Deploying the Sentinel Appliance to AWS Using VM Import

  1. Upload the OVA (downloaded as described in Downloading the Sentinel Appliance) to your S3 bucket:

    1. Go to the S3 console in AWS, find your bucket, and choose Overview.

    2. Select the OVA.

    3. Click Upload to upload the OVA to your bucket.

  2. Import the OVA as an AWS image as described in What is VM Import/Export? (see particularly the section Import your VM as an Image).

When following the AWS documentation in that link, you can reuse the sample JSON files. However, any text shown in red must be replaced with the values specific to your S3 bucket, OVA, and so on.

For information on VM Import/Export, see VM Import/Export Requirements.

Examples

This section describes sample files and commands used in Importing Your VM as an Image using VM Import/Export. We recommend you create these files in your home directory to directly reuse (copy/paste) the commands.

JSON parsing or Python errors encountered when running any of these commands may be caused by the text editor used to create the files (for example, Sublime Text). To resolve this, we recommend creating the files with nano or Vim. If the errors persist, ensure that you are using Python 3.x or later.

Creating trust policy file from the terminal

  1. Create a file named trust-policy.json from your terminal with the following policy:

    {
         "Version":"2012-10-17",
         "Statement":[
              {
                   "Effect":"Allow",
                   "Principal":{"Service": "vmie.amazonaws.com"},
                   "Action":"sts:AssumeRole",
                   "Condition": {
                        "StringEquals":{
                             "sts:Externalid":"vmimport"
                        }
                   }
              }
         ]
    }
  2. Run the create-role command to create a role named vmimport.
    Ensure that you specify the full path to the location of the trust-policy.json file that you created in the previous step, and that you include the file:// prefix as shown in the following command:

    aws iam create-role --role-name vmimport --assume-role-policy-document "file://trust-policy.json"

    Ensure that the role is named vmimport. Failing to do so may result in a failure during the import-image step.

Creating role-policy file from terminal

  1. Create a file named role-policy.json from your terminal with the following policy:

    {
         "Version":"2012-10-17",
         "Statement":[
              {
                   "Effect":"Allow",
                   "Action":[
                        "s3:ListBucket",
                         "s3:GetBucketLocation"
                        ],
                   "Resource":[
                        "arn:aws:s3:::yourinfo"
                     ]
              },
              {
                   "Effect":"Allow",
                   "Action":[
                        "s3:GetObject"
                     ],
                   "Resource":[
                        "arn:aws:s3:::yourinfo/*"
                     ]
              },
              {
                   "Effect":"Allow",
                   "Action":[
                        "ec2:ModifySnapshotAttribute",
                        "ec2:CopySnapshot",
                        "ec2:RegisterImage",
                        "ec2:Describe*"
                    ],
                   "Resource":"*"
              }
         ]
    }
  2. Run the put-role-policy command to attach the role policy to the role created earlier. Ensure that you specify the full path to the location of the role-policy.json file.

    aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file://role-policy.json"

    To create a role, you need to have the following permissions in AWS: PutRolePolicy, CreateRole (write), GetRole, GetRolePolicy, ListPolicies, and ListRoles (read).

If you are prompted to run aws configure, provide your AWS access key ID, secret access key, default region, and default output format:

    $ aws configure
    AWS Access Key ID [None]: YOURAWSACCESSKEY
    AWS Secret Access Key [None]: YOURAWSSECRETACCESSKEY
    Default region name [None]: YOURREGIONNAME
    Default output format [None]: ENTER

Creating containers file from terminal

  1. Create a file named containers.json from your terminal:

    [
      {
        "Description": "scaXXX",
        "Format": "ova",
        "UserBucket": {
          "S3Bucket": "YourBucketName",
          "S3Key": "scaXXX.ova"
        }
      }
    ]
  2. Run the import-image command to import the OVA.

    aws ec2 import-image --description "scaXXXX" --license-type BYOL --disk-containers file://containers.json

    Sample output:

    {
      "Status": "active",
      "LicenseType": "BYOL",
      "Description": "scaXXXX",
      "Progress": "2",
      "SnapshotDetails": [
        {
          "UserBucket": {
            "S3Bucket": "YourBucketName",
            "S3Key": "scaXXXX.ova"
          },
          "DiskImageSize": 0.0,
          "Format": "OVA"
        }
      ],
      "StatusMessage": "pending",
      "ImportTaskId": "import-ami-example"
    }
  3. Run the describe-import-image-tasks command to check the status of the import task:

    aws ec2 describe-import-image-tasks --import-task-ids import-ami-example

    Sample output while the import is still in progress:

    {
      "ImportImageTasks": [
        {
          "Status": "active",
          "LicenseType": "BYOL",
          "Description": "scaXXXX",
          "Progress": "28",
          "SnapshotDetails": [
          {
            "UserBucket": {
              "S3Bucket": "YourBucketName",
              "S3Key": "scaXXXX.ova"
            },
            "DiskImageSize": 2807544320.0,
            "Format": "VMDK"
          },
          {
            "UserBucket": {
              "S3Bucket": "YourBucketName",
              "S3Key": "scaXXXX.ova"
            },
            "DiskImageSize": 476500480.0,
            "Format": "VMDK"
          }
        ],
        "StatusMessage": "converting",
        "ImportTaskId": "import-ami-example"
        }
      ]
    }

    Sample output when the import has completed successfully:

    {
      "ImportImageTasks": [
        {
          "Status": "completed",
          "LicenseType": "BYOL",
          "Description": "scaXXXX",
          "ImageId": "ami-example",
          "Platform": "Linux",
          "Architecture": "x86_64",
          "SnapshotDetails": [
            {
              "UserBucket": {
                "S3Bucket": "YourBucketName",
                "S3Key": "scaXXXX.ova"
              },
              "SnapshotId": "snap-example",
              "DiskImageSize": 2807544320.0,
              "DeviceName": "/dev/sda1",
              "Format": "VMDK"
            },
            {
              "UserBucket": {
                "S3Bucket": "YourBucketName",
                "S3Key": "scaXXXX.ova"
              },
              "SnapshotId": "snap-example",
              "DiskImageSize": 476500480.0,
              "DeviceName": "/dev/sdf",
              "Format": "VMDK"
            }
          ],
          "ImportTaskId": "import-ami-example"
        }
      ]
    }
  4. Log on to your AWS account.

  5. Go to EC2.
    You see the AMI created (ami-example).

  6. Select Launch Instance.
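As an added example (not code from the Sentinel documentation or from AWS), the following Python script builds the three JSON files used above from a single bucket name and OVA key, so the placeholder values that have to be replaced stay consistent across files, checks that the role policy grants S3 access only to that bucket, and summarises describe-import-image-tasks output for a polling loop. The function names and the file-writing helper are assumptions.

```python
"""Added example (not from the Sentinel docs): build the VM Import JSON files
from one bucket name and OVA key, check the role policy's S3 scope, and read task status."""
import json
from pathlib import Path

VMIE_SERVICE = "vmie.amazonaws.com"
EXTERNAL_ID = "vmimport"  # must match the role name passed to create-role

def trust_policy() -> dict:
    """Only the VM Import service, presenting ExternalId 'vmimport', may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": VMIE_SERVICE},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:Externalid": EXTERNAL_ID}}}]}

def role_policy(bucket: str) -> dict:
    """Role policy with the page's 'yourinfo' placeholder filled in both ARNs."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": [f"arn:aws:s3:::{bucket}"]},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{bucket}/*"]},
        {"Effect": "Allow", "Resource": "*", "Action": ["ec2:ModifySnapshotAttribute",
         "ec2:CopySnapshot", "ec2:RegisterImage", "ec2:Describe*"]}]}

def containers(bucket: str, ova_key: str, description: str) -> list:
    """Disk container list for 'aws ec2 import-image --disk-containers'."""
    return [{"Description": description, "Format": "ova",
             "UserBucket": {"S3Bucket": bucket, "S3Key": ova_key}}]

def s3_scope_problems(policy: dict, bucket: str) -> list:
    """S3 resources the policy grants outside the intended bucket (empty list = OK)."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    problems = []
    for st in policy["Statement"]:
        actions, res = ([v] if isinstance(v, str) else v for v in (st["Action"], st["Resource"]))
        if any(a.startswith("s3:") for a in actions):
            problems += [r for r in res if r not in allowed]
    return problems

def import_state(response: dict) -> tuple:
    """(Status, Progress, ImageId); Progress/ImageId are None when AWS omits them."""
    task = response["ImportImageTasks"][0]
    return task["Status"], task.get("Progress"), task.get("ImageId")

def write_json(path: str, doc) -> None:
    """Write one document; json.dumps guarantees a file the CLI can parse."""
    Path(path).write_text(json.dumps(doc, indent=2) + "\n")
```

Generate the files with write_json("trust-policy.json", trust_policy()) and so on, then run s3_scope_problems on any hand-edited role-policy.json before calling put-role-policy.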

If you require any other configuration for an appliance that is hosted in AWS, please contact support@whitehatsec.com for assistance.