Register my AWS Account to CONS3RT

If you have your own AWS account, you can "bring your own cloud" (BYOC) to CONS3RT. To do this, register your AWS account as a "Cloud" in CONS3RT.

Step 1: Set up your AWS Account for CONS3RT

Set up an IAM Account for CONS3RT

  • Log in to AWS as an administrator with IAM access
  • Open the IAM Dashboard
Create an IAM Policy
  • Click on "Policies"
  • Click "Create Policy" and then click the "JSON" tab
  • Copy and paste the following JSON policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Cons3rtCloudApiPolicy0",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteAccessKey",
                "cloudtrail:StopLogging",
                "cloudtrail:StartLogging",
                "iam:DeleteGroup",
                "logs:DescribeLogStreams",
                "cloudtrail:GetTrailStatus",
                "iam:DeletePolicy",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:CreateUser",
                "iam:CreateAccessKey",
                "iam:PassRole",
                "logs:CreateLogStream",
                "iam:RemoveUserFromGroup",
                "iam:AddUserToGroup",
                "iam:DetachGroupPolicy",
                "iam:ListAttachedGroupPolicies",
                "iam:ListAccessKeys",
                "iam:CreateGroup",
                "logs:DescribeLogGroups",
                "s3:*",
                "iam:DeleteUser",
                "logs:CreateLogGroup",
                "logs:PutLogEvents",
                "config:DeleteConfigurationRecorder",
                "cloudtrail:DescribeTrails",
                "iam:CreatePolicy",
                "iam:ListPolicyVersions",
                "config:DescribeConfigurationRecorders",
                "iam:ListGroupsForUser",
                "iam:AttachGroupPolicy",
                "cloudtrail:CreateTrail",
                "iam:ListAccountAliases",
                "iam:ListUsers",
                "iam:DeletePolicyVersion"
            ],
            "Resource": "*"
        }
    ]
}

  • Click "Review Policy" and ensure it is valid
  • Name the policy "AA-Cons3rtCloudApiUserPolicy", and click "Create Policy"
Create a Group
  • Next, click on "Groups" and click "Create Group"
  • For the group name, use "cons3rt-api-group", and click "Next step"
  • Attach the following 2 policies by checking the checkboxes:
    • AA-Cons3rtCloudApiUserPolicy (created in the previous steps)
    • AmazonEC2FullAccess (a standard AWS policy)
  • Click "Next Step", and click "Create Group"
Create a User with Programmatic Access
  • Next, click "Users", then click "Add User"
  • Type a username that you will remember like "cons3rt-cloud"
  • Check only the "Programmatic access" checkbox, and click "Next: Permissions"
  • Add the user to the "cons3rt-api-group" by checking the box, and click "Next: Review"
  • Click "Create User"
  • IMPORTANT: Be sure to copy the "Access key ID" and "Secret access key"; this is the only chance to retrieve them
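
The policy above is granted on Resource "*", so it is worth knowing which of its actions to watch when you review or monitor the "cons3rt-cloud" user. The following Python check is an added example, not part of the CONS3RT documentation: the action list is copied from the policy above, while the review categories and the `review_policy` helper are this example's own assumptions.

```python
import json

# Actions copied from the policy on this page (one Allow statement, Resource "*").
PAGE_ACTIONS = """
iam:DeleteAccessKey cloudtrail:StopLogging cloudtrail:StartLogging iam:DeleteGroup
logs:DescribeLogStreams cloudtrail:GetTrailStatus iam:DeletePolicy iam:CreateRole
iam:AttachRolePolicy iam:CreateUser iam:CreateAccessKey iam:PassRole
logs:CreateLogStream iam:RemoveUserFromGroup iam:AddUserToGroup
iam:DetachGroupPolicy iam:ListAttachedGroupPolicies iam:ListAccessKeys
iam:CreateGroup logs:DescribeLogGroups s3:* iam:DeleteUser logs:CreateLogGroup
logs:PutLogEvents config:DeleteConfigurationRecorder cloudtrail:DescribeTrails
iam:CreatePolicy iam:ListPolicyVersions config:DescribeConfigurationRecorders
iam:ListGroupsForUser iam:AttachGroupPolicy cloudtrail:CreateTrail
iam:ListAccountAliases iam:ListUsers iam:DeletePolicyVersion
""".split()
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Cons3rtCloudApiPolicy0", "Effect": "Allow",
    "Action": PAGE_ACTIONS, "Resource": "*"}]}

# Review categories are this example's own grouping, not an AWS classification.
AUDIT_CONTROL = {"cloudtrail:StopLogging", "config:DeleteConfigurationRecorder"}
IDENTITY_ADMIN = {"iam:CreateUser", "iam:CreateAccessKey", "iam:CreateRole",
                  "iam:CreatePolicy", "iam:AttachRolePolicy",
                  "iam:AttachGroupPolicy", "iam:AddUserToGroup", "iam:PassRole"}

def as_list(value):
    """IAM allows a bare string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def review_policy(policy):
    """Return {category: sorted actions} for Allow statements on Resource "*"."""
    found = {"wildcard": set(), "audit-control": set(), "identity-admin": set()}
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in as_list(stmt.get("Resource", [])):
            continue  # scoped to named ARNs; not reported by this check
        for action in as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                found["wildcard"].add(action)       # whole-service grant
            if action in AUDIT_CONTROL:
                found["audit-control"].add(action)  # can turn off audit recording
            if action in IDENTITY_ADMIN:
                found["identity-admin"].add(action)  # can mint identities or grants
    return {name: sorted(acts) for name, acts in found.items() if acts}

if __name__ == "__main__":
    print(json.dumps(review_policy(PAGE_POLICY), indent=2))
```

The same function accepts any policy document loaded with `json.load`, so it can be rerun if the policy is later edited or scoped to specific ARNs.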

Determine the AMI ID for the NAT instances

Amazon provides Amazon Linux AMIs for performing network address translation (NAT) and port address translation (PAT) to and from EC2 instances in your virtual private cloud (VPC). When configuring your AWS account in CONS3RT, you need to provide an AMI ID to use for the NAT instances in your cloudspace. Each AWS region has several AMIs that you can use for this purpose; the list below is simply a set of recommended AMIs that have been tested by the CONS3RT team. You are also welcome to build your own AMIs for this purpose.

  • GovCloud (us-gov-west-1): ami-ac78c5cd
  • N. Virginia (us-east-1): ami-68115b02
  • Ohio (us-east-2): ami-8d5a00e8
  • Oregon (us-west-2): ami-d3f506b3

To find other NAT instances provided by Amazon:

  1. From the EC2 Dashboard, click "Launch Instance"
  2. Click on "Community AMIs"
  3. Type "nat" in the search bar and hit enter
  4. Look for AMIs named something like "amzn-ami-vpc-nat-hvm..."

Add Elastic IPs

When creating a CONS3RT cloudspace in AWS, CONS3RT uses an elastic IP in your account, selected from a list that you provide when you configure your CONS3RT cloud. You will therefore need to allocate at least one AWS elastic IP address for later use in these instructions. Here is how:

  1. From the EC2 Dashboard, click "Elastic IPs"
  2. Select "Allocate new Address"
  3. If prompted to select between "VPC" and "EC2-Classic", select "VPC" and click "Allocate"
  4. Note the IP address for later use. Repeat if you need to create multiple cloudspaces.

AWS Service Limits

Keep in mind that AWS has default service limits by account, region, and service. Once you start using AWS, you may need to open a support ticket to increase service limits. This link details the AWS service limits. The service limits that may need to increase to support a CONS3RT cloudspace are:

  • VPCs per region
  • Elastic IP addresses per region
  • Internet Gateways per region
  • Overall EC2 instances per region

Step 2: Request a new Cloud

  • First, enter a ticket by emailing support@cons3rt.com, or by clicking the "Contact Us" button
  • You will receive a response from the community team when your CONS3RT Cloud is ready

Note: You may need to log out and back in again for the next step

Step 3: Configure your Cloud

  • From the main menu, select "Clouds"
  • Select your Cloud
  • Click the "Manage" button at the top-right to open the cloud configuration wizard

Manage Cloud

AWS Account Credentials

  • Click on the "Configuration" tab at the top of the manage wizard
  • Recommended: Select "Yes, I want to connect this cloud", and click "Next". Otherwise see TBD instructions to manually create your Cloudspace in AWS.
  • At the "Configure your Cloud" screen, select the desired AWS Region from the drop down menu. Note, if your account is for AWS GovCloud, please select AWS GovCloud
  • Enter your AWS account number, and the access key information created in Step 1
  • Click "Test connection" and ensure a green checkmark appears. If the connection test fails, please double check the region and access key information, and verify the account permissions in AWS IAM

Configure Cloud

  • Enter the AMI ID from Step 1. For instance size, t2.nano should suffice, but can be increased as needed
  • Add any elastic IP addresses created from Step 1, and click "Next"

Configure Cloud 2

Network Configuration

The next step allows you to configure networks that will be created in your cloudspaces. CONS3RT creates a VPC to contain your cloudspace resources, and for each network created at this step, CONS3RT creates a subnet, network ACLs, routing tables, and security groups to support the network firewall and NAT rules.

  • There is one default network called the "cons3rt-net". We recommend leaving this as-is, since this network enables communications with the CONS3RT application supporting provisioning and remote access to your EC2 instances
  • We also recommend creating a second "user-net" to enable communications to the Internet, and communications between your EC2 instances. Please see these instructions for configuring a standard user-net.
  • Configure other networks as desired
  • Click "Next" when done

Allocate a Cloudspace into your AWS Cloud!

  • Click "Create a Cloudspace" to tell CONS3RT to automatically set up all the required AWS resources
  • Enter a cloudspace name (no whitespace; use dashes or underscores as needed)
  • Set the maximum virtual machine limit
  • Leave "Access Point" blank. CONS3RT will select an elastic IP address from the list of IPs added to your cloud
  • Click "Next", and CONS3RT will automatically create your cloudspace in your AWS account!
  • Click "Next"

Add Cloud Administrators

  • You can optionally click the "Add more" button to add other members of your team as cloud administrators. Cloud administrators can edit cloud configurations, and allocate new cloudspaces.
  • Click "Finish" to complete your Cloud configuration

Step 4: Configure your Cloudspace

  • From the main menu, select "Cloudspaces"
  • Select the cloudspace that you created for your new AWS cloud; you will be the cloudspace administrator
  • Ensure the "Connectivity" status is "online", if not, double check the AWS access keys

Add Projects

  • Click "Manage" then "Projects"
  • Click "Add", search for your project by name, select it, and click "Done"
  • Add additional projects to your cloudspace as needed

Add Cloudspace Administrators (optional)

  • Click "Manage", then "Administrators"
  • Add additional cloudspace administrators as desired

Add Operating System Templates

The CONS3RT community team has a standard set of AWS AMI templates in the us-east-1, us-east-2, us-west-2, and us-gov-west-1 AWS regions. To access these templates, you have 2 options described below:

Enter a support ticket

Enter a support ticket to support@cons3rt.com and the team will share these templates with your cloudspace.

Add CONS3RT Community AMIs by myself

You can also search for and register the community CONS3RT AMIs. Use these instructions to search for CONS3RT AMIs:

  • In the AWS EC2 dashboard, click on AMIs from the left pane
  • At the top selector, click on Public images
  • In the search bar, type the CONS3RT owner ID:
    • For GovCloud, use: 907795672550
    • For commercial AWS, use: 017800072961

This should display the full list of shared CONS3RT AMIs. See the AMI ID lists below (per AWS region) to select the specific OS AMI that you would like to add. Then do the following to add it to your cloudspace:

  • Select the AMI you would like to add, and select the Tags tab at the bottom
  • Click Add/Edit Tags
  • Set Key to cons3rtenabled and set Value to true
  • Click Save

With the cons3rtenabled tag applied, your CONS3RT cloudspace can now "see" the AMI. Complete the next steps in CONS3RT to register the AMI to your cloudspace:

  • From the main menu, click Cloudspaces
  • Click on the Operating System Templates tab
  • Select Unregistered from the drop down
  • If you don't see the AMI that you expect, click the Refresh button, and any unregistered AMI with cons3rtenabled=true should appear as shown:

Unregistered AMIs

  • Click the Register button next to the AMI to register
  • Select the Operating System for the AMI
  • Specify the Service Management and Package Management
  • Set the Display Name as desired
  • For Available CPU, Available Memory, and Boot Disk slide the bars all the way right
  • Click the Add Remote Access button
  • For Windows, select RDP Remote Access and click Save
  • For Linux:
    • Select SSH Remote Access and click Save
    • Click the Add Remote Access button again
    • Select VNC Remote Access, enter milCloud123 as the VNC password, and click Save
  • Under Default Credentials:
    • Set Username: cons3rt
    • Set Password: TMEroot!!
  • Check the "The CONS3RT agent has been installed" checkbox
  • Review your registration info, it should resemble this screenshot:

Register AMI

  • Click Save, then click Register
  • At this point, a new AMI tag called cons3rtuuid is added to the public CONS3RT AMI in AWS

Next, to make the AMI available as an OS template in CONS3RT:

  • From the dropdown menu at the top select All registered templates
  • For the AMI you just registered, click Publish

Congrats! You can now deploy that OS in your AWS cloudspace!

Community AMI IDs - AWS GovCloud

GovCloud (us-gov-west-1):

  • Amazon Linux: ami-46e16727
  • CentOS 7: ami-d9e462b8
  • Red Hat 6: ami-b8eb6dd9
  • Red Hat 7: ami-4fc2442e
  • Ubuntu Server 14.04: ami-b2eb6dd3
  • Ubuntu Server 16.04: ami-fdc84e9c
  • Windows Server 2008 R2: ami-54b90535
  • Windows Server 2012 R2: ami-75bf0314

N. Virginia (us-east-1):

  • Red Hat 6: ami-62c7e374
  • Ubuntu Server 14.04: ami-1d4fc762
  • Ubuntu Server 16.04: ami-b7fb73c8

Ohio (us-east-2):

  • Red Hat 6: ami-ddb692b8

Oregon (us-west-2):

  • Red Hat 6: ami-b04a8ad0