Cloud Storage Security Help Docs
Release Notes
  • Introduction
  • Getting Started
    • How to Subscribe
      • Pay-As-You-Go (PAYG)
      • Bring Your Own License/GovCloud (BYOL)
      • AWS Transfer Family
    • How to Deploy
      • Steps to Deploy
      • Advanced Deployment Considerations
      • AWS Transfer Family
    • How to Configure
  • Console Overview
    • Dashboard
    • Malware Scanning
      • AWS
        • Buckets
        • Amazon EBS Volumes
        • Amazon EFS Volumes
        • Amazon FSx Volumes
        • WorkDocs Connections
      • Azure
        • Blob Containers
      • GCP
        • GCP Buckets
    • See What's Infected
      • Findings
      • Malware History
      • Results
    • Schedules
    • Monitoring
      • Error Logs
      • Bucket Settings
      • Deployment
      • Jobs
      • Notifications
      • Storage Assessment
      • Usage
    • Configuration
      • Classification Rule Sets
      • Classification Custom Rules
      • Scan Settings
      • Console Settings
      • AWS Integrations
      • Job Networking
      • API Agent Settings
      • Proactive Notifications
      • License Management
      • Event Agent Settings
    • Access Management
      • Manage Users
      • Manage Accounts
        • Linking an AWS Account
        • Linking an Azure Account
        • Linking a GCP Account
      • Manage Groups
    • Support
      • Getting Started
      • Stay Connected
      • Contact Us
      • Documentation
  • Product Updates
  • How It Works
    • Scanning Overview
      • Event Driven Scanning for New Files
      • Retro Scanning for Pre-Existing Files
      • API Driven Scanning
    • Architecture Overview
    • Deployment Details
    • Sizing Discussion
    • Integrations
      • AWS Security Hub
      • AWS CloudTrail Lake
      • AWS Transfer Family
      • Amazon GuardDuty
      • Amazon Bedrock
    • Demo Videos
    • Scanning APIs
    • SSO Integrations
      • Entra ID SSO Integration
      • Okta SSO Integration
  • Frequently Asked Questions
    • Getting Started
    • Product Functionality
    • Architecture Related
    • Supported File Types
  • Troubleshooting
    • CloudFormation Stack failures
    • Cross-Region Scanning on with private network
    • API Scanning: Could not connect to SSL/TLS (v7)
    • Password not received after deployment
    • Conflicted buckets
    • Modifying scaling info post-deployment
    • Objects show unscannable with access denied
    • Remote account objects not scanning
    • My scanning agents keep starting up and immediately shutting down
    • I cannot access the management console
    • Linked Account Out of Date
    • Rebooting the Management Console
    • Error when upgrading to the latest major version
    • I Cannot Create/Delete an API Agent
  • Release Notes
    • Latest (v8)
    • v7
    • v6 and older
  • Contact Us & Support
  • Data Processing Agreement
  • Privacy Policy
Powered by GitBook
On this page
  • Consider your deployment options
  • Standard Deployment
  • Step 1 - Quick Create Stack and Specify the Parameters
  • Step 2 - Review Stack and Acknowledge
  • Step 3 - Track the events and troubleshoot if needed
  • Step 4 - Console Access
  • Private Deployment
  • Accessing a private deployment
  • Advanced Deployment Considerations
  • After you have finished deploying
  1. Getting Started
  2. How to Deploy

Steps to Deploy

Deployment of our solution happens using a CloudFormation Template.

PreviousHow to DeployNextAdvanced Deployment Considerations

Last updated 1 year ago

If you're planning to deploy both AV and DC at the same, then subscribe to both products and deploy AV first. When you enter the AV management console you can navigate to Configuration -> License Management, where you will see an option to activate DC.

If you are using Terraform, you can find the Steps to deploy .

Consider your deployment options

Which parameters you configure in the CloudFormation Template depends on what your requirements for your deployment are. Options include:

  • The Standard Deployment which requires filling out only 5 fields in the CloudFormation Template

  • A completely Private Deployment where all of our components run in private VPCs and private Subnets with no public IPs assigned at all

  • An in-between option where you have public access (public Load Balancer) while still running all solution components in a private VPC and Subnets

You can mix and match as well as incorporate VPC Endpoints to keep as much traffic as possible going over the AWS backbone.

For an in-depth overview of deployment options and details .

Standard Deployment

The Standard Deployment is the simplest deployment. After providing only 5 inputs to the CloudFormation Template you will have a deployed and running solution in ~5 minutes. This deployment expects the Console and the Agent(s) to be placed in VPCs and Subnets that have an Internet Gateway (IGW) allowing for outbound traffic.

This a typical setup for VPCs and Subnets.The outbound routing allows ECS to pull down images from ECR, allows the Console and Agent(s) to communicate with required AWS Services and provides access to the management UI. Although public IPs are assigned, control is still done through Security Groups and access can be limited through IP ranges.

With this deployment, we register your application subdomain with a Route53 Hosted Zone we host and manage in one of the Cloud Storage Security AWS accounts. This allows you to have consistent access to your application. If you'd prefer to manage the domain and SSL certificate required for a persistent URL yourself, you can leverage the Application Load Balancer options discussed below and on the page.

Step 1 - Quick Create Stack and Specify the Parameters

You must provide values for the following fields in the CloudFormation template:

  1. Virtual Private Cloud (VPC) ID

  2. Subnet A ID

  3. Subnet B ID

  4. Console Security Group CIDR Block

  5. Email

You can leave all the default settings in the rest of the fields.

Virtual Private Cloud (VPC) ID

You must select a VPC from the drop down list for the Management Console to run in.

Subnet A ID

You must select a Subnet A ID from the drop down list contained in the selected VPC. Since we are doing a Standard Deployment, the subnet you select should be public, meaning it should have an IGW attached to it that allows outbound traffic.

Subnet B ID

You must select a different Subnet B ID from the drop down list contained in the selected VPC.

The subnets you choose for A and B must either be able to offer a public IP or be on a network you can access. Without that, the console will run, but not be reachable. This could simply be a public subnet reachable through an Internet Gateway.

If you want to deploy privately continue reading further below.

Please note, If you select the same subnets for A and B, stack creation will fail. If you happen to pick the same value for each field, you will get a message as follows, please correct this before moving on.

Ensure both subnets you select belong to the VPC you have selected. You must select subnets in different Availability Zones.

Console Security Group CIDR Block

We will create a Security Group (SG) for the Management Console that we deploy. This SG will have rules that contain IP ranges which can access the Console. You must select a Console Security Group CIDR Block. Specify your network access or set to "0.0.0.0/0" to access the Management Console from anywhere.

If you need to add multiple IP ranges you can set your first one through the CloudFormation Template and once the solution is deployed you can go to the SG to add additional rules.

0.0.0.0/0 is wide open to the world. The application is still protected by SSL, a username and a password, but you may still choose to control this access. This could be your corporate network range or the /32 IP address your specific system is currently assigned. Google "what's my ip" and the first thing returned is what your current IP address is. Note: If your IP address changes, you may have to manually change the AWS Security Group value to represent the new IP

Email

You must set a valid Email address which we will use to send the initial account username and password that you will use to access your Management Console.

Step 2 - Review Stack and Acknowledge

Ensure you have set all of the parameters in your CFT correctly. Check I acknowledge that AWS CloudFormation might create IAM resources with custom names. under Capabilities. Click Create Stack at the bottom of the screen.

Step 3 - Track the events and troubleshoot if needed

The stack you just created will have a status of CREATE_IN_PROGRESS as it runs. Wait for this to change to CREATE_COMPLETE and monitor the events it generates.

When finished the status for the stack will show CREATE_COMPLETE:

Step 4 - Console Access

Once the stack creation completes, click the Output tab. The top row in the table will have the URL for your Management Console. It will be in the format of https://<accountID-appID>.cloudstoragesecapp.com.

You will also receive an email to the address you entered while configuring your CloudFormation Template details. This email will include the URL to your console + a username and password which you will use to login to your account.

If you chose to use a load balancer, the first field will be called LBWebAddress instead of ConsoleWebAddress

Private Deployment

In order to deploy privately you'll have to set the 5 parameters discussed above in the Standard Deployment section. However, this time you'll need to choose two private subnets (again in separate availability zones).

Private Deployments are defined by locking down the solution components (Console and Agents) such that they do not have public IPs (meaning leveraging private subnets that are behind a NAT Gateway). You can still provide public access if desired while locking everything else down. Whether it is best practices, compliance or internal rules you can deploy and leverage the solution as needed.

First off, AWS Fargate tasks do not get assigned persistent IP addresses. As a result, the IP address can change underneath you requiring you to look it up. You may also decide you'd like to manage or apply your own domain and SSL certificate for accessing the application. A load balancer allows you to accomplish all of these things: a persistent access point, apply your own domain and leverage your own certificates.

Accessing a private deployment

If you only choose to use private subnets and do not use a Load Balancer in front of your Management Console, you will need to use the private IP that is generated by the ECS task that is stood up to host the console.

Advanced Deployment Considerations

The 5 fields discussed above are the minimum fields that have to be set to get the product successfully deployed. For many deployments, the default settings will work well. With that said, the other options in the CloudFormation Template could be beneficial for you to configure and therefore could warrant your attention.

  1. By default, the stack will deploy without the use of a Load Balancer. There are times when this will not work for your use case. Two such scenarios are: you want to use your own DNS and SSL certificate or you want to deploy in a private subnet behind a NAT. These are both great reasons to leverage a load balancer.

    If you would like to include a load balancer at the time of deployment you can do so in your CloudFormation Template. You can also add a load balancer to an existing deployment without one. And you can remove the load balancer after the fact as well. Simply run a Stack Update and add or remove the load balancer. This must be done manually through the CloudFormation Console.

  2. Resources can only be renamed to match your particular naming scheme at the time of deployment. Changing these values later will result in errors. The default values are fine to leave but if you feel the need to rename values such as your quarantine bucket you should do so now before you've deployed.

After you have finished deploying

Alternatively, it could be a private subnet that is an extension of your corporate network you access either from your corporate network or through a VPN connection. Or these subnets may be private subnets fronted by a public Load Balancer. Learn more about this option in the .

If you do not properly set the above 5 parameters, the stack creation will fail and/or you will be unable to access your deployment. If you run into any trouble whatsoever, please and also make sure to review the section of our help docs.

If the stack creation fails, click here to open the section.

It may take a few minutes for DNS to propagate the URL of your management console. If you are unable to load the URL provided in the email/CloudFormation Outputs then wait a few minutes. If it continues to be an issue, check the to see if it is another issue or .

If you reviewed the page you'll see the deployment options leveraging Application Load Balancers. These can be internet-facing or internal and can even be leveraged with the Standard Deployment. You do not have to leverage an ALB in a private deployment, but there are a number of reasons you might want to.

If you would like to have a persistent URL to access your privately deployed management console then you will need to stand up a load balancer in front of it. You can read more on this topic on the and page.

To view details for configuring additional settings within your CloudFormation Template you can review our section. Feel free to SKIP this section if you just want to start with the defaults. However, please consider two exceptions:

You can learn more about both of the above considerations by reviewing our section.

You have completed creating the stack for Antivirus and/or Data Classification for Amazon S3. Next, go to the section to start setting up the anti-malware detection.

here
click here
Advanced Deployment Considerations
Advanced Deployment Considerations
Contact Us
Troubleshooting
Troubleshooting
console access troubleshooting
Contact Us
Deployment Details
Deployment Details
Advanced Deployment Considerations
How to Configure
Advanced Deployment Considerations
Advanced Deployment Considerations
Set your network configuration
Set an initial email address
Acknowledge before creating the stack