Skip to content

Latest commit

 

History

History

aqua-ecs-ec2

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.adoc
README.adoc
 
 
aquaEcs-external.yaml
aquaEcs-external.yaml
 
 
aquaEcs.yaml
aquaEcs.yaml
 
 

README.adoc

Deploy Server on AWS ECS Cluster

Launch Stack

Overview

This page contains instructions for deploying Aqua Enterprise Self-Hosted edition on an Amazon ECS EC2 cluster. Using the deployment instructions in this page, you can deploy Server and Aqua Enforcer in one ECS cluster with advanced configurations. These configurations include:

  • A separate DB (Database) for Audit

  • External DB

  • SSL enablement for the Aqua console

  • Active-active Server mode

For high availability, you must deploy Aqua on 2 availability Zones (AZs).

Your deployment creates the following services:

  • Amazon Application Load Balancer

  • Aqua Console

  • Aqua Database, created on a new Amazon RDS instance, which includes 7 days of rolling backups

  • Aqua Audit Database, created on a new Amazon RDS instance, which includes 7 days of rolling backups

  • Aqua Gateway

  • Aqua Enforcer, each on an ECS instance

In addition, it creates an IAM role for granting Aqua Server, the access to ECR (Elastic Container Registry).

A CloudFormation template is used to deploy Aqua Enterprise. This can be done either with the AWS CloudFormation Management Console or the AWS Command Line interface (CLI), as explained below.

Prerequisites

  • An ECS cluster with at least 2 instances registered

  • A VPC with at least 2 subnets

  • A certificate through AWS Certificate Manager

  • From Aqua Security: your Aqua credentials (username and password) and Enterprise License Token

Pre-deployment

Step 1. Login to the Aqua Registry with your credentials.

 docker login registry.aquasec.com -u  -p

Step 2. Pull the Aqua product images for the Server (Console), Gateway, and Aqua Enforcer.

docker pull registry.aquasec.com/console:2022.4
docker pull registry.aquasec.com/gateway:2022.4
docker pull registry.aquasec.com/enforcer:2022.4

Step 3. Push all the images to ECR.

Deployment method 1: CloudFormation Management Console

Step 1. Click the Launch Stack icon at the top of this page. This will take you to the Create stack function of the AWS CloudFormation Management Console.

Step 2. Ensure that your AWS region is set to where you want to deploy Aqua Enterprise.

Step 3. Click Next.

Step 4. Set or modify any of the parameters as explained in the Advanced configurations section.

Step 5. Click Next to create the stack.

It will typically require up to 20 minutes for Aqua Enterprise to be deployed. When completed, you can obtain the DNS name of the Aqua Server UI from the console output, under key name AquaConsole.

Deployment method 2: CLI

Step 1. Copy the following command.

aws --region us-east-1 cloudformation create-stack --capabilities CAPABILITY_NAMED_IAM --stack-name aqua-ec2 --template-body file://aquaEcs.yaml \
--parameters ParameterKey=ECSClusterName,ParameterValue=xxxxx \
ParameterKey=VpcId,ParameterValue=vpc-xxxx \
ParameterKey=VpcCidr,ParameterValue=x.x.x.x/x \
ParameterKey=EcsInstanceSubnets,ParameterValue=\"subnet-xxxx,subnet-xxxx\" \
ParameterKey=LbSubnets,ParameterValue=\"subnet-xxxx,subnet-xxxx\" \
ParameterKey=SSLCert,ParameterValue=\"arn:aws:acm:us-east-1:1234567890:certificate/xxxxxxxxxxxx\"
ParameterKey=LBScheme,ParameterValue=\"internet-facing\"
ParameterKey=AquaConsoleAccess,ParameterValue=x.x.x.x/x \
ParameterKey=AquaServerImage,ParameterValue=xxxx.dkr.ecr.us-east-1.amazonaws.com/aqua:server-x.x \
ParameterKey=AquaGatewayImage,ParameterValue=xxxx.dkr.ecr.us-east-1.amazonaws.com/aqua:gateway-x.x \
ParameterKey=AquaEnforcerImage,ParameterValue=xxxx.dkr.ecr.us-east-1.amazonaws.com/aqua:enforcer-x.x \
ParameterKey=BatchinstallToken,ParameterValue=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx \
ParameterKey=RdsInstanceClass,ParameterValue=db.t3.medium \
ParameterKey=RdsStorage,ParameterValue=50 \
ParameterKey=MultiAzDatabase,ParameterValue=false \
ParameterKey=AuditRdsInstanceClass,ParameterValue=db.t3.medium \
ParameterKey=EcsSecurityGroupId,ParameterValue=XXXXX \
ParameterKey=ActiveActive,ParameterValue=XXXXX \

Step 2. Set the parameters as explained in the Advanced configurations section.

Step 3. Run the AWS create-stack CLI command.

It will typically require up to 20 minutes for your stack to be created and deployed. When completed, you can obtain the DNS name of the Aqua Server UI from the console output, under key name AquaConsole.

Advanced configurations

Active-Active Server deployment

For an Active-active Server configuration, select the ActiveActive parameter value as true while creating the stack.

Split DB deployment

Having a seprate DB for audit events is an optional parameter. Following are the values for this parameter:

  • Select Yes for AuditRDS parameter if you would like to create a separate RDS instance

  • Select No to use single RDS instance for both the Aqua DB and Audit DB

  • Default value for AuditRDS (or split DB) is No

External DB (Managed DB)

Launch Stack

If you have an existing PostgreSQL database and want to use the same for aqua deployment, use the cloudformation template aquaEcs-external.yaml from this directory, in the CLI shown above.

Configuring mTLS/TLS

By default, deploying Aqua Enterprise configures TLS-based encrypted communication, using self-signed certificates, between Aqua components. If you want to use self-signed certificates to establish mTLS between aqua components use the below instrictions to generate rootCA and component certificates

Create Root CA

Step 1. Create Root Key

openssl genrsa -des3 -out rootCA.key 4096

If you want a non password protected key just remove the -des3 option

Step 2. Create and self-sign the root certificate

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

Generate Aqua component certificates

Step 3. Generate keys

Create certificate keys for the Server, Gateway, and Aqua Enforcer.

openssl genrsa -out aqua-console.key 2048
openssl genrsa -out aqua-gateway.key 2048
openssl genrsa -out aqua-enforcer.key 2048

Step 4. Create Aqua Console certificate

Create the Aqua Console SSL config file

Specify the Aqua Console service name followed by the HTTPS port as common name and any other alternate names as SAN DNS entries:

cat >aqua-console.conf <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (e.g., city)
organizationName = Organization Name (e.g., company)
commonName = Common Name (e.g., server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = <console host public DNS>
DNS.2 = <console service DNS e.g. aqua-web>
IP.1 = <console service IP e.g. 10.X.X.X>
EOF
Generate a CSR file for Aqua Console from the configuration above.
openssl req -new -sha256 -key aqua-console.key -config aqua-console.conf -out aqua-console.csr
Generate the certificate using the CSR along with appropriate private keys and get it signed by the CA root key.
openssl x509 -req -in aqua-console.csr -CA rootCA.crt\
-CAkey rootCA.key -CAcreateserial \
-out aqua-console.crt -days 500 -sha256 \
-extensions req_ext -extfile aqua-console.conf

Step 5. Create Aqua Gateway certificate

Create the Aqua Gateway SSL config file

Specify the Aqua Gateway service name as a common name and any other alternate names as SAN DNS entries.

cat >aqua-gateway.conf <<EOF
[ req ]default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (e.g., city)
organizationName = Organization Name (e.g., company)
commonName = Common Name (e.g., server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = <gateway host public DNS>
DNS.2 = <gateway service DNS e.g. aqua-gateway>
IP.1 = <gateway service IP e.g. 10.X.X.X>
EOF
Generate a CSR file for aqua_gateway from the configuration above.
openssl req -new -sha256 -key aqua-gateway.key -config aqua-gateway.conf -out aqua-gateway.csr
Generate the certificate using the CSR along with appropriate private keys and get it signed by the CA root key.
openssl x509 -req -in aqua-gateway.csr -CA rootCA.crt -CAkey rootCA.key \
-CAcreateserial -out aqua-gateway.crt -days 500 \
-sha256 -extensions req_ext -extfile aqua-gateway.conf

Step 6. Create Aqua Enforcer certificate

Create the Aqua Enforcer (DaemonSet) SSL config file

Specify the Aqua Enforcer service name as a common name.

openssl req -new -sha256 -key aqua-enforcer.key -subj "/C=US/ST=MA/O=aqua/CN=aqua-agent" -out aqua-enforcer.csr
Generate the certificate using the CSR along with appropriate private keys and get it signed by the CA root key.
openssl x509 -req -in aqua-enforcer.csr -CA rootCA.crt \
-CAkey rootCA.key -CAcreateserial -out aqua-enforcer.crt \
-days 500 -sha256

Step 7. Verify certificates (optional)

Verify the contents of all the certificates by running these commands.

openssl x509 -in aqua-console.crt -text -noout
openssl x509 -in aqua-gateway.crt -text -noout
openssl x509 -in aqua-enforcer.crt -text -noout

Step 8. Upload certificates and key to AWS secret manager

Upload the following certificates and keys to AWS secret manager:

  • rootCA.crt

  • aqua-console.crt

  • aqua-console.key

  • aqua-gateway.crt

  • aqua-gateway.key

  • aqua-enforcer.crt

  • aqua-enforcer.key

Step 9. Upload Aqua Console certificates and key to AWS certificate manager

Step 10. Update cloudformation stack

  • Enable TLSEnabled

  • Enable TlsVerify

  • Enter Aqua Console, Gateway and Enforcer secrets ARN

  • Replace SSLCert with the new ARN of the SSL certificate

Version upgrade

To upgrade your Aqua Enterprise version, modify the existing stack with the new Aqua product images.