
AWS Cloud Resources

Overview

Before installing the Privacera Manager software, the following AWS Cloud resources need to be created:

| Prerequisite | Description | Self-managed | PrivaceraCloud Data plane | PrivaceraCloud Data plane + Privacera Discovery |
|---|---|---|---|---|
| AWS EC2 instance | EC2 instance to run the Privacera Manager software. Refer here for more details. | 🟢 Required | 🟢 Required | 🟢 Required |
| AWS EKS cluster | EKS cluster to run the Privacera software. Refer here for more details. | 🟢 Required | 🟢 Required | 🟢 Required |
| AWS RDS AuroraDB | RDS AuroraDB instance for the Privacera database. Refer here for more details. | 🟢 Required | 🔴 Not Required | 🟢 Required |
| AWS ACM certificate | ACM certificate for the domain name used for the Privacera service endpoints. Refer here for more details. | 🟢 Required | 🟢 Required | 🟢 Required |

Appendix

AWS EC2 instance for running Privacera Manager

EC2 instance

Privacera Manager runs on an EC2 instance that has network access to the Kubernetes API endpoint of the EKS cluster and an IAM role, attached as an instance profile, that allows it to create and manage cloud resources. Keep that role limited to the policies listed below rather than placing long-lived access keys on the instance.

Tip

The Privacera Manager installation on this EC2 instance contains self-signed certificates and terraform state that are needed for subsequent upgrades, and the terraform state can include secrets. Therefore, do not delete this EC2 instance, enable termination protection on it, and restrict who can log in to it. It is also strongly recommended to back up the contents of the Privacera Manager folder on a regular basis (for example with EBS snapshots) and to protect those backups as carefully as the instance itself.

You don't need to run this instance 24x7. You can stop the instance when it is not in use.

EC2 configuration

An AWS EC2 instance needs to be provisioned to run the Privacera Manager software. At a minimum, the instance should have the following specifications:

  • Amazon Linux 2 AMI
  • Minimum 1 vCPU
  • Minimum 4 GB RAM
  • Minimum 50 GB disk space
  • SELinux should be disabled
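A pre-flight check for the specification above, as an added example that is not part of the Privacera documentation or product. It reads the vCPU count from /proc/cpuinfo, MemTotal from /proc/meminfo, the size of the filesystem that will hold the Privacera Manager folder, and the SELinux mode from /sys/fs/selinux/enforce, and reports every shortfall at once. The install path `/opt/privacera`, the 5 % tolerance (a "4 GB" instance reports slightly less in MemTotal because of kernel reservations) and the sample /proc contents at the bottom are assumptions constructed for this example.

```python
"""Pre-flight check for the EC2 host that will run Privacera Manager.

Added example, not Privacera's code. Thresholds follow the minimum
specification on this page; INSTALL_DIR and TOLERANCE are assumptions.
"""
import os
import re
import shutil
from typing import List, Optional

MIN_VCPUS = 1
MIN_RAM_GIB = 4.0
MIN_DISK_GIB = 50.0
INSTALL_DIR = "/opt/privacera"  # assumed location of the Privacera Manager folder
TOLERANCE = 0.05  # a 4 GiB instance reports ~3.85 GiB in MemTotal


def parse_vcpus(cpuinfo: str) -> int:
    """Count logical CPUs: /proc/cpuinfo has one 'processor : N' line per vCPU."""
    return len(re.findall(r"^processor\s*:", cpuinfo, flags=re.MULTILINE))


def parse_mem_gib(meminfo: str) -> float:
    """Return MemTotal from /proc/meminfo in GiB (the file says kB but means KiB)."""
    match = re.search(r"^MemTotal:\s+(\d+)\s+kB", meminfo, flags=re.MULTILINE)
    if match is None:
        raise ValueError("MemTotal not found in /proc/meminfo")
    return int(match.group(1)) / (1024 * 1024)


def selinux_state(enforce_file: Optional[str]) -> str:
    """Map /sys/fs/selinux/enforce to disabled/permissive/enforcing.

    The file is absent when SELinux is disabled or not built into the kernel.
    """
    if enforce_file is None:
        return "disabled"
    return "enforcing" if enforce_file.strip() == "1" else "permissive"


def evaluate(vcpus: int, mem_gib: float, disk_gib: float, selinux: str) -> List[str]:
    """Return human-readable failures; an empty list means the host meets the minimum."""
    failures = []
    if vcpus < MIN_VCPUS:
        failures.append(f"{vcpus} vCPU(s) < minimum {MIN_VCPUS}")
    if mem_gib < MIN_RAM_GIB * (1 - TOLERANCE):
        failures.append(f"{mem_gib:.2f} GiB RAM < minimum {MIN_RAM_GIB:.0f} GiB")
    if disk_gib < MIN_DISK_GIB * (1 - TOLERANCE):
        failures.append(f"{disk_gib:.1f} GiB disk < minimum {MIN_DISK_GIB:.0f} GiB")
    if selinux != "disabled":
        failures.append(f"SELinux is {selinux}; it must be disabled")
    return failures


def check_host(install_dir: str = INSTALL_DIR) -> List[str]:
    """Read the live system (Linux only) and evaluate it."""
    with open("/proc/cpuinfo") as f:
        vcpus = parse_vcpus(f.read())
    with open("/proc/meminfo") as f:
        mem_gib = parse_mem_gib(f.read())
    # Size of the volume that will hold the install; fall back to / before the folder exists.
    probe = install_dir if os.path.exists(install_dir) else "/"
    disk_gib = shutil.disk_usage(probe).total / (1024 ** 3)
    try:
        with open("/sys/fs/selinux/enforce") as f:
            selinux = selinux_state(f.read())
    except FileNotFoundError:
        selinux = selinux_state(None)
    return evaluate(vcpus, mem_gib, disk_gib, selinux)


# Constructed sample inputs (not captured from a real host) for an offline run.
SAMPLE_CPUINFO = "processor\t: 0\nmodel name\t: example\n\nprocessor\t: 1\nmodel name\t: example\n"
SAMPLE_MEMINFO = "MemTotal:        4030544 kB\nMemFree:         1234567 kB\n"


def demo() -> List[str]:
    """Evaluate the constructed sample as a 60 GiB, SELinux-disabled host."""
    return evaluate(parse_vcpus(SAMPLE_CPUINFO), parse_mem_gib(SAMPLE_MEMINFO),
                    60.0, selinux_state(None))


if __name__ == "__main__":
    problems = check_host()
    for problem in problems:
        print("FAIL:", problem)
    raise SystemExit(1 if problems else 0)
```

Run it on the freshly provisioned instance before installing anything; a non-zero exit code lists every unmet requirement rather than stopping at the first one.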
Permissions to access the EKS cluster for running kubectl commands

The IAM policy below only lets the instance call the EKS control-plane API: eks:DescribeCluster is what `aws eks update-kubeconfig` uses to fetch the cluster endpoint and CA certificate. Kubernetes authorizes requests by IAM identity, so you must also grant the instance's role access inside the cluster, either with an EKS access entry or by mapping the role in the aws-auth ConfigMap in the kube-system namespace; until that is done, kubectl can authenticate but every request is rejected as Unauthorized. The Resource is "*" as published; it can be narrowed to the cluster ARN (arn:aws:eks:REGION:ACCOUNT_ID:cluster/CLUSTER_NAME).

privacera-manager-eks-policy
{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Action": [
       "eks:describeCluster"
     ],
     "Resource": "*"
   }
 ]
}
Permissions to write to the S3 bucket (optional)

If you configure the Privacera Discovery module, the instance role also needs the following IAM policy for the S3 bucket that Discovery writes to. Note that s3:ListBucket only takes effect against the bucket ARN and the object actions only against the object path, so listing both ARNs for every action is equivalent to ListBucket on the whole bucket plus object access under PATH; if the bucket holds other data, restrict listing with the s3:prefix condition key.

Replace the following placeholders

BUCKET_NAME: The name of the S3 bucket where the Privacera Manager will write the data.

PATH: The path in the S3 bucket where the Privacera Manager will write the data.

privacera-manager-s3-policy
{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Action": [
       "s3:PutObject",
       "s3:GetObject",
       "s3:ListBucket",
       "s3:DeleteObject"
     ],
     "Resource": [
       "arn:aws:s3:::BUCKET_NAME/PATH/*",
       "arn:aws:s3:::BUCKET_NAME"
     ]
   }
 ]
}
Permissions to update the Route53 DNS entries (optional)

Privacera Manager can optionally create the DNS records for the Privacera service endpoints in Route53. The policy is scoped to a single hosted zone; replace HOSTED_ZONE_ID below with the ID of your zone, which you can find in the Route53 console.

Replace the following placeholders

HOSTED_ZONE_ID: The hosted zone ID of your domain in Route53.

privacera-manager-route53-policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:GetChange"
      ],
      "Resource": [
        "arn:aws:route53:::change/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets",
        "route53:GetHostedZone"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/HOSTED_ZONE_ID"
      ]
    }
  ]
}
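The three policies above all contain placeholders, and two of them are broader than they need to be. The following script is an added example, not Privacera's code: it renders the EKS, S3 and Route53 policies from a settings dict, refuses to emit any policy that still contains a placeholder, and tightens two grants: eks:DescribeCluster is scoped to one cluster ARN instead of "*", and the S3 grant is split so that s3:ListBucket applies to the bucket (limited to the PATH prefix through the s3:prefix condition key) while the object actions apply only to keys under PATH. REGION, ACCOUNT_ID and CLUSTER_NAME are placeholders introduced here, and the sample settings at the bottom are constructed values, not real resources.

```python
"""Render and sanity-check the Privacera Manager IAM policies.

Added example, not Privacera's code. Placeholders beyond the page's own
(REGION, ACCOUNT_ID, CLUSTER_NAME) are assumptions for illustration.
"""
import json
import re
from typing import Dict, List, Union

# Uppercase tokens that must not survive into a rendered policy.
PLACEHOLDER = re.compile(r"\b(BUCKET_NAME|PATH|HOSTED_ZONE_ID|CLUSTER_NAME|REGION|ACCOUNT_ID)\b")


def eks_policy(region: str, account_id: str, cluster_name: str) -> dict:
    """DescribeCluster on one cluster only, instead of Resource '*'."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["eks:DescribeCluster"],
        "Resource": f"arn:aws:eks:{region}:{account_id}:cluster/{cluster_name}",
    }]}


def s3_policy(bucket: str, path: str) -> dict:
    prefix = path.strip("/")
    return {"Version": "2012-10-17", "Statement": [
        {   # ListBucket is bucket-level: it only takes effect on the bucket ARN.
            # The s3:prefix condition denies listing the root or any other prefix.
            "Sid": "ListOnlyUnderPath",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": f"arn:aws:s3:::{bucket}",
            "Condition": {"StringLike": {"s3:prefix": [prefix, f"{prefix}/*"]}},
        },
        {   # Object actions are object-level: they only take effect on key ARNs.
            "Sid": "ObjectsUnderPath",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
        },
    ]}


def route53_policy(hosted_zone_id: str) -> dict:
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["route53:GetChange"],
         "Resource": "arn:aws:route53:::change/*"},
        {"Effect": "Allow",
         "Action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets",
                    "route53:GetHostedZone"],
         "Resource": f"arn:aws:route53:::hostedzone/{hosted_zone_id}"},
    ]}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def validate(policy: dict) -> List[str]:
    """Return problems: leftover placeholders, '*' resources, ListBucket on an object path."""
    problems = []
    for token in sorted(set(PLACEHOLDER.findall(json.dumps(policy)))):
        problems.append(f"placeholder {token} not replaced")
    for statement in policy["Statement"]:
        actions = _as_list(statement["Action"])
        for resource in _as_list(statement["Resource"]):
            if resource == "*":
                problems.append(f"Resource '*' for {actions}")
            s3_arn = "arn:aws:s3:::"
            if ("s3:ListBucket" in actions and resource.startswith(s3_arn)
                    and "/" in resource[len(s3_arn):]):
                problems.append("s3:ListBucket must target the bucket ARN, not an object path")
    return problems


def build_all(settings: Dict[str, str]) -> Dict[str, dict]:
    """Return {policy name: policy dict}; raise ValueError if any policy fails validation."""
    policies = {
        "privacera-manager-eks-policy": eks_policy(
            settings["REGION"], settings["ACCOUNT_ID"], settings["CLUSTER_NAME"]),
        "privacera-manager-s3-policy": s3_policy(settings["BUCKET_NAME"], settings["PATH"]),
        "privacera-manager-route53-policy": route53_policy(settings["HOSTED_ZONE_ID"]),
    }
    for name, policy in policies.items():
        problems = validate(policy)
        if problems:
            raise ValueError(f"{name}: " + "; ".join(problems))
    return policies


def render_all(settings: Dict[str, str]) -> Dict[str, str]:
    """JSON text per policy, ready for `aws iam create-policy --policy-document`."""
    return {name: json.dumps(policy, indent=2) for name, policy in build_all(settings).items()}


# Constructed sample settings; the account id is AWS's documentation example id.
SAMPLE_SETTINGS = {
    "REGION": "us-east-1",
    "ACCOUNT_ID": "123456789012",
    "CLUSTER_NAME": "privacera-eks",
    "BUCKET_NAME": "example-privacera-bucket",
    "PATH": "privacera/discovery",
    "HOSTED_ZONE_ID": "Z0123456789EXAMPLE",
}

if __name__ == "__main__":
    for name, body in render_all(SAMPLE_SETTINGS).items():
        print(f"# {name}\n{body}\n")
```

The placeholder check is deliberately strict: a settings value that is itself one of the uppercase tokens (the usual copy-and-paste mistake) fails the whole render rather than producing a policy that silently grants nothing or, for the S3 case, grants access to a bucket literally named BUCKET_NAME.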
Permissions to run eksctl to create IAM role for Service Account (optional)

If Privacera Manager will use eksctl to create IAM roles for Kubernetes service accounts (IRSA), you can use the IAM role from this link.

The following software should be installed on the EC2 instance:

docker
Bash
sudo yum update -y
sudo yum install -y docker
# raise the Docker daemon's default open-file limit (Amazon Linux 2 ships nofile=32768:65536 in OPTIONS)
sudo sed -i 's/32768:65536/1024000:1024000/g' /etc/sysconfig/docker
sudo service docker start
sudo systemctl enable docker
# let ec2-user run docker without sudo; note that membership of the docker group is root-equivalent on the host
sudo usermod -a -G docker ec2-user

# log out and log back into the EC2 instance to activate the new group
docker ps
kubectl

Follow the instructions on this link.

helm

Follow the instructions on this link. The script below fetches the latest Helm 3 release and verifies its SHA-256 checksum before installing it; because it is pulled from the master branch of the helm repository rather than a tagged release, review it before running it, and pass --version to pin the release you have tested with (for example ./get_helm.sh --version v3.12.0).

Bash
curl -fsSL -o get_helm.sh \
  https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

AWS EKS cluster for running Privacera Software

AWS EKS

AWS EKS cluster with the following specifications:

AWS RDS AuroraDB

AWS RDS AuroraDB

AWS RDS AuroraDB instance with the following specifications:

  • RDS AuroraDB (MySQL 5.7 compatible) 2.11.2 (MySQL 8 compatible is also fine)
  • Minimum db.r6g.2xlarge (8 vCPUs, 64 GB RAM)
  • Password authentication for the Privacera database user (for the IAM-based alternative, see IAM Authentication for AWS RDS below)
  • Set the default charset to latin1 and the collation to latin1_swedish_ci
  • Create privacera_db as the database with the following command, and give Privacera a dedicated database user scoped to privacera_db rather than the cluster master user
    SQL
    create database privacera_db character set latin1 collate latin1_swedish_ci;

IAM Authentication for AWS RDS

For using IAM roles to connect to AWS RDS refer to IAM Authentication for AWS RDS.

AWS ACM certificate

AWS ACM certificate ARN

AWS ACM certificate ARN for the key and certificate that you will use for the Privacera service endpoints. The certificate must cover the hostnames of those endpoints (a wildcard for the domain is acceptable) and must be issued in the same AWS region as the load balancers that terminate TLS for them, since an ACM certificate can only be attached to a load balancer in its own region.
