Topics on this page
Install the agent on an AMI or WorkSpace bundle
Read this page if you want to launch new Amazon EC2 instances and Amazon WorkSpaces with the agent 'baked in'.
If instead you want to:
- protect existing Amazon EC2 instances and Amazon WorkSpaces with Workload Security, see Install the agent on Amazon EC2 and WorkSpace instances.
- protect Amazon WorkSpaces after already protecting your Amazon EC2 instances, see instead Protect Amazon WorkSpaces if you already added your AWS account.
'Baking the agent' is the process of launching an EC2 instance based on a public AMI, installing the agent on it, and then saving this custom EC2 image as an AMI. This AMI (with the agent 'baked in') can then be selected when launching new Amazon EC2 instances.
Similarly, if you want to deploy the Deep Security Agent on multiple Amazon WorkSpaces, you can create a custom 'WorkSpace bundle' that includes the agent. The custom bundle can then be selected when launching new Amazon WorkSpaces.
To bake an AMI and create a custom WorkSpace bundle with a pre-installed and pre-activated agent, follow these steps:
- Add your AWS account to Workload Security
- Configure the activation type
- Launch a 'master' Amazon EC2 instance or Amazon WorkSpace
- Deploy an agent on the master
- Verify that the agent was installed and activated properly
- (Recommended) Set up policy auto-assignment
- Create an AMI or custom WorkSpace bundle based on the master
- Use the AMI
Add your AWS account to Workload Security
You'll need to add your AWS accounts to Workload Security. These are the AWS accounts that will contain the Amazon EC2 instances and Amazon WorkSpaces that you want to protect.
See About adding AWS accounts for details.
Configure the activation type
You'll need to indicate whether you'll allow agent-initiated activation.
Launch a 'master' Amazon EC2 instance or Amazon WorkSpace
You'll need to launch a 'master' Amazon EC2 instance or Amazon WorkSpace. The master instance is the basis for the EC2 AMI or WorkSpace bundle that you will create later.
- In AWS, launch an Amazon EC2 instance or Amazon WorkSpace. See the Amazon EC2 documentation and Amazon WorkSpaces documentation for details.
- Call the instance 'master'.
Deploy an agent on the master
You'll need to install and activate the agent on the master. During this process, you can optionally install a policy.
Ideally, if you bake the agent into your AMI or workspace bundle and then want to use a newer agent later on, you should update the bundle to include the new agent. However, if that's not possible, you can use the Automatically upgrade agents on activation setting so when the agent in the AMI or bundle activates itself, Workload Security can automatically upgrade the agent to the latest version. For details, see Automatically upgrade agents on activation.
Verify that the agent was installed and activated properly
You should verify that the agent was installed and activated properly on the master before proceeding.
(Recommended) Set up policy auto-assignment
You may need to set up policy auto-assignment depending on how you deployed the agent on the master:
- If you used a deployment script, then a policy has already been assigned, and no further action is required.
- If you manually installed and activated the agent, no policy was assigned to the agent, and one should be assigned now so that the master is protected. The Amazon EC2 instances and Amazon WorkSpaces that are launched based on the master will also be protected.
If you want to assign a policy to the master, as well as auto-assign a policy to future EC2 instances and WorkSpaces that are launched using the master, follow these instructions:
In the Workload Security console, create an event-based task with these parameters:
- Set the Event to Agent-Initiated Activation.
- Set Assign Policy to the policy you want to assign.
- (Optional) Set a condition to Cloud Instance Metadata, with either
- a tagKey of EC2 and a tagValue. of True (for an EC2 instance)
- a tagKey of WorkSpaces and a tagValue. of True (for WorkSpaces)
The above event-based task says:
When an agent is activated, assign the specified policy, on condition that
WorkSpaces=trueexists in the Amazon EC2 instance or WorkSpace.
If that key/value pair does not exist in the EC2 instance or WorkSpace, then the policy is not assigned (but the agent is still activated). If you do not specify a condition, then the policy is assigned on activation unconditionally.
For details on creating event-based tasks, see Automatically assign policies based on AWS EC2 instance tags.
If you added a key/value pair in the Workload Security console in the previous step, do the following:
- Go to AWS.
- Find your master EC2 instance or WorkSpace.
- Add tags to the master with a Key of EC2 or WorkSpaces and a Value of True.
For details, see this Amazon EC2 documentation on tagging, and this Amazon WorkSpace documentation on tagging.
You have now set up policy auto-assignment. New Amazon EC2 instances and Amazon WorkSpaces that are launched using the master are activated automatically (since the agent is pre-activated on the master), and then auto-assigned a policy through the event-based task.
- On the master EC2 instance or WorkSpace, reactivate the agent by re-running the activation command on the agent, or by clicking the Reactivate button in the Workload Security console. For details, see Activate the agent.
The re-activation causes the event-based task to assign the policy to the master. The master is now protected.
You are now ready to bake your AMI or create a custom WorkSpace bundle.
Create an AMI or custom WorkSpace bundle based on the master
- To create an AMI on Linux, see this Amazon documentation.
- To create an AMI on Windows, see this Amazon documentation.
- To create a custom WorkSpace bundle, see this Amazon documentation.
You now have an AMI or WorkSpace bundle that includes a pre-installed and pre-activated agent.
Use the AMI
Now that you have a custom AMI or WorkSpace bundle, you can use it as the basis for future Amazon EC2 instances and Amazon WorkSpaces. With the custom AMI or bundle, Deep Security Agent starts up automatically, activates itself, and applies the protection policy assigned to it. It appears in the Workload Security console with a Status of Managed and a green dot next to it.