Configuring Invicti Enterprise for Amazon Web Services

Invicti Enterprise can be configured to run scanner agents on Amazon Web Services (AWS). When you launch a new scan, Invicti Enterprise will create a new instance for the target scan and terminate it automatically once the scan is completed.

For further information Cloud Provider Settings.

This topic explains how to configure Invicti Enterprise to run scanner agents on AWS (Windows OS). To see the Linux version, see Configuring Invicti Enterprise for Linux on Amazon Web Services (Ubuntu).

Starting from the Invicti Enterprise On-Premises 2.3, our brand has been changed from Netsparker to Invicti. With this change, the installation path has also been updated. So, if you have any agents from the previous version, you need to remove them and re-install your agents by following this document.

AWS Configuration

First, you need to install and configure the scanner agent on an EC2 instance and then create a machine image (AMI) to use it as a base instance.

Each stage of this process is outlined below:

1. Selecting a Region
2. Creating S3 Buckets
3. Creating IAM Users
4. Creating an AMI for the Scanner Agent
5. Configuring Invicti Enterprise

Selecting a region

Invicti Enterprise uses AWS S3 buckets for object storage and EC2 service for launching new instances.

S3 and EC2 resources need to be in the same AWS region. For that reason, please choose an AWS region and create all resources in that region.

How to select a region

For information on how to select a region, see Amazon’s EMR documentation, Choose an AWS Region.

Creating S3 Buckets

Invicti Enterprise needs three different buckets to store scan data.

How to create S3 Buckets

1. Open the AWS console and navigate to the S3 service.
2. Create 3 buckets for raw scan data, screenshots and customizations. For example, you can use bucket names like this:
   • exampleinc.ne.scandata (for raw scan data)
   • exampleinc.ne.scanscreenshots (for form authentication screenshots)
   • exampleinc.ne.customizations (for customizations)

Recommended practices for S3 Buckets

You can apply the following precautions to harden your bucket.

1. Enable Encryption: Amazon provides a default encryption service or you can use your own keys. For further information, Amazon S3 default encryption for S3 buckets.
2. Monitoring and Auditing: Amazon provides ways to monitor and audit S3 buckets. For further information, Amazon S3 Monitoring and Auditing Best Practices.

Creating IAM Users

Next, you must create IAM Users.

How to create an access policy for the web application

1. Go to AWS console and navigate to the IAM service.
2. Select Policies.
3. Select Create Your Own Policy.
4. Enter a policy name (e.g. NEWebAppPolicy).
5. Enter your bucket names in the policy template code below and paste it into the Policy Document field.

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::ENTER_SCAN_DATA_BUCKET_NAME/*",
"arn:aws:s3:::ENTER_SCREENSHOTS_BUCKET_NAME/*",
"arn:aws:s3:::ENTER_CUSTOMIZATIONS_BUCKET_NAME/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DescribeInstances",
 "ec2:RunInstances",
"ec2:TerminateInstances"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
]
}

6. Select Create Policy.

How to create an access policy for the scanner agent

1. Select Policies.
2. Select Create Your Own Policy.
3. Enter a policy name for scanner agent (e.g. NEAgentPolicy).
4. Enter your bucket names into the policy template code below, and paste it into the Policy Document field.

{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Action": [
 "s3:DeleteObject",
 "s3:PutObject"
 ],
 "Effect": "Allow",
 "Resource": [
 "arn:aws:s3:::ENTER_SCAN_DATA_BUCKET_NAME/*",
 "arn:aws:s3:::ENTER_SCREENSHOTS_BUCKET_NAME/*"
 ]
 },
 {
 "Action": [
 "s3:ListBucket"
 ],
 "Effect": "Allow",
 "Resource": [
 "arn:aws:s3:::ENTER_CUSTOMIZATIONS_BUCKET_NAME",
 "arn:aws:s3:::ENTER_SCAN_DATA_BUCKET_NAME",
 "arn:aws:s3:::ENTER_SCREENSHOTS_BUCKET_NAME/*"
 ]
 },
 {
 "Action": [
 "s3:GetObject"
 ],
 "Effect": "Allow",
 "Resource": [
 "arn:aws:s3:::ENTER_CUSTOMIZATIONS_BUCKET_NAME/*",
 "arn:aws:s3:::ENTER_SCAN_DATA_BUCKET_NAME/*",
 "arn:aws:s3:::ENTER_SCREENSHOTS_BUCKET_NAME/*"
 ]
 }
 ]
}

5. Select Create Policy.

How to create a user for the web application

1. Select Users.
2. Select Add User.

3. Enter a user name (e.g. NEWebApp).
4. In the Access Type field, enable Programmatic access, and select Next.

5. Select Attach existing policies directly.
6. Choose the previously created web app policy (e.g. NEWebAppPolicy).
7. Select Next to create the web app user.
8. Save the access and security key (you will need it later).

How to create a user for scanner agent

1. Select Users.
2. Select Add User.
3. Enter a user name (e.g. NEAgent).
4. Choose Programmatic access for Access Type and select Next.

5. Select Attach existing policies directly.

6. Choose the previously created scanner agent policy (e.g. NEAgentPolicy).
7. Select Next to create the scanner agent user.
8. Save access and security key to use them later.

Creating an AMI for the scanner agent

There are three steps to this process:

1. Launching an instance for the scanner agent
2. Configuring the scanner agent instance
3. Creating a scanner agent image

Launching an instance for the scanner agent

First, you need to launch an instance for a Scanner Agent.

How to launch an instance for a scanner agent

1. Navigate to the EC2 service.
2. From the main menu, select Instances.
3. Select Launch Instance.
4. Choose Microsoft Windows Server 2019 Base as the AMI.

5. Select Choose Instance Type and select an Instance Type (c4.large is recommended).

6. Select Configure Instance.
7. Set the Auto-assign Public IP drop-down to Enable. (This is needed for RDP connections.)

8. Selectt Next: Add Storage and set the Disk Size (a minimum of 30 GB is recommended).
9. Select Next: Add Tags.
10. Select Next: Configure Security Group.
11. Select Review and Launch.

Configuring the scanner agent instance

Next, you need to install the Invicti Scanner Agent to the target EC2 instance.

How to configure a scanner agent instance

1. Navigate to the EC2 service.
2. From the main menu, select Instances.
3. Right-click the previously launched scanner agent instance and select Connect.

4. Connect to your instance with the supplied RDP information.
5. Ensure that you can connect to your on-premises Invicti Enterprise web application from this instance.
6. Download and extract InvictiEnterprise.zip AgentSetup.exe into your instance
7. Run AgentSetup.exe and install the scanner agent. Enter the required information asked by the agent installation wizard. For API Token, navigate to the Configure New Agent page by selecting Agents > Manage Agents > Configure New Agent.

8. Start a command prompt and type:

cd C:\Program Files (x86)\Invicti Enterprise Agent

9. By default, the scanner agent is not configured to run in AWS. Enter this command to uninstall the scanner agent’s Windows service:

Netsparker.Cloud.Agent.exe /u

10. Open the agent’s configuration file with a text editor: C:\Program Files (x86)\Invicti Enterprise Agent \appsettings.json.
11. Navigate to the AgentInfo section and set agentType to Cloud.

  "AgentInfo": {
    "AgentName": "Agent-1",
    "AgentType": "Cloud",
    "ApiRootUrl": "http://localhost:80",
    "ApiToken": ""
  },

12. Save the appsettings.json file.
13. Type this command to re-install scanner agent windows service:

Netsparker.Cloud.Agent.exe /i

14. The installed agent’s Windows Service’s Startup Type will be ‘Manual’ (it must stay that way).
15. Open a PowerShell command window and run the following command:

C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1 –Schedule

Creating a scanner agent image

Next, you need to create an AMI that will be used as a base image for new scans.

How to create a scanner agent image

1. Open the EC2 instances page on the AWS console.
2. Select the EC2 instance and from the Actions menu, select Instance State > Stop/ Wait for the agent instance to be stopped.
3. Once the agent instance has stopped, right click on it, and select Create Image. Enter a name for your image and select Create Image.

4. Navigate to the AMIs page and save your AMI ID (you will need it later).

Configuring Invicti Enterprise

Next, you need to configure your AWS settings.

How to configure the Invicti Enterprise Web Application

1. Make an RDP connection to your Invicti Enterprise web application server.
2. Log in to Invicti Enterprise.
3. From the main menu, select Settings > Cloud Provider.
4. Enter your AWS settings.
   • You can find the settings for the Instance Type, Subnet ID and Key Pair Name in your stopped instance’s details in AWS.
   • Select Security Group to get the Security Group id (e.g. sg-abc3fec2).

5. You can now run new scans on your AWS environment.

Updating the web application

Next, you need to update the web application.

How to update the web application

1. From the main menu, select Settings > Licensing.
2. Select Check for Updates. Download the latest version.
3. Run WebAppSetup.exe to update the web application to the latest version.

Updating the scanner agent

Next, you need to update the Scanner Agent.

How to update the scanner agent

1. In the AWS EC2 console, open the AMI page. Right-click on your current scanner agent’s AMI, and launch an instance.
2. Once your scanner agent instance is ready, make an RDP connection to it.
3. Download the Invicti Enterprise installation bundle. After extracting the zip file, select the file AgentSetup.exe to start the agent installation wizard
4. Once the new scanner agent is installed, create a new AMI of your instance as described in How to Create a Scanner Agent Image.
5. Next, log in to Invicti Enterprise. From the main menu, select Settings > Cloud Provider Settings.

6. Enter your new AMI and select Save.