Deploy Kaspersky Hybrid Cloud Security in AWS


Kaspersky Security Center 10


Deploy Kaspersky Hybrid Cloud Security in AWS

Back to "Hybrid Cloud Security"
Latest update: August 25, 2020 ID: 14334

Kaspersky Hybrid Cloud Security (KHCS) in the AWS Marketplace is a solution intended to protect EC2 Instances. It includes the following applications:

  • Kaspersky Security Center – Administration Server
  • Kaspersky Security for Windows Sever – Windows Security Agent
  • Kaspersky Endpoint Security for Linux – Linux Security Agent

After the deployment of Kaspersky Hybrid Cloud Security, you will get a virtual machine with Kaspersky Security Center installed and configured for the AWS infrastructure. The machine must be connected to Administration Server through RDP in order to have access to the Administration Console for deployment and security management for AWS EC2 instances.

The BYOL version requires a valid software license. You can find our reseller in your region at

I. Set up AWS cloud environment for KHCS

Before the deployment of the KHCS, configure your AWS cloud environment to provide permissions for Kaspersky Security to work with AWS services. You can do it manually using this instruction or using the AWS CloudFormation template: Setup_AWS_for_KHCS.json. The template will create:

Before using this CloudFormation template, find out your VPC (Virtual Private Cloud) ID parameter:
  1. In the list of AWS Services, choose your VPC under Networking & Content Delivery group.
  2. Choose VPC from the list and copy the VPC ID.

To run the template:

  1. In the list of AWS Services, select CloudFormation.
  2. Create Stack.
  3. Select Upload a template to Amazon S3 and choose Setup_AWS_for_KHCS.json.
  4. At the next step, indicate VPC ID.
  5. At the Review step, select  I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  6. Click Create and wait until the status changes to CREATE_COMPLETE.

II. Subscribe to KHCS

  1. Subscribe to KHSC using one of the licensing options (BYOL or PPU) and choose KSCSecurityGroup in the list of Security groups.
  2. Wait until the EC2 instance with KHCS is ready (running and all the checks are passed). Usually it takes about 40 minutes. If the instance is stuck with the status other than "running" for a long time, contact technical support (see step V for details).
  3. Attach KSCRole IAM Role to the instance with KHCS. Select the instance with KHCS and in the list of Action choose Instance Settings, Attach/Replace IAM Role, attach KSCRole and click Apply.

III. Configure Administration Server to protect AWS cloud environment

  1. Connect to the instance with KHCS using RDP. If you have problems connecting to the instance, contact technical support (see step V for details).
  2. You will see Administration Console of the Kaspersky Security Center and Cloud Environment Configuration Wizard. If Administration Console is not running, start the application: Start → Programs → Kaspersky Security Center. For instructions on how to run Cloud Environment Configuration Wizard, see Online Help. If the application is missing from the Start menu or if Cloud Environment Configuration Wizard cannot start due to an error, contact technical support (see step V for details).  
  3. Go through the all the steps of the Cloud Environment Configuration Wizard.
  4. Follow the instructions in Online Help to check whether Kaspersky Security Center is properly configured for work in a cloud environment.
  5. Check if the data backup task was created and is active. For more information on how to use Data backup and recovery see Online Help.

IV. Deploy protection to EC2 instances

KHCS provides two options for deploying protection to EC2 instances:

Remote deployment from the Administration Server 

Systems Manager Agent (SSM Agent) should be installed on the protected machines. 

To deploy protection from the Administration Server do the following steps:

  1. Assign SecurityAgentRole IAM Role and SecurityAgentGroup Security Group to the EC2 instance.
  2. Connect to the Kaspersky Security Center, go to the Tasks and run Install protection for Linux or Install protection for Windows task.  For more information, see Online Help.
Deployment using Deployments Scrips 

Deploy protection using Deployment Scripts when Launch new instance with UserData option (refer to AWS guide Windows or Linux)

  1. Connect to the instance with Kaspersky Security Center and copy the correspondent Deployment Script from the folder <C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center\Share\Public\DeploymentScripts>:
  2. During the launch of the new instance, at Step 3: Configure Instance Details, in the Advanced Details section, in the User Data field paste the deployment script as a text.
  3. At Step 6: Configure Security Group, select SecurityAgentGroup Security Group.
  4. Launch the instance.

V. Support

Kaspersky Lab provides technical support to customers with a valid commercial or trial license.

To receive technical support for your Kaspersky Lab product, you can:

To read Support Service Terms and Conditions, follow this link.

If you still have any questions, please call us.

Was this information helpful?
Yes No
Thank you


How can we improve this article?

Your feedback will be used for content improvement purposes only. If you need assistance, please contact technical support.

Submit Submit

Thank you for your feedback!

Your suggestions will help improve this article.