Deploying Burp Suite Enterprise Edition on AWS

You deploy Burp Suite Enterprise Edition on AWS using a pair of CloudFormation templates. You can download these templates from the respective release notes for the version of Burp Suite Enterprise Edition that you want to deploy.

Main CloudFormation template

The main CloudFormation template creates almost all of the required AWS infrastructure. This includes:

The template also creates the following temporary resources so that it can deploy the application to the EKS cluster for you:

Note

You will be charged for the few minutes that these temporary resources are used during the deployment process. However, once the deployment is complete, they will no longer be used and there will be no further charge for them.

The following diagram shows an example of a Burp Suite Enterprise Edition deployment on AWS:

Example Burp Suite Enterprise Edition deployment on AWS

Nested templates

The main template actually comprises three nested templates. You can find the URLs for the nested templates by searching for the respective file names within the main template:

This gives you the option to use only part of the template if you prefer. For example, you may already have the required infrastructure or would prefer to set it up manually and, as a result, just want to use the template for the final deployment steps. In this case, instead of entering the top-level URL for the main template in AWS, you could just enter the URL for the nested deployment.yaml template instead.

IAM CloudFormation template

There is also a separate template for setting up the required Identity and Access Management (IAM) roles. This template is provided separately because, in many organizations, the user performing the actual deployment does not have the appropriate permissions to set up the IAM roles themselves.

How to deploy Burp Suite Enterprise Edition on AWS

The process for deploying Burp Suite Enterprise Edition on AWS involves the following steps:

Set up the IAM roles

The provided IAM CloudFormation template generates all of the required roles for you and creates a new group to which these roles are assigned. The user who will perform the actual deployment process needs to belong to this group.

If some of these roles already exist in your AWS environment, you can modify the template to add only the ones that you're missing. Alternatively, you can add the missing roles and create the group manually.

Note

If you would prefer to create the roles manually, you can inspect the template to see which roles are required. In this case, you will need to make a note of the Amazon Resource Names (ARNs) that correspond to each role; you need these later when deploying Burp Suite Enterprise Edition.

To set up the IAM roles using the CloudFormation template:

  1. Go to the release notes for the version of Burp Suite Enterprise Edition that you want to deploy. Copy the URL for the IAM CloudFormation template.
  2. Log in to the AWS Management Console as a user with permission to create and manage IAM resources.
  3. Go to "Services" > "CloudFormation" to open the CloudFormation console.
  4. Click "Create Stack" > "With New Resources".
  5. In the "Amazon S3 URL" field, enter the URL for the IAM CloudFormation template that you copied from the release notes. Click "Next".
  6. In the "Stack Name" field, enter a name to help you identify the stack later, for example, burp-suite-enterprise-iam.
  7. Click "Next" and then click "Next" again.
  8. Select both of the following checkboxes:
    • I acknowledge that CloudFormation might create IAM resources
    • I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND
  9. Click "Create Stack". A new stack will appear in the list with the status CREATE_IN_PROGRESS.
  10. Wait for a few minutes while the stack is created. Eventually, the status will change to CREATE_COMPLETE. All of the roles and the new group burp-suite-enterprise-edition-CloudFormationUsers should now be available.
  11. Create a new user with minimal privileges. Set a password and make sure they have access to the AWS Management Console so that you can log in with this user.
  12. Add this user to the newly created group burp-suite-enterprise-edition-CloudFormationUsers. This is the user who will perform the actual deployment of Burp Suite Enterprise Edition. Although you can perform the deployment as an existing user by adding them to this group, we recommend creating a dedicated, low-privileged user specifically for this purpose.

Set up your own database (optional)

Unlike for on-premise installations, there is no bundled database option when running Burp Suite Enterprise Edition on the cloud. However, when deploying to AWS, the main CloudFormation template does provide the option to automatically create and set up a new PostgreSQL database for you. If you want to use this option, you can skip this section and move on to creating the main stack.

Alternatively, you can create a new database manually or connect Burp Suite Enterprise Edition to an existing one. You can use any of our supported database types. We recommend using Amazon's Relational Database Service (RDS) to create a database instance in a dedicated VPC.

Create the RDS instance

  1. Log in to the AWS Management Console as a user with permission to create and manage RDS resources.
  2. Go to RDS.
  3. Create an instance for one of our supported database types.

Configure the connection settings for the VPC security group

Once you've created the RDS instance, you need to configure the inbound connection rules for the VPC security group. This is to allow access from the subnets that you plan to allocate to Burp Suite Enterprise Edition's EKS cluster later.

By default, the subnets 10.0.0.128/26 and 10.0.0.192/26 are used. If you're happy with these defaults, you can enter the values exactly as described below. Alternatively, you can choose to allow connections from different subnets and override the default values later in the CloudFormation template.

Note

If you later change your mind about which subnets to use, remember to update these inbound connection rules accordingly.

  1. In the AWS Management Console, go to RDS.
  2. From the left-hand navigation panel, select "Databases".
  3. Select the database instance that you just created.
  4. On the "Connectivity & security" tab, click the name of the VPC security group that you assigned to the instance.
  5. On the "Inbound rules" tab, add a new inbound rule.
  6. Under "Type", select the database type that you're using, for example, PostgreSQL. The protocol and port should automatically be updated for you.
  7. Under "Source" select "Custom" and enter the following ranges (or custom ranges if you prefer):
    • 10.0.0.128/26
    • 10.0.0.192/26
  8. Save your changes.

Create the database and users for Burp Suite Enterprise Edition

Once you've created and configured the RDS instance, you need to connect to it and create the actual database.

  1. Connect to your RDS instance from a command prompt. The specific steps required to enable this access depend on your AWS environment. You may need to configure additional security groups and infrastructure. For details, please refer to the AWS documentation.
  2. Log in as the database admin user that you created when setting up the RDS instance.
  3. Enter the corresponding commands for your database type as described in our database setup documentation.

Unless you used custom values, this will create a database called burp_enterprise as well as two users, called burp_enterprise and burp_agent respectively. These are used by the Enterprise server and agents to connect to the database. Make a note of the passwords you set because you will need to provide these in the CloudFormation template later.

Create the main stack

You are now ready to create the stack and deploy the application using the main CloudFormation template.

Note

These instructions generally assume that you're using the full template. If you're only using one of the nested templates, some of these steps will not apply.

  1. Go to the release notes for the version of Burp Suite Enterprise Edition that you want to deploy. If you want to perform the full process using the main CloudFormation template, copy the top-level template URL. Alternatively, copy the URL for one of the nested templates instead.
  2. Log in to the AWS Management Console as a user that belongs to the group burp-suite-enterprise-edition-CloudFormationUsers. In most cases, this will be the new user that was created when setting up the IAM roles.
  3. Go to "Services" > "CloudFormation" to open the CloudFormation console.
  4. Click "Create Stack" > "With New Resources".
  5. In the "Amazon S3 URL" field, enter the template URL that you copied from the release notes. Click "Next".
  6. In the "Stack Name" field, enter a name to help you identify the stack later, for example, burp-suite-enterprise.

Network configuration

Under "Network Configuration", perform the following steps:

  1. Check that you're happy with the IP address range for the new VPC that will be created. The default range is 10.0.0.0/24. Be aware that the ranges that you allocate to the EKS cluster later will need to be subnets of this range.
  2. Enter two availability zones within your development region to use for the EKS cluster. Alternatively, you can leave these fields blank and the template will pick two availability zones for you.
  3. Check that you're happy with the small IP address range for the public subnet. By default, this is 10.0.0.0/28.
  4. Check that you're happy with the two IP address ranges that will be allocated to the nodes in the EKS cluster. The following ranges are used by default:
    • 10.0.0.128/26
    • 10.0.0.192/26

Note

If you adjust these ranges, you need to make sure that:

  • The new ranges you enter are subnets of the one that you allocated to the VPC earlier. We recommend allocating at least a quarter of a class C network to each subnet.
  • You have configured inbound connection rules to allow both of these ranges to access the RDS instance that you created earlier.
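
The conditions in the note above can be checked before you create the stack. The following is an added example and is not part of the product's templates or documentation; the function name check_network_plan, the (cidr, from_port, to_port) rule tuples and the PostgreSQL port 5432 are assumptions made for illustration.

```python
import ipaddress

# Hypothetical helper (not from the product's templates): validates the ranges
# entered under "Network Configuration" against the rules in the note above.
def check_network_plan(vpc, public, nodes, db_ingress=None, db_port=5432):
    """Return a list of problems; an empty list means the plan is consistent.

    db_ingress: inbound rules of the RDS security group as (cidr, from_port,
    to_port) tuples, or None if the template creates the database for you.
    db_port: assumed PostgreSQL default; change it for other database types.
    """
    problems = []
    vpc_net = ipaddress.ip_network(vpc)
    pub_net = ipaddress.ip_network(public)
    node_nets = [ipaddress.ip_network(n) for n in nodes]
    subnets = [pub_net] + node_nets

    for net in subnets:
        if not net.subnet_of(vpc_net):
            problems.append(f"{net} is not a subnet of the VPC range {vpc_net}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    for net in node_nets:
        # A quarter of a class C network is a /26, i.e. 64 addresses.
        if net.num_addresses < 64:
            problems.append(f"{net} is smaller than a /26")
        if db_ingress is None:
            continue
        allowed = any(
            lo <= db_port <= hi and net.subnet_of(ipaddress.ip_network(cidr))
            for cidr, lo, hi in db_ingress
        )
        if not allowed:
            problems.append(f"no inbound rule lets {net} reach port {db_port}")
    return problems

# Constructed sample: the page's default ranges and matching inbound rules.
DEFAULT_RULES = [("10.0.0.128/26", 5432, 5432), ("10.0.0.192/26", 5432, 5432)]

if __name__ == "__main__":
    print(check_network_plan("10.0.0.0/24", "10.0.0.0/28",
                             ["10.0.0.128/26", "10.0.0.192/26"], DEFAULT_RULES))
    # Node ranges changed, but the inbound rules were not updated to match.
    for p in check_network_plan("10.0.0.0/24", "10.0.0.0/28",
                                ["10.0.0.64/26", "10.0.0.192/27"], DEFAULT_RULES):
        print("PROBLEM:", p)
```

The second call shows the failure the earlier note warns about: the node ranges were changed without updating the security group, so one range cannot reach the database.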

Database configuration

Under "Database Configuration", the details you need to enter depend on whether you want to use your own database or create a new one automatically via the template.

To connect to an existing database that you have created separately:

  1. In the "Database URL" field, enter the JDBC URL for your database. You can find guidance on the expected format here.
  2. Leave the "Database Admin Username/Password" fields blank. From the "Database Instance Size" drop-down menu, select "N/A".
  3. In the "Enterprise Server Database Username/Password" fields, enter the credentials that the Enterprise server should use when connecting to the database. These are one of the sets of credentials that you created when setting up your database. By default, the username should be burp_enterprise.
  4. In the "Enterprise Agents Database Username/Password" fields, enter the credentials that agents should use when connecting to the database. These are one of the sets of credentials that you created when setting up your database. By default, the username should be burp_agent.

To automatically create a new PostgreSQL database during the deployment:

  1. Leave the "Database URL" field blank.
  2. In the "Database Admin Username/Password" fields, enter a new set of credentials that you want to create for the database admin user.
  3. Using the "Database Instance Size" drop-down menu, select the size of database that you want to create. Please refer to the AWS documentation for more details on the available options and pricing.
  4. In the "Enterprise Server Database Username/Password" fields, enter a new set of credentials that you want the Enterprise server to use when connecting to the database. We recommend the username burp_enterprise and a secure password of your choosing.
  5. In the "Enterprise Agents Database Username/Password" fields, enter a new set of credentials that you want agents to use when connecting to the database. We recommend the username burp_agent and a secure password of your choosing.

Admin credentials

As part of the deployment process, you also create the initial admin user for Burp Suite Enterprise Edition. Once you have finished the deployment, you will need to log in using these credentials in order to perform the initial configuration and create other users.

  1. Under "Admin User", enter the login credentials and email address that you want to set for the initial admin user in Burp Suite Enterprise Edition.
  2. Make a note of these credentials somewhere secure. This is important because you cannot retrieve them later if you forget them.
  3. Click "Next".

Kick off the deployment

  1. Optionally, enter suitable tags for the stack and resources according to your organization's policy.
  2. Under "Permissions", select the IAM role name burp-suite-enterprise-edition-CloudFormationServiceRole to pass this role to the template.
  3. Click "Next".
  4. Select both of the following checkboxes:
    • I acknowledge that CloudFormation might create IAM resources
    • I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND
  5. Click "Create Stack". A new stack will appear in the list with the status CREATE_IN_PROGRESS.
  6. Wait while the stack is created. This usually takes about 25-30 minutes. Eventually, the status will change to CREATE_COMPLETE.

Get the DNS name for launching Burp Suite Enterprise Edition

Now that the application is deployed, you need to get the associated DNS name so that you can launch Burp Suite Enterprise Edition in your browser.

  1. Log in to the AWS Management Console as a user with permission to view the resources of your Burp Suite Enterprise Edition deployment.
  2. Go to "Services" > "EC2" to open the EC2 console.
  3. Click "Load Balancers".
  4. In the filter bar at the top of the page, enter Name : <your-stack-name>. This is the name that you specified earlier when creating the stack, for example: Name : burp-suite-enterprise. Please note that you need to include the spaces before and after the colon.
  5. Press the enter key to apply the filter. Only one result should be returned. Select this entry.
    If you do not see any results, please wait a few minutes and try again. After the stack is created, it can sometimes take a while before the load balancer is up and running.
  6. From the "Description" tab, copy the "DNS name".

Set up routing and access the application

You can access the Burp Suite Enterprise Edition login page by visiting the DNS name you just copied in your browser. Note that this is not available from the public internet and can only be accessed via your VPC. Therefore, you will need to set up the appropriate routing from your client browser into the VPC, for example, using a VPN or VPC peering.

You can then log in using the admin username and password that you set during the main deployment. You will be prompted to activate your license and perform the initial configuration for Burp Suite Enterprise Edition. The remainder of this process is the same as for an on-premise installation.