AlienVault® USM Anywhere™

Deploying the AWS Sensor

After you review the requirements and make sure that your Amazon Web Services (AWS) environment is configured as needed, you can deploy the AWS Sensor. Using the AWS CloudFormation Template provided by AT&T Cybersecurity, you automatically deploy USM Anywhere as a service into your environment.

The following procedure describes how to launch the AWS Sensor when provisioning the USM Anywhere service for the first time. In this process, you launch the USM Anywhere product from the AWS Management Console using the AWS CloudFormation template.

Important: If you are deploying the sensor in a VPC, make sure that the target VPC subnet has the Enable auto-assign public IPv4 address option enabled prior to creating the AWS CloudFormation stack. For detailed information, refer to the AWS documentation.

To create a new sensor in the AWS Management Console

  1. Log in to the AWS Management Console.
  2. Under Find Services, enter a name, keyword, or acronym to launch the AWS CloudFormation service page.
  3. In the upper right corner, click Create stack.
  4. On the Specify template page, in the Amazon S3 URL field, copy and paste the URL for the AWS Sensor that fits your environment:

    • Amazon Virtual Private Cloud (VPC)

      https://s3.amazonaws.com/downloads.alienvault.cloud/usm-anywhere/sensor-images/usm-anywhere-sensor-aws-vpc.template

    • Classic mode of Amazon Elastic Compute Cloud (EC2)

      https://s3.amazonaws.com/downloads.alienvault.cloud/usm-anywhere/sensor-images/usm-anywhere-sensor-aws.template

  5. Click Next and then click Next again to continue.
  6. On the Specify stack details page, in the Stack name text box, enter a name to identify the stack.

    The name must be one word. Use hyphens if desired. For example, you could call the stack "USM-sensor-1".

  7. Set parameters for the AWS Sensor.

    Note: The volume size should be prefilled. You can leave this setting at the default value.

    • In the USM Anywhere Sensor Name text box, enter a name for the sensor. This is usually the same as the stack name.
    • In the Key Name list, select the key pair that allows SSH connections to the sensor.
    • In the Traffic Mirroring Mode list, select Yes to deploy a sensor ready for VPC traffic mirroring, or select No to deploy a sensor without those additional considerations.
    • See Enabling VPC Traffic Mirroring for more information on this feature.
    • In the HTTP Access Range text box, specify the IP address range that allows HTTP access to the sensor.
    • In the SSH Access Range text box, specify the IP address range that allows SSH access to the sensor.
  8. Click Next.
  9. (VPC templates only.) Select the appropriate VPC ID and Subnet ID, specify whether to use a public or private IP address, then click Next.

    If you choose to deploy your sensor with a public IP address, the subnet you select must have "Auto-assign public IPv4 address" enabled.
  10. (Optional.) On the Configure stack options page, set tags for the instance and click Next.

  1. On the Review page, select the checkbox at the bottom of the page next to the statement, "I acknowledge that AWS CloudFormation might create IAM resources."

    On the Review page, select the IAM resources acknowledgement

  2. Click Create stack.
  3. In the Stacks page, confirm that your newly created stack status reads like this:

    CREATE_IN_PROGRESS

    Stack creation typically takes about 15 minutes. When the stack build is complete, you see the following confirmation:

    CREATE_COMPLETE

  4. After your new stack is complete, click the Outputs tab and locate the URL.

    Click the URL link (displayed in blue) to access the sensor VM instance

    This URL is based on the public IPv4IPv4 is the most commonly used Internet Protocol, despite the fairly limited number of IP addresses it can support (2^32). An IPv4 address is written as a series of four numbers separated by periods, for example, 172.8.240.2. IPv6, the latest version of the Internet Protocol (IP), is notable in that it expanded the available address space to a length of 128 bits compared to 32 bits in IPv4. IPv6 addresses are represented as eight groups of four digits separated by colons address of your deployed sensor (http://<ip-address>). Make note of this address so that you have it for configuring your data sources to send data to the AWS Sensor.

    See the AWS documentation for more information about how to manage public IPv4 addresses.

  5. Click the URL link to launch the USM Anywhere Sensor Setup page.

Next...

See Setting the AWS Sensor Connection to USM Anywhere.