Deepfactor's Application Security Platform will no longer be offered for sale or renewal effective September 20, 2024.

Install AWS Certificate Manager (ACM) certificate on Deepfactor portal EC2 instance

This article describes the steps required to use a TLS certificate managed in AWS Certificate Manager (ACM) with a Deepfactor portal installed using the CloudFormation Template (CFT).

 

Step 1: Install Deepfactor portal using CFT

Install the Deepfactor portal using the CFT downloaded from my.deepfactor.io. Refer to the following document for the installation steps:

Deploying Deepfactor on AWS using CFT

 

Step 2: Add kube config for root user

# ssh into the EC2 machine
ssh ubuntu@<ip_address_of_ec2_instance>
# run as root
sudo su
cd /microk8s/
mkdir -p ~/.kube
# add kube config for root user
microk8s config view > ~/.kube/config

 

Step 3: Update Deepfactor override.yaml

Make the following changes:

  • Disable TLS termination on the Deepfactor nginx pod.
  • Run the Deepfactor frontend service on port 80 (HTTP).
  • Run the Deepfactor proxy service (used for running DAST scans) on TCP port 13080.

Open the override.yaml file in the /microk8s/ folder:

vi /microk8s/override.yaml

 

Update the nginx block in override.yaml as follows:

nginx:
  hostNetwork: true
  ingress:
    enabled: false
  tls: false
  service:
    proxyPort: 13080
    servicePort: 80

 

Add an apisvc block above the nginx block in override.yaml:

apisvc:
  proxyPort: "13443"

 

The updated config should look like this:

apisvc:
  proxyPort: "13443"

nginx:
  hostNetwork: true
  ingress:
    enabled: false
  tls: false
  service:
    proxyPort: 13080
    servicePort: 80

 

Step 4: Delete TLS secret and root CA secret

Since the nginx pod on the Deepfactor portal will no longer terminate TLS, the TLS and root CA certificate secrets can be removed:

kubectl -n deepfactor delete secret df-certs-ingress deepfactor-certs

 

Step 5: Download root CA of your certificate and create a Kubernetes secret

Depending on your certificate provider, download the corresponding root CA and create a Kubernetes secret from it. This will be used to encrypt telemetry traffic between your applications and the Deepfactor portal.

For GoDaddy:

wget https://certs.godaddy.com/repository/gdroot-g2.crt
kubectl -n deepfactor create secret generic deepfactor-certs --from-file=portalca.crt=gdroot-g2.crt

 

For AWS public CA:

wget https://www.amazontrust.com/repository/AmazonRootCA1.pem
kubectl -n deepfactor create secret generic deepfactor-certs --from-file=portalca.crt=AmazonRootCA1.pem

 

For Let’s Encrypt:

wget https://letsencrypt.org/certs/isrgrootx1.pem
kubectl -n deepfactor create secret generic deepfactor-certs --from-file=portalca.crt=isrgrootx1.pem

 

Step 6: Update the Deepfactor deployment on your EC2 instance

Use the following commands to update the Deepfactor Kubernetes Helm chart on your EC2 instance:

helm repo add deepfactor https://static.deepfactor.io/helm-charts
helm repo update
helm upgrade df-stable -n deepfactor deepfactor/deepfactor -f /microk8s/override.yaml

 

Step 7: Wait for Deepfactor pods to start with the new configuration

Run the following command to check that all the pods in the deepfactor namespace are in the ‘running’ state:

kubectl get pods -n deepfactor

 

Step 8: Allow incoming traffic on ports 13080 and 80 on the EC2 instance

Clone the security group (sg-1) attached to the Deepfactor EC2 instance: select the security group on the EC2 dashboard and click Actions -> Copy to new security group. The copy is referred to below as sg-2.

Make the following changes to the cloned security group (sg-2):

  1. Remove ports 13443 and 443 from the inbound rules section.
  2. Allow incoming traffic from the original security group (sg-1) on ports 80 and 13080 in the inbound rules section.

Remove the original security group (sg-1) and attach the new security group (sg-2) to the Deepfactor EC2 instance. The original security group (sg-1) will be attached to the load balancer (created in the next step) so traffic from the load balancer will be allowed to the EC2 instance on ports 80 and 13080.

 

Step 9: Create a Classic Load Balancer on AWS

Create a classic load balancer and use your certificate from AWS Certificate Manager (ACM).

Note: We use a classic load balancer because we need to allow traffic on port 13443 for running DAST scans over the Deepfactor proxy.

Define the load balancer configuration as shown in the screenshot. Select the VPC you would like to install the load balancer in.
Note: If you are using a private VPC, check the ‘Create an Internal load balancer’ checkbox.

Attach the original security group (sg-1) to the classic load balancer. This security group will allow traffic on ports 13443 and 443 from your applications to the load balancer.

 

Step 10: Select the certificate from AWS Certificate Manager (ACM)

This step assumes that you have already created a TLS certificate for the hostname assigned to the Deepfactor portal specified in the CFT parameters and imported it to AWS Certificate Manager (ACM).

Select the certificate from AWS Certificate Manager and attach it to the load balancer.

 

Step 11: Configure health check

Configure the health check as shown in the screenshot below.

 

Add the Deepfactor instance as a target for the load balancer.

 

Step 12: Add a DNS record for Deepfactor portal hostname in Route 53

Create an ALIAS record for the hostname specified in the Deepfactor CFT parameters and point it to the classic load balancer created above.

 

Now you can access the Deepfactor portal using the portal hostname specified in the CFT parameters. The traffic will be encrypted using the certificate from AWS Certificate Manager (ACM) and TLS termination will be done at the classic load balancer.
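
After Step 8 the portal serves unencrypted HTTP on ports 80 and 13080, so the inbound rules of the instance security group (sg-2) are worth auditing once the setup is complete. The check below is an added example, not part of the Deepfactor documentation; it assumes input in the JSON shape printed by aws ec2 describe-security-groups, and the group IDs "sg-1" and "sg-2" and the sample rules are constructed placeholders.

```python
import json

PLAINTEXT_PORTS = {80, 13080}  # HTTP ports nginx serves after Step 3
TLS_PORTS = {443, 13443}       # after Step 9 these exist only on the load balancer

def audit_instance_sg(describe_json, lb_sg_id):
    """Return findings for the instance security group (sg-2 in Step 8)."""
    group = json.loads(describe_json)["SecurityGroups"][0]
    findings, reachable = [], set()
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        # "-1" means all protocols and ports; such rules carry no port range
        lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
        ports = sorted(p for p in PLAINTEXT_PORTS | TLS_PORTS if lo <= p <= hi)
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
        for port in ports:
            for src in sources:
                if port in TLS_PORTS:
                    findings.append(f"{port} still open to {src}: Step 8 removes it")
                elif src == lb_sg_id:
                    reachable.add(port)
                else:
                    findings.append(f"{port} open to {src}: plaintext HTTP exposed beyond the load balancer")
    for port in sorted(PLAINTEXT_PORTS - reachable):
        findings.append(f"{port} not allowed from {lb_sg_id}: load balancer cannot reach the portal")
    return findings

def rule(port, cidr=None, group=None):
    """Build one constructed inbound rule in describe-security-groups shape."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}] if cidr else [],
            "UserIdGroupPairs": [{"GroupId": group}] if group else []}

def sample(rules):
    return json.dumps({"SecurityGroups": [{"GroupId": "sg-2", "IpPermissions": rules}]})

# Constructed inputs; "sg-1" and "sg-2" stand in for the real group IDs.
GOOD = sample([rule(80, group="sg-1"), rule(13080, group="sg-1"), rule(22, cidr="10.0.0.0/8")])
BAD = sample([rule(80, cidr="0.0.0.0/0"), rule(443, cidr="0.0.0.0/0"), rule(13080, group="sg-1")])

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_instance_sg(doc, "sg-1") or "ok")
```

For a real deployment, pass the output of aws ec2 describe-security-groups --group-ids <id of sg-2> --output json as the first argument and the ID of sg-1 as the second.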

Updated on February 13, 2023