Amazon Web Services — EC2 Console (GUI)
Deploy the RTA entirely from the AWS EC2 console. Your engagement lead shares a UEFI-boot AMI with your AWS account; you locate it in the console and launch an EC2 instance from it with a few clicks.
Before you start
Review the Amazon Web Services overview. You'll need the shared AMI ID and the AWS region from your engagement lead, an existing VPC subnet with outbound internet access (via NAT gateway or internet gateway), a key pair, and a security group that allows only outbound traffic.
1. Open the AMIs view
- Open the EC2 console and confirm the region (top-right corner) matches the region your engagement lead specified.
- In the left navigation pane, choose AMIs.
- In the first filter dropdown, choose Private images.
2. Select the shared AMI
- In the search bar, paste the AMI ID provided by your engagement lead (e.g. <SHARED_AMI_ID>).
- Select the AMI in the results list.
- Choose Launch instance from AMI.
Can't see the AMI?
If the AMI doesn't appear, double-check you're in the correct region and that the Private images filter is active. See the overview troubleshooting for more detail.
3. Configure the instance
The Launch an instance wizard opens with the AMI pre-selected.
Name
Enter a descriptive name (e.g. rta-engagement-01).
Instance type
Choose a Nitro-based instance type — the RTA image uses UEFI boot mode and will not launch on older Xen-based families.
| Sizing | Instance type |
|---|---|
| Minimum (2 vCPU / 4 GB) | t3.medium |
| Recommended (2 vCPU / 8 GB) | t3.large |
| Preferred (4 vCPU / 16 GB) | t3.xlarge or m5.xlarge |
Avoid Xen-based types
Do not select t2, m4, c3, c4, r3, or other pre-Nitro families. The instance will fail to start or boot to a blank screen because they do not support UEFI.
Key pair
Select an existing key pair, or create one. You'll use it to SSH to the
appliance from inside your network. The default admin user is swag.
Network settings
Click Edit to expand the networking options.
- VPC — select the VPC where the appliance will run.
- Subnet — select a private subnet that has a NAT gateway or internet gateway for outbound access. Do not place the appliance in a subnet with no egress — the appliance must reach the Sophos headend on first boot.
- Auto-assign public IP — set to Disable. The appliance only needs outbound access; no public IP is required or desired.
- Firewall (security groups) — select an existing security group that has:
  - No inbound rules (or only the rules needed for your internal SSH access from within the VPC).
  - Outbound: all traffic allowed (the appliance establishes the tunnel outbound).
If you need to create a new security group, name it rta-outbound-only and
add only the outbound rule. Do not add inbound rules from the internet.
Configure storage
The root volume defaults to the AMI's size. Confirm it is set to 40 GB (gp3). Do not reduce it.
4. Launch
Review the summary panel on the right and choose Launch instance.
The instance moves through Pending → Running in 30–60 seconds. Because the AMI is a generic image, the appliance comes up in activation mode and displays an Appliance Registration screen with a one-time activation code — you do not need to log in.
Verify
- In the EC2 console, navigate to Instances and select the new instance.
- Confirm:
  - Instance state: Running
  - Public IPv4 address: — (none)
  - Private IPv4 address: populated with your VPC address
To read the activation code, choose Actions → Monitor and troubleshoot → Get instance screenshot and look for the Appliance Registration screen. Give the code to your Sophos engagement lead. Once activated, the appliance provisions itself and the console switches to its live status dashboard.
Console access via Serial Console
For interactive access to the boot console, you can also use the EC2 Serial Console (requires the feature to be enabled at the account level). Navigate to Actions → Monitor and troubleshoot → EC2 Serial Console. This works on all Nitro instances without requiring network connectivity.
To SSH once the appliance is up:
ssh swag@<private-ip>
Run this from a host inside the same VPC (bastion, VPN endpoint, or direct connect peer).
Network access
The appliance makes one connection to do its job: an outbound tunnel to the Sophos headend. Nothing inbound is ever required — you never open or forward any ports to the appliance.
Allow this outbound destination
| Setting | Value |
|---|---|
| Destination | connect.remotetesting.secureworks.com |
| IP addresses | 3.33.194.251 and 15.197.255.2 (static — these do not change) |
| Port / protocol | TCP 443, carrying OpenVPN (not HTTPS) |
| Direction | Outbound only |
Allow egress on TCP/443 to that destination from the appliance's network. On a next-generation firewall or NAC-controlled network, an L3 "allow 443" rule is often not enough — Layer-7 application control, TLS/SSL decryption, or NAC can still drop the tunnel even when the port is open. See Connectivity Troubleshooting for the exact firewall and NAC exceptions to request.
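An added example, not part of the original guide or any vendor tooling: a Python check that audits the parsed JSON from `aws ec2 describe-instances` and `aws ec2 describe-security-groups` against the requirements in Network settings, Verify and Network access above. The sample dictionaries are constructed, and the function names `audit` and `allows_tcp` are hypothetical.

```python
import ipaddress

# Values from this page. The family set is only the pre-Nitro families the page names.
HEADEND_IPS = ("3.33.194.251", "15.197.255.2")
HEADEND_PORT = 443
PRE_NITRO_FAMILIES = {"t2", "m4", "c3", "c4", "r3"}

def allows_tcp(rule, ip, port):
    """True if one rule permits TCP `port` for IPv4 `ip` (CIDR ranges only; prefix lists ignored)."""
    proto = rule.get("IpProtocol")
    if proto not in ("-1", "tcp"):  # "-1" is the API's value for "all traffic"
        return False
    if proto == "tcp" and not (rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)):
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))

def audit(instance, group):
    """Return findings for one instance and its security group; [] means it matches the guide."""
    findings = []
    if instance.get("State", {}).get("Name") != "running":
        findings.append("instance is not running")
    if instance.get("PublicIpAddress"):  # key is absent when no public IP is assigned
        findings.append("instance has a public IPv4 address")
    if not instance.get("PrivateIpAddress"):
        findings.append("instance has no private IPv4 address")
    family = instance.get("InstanceType", "").split(".")[0]
    if family in PRE_NITRO_FAMILIES:
        findings.append(f"{family} is a pre-Nitro family (no UEFI boot)")
    for rule in group.get("IpPermissions", []):  # inbound rules
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])] + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
            findings.append(f"inbound rule open to the internet (protocol {rule.get('IpProtocol')})")
    for ip in HEADEND_IPS:
        if not any(allows_tcp(r, ip, HEADEND_PORT) for r in group.get("IpPermissionsEgress", [])):
            findings.append(f"no egress rule allows TCP {HEADEND_PORT} to {ip}")
    return findings

# Constructed samples shaped like describe-instances / describe-security-groups output.
GOOD_INSTANCE = {"State": {"Name": "running"}, "InstanceType": "t3.large", "PrivateIpAddress": "10.0.12.34"}
GOOD_GROUP = {"IpPermissions": [], "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
BAD_INSTANCE = {"State": {"Name": "running"}, "InstanceType": "t2.medium",
                "PrivateIpAddress": "10.0.12.35", "PublicIpAddress": "198.51.100.7"}
BAD_GROUP = {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
             "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "3.33.194.251/32"}]}]}

if __name__ == "__main__":
    for label, inst, grp in (("good", GOOD_INSTANCE, GOOD_GROUP), ("bad", BAD_INSTANCE, BAD_GROUP)):
        print(label, audit(inst, grp) or "matches the guide")
```

A clean result covers only the instance attributes and security group rules; the Layer-7, TLS-decryption and NAC controls mentioned above are not visible in these API responses.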
Troubleshooting
Deployed but something isn't right?
See Amazon Web Services troubleshooting for the most common issues on this platform and how to fix them.