Trend Micro Deep Security on AWS
Quick Start Reference Deployment Guide

Step 3. Deploy the Quick Start

In this step, you will launch an AWS CloudFormation template that deploys Trend Micro Deep Security into your existing VPC.

  1. Sign in to your AWS account.

  2. Use one of the following links to launch the AWS CloudFormation template. Choose the Per Protected Instance Hour template or the Bring Your Own License (BYOL) template, depending on the subscription you selected in step 2.

    The template is launched in the US East (N. Virginia) region by default. You can change the region by using the region selector in the navigation bar.

    If you have an AWS GovCloud (US) account, you can also launch the BYOL stack in the AWS GovCloud (US) Region.

    Each stack takes approximately 45 minutes to create.

    Note

    You are responsible for the cost of the AWS services used while running this Quick Start reference deployment, and licensing fees for Trend Micro Deep Security. There is no additional cost for using this Quick Start. See the pricing pages for each AWS service you will be using in this Quick Start for full details.

    You can also download the template to use it as a starting point for your own implementation:

  3. On the Select Template page, keep the default URL for the AWS CloudFormation template, and then choose Next.

  4. On the Specify Details page, provide the details about your Amazon VPC and how you want Deep Security to be deployed in it.

    Both templates provide the following parameters:

    Deep Security Manager Configuration:

    | Parameter label | Parameter name | Default | Description |
    | --- | --- | --- | --- |
    | Administrator username for Deep Security | DeepSecurityAdminName | MasterAdmin | The user name for the Deep Security administrator, for web console access. |
    | Administrator password for Deep Security | DeepSecurityAdminPass | Requires input | The password for the Deep Security administrator. This must be 8-41 characters long and can only contain alphanumeric characters or these special characters: !^*-_+ |
    | EC2 Key Pair for SSH access | AWSKeyPairName | Requires input | The key pair that will be used to launch the EC2 instances that contain the Deep Security Manager. This key pair can be used to create an SSH connection to your Deep Security Manager. |

    Network Configuration:

    | Parameter label | Parameter name | Default | Description |
    | --- | --- | --- | --- |
    | VPC for Deep Security Components | AWSVPC | Requires input | The VPC where the Quick Start resources will be deployed. This VPC must contain two private subnets and one public subnet with a connected Internet gateway. |
    | Public Subnet for Deep Security Managers | DeepSecuritySubnet | Requires input | The subnet to deploy the Deep Security Manager and load balancers in. This subnet must be in the VPC specified by the VPC for Deep Security Components parameter and must be a public subnet with an attached Internet gateway. |
    | Primary private subnet for RDS | DatabaseSubnet1 | Requires input | The private subnet where the Amazon RDS database will be deployed. This subnet must be in the VPC specified by the VPC for Deep Security Components parameter. |
    | Secondary private subnet for RDS | DatabaseSubnet2 | Requires input | The private subnet where the Amazon RDS database mirror will be deployed. This subnet must be in the VPC specified by the VPC for Deep Security Components parameter. It must also be in a separate Availability Zone from the Primary private subnet for RDS. |

    AWS Quick Start Configuration:

    | Parameter label | Parameter name | Default | Description |
    | --- | --- | --- | --- |
    | Quick Start S3 Bucket Name | QSS3BucketName | quickstart-reference | S3 bucket where the Quick Start templates and scripts are installed. Use this parameter to specify the S3 bucket name you’ve created for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens, but should not start or end with a hyphen. |
    | Quick Start S3 Key Prefix | QSS3KeyPrefix | trendmicro/deepsecurity/latest/ | The S3 key name prefix used to simulate a folder for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. This prefix can include numbers, lowercase letters, uppercase letters, hyphens, and forward slashes. |

    The Per Protected Instance Hour template requires the following additional information:

    Deep Security Manager Configuration:

    | Parameter label | Parameter name | Default | Description |
    | --- | --- | --- | --- |
    | Number of instances you expect to protect with Deep Security Agents | ProtectedInstances | Requires input | The number of instances you want to protect with Deep Security. You can choose one of these ranges: 1-100, 101-500, 501-1000, 1001-2000. |

    The BYOL template requires the following additional information.

    Deep Security Manager Configuration:

    | Parameter label | Parameter name | Default | Description |
    | --- | --- | --- | --- |
    | Deep Security License Key. May be left default to enter key after deployment | LicenseKey | Optional | Enter a license key, if you have one. If you do not have a license key, please leave this parameter blank and enter your key in the console after launch. |

    RDS Configuration:

    | Parameter label | Parameter name | Default | Description |
    | --- | --- | --- | --- |
    | Choose the backend database | DatabaseEngine | PostgreSQL | The database you want to use for Deep Security. You can choose PostgreSQL, Oracle, or Microsoft SQL Server. |
    | Administrator username for RDS Instance | DatabaseAdminName | dsadmin | The user name for the Amazon RDS administrator account. |
    | Administrator password for RDS Instance | DatabaseAdminPassword | Requires input | The password for the Amazon RDS administrator account. This must be 8-41 characters long and can only contain alphanumeric characters or these special characters: !^*-_+ |

    When you finish reviewing and customizing the parameters, choose Next.

  5. On the Options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you're done, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select the check box to acknowledge that the template will create IAM resources. Deep Security requires this access to be able to see your AWS instances and protect them.

    
    Figure 3: Acknowledging the creation of IAM resources

  7. Choose Create to deploy the stack.

  8. Monitor the status of the stack. When the status displays CREATE_COMPLETE, the Trend Micro Deep Security deployment is ready.
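
A pre-flight check of the step 4 parameter values against the constraints stated in the parameter tables, as an added example that is not part of the Quick Start or Trend Micro's code. The `validate` function, the sample IDs and the sample passwords are constructed for illustration; subnet details are assumed to have been looked up beforehand, and public versus private routing is not checked.

```python
import re

# Constraints taken from the parameter tables in step 4.
PASSWORD_RE = re.compile(r"[A-Za-z0-9!^*\-_+]{8,41}")
BUCKET_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?")
PREFIX_RE = re.compile(r"[A-Za-z0-9/-]+")
PROTECTED_RANGES = {"1-100", "101-500", "501-1000", "1001-2000"}
DB_ENGINES = {"PostgreSQL", "Oracle", "Microsoft SQL Server"}
SUBNET_PARAMS = ("DeepSecuritySubnet", "DatabaseSubnet1", "DatabaseSubnet2")


def validate(params, subnets):
    # params: parameter name -> value, as typed on the Specify Details page.
    # subnets: subnet ID -> {"VpcId", "AvailabilityZone"}, assumed to have been
    # looked up beforehand. Returns a list of problems; empty means all fit.
    problems = []
    for name in ("DeepSecurityAdminPass", "DatabaseAdminPassword"):
        if not PASSWORD_RE.fullmatch(params.get(name, "")):
            problems.append(f"{name}: need 8-41 chars from A-Z a-z 0-9 !^*-_+")
    if not BUCKET_RE.fullmatch(params.get("QSS3BucketName", "quickstart-reference")):
        problems.append("QSS3BucketName: bad character or leading/trailing hyphen")
    if not PREFIX_RE.fullmatch(params.get("QSS3KeyPrefix", "trendmicro/deepsecurity/latest/")):
        problems.append("QSS3KeyPrefix: bad character")
    if params.get("ProtectedInstances", "1-100") not in PROTECTED_RANGES:  # absent for BYOL
        problems.append("ProtectedInstances: not one of the offered ranges")
    if params.get("DatabaseEngine", "PostgreSQL") not in DB_ENGINES:
        problems.append("DatabaseEngine: not one of the offered engines")
    for name in SUBNET_PARAMS:
        info = subnets.get(params.get(name))
        if info is None or info["VpcId"] != params.get("AWSVPC"):
            problems.append(f"{name}: subnet is not in the VPC given by AWSVPC")
    zones = [subnets.get(params.get(n), {}).get("AvailabilityZone") for n in SUBNET_PARAMS[1:]]
    if None not in zones and zones[0] == zones[1]:
        problems.append("DatabaseSubnet2: must be in a different Availability Zone")
    return problems


# Constructed sample values, not real resources or credentials.
SAMPLE_SUBNETS = {
    "subnet-pub": {"VpcId": "vpc-example", "AvailabilityZone": "us-east-1a"},
    "subnet-db1": {"VpcId": "vpc-example", "AvailabilityZone": "us-east-1a"},
    "subnet-db2": {"VpcId": "vpc-example", "AvailabilityZone": "us-east-1b"},
}
SAMPLE_PARAMS = {
    "DeepSecurityAdminPass": "Example_Pass+2024", "DatabaseAdminPassword": "Example-Db^Pass1",
    "AWSVPC": "vpc-example", "DeepSecuritySubnet": "subnet-pub",
    "DatabaseSubnet1": "subnet-db1", "DatabaseSubnet2": "subnet-db2",
}
```

Calling `validate(SAMPLE_PARAMS, SAMPLE_SUBNETS)` returns an empty list; any returned string names the parameter to correct before choosing Next.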