AWS Linux VM

Automatic installation of the Spyderbat AWS Agent on an AWS EC2 instance

This guide provides detailed instructions on how to deploy the Spyderbat AWS Agent on an AWS Virtual Machine (VM). The AWS Agent runs as a systemd service on the VM to ensure continuous operation. Deploying the agent on an AWS VM gives you complete control over the environment and configuration, allowing you to integrate AWS context into the Spyderbat Platform.

Prerequisites

Before deploying the Spyderbat AWS Agent on an AWS VM, make sure you have the following prerequisites in place:

Sudo Permissions: You will need sudo permissions to install the Spyderbat AWS Agent.
Outbound Network Access: The system you’re installing Spyderbat's AWS Agent on should have outbound access on port 443 to https://orc.spyderbat.com.
AWS Account: You need an AWS account with administrative access to create and configure resources. The VM must be launched within the AWS account that you wish to monitor.
VM Instance Profile with Required IAM Role: The VM must have an instance profile attached that includes an IAM Role with the following permissions:
- EC2: ec2:Describe*
- EKS: eks:List*, eks:Describe*
- IAM Roles and Policies: iam:Get*, iam:List*, iam:Put*
- ECR: ecr:Describe*, ecr:List*, ecr:Get*
- STS: sts:AssumeRole, sts:AssumeRoleWithWebIdentity
- Secrets Manager (Optional): Access to the ARN of the configured secret for the registration key.

Here is an example permissions policy that can be used when creating the role

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"ec2:Describe*",
				"eks:List*",
				"eks:Describe*",
				"organizations:ListDelegatedAdministrators",
				"organizations:DescribeOrganization",
				"organizations:DescribeOrganizationalUnit",
				"organizations:DescribeAccount",
				"organizations:ListAWSServiceAccessForOrganization",
				"iam:Get*",
				"iam:List*",
 				"iam:Put*",
				"ecr:Describe*",
				"ecr:List*",
				"ecr:Get*"
			],
			"Resource": "*"
		}
	]
}

Step-by-Step Deployment

Step 1: Launch an AWS VM

Launch an AWS VM within the AWS account you wish to monitor. The instance should be configured with the following settings:

Amazon Machine Image (AMI): Use an AMI that supports Linux (e.g., Amazon Linux 2, Ubuntu).
Instance Type: Choose an instance type suitable for your workload (e.g., t3.medium).
Network Settings: Ensure the instance has access to the internet or appropriate VPC configuration for accessing AWS APIs.
IAM Role: Attach the IAM Role created earlier with the required permissions.
Configure storage and other instance details as needed.

Step 2: Connect to the VM and Install Dependencies

Install Docker by following the official Docker installation guide.

Step 3: Install the Spyderbat AWS Agent

Log in to the Spyderbat UI
Navigate to the Sources menu (top left)
Click on the Add Source button, and select Install AWS Agent

This will bring you to the following screen:

The agent installation command is obtained from the Spyderbat UI that you can execute on the VM. Click on the tab 'curl' there, and then the command below will be provided that you can paste. If you do not have Curl installed on your system, select the 'wget' tab to copy this command instead. Then use that in the VM to install the agent.

Here's how the curl command will look like

curl --retry 5 https://orc.spyderbat.com/v1/reg/<registration-key>/script?agentType=aws_agent -o installSpyderbatAws.sh
sudo -E /bin/sh ./installSpyderbatAws.sh

Now execute this script on the AWS VM.

Step 4: Verify Integration

The CLI and UI both provide you with feedback on the process. In the UI, check marks of the install progress will be displayed. Once the Spyderbat AWS Agent is installed, registers with Spyderbat, and is transmitting data, you will see that the agent was installed successfully both in your terminal and in the Spyderbat UI.

Managing the AWS Agent Service

The Spyderbat AWS Agent runs as a systemd service (aws_agent.service) on the VM. You can use the following commands to manage the AWS Agent service:

Check Service Status:
```
sudo systemctl status aws_agent.service
```
Start the Service:
```
sudo systemctl start aws_agent.service
```
Stop the Service:
```
sudo systemctl stop aws_agent.service
```

Restart the Service:

sudo systemctl restart aws_agent.service

View Service Logs:
```
sudo journalctl -u aws_agent.service
```

Troubleshooting

Agent Logs: Check the agent logs using the following command:
```
sudo journalctl -u aws_agent.service
```
Permission Issues: Ensure the IAM Role attached to the VM has the correct permissions as listed in the prerequisites.
Network Connectivity: Verify that the VM has access to the internet or the required VPC endpoints to communicate with AWS services.

Next Steps

Once the AWS Agent is successfully deployed and integrated, you can proceed to use the spyderbat platform to monitor and investigate your assets.
The AWS Agents behavior can be customized using a configuration file. For more details on advanced configuration of the agent, consult they Spyderbat AWS Agent Configuration Guide

Last updated 9 months ago

Was this helpful?

hashtagPrerequisites

hashtagStep-by-Step Deployment

hashtagStep 1: Launch an AWS VM

hashtagStep 2: Connect to the VM and Install Dependencies

hashtagStep 3: Install the Spyderbat AWS Agent

hashtagStep 4: Verify Integration

hashtagManaging the AWS Agent Service

hashtagTroubleshooting

hashtagNext Steps