Written by Jeffrey Westphal

As adoption of the cloud becomes commonplace in the Information Technology space, the biggest questions and primary concerns of current and potential adopters all focus on security.

Chances are you have already started your migration or are at least in serious discussions about moving your workloads to the cloud. You should already understand the concept of the shared security model and what it means to have a layered approach to security.

This article focuses on easing the administration and deployment of security for your workloads by pre-installing, or “baking”, the security agent into your AMI; more specifically, the Trend Micro Deep Security for AWS agent.

Even if you are new to AWS, you are already using AMIs in some fashion, either from the Marketplace or ones you have customized yourself. Use this opportunity to further customize your AMIs with the Deep Security agent already installed.

Build your custom AMI

Before I discuss the quick process for building your custom AMI, make sure you have the Deep Security agent installed on your instance; the OS does not matter. From the Deep Security Manager console, remember to “deactivate” the running instance; you can do this through the details or properties of the instance within the Computers tab. The deactivation process ensures that new instances created from your AMI can be activated as new, distinct computers rather than inheriting the identity of the original instance (more on that later).

Once the agent is deactivated you can proceed to creating your new custom AMI with the Deep Security agent “pre-baked”. As a reminder, if you have never created an AMI, it’s very simple: from the EC2 console, right-click your instance and choose “Create Image”. That’s it! AWS will take a snapshot of your instance and create a customized AMI from that running instance. With the Deep Security Manager console directly integrated with your AWS cloud account, new workloads launched from your custom AMI will automatically be listed.

The final step in this process is to automate policy assignment for new workloads built on your customized AMI.

Step by Step:

  • From the Deep Security Manager console, open the “Administration” tab.
  • Choose the option in the left column for “Event-Based Tasks”.
  • In the right pane, select the option to create a “New” task; from the drop-down, choose “Agent-Initiated Activation”.
  • In the next window, select the policy and relay group you want to use for matching instances. If you are using the AWS Cloud connector, instances will automatically be assigned to the right computer group.
  • Finally, choose the condition that will be used to assign the policy. This could be the system name, the platform, or metadata, to name a few.

Chances are that during your build process your new instances will be tagged in AWS with a name, function, owner, etc. Use this information as metadata to trigger the event-based task that assigns the policy. And that’s it!

Use this same process when building CloudFormation templates to fully automate your Deep Security deployment.
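As an added example (not from the article or from Trend Micro), here is a small POSIX shell script covering the two agent-side steps of the process above: resetting the agent before the image is taken, and performing agent-initiated activation on first boot so the event-based task can match the new instance on its AWS tags. The manager hostname, the agent-to-manager port (4120 here; the article’s 4118 is the inbound manager-to-agent port), the dsa_control install path and the use of nc for the reachability check are all assumptions.

```shell
#!/bin/sh
# Assumed values (not from the article): manager hostname, the port the agent
# uses to reach the manager, and the default Linux path of dsa_control.
DSM_HOST="${DSM_HOST:-dsm.example.internal}"
DSM_PORT="${DSM_PORT:-4120}"
DSA_CONTROL="${DSA_CONTROL:-/opt/ds_agent/dsa_control}"

# Validate a TCP port: digits only, in the range 1-65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the argument list for agent-initiated activation.
# $1 = manager host, $2 = manager port, remaining args = optional
# "key:value" hints (e.g. description:web-tier). Hints must not contain spaces.
activation_args() {
  host="$1"; port="$2"; shift 2
  valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
  args="-a dsm://${host}:${port}/"
  for hint in "$@"; do
    case "$hint" in
      *:*) args="$args $hint" ;;
      *)   echo "ignoring hint not in key:value form: $hint" >&2 ;;
    esac
  done
  printf '%s\n' "$args"
}

# Pre-bake step: reset (deactivate) the local agent so every instance launched
# from the AMI registers as a new computer. The article does this from the
# manager console; dsa_control -r is the agent-side equivalent.
prepare_for_bake() {
  "$DSA_CONTROL" -r
}

# First-boot step: wait until the manager port answers, then activate.
# Policy assignment is left to the event-based task matching the AWS tags.
activate_on_boot() {
  tries=0
  until nc -z -w 3 "$DSM_HOST" "$DSM_PORT" 2>/dev/null; do
    tries=$((tries + 1))
    [ "$tries" -ge 20 ] && { echo "manager unreachable" >&2; return 1; }
    sleep 15
  done
  # Word-splitting of the built argument list is intentional here.
  "$DSA_CONTROL" $(activation_args "$DSM_HOST" "$DSM_PORT" "$@")
}
```

Run prepare_for_bake on the template instance immediately before choosing “Create Image”, and call activate_on_boot from the instance user data (or a first-boot unit) of instances launched from the resulting AMI.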

*Deep Security Manager must have a communications path on port 4118 (by default) to the new instance.