Using Deep Security with AWS Auto Scaling
Removing deleted instances
To automatically remove EC2 instances from Deep Security when they no longer exist because the Auto Scaling group size was decreased, configure an EC2 Cloud Account. This ensures that instances that no longer exist in AWS EC2 are removed from Deep Security. The "Protect your AWS instances" section of the DSaaS Quick Start Guide lists the steps to set up a Cloud Account.
Protecting new EC2 instances created through AWS Auto Scaling
In order to install the Deep Security Agent on new EC2 instances created through AWS Auto Scaling, the deployment script needs to be specified in the Auto Scaling launch configuration:
- Obtain a deployment script for the Deep Security Agent:
  - Log in to the DSM console
  - From the Support menu in the top right-hand corner, select Deployment Scripts
  - Check the Activate the Agent Automatically box
  - Select a suitable Security Policy, Computer Group and Relay Group
  - Copy the script to the clipboard
- When configuring your AWS launch configuration, specify the script as "user data" (for example, with the --user-data option of create-launch-configuration, using base64 encoding for the script, or in the UI)
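
A pre-flight check for the copied script before it goes into the launch configuration, as an added example that is not part of the original page or of Deep Security. The function names are hypothetical; it assumes a Linux AMI that runs user data through cloud-init (the script must start with `#!`), a Windows AMI whose launch agent only executes user data wrapped in `<powershell>` tags, and the EC2 limit of 16 KB on raw user data.

```shell
#!/bin/sh
# Added example (not from the original page): validate a deployment script
# saved to a file before using it as EC2 user data, then base64-encode it.

USER_DATA_MAX=16384   # EC2 limit on raw (pre-base64) user data, in bytes

# check_user_data FILE linux|windows
# Prints "ok" and returns 0 when the file is usable as user data;
# otherwise prints the reason and returns 1.
check_user_data() {
    ud_file=$1
    ud_platform=$2
    [ -s "$ud_file" ] || { echo "empty or missing file"; return 1; }
    ud_size=$(wc -c < "$ud_file" | tr -d ' ')
    if [ "$ud_size" -gt "$USER_DATA_MAX" ]; then
        echo "too large: $ud_size bytes (limit $USER_DATA_MAX)"
        return 1
    fi
    case "$ud_platform" in
        linux)
            # cloud-init treats user data as a script only if it starts with #!
            ud_first=$(head -n 1 "$ud_file" | tr -d '\r')
            case "$ud_first" in
                '#!'*) ;;
                *) echo "linux user data must start with a #! line"; return 1 ;;
            esac ;;
        windows)
            # Without the tags the instance never attempts to run the script
            if ! grep -q '<powershell>' "$ud_file" ||
               ! grep -q '</powershell>' "$ud_file"; then
                echo "windows user data needs <powershell>...</powershell> tags"
                return 1
            fi ;;
        *) echo "unknown platform: $ud_platform"; return 1 ;;
    esac
    echo "ok"
}

# encode_user_data FILE
# Prints the script as a single base64 line, the form the step above asks for.
encode_user_data() {
    base64 < "$1" | tr -d '\n'
}
```

Run check_user_data on the saved script first; a failure here means the agent would never be installed on instances the group launches, so those instances would come up unprotected.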


If you are running a Microsoft Windows-based AMI and encounter issues getting the PowerShell install / activation script to actually run, the issues may be caused by creating the AMI from a running instance.
AWS supports creating AMIs from running instances, but this option disables ALL of the Ec2Config tasks that would run at start time on any instance created from the AMI.
This behaviour stops the instance from even attempting to run the PowerShell script.
You must create AMIs from machines that are stopped for the installation / activation script to work when scripted from the User Data section.