AWS Cloud Account Onboarding Prerequisites

Discovery onboarding prerequisites for AWS.
This section outlines the prerequisites for onboarding an AWS cloud account in Strata Cloud Manager.
Where Can I Use This?
  • AI Runtime Security in AWS
What Do I Need?

Create an AWS S3 Bucket

  1. Sign in to the AWS Management Console.
  2. Navigate to the S3 service.
  3. Choose Create bucket.
  4. Check the AWS Region in which the bucket will be created. It must be the same Region in which you run your AI models.
  5. Enter a unique Bucket name.
  6. Configure options if needed (leave Block Public Access enabled, since this bucket will hold network and model invocation logs) and choose Create bucket.

AWS VPC Flow Logs

  1. Sign in to the AWS Management Console.
  2. Go to VPC dashboard > Subnets.
  3. Select the subnet of the application VPC and switch to the Flow logs tab.
  4. Create a flow log or edit an existing one.
    1. Enter a Name.
    2. Under Destination, select Send to an Amazon S3 bucket and enter the ARN of the bucket you created in the previous section (arn:aws:s3:::<bucket-name>).
    3. For Log record format, choose Custom format and select all the Standard attributes.
    4. (Optional) To partition the flow logs per hour, choose Every 1 hour (60 mins) under Partition logs by time.
    5. Leave the remaining settings at their defaults unless your use case requires specific configurations.
    6. Choose Create flow log or Save.
  5. Go to the Amazon Bedrock console to manage model permissions and enable model invocation logging.
    1. In the left navigation pane, select Settings under Bedrock configurations.
    2. Toggle Model invocation logging to enable it.
    3. Choose S3 only as the logging destination.
    4. In the S3 location field, select the bucket you created earlier for storing logs.
    5. Choose Save settings to apply your changes.
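The bucket, subnet flow log and Bedrock invocation logging steps above, done through the AWS API with boto3 instead of the console. This is an added example, not code from Palo Alto Networks or AWS; the bucket name, subnet ID, account ID and Region are placeholders, and the bucket-policy statements (which the console normally generates for you when you own the bucket) are an assumption about the service principals AWS uses for log delivery.

```python
"""Log bucket + subnet flow log + Bedrock invocation logging via boto3.
Added example; placeholders must be replaced before use."""
import json

# Fields the console offers under "Standard attributes":
# the v2 default fields followed by the v3-v5 additions.
STANDARD_FIELDS = [
    "version", "account-id", "interface-id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
    "action", "log-status", "vpc-id", "subnet-id", "instance-id",
    "tcp-flags", "type", "pkt-srcaddr", "pkt-dstaddr", "region", "az-id",
    "sublocation-type", "sublocation-id", "pkt-src-aws-service",
    "pkt-dst-aws-service", "flow-direction", "traffic-path",
]


def flow_log_format(fields=STANDARD_FIELDS):
    """Custom log record format in the ${field} syntax the API expects."""
    return " ".join("${%s}" % f for f in fields)


def bucket_arn(bucket):
    return "arn:aws:s3:::" + bucket


def _stmt(sid, service, action, resource, source_arn, account_id, extra=None):
    """Allow one AWS service principal, from this account only, to act on the bucket."""
    equals = {"aws:SourceAccount": account_id}
    equals.update(extra or {})
    return {"Sid": sid, "Effect": "Allow", "Principal": {"Service": service},
            "Action": action, "Resource": resource,
            "Condition": {"StringEquals": equals, "ArnLike": {"aws:SourceArn": source_arn}}}


def log_bucket_policy(bucket, account_id, region, prefix="bedrock"):
    """Bucket policy for VPC flow-log delivery and Bedrock invocation logs
    (assumption: these are the delivery principals and key layouts AWS uses)."""
    logs_arn = f"arn:aws:logs:{region}:{account_id}:*"
    bedrock_arn = f"arn:aws:bedrock:{region}:{account_id}:*"
    return {"Version": "2012-10-17", "Statement": [
        _stmt("FlowLogAclCheck", "delivery.logs.amazonaws.com", "s3:GetBucketAcl",
              bucket_arn(bucket), logs_arn, account_id),
        _stmt("FlowLogWrite", "delivery.logs.amazonaws.com", "s3:PutObject",
              f"{bucket_arn(bucket)}/AWSLogs/{account_id}/*", logs_arn, account_id,
              {"s3:x-amz-acl": "bucket-owner-full-control"}),
        _stmt("BedrockInvocationLogWrite", "bedrock.amazonaws.com", "s3:PutObject",
              f"{bucket_arn(bucket)}/{prefix}/AWSLogs/{account_id}/BedrockModelInvocationLogs/*",
              bedrock_arn, account_id),
    ]}


def flow_log_request(subnet_id, bucket, per_hour=True):
    """Arguments for ec2.create_flow_logs matching the console choices above."""
    return {
        "ResourceType": "Subnet", "ResourceIds": [subnet_id], "TrafficType": "ALL",
        "LogDestinationType": "s3", "LogDestination": bucket_arn(bucket),
        "LogFormat": flow_log_format(),
        "DestinationOptions": {"FileFormat": "plain-text",
                               "HiveCompatiblePartitions": False,
                               "PerHourPartition": per_hour},
    }


def invocation_logging_config(bucket, prefix="bedrock"):
    """loggingConfig for bedrock.put_model_invocation_logging_configuration ("S3 only")."""
    return {"s3Config": {"bucketName": bucket, "keyPrefix": prefix},
            "textDataDeliveryEnabled": True, "imageDataDeliveryEnabled": True,
            "embeddingDataDeliveryEnabled": True}


def apply(bucket, subnet_id, account_id, region):
    import boto3  # only needed when actually applying the configuration
    s3 = boto3.client("s3", region_name=region)
    # us-east-1 is the one Region where LocationConstraint must be omitted.
    extra = {} if region == "us-east-1" else {"CreateBucketConfiguration": {"LocationConstraint": region}}
    s3.create_bucket(Bucket=bucket, **extra)
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration={
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True})
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(log_bucket_policy(bucket, account_id, region)))
    boto3.client("ec2", region_name=region).create_flow_logs(**flow_log_request(subnet_id, bucket))
    boto3.client("bedrock", region_name=region).put_model_invocation_logging_configuration(
        loggingConfig=invocation_logging_config(bucket))


if __name__ == "__main__":
    # Placeholder values (constructed), not real resources.
    apply("example-airs-logs", "subnet-0123456789abcdef0", "123456789012", "us-west-2")
```

The bucket policy is restricted with aws:SourceAccount and aws:SourceArn so that log delivery from another account cannot write into the bucket; Block Public Access is applied before the policy so a mistake in the policy cannot expose the logs.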

Enable Access from AWS in EKS Authentication

Allow the EKS cluster to authenticate principals based on their IAM roles. Configure the following so that the AI Runtime Security: Network intercept (firewall instance) can discover the pod assets.
Before you begin, make sure you have created an Amazon EKS cluster in your cloud environment.
  1. Sign in to the AWS Management Console.
  2. Go to Elastic Kubernetes Service (EKS).
  3. Select your EKS cluster and open the Access tab on the cluster page.
    1. Click Manage access.
    2. Under Cluster authentication mode, select EKS API and ConfigMap. (This change is one-way: a cluster cannot be moved back to ConfigMap-only authentication.)
    3. Save changes.
    4. (Optional) If the cluster has public access, add the AmazonEKSAdminViewPolicy access policy to the IAM principal (role) used for discovery:
      • In the Access tab, click the IAM principal ARN under IAM access entries.
      • Click Add access policy.
      • Select AmazonEKSAdminViewPolicy from the dropdown list.
      • Select Add access policy.
      AmazonEKSAdminViewPolicy grants read access to all Kubernetes resources in the cluster, including Secrets. If discovery only needs particular namespaces, restrict the access scope to those namespaces when you add the policy.
    5. (Optional) If the cluster has public access:
      • Navigate back to your cluster and go to Networking > Manage endpoint access.
      • Under Cluster endpoint access, select Public.
      • Expand Advanced settings and add the following IP addresses so the perimeter firewall can reach this cluster:
        34.71.64.3/32
        34.28.60.186/32
      Only the listed CIDRs can then reach the API server endpoint; do not leave the default 0.0.0.0/0 in place.
  4. Save changes.
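The same EKS access configuration applied with boto3, as an added example that is not Palo Alto Networks or AWS code. It assumes the cluster name and principal ARN are placeholders and that an access entry for the principal already exists (as the console steps imply); the two source addresses are the ones listed above. The CIDR list is validated before it is sent so that a typo cannot widen the public endpoint.

```python
"""EKS authentication mode, access policy and public endpoint allowlist via boto3.
Added example; cluster name and principal ARN are placeholders."""
import ipaddress
import time

ADMIN_VIEW = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminViewPolicy"
# Source addresses of the perimeter firewall, as listed on the page.
DISCOVERY_CIDRS = ["34.71.64.3/32", "34.28.60.186/32"]


def validated_cidrs(cidrs):
    """Fail closed: a malformed CIDR, or one with host bits set (10.0.0.5/24),
    raises ValueError instead of being sent to the API."""
    return [str(ipaddress.ip_network(c, strict=True)) for c in cidrs]


def plan(cluster, principal_arn, public=False, cidrs=DISCOVERY_CIDRS, namespaces=None):
    """Ordered (eks client method, kwargs) calls equivalent to the console steps."""
    # Cluster-wide scope mirrors the console default; pass namespaces to narrow it.
    scope = {"type": "namespace", "namespaces": namespaces} if namespaces else {"type": "cluster"}
    steps = [("update_cluster_config", {
        "name": cluster, "accessConfig": {"authenticationMode": "API_AND_CONFIG_MAP"}})]
    if public:
        steps.append(("associate_access_policy", {
            "clusterName": cluster, "principalArn": principal_arn,
            "policyArn": ADMIN_VIEW, "accessScope": scope}))
        steps.append(("update_cluster_config", {"name": cluster, "resourcesVpcConfig": {
            "endpointPublicAccess": True, "publicAccessCidrs": validated_cidrs(cidrs)}}))
    return steps


def apply(cluster, principal_arn, public=False, namespaces=None):
    import boto3  # only needed when actually applying the configuration
    eks = boto3.client("eks")
    mode = eks.describe_cluster(name=cluster)["cluster"]["accessConfig"]["authenticationMode"]
    for method, kwargs in plan(cluster, principal_arn, public, namespaces=namespaces):
        # Switching to API_AND_CONFIG_MAP is one-way and fails if already done.
        if "accessConfig" in kwargs and mode != "CONFIG_MAP":
            continue
        resp = getattr(eks, method)(**kwargs)
        # A cluster accepts one configuration update at a time; wait for each.
        if method == "update_cluster_config":
            update_id = resp["update"]["id"]
            while eks.describe_update(name=cluster, updateId=update_id)["update"]["status"] == "InProgress":
                time.sleep(15)


if __name__ == "__main__":
    # Placeholder values (constructed), not real resources.
    apply("airs-app-cluster", "arn:aws:iam::123456789012:role/airs-discovery", public=True)
```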

Associate a Role for VM Model Invocation

Grant EC2 instances permission to invoke Bedrock models by associating an IAM role with them (through an instance profile). Actions are then logged under that role, which improves security and simplifies permission management because no long-lived access keys have to be stored on the instance.
  1. Sign in to the AWS Management Console.
  2. Navigate to IAM > Roles.
  3. Create a new role or edit an existing one.
  4. Under Trust relationships, select the trusted entity.
  5. Configure the trust policy by adding the following:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "Service": "ec2.amazonaws.com" },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    This policy lets the EC2 service assume the role on behalf of the instance, so the instance can use the permissions defined in the role's permissions policy.
  6. Under the Permissions tab, attach the permissions policy.
    1. Under Add actions, search for and select Bedrock > InvokeModel.
    2. Click Next and Save changes.
    3. Alternatively, create or attach a policy with the following permissions:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "bedrock:InvokeModel",
            "Resource": "*"
          }
        ]
      }
      This grants the EC2 instances the permissions they need to invoke models through the Bedrock service. "Resource": "*" allows invoking any model; for least privilege, replace it with the ARNs of the specific models the instance must call.
  7. Choose Next: Tags, add tags if needed, then choose Next: Review.
  8. Review your settings and select Create role.
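The role creation above done with boto3, including the instance profile that the console creates silently but the API requires, and a small check that flags the wildcard Resource before the policy is attached. This is an added example, not Palo Alto Networks or AWS code; the role name, instance ID, Region and model ID are placeholders.

```python
"""EC2 role for Bedrock model invocation via boto3.
Added example; role name, instance ID, Region and model ID are placeholders."""
import json
import time

# Trust policy from the page: only the EC2 service can assume the role.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}


def foundation_model_arn(region, model_id):
    """ARN of an Amazon-provided foundation model (these carry no account ID)."""
    return f"arn:aws:bedrock:{region}::foundation-model/{model_id}"


def invoke_policy(model_arns=("*",)):
    """The page's permissions policy; pass specific model ARNs instead of the
    default "*" to limit which models the instance may invoke."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "InvokeModel", "Effect": "Allow",
                           "Action": "bedrock:InvokeModel", "Resource": list(model_arns)}]}


def wildcard_resources(policy):
    """Sids of Allow statements whose Resource is "*": review these before attaching."""
    hits = []
    for s in policy["Statement"]:
        res = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
        if s["Effect"] == "Allow" and "*" in res:
            hits.append(s.get("Sid", "<no Sid>"))
    return hits


def apply(role_name, instance_id, model_arns, region):
    import boto3  # only needed when actually creating the role
    iam = boto3.client("iam")
    iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(EC2_TRUST_POLICY),
                    Description="Invoke Bedrock models from EC2 without local keys")
    iam.put_role_policy(RoleName=role_name, PolicyName="BedrockInvokeModel",
                        PolicyDocument=json.dumps(invoke_policy(model_arns)))
    # EC2 picks the role up through an instance profile; the console makes one
    # for you, the API does not.
    iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    time.sleep(10)  # IAM is eventually consistent; a brand-new profile may not be visible yet
    boto3.client("ec2", region_name=region).associate_iam_instance_profile(
        IamInstanceProfile={"Name": role_name}, InstanceId=instance_id)


if __name__ == "__main__":
    # Placeholder values (constructed), not real resources.
    models = [foundation_model_arn("us-west-2", "anthropic.claude-3-haiku-20240307-v1:0")]
    if wildcard_resources(invoke_policy(models)):
        raise SystemExit("refusing to attach a policy that allows any model")
    apply("airs-bedrock-invoke", "i-0123456789abcdef0", models, "us-west-2")
```

Scoping Resource to model ARNs means a compromised instance can only call the models the workload actually uses; the page's "Resource": "*" form is kept as the default so the check has something to flag.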

Assign Role to Pods for Model Access

Assign a role to the pods to enable access to the models, in the same way as for unprotected VM traffic. A role used through EKS Pod Identity must trust the pods.eks.amazonaws.com service principal (sts:AssumeRole and sts:TagSession), not the ec2.amazonaws.com trust policy from the previous section.
  1. Sign in to the AWS Management Console.
  2. Go to Elastic Kubernetes Service (EKS).
  3. Select your EKS cluster.
  4. Go to Access > Pod Identity associations.