Skip to main content

Bitdefender Security for AWS compatibility and requirements

Bitdefender Security for Amazon Web Services is a security solution designed for cloud infrastructures and integrated with GravityZone Cloud Control Center. An innovative and comprehensive solution, Bitdefender Security for AWS protects Amazon EC2 instances running Windows or Linux operating systems.

This section provides you with comprehensive information on the compatibility and requirements of Bitdefender Security for AWS.


Bitdefender Security for AWS is exclusively compatible and integrates with the Amazon Elastic Compute Cloud (Amazon EC2) web service. To use Bitdefender Security for AWS, you need an account on the GravityZone Cloud Control Center and to install BEST on each instance to be protected. You can obtain an account by registering here.

Control Center requirements

Control Center can be accessed from the following web browsers:

  • Mozilla Firefox

  • Google Chrome

  • Safari

  • Microsoft Edge

  • Opera

An Internet connection is needed.


Control Center also works with older versions of these browsers, but errors may occur in some cases.

Supported guest operating systems

For a full list of supported operating systems for Bitdefender Security for AWS, refer to the Supported operating systems section of Endpoint protection.

Amazon credentials

To subscribe to Bitdefender Security for AWS as a direct customer, you must first have an active AWS account. As a best practice, it is strongly recommended that you create and use IAM user accounts associated to your AWS root account.

Moreover, make sure to use a production account where you will be charged by AWS on a monthly basis for using the Bitdefender service.

For details about subscribing to Bitdefender Security for AWS, refer to Subscriptions.

The Amazon EC2 integration in GravityZone is now based on cross-account access login. This procedure avoids sharing long-term AWS credentials, such as Access Key ID and Secret Access Key.

The Amazon EC2 integration procedure requires you to provide an ARN (Amazon Resource Name - unique identifier for AWS resources) associated with a role attached to your AWS user account.

It is recommended to set up the Amazon integration using an IAM user account created specifically for this purpose. The IAM user requires IAMFullAccess permission to be able to create the role required for the AWS integration in GravityZone.


It is recommended to set up the Amazon integration using an IAM user account created specifically for this purpose. The IAM user requires IAMFullAccess permission to be able to create the role required for the AWS integration in GravityZone. For more information, refer to the Security best practices in IAM page.

Before starting to configure the AWS integration:

  • Make sure you have the appropriate AWS user account credentials at hand.

  • Open the AWS Console and GravityZone Control Center in two browser tabs, at the same time. You will need to work on both of them to create the AWS integration successfully.

For details about integrating GravityZone with your Amazon EC2 instances, refer to Set up the GravityZone integration with Amazon EC2 using a cross-account role.


For your Amazon EC2 integrations to work correctly, you must ensure that instance metadata is enabled in AWS. By default, this option is enabled.

For more information, refer to the official AWS documentation.

The following types of machines are supported by Bitdefender:

  • Small – for micro and small EC2 instances.

  • Medium – for medium EC2 instances.

  • Large – for large EC2 instances.

  • xLarge – for xlarge or larger EC2 instances.

Communication ports to be added in AWS Security Groups

Here are the ports that you need to add in Amazon Security Groups to ensure proper communication between Bitdefender security agents, Security Server, and the Control Center.

Amazon EC2 security groups must allow inbound access to SSH and RDP during the BEST installation on instances. If you run firewall software on your instances, make sure to configure it to allow access to all of the previously specified ports.



SSH (22)

Port used to access instances running on Linux.

RDP (3389)

Port used to access instances running on Windows.


Communication port between Silent Agent and Control Center.

7081 / 7083 (SSL)

Communication port between BEST and the scan daemon running on the Security Server hosted in the corresponding AWS region.

80 / 7074 (Relay)

Communication ports used by BEST for updates.

The ports must be added also by users that have VPC instances in Amazon Web Services. Our recommendation is to add as a source address but, if you require to allow traffic only for specific IP addresses, please contact Bitdefender customer support.