  • Terraform
  • An AWS account
  • An IAM user and role for Terraform
    • An AWS keypair for that user


Expected time to completion: 25 minutes

By building DetectionLab in AWS, we can take advantage of the pre-built Windows AMIs that have already been completely provisioned. Here is what happens when terraform apply is called:

  1. A VPC is created
  2. A subnet is created
  3. An internet gateway is created to give our subnet access to the outside world
  4. A security group is created to allow inbound traffic from whitelisted IP addresses. These IP addresses are configured in the terraform.tfvars file you create in step 4 below.
  5. The logger host is fully provisioned from an Ubuntu base AMI.
  6. The Windows hosts are pre-provisioned and are spun up from an AMI. No provisioning is necessary.
  7. Instances can then be accessed via RDP, SSH, and via your browser.

Please remember that keeping your instances online for long periods of time will rack up your AWS bill. Don’t forget to terraform destroy your instances once you’re done using them!

Deployment Instructions

  1. Clone the DetectionLab repo to your filesystem: git clone
  2. In your AWS console, create and apply this policy to the IAM user whose keypair you will be using for Terraform. This policy has been tailored to grant only the permissions DetectionLab requires.
  3. Configure the AWS command line utility and set up a profile for Terraform via aws configure --profile terraform.
  4. Create a private/public keypair to use to SSH into logger: ssh-keygen -b 4096 -f ~/.ssh/id_logger
  5. Copy the file at DetectionLab/AWS/Terraform/terraform.tfvars.example to DetectionLab/AWS/Terraform/terraform.tfvars
  6. In terraform.tfvars (the file you just copied), provide overrides for the variables specified in

    AMIs are currently only available in us-west-1 and us-east-1 due to storage costs. If you’d like to bring up DetectionLab in another region, please view deploying DetectionLab in a different AWS region.

    Failing to complete this step will cause the lab to be unreachable.

  7. From the DetectionLab/AWS/Terraform directory, run terraform init to set up the initial Terraform configuration
  8. Run terraform apply to begin the provisioning process
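
Because the security group admits only the addresses listed in terraform.tfvars, it is worth checking that list before running terraform apply. The following is an added example, not part of the DetectionLab code: it assumes the whitelist variable is named ip_whitelist, and the /24 threshold is a hypothetical local policy.

```python
import ipaddress
import re

# Constructed sample of a terraform.tfvars file. The variable name
# "ip_whitelist" is an assumption; use the name from your own tfvars file.
SAMPLE_TFVARS = '''
region       = "us-west-1"
ip_whitelist = ["203.0.113.7/32", "0.0.0.0/0", "198.51.100.0/16", "192.0.2.10"]
'''

MIN_PREFIX = 24  # hypothetical local policy: nothing broader than a /24 (IPv4)


def extract_list(tfvars_text, name):
    """Return the quoted items of an HCL list assignment `name = [...]`, or None."""
    match = re.search(rf'^\s*{re.escape(name)}\s*=\s*\[(.*?)\]', tfvars_text, re.M | re.S)
    return None if match is None else re.findall(r'"([^"]*)"', match.group(1))


def audit_whitelist(tfvars_text, name="ip_whitelist"):
    """Return (entry, problem) pairs for whitelist entries that need attention."""
    entries = extract_list(tfvars_text, name)
    if not entries:
        return [(name, "not set or empty: the lab will be unreachable")]
    findings = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((entry, "not a valid IP network"))
            continue
        if "/" not in entry:
            findings.append((entry, "no prefix length: write it as a CIDR such as /32"))
        elif net.prefixlen == 0:
            findings.append((entry, "matches every address on the internet"))
        elif net.prefixlen < MIN_PREFIX:
            findings.append((entry, f"broader than /{MIN_PREFIX}"))
    return findings


if __name__ == "__main__":
    for entry, problem in audit_whitelist(SAMPLE_TFVARS):
        print(f"{entry}: {problem}")
```

To check a real file, pass its contents to audit_whitelist() in place of SAMPLE_TFVARS; an empty result means no entry was flagged.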

Quickstart Video

A sample video of the setup process can be viewed here: DetectionLab - Terraform

Building your own AMIs

For more information about creating your own AMIs (as opposed to using the pre-built ones), please read this wiki page: Terraform: Building Your Own AMIs