Import Cloud Image on AWS
Purpose
This document describes how to import a HIAB image on AWS environment.
Introduction
The HIAB is available as downloadable image files, ready to be set up in a AWS cloud environment. They are available for Amazon Web Services environments. Following the guide enables you to download the image and set it up on you AWS environment.
Prerequisites
- AWS account
- AWS CLI installed:
https://aws.amazon.com/cli/
https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html
Download HIAB Image from OUTSCAN
To download the HIAB image, go to Downloads on Portal and click on the AWS image .
To start testing the HIAB in your environment you need a minimum of 40 GB to handle targets, findings, logs and reports. When going fully into production we do however recommend 60 GB. During it's life time the disc size may need to be extended as workload increases, and it is recommended to start monitoring disk space from the beginning to avoid future problems.
Also, a minimum of 350 MB of free space are required when updating the HIAB.
Upload HIAB Image to AWS S3
- Create a non public S3 bucket.
- Upload the HIAB image file on AWS.
Import HIAB Image from AWS S3
Follow the below procedure to import the image from AWS S3.
Create a service role
Refer to the below link for detailed information.
docs.aws.amazon.com/vm-import/latest/userguide/vmie_prereqs.html#iam-permissions-image
Create a file named
trust-policy.jsonon your computer. Add the following policy to the file:XML{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { "Service": "vmie.amazonaws.com" }, "Condition": { "StringEquals":{ "sts:Externalid": "vmimport" } } } ] }Use the
create-rolecommand to create a role namedvmimportand grant VM Import/Export access to it. Ensure that you specify the full path to the location of thetrust-policy.jsonfile that you created in the previous step.BASHaws iam create-role --role-name vmimport --assume-role-policy-document "file://C:\import\trust-policy.json"Create a file named
role-policy.jsonwith the following policy, where disk-image-file-bucket is the bucket for disk images and export-bucket is the bucket for exported images:BASH{ "Version":"2012-10-17", "Statement":[ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::<HIAB_OVA_DESTINATION_BUCKET>", "arn:aws:s3:::<HIAB_OVA_DESTINATION_BUCKET>/*" ] }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:GetBucketAcl" ], "Resource": [ "arn:aws:s3:::export-bucket", "arn:aws:s3:::export-bucket/*" ] }, { "Effect": "Allow", "Action": [ "ec2:ModifySnapshotAttribute", "ec2:CopySnapshot", "ec2:RegisterImage", "ec2:Describe*" ], "Resource": "*" } ] }Use the
put-role-policycommand to attach the policy to the role created above. Ensure that you specify the full path to the location of therole-policy.jsonfile.BASHaws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file://C:\import\role-policy.json"Add policy to import VM to the service role.
BASHC:\Users\Test>aws --profile Test_new iam create-role --role-name vmimport --assume-role-policy-document "file://C:\Outpost24\Q&A\AWS Import-VM\trust-policy.json" { "Role": { "Path": "/", "RoleName": "vmimport", "RoleId": "[ROLE ID OUTPUT]", "Arn": "arn:aws:iam::[AWS ACCOUNT ID]:role/vmimport", "CreateDate": "2019-10-25T14:00:47Z", "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "vmie.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:Externalid": "vmimport" } } } ] } } }Add S3 access policy to service role.
XML{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket" ], "Resource":[ "arn:aws:s3:::<HIAB_OVA_DESTINATION_BUCKET>", "arn:aws:s3:::<HIAB_OVA_DESTINATION_BUCKET>/*" ] }, { "Effect":"Allow", "Action":[ "ec2:ModifySnapshotAttribute", "ec2:CopySnapshot", "ec2:RegisterImage", "ec2:Describe*" ], "Resource":"*" } ] }C:\Users\Test>aws --profile Test_new iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file://C:\Outpost24\Q&A\AWS Import-VM\role-policy.json"Import the HIAB image from the S3 bucket by giving the following command.
C:\Users\Test>aws ec2 import-image --disk-containers Format=ova,UserBucket="{S3Bucket=<HIAB_OVA_DESTINATION_BUCKET>,S3Key=image/<Outpost24-HIAB-x86_64-xxxxxxxxxx>}"
or by create JSON file to import the Image.XML[ { "Description": "HIAB", "Format": "ova", "UserBucket": { "S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>", "S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>" } } ]BASHC:\Users\Test>aws --profile Test_new ec2 import-image --description "<Outpost24-HIAB-x86_64-xxxxxxxxxx>" --disk-containers "file://C:\Outpost24\Q&A\AWS Import-VM\hiab-aws-container.json" { "Description": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>", "ImportTaskId": "[import-ami-xxxxxxxxxxx]", "Progress": "2", "SnapshotDetails": [ { "DiskImageSize": 0.0, "Format": "OVA", "UserBucket": { "S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>", "S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>" } } ], "Status": "active", "StatusMessage": "pending" }Check the status.
BASHC:\Users\Test>aws --profile Test_new ec2 describe-import-image-tasks --import-task-ids [import-ami-xxxxxxxxxxx] { "ImportImageTasks": [ { "Description": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>", "ImportTaskId": "[import-ami-xxxxxxxxxxx]", "Progress": "28", "SnapshotDetails": [ { "DiskImageSize": 2378187264.0, "Format": "VMDK", "Status": "active", "UserBucket": { "S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>", "S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>" } } ], "Status": "active", "StatusMessage": "converting" } ]BASHC:\Users\Test>aws --profile Test_new ec2 describe-import-image-tasks --import-task-ids [import-ami-xxxxxxxxxxx] { "ImportImageTasks": [ { "Architecture": "x86_64", "Description": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>", "ImportTaskId": "[import-ami-xxxxxxxxxxx]", "LicenseType": "BYOL", "Platform": "Linux", "Progress": "52", "SnapshotDetails": [ { "DeviceName": "/dev/sda1", "DiskImageSize": 2378187264.0, "Format": "VMDK", "Status": "completed", "UserBucket": { "S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>", "S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>" } } ], "Status": "active", "StatusMessage": "preparing to boot" } ] }BASHC:\Users\Test>aws --profile Test_new ec2 describe-import-image-tasks --import-task-ids [import-ami-xxxxxxxxxxx] { "ImportImageTasks": [ { "Architecture": "x86_64", "Description": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>", "ImportTaskId": "[import-ami-xxxxxxxxxxx]", "LicenseType": "BYOL", "Platform": "Linux", "Progress": "58", "SnapshotDetails": [ { "DeviceName": "/dev/sda1", "DiskImageSize": 2378187264.0, "Format": "VMDK", "Status": "completed", "UserBucket": { "S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>", "S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>" } } ], "Status": "active", "StatusMessage": "booting" } ] }BASHC:\Users\Test>aws --profile Test_new ec2 describe-import-image-tasks --import-task-ids [import-ami-xxxxxxxxxxx] { "ImportImageTasks": [ { "Architecture": "x86_64", "Description": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>", "ImportTaskId": "[import-ami-xxxxxxxxxxx]", "LicenseType": "BYOL", "Platform": "Linux", "Progress": "69", "SnapshotDetails": [ { "DeviceName": "/dev/sda1", "DiskImageSize": 2378187264.0, "Format": "VMDK", "Status": "completed", "UserBucket": { "S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>", "S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>" } } ], "Status": "active", "StatusMessage": "booted" } ] }BASHC:\Users\Test>aws --profile Test_new ec2 describe-import-image-tasks --import-task-ids [import-ami-xxxxxxxxxxx] { "ImportImageTasks": [ { "Architecture": "x86_64", "Description": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>", "ImportTaskId": "[import-ami-xxxxxxxxxxx]", "LicenseType": "BYOL", "Platform": "Linux", "Progress": "76", "SnapshotDetails": [ { "DeviceName": "/dev/sda1", "DiskImageSize": 2378187264.0, "Format": "VMDK", "Status": "completed", "UserBucket": { "S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>", "S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>" } } ], "Status": "active", "StatusMessage": "preparing ami" } ] }
BASHC:\Users\Test>aws --profile Test_new ec2 describe-import-image-tasks --import-task-ids [import-ami-xxxxxxxxxxx] { "ImportImageTasks": [ { "Architecture": "x86_64", "Description": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>", "ImageId": "[ami-xxxxxxxxxxxxxxx]", "ImportTaskId": "[import-ami-xxxxxxxxxxx]", "LicenseType": "BYOL", "Platform": "Linux", "SnapshotDetails": [ { "DeviceName": "/dev/sda1", "DiskImageSize": 2378187264.0, "Format": "VMDK", "SnapshotId": "[snap-xxxxxxxxxxxxx]", "Status": "completed", "UserBucket": { "S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>", "S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>" } } ], "Status": "completed" } ] }
AWS console after importing the image.
Launch the Image
Click on Launch Instance to start using the newly created Image.
Enroll the Server
Provide the necessary information and enroll the server.
Copyright
© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Trademark
Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.