RapidFort Standalone AWS GovCloud Console Deployment

Deploy a standalone RapidFort EC2 instance from the AWS GovCloud Console

Minimum Requirements

  • Amazon EC2 instance
    • Type: c5.4xlarge (16 vCPU and 32 GB memory) or better
    • Storage: 4 TB or more
  • S3 Bucket for RapidFort data
  • IAM EC2 Role and Policy OR IAM User with Read/Write/List permissions for the S3 bucket
  • EC2 security group, VPC, and subnet with
    • Inbound access to port 443
    • Outbound access to *
      • RapidFort needs outbound access to the following:
        • public.ecr.aws (RapidFort software updates)
        • api.rapidfort.com (RapidFort vulnerabilities database updates)
        • email-smtp.<aws_region>.amazonaws.com (email)
  • RapidFort Amazon Machine Image (AMI)
    • Please contact RapidFort Support ([email protected]) and provide the following:
      • AWS Account ID
      • AWS Region
    • RapidFort will share the AMI with your AWS Account

Deployment

Step 1: AWS Prerequisites

Step 1.1: Create an S3 Bucket and set up IAM

Before deploying RapidFort, you will need to create an S3 bucket and an IAM EC2 role or IAM user with Read/List/Write permissions for the S3 bucket.

Step 1.2: Create an EC2 Security Group

Create an EC2 security group (e.g. rapidfort-port-443) with inbound access to port 443 and outbound access to *.

Step 2: Launch a RapidFort EC2 Instance

Step 2.1: Choose an Amazon Machine Image (AMI)

Contact RapidFort for the AMI ID. RapidFort will share the AMI with you. Search for and select the AMI in Private Images.

Step 2.2: Choose an Instance Type

Select instance type c5.4xlarge.

Step 2.3: Configure Instance Details

Network/Subnet: Select the VPC and subnet.
RapidFort requires outbound access to *. This includes outbound access to the following:
  • public.ecr.aws (RapidFort software updates)
  • api.rapidfort.com (RapidFort vulnerabilities database updates)
  • email-smtp.<aws_region>.amazonaws.com (email)
Furthermore, the environment where you will deploy and test your stub images (for example, Kubernetes or AWS Fargate) must have access to the RapidFort EC2 instance.
Auto-assign Public IP: If your EC2 instance should have a private IP address only, select Disable.
Please note that RapidFort does not require a public IP address. However, if a public IP address is assigned to the EC2 instance, then the public IP address will take precedence over the private IP address.
IAM role: Select the role that you created for RapidFort (e.g. rapidfort-role).
User data: Copy and paste the following text to User Data.
User Data Template - IAM Role
RF_APP_HOST=
RF_APP_ADMIN=<admin_email_address>
RF_APP_ADMIN_PASSWD=<admin_password>
RF_ROLE_ARN=<rapidfort_role_arn>
RF_S3_BUCKET=<rapidfort_s3_bucket_name>
RF_STORAGE_TYPE=s3
User Data Template - IAM User
RF_APP_HOST=
RF_APP_ADMIN=<admin_email_address>
RF_APP_ADMIN_PASSWD=<admin_password>
AWS_ACCESS_KEY_ID=<rapidfort_access_key_id>
AWS_SECRET_ACCESS_KEY=<rapidfort_secret_access_key>
RF_S3_BUCKET=<rapidfort_s3_bucket_name>
RF_STORAGE_TYPE=s3
Update the following User Data variables:
  • RF_APP_HOST
    • Dynamic IP Address: Set RF_APP_HOST to an empty string.
      • RF_APP_HOST=
    • Static IP Address: Set RF_APP_HOST to the static IP address.
      • RF_APP_HOST=<static_ip_address>
    • Load Balancer: If you plan to use RapidFort with a load balancer, set RF_APP_HOST to the hostname. Please note that your load balancer is not required to already be up and running when you initially deploy the RapidFort instance.
      • RF_APP_HOST=<hostname>
  • RF_APP_ADMIN
    • Specify your email address. A confirmation email will be sent to this email address.
  • RF_APP_ADMIN_PASSWD
    • Specify a password. You can change your password after the RapidFort instance has been deployed.
  • RF_ROLE_ARN
    • If you are using an IAM role, then specify the role ARN for the RapidFort role that you created earlier.
  • AWS_ACCESS_KEY_ID
    • If you are using an IAM user, then specify the access key ID for the RapidFort user that you created earlier.
  • AWS_SECRET_ACCESS_KEY
    • If you are using an IAM user, then specify the secret access key for the RapidFort user that you created earlier.
  • RF_S3_BUCKET
    • Specify the name (not the ARN) of the S3 bucket that you created for RapidFort.
      For example, if your S3 bucket ARN is arn:aws-us-gov:s3:::rapidfort-s3, then the name is rapidfort-s3. Set RF_S3_BUCKET=rapidfort-s3.
Make sure that you update all User Data variables or else the deployment will fail.
User Data Examples
These examples will show the appropriate User Data for launching a RapidFort instance with the following parameters:
  • Email Address: [email protected]
  • Password: P@ssw0rd!
  • RapidFort Role ARN: arn:aws-us-gov:iam::123456789010:role/rapidfort-role
  • RapidFort S3 Bucket Name: rapidfort-s3
Dynamic IP Address: To launch a RapidFort instance with a dynamic IP address, specify the following User Data:
Example User Data
RF_APP_HOST=
RF_APP_ADMIN=[email protected]
RF_APP_ADMIN_PASSWD=P@ssw0rd!
RF_ROLE_ARN=arn:aws-us-gov:iam::123456789010:role/rapidfort-role
RF_S3_BUCKET=rapidfort-s3
Static IP Address: To launch a RapidFort instance with a static IP address (192.0.2.0), specify the following User Data:
Example User Data
RF_APP_HOST=192.0.2.0
RF_APP_ADMIN=[email protected]
RF_APP_ADMIN_PASSWD=P@ssw0rd!
RF_ROLE_ARN=arn:aws-us-gov:iam::123456789010:role/rapidfort-role
RF_S3_BUCKET=rapidfort-s3
Load Balancer: To launch a RapidFort instance that will use a load balancer (rapidfort.example.com), specify the following User Data:
Example User Data
RF_APP_HOST=rapidfort.example.com
RF_APP_ADMIN=[email protected]
RF_APP_ADMIN_PASSWD=P@ssw0rd!
RF_ROLE_ARN=arn:aws-us-gov:iam::123456789010:role/rapidfort-role
RF_S3_BUCKET=rapidfort-s3
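
The following pre-launch check is an added example, not RapidFort's own tooling: it lints a User Data file for the mistakes this step warns about (template placeholders left unreplaced, an S3 bucket ARN where the name is expected, a missing or mixed credential mode). The function name check_user_data, the aws-us-gov role ARN pattern, the rule that the IAM role and IAM user modes are mutually exclusive, and the sample values are assumptions.

```sh
#!/bin/sh
# Added example: pre-launch lint for a RapidFort User Data file. Variable names come
# from the templates above; the checks are assumptions, not RapidFort's validation.
check_user_data() (   # subshell body keeps every variable local
  rc=0 host_seen=0 admin= passwd= role= akid= secret= bucket=
  err() { echo "$1"; rc=1; }   # report the variable name, never its value
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in *=*) ;; *) continue ;; esac   # skip non KEY=VALUE lines
    key=${line%%=*} val=${line#*=}
    # Heuristic: a template placeholder such as <admin_password> survived.
    case $val in *'<'[a-z_]*'>'*) err "$key: placeholder not replaced" ;; esac
    case $key in
      RF_APP_HOST)           host_seen=1 ;;   # empty value is valid (dynamic IP)
      RF_APP_ADMIN)          admin=$val ;;
      RF_APP_ADMIN_PASSWD)   passwd=$val ;;
      RF_ROLE_ARN)           role=$val ;;
      AWS_ACCESS_KEY_ID)     akid=$val ;;
      AWS_SECRET_ACCESS_KEY) secret=$val ;;
      RF_S3_BUCKET)          bucket=$val ;;
    esac
  done < "$1"
  [ "$host_seen" -eq 1 ] || err "RF_APP_HOST: line missing"
  [ -n "$admin" ]  || err "RF_APP_ADMIN: empty"
  [ -n "$passwd" ] || err "RF_APP_ADMIN_PASSWD: empty"
  case $bucket in
    '')    err "RF_S3_BUCKET: empty" ;;
    arn:*) err "RF_S3_BUCKET: use the bucket name, not the ARN" ;;
  esac
  # Assumed rule: exactly one credential mode, IAM role or IAM user key pair.
  if [ -n "$role" ] && [ -n "$akid$secret" ]; then
    err "credentials: set RF_ROLE_ARN or the access key pair, not both"
  elif [ -n "$role" ]; then
    case $role in
      arn:aws-us-gov:iam::*:role/*) ;;
      *) err "RF_ROLE_ARN: not a GovCloud (aws-us-gov) role ARN" ;;
    esac
  elif [ -z "$akid" ] || [ -z "$secret" ]; then
    err "credentials: need RF_ROLE_ARN or both access key variables"
  fi
  exit "$rc"   # leaves only the subshell; becomes the function's status
)

# Constructed sample: the IAM-role template with the bucket given as an ARN.
sample=$(mktemp)
printf '%s\n' 'RF_APP_HOST=' 'RF_APP_ADMIN=admin@example.com' \
  'RF_APP_ADMIN_PASSWD=<admin_password>' 'RF_S3_BUCKET=arn:aws-us-gov:s3:::rapidfort-s3' \
  'RF_ROLE_ARN=arn:aws-us-gov:iam::123456789010:role/rapidfort-role' > "$sample"
check_user_data "$sample" || echo "fix the User Data before launching"
rm -f "$sample"
```

Run it against the text you intend to paste into User Data; a non-zero exit status means at least one check failed.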

Step 2.4: Add Storage

We recommend adding at least 4 TB of storage.

Step 2.5: Add Tags

No special actions are required. Continue to the next step.

Step 2.6: Configure Security Group

Select the security group that you created for RapidFort (e.g. rapidfort-port-443).

Step 2.7: Review Instance Launch

Review the instance launch details and verify the following:
  • The security group, VPC, and subnet allow
    • Inbound access to port 443
    • Outbound access to *
  • The instance type is c5.4xlarge
  • At least 4 TB of storage has been added
  • If you are using a static IP address or load balancer, then RF_APP_HOST is set to this value in the User Data
  • If the EC2 instance should not have a public IP address, then the Auto-assign Public IP option is disabled
  • The environment where you will deploy and test your stub images (e.g. Kubernetes or AWS Fargate) has access to the RapidFort EC2 instance
Launch the EC2 instance.
Make a note of the hostname or IP address of the EC2 instance (rapidfort_host) since this is required for installing the RapidFort command line interface (CLI) tools and accessing the RapidFort dashboard.

Post-Deployment

Verify Connectivity

When the RapidFort EC2 instance is up and running, run the following command to verify that the instance is reachable:
timeout 15 nc -vz <rapidfort_host> 443
If the RapidFort EC2 instance is not reachable, verify the following:
  • The security group, VPC, and subnet allow access to the system on which connectivity is being verified (e.g. GitLab)
  • The security group, VPC, and subnet allow inbound access to port 443
  • The security group, VPC, and subnet allow outbound access to *

Review User Data

From the AWS Console, select Instance Settings -> Edit user data. Inspect the Current user data and verify that all variables have been updated.

Confirmation Email

You should receive a RapidFort confirmation email after approximately 15 minutes.
Click the magic link to visit the RapidFort dashboard and update your password. You can also open a web browser and navigate to https://<rapidfort_host>/login.
If you do not receive a confirmation email, please review the EC2 instance details and verify the following:
  • The security group, VPC, and subnet allow outbound access to email-smtp.<aws_region>.amazonaws.com
  • The User Data RF_APP_ADMIN variable specifies the correct email address
Note that you can log into the RapidFort dashboard using the email address and password specified in the User Data (RF_APP_ADMIN and RF_APP_ADMIN_PASSWD).

Get a RapidFort License

Please refer to the following page for instructions on getting a RapidFort license:

Install the RapidFort Command Line Interface Tools

Run the following command to install the RapidFort Command Line Interface tools:
curl https://<rapidfort_host>/cli/ | bash