Learn how to set up your Cortex XDR Broker virtual machine (VM) on AWS.
After you download your Cortex XDR Broker VMDK image, you can convert the image to an Amazon Web Services (AWS) Amazon Machine Image (AMI) using the AWS CLI. The task below explains how to do this on Linux.
Prerequisite
Download a Cortex XDR Broker VM VMDK image. For more information, see the virtual machine compatibility requirements in Set up and configure Broker VM.
You need to set up an AWS VM Import service role named vmimport before running the import-snapshot CLI command (import-snapshot uses a role with that name unless you pass --role-name). If the vmimport role does not exist or does not have the required permissions, create it using the steps below, or use a different role with the necessary permissions. You need an Administrator role, or equivalent permissions, to create or modify this role. For more information on setting up an AWS VM Import role and the permissions it requires, see Required service role.
To convert the image to AWS, perform the following procedures in the order listed below.
You need to sign in as an AWS Identity and Access Management (IAM) user whose attached IAM policy grants the permissions required for VM Import/Export.
Log in to the AWS IAM Console, and in the navigation pane, select Access Management → Users, and click Create user.
Under User name, specify a username, and click Next.
In the Permissions options section, select Attach Existing Policies directly, and then in the Permissions policies section, click Create policy.
In the JSON tab, copy and paste the following syntax to define the policy. Replace mys3bucket with the name of the S3 bucket that will hold the VMDK image:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::mys3bucket",
        "arn:aws:s3:::mys3bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CancelConversionTask",
        "ec2:CancelExportTask",
        "ec2:CreateImage",
        "ec2:CreateInstanceExportTask",
        "ec2:CreateTags",
        "ec2:DescribeConversionTasks",
        "ec2:DescribeExportTasks",
        "ec2:DescribeExportImageTasks",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeSnapshots",
        "ec2:DescribeTags",
        "ec2:ExportImage",
        "ec2:ImportInstance",
        "ec2:ImportVolume",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:ImportImage",
        "ec2:ImportSnapshot",
        "ec2:DescribeImportImageTasks",
        "ec2:DescribeImportSnapshotTasks",
        "ec2:CancelImportTask"
      ],
      "Resource": "*"
    }
  ]
}
Click Next.
In the Policy details section, under Policy name, specify a name for the policy, and click Create policy.
Select the policy that you created above based on the syntax you added, and click Next.
Complete the user creation process by clicking Create user.
After confirmation that the user is created, select the user that you created.
Open the Security credentials tab, scroll down to the Access key section, and click Create access key.
In Step 1 Access key best practices & alternatives perform the following:
Select the Command Line Interface (CLI) option.
Select the Confirmation checkbox.
Click Next.
(Optional) In Step 2 Set description tag, you can enter a description for the access key, or leave it empty, and then click Create access key.
In Step 3 Retrieve access keys, copy the following user information, which you will need later. The secret access key is displayed only at this step; store it in a secrets manager or password vault, not in a shared document.
User name
Access key ID
Secret access key
You can run the AWS CLI commands using one of the two options below.
AWS CloudShell is a browser-based shell that is pre-authenticated with your Console credentials.
Log in to the AWS Management Console.
Select the Region where your S3 bucket is located.
Click the CloudShell icon on the top navigation bar.
Install the AWS CLI and configure it with the IAM user that you created.
Log in to the server with administrative privileges and install the AWS CLI:
# sudo bash
# apt update
# apt install awscli
Run the following command to configure the AWS CLI:
# aws configure
You need to specify the proper configurations for the following:
AWS Access Key ID: The Access key ID for the IAM user you created.
AWS Secret Access Key: The Secret access key for the IAM user you created.
Default region name: The Region where your S3 bucket is located. IAM users are global, but the snapshot and the AMI are created in the Region in which you run the import, and the S3 bucket holding the VMDK must be in that same Region.
You are now ready to implement commands in the AWS CLI.
To create an AMI image, you need to download Broker VM VMDK file from the Cortex XDR Web Console, import this file to your S3 bucket, and then convert the VMDK file to an AMI Image.
In the Cortex XDR Web Console , select Settings → Configurations → Data Broker → Broker VMs → Add Broker → VMDK.
Download the VMDK file, such as broker-vm-<broker-vm-version>.vmdk, to your computer.
Navigate to and log in to your AWS account.
In the AWS Console, select All services → Storage → S3.
On the Buckets page, click Create bucket to upload your Broker VM image to this bucket.
Specify a unique name for the S3 bucket, create it in the Region where you will run the import, and use the default configurations (which block public access to the bucket).
Upload the Broker VM VMDK you downloaded from Cortex XDR to the AWS S3 bucket using one of the following methods:
Using the AWS Management Console:
On the Buckets page, select your bucket, and click Upload to upload the VMDK file.
Using an external terminal:
Run:
# aws s3 cp ~/<path/to>/broker-vm-<version>.vmdk s3://<your_bucket>/broker-vm-<version>.vmdk
Prepare the following configuration files on your local disk.
Run the following command in the terminal:
# vi configuration.json
Copy and paste the following syntax into the JSON file. In S3Bucket, replace <your_bucket> with the bucket name (not its ARN). In S3Key, replace <broker-vm-version.vmdk> with the VMDK file name exactly as it appears in the bucket.
{
  "Description": "Cortex XDR Broker VM <version>",
  "Format": "vmdk",
  "UserBucket": {
    "S3Bucket": "<your_bucket>",
    "S3Key": "<broker-vm-version.vmdk>"
  }
}
Run the following command in the terminal:
# vi trust-policy.json
Copy and paste the following syntax into the JSON file. It allows only the VM Import/Export service (vmie.amazonaws.com) to assume the role, and only when it presents the external ID vmimport.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vmie.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:Externalid": "vmimport"
        }
      }
    }
  ]
}
Run the following command in the terminal.
# vi role-policy.json
Copy and paste the following syntax into the JSON file. Replace <disk-image-file-bucket> with the bucket holding the VMDK and <export-bucket> with the bucket used for image exports; if you are not exporting images, set both to the bucket holding the VMDK. AWS accepts * in place of a bucket name to grant access to all your S3 buckets, but that gives the service role read access to every bucket in the account, so scope it to the specific bucket unless you have a reason not to.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<disk-image-file-bucket>",
        "arn:aws:s3:::<disk-image-file-bucket>/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:GetBucketAcl"
      ],
      "Resource": [
        "arn:aws:s3:::<export-bucket>",
        "arn:aws:s3:::<export-bucket>/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:ModifySnapshotAttribute",
        "ec2:CopySnapshot",
        "ec2:RegisterImage",
        "ec2:Describe*",
        "ec2:ImportSnapshot",
        "ec2:DescribeImportSnapshotTasks"
      ],
      "Resource": "*"
    }
  ]
}
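Before running create-role, it is worth checking the two files for the mistakes that most often break the import or grant more than intended. The following Python script is an added example and is not part of the Cortex XDR or AWS documentation. It reads trust-policy.json and role-policy.json (the file names used above), verifies that only vmie.amazonaws.com can assume the role and only with the vmimport external ID, flags S3 statements scoped to * or to buckets other than the ones you name on the command line, and reports missing EC2 actions. The sample policies at the bottom of the script are constructed for the stand-alone run.

```python
"""Preflight check of trust-policy.json and role-policy.json before creating the
vmimport role.  Added example, not part of the Cortex XDR or AWS documentation.
Flags: a principal other than vmie.amazonaws.com, a missing sts:ExternalId
condition, S3 statements scoped to "*" or to buckets you did not name, and
missing EC2 actions.  Sample policies at the bottom are constructed."""
import json
from typing import Any, Dict, Iterable, List, Optional

VMIE_SERVICE = "vmie.amazonaws.com"
REQUIRED_EC2_ACTIONS = {"ec2:ModifySnapshotAttribute", "ec2:CopySnapshot", "ec2:RegisterImage",
                        "ec2:ImportSnapshot", "ec2:DescribeImportSnapshotTasks"}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a string or a list for Action, Resource and Principal values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _bucket_of(arn: str) -> Optional[str]:
    """'arn:aws:s3:::name/prefix/*' -> 'name'; None if this is not an S3 ARN."""
    prefix = "arn:aws:s3:::"
    return arn[len(prefix):].split("/", 1)[0] if arn.startswith(prefix) else None


def check_trust_policy(doc: Dict[str, Any], external_id: str = "vmimport") -> List[str]:
    """Findings for the trust policy; an empty list means only VM Import can assume the role."""
    statements = doc.get("Statement", [])
    if not statements:
        return ["trust policy has no statements"]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        services = _as_list(stmt.get("Principal", {}).get("Service"))
        if services != [VMIE_SERVICE]:
            findings.append(f"principal must be exactly {VMIE_SERVICE}, got {services}")
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            findings.append("statement does not allow sts:AssumeRole")
        # Condition keys are case-insensitive; AWS's sample spells it sts:Externalid.
        equals = {k.lower(): v for k, v in
                  stmt.get("Condition", {}).get("StringEquals", {}).items()}
        if equals.get("sts:externalid") != external_id:
            findings.append(f"missing StringEquals sts:ExternalId == {external_id!r}")
    return findings


def check_role_policy(doc: Dict[str, Any], allowed_buckets: Iterable[str]) -> List[str]:
    """Findings for the permissions policy: wildcard/unexpected S3 grants, missing EC2 actions."""
    allowed, findings, granted_ec2 = set(allowed_buckets), [], set()
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        granted_ec2.update(a for a in actions if a.startswith("ec2:"))
        if not any(a.startswith("s3:") for a in actions):
            continue
        for res in _as_list(stmt.get("Resource")):
            bucket = _bucket_of(res)
            if bucket in (None, "*"):
                findings.append(f"S3 statement {actions} is not scoped to a bucket: {res}")
            elif bucket not in allowed:
                findings.append(f"S3 statement grants access to unexpected bucket {bucket!r}")
    describe_all = "ec2:Describe*" in granted_ec2
    missing = sorted(a for a in REQUIRED_EC2_ACTIONS if a not in granted_ec2
                     and not (describe_all and a.startswith("ec2:Describe")))
    if missing:
        findings.append(f"role policy lacks {missing}")
    return findings


def check_files(trust_path: str, role_path: str, allowed_buckets: Iterable[str]) -> List[str]:
    """Run both checks on the files written in the steps above."""
    with open(trust_path) as fh:
        trust = json.load(fh)
    with open(role_path) as fh:
        role = json.load(fh)
    return check_trust_policy(trust) + check_role_policy(role, allowed_buckets)


# Constructed samples: the page's trust policy, and a role policy with the two
# mistakes this check exists to catch (S3 Resource "*", no ec2:RegisterImage).
GOOD_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "vmie.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:Externalid": "vmimport"}}}]}
BAD_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                "ec2:Describe*", "ec2:ImportSnapshot"]}]}

if __name__ == "__main__":
    import sys  # usage: python check_vmimport_policies.py <bucket> [<bucket> ...]
    for finding in check_files("trust-policy.json", "role-policy.json", sys.argv[1:]):
        print("FINDING:", finding)
```

Run it from the directory containing the two files, passing the bucket name(s) you used in role-policy.json; an empty report means the trust and permissions policies match what this page expects.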
Use the create-role command to create a role named vmimport, with trust-policy.json as its trust policy so that the VM Import/Export service can assume it:
# aws iam create-role --role-name vmimport --assume-role-policy-document "file://trust-policy.json"
Use the put-role-policy command to attach the permissions in role-policy.json to the vmimport role created above (there is no space after file://):
# aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file://role-policy.json"
Create a snapshot from the VMDK file.
Run the following command to start the import process. If you created the service role under a name other than vmimport, add --role-name <role-name>:
# aws ec2 import-snapshot --description "Cortex XDR Broker VM <version>" --disk-container "file://configuration.json"
The import runs asynchronously. To track its progress, take the ImportTaskId value from the output and run:
# aws ec2 describe-import-snapshot-tasks --import-task-ids import-snap-<task-id>
Completed status output example:
{
  "ImportSnapshotTasks": [
    {
      "Description": "Broker VM <version> snapshot import",
      "ImportTaskId": "import-snap-12346b69617c1395t",
      "SnapshotTaskDetail": {
        ...
        "DiskImageSize": 2976817664.0,
        "Format": "vmdk",
        "SnapshotId": "snap-1234567890",
        "Status": "completed",
        "UserBucket": {
          "S3Bucket": "broker-vm",
          "S3Key": "broker-vm-<version>.vmdk"
        }
      },
      "Tags": []
    }
  ]
}
Register the AMI from the snapshot.
Once the describe-import-snapshot-tasks command shows a Status of completed, a new snapshot has been created in your account. You must now register this snapshot as an AMI.
Locate the snapshot ID.
In the output of your completed task, find the SnapshotId, for example snap-0123456789abcdef0. Alternatively, you can find it in the AWS Console:
Select All services → EC2.
In the left sidebar, under Elastic Block Store, select Snapshots.
Locate the snapshot with the description you provided during the import.
Create the image from the snapshot.
Select the checkbox next to your snapshot.
Select Actions → Create image from snapshot.
Specify mandatory settings in the Create image from snapshot section.
To ensure the Broker VM functions correctly, configure these settings in the following sections:
Image settings
Architecture: x86_64
Root device name: /dev/sda1
Virtualization type: Hardware-assisted virtualization
Boot mode: Legacy BIOS
Block device mappings - optional
Size (GiB): 480
Volume type: General Purpose SSD (gp3)
IOPS: 3000
Throughput (MB/s): 125
Once the task is complete, the AMI Image is ready for use.
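The console steps above can also be scripted end to end. The following Python script is an added example and is not tooling from Palo Alto Networks or AWS: using boto3 it uploads the VMDK, starts the snapshot import with the vmimport role, polls describe-import-snapshot-tasks (boto3 has no waiter for this task type) and stops with an error if the task ends in a failed state, then registers the AMI with the settings listed above (x86_64, root device /dev/sda1, hardware-assisted virtualization, Legacy BIOS, 480 GiB gp3 at 3000 IOPS and 125 MB/s). The bucket, VMDK path, version and Region are command-line arguments; the response documents at the bottom are constructed samples used to exercise the task parser offline.

```python
"""Scripted Broker VM import with boto3: added example, not Palo Alto Networks'
or AWS's tooling.  Upload the VMDK, import it as a snapshot with the vmimport
role, poll the task, register the AMI with the settings this page requires.
Helpers are plain functions; the sample responses at the bottom are constructed."""
import time
from typing import Any, Dict, Optional, Tuple

try:
    import boto3  # only needed for the live run(); the helpers work without it
except ImportError:  # pragma: no cover
    boto3 = None


def disk_container(bucket: str, key: str, version: str) -> Dict[str, Any]:
    """DiskContainer argument for import_snapshot; same content as configuration.json."""
    return {"Description": f"Cortex XDR Broker VM {version}", "Format": "vmdk",
            "UserBucket": {"S3Bucket": bucket, "S3Key": key}}


def parse_import_task(response: Dict[str, Any]) -> Tuple[str, Optional[str]]:
    """Return (status, snapshot_id) from a DescribeImportSnapshotTasks response.

    Status is 'active' while converting and 'completed' on success.  A failed
    import ends in 'deleting'/'deleted' with the reason only in StatusMessage,
    so raise instead of polling forever.
    """
    tasks = response.get("ImportSnapshotTasks", [])
    if len(tasks) != 1:
        raise ValueError(f"expected exactly one import task, got {len(tasks)}")
    detail = tasks[0].get("SnapshotTaskDetail", {})
    status = detail.get("Status", "unknown")
    if status in ("deleting", "deleted"):
        raise RuntimeError(f"import failed: {detail.get('StatusMessage', 'no StatusMessage')}")
    return status, detail.get("SnapshotId")


def register_image_args(snapshot_id: str, name: str) -> Dict[str, Any]:
    """Keyword arguments for ec2.register_image, mirroring the console settings above."""
    return {
        "Name": name,
        "Architecture": "x86_64",
        "RootDeviceName": "/dev/sda1",
        "VirtualizationType": "hvm",       # "Hardware-assisted virtualization"
        "BootMode": "legacy-bios",
        "BlockDeviceMappings": [{
            "DeviceName": "/dev/sda1",
            "Ebs": {"SnapshotId": snapshot_id, "VolumeSize": 480, "VolumeType": "gp3",
                    "Iops": 3000, "Throughput": 125, "DeleteOnTermination": True},
        }],
    }


def run(bucket: str, vmdk_path: str, version: str, region: str,
        role_name: str = "vmimport", poll_seconds: int = 30) -> str:
    """Upload, import, wait, register; returns the new AMI ID."""
    if boto3 is None:
        raise RuntimeError("boto3 is required for the live run")
    key = f"broker-vm-{version}.vmdk"
    # Bucket, snapshot and AMI must all live in the same Region.
    s3 = boto3.client("s3", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    s3.upload_file(vmdk_path, bucket, key)
    task = ec2.import_snapshot(Description=f"Cortex XDR Broker VM {version}",
                               DiskContainer=disk_container(bucket, key, version),
                               RoleName=role_name)
    task_id = task["ImportTaskId"]
    while True:  # boto3 has no waiter for import-snapshot tasks, so poll.
        status, snapshot_id = parse_import_task(
            ec2.describe_import_snapshot_tasks(ImportTaskIds=[task_id]))
        if status == "completed" and snapshot_id:
            break
        time.sleep(poll_seconds)
    image = ec2.register_image(
        **register_image_args(snapshot_id, f"cortex-xdr-broker-vm-{version}"))
    return image["ImageId"]


# Constructed sample responses (shape of DescribeImportSnapshotTasks; IDs made up).
SAMPLE_COMPLETED = {"ImportSnapshotTasks": [{
    "ImportTaskId": "import-snap-0123456789abcdef0",
    "SnapshotTaskDetail": {"Status": "completed", "Format": "vmdk",
                           "SnapshotId": "snap-0123456789abcdef0"}}]}
SAMPLE_FAILED = {"ImportSnapshotTasks": [{
    "ImportTaskId": "import-snap-0123456789abcdef0",
    "SnapshotTaskDetail": {"Status": "deleted",
                           "StatusMessage": "constructed failure message"}}]}

if __name__ == "__main__":
    import sys  # usage: python import_broker_vm.py <bucket> <path/to.vmdk> <version> <region>
    print(run(*sys.argv[1:5]))
```

Run it with the credentials of the IAM user created earlier and the Region that holds your bucket; it prints the AMI ID, which you can then use in the Launch Instance Wizard below.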
(Optional) After the AMI image has been created, you can define a new name for the image.
Select All services → EC2 → Images → AMIs and locate the AMI you registered by its name or AMI ID. Select the pencil icon to specify a new name.
You can launch a Broker VM instance in AWS EC2 using the AMI image you created.
Important
A t3.xlarge (4 vCPU, 16 GiB RAM) is the smallest instance type that meets the mandatory 4 vCPU requirement for the Broker VM.
To view the AMI image that you added, select All services → EC2 → Images → AMIs.
Select EC2 → Instances, and click Launch instances to create an instance of the AMI image.
In the Launch Instance Wizard define the instance according to your company requirements and Launch.
(Optional) In the Instances page, locate your instance and use the pencil icon to rename the instance Name.
Define HTTPS and SSH access (optional) to your instance.
Select your instance and then choose Actions → Security → Change security groups.
Attach a security group that allows inbound HTTPS (TCP 443) to the Broker VM Web UI and, when you need it for troubleshooting, SSH (TCP 22). Restrict the source of both rules to your management networks or bastion hosts; do not open them to 0.0.0.0/0.
Note
Assigning security groups can take up to 15 minutes.
Verify the Broker VM has started correctly.
On the Instances page, select your instance, and then choose Actions → Monitor and troubleshoot → Troubleshoot → Get instance screenshot.
You are directed to your Broker VM console listing your Broker details.