Installing KeyControl Compliance Manager from an AMI

Before You Begin 

Make sure that:

  • You have obtained the KeyControl Compliance Manager for AWS build from the Amazon Marketplace.
  • You know the IP address and any required network connection information, such as the domain name and the DNS and gateway IP addresses, for the machine on which you are installing KeyControl Compliance Manager.

    Note: You must use an IPv4 address. KeyControl Compliance Manager does not support IPv6 addresses.

  • You have the required permissions to install software on the target system.
  • The target system meets the basic system requirements described in System Requirements.

Procedure 

  1. Open a web browser and navigate to the Amazon Web Services login page for your company. The default login page is https://aws.amazon.com/.
  2. Log in to the AWS Management Console with your AWS user name and password.
  3. In the top menu bar just after your login name, verify that the deployment region is correct. If you need to change it, click the current region and select the new region from the drop-down list.

  4. Create a new VPC to use for the KeyControl node, or select an existing VPC.

  5. In the top menu bar, select Services > Compute > EC2.
  6. Click the blue Launch Instance button.
  7. In the Step 1: Choose an Amazon Machine Image (AMI) page, click AWS Marketplace in the left-hand pane.
  8. Search the Marketplace for "Entrust" and select Entrust KeyControl Compliance Manager for AWS BYOL (Bring Your Own License).

  9. Review the details and click Continue.
  10. In the Step 2: Choose an Instance Type page, select an instance type. You must choose an instance type from the t3 family, and the minimum size is t3.large.

  11. After you have selected the type, click Next: Configure Instance Details.
  12. On the Step 3: Configure Instance Details page, set the following options:

    • Number of Instances — Specify the number of instances you want to launch in this field. All instances will run in the same region using the same VPC and instance settings.

      Tip: You can use this option to create a multi-node KeyControl Compliance Manager cluster on this VPC without needing to launch additional instances, but you can also add additional KeyControl Compliance Manager nodes to the cluster at any time after the initial node has been configured.

    • Network — Select the VPC you want to use for the KeyControl Compliance Manager node.
    • Set all other options on this page according to your corporate standards.
  13. When you are done, click Next: Add Storage.
  14. On the Step 4: Add Storage page, set the following options:

    • Volume Size — Set the size of the disk based on your configuration requirements. The default setting of 65 GB should work for most KeyControl Compliance Manager installations.
    • Volume Type — For optimal performance, we recommend setting the volume type to one of the SSD options instead of the default Magnetic volume.
    • Delete on Termination — If you select this option and the instance is deleted, all keys stored on this KeyControl Compliance Manager node will be deleted as well. In a single-node configuration, this means that encrypted data can no longer be decrypted, because the keys will be lost. If you want to use this option, make sure all data is decrypted before the instance is deleted.
  15. When you are done, click Next: Add Tags.
  16. On the Step 5: Add Tags page, click Add Tag and enter a Name tag for the instance:

    • Key — Enter "Name".
    • Value — Enter the name for this KeyControl node.

    Add any other tags as desired.

  17. When you are done, click Next: Configure Security Group.
  18. In the Step 6: Configure Security Group page, do the following:

    1. Make sure that the Assign a security group field is set to Create a new security group.

      Note: You can use an existing security group as long as all of the required ports are open in that security group.

    2. Optionally enter a custom security group name and description in the Security group name and Description fields.
    3. For each of the required entries in the security group, set the Source IP addresses or security groups that can communicate with KeyControl through the associated ports. We strongly recommend that you do not use the default 0.0.0.0/0 notation, which indicates that the ports are open to the world.

      KeyControl Compliance Manager webGUI requires the following ports:

      Type               Protocol   Port Range   Source
      SSH (22)           TCP        22           IP address list or another security group
      HTTPS (443)        TCP        443          IP address list or another security group
      Custom TCP Rule    TCP        5432         IP address list or another security group
      Custom TCP Rule    TCP        8443         IP address list or another security group
      Custom UDP Rule    UDP        123          IP address list or another security group

      For details about specifying the source IP addresses or security groups, see your AWS documentation.

  19. When you are done, click Review and Launch.
  20. In the Step 7: Review Instance Launch page, verify your selections and click Launch.
  21. At the prompt, either select an existing key pair or select Create a new key pair, specify a key pair name, and download the new private key file for the new key pair.
  22. When you are done, click Launch Instances. AWS displays a confirmation page stating that your instance is being launched and displays the instance ID. Make a note of the ID, as it will be your initial KeyControl Compliance Manager password.

  23. To verify the status of the instance, select Services > EC2 > Instances and locate the new instance in the table.

    Tip: If you requested multiple instances on the Step 3: Configure Instance Details page, you will see multiple KeyControl Compliance Manager instances with the same name listed in the table. We recommend that you give each instance a unique name at this point so that you can tell them apart as you configure them. To do so, mouse over an instance name and click the pencil icon when it appears.
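The procedure above is written for the AWS console. The following Python script is an added example, not part of the Entrust documentation, that encodes two of its requirements as pre-flight checks for an automated launch: the instance type must be t3.large or larger (step 10), and every ingress rule for the five required ports must name a specific IPv4 CIDR or another security group rather than the default 0.0.0.0/0 (step 18). It builds the rules in the IpPermissions format that boto3's EC2 authorize_security_group_ingress call takes. The port list comes from the table in the procedure; the t3 size ordering is the standard AWS one; the sample sources (a corporate admin subnet and a security group id) are constructed placeholders, and the boto3 client is passed in rather than created so the rule builder can be exercised offline.

```python
"""Pre-flight checks for launching KeyControl Compliance Manager on EC2.

Added example, not Entrust's code. It enforces the instance-type rule
(t3 family, minimum t3.large) and builds security group ingress rules
for the required ports while rejecting IPv6 sources (KeyControl
Compliance Manager is IPv4-only) and the wide-open 0.0.0.0/0 source.
"""
import ipaddress

# Ports from the security group table in the procedure.
REQUIRED_INGRESS = [
    ("tcp", 22, "SSH"),
    ("tcp", 443, "HTTPS"),
    ("tcp", 5432, "Custom TCP Rule"),
    ("tcp", 8443, "Custom TCP Rule"),
    ("udp", 123, "Custom UDP Rule"),
]

# Standard t3 sizes in ascending order; the procedure requires t3.large or larger.
T3_SIZES = ["nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]
MIN_T3_SIZE = "large"


class LaunchConfigError(ValueError):
    """Raised when a setting would violate the installation requirements."""


def check_instance_type(instance_type):
    """Return True if instance_type is a t3 type no smaller than t3.large."""
    family, _, size = instance_type.partition(".")
    if family != "t3" or size not in T3_SIZES:
        raise LaunchConfigError(f"{instance_type}: must be a t3 instance type")
    if T3_SIZES.index(size) < T3_SIZES.index(MIN_T3_SIZE):
        raise LaunchConfigError(f"{instance_type}: minimum size is t3.{MIN_T3_SIZE}")
    return True


def source_entry(source, description):
    """Turn one allowed source into the matching IpPermissions fragment.

    A source is either a security group id ("sg-...") or an IPv4 CIDR.
    Returns the key under which the fragment belongs in a rule dict.
    """
    if source.startswith("sg-"):
        return "UserIdGroupPairs", {"GroupId": source, "Description": description}
    try:
        net = ipaddress.ip_network(source)  # strict: host bits must be zero
    except ValueError as exc:
        raise LaunchConfigError(f"{source}: not a valid CIDR ({exc})") from None
    if net.version != 4:
        raise LaunchConfigError(f"{source}: only IPv4 sources are supported")
    if net.prefixlen == 0:
        raise LaunchConfigError(f"{source}: 0.0.0.0/0 would open the port to the world")
    return "IpRanges", {"CidrIp": str(net), "Description": description}


def build_ingress(sources):
    """Build the IpPermissions list for all required ports and the given sources."""
    if not sources:
        raise LaunchConfigError("at least one source is required for each rule")
    permissions = []
    for proto, port, description in REQUIRED_INGRESS:
        rule = {"IpProtocol": proto, "FromPort": port, "ToPort": port}
        for src in sources:
            key, entry = source_entry(src, description)
            rule.setdefault(key, []).append(entry)
        permissions.append(rule)
    return permissions


def authorize_ingress(ec2, group_id, sources):
    """Apply the rules to an existing security group via a boto3 EC2 client."""
    return ec2.authorize_security_group_ingress(
        GroupId=group_id, IpPermissions=build_ingress(sources)
    )


if __name__ == "__main__":
    import json

    check_instance_type("t3.large")
    # Constructed sample sources: a corporate admin subnet and a peer security group.
    print(json.dumps(build_ingress(["10.20.30.0/24", "sg-0123456789abcdef0"]), indent=2))
```

With a real client (`boto3.client("ec2")`) and the id of the group created in step 18, `authorize_ingress` applies the same five rules the console table describes; because `ipaddress.ip_network` is called in strict mode, a source such as 10.20.30.5/24 is rejected rather than silently widened to the whole /24, which is the kind of mistake that otherwise goes unnoticed until an audit.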

What to Do Next 

Associate an Elastic IP address with the instance as described in Associating an Elastic IP Address with KeyControl Compliance Manager. An Elastic IP address is required for every KeyControl Compliance Manager instance so that you can configure and maintain the instance using a static IPv4 address.

If you created multiple instances, you need to assign a different Elastic IP to each copy of the instance.