AlienVault® USM Anywhere™

Requirements for AWS Sensor Deployment

USM Anywhere deploys the Amazon Web Services (AWS) Sensor in the Amazon Elastic Compute Cloud (EC2) platform through either Amazon Virtual Private Cloud (VPC) or the Amazon EC2-Classic flat network.

Requirement Description
m3.large / m5.large instance An m5.large instance in a VPC, or an m3.large in Amazon EC2-Classic network.

100GB EBS volume

The Amazon Elastic Block Store (EBS) provides short-term storage for your data as it is processed.

A 100GB Amazon EBS volume is designated as the default size for optimal performance.

Internet connection to the USM Anywhere secure cloud Review the Sensor Ports and Connectivity for more information

Important: If you download and deploy the m5.large instance, you must launch it into a VPC; this instance type is not supported on the Amazon EC2-Classic platform.

You cannot change the instance type of an existing t2.large or m3.large instance in Amazon EC2-Classic to an m5.large VPC instance. If you need to change instance type, you need to redeploy the sensor.

AWS Deployment Regions

The AWS Sensor is deployed on one of the following AWS endpoint regions based on your location. The following table lists the name and code of each Region. These are the available regions:

Code and Name of Supported AWS Regions
Name Code
US East (N. Virginia) us-east-1
US West (Oregon) us-west-2
Asia Pacific (Tokyo) ap-northeast-1
Asia Pacific (Mumbai) ap-south-1
Asia Pacific (Sydney) ap-southeast-2
Canada (Central) ca-central-1
Europe (Frankfurt) eu-central-1
Europe (Ireland) eu-west-1
Europe (London) eu-west-2
South America (São Paulo) sa-east-1

Application Service Dependencies

With the AWS CloudFormation Template provided by AT&T Cybersecurity, you can automatically deploy USM Anywhere as a service into your environment. Review the following sections for information about the outbound/inbound IP addresses, ports, and services used by USM Anywhere.

Sensor Ports and Connectivity

Before you deploy a USM Anywhere Sensor, you must configure your firewallVirtual or physical device designed to defend against unauthorized access to data, resources, or a private network. A firewall’s primary purpose is to create segregation between two or more network resources, blocking undesirable traffic between them. permissions to enable the required connectivity for the new sensor. Initial deployment of a sensor requires that you open egress and outbound ports and protocols in the firewall for communication with USM Anywhere and AT&T Cybersecurity Secure Cloud resources. The sensor receives no inbound connections from outside the firewall.

Note: To launch the USM Anywhere Sensor web user interface (UI) during the initial setup, you need to allow inbound traffic to the sensor IP address through TCP port 80. You can remove access to this port after the sensor successfully connects to USM Anywhere. You do not need to allow inbound traffic to this port from the Internet.

Type Ports Inbound/Outbound Endpoints Purpose
TCP 443 Outbound Communication with AT&T Cybersecurity for initial setup and future updates of the sensor
TCP 443 Outbound Ongoing communication with Open Threat Exchange® (OTX™)
TCP 443 Outbound your USM Anywhere subdomain
Ongoing communication with USM Anywhere
SSL / TCP 7100 Outbound your USM Anywhere subdomain
Ongoing communication with USM Anywhere
UDP 53 Outbound DNS Servers (Google Default) Ongoing communication with USM Anywhere
UDP 123 Outbound

Sync with network time protocol (NTP) services in the AT&T Cybersecurity Secure Cloud
TCP 22 and 443 Outbound

SSHProgram to securely log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another through Secure Copy (SCP). communications with the USM Anywhere remote support server.

See Troubleshooting and Remote Sensor Support for more information about remote technical support through the USM Anywhere Sensor console.

Important: A USM Anywhere Sensor deployed in AWS might require outbound access to specific AWS resources, based on the sensor app in use. For example, the AWS sensor app must have the ability to connect to the AWS API (port 443). However, the actual API endpoint might be different depending on the service (such as Amazon Simple Storage Service [S3] or Amazon CloudWatch).

USM Anywhere normally gives systems explicit access to the AWS API.

USM Anywhere cannot deploy the AWS sensor in an AWS GovCloud region.

Security Groups in Your AWS VPC

For sensor deployment in an AWS VPC, the AWS CloudFormation template automatically creates the security groups needed for network connectivity between the instances within the VPC. However, this does require that you manually assign the USMServicesSG security group to your hosts to enable access to the UDP port 514 so that the sensor can receive syslog packet transmissions.

See Enabling Connections in an AWS VPC for more detailed information about these security groups.

AWS Services

USM Anywhere uses the following AWS services:

  • Amazon CloudWatch
  • AWS CloudTrail
  • AWS Elastic Load Balancing (ELB)
  • Amazon S3
  • Amazon EC2
  • AWS Identity and Access Management (IAM)
  • Amazon GuardDuty
  • Amazon Relational Database Service (RDS)

See IAM Roles and Permissions Required by Your AWS Sensor for a full description of the IAM roles and permissions that your AWS Sensor requires for these AWS services.

Note: USM Anywhere uses us-east-1 as a default region in the amazon-aws app. As a result, you might want to verify whether your Sensors are communicating with us-east-1, even if you have never deployed to that region.

Installation Prerequisites

Before you install the AWS Sensor, make sure you have the following prerequisites available:

Installation Prerequisites
Prerequisites Description
AWS CloudFormation template provided by AT&T Cybersecurity

The AWS CloudFormation template automatically creates all required AWS resources for deployment, including an IAM role and instance profile for use by the USM Anywhere Sensor instance.

URLs for these templates are included in the Deploying the AWS Sensor instructions.

Privileged user account on AWS To deploy the AWS CloudFormation template, you must have a privileged user account in AWS with permissions to create IAM resources.

Multiple AWS Accounts or Amazon VPCs

If you have multiple AWS accounts, you must deploy the AWS Sensor in each AWS account that you want to monitor.

Amazon VPC enables you to launch AWS resources into a virtual network that you've defined. A single sensor can monitor an entire AWS account, even when it contains multiple Amazon VPCs.

Note: If you intend to use the USM Anywhere vulnerabilityA known issue or weakness in a system, procedure, internal control, software package, or hardware that could be used to compromise security. scanner with the AWS Sensor, you must allow traffic from the sensor and the target instance you are scanning. You can usually accomplish this by using Amazon VPC peering (see the AWS documentation for more information).