AI Runtime Security
AWS Cloud Account Onboarding Prerequisites
Table of Contents
Expand All
|
Collapse All
AI Runtime Security Docs
-
- AI Runtime Security Setup Prerequisites
- Manage Onboarded Cloud Accounts in Strata Cloud Manager
-
- Create and Associate a Deployment Profile for AI Runtime Security: API Intercept
- Manage Deployment Profile in the Customer Support Portal (CSP)
- Onboard AI Runtime Security: API Intercept in Strata Cloud Manager
- Manage AI Runtime Security: API Intercept Scan Logs
- Manage Applications, API Keys, and Security Profiles
AWS Cloud Account Onboarding Prerequisites
Discovery onboarding prerequisites for AWS.
On this page, you will:
- Create an AWS S3 Bucket
- AWS VPC Flow Logs
- Enable Access from AWS in EKS Authentication
- Associate a Role for VM Model Invocation
- Assign Role to Pods for Model Access
Where Can I Use This? | What Do I Need? |
---|---|
|
Create an AWS S3 Bucket
- Sign in to the AWS Management Console.
- Navigate to the S3 service.
- Click on Create bucket.
- View the AWS region where your bucket will be created. The region must be the same region in which you have your AI models.
- Enter a unique Bucket name.
- Configure options (if needed) and choose Create bucket.Refer to Creating a bucket - Amazon Simple Storage Service for more information.
AWS VPC Flow Logs
- Sign in to the AWS Management Console.
- Go to VPC dashboard > Subnets.
- Select the subnet for app VPC and switch to the Flow logs tab.
- Create a flow log or edit an existing flow log.
- Enter a Name.
- Under Destination, select Send to an Amazon S3 bucket you created in the previous section and provide the ARN for the S3 bucket.
- Enter the S3 bucket ARN.
- For Log record format, choose Custom Format and select all the Standard attributes.
- (Optional) To partition your flow logs per hour, choose Every 1 hour (60 mins) in Partition logs by time.
- Leave the remaining settings as default, unless your use case requires specific configurations.
- Choose Create flow log or Save.
- Go to theAWS Bedrock Console to manage model permissions and enable model access. Then, set up AWS CloudTrail for logging model access and revocation by following the steps in theAWS documentation.
Enable Access from AWS in EKS Authentication
- Sign in to the AWS Management Console.
- Go to Elastic Kubernetes Service.
- Navigate to the EKS Console.
- Click on your EKS cluster and select the Access tab within that cluster page.
- Click Manage access.
- Under Cluster authentication mode, select EKS API and ConfigMap.
- Save changes.
- In the IAM access entries section of the Access tab, click the Create access entry button.
- Find the IAM role that got created as part of the onboarding process when Terraform was executed.
- Click the Skip to Review and create button and finish the creation process.
- In the Access tab, find the IAM principal ARN that was added and select it.
- Click Add access policy.
- Under Policy name, select AmazonEKSViewPolicy.
- Click Add access policy.
- Navigate back to your cluster and select the Networking tab.
- Click Manage endpoint access.
- Under Cluster endpoint access, select Public access.
- Select Advanced settings to allow the perimeter firewall and add the following IP addresses to access this cluster:34.71.64.3/32 34.28.60.186/32Code copied to clipboardUnable to copy due to lack of browser support.
- Save changes.
Associate a Role for VM Model Invocation
- Sign in to the AWS Management Console.
- Navigate to IAM Roles.
- Create a new role or edit an existing one.
- Under Trust relationships Select Trusted Entity.
- Configure Trust Policy and add the following Trust Policy:{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }Code copied to clipboardUnable to copy due to lack of browser support.This policy grants EC2 instances permission to assume the role, enabling them to use the permissions defined in the role's policy.
- Under the Permissions tab, click on your policy.
- Search and attach the Bedrock > InvokeModel services under Add actions. Click Next and Save changes.
- Or, Create or attach a policy with the following permissions:{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "bedrock:InvokeModel", "Resource": "*" } ] }Code copied to clipboardUnable to copy due to lack of browser support.This step ensures that the EC2 instances have the necessary permissions to invoke models using the Bedrock service.
- Review and Create Role.
- Choose Next: Tags, add any tags if needed, then choose Next: Review.
- Review your settings and select Create role.
Assign Role to Pods for Model Access
- Sign in to the AWS Management Console.
- Go to Elastic Kubernetes Service (EKS).
- Select your EKS cluster.
- Go to Access > Pod Identity associations.
- Create an IAM role with the AmazonEKSClusterPolicy and attach it to the Pod Identity configuration to enable the role for your Kubernetes service account.
- Use the following pod configuration in a YAML file and deploy it with `kubectl apply -f <filename>.yaml` to specify the service account and IAM role for your pods.Replace the example values with your specific values:apiVersion: v1 kind: Pod metadata: creationTimestamp: "2024-10-03T04:14:13Z" generateName: app1-awsbedrock-daycero-awsdisc1-54847845d5- labels: app: app1-awsbedrock-daycero pod-template-hash: 54847845d5 name: app1-awsbedrock-daycero-awsdisc1-54847845d5-4cctt namespace: app1-awsdisc1-day0 ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: ReplicaSet name: app1-awsbedrock-daycero-awsdisc1-54847845d5 uid: b1505220-6b7f-4fb6-a7d3-c681f6e17429 resourceVersion: "7859523" uid: 8988ce57-40f2-478e-8b68-6e7942889487 spec: automountServiceAccountToken: true containers: - env: - name: MY_POD_NAME value: metadata.name - name: MY_POD_NAMESPACE value: metadata.namespace - name: MY_POD_IP value: status.podIP - name: AWS_STS_REGIONAL_ENDPOINTS value: regional - name: AWS_DEFAULT_REGION value: us-east-1 - name: AWS_ROLE_ARN value: arn:aws:iam::0xxxx7215560:role/eks1-bedrock-role-awsdisc1-384014fd - name: AWS_WEB_IDENTITY_TOKEN_FILE value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token image: 018147215560.dkr.ecr.us-west-2.amazonaws.com/aifwdisccnt:aws_bedrock_role_based imagePullPolicy: IfNotPresent name: app1-awsbedrock-dayceroawsdisc1 resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-r7rzc readOnly: true - mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount name: aws-iam-token readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true nodeName: ip-10-1-60-171.ec2.internal preemptionPolicy: PreemptLowerPriority priority: 0 restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: app1-awsdisc1-sa serviceAccountName: app1-awsdisc1-sa shareProcessNamespace: false terminationGracePeriodSeconds: 30 tolerations: - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists tolerationSeconds: 300 - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists tolerationSeconds: 300 volumes: - name: aws-iam-token projected: defaultMode: 420 sources: - serviceAccountToken: audience: sts.amazonaws.com expirationSeconds: 86400 path: token - name: kube-api-access-r7rzc projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace