RapidFort Standalone AWS GovCloud Console Deployment
Deploy a standalone RapidFort EC2 instance from the AWS GovCloud Console
- Amazon EC2 instance
  - Type: c5.4xlarge (16 vCPU and 32 GB memory) or better
  - Storage: 4 TB or more
- S3 bucket for RapidFort data
- IAM EC2 role and policy OR IAM user with Read/Write/List permissions for the S3 bucket
- EC2 security group, VPC, and subnet with
  - Inbound access to port 443
  - Outbound access to *
  - RapidFort needs outbound access to the following:
    - public.ecr.aws (RapidFort software updates)
    - api.rapidfort.com (RapidFort vulnerabilities database updates)
    - email-smtp.<aws_region>.amazonaws.com (email)
- RapidFort Amazon Machine Image (AMI)
  - Please contact RapidFort Support ([email protected]) and provide the following:
    - AWS Account ID
    - AWS Region
  - RapidFort will share the AMI with your AWS Account
Before deploying RapidFort, you will need to create an S3 bucket and an IAM EC2 role or IAM user with Read/List/Write permissions for the S3 bucket.
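As an added example (not RapidFort's own policy document), the following Python builds the bucket-scoped IAM policy and the EC2 trust policy for the GovCloud partition, and checks that the permissions policy grants nothing beyond the one bucket. The page only says "Read/List/Write"; mapping that to s3:GetObject, s3:PutObject and s3:ListBucket is an assumption to confirm with RapidFort Support, and the bucket name rapidfort-s3 is the page's example.

```python
"""Bucket-scoped IAM policy for the RapidFort S3 bucket (added example, not RapidFort's own)."""
import json

# Assumption: "Read/List/Write" on the page is mapped to these three S3 actions.
# Confirm the exact action set RapidFort needs with RapidFort Support.
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject"]   # read and write objects
BUCKET_ACTIONS = ["s3:ListBucket"]                  # list the bucket


def s3_bucket_policy(bucket_name: str, partition: str = "aws-us-gov") -> dict:
    """Return an IAM permissions policy scoped to one bucket.

    GovCloud ARNs use the aws-us-gov partition, so the default builds
    arn:aws-us-gov:s3:::<bucket_name> rather than arn:aws:s3:::<bucket_name>.
    """
    if not bucket_name or ":" in bucket_name or "/" in bucket_name:
        raise ValueError("bucket_name must be the bucket name, not an ARN or a path")
    bucket_arn = f"arn:{partition}:s3:::{bucket_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            # ListBucket is evaluated against the bucket ARN itself ...
            {"Sid": "ListRapidFortBucket", "Effect": "Allow",
             "Action": BUCKET_ACTIONS, "Resource": bucket_arn},
            # ... while object actions are evaluated against the objects in it.
            {"Sid": "ReadWriteRapidFortObjects", "Effect": "Allow",
             "Action": OBJECT_ACTIONS, "Resource": f"{bucket_arn}/*"},
        ],
    }


def ec2_trust_policy() -> dict:
    """Trust policy attached to the role so EC2 instances can assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def policy_is_scoped(policy: dict, bucket_arn: str) -> bool:
    """True only if every Resource is the bucket or an object inside it (no '*', no other buckets)."""
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for resource in resources:
            if not (resource == bucket_arn or resource.startswith(bucket_arn + "/")):
                return False
    return True


if __name__ == "__main__":
    bucket = "rapidfort-s3"   # the page's example bucket name
    policy = s3_bucket_policy(bucket)
    assert policy_is_scoped(policy, f"arn:aws-us-gov:s3:::{bucket}")
    print(json.dumps(policy, indent=2))
    print(json.dumps(ec2_trust_policy(), indent=2))
```

Paste the first document as the role's permissions policy and the second as its trust policy (or attach only the first to the IAM user if you choose the IAM user option); the policy_is_scoped check is the one to re-run whenever the policy is edited later.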
Create an EC2 security group (e.g. rapidfort-port-443) with inbound access to port 443 and outbound access to *.

Contact RapidFort for the AMI ID. RapidFort will share the AMI with you. Search for and select the AMI in Private Images.
Select instance type c5.4xlarge.

Network/Subnet: Select the VPC and subnet.

RapidFort requires outbound access to *. This includes outbound access to the following:
- public.ecr.aws (RapidFort software updates)
- api.rapidfort.com (RapidFort vulnerabilities database updates)
- email-smtp.<aws_region>.amazonaws.com (email)
Furthermore, the environment where you will deploy and test your stub images (for example, Kubernetes or AWS Fargate) must have access to the RapidFort EC2 instance.
Auto-assign Public IP: If your EC2 instance should have a private IP address only, select Disable.
Please note that RapidFort does not require a public IP address. However, if a public IP address is assigned to the EC2 instance, then the public IP address will take precedence over the private IP address.
IAM role: Select the role that you created for RapidFort (e.g. rapidfort-role).

User data: Copy and paste the following text to User Data.

User Data Template - IAM Role

RF_APP_HOST=
RF_APP_ADMIN=<admin_email_address>
RF_APP_ADMIN_PASSWD=<admin_password>
RF_ROLE_ARN=<rapidfort_role_arn>
RF_S3_BUCKET=<rapidfort_s3_bucket_name>
RF_STORAGE_TYPE=s3

User Data Template - IAM User

RF_APP_HOST=
RF_APP_ADMIN=<admin_email_address>
RF_APP_ADMIN_PASSWD=<admin_password>
AWS_ACCESS_KEY_ID=<rapidfort_access_key_id>
AWS_SECRET_ACCESS_KEY=<rapidfort_secret_access_key>
RF_S3_BUCKET=<rapidfort_s3_bucket_name>
RF_STORAGE_TYPE=s3
Update the following User Data variables:

RF_APP_HOST
- Dynamic IP address: set RF_APP_HOST to an empty string: RF_APP_HOST=
- Static IP address: set RF_APP_HOST to the static IP address: RF_APP_HOST=<static_ip_address>
- Load balancer: if you plan to use RapidFort with a load balancer, set RF_APP_HOST to the hostname: RF_APP_HOST=<hostname>. Please note that your load balancer is not required to already be up and running when you initially deploy the RapidFort instance.

RF_APP_ADMIN
- Specify your email address. A confirmation email will be sent to this email address.

RF_APP_ADMIN_PASSWD
- Specify a password. You can change your password after the RapidFort instance has been deployed.

RF_ROLE_ARN
- If you are using an IAM role, then specify the role ARN for the RapidFort role that you created earlier.

AWS_ACCESS_KEY_ID
- If you are using an IAM user, then specify the access key ID for the RapidFort user that you created earlier.

AWS_SECRET_ACCESS_KEY
- If you are using an IAM user, then specify the secret access key for the RapidFort user that you created earlier.

RF_S3_BUCKET
- Specify the name (not the ARN) of the S3 bucket that you created for RapidFort. For example, if your S3 bucket ARN is arn:aws-us-gov:s3:::rapidfort-s3, then the name is rapidfort-s3. Set RF_S3_BUCKET=rapidfort-s3.
Make sure that you update all User Data variables or else the deployment will fail.
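Because an unreplaced placeholder or an ARN in RF_S3_BUCKET only shows up as a failed deployment about fifteen minutes later, it is worth checking the text before pasting it. The following validator is an added example (not RapidFort tooling): it parses the KEY=VALUE lines, flags any value that still contains a template placeholder, checks that exactly one of the IAM role or IAM user credential sets is present, and applies the RF_APP_HOST and RF_S3_BUCKET rules described above. The embedded sample User Data is constructed from the page's templates with admin@example.com as a stand-in address. Note also that EC2 User Data is not a secret store: anyone who can read the instance's attributes in the console or API, and any process on the instance via the instance metadata service, can read it, which is a reason to prefer the IAM role template over placing AWS_SECRET_ACCESS_KEY in User Data.

```python
"""Pre-launch checks for RapidFort User Data (added example, not RapidFort's own tooling)."""
import ipaddress
import re

COMMON_KEYS = {"RF_APP_HOST", "RF_APP_ADMIN", "RF_APP_ADMIN_PASSWD", "RF_S3_BUCKET"}
ROLE_KEYS = {"RF_ROLE_ARN"}                                  # IAM role template
USER_KEYS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}   # IAM user template
PLACEHOLDER = re.compile(r"<[^>]*>")   # e.g. <admin_password> left over from the template
HOSTNAME = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)

# Constructed sample: the page's dynamic-IP example with a stand-in email address.
EXAMPLE_DYNAMIC_IP = """\
RF_APP_HOST=
RF_APP_ADMIN=admin@example.com
RF_APP_ADMIN_PASSWD=P@ssw0rd!
RF_ROLE_ARN=arn:aws-us-gov:iam::123456789010:role/rapidfort-role
RF_S3_BUCKET=rapidfort-s3
RF_STORAGE_TYPE=s3
"""


def parse_user_data(text: str) -> dict:
    """Parse KEY=VALUE lines; blank lines are ignored and a repeated key keeps its last value."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"not a KEY=VALUE line: {line!r}")
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def validate_user_data(text: str) -> list:
    """Return a list of problems; an empty list means the User Data is ready to paste."""
    problems = []
    values = parse_user_data(text)
    present = set(values)

    for key, value in values.items():
        if PLACEHOLDER.search(value):
            problems.append(f"{key} still contains a template placeholder: {value}")

    for key in sorted(COMMON_KEYS - present):
        problems.append(f"missing {key}")

    has_role = ROLE_KEYS.issubset(present)
    has_user = USER_KEYS.issubset(present)
    if not (has_role or has_user):
        problems.append("set RF_ROLE_ARN (IAM role) or AWS_ACCESS_KEY_ID and "
                        "AWS_SECRET_ACCESS_KEY (IAM user)")
    if has_role and has_user:
        problems.append("use either the IAM role or the IAM user credentials, not both")
    if has_role and not values["RF_ROLE_ARN"].startswith("arn:aws-us-gov:iam::"):
        problems.append("RF_ROLE_ARN should be a GovCloud IAM role ARN (arn:aws-us-gov:iam::...)")

    # RF_APP_HOST: empty (dynamic IP), an IP address (static IP) or a hostname (load balancer).
    host = values.get("RF_APP_HOST", "")
    if host:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            if not HOSTNAME.match(host):
                problems.append(f"RF_APP_HOST must be empty, an IP address or a hostname: {host}")

    # RF_S3_BUCKET takes the bucket name, never its ARN.
    if values.get("RF_S3_BUCKET", "").startswith("arn:"):
        problems.append("RF_S3_BUCKET must be the bucket name, not its ARN")

    if values.get("RF_STORAGE_TYPE", "s3") != "s3":
        problems.append("RF_STORAGE_TYPE must be s3")
    return problems


if __name__ == "__main__":
    for problem in validate_user_data(EXAMPLE_DYNAMIC_IP) or ["User Data looks complete"]:
        print(problem)
```

Run it against the text you are about to paste (read from a file or a heredoc); a non-empty list is the set of edits still needed, and an unreplaced placeholder is reported per variable so nothing from the template survives into the launch.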
User Data Examples

These examples show the appropriate User Data for launching a RapidFort instance with the following parameters:
- Email address: [email protected]
- Password: P@ssw0rd!
- RapidFort role ARN: arn:aws-us-gov:iam::123456789010:role/rapidfort-role
- RapidFort S3 bucket name: rapidfort-s3

Dynamic IP address: To launch a RapidFort instance with a dynamic IP address, specify the following User Data:

Example User Data

RF_APP_HOST=
RF_APP_ADMIN=[email protected]
RF_APP_ADMIN_PASSWD=P@ssw0rd!
RF_ROLE_ARN=arn:aws-us-gov:iam::123456789010:role/rapidfort-role
RF_S3_BUCKET=rapidfort-s3

Static IP address: To launch a RapidFort instance with a static IP address (192.0.2.0), specify the following User Data:

Example User Data

RF_APP_HOST=192.0.2.0
RF_APP_ADMIN=[email protected]
RF_APP_ADMIN_PASSWD=P@ssw0rd!
RF_ROLE_ARN=arn:aws-us-gov:iam::123456789010:role/rapidfort-role
RF_S3_BUCKET=rapidfort-s3

Load balancer: To launch a RapidFort instance that will use a load balancer (rapidfort.example.com), specify the following User Data:

Example User Data

RF_APP_HOST=rapidfort.example.com
RF_APP_ADMIN=[email protected]
RF_APP_ADMIN_PASSWD=P@ssw0rd!
RF_ROLE_ARN=arn:aws-us-gov:iam::123456789010:role/rapidfort-role
RF_S3_BUCKET=rapidfort-s3
We recommend adding at least 4 TB of storage.
No special actions are required. Continue to the next step.
Select the security group that you created for RapidFort (e.g. rapidfort-port-443).

Review the instance launch details and verify the following:
- The security group, VPC, and subnet allow
  - Inbound access to port 443
  - Outbound access to *
- The instance type is c5.4xlarge
- At least 4 TB of storage has been added
- If you are using a static IP address or load balancer, then RF_APP_HOST is set to this value in the User Data
- If the EC2 instance should not have a public IP address, then the Auto-assign Public IP option is disabled
- The environment where you will deploy and test your stub images (e.g. Kubernetes or AWS Fargate) has access to the RapidFort EC2 instance
Launch the EC2 instance.

Make a note of the hostname or IP address of the EC2 instance (rapidfort_host) since this is required for installing the RapidFort command line interface (CLI) tools and accessing the RapidFort dashboard.
When the RapidFort EC2 instance is up and running, run the following command to verify that the instance is reachable:
timeout 15 nc -vz <rapidfort_host> 443
If the RapidFort EC2 instance is not reachable, verify the following:
- The security group, VPC, and subnet allow access to the system on which connectivity is being verified (e.g. GitLab)
- The security group, VPC, and subnet allow inbound access to port 443
- The security group, VPC, and subnet allow outbound access to *
From the AWS Console, select Instance Settings -> Edit user data. Inspect the Current user data and verify that all variables have been updated.
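The nc command above only reports success or failure. The Python below is an added example (not RapidFort tooling) that performs the same TCP connect to port 443 but separates the three outcomes that point at different items in the checklist: "dns" means the name does not resolve (check the hostname you noted, or RF_APP_HOST), "timeout" means nothing answered within the 15 seconds, which is the usual signature of a security group, VPC or subnet rule dropping the traffic, and "refused" means a host answered but nothing is listening on 443 yet. rapidfort_host is the page's placeholder; demo_local uses a loopback listener constructed in the script so the classifier can be exercised without network access.

```python
"""Classify why a RapidFort host is or is not reachable on 443 (added example, not RapidFort's own)."""
import socket


def probe(host: str, port: int = 443, timeout: float = 15.0) -> str:
    """TCP connect like `timeout 15 nc -vz host port`, returning
    'ok', 'dns', 'timeout', 'refused' or 'error'."""
    try:
        addresses = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns"                      # name did not resolve
    result = "error"
    for family, socktype, proto, _, sockaddr in addresses:
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            return "ok"                   # handshake completed: port 443 is open to us
        except socket.timeout:
            result = "timeout"            # no answer: usually a security group / route / subnet rule
        except ConnectionRefusedError:
            result = "refused"            # host answered, nothing listening on the port
        except OSError:
            result = "error"              # e.g. no route to host
        finally:
            sock.close()
    return result


# What each outcome means for the checklist on this page.
NEXT_STEPS = {
    "ok": "reachable; wait for the confirmation email",
    "dns": "hostname does not resolve: re-check rapidfort_host (or RF_APP_HOST for a load balancer)",
    "timeout": "no answer: check that the security group, VPC and subnet allow inbound 443 "
               "from the system you are testing from and outbound access to *",
    "refused": "host reached but port 443 is not listening yet",
    "error": "connect error: check the route from this system to the instance",
}


def diagnose(host: str, port: int = 443, timeout: float = 15.0) -> str:
    """Return a one-line verdict combining the probe result and the matching checklist item."""
    status = probe(host, port, timeout)
    return f"{host}:{port} -> {status}: {NEXT_STEPS[status]}"


def demo_local() -> tuple:
    """Exercise the classifier on a constructed loopback listener: open, then closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # port 0: the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe("127.0.0.1", port, timeout=2)
    listener.close()
    after_close = probe("127.0.0.1", port, timeout=2)
    return while_open, after_close


if __name__ == "__main__":
    print(demo_local())                   # loopback: open then closed
    print(diagnose("<rapidfort_host>"))   # replace with the host noted after launch
```

Run diagnose from the same system you will install the CLI on (the page's GitLab example), since the security group has to allow that system specifically; a "timeout" from one network and "ok" from another is the security-group case the checklist describes.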
You should receive a RapidFort confirmation email after approximately 15 minutes.
Click the magic link to visit the RapidFort dashboard and update your password. You can also open a web browser and navigate to https://<rapidfort_host>/login.

If you do not receive a confirmation email, please review the EC2 instance details and verify the following:
- The security group, VPC, and subnet allow outbound access to email-smtp.<aws_region>.amazonaws.com
- The User Data RF_APP_ADMIN variable specifies the correct email address

Note that you can log into the RapidFort dashboard using the email address and password specified in the User Data (RF_APP_ADMIN and RF_APP_ADMIN_PASSWD).

Please refer to the following page for instructions on getting a RapidFort license:
Run the following command to install the RapidFort Command Line Interface tools:
curl https://<rapidfort_host>/cli/ | bash