Set up Broker VM on Amazon Web Services - Learn how to set up your Cortex XSIAM Broker virtual machine (VM) on AWS. - Administrator Guide - Cortex XSIAM - Cortex

Set up Broker VM on Amazon Web Services - Learn how to set up your Cortex XSIAM Broker virtual machine (VM) on AWS. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product

Cortex XSIAM

Creation date

2024-03-06

Last date published

2026-05-14

Prerequisite

Download a Cortex XSIAM Broker VM VMDK image. For more information, see the virtual machine compatibility requirements in Set up and configure Broker VM.
You need to set up an AWS VM Import role (vmimport) before you continue with the steps to convert the image as it is required for the import-snapshot CLI command. You can use a different role, if the role vmimport doesn't exist or doesn't have the required permissions. You'll need an Administrator role or the necessary permissions to create these permissions. For more information on setting up an AWS VM Import role and the permissions required, see Required service role.

To convert the image to AWS, perform the following procedures in the order listed below.

Task 1. Create an IAM User with Proper Permissions

You need to log in using an AWS Identity and Access Management (IAM) user, where the permissions are defined in the IAM policy to use the virtual machine Import and export.

Log in to the AWS IAM Console, and in the navigation pane, select Access Management → Users → Add Users.
Select Access key - Programmatic access as the AWS credential type, and click Next: Permissions.
Select Attach Existing Policies directly → Create Policy,

In the JSON tab, copy and paste the following syntax to define the policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": ["arn:aws:s3:::mys3bucket","arn:aws:s3:::mys3bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CancelConversionTask",
        "ec2:CancelExportTask",
        "ec2:CreateImage",
        "ec2:CreateInstanceExportTask",
        "ec2:CreateTags",
        "ec2:DescribeConversionTasks",
        "ec2:DescribeExportTasks",
        "ec2:DescribeExportImageTasks",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeSnapshots",
        "ec2:DescribeTags",
        "ec2:ExportImage",
        "ec2:ImportInstance",
        "ec2:ImportVolume",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:ImportImage",
        "ec2:ImportSnapshot",
        "ec2:DescribeImportImageTasks",
        "ec2:DescribeImportSnapshotTasks",
        "ec2:CancelImportTask"
      ],
      "Resource": "*"
    }
  ]
}

Click Next until you can specify the Policy name, and then click Create Policy.
Select the policy that you created above based on the syntax you added.
Complete the user creation process.
After confirmation that the user is created, record the following user information, which you will need later.
- User name
- Access key ID
- Secret access key

Task 2. Setup AWS CLI

You can run the AWS CLI commands using one of the two options below.

Install the AWS CLI and configure it with the IAM user that you created.

Login to the server with admin privilege and install the AWS CLI.
```
# sudo bash
# apt update
# apt install awscli
```
Run the following command to configure the AWS CLI:
```
# aws configure
```
You need to specify the proper configurations for the following:
- AWS Access Key ID: The Access key ID for the IAM user you created.
- AWS Secret Access Key: The Secret access key for the IAM user you created.
- Default region name: The Region where you've defined the IAM user you created.
You are now ready to implement commands in the AWS CLI.

Task 3. Create an AMI Image

To create an AMI image, you need to download Broker VM VMDK file from the Cortex XSIAM Web Console, import this file to your S3 bucket, and then convert the VMDK file to an AMI Image.

In the Cortex XSIAM Web Console , select Settings → Configurations → Data Broker → Broker VMs → Add Broker → VMDK.
Download the VMDK file, such as broker-vm-<broker-vm-version>.vmdk, to your ubuntu computer.
Navigate and log in to your AWS account.
In the AWS Console, navigate to Services → Storage → S3 → Buckets.
In the S3 buckets page, + Create bucket to upload your Broker VM image to this bucket.
Specify a unique name for the S3 bucket and use the default configurations.
Upload the Broker VM VMDK you downloaded from Cortex XSIAM to the AWS S3 bucket.
Run
# aws s3 cp ~/<path/to/broker-vm-version.vmdk> s3://<your_bucket/broker-vm-version.vmdk>

Prepare the following configurations files on your hard drive.

Run the following command in the terminal.
```
# vi role-policy.json
```

Copy and paste the following syntax into the json file. Replace the <disk-image-file-bucket> and <export-bucket> with the correct bucket name. You can specify * to configure access to all your S3 buckets.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect": "Allow",
         "Action": [
            "s3:GetBucketLocation",
            "s3:GetObject",
            "s3:ListBucket" 
         ],
         "Resource": [
            "arn:aws:s3:::<disk-image-file-bucket>",
            "arn:aws:s3:::<disk-image-file-bucket>/*"
         ]
      },
      {
         "Effect": "Allow",
         "Action": [
            "s3:GetBucketLocation",
            "s3:GetObject",
            "s3:ListBucket",
            "s3:PutObject",
            "s3:GetBucketAcl"
         ],
         "Resource": [
            "arn:aws:s3:::<export-bucket>",
            "arn:aws:s3:::<export-bucket>/*"
         ]
      },
      {
         "Effect": "Allow",
         "Action": [
            "ec2:ModifySnapshotAttribute",
            "ec2:CopySnapshot",
            "ec2:RegisterImage",
            "ec2:Describe*",
            "ec2:ImportSnapshot", 
            "ec2:DescribeImportSnapshotTasks"
         ],
         "Resource": "*"
      }
   ]
}

Use the create-role command to create a role named vmimport and grant VM import and export access to the trust-policy.json file.
# aws iam create-role --role-name vmimport --assume-role-policy-document "file://trust-policy.json"
Use the put-role-policy command to attach the policy to the vmimport role created above.
# aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file:// role-policy.json"

Create a snapshot from the VMDK file.

Run the following command to start the import process:

# aws ec2 import-snapshot --description "<Cortex XSIAM Broker VM <Version>" --disk-container "file://configuration.json"

To track the progress, use the task id value from the output and run:

# aws ec2 describe-import-snapshot-tasks --import-task-ids import-snap-<task-id>

Example 90.

Completed status output example:

{
    "ImportSnapshotTasks": [
        {
            "Description": "Broker VM <version> snapshot import",
            "ImportTaskId": "import-snap-12346b69617c1395t",
            "SnapshotTaskDetail": {
                ...
                "DiskImageSize": 2976817664.0,
                "Format": "vmdk",
                "SnapshotId": "snap-1234567890",
                "Status": "completed",
                "UserBucket": {
                    "S3Bucket": "broker-vm",
                    "S3Key": "broker-vm-<version>.vmdk"
                }
            },
            "Tags": []
        }
    ]
}

Register the AMI from the snapshot.
Once the describe-import-snapshot-tasks command shows a status of completed, a new Snapshot has been created in your account. You must now register this snapshot as an AMI.
1. Locate the snapshot ID.
  In the output of your completed task, find the SnapshotId, for example snap-0123456789abcdef0. Alternatively, you can find it in the AWS Console:
  1. Navigate to Services → EC2
  2. In the left sidebar, under Elastic Block Store, select Snapshots.
  3. Locate the snapshot with the description you provided during the import.
2. Create the image from the snapshot.
  1. Select the checkbox next to your snapshot.
  2. Select Actions → Create image from snapshot.
3. Specify mandatory settings in the Create image from snapshot section.
  To ensure the Broker VM functions correctly, configure these settings in the following sections:
  - Image settings
    Architecture: x86_64
    Root device name: /dev/sda1
    Virtualization type: Hardware-assisted virtualization
    Boot mode: Legacy BIOS
  - Block device mappings - optional
    Size (GIB): 480GB
    Volume type: General Purpose SSD (gp3)
    IOPS: 3000
    Throughput (MB/s): 125
Once the task is complete, the AMI Image is ready for use.
(Optional) After the AMI image has been created, you can define a new name for the image.
Select Services → EC2 → IMAGES → AMIs and locate your AMI image using the task ID. Select the pencil icon to specify a new name.

Task 4. Launch a Broker VM Instance in AWS EC2

You can launch the a Broker VM instance in AWS EC2 using the AMI Image created.

Important

A t3.xlarge (16 GB RAM) is the lowest machine type that can be used as an instance type to meet the mandatory 4 vCPU requirement.

To view the AMI image that you added, select Services → EC2 → Images → AMIs.
Select EC2 → Instances, and click Launch instances to create an instance of the AMI image.
In the Launch Instance Wizard define the instance according to your company requirements and Launch.
(Optional) In the Instances page, locate your instance and use the pencil icon to rename the instance Name.
Define HTTPS and SSH access (optional) to your instance.
Right-click your instance, and select Networking → Change Security Groups.
In the Change Security Groups pop-up, select HTTPS to be able to access the Broker VM Web UI, and SSH to allow for remote access when troubleshooting. Make sure to allow these connections to the Broker VM from secure networks only.
Note
Assigning security groups can take up to 15 minutes.
Verify the Broker VM has started correctly.
Locate your instance, right-click, and select Instance Settings → Get Instance Screenshot.
You are directed to your Broker VM console listing your Broker details.

Task 5. Register the Broker VM

Registration of the Broker VM to Cortex XSIAM is performed from the Broker VM Web Console.

Obtain a registration token from the Cortex XSIAM Web Console by selecting Settings → Configurations → Data Broker → Broker VMs → Add Broker → Generate Token.
Determine the IP Address of the EC2 instance and use it to open the Broker VM Web Console, such as https://<ip_address>:4443.
Complete the registration process by entering the token information.