TX Prevent on AWS EC2: CloudFormation template installation guide
Introduction
This document guides you through installing TX Prevent into your AWS environment using CloudFormation: deploying the control plane stack, granting it only the IAM permissions it needs, and launching the runtime sensors on the EC2 instances you want to watch.
Architecture
The TX Prevent deployment architecture leverages several Amazon Web Services (AWS) components to provide a highly available and secure product.
Runtime sensors are deployed onto EC2 instances alongside the applications or services you want to watch. These sensors communicate with the ThreatX Prevent control plane services.
High Availability
- For each control plane service, instances are created in multiple Availability Zones.
- The instances are deployed in Auto Scaling Groups (ASG), where they are continuously monitored to ensure the desired number of healthy instances.
Security
- All control plane services are deployed into private subnets and are never publicly exposed.
- All traffic to control plane services is encrypted using TLS with Amazon-provisioned certificates.
ThreatX Control Plane Services
Service | Description |
---|---|
Runtime Analyzer | A data aggregator, analysis engine, and event router. Connects to ThreatX and emits vulnerability metadata. |
Scan Template Service | Ingests passively detected vulnerability data and generates highly targeted scan templates. Executes the individual scans and returns the results after determining efficacy. |
OTEL Collector | Collects logs and metrics from the sensors and the other control plane services and sends them back to ThreatX for enhanced product support. |
AWS Components and Services
Component | Role in the deployment |
---|---|
Application Load Balancer (ALB) | Fronts the TX Prevent control plane services. Each control plane service has multiple instances in at least two Availability Zones for high availability, with the ALB distributing traffic between them. |
Auto Scaling Group (ASG) | Maintains the desired number of healthy service EC2 instances. If an instance becomes unhealthy or is unexpectedly terminated, the ASG creates a replacement. |
Parameter Store | Configuration properties for sensors and control plane services. |
Secrets Manager | Sensitive configuration properties. |
Route53 | DNS records for the control plane services. |
Certificate Manager (ACM) | Provisioning of certificates for the control plane services. |
Prerequisites
Preflight Checklist
The following items must be completed before the deployment can begin.
- Valid ThreatX Tenant ID (customer name)
- Valid ThreatX API Key (see ThreatX Sensor API Key)
- AWS user or role with either the AdministratorAccess policy or the custom deployment IAM policy described under CloudFormation IAM Permissions
- EC2 key pair for SSH access to the EC2 instances (see Creating an EC2 Key Pair)
- Docker installed on the EC2 instances where the sensors will be deployed
- AWS Route53 Hosted Zone for the DNS records and certificates of the control plane services
- VPC with at least:
  - 2 private subnets, in different Availability Zones (the Subnets template parameter requires this)
  - 1 public subnet
  - 1 internet gateway
  - 1 NAT gateway (the control plane instances sit in private subnets and reach ThreatX through it)
Creating an EC2 Key Pair
The EC2 key pair will be used to SSH into the ThreatX Control Plane EC2 instances. To create one for the install, follow the steps below:
- Open the AWS EC2 Console.
- Select Key pairs.
- On the Key pairs page, click Create key pair.
- On the Create key pair page:
  - Enter a name (e.g., threatx-prevent)
  - Select RSA
  - Select .pem format
  - Add any tags that you want
  - Click Create key pair.
- The private key is then downloaded to your system.
Put this key in a safe place. It can be used to SSH into any of the TX Prevent EC2 instances, so restrict its file permissions (chmod 400) and keep it out of source control and shared drives.
Runtime Sensor System Requirements
Requirement | Detail |
---|---|
Resources | At least 2 cores and 300 MB of memory available on the EC2 instance the sensor runs on is recommended. |
Network Connectivity | If sensors are deployed into a different VPC than the control plane, VPC peering or Transit Gateway connectivity must be set up between the VPCs. The sensor hosts must be able to reach the Runtime Analyzer on TCP port 50051, the port used in ANALYZER_URL below, so routes and security groups need to allow it. |
Scanning Requirements | You may need to adjust security groups to allow ingress traffic from the Scan Template Service to the target endpoints. |
Control Plane Deployment
Download the TX Prevent CloudFormation template: https://threatx-prevent-cf-template.s3.amazonaws.com/threatx-prevent.yaml
Review the template before deploying it. It creates IAM roles and instance profiles, which is why stack creation requires the IAM capability acknowledgements in the steps below.
CloudFormation Template Parameters
Keys shown are those referenced in the deployment steps below; for the remaining parameters, read the key from the template itself.
Key | Type | Default | Description |
---|---|---|---|
ApiKey | String | | The API key for TX Prevent |
TenantId | String | | The Tenant ID for TX Prevent |
 | String | info | The logging level to use for all services |
VPC | AWS::EC2::VPC::Id | | The virtual private cloud (VPC) to install into. See VPC Setup |
Subnets | List<AWS::EC2::Subnet::Id> | | At least two private subnets in different Availability Zones in the selected VPC |
HostedZoneId | String | | The ID of the Route53 Hosted Zone to add DNS records to. Must align with the specified Hosted Zone Name. |
KeyName | AWS::EC2::KeyPair::KeyName | | Name of an existing EC2 key pair to allow SSH access to the control plane's EC2 instances |
 | String | threatx-grpc2kafka-production-v1.xplat-production.threatx.io | The Gateway hostname for TX Prevent |
HostedZoneName | String | | The Route53 Hosted Zone Name for the control plane service DNS records. Must align with the specified Hosted Zone Id. |
 | String | /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64 | The latest AMI ID for the TX Prevent services |

Runtime Analyzer parameters:
Key | Type | Default | Description |
---|---|---|---|
AnalyzerTags | String | | The tag values for the Runtime Analyzer |
 | String | | The environment name for the Runtime Analyzer |
 | boolean | false | Enable caching for the Runtime Analyzer |
 | boolean | false | Enable compression for the Runtime Analyzer |
 | String | 1.2.0 | The tag for the Runtime Analyzer docker image |
 | boolean | false | Accept compressed data for the Runtime Analyzer |
 | Number | 2 | Number of desired Runtime Analyzer instances |
 | boolean | false | Enable queue sampling for the Runtime Analyzer |
 | boolean | false | Enable stdout metrics for the Runtime Analyzer |
 | boolean | false | Enable catalog monitoring for the Runtime Analyzer |
 | String | t3.small | The EC2 instance type for the Runtime Analyzer instances |

Scan Template Service parameters:
Key | Type | Default | Description |
---|---|---|---|
 | String | 1.1.0 | The tag for the Scan Template Service docker image |
 | Number | 2 | Number of desired Scan Template Service instances |
 | String | t3.small | The EC2 instance type for the Scan Template Service instances |

OTEL Collector parameters:
Key | Type | Default | Description |
---|---|---|---|
 | String | 1.1.0 | The tag for the OTEL Collector docker image |
 | String | t3.small | The EC2 instance type for the OTEL Collector instances |
 | String | | The Gateway URL for the OTEL Collector |
Step-by-Step Console Deployment Instructions
Follow these steps to deploy the CloudFormation stack through the AWS Console and create the TX Prevent services in your AWS environment.
1. Add the TX Prevent CloudFormation Template
- Sign in to your AWS account via the AWS Console and select the desired region for the deployment.
- Open the CloudFormation console.
- Select Create stack, then With new resources (standard).
- Select Choose an existing template and enter the URL of the TX Prevent template in the Amazon S3 URL field:
  https://threatx-prevent-cf-template.s3.amazonaws.com/threatx-prevent.yaml
2. Configure the Stack Details
On the Specify stack details page:
- In the Stack name field, enter: ThreatXPrevent
  NOTE: If you choose a different stack name, it must be 14 characters or less. The stack name is used as part of AWS resource tags, some of which have length limitations. The custom IAM policy under CloudFormation IAM Permissions also scopes its resources by the ThreatXPrevent prefix, so a different name requires matching changes there.
- Provide values for the following parameters (all parameters are described under CloudFormation Template Parameters):
  - TenantId
  - ApiKey
  - VPC
  - Subnets
  - HostedZoneId
  - HostedZoneName
  - KeyName
  - AnalyzerTags
- For all other parameters, keep the default settings and adjust them only if instructed by ThreatX.
- Select Next.
3. Configure the Stack Options
On the Configure stack options page:
- (Optional) Specify tags for the resources in your stack and set any advanced options you want.
- In the Capabilities section, select: I acknowledge that AWS CloudFormation might create IAM resources with custom names.
- Select Next.
4. Review and Create the Stack
On the Review page:
- Review and confirm all of the template settings.
- Under Capabilities, review and select the check boxes to acknowledge.
- Select Create stack.
The TX Prevent deployment is ready when the stack status is CREATE_COMPLETE. Stack creation should take 5 to 10 minutes.
You can watch creation events under the Events tab. To view the created resources, choose the Resources tab; the Outputs tab shows the values the stack exports, such as the control plane hostnames.
AWS CLI Deployment Instructions
Below is an example AWS CLI command to perform the installation. Replace the values shown in <> with your own. Both capabilities belong in a single --capabilities argument (it takes a space-separated list), and the comma inside the Subnets value must be escaped with a backslash inside single quotes so the CLI's shorthand parser does not read the second subnet as a new key. Passing ApiKey on the command line records it in your shell history; when that matters, supply the parameters from a file with --parameters file://params.json instead.
$ aws cloudformation create-stack \
--template-url https://threatx-prevent-cf-template.s3.amazonaws.com/threatx-prevent.yaml \
--stack-name ThreatXPrevent \
--region <your-region> \
--capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM \
--parameters \
ParameterKey=TenantId,ParameterValue=<your-tenant-id> \
ParameterKey=ApiKey,ParameterValue=<your-api-key> \
ParameterKey=VPC,ParameterValue=<your-vpc-id> \
ParameterKey=Subnets,ParameterValue='<your-subnet-id-1>\,<your-subnet-id-2>' \
ParameterKey=HostedZoneId,ParameterValue=<your-hosted-zone-id> \
ParameterKey=HostedZoneName,ParameterValue=<your-hosted-zone-name> \
ParameterKey=KeyName,ParameterValue=<your-ec2-key-pair-name> \
ParameterKey=AnalyzerTags,ParameterValue=<your-tag-value>
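The command above wrapped in a script, as an added example that is not part of the ThreatX guide or its tooling. It checks the stack name against the 14-character limit from the console instructions, joins the subnet IDs into the single comma-separated value a List<AWS::EC2::Subnet::Id> parameter takes, and writes all parameters to a temporary JSON file so the API key is read from an environment variable rather than typed on the command line. The environment variable names (THREATX_API_KEY, TENANT_ID, VPC_ID, SUBNET_IDS, HOSTED_ZONE_ID, HOSTED_ZONE_NAME, KEY_NAME, ANALYZER_TAGS, AWS_REGION, STACK_NAME) are this script's own assumptions; the file:// parameters format, the single --capabilities list and the wait subcommand are standard AWS CLI features. Nothing calls AWS unless the script is invoked with the deploy argument.

```shell
#!/usr/bin/env sh
# Added example, not ThreatX tooling. Deploys the TX Prevent stack from a
# parameters file. Assumed inputs (not from the guide): environment variables
# THREATX_API_KEY, TENANT_ID, VPC_ID, SUBNET_IDS (space separated),
# HOSTED_ZONE_ID, HOSTED_ZONE_NAME, KEY_NAME, ANALYZER_TAGS, AWS_REGION and,
# optionally, STACK_NAME.
set -eu

TEMPLATE_URL=https://threatx-prevent-cf-template.s3.amazonaws.com/threatx-prevent.yaml

# The guide limits the stack name to 14 characters because it is embedded in
# resource tags; CloudFormation itself requires a letter first, then letters,
# digits or hyphens.
validate_stack_name() {
  name=$1
  [ "${#name}" -ge 1 ] && [ "${#name}" -le 14 ] || return 1
  case $name in
    [A-Za-z]*) ;;
    *) return 1 ;;
  esac
  case $name in
    *[!A-Za-z0-9-]*) return 1 ;;
  esac
  return 0
}

# A List<AWS::EC2::Subnet::Id> parameter is passed as one comma-separated
# string. The template wants two private subnets in different AZs, so refuse
# fewer than two ids (AZ distinctness still has to be checked with
# `aws ec2 describe-subnets` or in the console).
join_subnets() {
  [ "$#" -ge 2 ] || return 1
  joined=$1
  shift
  for id in "$@"; do
    joined="$joined,$id"
  done
  printf '%s' "$joined"
}

# One entry of the JSON document that `--parameters file://...` accepts.
param_entry() {
  printf '  {"ParameterKey": "%s", "ParameterValue": "%s"}%s\n' "$1" "$2" "$3"
}

# Writes the full parameters document to stdout. Argument order:
# tenant api_key vpc subnets(joined) hosted_zone_id hosted_zone_name key_name analyzer_tags
write_parameters() {
  printf '[\n'
  param_entry TenantId       "$1" ,
  param_entry ApiKey         "$2" ,
  param_entry VPC            "$3" ,
  param_entry Subnets        "$4" ,
  param_entry HostedZoneId   "$5" ,
  param_entry HostedZoneName "$6" ,
  param_entry KeyName        "$7" ,
  param_entry AnalyzerTags   "$8" ''
  printf ']\n'
}

deploy() {
  stack=${STACK_NAME:-ThreatXPrevent}
  validate_stack_name "$stack" || {
    echo "stack name '$stack' is invalid: 14 chars max, letters/digits/hyphens, letter first" >&2
    return 1
  }
  # Word-split SUBNET_IDS deliberately; each id becomes one argument.
  # shellcheck disable=SC2086
  subnets=$(join_subnets $SUBNET_IDS) || { echo "need at least two subnet ids" >&2; return 1; }

  params=$(mktemp)
  # The file holds the API key: owner-only permissions, removed after the call.
  chmod 600 "$params"
  write_parameters "$TENANT_ID" "$THREATX_API_KEY" "$VPC_ID" "$subnets" \
    "$HOSTED_ZONE_ID" "$HOSTED_ZONE_NAME" "$KEY_NAME" "$ANALYZER_TAGS" > "$params"

  aws cloudformation create-stack \
    --template-url "$TEMPLATE_URL" \
    --stack-name "$stack" \
    --region "$AWS_REGION" \
    --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM \
    --parameters "file://$params"
  rm -f "$params"

  # Blocks until CREATE_COMPLETE and fails on rollback; typically 5 to 10 minutes.
  aws cloudformation wait stack-create-complete --stack-name "$stack" --region "$AWS_REGION"
}

# Only call AWS when explicitly asked: ./deploy-tx-prevent.sh deploy
if [ "${1:-}" = "deploy" ]; then
  deploy
fi
```

The validation functions are safe to source on their own; only deploy touches AWS. The API key still reaches CloudFormation as a parameter value, so whether it is visible to anyone who can describe the stack depends on the template marking ApiKey as NoEcho, which is worth confirming in the downloaded template.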
Runtime Sensor Deployment
Use the Docker CLI command that follows, making environment-specific changes where needed, to launch the sensor on the EC2 instance where the application to be monitored is running. The sensor shares the host's network namespace (--network host), so no -p port mappings are needed; it also requires NET_ADMIN and read access to the kernel tracing filesystem. Place the downloaded AmazonRootCA1.pem in the directory you run the command from.
$ docker run -i \
--network host \
--cap-add=NET_ADMIN \
--mount type=bind,source="$PWD/AmazonRootCA1.pem",target=/AmazonRootCA1.pem,readonly \
-e SENSOR_TAGS=raap-example.raap-example-deployment \
-e RUST_LOG=info \
-e RUST_BACKTRACE=1 \
-e ANALYZER_URL=https://tx-analyzer-threatxprevent.xplat-sandbox.threatx.io:50051 \
-e ANALYZER_TLS_ENABLED=true \
-e ANALYZER_TLS_CA_PEM=/AmazonRootCA1.pem \
-e TARGET_ENVIRONMENT=docker \
-e INTERFACE=<see table below> \
-v /sys/kernel/tracing:/sys/kernel/tracing:ro \
public.ecr.aws/threatx/raap/threatx-runtime-sensor:1.2.0
Option | Notes |
---|---|
--mount ... AmazonRootCA1.pem | The Amazon root CA certificate must be mounted into the container for the sensor to trust the control plane certificates. Download it from https://www.amazontrust.com/repository/AmazonRootCA1.pem. ANALYZER_TLS_CA_PEM must be the path of the file inside the container (/AmazonRootCA1.pem, the mount target), not the host path. |
SENSOR_TAGS | For the most accurate tracking of events at the application level, the TX Prevent sensor needs the name of the application it is monitoring on the EC2 instance. Set this to the name of the application the sensor runs alongside. |
ANALYZER_URL | If you chose a stack name other than ThreatXPrevent for the control plane, the host is tx-analyzer-<stackname>.xplat-sandbox.threatx.io:50051. The DNS record is created in the Route53 hosted zone you supplied as HostedZoneName, so confirm the exact hostname there (or in the stack's Outputs) before starting sensors, and make sure routing and security groups allow TCP 50051 from the sensor host to the control plane. |
INTERFACE | The network interface name must match the name of the EC2 instance's network interface. See the table below for the usual name for your distribution. |
Distribution | Interface |
---|---|
Amazon | enX0 |
Amazon | eth0 |
Ubuntu | enX0 |
SUSE | eth0 |
Debian | enX0 |
RHEL | eth0 |
Interface naming depends on the distribution release and the instance type (presumably why Amazon is listed with both names), so if your distribution is not listed, or to confirm the value, run ip a on the EC2 instance; ip route show default prints the interface carrying the default route after dev.
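The sensor launch scripted, as an added example that is not ThreatX's own tooling: detect_interface replaces the table lookup by reading the default-route interface from the output of ip route show default (passed in as text so it can be checked against captured output), check_ca_pem refuses to start when the downloaded CA file is empty or is an HTML error page saved under the .pem name, and the container is run detached with a restart policy and a fixed name, which is this script's choice rather than the guide's -i. The CA_PEM variable, the run argument and the container name threatx-runtime-sensor are assumptions of the script; the image, environment variables and mounts are those from the command above.

```shell
#!/usr/bin/env sh
# Added example, not ThreatX tooling: launches the runtime sensor with the
# interface detected from the default route instead of the lookup table.
# Assumptions not in the guide: the CA file is $PWD/AmazonRootCA1.pem unless
# CA_PEM is set, and the container runs detached with a restart policy.
set -eu

SENSOR_IMAGE=public.ecr.aws/threatx/raap/threatx-runtime-sensor:1.2.0

# Picks the interface that carries the default route. Takes the text of
# `ip route show default` as $1 so it can be tested on captured output; with
# several default routes the first line wins. Returns 1 when there is none.
detect_interface() {
  first=$(printf '%s\n' "$1" | head -n 1)
  case $first in
    default*) ;;
    *) return 1 ;;
  esac
  set -- $first
  while [ "$#" -gt 0 ]; do
    if [ "$1" = "dev" ] && [ -n "${2:-}" ]; then
      printf '%s' "$2"
      return 0
    fi
    shift
  done
  return 1
}

# The CA file must exist, be non-empty and contain a PEM certificate block.
# Catches the common failure of a download that saved an error page as .pem,
# which would otherwise surface only as a TLS failure inside the container.
check_ca_pem() {
  [ -s "$1" ] || return 1
  grep -q -e '-----BEGIN CERTIFICATE-----' "$1" || return 1
  return 0
}

# $1 = SENSOR_TAGS (application name), $2 = ANALYZER_URL
run_sensor() {
  app=$1
  analyzer=$2
  ca=${CA_PEM:-$PWD/AmazonRootCA1.pem}
  check_ca_pem "$ca" || {
    echo "$ca is missing or not a PEM certificate; fetch https://www.amazontrust.com/repository/AmazonRootCA1.pem" >&2
    return 1
  }
  iface=$(detect_interface "$(ip route show default)") || {
    echo "no default route found; set INTERFACE by hand (see ip a)" >&2
    return 1
  }
  [ -e "/sys/class/net/$iface" ] || { echo "interface $iface not present" >&2; return 1; }

  # --network host makes -p mappings meaningless, so none are given. The CA is
  # bind-mounted read-only at the absolute path that ANALYZER_TLS_CA_PEM names.
  docker run -d --name threatx-runtime-sensor --restart unless-stopped \
    --network host \
    --cap-add=NET_ADMIN \
    --mount "type=bind,source=$ca,target=/AmazonRootCA1.pem,readonly" \
    -e SENSOR_TAGS="$app" \
    -e RUST_LOG=info \
    -e RUST_BACKTRACE=1 \
    -e ANALYZER_URL="$analyzer" \
    -e ANALYZER_TLS_ENABLED=true \
    -e ANALYZER_TLS_CA_PEM=/AmazonRootCA1.pem \
    -e TARGET_ENVIRONMENT=docker \
    -e INTERFACE="$iface" \
    -v /sys/kernel/tracing:/sys/kernel/tracing:ro \
    "$SENSOR_IMAGE"
}

# Usage: ./run-sensor.sh run <app-name> <analyzer-url>
if [ "${1:-}" = "run" ] && [ "$#" -eq 3 ]; then
  run_sensor "$2" "$3"
fi
```

Because the sensor runs with host networking, NET_ADMIN and a view of the kernel tracing filesystem, it is effectively a privileged component of the host; keep the image tag pinned as shown and treat the instance profile and security groups of sensor hosts with the same care as the control plane's.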
CloudFormation IAM Permissions
There are two options for obtaining the permissions needed to create the TX Prevent stack:
- Use an existing user or role that has the AdministratorAccess policy.
- Create a custom IAM policy with the minimum permissions required (least privilege) and attach it either to the user or role that runs the installation, which then additionally needs permission to call CloudFormation itself, or, as the following sections do, to a dedicated CloudFormation service role that you select when creating the stack. In the service-role case the identity launching the stack needs only CloudFormation permissions plus iam:PassRole on that role.
Configure AWS with the Minimum Permissions Required for Stack Creation
Now we will create a custom policy with the minimum permissions required to create the TX Prevent stack.
Create a Custom Policy
- On the AWS Services page, select IAM.
- From the IAM Dashboard, select Policies.
- On the Policies page, select Create policy.
- On the Specify permissions page, under the JSON tab:
  - Copy the JSON below into the Policy editor.
  - Replace all placeholder instances with your actual values:
    - <account-id> with your AWS Account ID
    - <hosted-zone-id> with your AWS Route53 Hosted Zone ID (the bare ID, not the /hostedzone/ prefixed form)
  - The resource ARNs and the aws:cloudformation:stack-name tag condition are scoped to the ThreatXPrevent prefix. If you deploy the stack under a different name, change every ThreatXPrevent* pattern to match; otherwise stack creation fails with access-denied errors on the scoped resources.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "LaunchTemplates",
"Action": "ec2:CreateLaunchTemplate",
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:<account-id>:launch-template/*"
},
{
"Effect": "Allow",
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:*"
],
"Resource": "arn:aws:ssm:*:<account-id>:parameter/ThreatXPrevent*"
},
{
"Sid": "EC2",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress"
],
"Resource": "arn:aws:ec2:*:<account-id>:security-group/*",
"Condition": {
"StringLike": {
"aws:ResourceTag/aws:cloudformation:stack-name": "ThreatXPrevent*"
}
}
},
{
"Sid": "EC2v3",
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:RunInstances",
"ec2:DescribeInstances",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeKeyPairs",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:DescribeSecurityGroups",
"ec2:CreateLaunchTemplate",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DeleteLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:DeleteLaunchTemplateVersions",
"ec2:ModifyLaunchTemplate",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTrustStores"
],
"Resource": "*"
},
{
"Sid": "ElasticLoadbalancing",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:RemoveTags",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeListeners"
],
"Resource": "*"
},
{
"Sid": "TargetGroup",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes"
],
"Resource": "arn:aws:elasticloadbalancing:*:<account-id>:targetgroup/ThreatXPrevent*"
},
{
"Sid": "ElasticLoadbalancingV2",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:SetWebAcl",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:AddListenerCertificates",
"elasticloadbalancing:RemoveListenerCertificates",
"elasticloadbalancing:ModifyRule",
"elasticloadbalancing:CreateListener"
],
"Resource": "arn:aws:elasticloadbalancing:*:<account-id>:loadbalancer/app/ThreatXPrevent*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:DeleteRule",
"elasticloadbalancing:DeleteListener"
],
"Resource": [
"arn:aws:elasticloadbalancing:*:<account-id>:listener/app/ThreatXPrevent*",
"arn:aws:elasticloadbalancing:*:<account-id>:listener-rule/app/ThreatXPrevent*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:DeregisterTargets"
],
"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
},
{
"Sid": "IAM",
"Effect": "Allow",
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:GetInstanceProfile",
"iam:GetRole",
"iam:RemoveRoleFromInstanceProfile",
"iam:CreateRole",
"iam:DeleteRole",
"iam:AddRoleToInstanceProfile",
"iam:PassRole",
"iam:DeleteRolePolicy",
"iam:GetRolePolicy",
"iam:GetPolicy",
"iam:CreatePolicy",
"iam:DeletePolicy",
"iam:ListPolicyVersions",
"iam:TagRole",
"iam:DetachRolePolicy",
"iam:AttachRolePolicy"
],
"Resource": [
"arn:aws:iam::<account-id>:role/ThreatXPrevent*",
"arn:aws:iam::<account-id>:policy/ThreatXPrevent*",
"arn:aws:iam::<account-id>:instance-profile/ThreatXPrevent*"
]
},
{
"Sid": "IAMv2",
"Effect": "Allow",
"Action": "iam:PutRolePolicy",
"Resource": [
"arn:aws:iam::<account-id>:role/ThreatXPrevent*",
"arn:aws:iam::<account-id>:policy/ThreatXPrevent*"
]
},
{
"Sid": "ACM",
"Effect": "Allow",
"Action": "acm:*",
"Resource": "arn:aws:acm:*:<account-id>:certificate/*"
},
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds",
"secretsmanager:CreateSecret",
"secretsmanager:PutSecretValue",
"secretsmanager:TagResource",
"secretsmanager:DeleteSecret"
],
"Resource": "arn:aws:secretsmanager:*:<account-id>:secret:/ThreatXPrevent*"
},
{
"Effect": "Allow",
"Action": "secretsmanager:ListSecrets",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets",
"route53:GetHostedZone"
],
"Resource": "arn:aws:route53:::hostedzone/<hosted-zone-id>"
},
{
"Effect": "Allow",
"Action": "route53:GetChange",
"Resource": "arn:aws:route53:::change/*"
},
{
"Effect": "Allow",
"Action": [
"autoscaling:CreateAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:PutScalingPolicy",
"autoscaling:DescribePolicies",
"autoscaling:DeletePolicy",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DescribeScalingActivities"
],
"Resource": "*"
}
]
}
- When you are complete, click Next.
- Give the policy a name (e.g., threatx-prevent-install).
- Add a tag:
  - Key: product
  - Value: threatx-prevent
- Click Create policy.
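Rendering the policy above for a given account, hosted zone and stack name, as an added example that is not ThreatX's own tooling. It substitutes the two placeholders, re-scopes every ThreatXPrevent* pattern (resource ARNs and the stack-name tag condition alike) to the stack name you will actually use, refuses to emit a document that still contains an unreplaced <placeholder>, and counts the statements whose Resource is the bare "*" so you know which parts of the policy remain unscoped. It assumes the unrendered JSON is saved to a file exactly as pasted from this page; the create argument, the output path handling and the tag passed to aws iam create-policy are the script's own choices.

```shell
#!/usr/bin/env sh
# Added example, not ThreatX tooling: renders the guide's policy JSON into a
# deployable document. Assumptions: the unrendered policy is saved in a file
# exactly as pasted from the guide, with placeholders written <account-id>
# and <hosted-zone-id>.
set -eu

# A 12-digit AWS account id.
valid_account_id() {
  case $1 in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Route53 hosted zone ids are upper-case alphanumerics starting with Z. The
# value must be the bare id, not the "/hostedzone/Z..." form the console shows.
valid_hosted_zone_id() {
  case $1 in
    Z[A-Z0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Same stack-name rule as the console instructions: 14 chars, letter first.
valid_stack_name() {
  [ "${#1}" -ge 1 ] && [ "${#1}" -le 14 ] || return 1
  case $1 in [A-Za-z]*) ;; *) return 1 ;; esac
  case $1 in *[!A-Za-z0-9-]*) return 1 ;; esac
  return 0
}

# render_policy <policy-file> <account-id> <hosted-zone-id> <stack-name>
# Substitutes the placeholders, re-scopes every ThreatXPrevent* pattern to the
# chosen stack name, and emits nothing if any <placeholder> survives.
render_policy() {
  file=$1 account=$2 zone=$3 stack=$4
  valid_account_id "$account" || { echo "bad account id: $account" >&2; return 1; }
  valid_hosted_zone_id "$zone" || { echo "bad hosted zone id: $zone" >&2; return 1; }
  valid_stack_name "$stack" || { echo "bad stack name: $stack" >&2; return 1; }
  rendered=$(sed -e "s|<account-id>|$account|g" \
                 -e "s|<hosted-zone-id>|$zone|g" \
                 -e "s|ThreatXPrevent\*|$stack*|g" "$file")
  if printf '%s\n' "$rendered" | grep -q '<[a-z-]*>'; then
    echo "unreplaced placeholder left in policy" >&2
    return 1
  fi
  printf '%s\n' "$rendered"
}

# Counts statements whose Resource is the bare "*". In the guide's policy these
# are the EC2 run/terminate and describe calls, the ELB create/describe calls,
# autoscaling, ssm:DescribeParameters and secretsmanager:ListSecrets: the parts
# the stack-name scoping does not cover, worth a look before the role exists.
count_wildcard_resources() {
  grep -c '"Resource": *"\*"' "$1" || true
}

# Usage: ./render-policy.sh create policy.json 123456789012 Z0123456789ABCDEFGHIJ ThreatXPrevent
if [ "${1:-}" = "create" ] && [ "$#" -eq 5 ]; then
  out=$(mktemp)
  render_policy "$2" "$3" "$4" "$5" > "$out"
  echo "statements with Resource \"*\": $(count_wildcard_resources "$out")" >&2
  aws iam create-policy --policy-name threatx-prevent-install \
    --policy-document "file://$out" \
    --tags Key=product,Value=threatx-prevent
  rm -f "$out"
fi
```

Besides the unscoped statements the count reports, note that ssm:* on the ThreatXPrevent* parameter path and acm:* on all certificates in the account are service-wide wildcards; the policy is therefore broader than the stack itself, which is one more reason to attach it to a dedicated CloudFormation service role rather than to a person's user.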
Creating a New Role for the Installation
From the IAM Console:
- In the main menu on the left, select Roles.
- Click the Create role button.
From the Create role page:
- Verify that the AWS service option is selected.
- From the list, select CloudFormation and click Next.
- In the Filter policies field, locate and select the checkbox of the policy you created. Click Next.
- For Role name, enter threatx-prevent-install.
- Add a tag:
  - Key: product
  - Value: threatx-prevent
- Click Create role.
Use the New Role to Create the Stack
From the Configure stack options page:
- Locate the Permissions section.
- In the IAM role name field, select the newly created role: threatx-prevent-install.
CloudFormation then performs every stack operation with this role's permissions rather than yours, so the user creating the stack needs cloudformation permissions and iam:PassRole for threatx-prevent-install, but not the broad EC2, IAM and ELB rights in the policy above.