Event Driven Access Management for Lake Formation Pull Mode¶

This document outlines the configuration of event-driven access management for the Lake Formation pull mode connector.

Event driven flow¶

sequenceDiagram
    participant AWS Cloudtrail 
    participant AWS EventBridge 
    participant AWS Lambda
    participant PrivaceraOpsServer
    participant PrivaceraConnector
    participant AWS LakeFormation
    participant PrivaceraPlatform


    AWS Cloudtrail ->> AWS EventBridge: Forward event 
    AWS EventBridge ->> AWS Lambda: Filter event by as per rules
    AWS Lambda ->> PrivaceraOpsServer: Forward event after pre-processed
    PrivaceraConnector ->> PrivaceraOpsServer: Pull event details 
    PrivaceraConnector ->> AWS LakeFormation: Fetch latest details (Tag/Polices/Resources) as per event 
    PrivaceraConnector ->> PrivaceraPlatform: Post changes of Polices/Tag/Resources

Prerequisites¶

Ensure that the following prerequisites are met before proceeding:

The Privacera Ops Server is up and running.
The On-Demand Sync feature is enabled for lakeformation pull mode.
You have the necessary AWS permissions to deploy a Lambda function for receiving events from AWS EventBridge.

Configuration¶

Enable Event Bridge Client in Ops Bridge¶

Edit the Ops Bridge configuration file:

Bash
1	`vi ~/privacera/privacera-manager/config/custom-vars/vars.ops-bridge.yml`

At the bottom of the configuration file, add the following properties. These properties are required for AWS Lambda to connect to your environment where the connector is deployed:

YAML
OPS_CONNECTOR_EVENT_BRIDGE_ENABLED: "PLEASE_CHANGE"
OPS_CONNECTOR_EVENT_BRIDGE_SUBNET_IDS: "PLEASE_CHANGE"
OPS_CONNECTOR_EVENT_BRIDGE_SECURITY_GROUP_ID: "PLEASE_CHANGE"

Example:

YAML
OPS_CONNECTOR_EVENT_BRIDGE_ENABLED: "true"
OPS_CONNECTOR_EVENT_BRIDGE_SUBNET_IDS: "subnet-0a12b34c, subnet-1d23e45f"
OPS_CONNECTOR_EVENT_BRIDGE_SECURITY_GROUP_ID: "sg-0123abcd"

Notes

Replace these sample values with the actual IDs from your AWS environment.
If you have trouble locating values in AWS, contact Privacera Support."

Apply the Configuration¶

After making all changes, start the connector by performing following steps:

Step 1 - Setup which generates the helm charts. This step usually takes few minutes.

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh setup

Step 2 - Apply the Privacera Manager helm charts.

Bash
cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade

Step 3 - Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on.

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

Create AWS Lambda¶

Use the CloudFormation template generated by Privacera Mananger to create an AWS Lambda function. The template is located at: ~/privacera/privacera-manager/output/ops-bridge/.

To prevent overwrites in future Privacera Manager runs, copy the CloudFormation templates into a separate directory:

Bash
mkdir -p ~/privacera/event-bridge-connector

# Copy ops-connector-event-bridge.yml 
cp ~/privacera/privacera-manager/output/ops-bridge/ops-connector-event-bridge.yml ~/privacera/event-bridge-connector

# Copy ops-eventbridge-cloudformation-env.json
cp ~/privacera/privacera-manager/output/ops-bridge/ops-eventbridge-cloudformation-env.json ~/privacera/event-bridge-connector

Before deployment, update the resource prefix in ops-eventbridge-cloudformation-env.json:

Bash
1	`vi ~/privacera/privacera-manager/output/ops-bridge/ops-eventbridge-cloudformation-env.json`

Modify the file to set the required prefix:

Bash
{
   "ParameterKey": "ResourcePrefix",
   "ParameterValue": "privacera",
   "UsePreviousValue": false
}

You can change ParameterValue to any custom string.

By default, leave the Lambda execution role parameter empty:

Bash
{
  "ParameterKey": "OpsLambdaExecutionRole",
  "ParameterValue": "",
  "UsePreviousValue": false
}

Use the AWS CloudFormation CLI to deploy the Lambda function:

Bash
aws cloudformation create-stack \
  --stack-name privacera-event-bridge-lambda-creation \
  --template-body file://~/privacera/event-bridge-connector/ops-connector-event-bridge.yml \
  --parameters file://~/privacera/event-bridge-connector/ops-eventbridge-cloudformation-env.json \
  --capabilities CAPABILITY_NAMED_IAM --tags Key=Application,Value="Ops Connector Event Bridge"

You can specify any name for the --stack-name parameter.

After deployment, verify the Lambda function by checking the Environment Variables in the AWS Console:
1. Navigate to the AWS Console.
2. Go to AWS Lambda > Functions.
3. Select the newly created Lambda function.
4. Under the Configuration tab, go to Environment Variables.
5. Ensure the following environment variables are present:
  - AWS_SECRET_REGION
  - IS_SELF_SIGNED
  - JWT_TOKEN
  - LOG_LEVEL
  - LOG_ONLY_MODE
  - OPS_BRIDGE_CONFIG_JSON
  - OPS_SERVER_URL

Validation¶

Log in to Privacera Portal.
Navigate to Access Management -> Resource Policies.
Select the Privacera_LakeFormation repository.
Ensure the refresh icon is visible.
Click the refresh icon.
Confirm that the event from AWS Lambda is reflected here.

Troubleshooting¶

To communicate with connectors, AWS Lambda requires the Subnet ID and Security Group ID. Follow the steps below to retrieve these values from the AWS Console.

Get the Subnet ID from the AWS console¶

Navigate to the AWS console.
Go to the EC2 dashboard.
In the left pane, click on Instances under the Instances section.
From the k9s, copy the private IP address of the ops-server.
Apply the Private IP address filter in the Instances list to find the specific instance.
Click on the Instance ID to view the instance details.
Under the Networking tab, find and copy the Subnet ID.

Get the Security Group ID from the AWS console¶

Navigate to the AWS console.
Go to the EC2 dashboard.
In the left pane, click on Security Groups under the Network & Security section.
Identify the appropriate Security Group ID associated with your instance.
Copy the Security Group ID for reference.

Prev topic: Advanced Configuration