Last Updated: 2023-06-01
Purpose
This article describes how to import a HIAB image on AWS environment.
Introduction
This article provides a comprehensive guide on importing a HIAB image into an AWS environment. It outlines the prerequisites, including having an AWS account and the AWS CLI installed, and details the steps for downloading the HIAB image, uploading it to an S3 bucket, and importing it using AWS commands. Additionally, it emphasizes the need for specific disk space requirements and includes instructions for creating necessary IAM roles and policies for the import process. Finally, it concludes with steps to launch the image and enroll the server after the import is complete.
Prerequisites
-
AWS account
-
AWS CLI installed:
https://aws.amazon.com/cli/
https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html
Download HIAB Image from OUTSCAN
To download the HIAB image, go to Downloads on Portal and click on the AWS image .
To start testing the HIAB in your environment you need a minimum of 40 GB to handle targets, findings, logs and reports. When going fully into production we do however recommend 60 GB. During it's life time the disc size may need to be extended as workload increases, and it is recommended to start monitoring disk space from the beginning to avoid future problems.
Also, a minimum of 350 MB of free space are required when updating the HIAB.
Upload HIAB Image to AWS S3
-
Create a non public S3 bucket.
-
Upload the HIAB image file on AWS.
Import HIAB Image from AWS S3
Follow the below procedure to import the image from AWS S3.
Create a service role
Refer to the below link for detailed information.
docs.aws.amazon.com/vm-import/latest/userguide/vmie_prereqs.html#iam-permissions-image
-
Create a file named
trust-policy.jsonon your computer. Add the following policy to the file:XML{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { "Service": "vmie.amazonaws.com" }, "Condition": { "StringEquals":{ "sts:Externalid": "vmimport" } } } ] } -
Use the
create-rolecommand to create a role namedvmimportand grant VM Import/Export access to it. Ensure that you specify the full path to the location of thetrust-policy.jsonfile that you created in the previous step.Bashaws iam create-role --role-name vmimport --assume-role-policy-document "file://C:\import\trust-policy.json" -
Create a file named
role-policy.jsonwith the following policy, where disk-image-file-bucket is the bucket for disk images and export-bucket is the bucket for exported images:Bash{ "Version":"2012-10-17", "Statement":[ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::<HIAB_OVA_DESTINATION_BUCKET>", "arn:aws:s3:::<HIAB_OVA_DESTINATION_BUCKET>/*" ] }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:GetBucketAcl" ], "Resource": [ "arn:aws:s3:::export-bucket", "arn:aws:s3:::export-bucket/*" ] }, { "Effect": "Allow", "Action": [ "ec2:ModifySnapshotAttribute", "ec2:CopySnapshot", "ec2:RegisterImage", "ec2:Describe*" ], "Resource": "*" } ] } -
Use the
put-role-policycommand to attach the policy to the role created above. Ensure that you specify the full path to the location of therole-policy.jsonfile.Bashaws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file://C:\import\role-policy.json" -
Add policy to import VM to the service role.
BashC:\Users\Test>aws --profile Test_new iam create-role --role-name vmimport --assume-role-policy-document "file://C:\Outpost24\Q&A\AWS Import-VM\trust-policy.json" { "Role": { "Path": "/", "RoleName": "vmimport", "RoleId": "[ROLE ID OUTPUT]", "Arn": "arn:aws:iam::[AWS ACCOUNT ID]:role/vmimport", "CreateDate": "2019-10-25T14:00:47Z", "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "vmie.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:Externalid": "vmimport" } } } ] } } } -
Add S3 access policy to service role.
XML{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket" ], "Resource":[ "arn:aws:s3:::<HIAB_OVA_DESTINATION_BUCKET>", "arn:aws:s3:::<HIAB_OVA_DESTINATION_BUCKET>/*" ] }, { "Effect":"Allow", "Action":[ "ec2:ModifySnapshotAttribute", "ec2:CopySnapshot", "ec2:RegisterImage", "ec2:Describe*" ], "Resource":"*" } ] }C:\Users\Test>aws --profile Test_new iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file://C:\Outpost24\Q&A\AWS Import-VM\role-policy.json" -
Import the HIAB image from the S3 bucket by giving the following command.
C:\Users\Test>aws ec2 import-image --disk-containers Format=ova,UserBucket="{S3Bucket=<HIAB_OVA_DESTINATION_BUCKET>,S3Key=image/<Outpost24-HIAB-x86_64-xxxxxxxxxx>}"
or by create JSON file to import the Image.XML[ { "Description": "HIAB", "Format": "ova", "UserBucket": { "S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>", "S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>" } } ]BashC:\Users\Test>aws --profile Test_new ec2 import-image --description "<Outpost24-HIAB-x86_64-xxxxxxxxxx>" --disk-containers "file://C:\Outpost24\Q&A\AWS Import-VM\hiab-aws-container.json" { "Description": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>", "ImportTaskId": "[import-ami-xxxxxxxxxxx]", "Progress": "2", "SnapshotDetails": [ { "DiskImageSize": 0.0, "Format": "OVA", "UserBucket": { "S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>", "S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>" } } ], "Status": "active", "StatusMessage": "pending" } -
Check the status.
BashC:\Users\Test>aws --profile Test_new ec2 describe-import-image-tasks --import-task-ids [import-ami-xxxxxxxxxxx] { "ImportImageTasks": [ { "Description": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>", "ImportTaskId": "[import-ami-xxxxxxxxxxx]", "Progress": "28", "SnapshotDetails": [ { "DiskImageSize": 2378187264.0, "Format": "VMDK", "Status": "active", "UserBucket": { "S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>", "S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>" } } ], "Status": "active", "StatusMessage": "converting" } ]BashC:\Users\Test>aws --profile Test_new ec2 describe-import-image-tasks --import-task-ids [import-ami-xxxxxxxxxxx] { "ImportImageTasks": [ { "Architecture": "x86_64", "Description": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>", "ImportTaskId": "[import-ami-xxxxxxxxxxx]", "LicenseType": "BYOL", "Platform": "Linux", "Progress": "52", "SnapshotDetails": [ { "DeviceName": "/dev/sda1", "DiskImageSize": 2378187264.0, "Format": "VMDK", "Status": "completed", "UserBucket": { "S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>", "S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>" } } ], "Status": "active", "StatusMessage": "preparing to boot" } ] }BashC:\Users\Test>aws --profile Test_new ec2 describe-import-image-tasks --import-task-ids [import-ami-xxxxxxxxxxx] { "ImportImageTasks": [ { "Architecture": "x86_64", "Description": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>", "ImportTaskId": "[import-ami-xxxxxxxxxxx]", "LicenseType": "BYOL", "Platform": "Linux", "Progress": "58", "SnapshotDetails": [ { "DeviceName": "/dev/sda1", "DiskImageSize": 2378187264.0, "Format": "VMDK", "Status": "completed", "UserBucket": { "S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>", "S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>" } } ], "Status": "active", "StatusMessage": "booting" } ] }BashC:\Users\Test>aws --profile Test_new ec2 describe-import-image-tasks --import-task-ids [import-ami-xxxxxxxxxxx] { "ImportImageTasks": [ { "Architecture": "x86_64", "Description": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>", "ImportTaskId": "[import-ami-xxxxxxxxxxx]", "LicenseType": "BYOL", "Platform": "Linux", "Progress": "69", "SnapshotDetails": [ { "DeviceName": "/dev/sda1", "DiskImageSize": 2378187264.0, "Format": "VMDK", "Status": "completed", "UserBucket": { "S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>", "S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>" } } ], "Status": "active", "StatusMessage": "booted" } ] }BashC:\Users\Test>aws --profile Test_new ec2 describe-import-image-tasks --import-task-ids [import-ami-xxxxxxxxxxx] { "ImportImageTasks": [ { "Architecture": "x86_64", "Description": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>", "ImportTaskId": "[import-ami-xxxxxxxxxxx]", "LicenseType": "BYOL", "Platform": "Linux", "Progress": "76", "SnapshotDetails": [ { "DeviceName": "/dev/sda1", "DiskImageSize": 2378187264.0, "Format": "VMDK", "Status": "completed", "UserBucket": { "S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>", "S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>" } } ], "Status": "active", "StatusMessage": "preparing ami" } ] }
BashC:\Users\Test>aws --profile Test_new ec2 describe-import-image-tasks --import-task-ids [import-ami-xxxxxxxxxxx] { "ImportImageTasks": [ { "Architecture": "x86_64", "Description": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>", "ImageId": "[ami-xxxxxxxxxxxxxxx]", "ImportTaskId": "[import-ami-xxxxxxxxxxx]", "LicenseType": "BYOL", "Platform": "Linux", "SnapshotDetails": [ { "DeviceName": "/dev/sda1", "DiskImageSize": 2378187264.0, "Format": "VMDK", "SnapshotId": "[snap-xxxxxxxxxxxxx]", "Status": "completed", "UserBucket": { "S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>", "S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>" } } ], "Status": "completed" } ] }
AWS console after importing the image.
Launch the Image
Click on Launch Instance to start using the newly created Image.
Enroll the Server
Provide the necessary information and enroll the server.
Reference
-
https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html
-
https://docs.aws.amazon.com/cli/latest/reference/ec2/import-snapshot.html
Related Articles
- Docker Image Assessment
- How to Scan AWS ECR Images
- Generate Azure Credentials
- Container Inspection - Azure
- Import Cloud Image on AWS
- Google Cloud Platform Credentials
- Microsoft Azure Credentials
- Azure Cloud Discovery
- Docker Credentials
- Amazon
- Cloud Discovery
- Scan a Docker Image
- Configure Application Gateway for HIAB on Azure
- Amazon Web Services Credentials
- Change Hard Drive Size on HIAB in Amazon Web Services
- Change Instance Type on HIAB on Amazon Web Services
- Cloud Discovery on HIAB
- Generate AWS Credentials
- Extend HIAB Disk Space on Azure
- AWS Scanning with OUTSCAN
- Cloud Assessment
- Generate GCP Credentials
- Google Registries Scanning with Container Inspection
- Deploy HIAB on Amazon Web Services
- Cloudsec Scan Configuration
- Docker Image Discovery
- Importing Tags for AWS Discovery
- Deploy HIAB on Microsoft Azure
- Vulnerabilities