How to deploy Cortex XDR Broker VM in AWS using AWS CLI

Created On 03/25/22 16:08 PM - Last Modified 04/23/24 18:34 PM


Objective


We will use the AWS CLI on Ubuntu Linux. With it we connect to AWS, upload the Broker VM VMDK file to an S3 bucket and convert that VMDK into an AWS AMI. We then launch an EC2 instance from the newly created Broker VM AMI.

 


Environment


AWS EC2 Instance
Ubuntu Linux


Procedure


Create an IAM user with the proper permissions.

We are going to log in as an AWS Identity and Access Management (IAM) user; that user needs the following permissions in its IAM policy to use VM Import/Export:

  1. Go to IAM >> Access Management >> Users >>  Add Users
  2. Enable the option: Access key - programmatic access.  Then click Next: Permissions
  3. Select Attach Existing Policies directly.  Then click on Create policy
  4. In the JSON tab, copy and paste the following configurations into it.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetBucketLocation",
            "s3:GetObject",
            "s3:PutObject"
          ],
          "Resource": ["arn:aws:s3:::mys3bucket","arn:aws:s3:::mys3bucket/*"]
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:CancelConversionTask",
            "ec2:CancelExportTask",
            "ec2:CreateImage",
            "ec2:CreateInstanceExportTask",
            "ec2:CreateTags",
            "ec2:DescribeConversionTasks",
            "ec2:DescribeExportTasks",
            "ec2:DescribeExportImageTasks",
            "ec2:DescribeImages",
            "ec2:DescribeInstanceStatus",
            "ec2:DescribeInstances",
            "ec2:DescribeSnapshots",
            "ec2:DescribeTags",
            "ec2:ExportImage",
            "ec2:ImportInstance",
            "ec2:ImportVolume",
            "ec2:StartInstances",
            "ec2:StopInstances",
            "ec2:TerminateInstances",
            "ec2:ImportImage",
            "ec2:ImportSnapshot",
            "ec2:DescribeImportImageTasks",
            "ec2:DescribeImportSnapshotTasks",
            "ec2:CancelImportTask"
          ],
          "Resource": "*"
        }
      ]
    }
    Note: Replace mys3bucket with the name of the S3 bucket that will hold the VMDK. Changing it to * would grant the user read/write access to every bucket in the account; keep the S3 statement pinned to the one bucket so a leaked access key cannot reach other data.
    
  5. Click Next until you get to specify Policy Name.  Then click Create Policy.
  6. Back in the IAM user configuration, choose the Policy you just created.
  7. Complete the User Creation.
  8. Take note of the following user information once the user has been created; you will need it later. The secret access key is shown only once, so store it in a secrets manager rather than in a plain file.
    • User name
    • Access key ID
    • Secret access key
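The same user, policy and access key can be created with the AWS CLI instead of the console. The following script is an added example and is not part of the KB article: it emits the policy from the steps above with the S3 statement always pinned to one named bucket, refuses a wildcard bucket name, and then creates the user, the customer-managed policy and the access key. The user name broker-vm-import and the policy name BrokerVmImport are assumptions; set AWS_CLI=echo to print the commands instead of calling AWS.

```shell
#!/bin/sh
# Added example, not part of the KB article: create the VM Import IAM user,
# its policy and its access key from the AWS CLI instead of the console.
# User name "broker-vm-import" and policy name "BrokerVmImport" are assumed.
# Set AWS_CLI=echo to dry-run (prints the commands instead of calling AWS).
set -eu
AWS_CLI=${AWS_CLI:-aws}

# Reject bucket names that would widen the S3 statement to every bucket.
check_bucket_name() {
    case "$1" in
        ''|*'*'*) return 1 ;;
    esac
}

# Same policy as in the article, but the S3 statement is always pinned to
# one named bucket: a leaked access key then cannot read or overwrite
# objects in other buckets in the account.
import_user_policy() {  # <bucket>
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:PutObject"],
      "Resource": ["arn:aws:s3:::$1", "arn:aws:s3:::$1/*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CancelConversionTask", "ec2:CancelExportTask", "ec2:CreateImage",
        "ec2:CreateInstanceExportTask", "ec2:CreateTags",
        "ec2:DescribeConversionTasks", "ec2:DescribeExportTasks",
        "ec2:DescribeExportImageTasks", "ec2:DescribeImages",
        "ec2:DescribeInstanceStatus", "ec2:DescribeInstances",
        "ec2:DescribeSnapshots", "ec2:DescribeTags", "ec2:ExportImage",
        "ec2:ImportInstance", "ec2:ImportVolume", "ec2:StartInstances",
        "ec2:StopInstances", "ec2:TerminateInstances", "ec2:ImportImage",
        "ec2:ImportSnapshot", "ec2:DescribeImportImageTasks",
        "ec2:DescribeImportSnapshotTasks", "ec2:CancelImportTask"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# Create the user and the customer-managed policy, attach it, issue one key.
# Usage: create_import_user <user-name> <bucket> [policy-name]
create_import_user() {
    cu_user=$1; cu_bucket=$2; cu_policy=${3:-BrokerVmImport}
    check_bucket_name "$cu_bucket" || {
        echo "refusing empty or wildcard bucket name: '$cu_bucket'" >&2; return 1; }
    cu_doc=$(mktemp)
    import_user_policy "$cu_bucket" > "$cu_doc"
    $AWS_CLI iam create-user --user-name "$cu_user"
    cu_arn=$($AWS_CLI iam create-policy --policy-name "$cu_policy" \
        --policy-document "file://$cu_doc" --query Policy.Arn --output text)
    $AWS_CLI iam attach-user-policy --user-name "$cu_user" --policy-arn "$cu_arn"
    # The secret is returned exactly once; feed it straight into `aws configure`
    # or a secrets store instead of leaving it in shell history or a file.
    $AWS_CLI iam create-access-key --user-name "$cu_user" \
        --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
    rm -f "$cu_doc"
}
```

Run it from a shell that already has administrative AWS credentials, e.g. `create_import_user broker-vm-import mys3bucket`; the last line printed is the access key ID and secret for the new user.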


 

Setup AWS CLI in Ubuntu

Install AWS CLI and configure it with the IAM user we just created previously.
 

  1. Log in to the server with an account that has sudo rights and install awscli
    sudo bash
    apt install awscli
    
  2. Run this command to configure the awscli
    aws configure

    Specify the proper configurations
      - AWS Access Key ID:
      - AWS Secret Access Key:
      - Default region name: (the Region that will hold the S3 bucket and the AMI)
      - Default output format: (json is fine)
  3. We are now ready to execute commands in aws cli.


 

Create an AMI Image using Broker VM VMDK file

We first download the Broker VM image from the Cortex XDR Web Console, then upload it to your S3 bucket, and finally convert the VMDK in the S3 bucket into an AMI.

  1. Go to the Cortex XDR Web Console >> Settings >> Configurations >> Data Broker >> Broker VMs >> Download >> VMDK
  2. Download the VMDK file (e.g. broker-vm-15.0.62.vmdk) to your Ubuntu computer.
  3. In the AWS Console, navigate to Services >> Storage >> S3.   Click Create Bucket.   Provide a unique name, create the bucket in the same Region you configured for the AWS CLI (the import task reads from a bucket in its own Region), and keep the default configuration, which blocks public access.
  4. Run this command to copy the vmdk file into the S3 bucket.
    aws s3 cp ~/<path/to>/broker-vm-<version>.vmdk s3://<your_bucket>/broker-vm-<version>.vmdk
    
  5. Prepare the following configurations files
    • configuration.json
       

      1. Run this command in ubuntu:

        vi configuration.json
        
      2. Enter the following information into the json file.    In S3Bucket, use the bucket name only, not its ARN.   S3Key is the object key of the VMDK, i.e. the file name.   Replace the names inside <> accordingly.

        [
            {
                "Description":"Cortex XDR VM Broker 15.0.62",
                "Format":"vmdk",
                "UserBucket":{
                    "S3Bucket":"<your_bucket>",
                    "S3Key":"<broker-vm-version.vmdk>"
                }
            }
        ]
        
         
    • trust-policy.json
       
      1. Run this command in ubuntu:
        vi trust-policy.json
      2. Copy and paste the following information into the json file. 

        {
           "Version": "2012-10-17",
           "Statement": [
              {
                 "Effect": "Allow",
                 "Principal": { "Service": "vmie.amazonaws.com" },
                 "Action": "sts:AssumeRole",
                 "Condition": {
                    "StringEquals":{
                       "sts:Externalid": "vmimport"
                    }
                 }
              }
           ]
        }
        

         

    • role-policy.json
       
      1. Run this command in ubuntu: 
        vi role-policy.json
      2. Copy and paste the following information into the json file.   Replace <disk-image-file-bucket> and <export-bucket> with the correct bucket names; for this procedure both can be the single bucket that holds the VMDK.   Specifying * instead would let the service role read every bucket in the account, so keep it scoped to the buckets it needs.

        {
           "Version":"2012-10-17",
           "Statement":[
              {
                 "Effect": "Allow",
                 "Action": [
                    "s3:GetBucketLocation",
                    "s3:GetObject",
                    "s3:ListBucket"
                 ],
                 "Resource": [
                    "arn:aws:s3:::<disk-image-file-bucket>",
                    "arn:aws:s3:::<disk-image-file-bucket>/*"
                 ]
              },
              {
                 "Effect": "Allow",
                 "Action": [
                    "s3:GetBucketLocation",
                    "s3:GetObject",
                    "s3:ListBucket",
                    "s3:PutObject",
                    "s3:GetBucketAcl"
                 ],
                 "Resource": [
                    "arn:aws:s3:::<export-bucket>",
                    "arn:aws:s3:::<export-bucket>/*"
                 ]
              },
              {
                 "Effect": "Allow",
                 "Action": [
                    "ec2:ModifySnapshotAttribute",
                    "ec2:CopySnapshot",
                    "ec2:RegisterImage",
                    "ec2:Describe*"
                 ],
                 "Resource": "*"
              }
           ]
        }
        

         

  6. Use the create-role command to create a role named vmimport whose trust policy lets the VM Import/Export service (vmie.amazonaws.com) assume it.
    aws iam create-role --role-name vmimport --assume-role-policy-document "file://trust-policy.json"
    
  7. Use the put-role-policy command to attach the permissions policy to the vmimport role created above.
    aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file://role-policy.json"
    
  8. Create an AMI from the VMDK file.
    aws ec2 import-image --description "Cortex XDR VM Broker 15.0.62" --disk-containers "file://configuration.json"
    
  9. To track the progress, use the ImportTaskId value from the output and run:
    aws ec2 describe-import-image-tasks --import-task-ids import-ami-<task-id>
    
  10. Once Status reports completed, the AMI (ImageId in the task output) is ready for use.  A Status of deleted means the import failed or was cancelled; StatusMessage carries the reason.
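Steps 4 to 10 above can be run end to end from one script. The following is an added example and is not the article's own code: it writes the three JSON documents (with both S3 statements of the role policy pinned to the one bucket that holds the VMDK), creates the vmimport role only if it does not exist yet, uploads the VMDK, starts the import and polls describe-import-image-tasks until the task reports completed or deleted. The bucket name, file path and the attempt/interval defaults are assumptions; set AWS_CLI=echo to print the commands instead of calling AWS.

```shell
#!/bin/sh
# Added example, not part of the KB article: steps 4-10 above as one script.
# It writes the three JSON documents, creates the vmimport role, uploads the
# VMDK, starts the import and polls it to completion. Both S3 statements of
# the role policy are pinned to the one bucket that holds the VMDK.
# Set AWS_CLI=echo to dry-run (prints the commands instead of calling AWS).
set -eu
AWS_CLI=${AWS_CLI:-aws}

vmimport_trust_policy() {
    cat <<'EOF'
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "vmie.amazonaws.com"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:Externalid": "vmimport"}}}]}
EOF
}

vmimport_role_policy() {  # <bucket>
    cat <<EOF
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket",
              "s3:PutObject", "s3:GetBucketAcl"],
   "Resource": ["arn:aws:s3:::$1", "arn:aws:s3:::$1/*"]},
  {"Effect": "Allow",
   "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
              "ec2:RegisterImage", "ec2:Describe*"],
   "Resource": "*"}]}
EOF
}

disk_container() {  # <bucket> <object-key> <description>; bucket name, not ARN
    printf '[{"Description": "%s", "Format": "vmdk", "UserBucket": {"S3Bucket": "%s", "S3Key": "%s"}}]\n' "$3" "$1" "$2"
}

# create-role fails if the role already exists, so create it only once;
# put-role-policy overwrites the inline policy and can be rerun safely.
ensure_vmimport_role() {  # <bucket>
    ev_doc=$(mktemp)
    if ! $AWS_CLI iam get-role --role-name vmimport >/dev/null 2>&1; then
        vmimport_trust_policy > "$ev_doc"
        $AWS_CLI iam create-role --role-name vmimport \
            --assume-role-policy-document "file://$ev_doc"
    fi
    vmimport_role_policy "$1" > "$ev_doc"
    $AWS_CLI iam put-role-policy --role-name vmimport --policy-name vmimport \
        --policy-document "file://$ev_doc"
    rm -f "$ev_doc"
}

# Upload the VMDK and start the import; prints the ImportTaskId.
start_import() {  # <local-vmdk> <bucket> <description>
    si_key=$(basename "$1")
    $AWS_CLI s3 cp "$1" "s3://$2/$si_key" >&2
    si_doc=$(mktemp)
    disk_container "$2" "$si_key" "$3" > "$si_doc"
    $AWS_CLI ec2 import-image --description "$3" \
        --disk-containers "file://$si_doc" --query ImportTaskId --output text
    rm -f "$si_doc"
}

# Poll the task. Prints the AMI id once Status is "completed"; returns 1 when
# Status is "deleted" (failed or cancelled) or the attempt budget runs out.
wait_for_import() {  # <import-task-id> [attempts] [seconds-between-polls]
    wi_id=$1; wi_left=${2:-120}; wi_sleep=${3:-30}
    while [ "$wi_left" -gt 0 ]; do
        wi_line=$($AWS_CLI ec2 describe-import-image-tasks --import-task-ids "$wi_id" \
            --query 'ImportImageTasks[0].[Status,ImageId,StatusMessage]' --output text)
        wi_status=$(printf '%s\n' "$wi_line" | cut -f1)
        case "$wi_status" in
            completed) printf '%s\n' "$wi_line" | cut -f2; return 0 ;;
            deleted)   echo "$wi_id failed: $(printf '%s\n' "$wi_line" | cut -f3-)" >&2; return 1 ;;
        esac
        echo "$wi_id: $wi_status" >&2
        wi_left=$((wi_left - 1)); sleep "$wi_sleep"
    done
    echo "gave up waiting for $wi_id" >&2; return 1
}

# Usage: sh import-broker-vm.sh <bucket> </path/to/broker-vm-<version>.vmdk>
if [ "$#" -eq 2 ]; then
    ensure_vmimport_role "$1"
    ib_task=$(start_import "$2" "$1" "Cortex XDR Broker VM ($(basename "$2"))")
    ib_ami=$(wait_for_import "$ib_task")
    echo "AMI ready: $ib_ami"
fi
```

The text output of describe-import-image-tasks is tab separated, which is why the fields are split with cut rather than by word splitting: StatusMessage contains spaces when an import fails, and the failure reason is the part you want to see.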


 

Launch a Broker VM instance in AWS EC2

You can launch EC2 instance using the AMI Image created.

  1. Navigate to Services →  EC2 → Images → AMIs.   The imported AMI is listed here.
  2. Go to EC2 → Instances → Launch Instances and select the imported Broker VM AMI under My AMIs.
  3. In the Launch Instance Wizard define the instance according to your company requirements and Launch.
  4. Define HTTPS and SSH access to your instance.
    Right-click your instance and navigate to Networking → Change Security Groups.
    In the Change Security Groups pop-up, select a group that allows HTTPS (TCP 443), so you can reach the Broker VM Web UI, and SSH (TCP 22), for remote access when troubleshooting. Restrict the source of both rules to the address ranges of your trusted networks rather than 0.0.0.0/0.
  5. Verify the broker VM has started correctly
    Locate your instance, right-click and navigate to Instance Settings → Get Instance Screenshot.
    You are directed to your broker VM console listing your broker details.
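The launch, the security group and the console screenshot check can also be done from the CLI. The script below is an added example, not part of the KB article: it refuses an "anywhere" source range for the HTTPS and SSH rules, launches one instance from the imported AMI with IMDSv2 required (a hardening not mentioned on the page), and saves the console screenshot from step 5 to a file. The AMI, VPC, subnet and CIDR values are placeholders, and the m5.large instance type is an assumption; size the instance according to the Broker VM requirements. Set AWS_CLI=echo to print the commands instead of calling AWS.

```shell
#!/bin/sh
# Added example, not part of the KB article: launch the Broker VM from the
# imported AMI with the CLI. The security group admits HTTPS and SSH only
# from one trusted CIDR, and IMDSv2 is enforced on the instance. AMI id,
# VPC, subnet, CIDR and instance type are placeholders/assumptions.
# Set AWS_CLI=echo to dry-run (prints the commands instead of calling AWS).
set -eu
AWS_CLI=${AWS_CLI:-aws}

# Refuse "anywhere" rules; the article says secure networks only.
check_trusted_cidr() {
    case "$1" in
        0.0.0.0/0|::/0|*/0) return 1 ;;
        */*) return 0 ;;
        *) return 1 ;;   # not in CIDR notation
    esac
}

# Create the group and add TCP 443 + 22 ingress from the trusted CIDR only.
# Prints the security group id.
create_broker_sg() {  # <vpc-id> <trusted-cidr> [group-name]
    sg_name=${3:-cortex-broker-vm}
    check_trusted_cidr "$2" || { echo "refusing open CIDR '$2'" >&2; return 1; }
    sg_id=$($AWS_CLI ec2 create-security-group --group-name "$sg_name" \
        --description "Cortex XDR Broker VM: HTTPS/SSH from $2" --vpc-id "$1" \
        --query GroupId --output text)
    for port in 443 22; do
        $AWS_CLI ec2 authorize-security-group-ingress --group-id "$sg_id" \
            --protocol tcp --port "$port" --cidr "$2" >&2
    done
    echo "$sg_id"
}

# Launch one instance from the imported AMI; prints the instance id.
# HttpTokens=required forces IMDSv2 so an SSRF against the web UI cannot
# fetch instance credentials with a plain GET.
launch_broker() {  # <ami-id> <subnet-id> <sg-id> [instance-type]
    $AWS_CLI ec2 run-instances --image-id "$1" --instance-type "${4:-m5.large}" \
        --subnet-id "$2" --security-group-ids "$3" --count 1 \
        --metadata-options HttpTokens=required,HttpEndpoint=enabled \
        --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=cortex-broker-vm}]' \
        --query 'Instances[0].InstanceId' --output text
}

# Step 5 equivalent: wait for the instance, then save the console screenshot
# that shows the broker's own details.
broker_screenshot() {  # <instance-id> <output.jpg>
    $AWS_CLI ec2 wait instance-running --instance-ids "$1"
    $AWS_CLI ec2 get-console-screenshot --instance-id "$1" --wake-up \
        --query ImageData --output text | base64 -d > "$2"
}

# Usage: sh launch-broker-vm.sh <ami-id> <vpc-id> <subnet-id> <trusted-cidr>
if [ "$#" -eq 4 ]; then
    lb_sg=$(create_broker_sg "$2" "$4")
    lb_id=$(launch_broker "$1" "$3" "$lb_sg")
    broker_screenshot "$lb_id" "broker-console.jpg"
    echo "instance $lb_id launched; console screenshot in broker-console.jpg"
fi
```

The screenshot is a JPEG; open it to confirm the broker console lists the broker details before moving on to registration.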


 

Configure the Broker VM and Register it with Cortex XDR.

Registration of the Broker VM with Cortex XDR is done from the Broker VM Web Console.

  1. Obtain a registration token from Cortex XDR Web Console >>  Settings >> Configurations >> Data Broker >> Broker VMs >> Generate Token 
  2. Determine the IP address of the EC2 instance (private or public, depending on where you connect from) and open the Broker VM Web Console at https://<ip_address>.
  3. Complete the registration process by entering the token information.


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oNTQCA2&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail