SecurityMonkey AWS CloudFormation Template
Stand up an AWS CloudFormation stack running SecurityMonkey v0.6.0 (2016-08-29)
This CloudFormation stack creates a single EC2 instance in a public subnet of a VPC, running SecurityMonkey and storing data in an Postgresql RDS DB in MultiAZ configuration. Both the EC2 instance and RDS db will be created and configured with security groups. A VPC and subnets will be also created.
AWS resources it creates
- VPC with a public subnet in AZ1 and 2 RDS subnets in AZ1 and AZ2.
- An EC2 instance with Security Monkey installed: you can see all steps to install Security Monkey in the template, a self signed SSL certificate is created as part of the insallation script.
- RDS Postgresql MultiAZ instance
- Security Group for Security Monkey Server allowing SSH and HTTPS traffic from the specified network at deployment time. Another SG for RDS to allow the EC2 instance talk to the RDS instance.
This template downloads, installs and configures Security Monkey (master branch) and all its dependences on top of an official Ubuntu 14.04LTS AMI.
- AWS Account
- Access to the the AWS Admin Console UI.
- Key to deploy EC2 instances
- Preconfigured SecurityMonkeyInstanceProfile role. Follow all of these instructions: https://github.com/Netflix/security_monkey/blob/master/docs/quickstart.rst#setup-iam-roles
- Accept the Ubuntu terms and conditions in AWS Marketplace here http://aws.amazon.com/marketplace/pp?sku=b3dl4415quatdndl4qa6kcu45
You must provide values for the following parameters (look at the template for descriptions):
To customize the security profile of your stack, also override the default values of those parameters.
After deployment steps
- SSH to your Security Monkey Server and add your admin user using the Security Monkey manage.py tool.
ssh -i yourkey.pem ubuntu@PUBLIC_IP
- Add an admin user to Security Monkey:
export SECURITY_MONKEY_SETTINGS=/usr/local/src/security_monkey/env-config/config-deploy.py cd /usr/local/src/security_monkey python manage.py create_user email@example.com Admin
- Add your first AWS account (this can also be done through the web app):
python manage.py add_account --number AWSaccountID --name AccountName
- Each time you add an account securitymonkeyscheduler has to be restarted manually:
$ sudo supervisorctl supervisor> restart securitymonkeyscheduler
- If you haven't set up the email configuration properly at deployment you can do it by editing /usr/local/src/security_monkey/env-config/config-deploy.py and then restarting supervisor.
$ sudo service supervisor restart
- Security Monkey logs are in /var/log/security_monkey
- Supervisor logs are in /var/log/supervisor
- Instance where Security Monkey Server runs will have a Public IP address to make the access easier but it is not mandatory and not recommended for production.
- Security Monkey Log Level should not be DEBUG, INFO will be fine.
- Use you own SSL certificate instead of a self signed certificate.
- Read this: http://securitymonkey.readthedocs.io/en/latest/quickstart.html#productionalizing-security-monkey
- For more information about Security Monkey please refer to the official documentation site: http://securitymonkey.readthedocs.io/en/latest/
Part of this template is inspired on another template from https://github.com/trumant/securitymonkey_cloudformation but updated without using Ruby and with few more options in order to allow Security Monkey configuration from the template deployment form.