Deploying Tanium Infrastructure

Follow these steps to deploy Tanium IaaS to an Amazon Web Services (AWS) virtual private cloud (VPC).

Before you begin

Tanium provides purpose-built templates for AWS Commercial VPC or AWS GovCloud VPC. There are separate templates for deploying into a new VPC or into an existing VPC.

Workflow to deploy to a new VPC

The deployment workflow assumes you have already designed your VPC network and configured the following AWS objects, which you select when you set up the Tanium component server stack:

Workflow when there is an existing VPC

The deployment workflow assumes you have already designed your VPC network and configured the following AWS objects, which you select when you set up the Tanium component server stack:

Create the Tanium component server stack

  1. Go to https://content.tanium.com/files/cloud/index.html.
  2. Accept the license.
  3. Browse to the Commercial Cloud Formation or GovCloud Formation template that you want to use and click the icon to launch the link.
  4. Make sure the correct region is selected for your VPC and click Next.
  5. Complete the configuration as described in the following table and click Next.
    Setting: Guidelines

    Stack name: Must be unique.

    Tanium Configuration
    Tanium Server Binary Download URI: URI of the Tanium component server binary files. The URI is a temporary link provided to you by your TAM.
    Tanium Console Password: Password for the initial Tanium Console user named taniumconsole. It must be at least 8 characters and a maximum of 128 characters. The password can contain any printable ASCII character except the forward slash (/), the double quote ("), or the at sign (@).

    Network Security Configuration
    Web Console Access CIDR Range: IP address range allowed to make HTTPS connections to the Tanium Console. Specify the range in CIDR format.
    Bastion Host Access CIDR Range: IP address range of machines allowed to create SSH connections to the bastion host. Specify the range in CIDR format.
    Key Name: Select the name of the key pair used to make SSH connections to the Tanium deployment server instances.

    Network Configuration (if using the "no existing VPC" template)
    Availability Zones: List of Availability Zones to use for the subnets in the VPC. The logical order is preserved. Select two.

    Network Configuration (if using the "existing VPC" template)
    Target VPC: The name of the AWS VPC where you want to deploy the Tanium Infrastructure servers. You can find it in your AWS VPC Dashboard. For information about AWS VPC and VPC subnets, see Amazon Virtual Private Cloud User Guide: Default VPC Components.
    Public Subnet - Availability Zone 1: Select the public subnet for the Tanium Zone Server 1 and bastion host instances.
    Public Subnet - Availability Zone 2: Select the public subnet for the Tanium Zone Server 2 instance. To support HA, specify a public subnet in a different availability zone from the Tanium Zone Server 1 instance.
    Private Subnet - Availability Zone 1: Select the private subnet for the Tanium Server 1 and Module Server instances.
    Private Subnet - Availability Zone 2: Select the private subnet for the Tanium Server 2 instance. To support HA, specify a private subnet in a different availability zone from the Tanium Server 1 instance.

    Compute Sizing
    Tanium Server Size: Initial size of Tanium Server Role Instances:

    • r5.large
    • r5.xlarge
    • r5.2xlarge
    • r5.4xlarge
    • m5.12xlarge
    • r5.12xlarge
    • r5.24xlarge
    • x1.16xlarge
    • x1.32xlarge

    Tanium Module Server Size: Initial size of Tanium Module Server Role Instances:

    • m5.large
    • m5.xlarge
    • m5.2xlarge
    • m5.4xlarge
    • m5.12xlarge
    • m5.24xlarge

    Tanium Zone Server Size: Initial size of Tanium Zone Server Role Instances:

    • c5.large
    • c5.xlarge
    • c5.2xlarge
    • c5.4xlarge
    • c5.9xlarge
    • c5.18xlarge

    RDS Instance Class: Instance class for RDS (relational database server):

    • db.t2.small
    • db.t2.medium
    • db.m4.large
    • db.m4.xlarge
    • db.m4.2xlarge
    • db.m4.4xlarge
    • db.m4.10xlarge

    EC2 Instance Configuration
    Operating System: Select CentOS7 or RedHat7.
    Custom AMI: Specify the name of a custom AMI. Only valid if Operating System is Custom.
    Tanium Server 1 Instance Name: Optional. Change the default name for the server instance.
    Tanium Server 2 Instance Name: Optional. Change the default name for the server instance.
    Tanium Module Server Instance Name: Optional. Change the default name for the server instance.
    Tanium Zone Server 1 Instance Name: Optional. Change the default name for the server instance.
    Tanium Zone Server 2 Instance Name: Optional. Change the default name for the server instance.
    Tanium Server Custom IAM Policy ARN: Optional. Specify the Amazon Resource Name (ARN) for an Identity and Access Management (IAM) policy to add to the Tanium Server Instance Profile. See AWS: IAM Identifiers.
    Tanium Module Server Custom IAM Policy ARN: Optional. Specify the ARN for an IAM policy to add to the Tanium Module Server Instance Profile.
    Tanium Zone Server Custom IAM Policy ARN: Optional. Specify the ARN for an IAM policy to add to the Tanium Zone Server Instance Profile.

    VPC Endpoint Service Connectivity
    Enable VPC Endpoint Service for Tanium Web Traffic: Select True to provision a VPC Endpoint Service for Tanium Console traffic.
    Enable VPC Endpoint Service for Tanium Client Traffic: Select True to provision a VPC Endpoint Service for Tanium Client traffic.

    Optional Monitoring Features
    Monitoring Enabled: Select True to enable CloudWatch log gathering and metric gathering.
    Log Retention in Days: Select a number of days to store logs. The default is 7 days.
    Enable CloudWatch Dashboard: Select True to enable the CloudWatch Dashboard.
    CloudWatch Dashboard Name: Optional. Change the default name of the dashboard.
    Enable Simple Notification Service Email Alerts: Select True to enable the AWS Simple Notification Service to send email-based alerts on alarms.
    Email Alert To Address: Specify an email address to receive alerts.
    EC2 Autoscaling Enabled: Select True to enable EC2 Instance Autoscaling based on CPU and memory.
    EBS Autoscaling Enabled: Select True to enable Tanium disks to autoscale on low free space.

    Optional Management Features
    Enable Tanium Disk Backup: Select True to enable the Data Lifecycle Manager Policy for Tanium disk backups (the /opt volume).
    Enable Automatic Patching: Select a target level for yum-cron:

    • default
    • security
    • security-severity:Critical
    • minimal security
    • minimal security-severity:Critical
    • Disable

    Enable Hardening: Select True to enable execution of OS hardening scripts. The hardening scripts target CIS level 1 server compliance.
    Enable Zone Server EC2 Instances: Select True to enable deployment of Zone Servers to public subnets.

    Optional YUM Configuration
    Enable EPEL Repository: Select True to enable the Extra Packages for Enterprise Linux (EPEL) repository. If not enabled, all required RPMs must be available from other sources.
    Additional Yum Repository: Specify the location of an alternate Yum repository to add using yum-config-manager --add-repo.

    Optional Initialization Script
    Tanium Server Initialization Script URI: Optional. If directed to do so by your TAM, specify the URI for a custom pre-initialization script for the Tanium Server role.
    Tanium Module Server Initialization Script URI: Optional. If directed to do so by your TAM, specify the URI for a custom pre-initialization script for the Tanium Module Server role.
    Tanium Zone Server Initialization Script URI: Optional. If directed to do so by your TAM, specify the URI for a custom pre-initialization script for the Tanium Zone Server role.

    Deployment Material Location
    CloudFormations Base URI: Populated with the appropriate AWS URI for most deployments. Change this only if instructed by your TAM.
    Configuration Script Base URI: Populated with the appropriate Tanium URI for most deployments. Change this only if instructed by your TAM.
    Configuration Script Download Method: Select wget or aws s3.
  6. Optional. Add additional key value pairs, configure advanced AWS CloudFormation options, and click Next.
  7. Review the configuration, select the acknowledgment that the deployment creates IAM roles, and click Create.

    It takes approximately 40 minutes to build the component server instances. When the process is complete, the tanium.pub file is copied to your S3 storage.
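Before launching the stack, it is worth checking the parameter values against the rules the table above states, since a typo in a CIDR range or a password the template rejects costs a 40-minute rebuild. The following added example (not Tanium's code) does that pre-flight check: it enforces the console password rules, validates the two access CIDR ranges and flags an all-address range, and confirms the HA placement of the paired instances. The parameter dictionary keys and the sample values are constructed for illustration, not the template's CloudFormation ParameterKeys.

```python
import ipaddress

# Rules below are the ones stated in the stack-configuration table; the
# dictionary keys are illustrative labels, not the template's ParameterKeys.
FORBIDDEN_PASSWORD_CHARS = set('/"@')

def check_console_password(pw):
    """Return problems with the initial taniumconsole password (empty list = OK)."""
    problems = []
    if not 8 <= len(pw) <= 128:
        problems.append("password must be between 8 and 128 characters")
    if any(not 0x20 <= ord(c) <= 0x7E for c in pw):
        problems.append("password must contain only printable ASCII characters")
    bad = sorted(set(pw) & FORBIDDEN_PASSWORD_CHARS)
    if bad:
        problems.append("password must not contain " + " ".join(bad))
    return problems

def check_access_cidr(label, cidr):
    """Validate a CIDR access range; a zero-length prefix exposes the service to every address."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return [f"{label}: {cidr!r} is not a valid CIDR range"]
    if net.prefixlen == 0:
        return [f"{label}: {cidr} permits access from any address; restrict it to management ranges"]
    return []

def check_ha_placement(az1, az2, role):
    """HA needs the two instances of a role in different Availability Zones."""
    return [f"{role} 1 and 2 share {az1}; use different Availability Zones for HA"] if az1 == az2 else []

def validate_stack_parameters(params):
    """Collect every problem found in a proposed parameter set."""
    problems = check_console_password(params["console_password"])
    problems += check_access_cidr("Web Console Access CIDR Range", params["console_cidr"])
    problems += check_access_cidr("Bastion Host Access CIDR Range", params["bastion_cidr"])
    problems += check_ha_placement(params["public_subnet_az1"], params["public_subnet_az2"], "Zone Server")
    problems += check_ha_placement(params["private_subnet_az1"], params["private_subnet_az2"], "Tanium Server")
    return problems

# Constructed sample: a deliberately flawed parameter set showing what the check catches.
SAMPLE_PARAMS = {
    "console_password": "p@ss/word", "console_cidr": "0.0.0.0/0",
    "bastion_cidr": "203.0.113.0/24",
    "public_subnet_az1": "us-east-1a", "public_subnet_az2": "us-east-1a",
    "private_subnet_az1": "us-east-1a", "private_subnet_az2": "us-east-1b",
}
```

Running `validate_stack_parameters(SAMPLE_PARAMS)` reports the forbidden password characters, the open console range and the Zone Server pair sharing one zone, while the bastion range and the Tanium Server placement pass.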

Download the Tanium Server public key file

Go to your Amazon S3 bucket for the Tanium Server role and download the Tanium Server public key file (tanium.pub) so you can include it in Tanium Client deployment packages.

Install the Tanium license

Go to your Amazon S3 (storage) bucket for the Tanium Server role and upload the tanium.license file.

A job has been set up on the Tanium Server to copy the uploaded license to the Tanium Server instance. When the job is completed, the license file is added to the /opt/Tanium/TaniumServer directory, and the Tanium Server is restarted to apply the license file.

What to do next

Verify the deployment.

Last updated: 4/4/2019 3:35 PM