After you review the requirements and make sure that your Amazon Web Services (AWS) environment is configured as needed, you can deploy the AWS Sensor. Using the AWS CloudFormation Template provided by LevelBlue, you automatically deploy USM Anywhere as a service into your environment. The following procedure describes how to launch the AWS Sensor when provisioning the USM Anywhere service for the first time. In this process, you launch the USM Anywhere product from the AWS Management Console using the AWS CloudFormation template.
Important: If you are using these instructions to redeploy an existing AWS Sensor, your IP address will not be the same as for your previous sensor. After these steps are complete, you must also update any syslog or NXLog log collection, and any port mirroring to use the new IP address.
To create a new sensor in the AWS Management Console
  1. Log in to the AWS Management Console.
  2. Under Find Services, enter a name, keyword, or acronym to launch the AWS CloudFormation service page.
  3. In the upper right corner, click Create stack, and then select With new resources (standard).
  4. Go to the USM Anywhere Sensor Downloads page, click the icon of your specific sensor, and copy the URL.
  5. Use the copied URL in the Amazon Simple Storage Service (S3) URL field.
  6. Click Next, and then click Next again to continue.
  7. On the Specify stack details page, in the Stack name text box, enter a name to identify the stack. The name must be one word. Use hyphens if desired. For example, you could call the stack “USM-sensor-1”.
  8. Set parameters for the AWS Sensor:
    Note: The volume size should be prefilled. You can leave this setting at the default value.
    • In the USM Anywhere Sensor Name text box, enter a name for the sensor. This is usually the same as the stack name.
    • In the Key Name list, select the key pair that allows SSH connections to the sensor. See AWS documentation, Create or import a key pair, for more information.
    • In the Traffic Mirroring Mode list, select Yes to deploy a sensor ready for VPC traffic mirroring, or select No to deploy a sensor without those additional considerations.
      Note: See Enabling VPC Traffic Mirroring for more information on this feature.
    • In the HTTP Access Range text box, specify the IP address range that allows HTTP access to the sensor.
    • In the SSH Access Range text box, specify the IP address range that allows SSH access to the sensor.
  9. Click Next.
  10. Select the appropriate VPC ID and subnet ID, specify whether to use a public or private IP address, and then click Next.
    Important: If you choose to deploy your sensor with a public IP address, the subnet you select must have Auto-assign public IPv4 address enabled.
  11. (Optional.) On the Configure stack options page, set tags for the instance, and then click Next.
  12. On the Review page, select the checkbox at the bottom of the page next to the statement “I acknowledge that AWS CloudFormation might create IAM resources.”
  13. Click Create stack.
  14. In the Stacks page, confirm that your newly-created stack status reads like this: CREATE_IN_PROGRESS Stack creation typically takes about 15 minutes. When the stack build is complete, you see the following confirmation: CREATE_COMPLETE
    Note: See the Troubleshooting CloudFormation page for more information about the possible errors with your AWS CloudFormation stack.
  15. After your new stack is complete, click the Outputs tab and locate the URL.
    This URL is based on the public address of your deployed sensor (http://<ip-address>). Make note of this address so that you have it for configuring your data sources to send data to the AWS Sensor. See the AWS documentation for more information about managing public IPv4 addresses.
  16. Click the URL link to launch the USM Anywhere Sensor Setup page.
See Connect the AWS Sensor to USM Anywhere.