Skip to main content

Minimal Deployment Guide

This guide provides step-by-step instructions for deploying a Cado instance from the AWS console, aimed at helping you get up and running with the platform as quickly as possible

The initial deployment offers a basic working environment; however, certain functionalities are not included. Refer to the ‘Extensions’ section for details on missing features and instructions on how to add them.

Initial Deployment

Prerequisites

Before starting, make sure you have all the following:

  • The Cado version number you want to deploy. We recommend using our updates page to retrieve the latest version.
  • An S3 bucket for Cado to use. This should be for use exclusively by Cado - do not attempt to reuse/share an existing bucket
  • A Cado Instance IAM policy containing the following (IAM > Policies > Create policy > JSON)

Create Policy

{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Sid": "RequiredForCadoHostAndPreservation",
     "Effect": "Allow",
     "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:RestoreObject",
        "s3:PutObjectTagging",
        "s3:GetObjectTagging"
     ],
     "Resource": "arn:aws:s3:::MY_CADO_BUCKET/*" // Replace MY_CADO_BUCKET with your bucket name and delete this comment
   },
   {
      "Sid": "RequiredForCadoHostAndPreservation2",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::MY_CADO_BUCKET" // Replace MY_CADO_BUCKET with your bucket name and delete this comment
   }
 ]
}
  • A Role (“a Cado Instance Profile Role”), with your Cado Instance Policy attached.
    • To create an instance profile go to IAM > Roles > Create Role. Select ‘AWS Service’ for trusted entity type and EC2 for Use case. Click Next then select your policy and create.

Trusted Entity

  • A VPC to deploy into which has:

    • Outbound route to the public internet
    • Subnet
    • DNS hostnames enabled
    • DNS resolution enabled

  • An SSH key pair in the region you are deploying in

Instructions

  1. Visit the Launch an instance page in the AWS console

Launch Instance

  1. Enter a name and any tags required by your organization

Name and Tag

  1. Configure AMI:

    a. Click Browse more AMIs

AMI

b. Select Community AMIs tab

c. Paste the Cado AMI for your region (see prerequisites) into the search bar

d. Select the returned AMI. If you don’t get results here double check you have the AMI id from the region you are trying to deploy into

Cado AMI

  1. Configure Instance type: select t3.2xlarge (other Nitro based instance types may be supported)

Instance Type

  1. Select SSH Key pair

Key Pair

  1. Configure Network settings:

    a. Click Edit

    b. Select VPC from the prerequisites (which may be your default VPC)

    c. Select Subnet from prerequisites, or ‘No Preference’ If you don’t mind which subnet in the VPC is used and they all meet the requirements.

    d. Set Auto-assign public IP to ‘Enable’.

    e. Select ‘Create security group’

    f. Add an inbound security rule with Type ‘SSH’ and Source Type ‘My IP’.

    g. Add an inbound security rule with Type ‘HTTPS’ and Source Type ‘My IP’

    • Note: this allows access to the Cado Instance from your IP only! If you want to allow other IPs you can configure additional IPs here.

Network Settings

  1. Configure “Storage (volumes)”

    a. Select Advanced

    EBS Volume

    b. Select “Add new volume”

    Add Volume

    c. Set ‘Size’ to 100GB

    Set Disk Size

  2. Configure “Advanced details”

    a. Select your role in the “IAM instance profile” dropdown

    IAM Instance Role

    b. Replace MY_CADO_BUCKET in the text below, and paste into the “User data” block:

#!/bin/bash -x
echo "[FIRST_RUN]" > /home/admin/processor/first_run.cfg
echo "bucket = MY_CADO_BUCKET" >> /home/admin/processor/first_run.cfg

User Data

  1. Click Launch instance

Summary

  1. After launching it will take a few minutes for Cado to start.

Success

Optional Extensions

Workers

The initial deployment uses a single Compute instance, limiting imports to Cado Host captures and restricting simultaneous evidence processing to ensure stability. Additional EC2 instances are required to process more data or multiple evidence items concurrently.

To enable Workers follow the workers document - Enable Workers

Secret Manager

The initial deployment stores the key used to encrypt secrets in Cado locally on the machine. Enabling a Secret Manager allows Cado to instead store the key in AWS Secrets Manager.

To enable Secret Manager follow the secret manager document - Enable Secret Manager

NFS

The initial deployment deployment deploys without a Network File Share (NFS). Enabling an NFS allows Cado to keep a copy of every file processed on disk. This enables the re-running of analysis and the downloading of the original file in the UI for further analysis.

To enable NFS follow the NFS document - Enable NFS