Last updated: July 20, 2021
You deploy Burp Suite Enterprise Edition on AWS using a pair of CloudFormation templates. You can download these templates from the respective release notes for the version of Burp Suite Enterprise Edition that you want to deploy.
The main CloudFormation template creates almost all of the required AWS infrastructure. This includes:
The template also creates the following temporary resources so that it can deploy the application to the EKS cluster for you:
You will be charged for the few minutes that these temporary resources are used during the deployment process. However, once the deployment is complete, they will no longer be used and there will be no further charge for them.
The following diagram shows an example of a Burp Suite Enterprise Edition deployment on AWS:
The main template actually comprises three nested templates. You can find the URLs for the nested templates by searching for the respective file names within the main template:
This gives you the option to use only part of the template if you prefer. For example, you may already have the required infrastructure or would prefer to set it up manually and, as a result, just want to use the template for the final deployment steps. In this case, instead of entering the top-level URL for the main template in AWS, you could just enter the URL for the nested deployment.yaml template instead.
There is also a separate template for setting up the required Identity and Access Management (IAM) roles. This template is provided separately because, in many organizations, the user performing the actual deployment does not have the appropriate permissions to set up the IAM roles themselves.
The process for deploying Burp Suite Enterprise Edition on AWS involves the following steps:
The provided IAM CloudFormation template generates all of the required roles for you and creates a new group to which these roles are assigned. The user who will perform the actual deployment process needs to belong to this group.
If some of these roles already exist in your AWS environment, you can modify the template to add only the ones that you're missing. Alternatively, you can add the missing roles and create the group manually.
If you would prefer to create the roles manually, you can inspect the template to see which roles are required. In this case, you will need to make a note of the Amazon Resource Names (ARNs) that correspond to each role; you need these later when deploying Burp Suite Enterprise Edition.
To set up the IAM roles using the CloudFormation template:
CREATE_COMPLETE. All of the roles and the new group burp-suite-enterprise-edition-CloudFormationUsers should now be available.
burp-suite-enterprise-edition-CloudFormationUsers. This is the user who will perform the actual deployment of Burp Suite Enterprise Edition. Although you can perform the deployment as an existing user by adding them to this group, we recommend creating a dedicated, low-privileged user specifically for this purpose.
Unlike for on-premise installations, there is no bundled database option when running Burp Suite Enterprise Edition on the cloud. However, when deploying to AWS, the main CloudFormation template does provide the option to automatically create and set up a new PostgreSQL database for you. If you want to use this option, you can skip this section and move on to creating the main stack.
Alternatively, you can create a new database manually or connect Burp Suite Enterprise Edition to an existing one. You can use any of our supported database types. We recommend using Amazon's Relational Database Service (RDS) to create a database instance in a dedicated VPC.
Once you've created the RDS instance, you need to configure the inbound connection rules for the VPC security group. This is to allow access from the subnets that you plan to allocate to Burp Suite Enterprise Edition's EKS cluster later.
By default, the subnets 10.0.0.192/26 are used. If you're happy with these defaults, you can enter the values exactly as described below. Alternatively, you can choose to allow connections from different subnets and override the default values later in the CloudFormation template.
If you later change your mind about which subnets to use, remember to update these inbound connection rules accordingly.
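The following added example (not part of the original documentation or the CloudFormation templates) checks a list of RDS security group inbound rules against the subnets allocated to the EKS cluster, reporting subnets that have no access and rules that admit addresses outside those subnets, such as a stale rule left behind after a subnet change. The function name, port 5432 (PostgreSQL's default) and every sample value except 10.0.0.192/26 are assumptions constructed for illustration.

```python
import ipaddress

DB_PORT = 5432  # assumption: PostgreSQL default port; change for other engines


def _covered(net, allowed):
    """True if net lies entirely inside one of the collapsed allowed networks."""
    return any(net.subnet_of(a) for a in allowed)


def audit_inbound_rules(eks_subnets, inbound_rules, port=DB_PORT):
    """Compare inbound rules (cidr, port) with the EKS subnets (IPv4 only).

    Returns:
      missing     - EKS subnets not fully allowed on the database port
      outside_eks - rules on the database port that admit addresses
                    outside the EKS subnets (too broad or stale)
    """
    eks = [ipaddress.ip_network(s) for s in eks_subnets]
    rules = [ipaddress.ip_network(c) for c, p in inbound_rules if p == port]
    # Collapsing merges adjacent/nested ranges, so a subnet allowed by
    # several smaller rules together is still recognised as covered.
    eks_union = list(ipaddress.collapse_addresses(eks))
    rule_union = list(ipaddress.collapse_addresses(rules))
    return {
        "missing": [str(s) for s in eks if not _covered(s, rule_union)],
        "outside_eks": [str(r) for r in rules if not _covered(r, eks_union)],
    }


# Constructed sample: 10.0.0.192/26 appears in this page; 10.0.0.64/26 and
# 10.0.0.128/26 are made-up values modelling a subnet that was changed
# without updating the security group.
SAMPLE_EKS_SUBNETS = ["10.0.0.64/26", "10.0.0.192/26"]
SAMPLE_RULES = [
    ("10.0.0.192/26", 5432),
    ("10.0.0.128/26", 5432),  # stale rule for a subnet no longer in use
]

if __name__ == "__main__":
    report = audit_inbound_rules(SAMPLE_EKS_SUBNETS, SAMPLE_RULES)
    print("EKS subnets without database access:", report["missing"])
    print("Rules reaching beyond the EKS subnets:", report["outside_eks"])
```

Both lists are empty when the inbound rules match the EKS subnets exactly.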
Once you've created and configured the RDS instance, you need to connect to it and create the actual database.
Unless you used custom values, this will create a database called burp_enterprise as well as two users, called burp_agent respectively. These are used by the Enterprise server and agents to connect to the database. Make a note of the passwords you set because you will need to provide these in the CloudFormation template later.
You are now ready to create the stack and deploy the application using the main CloudFormation template.
These instructions generally assume that you're using the full template. If you're only using one of the nested templates, some of these steps will not apply.
burp-suite-enterprise-edition-CloudFormationUsers. In most cases, this will be the new user that was created when setting up the IAM roles.
Under "Network Configuration", perform the following steps:
10.0.0.0/24. Be aware that the ranges that you allocate to the EKS cluster later will need to be subnets of this range.
If you adjust these ranges, you need to make sure that:
Under "Database Configuration", the details you need to enter depend on whether you want to use your own database or create a new one automatically via the template.
burp_enterprise and a secure password of your choosing.
burp_agent and a secure password of your choosing.
As part of the deployment process, you also create the initial admin user for Burp Suite Enterprise Edition. Once you have finished the deployment, you will need to log in using these credentials in order to perform the initial configuration and create other users.
burp-suite-enterprise-edition-CloudFormationServiceRole to pass this role to the template.
Now that the application is deployed, you need to get the associated DNS name so that you can launch Burp Suite Enterprise Edition in your browser.
Name : <your-stack-name>. This is the name that you specified earlier when creating the stack, for example: Name : burp-suite-enterprise. Please note that you need to include the spaces before and after the colon.
You can access the Burp Suite Enterprise Edition login page by visiting the DNS name you just copied in your browser. Note that this is not available from the public internet and can only be accessed via your VPC. Therefore, you will need to set up the appropriate routing from your client browser into the VPC, for example, using a VPN or VPC peering.
You can then log in using the admin username and password that you set during the main deployment. You will be prompted to activate your license and perform the initial configuration for Burp Suite Enterprise Edition. The remainder of this process is the same as for an on-premise installation.