Deploying the Sentinel Appliance to AWS Using VM Import

  1. Upload the OVA (downloaded as described in Downloading the Sentinel Appliance) to your S3 bucket:

    1. Go to the S3 console in AWS, find your bucket, and choose "overview."

    2. Select the OVA.

    3. Click on "Upload" to upload the OVA to your bucket.

  2. Import the OVA as an AWS Image as described here: https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-image-import.htm (see particularly the section "Import Your VM as an Image").

When following the AWS documentation in that link, you can copy and paste the sample JSON files; however, any text shown in red in the AWS documentation must be replaced with the information specific to your S3 bucket, OVA, and so on.

You may also find the requirements information listed here for VM Import/Export useful: https://docs.aws.amazon.com/vm-import/latest/userguide/vmie_prereqs.html

Here are some example files and commands used in the linked steps (create these files in your home directory to keep things simple; if you do, you can copy and paste the commands as written).

If you get a "parsing" or "python parsing" error when running any of the commands, it may be caused by the text editor used to create the JSON files (Sublime, for example). Using Nano or Vim should resolve the issue. If errors persist, make sure you are using Python 3.x or higher.

Examples:

Create the trust policy file from the terminal: nano trust-policy.json

{
     "Version":"2012-10-17",
     "Statement":[
          {
               "Effect":"Allow",
               "Principal":{"Service": "vmie.amazonaws.com"},
               "Action":"sts:AssumeRole",
               "Condition": {
                    "StringEquals":{
                         "sts:Externalid":"vmimport"
                    }
               }
          }
     ]
}

Run the command: aws iam create-role --role-name vmimport --assume-role-policy-document file://trust-policy.json

Create the role-policy file from the terminal: nano role-policy.json (replace yourinfo with the name of your S3 bucket)

{
     "Version":"2012-10-17",
     "Statement":[
          {
               "Effect":"Allow",
               "Action":[
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
               ],
               "Resource":[
                    "arn:aws:s3:::yourinfo"
               ]
          },
          {
               "Effect":"Allow",
               "Action":[
                    "s3:GetObject"
               ],
               "Resource":[
                    "arn:aws:s3:::yourinfo/*"
               ]
          },
          {
               "Effect":"Allow",
               "Action":[
                    "ec2:ModifySnapshotAttribute",
                    "ec2:CopySnapshot",
                    "ec2:RegisterImage",
                    "ec2:Describe*"
               ],
               "Resource":"*"
          }
     ]
}

The role must be named vmimport, or it will fail on the import-image step.

Attach the role policy to the vmimport role

Run the command: aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://role-policy.json

To create the role, your AWS identity needs the following IAM permissions: PutRolePolicy (permissions), CreateRole (write), and GetRole, GetRolePolicy, ListPolicies, and ListRoles (read).

If you are prompted to run "aws configure", add your AWS keys and the other details like this (press Enter at the output-format prompt to keep the default):

$ aws configure
AWS Access Key ID [None]: YOURAWSACCESSKEY
AWS Secret Access Key [None]: YOURAWSSECRETACCESSKEY
Default region name [None]: YOURREGIONNAME
Default output format [None]: ENTER

Create the containers file from the terminal: nano containers.json

[
  {
    "Description": "scaXXX",
    "Format": "ova",
    "UserBucket": {
      "S3Bucket": "YourBucketName",
      "S3Key": "scaXXX.ova"
    }
  }
]
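Before issuing the import command, it is worth checking the three JSON files: a stray quote or comma is what produces the CLI "parsing" error mentioned earlier, and a Resource of "*" in an S3 statement of the role policy would let the vmimport role read far more of your S3 than the OVA. The following script is an added example and is not part of the original article or the Sentinel product; the file names, the vmimport role name and the bucket placeholder come from the steps above, while the function names and the check rules are the example's own.

```python
"""Validate trust-policy.json, role-policy.json and containers.json before running the aws CLI.

Added example (not part of the original article). It reports malformed JSON with a
line/column, and checks the security-relevant properties of the vmimport role: only
vmie.amazonaws.com may assume it, gated by the sts:Externalid condition, and the S3
grants are scoped to the import bucket instead of "*". Bucket/key names are constructed.
"""
import json
import sys
from pathlib import Path

# Actions the VM Import service needs (the ones listed in the role-policy file above).
REQUIRED_S3 = {"s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject"}
REQUIRED_EC2 = {"ec2:ModifySnapshotAttribute", "ec2:CopySnapshot", "ec2:RegisterImage", "ec2:Describe*"}
# Keys accepted in an import-image disk container entry; anything else is probably a typo.
CONTAINER_KEYS = {"Description", "Format", "Url", "UserBucket", "DeviceName", "SnapshotId"}


def json_error(text, name):
    """Return a readable error string if text is not valid JSON, else None."""
    try:
        json.loads(text)
    except json.JSONDecodeError as exc:
        return f"{name}: invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"
    return None


def as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy):
    """Problems with the trust policy (empty list = OK)."""
    problems = []
    assume = [s for s in policy.get("Statement", [])
              if s.get("Effect") == "Allow" and "sts:AssumeRole" in as_list(s.get("Action", []))]
    if not assume:
        return ["trust policy has no Allow sts:AssumeRole statement"]
    for stmt in assume:
        principal = stmt.get("Principal", {})
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else [principal]
        if services != ["vmie.amazonaws.com"]:
            problems.append(f"trust policy principal must be vmie.amazonaws.com only, got {services}")
        # IAM condition keys are case-insensitive; the AWS docs spell it sts:Externalid.
        cond = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items()}
        if cond.get("sts:externalid") != "vmimport":
            problems.append("trust policy lacks the StringEquals sts:Externalid = vmimport condition")
    return problems


def check_role_policy(policy, bucket):
    """Problems with the role policy: missing actions or over-broad S3 resources."""
    problems, seen = [], set()
    scoped = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        seen.update(actions)
        if any(a.startswith("s3:") for a in actions):
            for res in as_list(stmt.get("Resource", [])):
                if res not in scoped:  # "*" or another bucket: the role could read more than the OVA
                    problems.append(f"S3 statement grants {actions} on {res!r}; expected {sorted(scoped)}")
    for missing in sorted((REQUIRED_S3 | REQUIRED_EC2) - seen):
        problems.append(f"role policy is missing action {missing}")
    return problems


def check_containers(containers, bucket):
    """Problems with containers.json: wrong shape, unknown keys (typos), wrong bucket or key."""
    if not isinstance(containers, list) or not containers:
        return ["containers.json must be a non-empty JSON array"]
    problems = []
    for i, c in enumerate(containers):
        for key in sorted(set(c) - CONTAINER_KEYS):
            problems.append(f"container {i}: unknown key {key!r} (typo?)")
        if str(c.get("Format", "")).lower() != "ova":
            problems.append(f"container {i}: Format should be 'ova' for the appliance OVA")
        ub = c.get("UserBucket", {})
        if ub.get("S3Bucket") != bucket:
            problems.append(f"container {i}: S3Bucket {ub.get('S3Bucket')!r} is not the import bucket {bucket!r}")
        if not str(ub.get("S3Key", "")).lower().endswith(".ova"):
            problems.append(f"container {i}: S3Key {ub.get('S3Key')!r} does not name an .ova file")
    return problems


def validate_files(bucket, directory=Path.home()):
    """Load the three files from `directory` (the home dir by default) and return all problems."""
    problems, docs = [], {}
    for name in ("trust-policy.json", "role-policy.json", "containers.json"):
        text = (Path(directory) / name).read_text(encoding="utf-8")
        err = json_error(text, name)
        if err:
            problems.append(err)
        else:
            docs[name] = json.loads(text)
    if "trust-policy.json" in docs:
        problems += check_trust_policy(docs["trust-policy.json"])
    if "role-policy.json" in docs:
        problems += check_role_policy(docs["role-policy.json"], bucket)
    if "containers.json" in docs:
        problems += check_containers(docs["containers.json"], bucket)
    return problems


if __name__ == "__main__":
    # Usage: python3 check_vmimport_files.py YourBucketName
    found = validate_files(sys.argv[1])
    print("\n".join(found) or "all three files look good")
    sys.exit(1 if found else 0)
```

Run it with your bucket name as the only argument; a non-zero exit code means at least one file needs fixing before the import-image step.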

Issue the "Import" command:

aws ec2 import-image --description "scaXXXX" --license-type BYOL --disk-containers file://containers.json

If the command executes successfully, you should get output similar to this:

{
  "Status": "active",
  "LicenseType": "BYOL",
  "Description": "scaXXXX",
  "Progress": "2",
  "SnapshotDetails": [
    {
      "UserBucket": {
        "S3Bucket": "YourBucketName",
        "S3Key": "scaXXXX.ova"
      },
      "DiskImageSize": 0.0,
      "Format": "OVA"
    }
  ],
  "StatusMessage": "pending",
  "ImportTaskId": "import-ami-example"
}

You can check the status of the import task with this command:

aws ec2 describe-import-image-tasks --import-task-ids import-ami-example

Example output:

{
  "ImportImageTasks": [
    {
      "Status": "active",
      "LicenseType": "BYOL",
      "Description": "scaXXXX",
      "Progress": "28",
      "SnapshotDetails": [
        {
          "UserBucket": {
            "S3Bucket": "YourBucketName",
            "S3Key": "scaXXXX.ova"
          },
          "DiskImageSize": 2807544320.0,
          "Format": "VMDK"
        },
        {
          "UserBucket": {
            "S3Bucket": "YourBucketName",
            "S3Key": "scaXXXX.ova"
          },
          "DiskImageSize": 476500480.0,
          "Format": "VMDK"
        }
      ],
      "StatusMessage": "converting",
      "ImportTaskId": "import-ami-example"
    }
  ]
}

The following is an example of what the output looks like when the Import process is complete.

Run the command: aws ec2 describe-import-image-tasks --import-task-ids import-ami-example

{
  "ImportImageTasks": [
    {
      "Status": "completed",
      "LicenseType": "BYOL",
      "Description": "scaXXXX",
      "ImageId": "ami-example",
      "Platform": "Linux",
      "Architecture": "x86_64",
      "SnapshotDetails": [
        {
          "UserBucket": {
            "S3Bucket": "YourBucketName",
            "S3Key": "scaXXXX.ova"
          },
          "SnapshotId": "snap-example",
          "DiskImageSize": 2807544320.0,
          "DeviceName": "/dev/sda1",
          "Format": "VMDK"
        },
        {
          "UserBucket": {
            "S3Bucket": "YourBucketName",
            "S3Key": "scaXXXX.ova"
          },
          "SnapshotId": "snap-example",
          "DiskImageSize": 476500480.0,
          "DeviceName": "/dev/sdf",
          "Format": "VMDK"
        }
      ],
      "ImportTaskId": "import-ami-example"
    }
  ]
}
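Rather than re-running describe-import-image-tasks by hand, the task can be polled until its Status becomes "completed". The following script is an added example, not part of the original article or the aws CLI; it shells out to the describe command shown above, treats any status other than "active" or "completed" as a failed import (the CLI itself does not raise on that, the StatusMessage carries the reason), and the canned outputs it replays offline are constructed from the article's example output, using the article's placeholders import-ami-example, ami-example and snap-example.

```python
"""Poll `aws ec2 describe-import-image-tasks` until the import finishes.

Added example (not from the original article). Wraps the describe command in a loop,
reports Progress and StatusMessage ("pending", "converting", ...), and returns the AMI
and snapshot IDs once Status is "completed". Task id and sample outputs are constructed.
"""
import json
import subprocess
import sys
import time


def run_aws(args):
    """Run an aws CLI command and return its stdout; needs the CLI and configured credentials."""
    proc = subprocess.run(["aws", *args, "--output", "json"], check=True, capture_output=True, text=True)
    return proc.stdout


def parse_import_task(json_text, task_id):
    """Pick the task out of describe-import-image-tasks output and return the fields we act on."""
    for task in json.loads(json_text).get("ImportImageTasks", []):
        if task.get("ImportTaskId") == task_id:
            return {
                "status": task.get("Status"),
                "progress": int(task.get("Progress") or 0),   # Progress is a string, absent when done
                "message": task.get("StatusMessage", ""),
                "image_id": task.get("ImageId"),               # only present once completed
                "snapshots": [d["SnapshotId"] for d in task.get("SnapshotDetails", []) if "SnapshotId" in d],
            }
    raise KeyError(f"task {task_id} not present in describe-import-image-tasks output")


def wait_for_import(task_id, runner=run_aws, poll_seconds=30, sleep=time.sleep, log=print):
    """Poll until the task completes; return its parsed record or raise RuntimeError if it fails."""
    while True:
        out = runner(["ec2", "describe-import-image-tasks", "--import-task-ids", task_id])
        info = parse_import_task(out, task_id)
        log(f"{task_id}: {info['status']} {info['progress']}% {info['message']}".rstrip())
        if info["status"] == "completed":
            return info
        if info["status"] != "active":
            # A failed import is not an error at the CLI level; the status and message carry
            # the reason, so surface them instead of polling forever.
            raise RuntimeError(f"import task {task_id} ended with status {info['status']}: {info['message']}")
        sleep(poll_seconds)


# Constructed sample outputs (shortened from the article's examples) for offline use.
SAMPLE_CONVERTING = json.dumps({"ImportImageTasks": [{
    "Status": "active", "LicenseType": "BYOL", "Description": "scaXXXX", "Progress": "28",
    "SnapshotDetails": [{"DiskImageSize": 2807544320.0, "Format": "VMDK"}],
    "StatusMessage": "converting", "ImportTaskId": "import-ami-example"}]})
SAMPLE_COMPLETED = json.dumps({"ImportImageTasks": [{
    "Status": "completed", "LicenseType": "BYOL", "Description": "scaXXXX",
    "ImageId": "ami-example", "Platform": "Linux", "Architecture": "x86_64",
    "SnapshotDetails": [{"SnapshotId": "snap-example", "DeviceName": "/dev/sda1", "Format": "VMDK"},
                        {"SnapshotId": "snap-example", "DeviceName": "/dev/sdf", "Format": "VMDK"}],
    "ImportTaskId": "import-ami-example"}]})


def fake_runner(outputs):
    """Stand-in for run_aws that replays canned outputs in order; used for the offline demo."""
    queue = list(outputs)
    return lambda args: queue.pop(0)


def demo():
    """Offline walk-through: the first poll reports converting, the second reports completion."""
    return wait_for_import("import-ami-example", runner=fake_runner([SAMPLE_CONVERTING, SAMPLE_COMPLETED]),
                           sleep=lambda seconds: None, log=lambda msg: None)


if __name__ == "__main__":
    # Usage: python3 wait_for_import.py import-ami-example   (polls the real account)
    # With no argument, the canned outputs are replayed instead.
    result = demo() if len(sys.argv) < 2 else wait_for_import(sys.argv[1])
    print(f"AMI {result['image_id']} ready; snapshots: {', '.join(result['snapshots'])}")
```

The runner, sleep and log hooks are injectable so the loop can be exercised without an AWS account; in production only the task id is passed and the defaults call the real CLI.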

Now log into your AWS account and go to EC2. You will see the AMI created (ami-example), and can then choose the option to "Launch Instance."

If any other configuration is needed for an appliance that is hosted in AWS, please contact support@whitehatsec.com for assistance.