Using AWS CloudFormation
Install K2 agents on an EC2 instance using AWS CloudFormation templates.
Prerequisites
Register at k2io.net to get your customerId, K2 agent release information, etc.
Go through all the parameters in “Setup Configuration” and update them as per your needs.
Make sure Docker is included in your EC2 AMI if you are installing the Docker version of the K2 agents.
Steps
STEP 1: Have your existing EC2 CloudFormation template (CFT) ready.
The steps below show how to include K2’s YAML in your EC2 CFT.
STEP 2: Setup Configuration:
Update the following parameters in the sample YAML below.
k2IsDocker: Selects a Docker or non-Docker install of the K2 agents; true for a Docker install, false otherwise.
k2IsPrivileged: Selects privileged-mode installation of the K2 agents; true for privileged mode, false otherwise.
k2VersionNumber: The K2 agent version to download, e.g. 1.10.10
k2CustomerId: Your K2 customer ID, e.g. 1101
k2TempToken: The temporary token for downloading the K2 agent tarball. You can get it from the K2 Manager UI.
Copy the sample YAML below, with the updated parameters, into your EC2 CFT YAML.
  ############################ K2 Configuration #1 Starts Here ############################
  k2IsDocker:
    Type: String
    Default: "true" #Configurable Section2
    Description: If you want to install k2 agent in docker mode then set this parameter
      to true otherwise if in non docker mode then set it to false.
    AllowedValues:
      ["true",
       "false"]
  # k2IsPrivileged:
  #   Type: String
  #   Default: "false" #Configurable Section3
  #   Description: If you want to install k2 agent in privileged mode then set this parameter
  #     to true otherwise if in non privileged mode then set it to false.
  #   AllowedValues:
  #     ["true",
  #      "false"]
  k2VersionNumber:
    Type: String
    Default: "1.10.10" #Configurable Section4
    Description: Version of K2 agents
  k2CustomerId:
    Type: String
    Default: "1047"
    Description: Provide your customer id as provided in k2 portal.
  k2TempToken:
    Type: String
    Default: "150098005586521625452908150271764917436" #Configurable Section5
    Description: Temp token to install the k2 agents tarball. You can currently get it from your account at k2io.net.
  ############################ K2 Configuration #1 Ends Here ############################
Step 3: Installation of K2 Agents:
Add the following YAML snippet to the EC2 provisioning section of your existing CloudFormation template. It covers:
CloudFormation Init configuration - the cfn-hup helper scripts used to invoke the agent installation during EC2 provisioning.
K2 agent installation.
K2 demo vulnerable app installation (optional; shown in Step 5).
    Metadata:
      ############################ K2 Configuration #2 Starts Here ############################
      AWS::CloudFormation::Init:
        configSets:
          ascending:
            - cfn_init_configuration
            - k2_install
        cfn_init_configuration:
          files:
            '/etc/cfn/cfn-hup.conf':
              content: !Sub |
                [main]
                stack=${AWS::StackId}
                region=${AWS::Region}
                interval=1
              mode: '000400'
              owner: root
              group: root
            '/lib/systemd/system/cfn-hup.service':
              content: |
                [Unit]
                Description=cfn-hup daemon
                [Service]
                Type=simple
                ExecStart=/opt/aws/bin/cfn-hup
                Restart=always
                [Install]
                WantedBy=multi-user.target
          commands:
            01enable_cfn_hup:
              command:
                systemctl enable cfn-hup.service
            02start_cfn_hup:
              command:
                systemctl start cfn-hup.service
        k2_install:
          files:
            /tmp/k2tmpinstall.sh:
              content: !Sub |
                #!/bin/bash
                sudo wget -O vm-all.zip 'k2io.net/centralmanager/api/v1/help/installers/${k2VersionNumber}/download/${k2CustomerId}/${k2TempToken}/vm-all.zip?isDocker=${k2IsDocker}&groupName=PRODUCTION&agentDeploymentEnvironment=PRODUCTION&pullPolicyRequired=false'
                sudo unzip vm-all.zip
                sudo chown -R root:root k2install
                sudo chmod 755 k2install
                cd k2install
                sudo bash k2install.sh -i prevent-web
              mode: "000777"
              owner: "root"
              group: "root"
          commands:
            k2command:
              command: bash /tmp/k2tmpinstall.sh > /tmp/k2out.log 2>&1
              cwd: /tmp/
    Properties:
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          distribution=`cat /etc/os-release | grep -w NAME | awk -F= '{print $2}' | tr -d '"'`
          if [[ -z $distribution ]]; then
            distribution=`cat /etc/*release | head -1 | awk -F' ' '{print $1}' | tr -d '"'`
            version_id=`cat /etc/*release | head -1 | awk -F' ' '{print $3}' | tr -d '"'`
          fi
          if [[ ($distribution == "Ubuntu") ]]; then
            apt-get update -y
            apt-get install -y python-setuptools
            apt-get install -y wget
            apt-get install -y unzip
          elif [[ (($distribution == "Fedora" ) || ($distribution == "CentOS Linux") || ( $distribution == "Red Hat Enterprise Linux Server") || ($distribution == "Red Hat Enterprise Linux") || ($distribution == "Amazon Linux") || ($distribution == "Amazon Linux AMI")) ]]; then
            yum update -y
            yum install -y python-setuptools
            yum install -y wget
            yum install -y unzip
          else
            echo "Didn't Update and not able to install prereqs"
          fi
          mkdir -p /opt/aws/bin
          wget https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz
          python -m easy_install --script-dir /opt/aws/bin aws-cfn-bootstrap-latest.tar.gz > /tmp/cfn-install.log 2>&1
          /opt/aws/bin/cfn-init -vvv --stack ${AWS::StackName} --resource EC2Instance -c ascending --region ${AWS::Region} > /tmp/cfn-init.log 2>&1
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource EC2Instance --region ${AWS::Region} > /tmp/cfn-signal.log 2>&1
      ############################ K2 Configuration #2 Ends Here ############################
Step 4: Once your template is ready and valid, run it via the EC2 console or the AWS CLI.
Step 5: Launch your application with K2
Here we launch a demo app; the final CFT template section is below.
    Metadata:
      ############################ K2 Configuration #2 Starts Here ############################
      AWS::CloudFormation::Init:
        configSets:
          ascending:
            - cfn_init_configuration
            - k2_install
            - k2_demo_app #Optional Comment it out if we don't need it.
        cfn_init_configuration:
          files:
            '/etc/cfn/cfn-hup.conf':
              content: !Sub |
                [main]
                stack=${AWS::StackId}
                region=${AWS::Region}
                interval=1
              mode: '000400'
              owner: root
              group: root
            '/lib/systemd/system/cfn-hup.service':
              content: |
                [Unit]
                Description=cfn-hup daemon
                [Service]
                Type=simple
                ExecStart=/opt/aws/bin/cfn-hup
                Restart=always
                [Install]
                WantedBy=multi-user.target
          commands:
            01enable_cfn_hup:
              command:
                systemctl enable cfn-hup.service
            02start_cfn_hup:
              command:
                systemctl start cfn-hup.service
        k2_install:
          files:
            /tmp/k2tmpinstall.sh:
              content: !Sub |
                #!/bin/bash
                sudo wget -O vm-all.zip 'k2io.net/centralmanager/api/v1/help/installers/${k2VersionNumber}/download/${k2CustomerId}/${k2TempToken}/vm-all.zip?isDocker=${k2IsDocker}&groupName=PRODUCTION&agentDeploymentEnvironment=PRODUCTION&pullPolicyRequired=false'
                sudo unzip vm-all.zip
                sudo chown -R root:root k2install
                sudo chmod 755 k2install
                cd k2install
                sudo bash k2install.sh -i prevent-web
              mode: "000777"
              owner: "root"
              group: "root"
          commands:
            k2command:
              command: bash /tmp/k2tmpinstall.sh > /tmp/k2out.log 2>&1
              cwd: /tmp/
        k2_demo_app:
          commands:
            demoapp:
              command: docker run -v /opt/k2-ic:/opt/k2-ic -itd -p 8080:8080 -e JAVA_OPTS=" -javaagent:/opt/k2-ic/K2-JavaAgent-1.0.0-jar-with-dependencies.jar" --name k2-demo-application k2cyber/ic-test-application:single-container-application
              cwd: /tmp/
    Properties:
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          distribution=`cat /etc/os-release | grep -w NAME | awk -F= '{print $2}' | tr -d '"'`
          if [[ -z $distribution ]]; then
            distribution=`cat /etc/*release | head -1 | awk -F' ' '{print $1}' | tr -d '"'`
            version_id=`cat /etc/*release | head -1 | awk -F' ' '{print $3}' | tr -d '"'`
          fi
          if [[ ($distribution == "Ubuntu") ]]; then
            apt-get update -y
            apt-get install -y python-setuptools
            apt-get install -y wget
            apt-get install -y unzip
          elif [[ (($distribution == "Fedora" ) || ($distribution == "CentOS Linux") || ( $distribution == "Red Hat Enterprise Linux Server") || ($distribution == "Red Hat Enterprise Linux") || ($distribution == "Amazon Linux") || ($distribution == "Amazon Linux AMI")) ]]; then
            yum update -y
            yum install -y python-setuptools
            yum install -y wget
            yum install -y unzip
          else
            echo "Didn't Update and not able to install prereqs"
          fi
          mkdir -p /opt/aws/bin
          wget https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz
          python -m easy_install --script-dir /opt/aws/bin aws-cfn-bootstrap-latest.tar.gz > /tmp/cfn-install.log 2>&1
          /opt/aws/bin/cfn-init -vvv --stack ${AWS::StackName} --resource EC2Instance -c ascending --region ${AWS::Region} > /tmp/cfn-init.log 2>&1
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource EC2Instance --region ${AWS::Region} > /tmp/cfn-signal.log 2>&1
      ############################ K2 Configuration #2 Ends Here ############################
Complete Example
Follow these steps and use the template below to deploy an EC2 instance along with the K2 agents:
Go through all the parameters and define their default values as per your setup, or pass them in the CloudFormation command.
Provide the AMI ID in the Mappings section for each region; you may also change only the single region you deploy to.
Save the file as k2linux.yml
Run the template:
Using the AWS Console
Using the AWS CLI, for example:
aws cloudformation create-stack --region ${REGION_NAME} --stack-name ${PROVIDE_STACKNAME_HERE} --template-body file://${PROVIDE_TEMPLATE_NAME}
An example command is below:
aws cloudformation create-stack --region us-west-1 --stack-name ec2-k2 --template-body file://k2linux.yml
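Rather than leaving k2TempToken as a Default: in a template that gets checked in, the K2 and network parameters can be passed on the create-stack command line; the helper below, added here as an example and not part of the K2 project, checks the values against the constraints the k2linux.yml template declares and assembles that command. It assumes the parameter names from k2linux.yml and adds a stricter IPv4 CIDR check than the template's AllowedPattern, warning when SSHLocation or AllowedAddress is left at the 0.0.0.0/0 default.

```python
import ipaddress
import re
import shlex

# Constraints mirror the Parameters section of k2linux.yml shown on this page;
# the strict IPv4Network check is an assumption tighter than the template's regex.
BOOL_VALUES = {"true", "false"}
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")
NETWORK_KEYS = ("SSHLocation", "AllowedAddress")


def validate_k2_parameters(params):
    """Return (errors, warnings): errors block deployment, warnings flag the
    exposure that the template's 0.0.0.0/0 defaults would silently allow."""
    errors, warnings = [], []
    if params.get("k2IsDocker") not in BOOL_VALUES:
        errors.append("k2IsDocker must be the string 'true' or 'false'")
    if not VERSION_RE.match(params.get("k2VersionNumber", "")):
        errors.append("k2VersionNumber must look like 1.10.10")
    if not params.get("k2CustomerId", "").isdigit():
        errors.append("k2CustomerId must be the numeric id from the K2 portal")
    if not params.get("k2TempToken", "").strip():
        errors.append("k2TempToken is required; take it from the K2 Manager UI")
    for key in NETWORK_KEYS:
        cidr = params.get(key, "")
        try:
            # strict=True rejects host bits (10.0.0.5/8) and 999.1.1.1/8, both of
            # which the template's \d{1,3} AllowedPattern would accept.
            net = ipaddress.IPv4Network(cidr, strict=True)
        except ValueError:
            errors.append(f"{key} must be a valid IPv4 CIDR such as 203.0.113.0/24")
            continue
        if net.prefixlen == 0:
            warnings.append(f"{key} is {cidr}: its security group rule is open to the internet")
    return errors, warnings


def build_create_stack_command(stack_name, region, template, params):
    """Assemble the aws cloudformation create-stack command with explicit
    --parameters, so no secret has to live in a Default: inside the template."""
    argv = ["aws", "cloudformation", "create-stack",
            "--region", region, "--stack-name", stack_name,
            "--template-body", f"file://{template}", "--parameters"]
    argv += [f"ParameterKey={k},ParameterValue={v}" for k, v in params.items()]
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed sample values; the token is a placeholder, not a real one.
    sample = {"k2IsDocker": "true", "k2VersionNumber": "1.10.10",
              "k2CustomerId": "1101", "k2TempToken": "PLACEHOLDER-TOKEN",
              "SSHLocation": "203.0.113.0/24", "AllowedAddress": "0.0.0.0/0"}
    errors, warnings = validate_k2_parameters(sample)
    print("\n".join(errors + warnings))
    if not errors:
        print(build_create_stack_command("ec2-k2", "us-west-1", "k2linux.yml", sample))
```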
CloudFormation Template:
Set up and configure the parameters in the template below as per your environment:
StackName: Name of the parent stack in which the VPC and networking are provisioned; it is needed to locate the subnet and VPC in which the new EC2 instance will be created.
KeyName: Name of a key pair in your region for public/private key authentication to the EC2 instance. Either create a new key pair or use an existing one.
AllowedAddress: The addresses from which you want to allow access to the web server ports.
InstanceType: The instance type for your new EC2 instance.
SSHLocation: The addresses from which you want to allow SSH access.
k2IsDocker: Selects a Docker or non-Docker install of the K2 agents; true for a Docker install, false otherwise.
k2IsPrivileged: Selects privileged-mode installation of the K2 agents; true for privileged mode, false otherwise.
k2VersionNumber: The K2 agent version to download, e.g. 1.10.10
k2CustomerId: Your K2 customer ID, e.g. 1101
k2TempToken: The temporary token for downloading the K2 agent tarball. You can get it from the K2 Manager UI.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Sample EC2 Template to deploy EC2 instance along with installing k2 agents'
Parameters:
  StackName:
    Type: String
    Default: vsrx-vpc #Configurable Section1
    Description: The name of the parent cluster stack that you created. Necessary
      to locate and reference resources created by that stack.
  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
    Default: cftwest1 #Configurable Section1
    Type: AWS::EC2::KeyPair::KeyName
    ConstraintDescription: must be the name of an existing EC2 KeyPair.
  AllowedAddress:
    Description: Source IP address (CIDR notation) from which any access to vSRXs is allowed
    Type: String
    Default: 0.0.0.0/0
  InstanceType:
    Description: WebServer EC2 instance type
    Type: String
    Default: t2.medium
    AllowedValues: [t2.nano, t2.micro, t2.small, t2.medium, t2.large, t2.xlarge, t2.2xlarge,
      t3.nano, t3.micro, t3.small, t3.medium, t3.large, t3.xlarge, t3.2xlarge,
      m4.large, m4.xlarge, m4.2xlarge, m4.4xlarge, m4.10xlarge,
      m5.large, m5.xlarge, m5.2xlarge, m5.4xlarge,
      c5.large, c5.xlarge, c5.2xlarge, c5.4xlarge, c5.9xlarge,
      g3.8xlarge,
      r5.large, r5.xlarge, r5.2xlarge, r5.4xlarge,
      i3.xlarge, i3.2xlarge, i3.4xlarge, i3.8xlarge,
      d2.xlarge, d2.2xlarge, d2.4xlarge, d2.8xlarge]
    ConstraintDescription: must be a valid EC2 instance type.
  SSHLocation:
    Description: The IP address range that can be used to SSH to the EC2 instances
    Type: String
    MinLength: 9
    MaxLength: 18
    Default: 0.0.0.0/0
    AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
  ############################ K2 Configuration #1 Starts Here ############################
  k2IsDocker:
    Type: String
    Default: "true" #Configurable Section2
    Description: If you want to install k2 agent in docker mode then set this parameter
      to true otherwise if in non docker mode then set it to false.
    AllowedValues:
      ["true",
       "false"]
  # k2IsPrivileged:
  #   Type: String
  #   Default: "false" #Configurable Section3
  #   Description: If you want to install k2 agent in privileged mode then set this parameter
  #     to true otherwise if in non privileged mode then set it to false.
  #   AllowedValues:
  #     ["true",
  #      "false"]
  k2VersionNumber:
    Type: String
    Default: "1.10.10" #Configurable Section4
    Description: Version of K2 agents
  k2CustomerId:
    Type: String
    Default: "1047"
    Description: Provide your customer id as provided in k2 portal.
  k2TempToken:
    Type: String
    Default: "150098005586521625452908150271764917436" #Configurable Section5
    Description: Temp token to install k2 agents tarball.
  ############################ K2 Configuration #1 Ends Here ############################
Mappings:
  AWSRegionAMIEC2:
    us-east-1:
      CentOS7: ami-0dd3922502962f0ae
    us-west-2:
      CentOS7: ami-b55a51cc
    us-west-1:
      CentOS7: ami-05db5717b629827c2
    eu-west-1:
      CentOS7: ami-f1978897
    eu-central-1:
      CentOS7: ami-0e258161
    ap-northeast-1:
      CentOS7: ami-5c9a933b
    ap-southeast-1:
      CentOS7: ami-cb981aa8
    ap-southeast-2:
      CentOS7: ami-9a3322f9
Resources:
  EC2Instance:
    Type: AWS::EC2::Instance
    Metadata:
      ############################ K2 Configuration #2 Starts Here ############################
      AWS::CloudFormation::Init:
        configSets:
          ascending:
            - cfn_init_configuration
            - k2_install
            - k2_demo_app #Optional Comment it out if we don't need it.
        cfn_init_configuration:
          files:
            '/etc/cfn/cfn-hup.conf':
              content: !Sub |
                [main]
                stack=${AWS::StackId}
                region=${AWS::Region}
                interval=1
              mode: '000400'
              owner: root
              group: root
            '/lib/systemd/system/cfn-hup.service':
              content: |
                [Unit]
                Description=cfn-hup daemon
                [Service]
                Type=simple
                ExecStart=/opt/aws/bin/cfn-hup
                Restart=always
                [Install]
                WantedBy=multi-user.target
          commands:
            01enable_cfn_hup:
              command:
                systemctl enable cfn-hup.service
            02start_cfn_hup:
              command:
                systemctl start cfn-hup.service
        k2_install:
          files:
            /tmp/k2tmpinstall.sh:
              content: !Sub |
                #!/bin/bash
                sudo wget -O vm-all.zip 'k2io.net/centralmanager/api/v1/help/installers/${k2VersionNumber}/download/${k2CustomerId}/${k2TempToken}/vm-all.zip?isDocker=${k2IsDocker}&groupName=PRODUCTION&agentDeploymentEnvironment=PRODUCTION&pullPolicyRequired=false'
                sudo unzip vm-all.zip
                sudo chown -R root:root k2install
                sudo chmod 755 k2install
                cd k2install
                sudo bash k2install.sh -i prevent-web
              mode: "000777"
              owner: "root"
              group: "root"
          commands:
            k2command:
              command: bash /tmp/k2tmpinstall.sh > /tmp/k2out.log 2>&1
              cwd: /tmp/
        k2_demo_app:
          commands:
            demoapp:
              command: docker run -v /opt/k2-ic:/opt/k2-ic -itd -p 8080:8080 -e JAVA_OPTS=" -javaagent:/opt/k2-ic/K2-JavaAgent-1.0.0-jar-with-dependencies.jar" --name k2-demo-application k2cyber/ic-test-application:single-container-application
              cwd: /tmp/
    Properties:
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          distribution=`cat /etc/os-release | grep -w NAME | awk -F= '{print $2}' | tr -d '"'`
          if [[ -z $distribution ]]; then
            distribution=`cat /etc/*release | head -1 | awk -F' ' '{print $1}' | tr -d '"'`
            version_id=`cat /etc/*release | head -1 | awk -F' ' '{print $3}' | tr -d '"'`
          fi
          if [[ ($distribution == "Ubuntu") ]]; then
            apt-get update -y
            apt-get install -y python-setuptools
            apt-get install -y wget
            apt-get install -y unzip
          elif [[ (($distribution == "Fedora" ) || ($distribution == "CentOS Linux") || ( $distribution == "Red Hat Enterprise Linux Server") || ($distribution == "Red Hat Enterprise Linux") || ($distribution == "Amazon Linux") || ($distribution == "Amazon Linux AMI")) ]]; then
            yum update -y
            yum install -y python-setuptools
            yum install -y wget
            yum install -y unzip
          else
            echo "Didn't Update and not able to install prereqs"
          fi
          mkdir -p /opt/aws/bin
          wget https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz
          python -m easy_install --script-dir /opt/aws/bin aws-cfn-bootstrap-latest.tar.gz > /tmp/cfn-install.log 2>&1
          /opt/aws/bin/cfn-init -vvv --stack ${AWS::StackName} --resource EC2Instance -c ascending --region ${AWS::Region} > /tmp/cfn-init.log 2>&1
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource EC2Instance --region ${AWS::Region} > /tmp/cfn-signal.log 2>&1
      ############################ K2 Configuration #2 Ends Here ############################
      # Below Parts will come from customer
      ImageId: !FindInMap
        - AWSRegionAMIEC2
        - !Ref 'AWS::Region'
        - CentOS7
      InstanceType: !Ref 'InstanceType'
      SecurityGroupIds: [{ "Fn::GetAtt" : ["InstanceSecurityGroup", "GroupId"] }]
      KeyName: !Ref 'KeyName'
      BlockDeviceMappings:
        - DeviceName: "/dev/sda1"
          Ebs:
            VolumeType: "gp2"
            DeleteOnTermination: true
            VolumeSize: 200
      SubnetId:
        Fn::ImportValue:
          !Join [':', [!Ref 'StackName', 'VPCPriSub11']] #Configurable Section1
      Tags:
        - Key: Name
          Value: Vulnerable APP with K2Agent Installed
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable SSH access via port 22
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref 'SSHLocation'
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: !Ref AllowedAddress
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          CidrIp: !Ref AllowedAddress
      VpcId:
        Fn::ImportValue:
          !Join [':', [!Ref 'StackName', 'vSRXVPC']] #Configurable Section2
Outputs:
  InstanceId:
    Description: InstanceId of the newly created EC2 instance
    Value: !Ref 'EC2Instance'
  AZ:
    Description: Availability Zone of the newly created EC2 instance
    Value: !GetAtt [EC2Instance, AvailabilityZone]