Using AWS Cloudformation

Install K2 Agents on EC2 instance using AWS Cloudformation templates.

Prerequisites

Register at k2io.net to get customerId, k2 agents release information etc.
Go through all the parameters in “Setup Configuration” and update them as per your need.
Make sure to have docker included in your EC2 AMI if you are installing Docker version of the K2.

Steps

STEP 1: Have your existing EC2 Cloudformation template ready.
- Steps below will show you how to include K2’s yml in your EC2 CFT
STEP 2: Setup Configuration :
- Update the following parameters from the sample yml below
  - k2IsDocker : Set docker or non docker install of K2 agents, true for docker install and vice versa.
  - k2IsPrivileged : Set privileged mode installation of K2 agents, true for privileged mode and vice versa.
  - k2VersionNumber : Set the K2 agents version for download for e.g. 1.10.10
  - k2CustomerId: Set your K2 customer Id for e.g. 1101
  - k2TempToken : Set the temp token for K2 agents tarball download, You can get it from K2 Manager UI.
- Copy the sample yml below with updated parameters into your EC2 CFT yml

############################ K2 Configuration #1 Starts Here  ############################
  k2IsDocker:
    Type: String
    Default: "true" #Configurable Section2
    Description: If you want to install k2 agent in docker mode then set this parameter
                 to true otherwise if in non docker mode then set it to false.
    AllowedValues:
      ["true",
      "false"]
  # k2IsPrivileged:
  #   Type: String
  #   Default: "false" #Configurable Section3
  #   Description: If you want to install k2 agent in privileged mode then set this parameter
  #                to true otherwise if in non privileged mode then set it to false.
  #   AllowedValues:
  #     ["true",
  #     "false"]
  k2VersionNumber:
    Type: String
    Default: "1.10.10" #Configurable Section4
    Description: Version of K2 agents
  k2CustomerId:
    Type: String
    Default: "1047"
    Description: Provide your customer id as provided in k2 portal.
  k2TempToken:
    Type: String
    Default: "150098005586521625452908150271764917436" #Configurable Section5
    Description: Temp token to install k2 agents tarball, You can get it from your account at k2io.net currently .
############################ K2 Configuration #1 Ends Here ############################

Step 3: Installation of K2 Agents :
- Add following yml snippet to your EC2 cloudformation provisioning section in the existing template
  - Cloudformation Init Configuration - Here we are adding helper scripts to invoke agent installation during ec2 provision.
  - K2 Agents Installation
  - K2 Demo Vulnerable App Installation

    Metadata:
############################ K2 Configuration #2 Starts Here  ############################
      AWS::CloudFormation::Init:
        configSets:
          ascending:
            - cfn_init_configuration
            - k2_install
        cfn_init_configuration:
          files:
             '/etc/cfn/cfn-hup.conf':
               content: !Sub |
                 [main]
                 stack=${AWS::StackId}
                 region=${AWS::Region}
                 interval=1
               mode: '000400'
               owner: root
               group: root
             '/lib/systemd/system/cfn-hup.service':
                content: |
                  [Unit]
                  Description=cfn-hup daemon
                  [Service]
                  Type=simple
                  ExecStart=/opt/aws/bin/cfn-hup
                  Restart=always
                  [Install]
                  WantedBy=multi-user.target
          commands:
            01enable_cfn_hup:
              command:
                systemctl enable cfn-hup.service
            02start_cfn_hup:
              command:
                systemctl start cfn-hup.service
        k2_install:
          files:
            /tmp/k2tmpinstall.sh:
              content: !Sub |
                #!/bin/bash
                sudo wget -O vm-all.zip 'k2io.net/centralmanager/api/v1/help/installers/${k2VersionNumber}/download/${k2CustomerId}/${k2TempToken}/vm-all.zip?isDocker=${k2IsDocker}&groupName=PRODUCTION&agentDeploymentEnvironment=PRODUCTION&pullPolicyRequired=false'
                sudo unzip vm-all.zip
                sudo chown -R root:root k2install
                sudo chmod 755 k2install
                cd k2install
                sudo bash k2install.sh -i prevent-web
              mode: "000777"
              owner: "root"
              group: "root"
          commands:
            k2command:
              command: bash /tmp/k2tmpinstall.sh > /tmp/k2out.log 2>&1
              cwd: /tmp/
    Properties:
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          distribution=`cat /etc/os-release | grep -w NAME | awk -F= '{print $2}' | tr -d '"'`
          if [[ -z $distribution ]]; then
            distribution=`cat /etc/*release | head -1 | awk -F' ' '{print $1}' | tr -d '"'`
            version_id=`cat /etc/*release | head -1 | awk -F' ' '{print $3}' | tr -d '"'`
          fi
          if [[ ($distribution == "Ubuntu") ]]; then
              apt-get update -y
              apt-get install -y python-setuptools
              apt-get install -y wget
              apt-get install -y unzip
          elif [[ (($distribution == "Fedora" ) || ($distribution == "CentOS Linux") || ( $distribution == "Red Hat Enterprise Linux Server") || ($distribution == "Red Hat Enterprise Linux") || ($distribution == "Amazon Linux") || ($distribution == "Amazon Linux AMI")) ]]; then
              yum update -y
              yum install -y python-setuptools
              yum install -y wget
              yum install -y unzip
          else
            echo "Didn't Update and not able to install prereqs"
          fi
          mkdir -p /opt/aws/bin
          wget https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz
          python -m easy_install --script-dir /opt/aws/bin aws-cfn-bootstrap-latest.tar.gz > /tmp/cfn-install.log 2>&1
          /opt/aws/bin/cfn-init -vvv --stack ${AWS::StackName} --resource EC2Instance -c ascending --region ${AWS::Region} > /tmp/cfn-init.log 2>&1
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource EC2Instance --region ${AWS::Region} > /tmp/cfn-signal.log 2>&1
############################ K2 Configuration #2 Ends Here  ############################

Step 4: Once your template is ready and valid, Run it via EC2 console or AWS CLI
Step 5: Launch your application with K2
- Here we are launching a demo app and final cft template is below

    Metadata:
############################ K2 Configuration #2 Starts Here  ############################
      AWS::CloudFormation::Init:
        configSets:
          ascending:
            - cfn_init_configuration
            - k2_install
            - k2_demo_app #Optional Comment it out if we don't need it.
        cfn_init_configuration:
          files:
             '/etc/cfn/cfn-hup.conf':
               content: !Sub |
                 [main]
                 stack=${AWS::StackId}
                 region=${AWS::Region}
                 interval=1
               mode: '000400'
               owner: root
               group: root
             '/lib/systemd/system/cfn-hup.service':
                content: |
                  [Unit]
                  Description=cfn-hup daemon
                  [Service]
                  Type=simple
                  ExecStart=/opt/aws/bin/cfn-hup
                  Restart=always
                  [Install]
                  WantedBy=multi-user.target
          commands:
            01enable_cfn_hup:
              command:
                systemctl enable cfn-hup.service
            02start_cfn_hup:
              command:
                systemctl start cfn-hup.service
        k2_install:
          files:
            /tmp/k2tmpinstall.sh:
              content: !Sub |
                #!/bin/bash
                sudo wget -O vm-all.zip 'k2io.net/centralmanager/api/v1/help/installers/${k2VersionNumber}/download/${k2CustomerId}/${k2TempToken}/vm-all.zip?isDocker=${k2IsDocker}&groupName=PRODUCTION&agentDeploymentEnvironment=PRODUCTION&pullPolicyRequired=false'
                sudo unzip vm-all.zip
                sudo chown -R root:root k2install
                sudo chmod 755 k2install
                cd k2install
                sudo bash k2install.sh -i prevent-web
              mode: "000777"
              owner: "root"
              group: "root"
          commands:
            k2command:
              command: bash /tmp/k2tmpinstall.sh > /tmp/k2out.log 2>&1
              cwd: /tmp/
        k2_demo_app:
          commands:
            demoapp:
              command: docker run -v /opt/k2-ic:/opt/k2-ic -itd -p 8080:8080 -e JAVA_OPTS=" -javaagent:/opt/k2-ic/K2-JavaAgent-1.0.0-jar-with-dependencies.jar" --name k2-demo-application k2cyber/ic-test-application:single-container-application
              cwd: /tmp/
    Properties:
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          distribution=`cat /etc/os-release | grep -w NAME | awk -F= '{print $2}' | tr -d '"'`
          if [[ -z $distribution ]]; then
            distribution=`cat /etc/*release | head -1 | awk -F' ' '{print $1}' | tr -d '"'`
            version_id=`cat /etc/*release | head -1 | awk -F' ' '{print $3}' | tr -d '"'`
          fi
          if [[ ($distribution == "Ubuntu") ]]; then
              apt-get update -y
              apt-get install -y python-setuptools
              apt-get install -y wget
              apt-get install -y unzip
          elif [[ (($distribution == "Fedora" ) || ($distribution == "CentOS Linux") || ( $distribution == "Red Hat Enterprise Linux Server") || ($distribution == "Red Hat Enterprise Linux") || ($distribution == "Amazon Linux") || ($distribution == "Amazon Linux AMI")) ]]; then
              yum update -y
              yum install -y python-setuptools
              yum install -y wget
              yum install -y unzip
          else
            echo "Didn't Update and not able to install prereqs"
          fi
          mkdir -p /opt/aws/bin
          wget https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz
          python -m easy_install --script-dir /opt/aws/bin aws-cfn-bootstrap-latest.tar.gz > /tmp/cfn-install.log 2>&1
          /opt/aws/bin/cfn-init -vvv --stack ${AWS::StackName} --resource EC2Instance -c ascending --region ${AWS::Region} > /tmp/cfn-init.log 2>&1
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource EC2Instance --region ${AWS::Region} > /tmp/cfn-signal.log 2>&1
############################ K2 Configuration #2 Ends Here  ############################

Complete Example

Follow some steps and use below template to deploy ec2 instance along with k2 agents

Go through all the parameters and define their default values as per your setup or pass them in cloudformation command
Provide AMIID in Mappings section as per region, you can only change one region also for your deployment.
Save the file as k2linux.yml
Run the template
- Using AWS Console
- Using AWS Cli For e.g.
  - aws cloudformation create-stack --region ${REGION_NAME} --stack-name ${PROVIDE_STACKNAME_HERE} --template-body file://${PROVIDE_TEMPLATE_NAME}
  - Example Command is below
  - aws cloudformation create-stack --region us-west-1 --stack-name ec2-k2 --template-body file://k2linux.yml

Cloudformation Template :

Setup and Configure parameters in below template as per you environment :

StackName: Name of parent stack created where VPC and networking is provisioned, it is needed to define subnet and vpc in which new EC2 instance will be created.
KeyName: Name of Key Pair from your region for public private authentication to EC2 instance, Either create a new key pair or use existing ones.
AllowedAddress: Define the addresses from where you want to give access to web server ports.
InstanceType : Define instance type for your new EC2 instance
SSHLocation : Define the addresses from where you want to give SSH access.
k2IsDocker : Set docker or non docker install of K2 agents, true for docker install and vice versa.
k2IsPrivileged : Set privileged mode installation of K2 agents, true for privileged mode and vice versa.
k2VersionNumber : Set the K2 agents version for download for e.g. 1.10.10
k2CustomerId: Set your K2 customer Id for e.g. 1101
k2TempToken : Set the temp token for K2 agents tarball download, You can get it from K2 Manager UI.

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Sample EC2 Template to deploy EC2 instance along with installing k2 agents'
Parameters:
  StackName:
    Type: String
    Default: vsrx-vpc #Configurable Section1
    Description: The name of the parent cluster stack that you created. Necessary
                 to locate and reference resources created by that stack.
  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
    Default: cftwest1 #Configurable Section1
    Type: AWS::EC2::KeyPair::KeyName
    ConstraintDescription: must be the name of an existing EC2 KeyPair.
  AllowedAddress:
    Description: Source IP address (CIDR notation) from which any access to vSRXs is allowed
    Type: String
    Default: 0.0.0.0/0
  InstanceType:
    Description: WebServer EC2 instance type
    Type: String
    Default: t2.medium
    AllowedValues: [t2.nano, t2.micro, t2.small, t2.medium, t2.large, t2.xlarge, t2.2xlarge,
      t3.nano, t3.micro, t3.small, t3.medium, t3.large, t3.xlarge, t3.2xlarge,
      m4.large, m4.xlarge, m4.2xlarge, m4.4xlarge, m4.10xlarge,
      m5.large, m5.xlarge, m5.2xlarge, m5.4xlarge,
      c5.large, c5.xlarge, c5.2xlarge, c5.4xlarge, c5.9xlarge,
      g3.8xlarge,
      r5.large, r5.xlarge, r5.2xlarge, r5.4xlarge,
      i3.xlarge, i3.2xlarge, i3.4xlarge, i3.8xlarge,
      d2.xlarge, d2.2xlarge, d2.4xlarge, d2.8xlarge]
    ConstraintDescription: must be a valid EC2 instance type.
  SSHLocation:
    Description: The IP address range that can be used to SSH to the EC2 instances
    Type: String
    MinLength: 9
    MaxLength: 18
    Default: 0.0.0.0/0
    AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
############################ K2 Configuration #1 Starts Here  ############################
  k2IsDocker:
    Type: String
    Default: "true" #Configurable Section2
    Description: If you want to install k2 agent in docker mode then set this parameter
                 to true otherwise if in non docker mode then set it to false.
    AllowedValues:
      ["true",
      "false"]
  # k2IsPrivileged:
  #   Type: String
  #   Default: "false" #Configurable Section3
  #   Description: If you want to install k2 agent in privileged mode then set this parameter
  #                to true otherwise if in non privileged mode then set it to false.
  #   AllowedValues:
  #     ["true",
  #     "false"]
  k2VersionNumber:
    Type: String
    Default: "1.10.10" #Configurable Section4
    Description: Version of K2 agents
  k2CustomerId:
    Type: String
    Default: "1047"
    Description: Provide your customer id as provided in k2 portal.
  k2TempToken:
    Type: String
    Default: "150098005586521625452908150271764917436" #Configurable Section5
    Description: Temp token to install k2 agents tarball.
############################ K2 Configuration #1 Ends Here ############################

Mappings:
  AWSRegionAMIEC2:
    us-east-1:
      CentOS7: ami-0dd3922502962f0ae
    us-west-2:
      CentOS7: ami-b55a51cc
    us-west-1:
      CentOS7: ami-05db5717b629827c2
    eu-west-1:
      CentOS7: ami-f1978897
    eu-central-1:
      CentOS7: ami-0e258161
    ap-northeast-1:
      CentOS7: ami-5c9a933b
    ap-southeast-1:
      CentOS7: ami-cb981aa8
    ap-southeast-2:
      CentOS7: ami-9a3322f9

Resources:
  EC2Instance:
    Type: AWS::EC2::Instance
    Metadata:
############################ K2 Configuration #2 Starts Here  ############################
      AWS::CloudFormation::Init:
        configSets:
          ascending:
            - cfn_init_configuration
            - k2_install
            - k2_demo_app #Optional Comment it out if we don't need it.
        cfn_init_configuration:
          files:
             '/etc/cfn/cfn-hup.conf':
               content: !Sub |
                 [main]
                 stack=${AWS::StackId}
                 region=${AWS::Region}
                 interval=1
               mode: '000400'
               owner: root
               group: root
             '/lib/systemd/system/cfn-hup.service':
                content: |
                  [Unit]
                  Description=cfn-hup daemon
                  [Service]
                  Type=simple
                  ExecStart=/opt/aws/bin/cfn-hup
                  Restart=always
                  [Install]
                  WantedBy=multi-user.target
          commands:
            01enable_cfn_hup:
              command:
                systemctl enable cfn-hup.service
            02start_cfn_hup:
              command:
                systemctl start cfn-hup.service
        k2_install:
          files:
            /tmp/k2tmpinstall.sh:
              content: !Sub |
                #!/bin/bash
                sudo wget -O vm-all.zip 'k2io.net/centralmanager/api/v1/help/installers/${k2VersionNumber}/download/${k2CustomerId}/${k2TempToken}/vm-all.zip?isDocker=${k2IsDocker}&groupName=PRODUCTION&agentDeploymentEnvironment=PRODUCTION&pullPolicyRequired=false'
                sudo unzip vm-all.zip
                sudo chown -R root:root k2install
                sudo chmod 755 k2install
                cd k2install
                sudo bash k2install.sh -i prevent-web
              mode: "000777"
              owner: "root"
              group: "root"
          commands:
            k2command:
              command: bash /tmp/k2tmpinstall.sh > /tmp/k2out.log 2>&1
              cwd: /tmp/
        k2_demo_app:
          commands:
            demoapp:
              command: docker run -v /opt/k2-ic:/opt/k2-ic -itd -p 8080:8080 -e JAVA_OPTS=" -javaagent:/opt/k2-ic/K2-JavaAgent-1.0.0-jar-with-dependencies.jar" --name k2-demo-application k2cyber/ic-test-application:single-container-application
              cwd: /tmp/
    Properties:
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          distribution=`cat /etc/os-release | grep -w NAME | awk -F= '{print $2}' | tr -d '"'`
          if [[ -z $distribution ]]; then
            distribution=`cat /etc/*release | head -1 | awk -F' ' '{print $1}' | tr -d '"'`
            version_id=`cat /etc/*release | head -1 | awk -F' ' '{print $3}' | tr -d '"'`
          fi
          if [[ ($distribution == "Ubuntu") ]]; then
              apt-get update -y
              apt-get install -y python-setuptools
              apt-get install -y wget
              apt-get install -y unzip
          elif [[ (($distribution == "Fedora" ) || ($distribution == "CentOS Linux") || ( $distribution == "Red Hat Enterprise Linux Server") || ($distribution == "Red Hat Enterprise Linux") || ($distribution == "Amazon Linux") || ($distribution == "Amazon Linux AMI")) ]]; then
              yum update -y
              yum install -y python-setuptools
              yum install -y wget
              yum install -y unzip
          else
            echo "Didn't Update and not able to install prereqs"
          fi
          mkdir -p /opt/aws/bin
          wget https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz
          python -m easy_install --script-dir /opt/aws/bin aws-cfn-bootstrap-latest.tar.gz > /tmp/cfn-install.log 2>&1
          /opt/aws/bin/cfn-init -vvv --stack ${AWS::StackName} --resource EC2Instance -c ascending --region ${AWS::Region} > /tmp/cfn-init.log 2>&1
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource EC2Instance --region ${AWS::Region} > /tmp/cfn-signal.log 2>&1
############################ K2 Configuration #2 Ends Here  ############################
# Below Parts will come from customer
      ImageId: !FindInMap
        - AWSRegionAMIEC2
        - !Ref 'AWS::Region'
        - CentOS7
      InstanceType: !Ref 'InstanceType'
      SecurityGroupIds: [{ "Fn::GetAtt" : ["InstanceSecurityGroup", "GroupId"] }]
      KeyName: !Ref 'KeyName'
      BlockDeviceMappings:
      - DeviceName: "/dev/sda1"
        Ebs:
          VolumeType: "gp2"
          DeleteOnTermination: true
          VolumeSize: 200
      SubnetId:
        Fn::ImportValue:
          !Join [':', [!Ref 'StackName', 'VPCPriSub11']] #Configurable Section1
      Tags:
        - Key: Name
          Value: Vulnerable APP with K2Agent Installed
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable SSH access via port 22
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: !Ref 'SSHLocation'
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: !Ref AllowedAddress
      - IpProtocol: tcp
        FromPort: 8080
        ToPort: 8080
        CidrIp: !Ref AllowedAddress
      VpcId:
        Fn::ImportValue:
          !Join [':', [!Ref 'StackName', 'vSRXVPC']] #Configurable Section2
Outputs:
  InstanceId:
    Description: InstanceId of the newly created EC2 instance
    Value: !Ref 'EC2Instance'
  AZ:
    Description: Availability Zone of the newly created EC2 instance
    Value: !GetAtt [EC2Instance, AvailabilityZone]

PreviousFAQs NextKubernetes

Last updated 4 years ago

Was this helpful?