>
    AWS Cloud Account Onboarding Prerequisites
    Focus
    Download PDF
    Focus
    1. Home
    2. AI Runtime Security
    3. Onboard and Activate a Cloud Account in SCM
    4. AWS
    5. AWS Cloud Account Onboarding Prerequisites
    Download PDF
    AI Runtime Security

    AWS Cloud Account Onboarding Prerequisites

    Table of Contents

    AWS Cloud Account Onboarding Prerequisites

    Discovery onboarding prerequisites for AWS.
    This section outlines the prerequisites for onboarding an AWS cloud account in Strata Cloud Manager (SCM).
    On this page, you’ll:
    Where Can I Use This?What Do I Need?
    • AI Runtime Security in AWS

    Create an AWS S3 Bucket

    1. Sign in to the AWS Management Console.
    2. Navigate to the S3 service.
    3. Click on Create bucket.
    4. View the AWS region where your bucket will be created. The region must be the same region in which you have your AI models.
    5. Enter a unique Bucket name.
    6. Configure options (if needed) and choose Create bucket.
      Refer to Creating a bucket - Amazon Simple Storage Service for more information.

    AWS VPC Flow Logs

    1. Sign in to the AWS Management Console.
    2. Go to VPC dashboard > Subnets.
    3. Select the subnet for app VPC and switch to the Flow logs tab.
    4. Create a flow log or edit an existing flow log.
      • Enter a Name.
      • Under Destination, select Send to an Amazon S3 bucket you created in the previous section and provide the ARN for the S3 bucket.
      • For Log record format, choose Custom Format and select all the Standard attributes.
      • (Optional) To partition your flow logs per hour, choose Every 1 hour (60 mins) in Partition logs by time.
      • Leave the remaining settings as default, unless your use case requires specific configurations.
      • Choose Create flow log or Save.
    5. Go to the AWS Bedrock Console to enable model access and revocation logging.

    Enable Access from AWS in EKS Authentication

    Allow the EKS clusters to authenticate users based on their IAM roles. Configure the following so the AI Runtime Security instance can discover the pod assets.
    1. Sign in to the AWS Management Console.
    2. Go to Elastic Kubernetes Service.
    3. Navigate to the EKS Console.
    4. Click on your EKS cluster name and select the Configuration tab.
    5. Under Cluster authentication mode, select EKS API and ConfigMap.
    6. Choose Next.
    7. In the IAM access entries section of the Access tab, click the Create access entry button.
    8. Find the IAM role that got created as part of the onboarding process when Terraform was executed.
    9. Click the Skip to Review and create button and finish the creation process.
    10. In the Access tab, find the IAM role ARN that was added and select it.
    11. Choose Add access policy.
    12. Add the access policy AmazonEKSViewPolicy.
    13. Navigate to Networking > Manage endpoint access.
    14. Under cluster endpoint access, select Public access.
    15. Go to Advanced settings to allow the perimeter firewall and add the following IP addresses to access this cluster: 
      34.71.64.3
34.28.60.186
    16. Save changes.

    Associate a Role for VM Model Invocation

    Grant EC2 instances permissions to invoke Bedrock models. Associate a role to log actions under that role, enhancing security and simplifying permission management without using local keys.
    1. Sign in to the AWS Management Console.
    2. Go to Elastic Kubernetes Service.
    3. Navigate to IAM Roles.
    4. Create a new role or edit an existing one.
    5. Under Trust relationships Select Trusted Entity.
    6. Configure Trust Policy and enter the following Trust Policy:
      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
      This policy grants EC2 instances permission to assume the role, enabling them to use the permissions defined in the role's policy.
    7. Attach Permissions Policy: Create or attach a policy with the following permissions:
      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "bedrock:InvokeModel",
            "Resource": "*"
        }
    ]
}
      This step ensures that the EC2 instances have the necessary permissions to invoke models using the Bedrock service.
    8. Review and Create Role.
    9. Choose Next: Tags, add any tags if needed, then choose Next: Review.
    10. Review your settings and select Create role.

    Assign Role to Pods for Model Access

    Assign a role to the pods to enable access to the models, similar to the configuration for unprotected VM traffic.
    1. Sign in to the AWS Management Console.
    2. Go to Elastic Kubernetes Service.
    3. Select your EKS cluster.
    4. Go to the Configuration tab.
    5. Manage IAM roles under the Authentication section.
    6. Use the following pod configuration to assign the service account and IAM role:
      apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2024-10-03T04:14:13Z"
  generateName: app1-awsbedrock-daycero-awsdisc1-54847845d5-
  labels:
    app: app1-awsbedrock-daycero
    pod-template-hash: 54847845d5
  name: app1-awsbedrock-daycero-awsdisc1-54847845d5-4cctt
  namespace: app1-awsdisc1-day0
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: app1-awsbedrock-daycero-awsdisc1-54847845d5
    uid: b1505220-6b7f-4fb6-a7d3-c681f6e17429
  resourceVersion: "7859523"
  uid: 8988ce57-40f2-478e-8b68-6e7942889487
spec:
  automountServiceAccountToken: true
  containers:
  - env:
    - name: MY_POD_NAME
      value: metadata.name
    - name: MY_POD_NAMESPACE
      value: metadata.namespace
    - name: MY_POD_IP
      value: status.podIP
    - name: AWS_STS_REGIONAL_ENDPOINTS
      value: regional
    - name: AWS_DEFAULT_REGION
      value: us-east-1
    - name: AWS_ROLE_ARN
      value: arn:aws:iam::0xxxx7215560:role/eks1-bedrock-role-awsdisc1-384014fd
    - name: AWS_WEB_IDENTITY_TOKEN_FILE
      value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
    image: 018147215560.dkr.ecr.us-west-2.amazonaws.com/aifwdisccnt:aws_bedrock_role_based
    imagePullPolicy: IfNotPresent
    name: app1-awsbedrock-dayceroawsdisc1
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-r7rzc
      readOnly: true
    - mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
      name: aws-iam-token
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  nodeName: ip-10-1-60-171.ec2.internal
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: app1-awsdisc1-sa
  serviceAccountName: app1-awsdisc1-sa
  shareProcessNamespace: false
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: aws-iam-token
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          audience: sts.amazonaws.com
          expirationSeconds: 86400
          path: token
  - name: kube-api-access-r7rzc
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace

    © 2024 Palo Alto Networks, Inc. All rights reserved.