Deploy the AWS Sensor

Role Availability Read-Only Investigator Analyst Manager

After you review the requirements and make sure that your Amazon Web Services (AWS) environment is configured as needed, you can deploy the AWS Sensor. Using the AWS CloudFormation Template provided by AT&T Cybersecurity, you automatically deploy USM Anywhere as a service into your environment.

The following procedure describes how to launch the AWS Sensor when provisioning the USM Anywhere service for the first time. In this process, you launch the USM Anywhere product from the AWS Management Console using the AWS CloudFormation template.

Important: If you are using these instructions to redeploy an existing AWS Sensor, your IP address will not be the same as for your previous sensor. After these steps are complete, you must also update any syslog or NXLog log collection, and any port mirroring to use the new IP address.

To create a new sensor in the AWS Management Console

  1. Log in to the AWS Management Console.
  2. Under Find Services, enter a name, keyword, or acronym to launch the AWS CloudFormation service page.
  3. In the upper right corner, click Create stack, and then select With new resources (standard).

    Standard Option in the Create Stack selection

  4. Go to the USM Anywhere Sensor Downloads page, click the icon of your specific sensor, and copy the URL.

  5. Use the copied URL in the Amazon Simple Storage Service (S3) URL field.
  6. Click Next, and then click Next again to continue.

  7. On the Specify stack details page, in the Stack name text box, enter a name to identify the stack.

    The name must be one word. Use hyphens if desired. For example, you could call the stack "USM-sensor-1".

  8. Set parameters for the AWS Sensor:

    Note: The volume size should be prefilled. You can leave this setting at the default value.

    • In the USM Anywhere Sensor Name text box, enter a name for the sensor.
      This is usually the same as the stack name.
    • In the Key Name list, select the key pair that allows SSH connections to the sensor.
      See AWS documentation, Create or import a key pair, for more information.
    • In the Traffic Mirroring Mode list, select Yes to deploy a sensor ready for VPC traffic mirroring, or select No to deploy a sensor without those additional considerations.

      • Note: See Enabling VPC Traffic Mirroring for more information on this feature.

    • In the HTTP Access Range text box, specify the IP address range that allows HTTP access to the sensor.
    • In the SSH Access Range text box, specify the IP address range that allows SSH access to the sensor.
  9. Click Next.

  10. Select the appropriate VPC ID and subnet ID, specify whether to use a public or private IP address, and then click Next.

    Important: If you choose to deploy your sensor with a public IP address, the subnet you select must have Auto-assign public IPv4 address enabled.

  11. (Optional.) On the Configure stack options page, set tags for the instance, and then click Next.

  1. On the Review page, select the checkbox at the bottom of the page next to the statement "I acknowledge that AWS CloudFormation might create IAM resources."

    On the Review page, select the IAM resources acknowledgement

  2. Click Create stack.

  3. In the Stacks page, confirm that your newly-created stack status reads like this:

    CREATE_IN_PROGRESS

    Stack creation typically takes about 15 minutes. When the stack build is complete, you see the following confirmation:

    CREATE_COMPLETE

    Note: See the Troubleshooting CloudFormation page for more information about the possible errors with your AWS CloudFormation stack.

  4. After your new stack is complete, click the Outputs tab and locate the URL.

    Click the URL link (displayed in blue) to access the sensor VM instance

    This URL is based on the public IPv4 IPv4 is the most commonly used Internet Protocol, despite the fairly limited number of IP addresses it can support (2^32). An IPv4 address is written as a series of four numbers separated by periods, for example, 172.8.240.2. IPv6, the latest version of the Internet Protocol (IP), is notable in that it expanded the available address space to a length of 128 bits compared to 32 bits in IPv4. IPv6 addresses are represented as eight groups of four digits separated by colons address of your deployed sensor (http://<ip-address>). Make note of this address so that you have it for configuring your data sources to send data to the AWS Sensor.

    See the AWS documentation for more information about managing public IPv4 addresses.

  5. Click the URL link to launch the USM Anywhere Sensor Setup page.

Next...

See Connect the AWS Sensor to USM Anywhere.