may need to provide a new External ID to AWS. In this case, click the Generate button corresponding to the External ID field. Note that this action invalidates the External ID currently in use, and with it the integration itself. To restore the integration, you must update the corresponding role under your AWS IAM account with the new External ID. For more details about generating a new External ID, refer to Set up GravityZone integration with Amazon EC2 using a cross-account role.
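Added example (not Bitdefender's code or the page's own): the IAM trust policy that the console choices in step 5 (Another AWS Account plus Require external ID) produce, an audit check for a trust policy that lets a third-party account assume the role without that External ID condition, and the trust-policy update needed after a new External ID is generated (see Editing the Amazon EC2 integration above). The account ID and External ID values are constructed placeholders; the real ones come from the Amazon EC2 Integration Settings window.

```python
import json

# Constructed placeholders: the real values are shown in the GravityZone
# "Amazon EC2 Integration Settings" window (Account ID and Generate button).
BITDEFENDER_ACCOUNT_ID = "111122223333"   # placeholder, not a real account ID
EXTERNAL_ID = "gz-example-external-id"    # placeholder External ID

def build_trust_policy(account_id, external_id):
    """Trust policy equivalent to the console choices in step 5:
    'Another AWS Account' + 'Require external ID'. The JSON is what
    `aws iam create-role --assume-role-policy-document` expects."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def audit_trust_policy(policy):
    """Return findings for a cross-account trust policy. An Allow statement
    that grants sts:AssumeRole to an external account without an
    sts:ExternalId condition is the confused-deputy weakness that the
    'Require external ID' option in step 5-7 is there to prevent."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("wildcard principal may assume the role")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            findings.append("sts:AssumeRole allowed without sts:ExternalId")
    return findings

def rotate_external_id(policy, new_external_id):
    """Return a copy of the trust policy with the External ID replaced, as
    required after clicking Generate again; apply it with
    `aws iam update-assume-role-policy --policy-document`."""
    updated = json.loads(json.dumps(policy))  # deep copy, original untouched
    for stmt in updated["Statement"]:
        cond = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
        cond["sts:ExternalId"] = new_external_id
    return updated
```

The role also needs the AmazonEC2ReadOnlyAccess managed policy attached (step 5-9), which is a separate permissions policy and not part of the trust policy shown here.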