Written by Zack Milem

If you have had the chance to read some of the previous posts, then you should have learned how to bake a security agent into your instance and activate it with scripts when new machines are called. Today I want to show you how to leverage built in functions within Deep Security and AWS to do the heavy lifting for you.

To use this we are going to use two very simples things:

  • Tags in AWS (Learn More)
  • Event Based tasks in Deep Security as a Service

I am assuming you have already gotten your AWS account synced with your Deep Security account (Learn how to) and that you are using Deep Security agent baked custom AMI’s. If not, go take a peek at those two resources so you can get up to speed with what we are going to work on today. We will be using policies that have already been set-up based on the type of server.

To make this magic happen, first thing we need to make sure of is that we have tags in AWS set-up. Use these tags to identify the machines with the type of security policy we need to have turned on. In my example I have created a “Server Type” tag in addition to the “Name” tag.

  AWS Tags pic001

Next in Deep Security from the top navigation bar we are going to click on Administration -> Event Based Tasks. Then click on the “New” button at the top of the right hand pane.

Admin Event Based pic 002    

The basic interface for an event based tasks opens, click the drop down and select “Computer Created (By System)” as the event type and select “Next”. The first details box appears:

Event Based Basic pic 003

Here we need to:

  • Specify when to activate the machine (in most cases a slight delay is recommended so that a failure to activate does not occur due to the machine not yet being online when the API sync happens).
  • Next, we will choose what policy we are going to assign, in this case I am assigning a WebServer specific LAMP policy.
  • The last thing we need to check is the Relay group that you will be using to get updates for your agent.
  • The computer will be placed in the AWS group automatically so no need to check that.
  • Click “Next”.

Now we see the details for how we identify the machines that the event will work with. Here is where we use the “ServerType” tag that I created in AWS.

Identify the Tag pic 004

I specify both the “ServerType” tag and the value of “LAMP”, then click done.

Now I am going to launch a new machine using this tag value using an AMI that already has my un-activated image baked in. Below you will see the computer status once the AWS API syncs with Deep Security as “Activating – Delayed”

  Delayed Activation pic 005  

After a couple of minutes we can see that the machine is now fully activated

    Machine Activated pic 006  

Lastly, if we take a look at system events we can see that the activation was indeed triggered by the event based task that we created and the automation is working successfully. It is important to note that the task only runs when an instance is created, not when a tag is changed. Event Based Task triggered pic 007


This approach allows you to build one basic image and then activate specific policies based on tags versus having to build deployment scripts for each server type that you want to deploy. Please follow up with any questions to zack_milem@trendmicro.com