Arctic Wolf Appliances

vScanner Installation in an AWS Environment

Updated Feb 20, 2024

Install a vScanner in an AWS Environment


  • vScanners do not support auto-scaling in Amazon Web Services (AWS)®.
  • Amazon GuardDuty flags vScanners as containing malware because vScanners contain code that is used to detect vulnerabilities. To avoid this behavior, create a suppression rule to exclude the vScanner from Amazon GuardDuty® monitoring. See the AWS documentation for more information.

You can install an Arctic Wolf® Virtual Scanner (vScanner) in an AWS environment.

Before you begin


  1. Provide AWS account IDs to Arctic Wolf.
  2. Create a vScanner instance.
  3. Configure network settings for the vScanner instance.
  4. Configure security group rules for the vScanner instance.
  5. Launch and verify the EC2 instance.
  6. Configure the vScanner.
  7. Activate the vScanner.

Step 1: Provide AWS account IDs to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, in the Account Type list, select Cloud Detection and Response.

  5. In the Search Services field, enter appliance.

  6. Click vSensor AMI.

  7. On the Add Account page, configure these settings:

    • Account Name — Enter a unique and descriptive name for the account.
    • Account ID — Enter the AWS account number.
  8. Click Test and Submit Credentials.

Note: It can take up to 24 hours for the vScanner AMI to become visible.

Step 2: Create a vScanner instance

  1. Sign in to the AWS console.

  2. In the Amazon Machine Images (AMI) section, click Arctic Wolf Appliance-.

  3. Click Launch Instance from AMI.

  4. In the Name and tags section, enter a name for your vScanner.

  5. In the Application and OS Images (Amazon Machine Image) section, keep the default settings.

  6. In the Key pair (login) section, click Proceed without a key pair.

  7. In the Configure storage section, keep the default settings, unless you require more storage.

  8. In the Advanced details section, for Termination Protection, select the Enable checkbox.

  9. Click Save.

  10. In the Instance Type section, select c5n.2xlarge.

Step 3: Configure network settings for the vScanner instance

  1. In the AWS console, in the Network settings section, click Edit.
  2. Select one of these options:
    • VPC — The VPC to deploy the vScanner on.

    • Subnet — The subnet to deploy the vScanner on.


      • The private or public subnet option depends on your network. Arctic Wolf recommends that you use a private subnet.
      • Do not select No preference.
    • Auto-assign public IP — Select one of these options:

      • Enable
      • Disable — If you use a private subnet or if your environment requires you to enter a specific IP address.

Step 4: Configure security group rules for the vScanner instance

  1. Find the Firewall (security groups) section.

  2. Do one of these actions:

    • To use an existing security group — Click Select an existing security group, select the appropriate security group, and then continue to Launch and verify the EC2 instance.
    • To create a new security group — Click Create a new security group.
  3. Remove default security rules.

  4. In the Security group name section, enter a name for the security group.

  5. In the Description section, enter a description for the security group.

  6. Remove the default inbound security group rule.

  7. Add a rule to allow all outgoing traffic, if it does not already exist.

Step 5: Launch and verify the EC2 instance

  1. Click Launch Instance.

  2. Click the instance ID, where the ID value is i-<hexadecimals>.

  3. Click the instance ID to view details.

    Note: If the instance ID does not appear, refresh the page.

  4. Verify that the Instance state is Running.

Step 6: Configure the vScanner

Tip: During this procedure, see the Serial Console User Guide for more information.

  1. If you have not used the serial console before, complete these steps to configure serial console access:

    1. Click Actions > Account Attributes.
    2. In the Account Attributes section, select EC2 Serial Console.
    3. In the EC2 Serial Console section, select the Allow checkbox.
    4. Click Update.
  2. In the EC2 management console, select Instances, and then enter the vScanner instance ID.

  3. Click Actions > Monitor and Troubleshoot > EC2 Serial Console > Connect.

  4. When prompted, or if the screen is blank, press the Enter key three times.

    Note: If you selected an unsupported EC2 instance type, an error message displays. To continue, terminate the vSensor and create a new one with a supported EC2 instance type.

  5. Click Next.

    A series of connectivity checks begin.

  6. If a connectivity check fails, edit the VPC, subnet, or security group as needed, and then complete the connectivity checks again.

  7. When the connectivity check passes, click Next.

  8. In the Shorthand section, enter a name for the vScanner in the MDR Dashboard.

  9. Select the Scanner deployment type.

  10. Click Next.

Step 7: Activate the vScanner

Note: Only the user who completed Configure the vScanner can activate the vScanner.

  1. Sign in to the MDR Dashboard.

  2. Click Account > Arctic Wolf Appliance Management.

  3. Find the appliance that you want to activate.

  4. In the Actions column, click Activate <appliance>, and then click Activate <appliance> when prompted.

    The console displays Appliance activation in progress, please wait.

  5. When prompted, press Enter three times to activate the console.

Next steps

See also