Deploying the Sentinel Appliance to AWS Using VM Import
- Upload the OVA (downloaded as described in Downloading the Sentinel Appliance) to your S3 bucket:
  - Go to the S3 console in AWS, find your bucket, and choose Overview.
  - Select the OVA.
  - Click Upload to upload the OVA to your bucket.
- Import the OVA as an AWS image as described in What is VM Import/Export? (see particularly the section Import your VM as an Image).
  When following the AWS documentation in that link, you can reuse the sample JSON files. However, any text in RED needs to be replaced with the information that is specific to your S3 bucket, OVA, and so on.
  For information on VM Import/Export, see VM Import/Export Requirements.
Examples
This section describes sample files and commands used in Importing Your VM as an Image using VM Import/Export. We recommend you create these files in your home directory to directly reuse (copy/paste) the commands.
Any parsing errors (including Python parsing errors) encountered when running any of the commands may be a result of the text editor used to create the files (for example, Sublime Text). To resolve this issue, we recommend using the nano or Vim editors. If the errors persist, ensure that you are using Python 3.x or later.
Creating trust policy file from the terminal
- Create a file named trust-policy.json from your terminal with the following policy:
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Principal": { "Service": "vmie.amazonaws.com" },
              "Action": "sts:AssumeRole",
              "Condition": {
                  "StringEquals": {
                      "sts:Externalid": "vmimport"
                  }
              }
          }
      ]
  }
- Run the create-role command to create a role named vmimport. Ensure that you specify the full path to the location of the trust-policy.json file that you created in the previous step, and that you include the file:// prefix as shown in the following command:
  aws iam create-role --role-name vmimport --assume-role-policy-document "file://trust-policy.json"
  Ensure that the role is named vmimport. Failing to do so may result in a failure during the import-image step.
Creating role-policy file from the terminal
- Create a file named role-policy.json from your terminal with the following policy (replace yourinfo with the name of your S3 bucket):
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "s3:ListBucket",
                  "s3:GetBucketLocation"
              ],
              "Resource": [
                  "arn:aws:s3:::yourinfo"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "s3:GetObject"
              ],
              "Resource": [
                  "arn:aws:s3:::yourinfo/*"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "ec2:ModifySnapshotAttribute",
                  "ec2:CopySnapshot",
                  "ec2:RegisterImage",
                  "ec2:Describe*"
              ],
              "Resource": "*"
          }
      ]
  }
- Run the put-role-policy command to attach the role policy to the role created earlier. Ensure that you specify the full path to the location of the role-policy.json file.
  aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file://role-policy.json"
  To create a role, you need to have the following permissions in AWS: PutRolePolicy, CreateRole (write), GetRole, GetRolePolicy, ListPolicies, and ListRoles (read).
If you are prompted to run aws configure, you need to provide your AWS credentials and region as shown below:
  $ aws configure
  AWS Access Key ID [None]: YOURAWSACCESSKEY
  AWS Secret Access Key [None]: YOURAWSSECRETACCESSKEY
  Default region name [None]: YOURREGIONNAME
  Default output format [None]: ENTER
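The three JSON files above are easy to get subtly wrong (a typo in the role name, a bucket ARN left as the placeholder, or S3 access widened to "*"). The following added example, which is not code from the original page or from the appliance vendor, generates trust-policy.json, role-policy.json and containers.json from a bucket name and OVA key, checks the invariants that matter for this procedure (the role must be named vmimport, the trust policy must carry the sts:ExternalId condition, and S3 access must be scoped to the one bucket holding the OVA), and prints the matching aws CLI commands. The function names and the bucket/key values are assumptions for illustration.

```python
"""Build and sanity-check the JSON documents used by the VM Import steps above."""
import json
import os

ROLE_NAME = "vmimport"               # VM Import expects exactly this role name
IMPORT_SERVICE = "vmie.amazonaws.com"


def trust_policy() -> dict:
    """Trust policy that lets the VM Import service assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": IMPORT_SERVICE},
            "Action": "sts:AssumeRole",
            # The ExternalId condition limits who can use this trust relationship
            # (confused-deputy mitigation); VM Import presents "vmimport".
            "Condition": {"StringEquals": {"sts:Externalid": ROLE_NAME}},
        }],
    }


def role_policy(bucket: str) -> dict:
    """Permissions the role needs; S3 access is scoped to the bucket holding the OVA."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": [f"arn:aws:s3:::{bucket}"]},
            {"Effect": "Allow",
             "Action": ["s3:GetObject"],
             "Resource": [f"arn:aws:s3:::{bucket}/*"]},
            {"Effect": "Allow",
             "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                        "ec2:RegisterImage", "ec2:Describe*"],
             "Resource": "*"},
        ],
    }


def containers(bucket: str, ova_key: str, description: str) -> list:
    """Disk-container list consumed by `aws ec2 import-image --disk-containers`."""
    return [{"Description": description, "Format": "ova",
             "UserBucket": {"S3Bucket": bucket, "S3Key": ova_key}}]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_policies(trust: dict, role: dict, bucket: str) -> list:
    """Return the problems found; an empty list means the documents look sound."""
    problems = []
    stmts = trust.get("Statement", [])
    if not any(s.get("Principal", {}).get("Service") == IMPORT_SERVICE for s in stmts):
        problems.append("trust policy does not let vmie.amazonaws.com assume the role")

    def external_id(stmt):
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        # IAM condition keys are case-insensitive, so normalise before comparing
        return {k.lower(): v for k, v in cond.items()}.get("sts:externalid")

    if not any(external_id(s) == ROLE_NAME for s in stmts):
        problems.append("trust policy lacks the sts:ExternalId = vmimport condition")

    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for s in role.get("Statement", []):
        if any(a.startswith("s3:") for a in _as_list(s.get("Action", []))):
            for r in _as_list(s.get("Resource", [])):
                if r not in allowed:
                    problems.append(f"S3 statement not scoped to bucket {bucket}: {r}")
    return problems


def write_documents(bucket: str, ova_key: str, description: str, out_dir: str) -> list:
    """Write the three JSON files to out_dir and return the CLI commands that use them."""
    trust, role = trust_policy(), role_policy(bucket)
    problems = check_policies(trust, role, bucket)
    if problems:
        raise ValueError("; ".join(problems))
    docs = {"trust-policy.json": trust, "role-policy.json": role,
            "containers.json": containers(bucket, ova_key, description)}
    for name, doc in docs.items():
        with open(os.path.join(out_dir, name), "w", encoding="utf-8") as fh:
            json.dump(doc, fh, indent=2)
    base = os.path.abspath(out_dir)          # full file:// paths, as the steps require
    return [
        f'aws iam create-role --role-name {ROLE_NAME} '
        f'--assume-role-policy-document "file://{base}/trust-policy.json"',
        f'aws iam put-role-policy --role-name {ROLE_NAME} --policy-name {ROLE_NAME} '
        f'--policy-document "file://{base}/role-policy.json"',
        f'aws ec2 import-image --description "{description}" --license-type BYOL '
        f'--disk-containers "file://{base}/containers.json"',
    ]


if __name__ == "__main__":
    # Placeholder bucket and key (assumptions); replace with your own values.
    for cmd in write_documents("YourBucketName", "scaXXX.ova", "scaXXX", "."):
        print(cmd)
```

Run it from your home directory so the printed commands point at the files it just wrote; the check rejects a role policy whose S3 statements reach beyond the one bucket, which keeps the import role at the least privilege the procedure needs.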
Creating containers file from the terminal
- Create a file named containers.json from your terminal:
  [
      {
          "Description": "scaXXX",
          "Format": "ova",
          "UserBucket": {
              "S3Bucket": "YourBucketName",
              "S3Key": "scaXXX.ova"
          }
      }
  ]
- Run the import-image command to import the OVA:
  aws ec2 import-image --description "scaXXXX" --license-type BYOL --disk-containers file://containers.json
  Sample output:
  {
      "Status": "active",
      "LicenseType": "BYOL",
      "Description": "scaXXXX",
      "Progress": "2",
      "SnapshotDetails": [
          {
              "UserBucket": {
                  "S3Bucket": "YourBucketName",
                  "S3Key": "scaXXXX.ova"
              },
              "DiskImageSize": 0.0,
              "Format": "OVA"
          }
      ],
      "StatusMessage": "pending",
      "ImportTaskId": "import-ami-example"
  }
- Run the describe-import-image-tasks command to check the status of the import task:
  aws ec2 describe-import-image-tasks --import-task-ids import-ami-example
  Sample output while the import is still in progress (the command has executed successfully):
  {
      "ImportImageTasks": [
          {
              "Status": "active",
              "LicenseType": "BYOL",
              "Description": "scaXXXX",
              "Progress": "28",
              "SnapshotDetails": [
                  {
                      "UserBucket": {
                          "S3Bucket": "YourBucketName",
                          "S3Key": "scaXXXX.ova"
                      },
                      "DiskImageSize": 2807544320.0,
                      "Format": "VMDK"
                  },
                  {
                      "UserBucket": {
                          "S3Bucket": "YourBucketName",
                          "S3Key": "scaXXXX.ova"
                      },
                      "DiskImageSize": 476500480.0,
                      "Format": "VMDK"
                  }
              ],
              "StatusMessage": "converting",
              "ImportTaskId": "import-ami-example"
          }
      ]
  }
  Sample output when the import process completes successfully:
  {
      "ImportImageTasks": [
          {
              "Status": "completed",
              "LicenseType": "BYOL",
              "Description": "scaXXXX",
              "ImageId": "ami-example",
              "Platform": "Linux",
              "Architecture": "x86_64",
              "SnapshotDetails": [
                  {
                      "UserBucket": {
                          "S3Bucket": "YourBucketName",
                          "S3Key": "scaXXXX.ova"
                      },
                      "SnapshotId": "snap-example",
                      "DiskImageSize": 2807544320.0,
                      "DeviceName": "/dev/sda1",
                      "Format": "VMDK"
                  },
                  {
                      "UserBucket": {
                          "S3Bucket": "YourBucketName",
                          "S3Key": "scaXXXX.ova"
                      },
                      "SnapshotId": "snap-example",
                      "DiskImageSize": 476500480.0,
                      "DeviceName": "/dev/sdf",
                      "Format": "VMDK"
                  }
              ],
              "ImportTaskId": "import-ami-example"
          }
      ]
  }
- Log on to your AWS account.
- Go to EC2. You see the AMI created (ami-example).
- Select Launch Instance.
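The describe-import-image-tasks step above has to be repeated until Status changes from active to completed, and the record only carries an ImageId once it does. The following added example, not code from the original page or from the appliance vendor, parses that command's JSON, polls until the task reaches a terminal state, and returns the AMI and snapshot ids to launch from. The sample outputs are constructed from the shapes shown above (import-ami-example, ami-example and snap-example are placeholders, not real resources); run_cli and scripted_cli are hypothetical names, and it is an assumption that a failed or cancelled task reports Status "deleted".

```python
"""Poll a VM Import task via describe-import-image-tasks output until it finishes."""
import json
import time


def parse_task(describe_json: str, task_id: str) -> dict:
    """Pull status, progress and result ids for one task out of the CLI's JSON."""
    for t in json.loads(describe_json).get("ImportImageTasks", []):
        if t.get("ImportTaskId") == task_id:
            return {
                "status": t.get("Status"),
                "message": t.get("StatusMessage", ""),
                "progress": int(t.get("Progress") or 0),   # absent once completed
                "image_id": t.get("ImageId"),
                "snapshot_ids": [d["SnapshotId"] for d in t.get("SnapshotDetails", [])
                                 if "SnapshotId" in d],
            }
    raise LookupError(f"task {task_id} not present in output")


def wait_for_import(task_id: str, run_cli, interval: float = 30.0,
                    max_polls: int = 240) -> dict:
    """Poll until the task completes and return its parsed record.

    run_cli(task_id) must return the stdout of
    `aws ec2 describe-import-image-tasks --import-task-ids <task_id>`.
    Assumption: a failed or cancelled task reports Status "deleted" (or "deleting").
    """
    rec = {"status": "unknown"}
    for _ in range(max_polls):
        rec = parse_task(run_cli(task_id), task_id)
        if rec["status"] == "completed":
            return rec
        if rec["status"] in ("deleted", "deleting"):
            raise RuntimeError(f"import {task_id} did not succeed: {rec['message']}")
        time.sleep(interval)
    raise RuntimeError(f"import {task_id} still {rec['status']} after {max_polls} polls")


def _task(**fields) -> str:
    base = {"LicenseType": "BYOL", "Description": "scaXXXX",
            "ImportTaskId": "import-ami-example"}
    return json.dumps({"ImportImageTasks": [{**base, **fields}]})


# Constructed samples mirroring the outputs shown above; all ids are placeholders.
SAMPLE_CONVERTING = _task(Status="active", Progress="28", StatusMessage="converting",
                          SnapshotDetails=[{"DiskImageSize": 2807544320.0, "Format": "VMDK"}])
SAMPLE_COMPLETED = _task(Status="completed", ImageId="ami-example", Platform="Linux",
                         SnapshotDetails=[{"SnapshotId": "snap-example", "DeviceName": "/dev/sda1"},
                                          {"SnapshotId": "snap-example", "DeviceName": "/dev/sdf"}])
SAMPLE_FAILED = _task(Status="deleted", StatusMessage="constructed failure message")


def scripted_cli(responses):
    """run_cli stand-in that replays canned outputs in order, repeating the last one."""
    queue = list(responses)

    def run(_task_id):
        return queue.pop(0) if len(queue) > 1 else queue[0]
    return run


def subprocess_cli(task_id: str) -> str:
    """Real run_cli: shell out to the AWS CLI (not used by the offline demo below)."""
    import subprocess
    return subprocess.run(["aws", "ec2", "describe-import-image-tasks",
                           "--import-task-ids", task_id],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Offline demo: one "converting" poll followed by the completed record.
    rec = wait_for_import("import-ami-example",
                          scripted_cli([SAMPLE_CONVERTING, SAMPLE_COMPLETED]), interval=0)
    print(rec["image_id"], rec["snapshot_ids"])
```

Swap scripted_cli for subprocess_cli to poll a real task; the loop stops on the first terminal state instead of running forever, and the returned image_id is the AMI you select under Launch Instance.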
If you require any other configuration for an appliance that is hosted in AWS, please contact support@whitehatsec.com for assistance.