Holm Security has developed a Scanner Appliance image for Amazon Web Services (AWS) using the latest security standards that AWS offers.
The image is distributed as an Amazon Machine Image (AMI) and allows any of our customers to spin up a Scanner Appliance within their own AWS account.
The AMI uses encrypted storage volumes, so the customer is required to set up a policy in their AWS account before they can make use of the Scanner Appliance.
Preparation for the Scanner Appliance in Security Center
- ntpservers: NTP servers are limited to a maximum of 4.
- token: Token from Security Center > Scanner Appliance section.
{
"ntpservers": ["xxx.xxx.xxx.xxx","xxx.xxx.xxx.xxx"],
"token": "nnnnnn"
}
For OnPrem usage with a self-signed certificate, the configuration should be:
{
"ntpservers": ["xxx.xxx.xxx.xxx","xxx.xxx.xxx.xxx"],
"token": "nnnnnn",
"api_base_url": "https://onprem.address:8004",
"nvt_base_url": "https://onprem.address:8007",
"apt_base_url": "http://onprem.address:8044",
"trust_certificates": "1"
}
If using a valid certificate, the "trust_certificates" line should be removed.
When adding a Scanner Appliance for OnPrem:
The TLS certificate hostname on the OnPrem must be the same as the hostname in api_base_url. If it is not, the registration will fail.
This configuration is later added to the EC2 User data before booting the instance (Scanner Appliance image) in AWS.
Do this while adding the instance in AWS, in the step "3. Configure Instance", in the User data field at the bottom.
It can also be added to a running instance later via: Instances -> (right-click the instance) -> Instance Settings -> Edit User Data -> Current User data.
The instance must be rebooted after the change. Please also ensure that an IP address is set or configured for the Scanner Appliance.
Steps to set up Scanner Appliance in AWS
- Set up the Identity and Access Management (IAM) policy on your account where you will host the Scanner Appliance, see below.
- Attach the policy to the user who will initiate the EC2 with the AMI.
- Share the following information with support@holmsecurity.com (for the AWS account in which the Scanner Appliance will run):
- AWS Account ID (12-digit account number)
- AWS Region
- Wait for confirmation from Support that the Scanner Appliance AMI is shared with your account and region.
- Confirm in your AWS account that you can access the shared AMI.
Network communication
The Scanner Appliance for the cloud has the same technical communication requirements as other Scanner Appliances. Please refer to the following article and make sure the outbound communication rules for your instance are opened properly:
https://support.holmsecurity.com/hc/en-us/articles/213477725-What-are-the-firewall-settings-for-Scanner-Appliance-
Instance size
We recommend running the Scanner Appliance on at least an m5.large instance in AWS.
AWS IAM Policy
The IAM policy below needs to be created in your AWS account and attached to the user who will launch the Scanner Appliance AMI. It is required because the AMI uses disk encryption: the user must be able to read the Customer Master Key (CMK) from Holm Security.
Suggested policy name: Holm-Security-Scanner-Appliance-ReadKMS
Region: eu-west-1 (Ireland)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:ReEncrypt*",
"kms:CreateGrant",
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:eu-west-1:949780939287:key/cc08deb2-0b5b-4545-b5db-becaf030830f"
]
}]
}
Region: ap-south-1 (Mumbai)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:ReEncrypt*",
"kms:CreateGrant",
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:ap-south-1:949780939287:key/85575c51-cb46-48ed-b16c-3ac85ba82e0e"
]
}]
}
Region: us-east-1 (N. Virginia)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:ReEncrypt*",
"kms:CreateGrant",
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:us-east-1:949780939287:key/892f7d3e-c80f-48b4-813a-910eec4eca7f"
]
}]
}
Region: eu-north-1 (Stockholm)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:ReEncrypt*",
"kms:CreateGrant",
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:eu-north-1:949780939287:key/9b8a7e61-2e43-46eb-8dba-1c55e9723918"
]
}]
}
Region: ap-southeast-1 (Singapore)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:ReEncrypt*",
"kms:CreateGrant",
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:ap-southeast-1:949780939287:key/104c89b9-c759-4ae5-86a0-bc4d40be9734"
]
}]
}
Region: eu-central-1 (Frankfurt)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:ReEncrypt*",
"kms:CreateGrant",
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:eu-central-1:949780939287:key/edaeca23-e374-430d-bd43-ad496993a0a4"
]
}]
}
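The following added example (not Holm Security's own code) builds the two artifacts this article describes, the EC2 User data JSON and the per-region KMS policy, and checks that a policy stays scoped to the four listed actions on an explicit key ARN rather than a wildcard. The parameter names onprem_address and self_signed are assumptions; the key ARN used in the comment is the eu-west-1 one from this article.

```python
import json
import re

# The only KMS actions the article's policy grants; anything beyond these is over-privileged.
REQUIRED_KMS_ACTIONS = {"kms:DescribeKey", "kms:ReEncrypt*", "kms:CreateGrant", "kms:Decrypt"}
# Shape of a KMS key ARN: arn:aws:kms:<region>:<12-digit account>:key/<key id>
KMS_KEY_ARN_RE = re.compile(r"^arn:aws:kms:([a-z0-9-]+):\d{12}:key/[0-9a-f-]{36}$")


def build_user_data(ntpservers, token, onprem_address=None, self_signed=False):
    """Return the User data JSON string to paste into the EC2 instance settings.

    onprem_address and self_signed are constructed parameter names. When an
    OnPrem address is given, the three *_base_url keys are filled in with the
    ports the article lists; trust_certificates is added only for a
    self-signed certificate and left out for a valid one.
    """
    if len(ntpservers) > 4:
        raise ValueError("ntpservers is limited to a maximum of 4 entries")
    config = {"ntpservers": list(ntpservers), "token": token}
    if onprem_address:
        config["api_base_url"] = f"https://{onprem_address}:8004"
        config["nvt_base_url"] = f"https://{onprem_address}:8007"
        config["apt_base_url"] = f"http://{onprem_address}:8044"
        if self_signed:
            config["trust_certificates"] = "1"
    return json.dumps(config, indent=2)


def build_kms_policy(key_arn, region):
    """Return the IAM policy document for one region's Holm Security CMK,
    e.g. region "eu-west-1" with the eu-west-1 key ARN listed in the article."""
    match = KMS_KEY_ARN_RE.match(key_arn)
    if not match or match.group(1) != region:
        raise ValueError(f"{key_arn!r} is not a KMS key ARN in {region}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(REQUIRED_KMS_ACTIONS),
            "Resource": [key_arn],
        }],
    }


def policy_is_least_privilege(policy):
    """True only if every statement grants just the required actions on explicit key ARNs."""
    for stmt in policy.get("Statement", []):
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if stmt.get("Effect") != "Allow" or not set(actions) <= REQUIRED_KMS_ACTIONS:
            return False
        if not all(KMS_KEY_ARN_RE.match(r) for r in resources):
            return False
    return True
```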