AWS Cloud Resources¶

Overview¶

Before installing the Privacera Manager software, the following AWS Cloud resources need to be created:

Prerequisite	Description
AWS EC2 instance	EC2 instance to run the Privacera Manager software. Refer here for more details. For self-managed: Required. PrivaceraCloud Data plane: Required. PrivaceraCloud Data plane + Privacera Discovery: Required.
AWS EKS cluster	EKS cluster to run the Privacera software. Refer here for more details. For self-managed: Required. PrivaceraCloud Data plane: Required. PrivaceraCloud Data plane + Privacera Discovery: Required.
AWS RDS AuroraDB	RDS AuroraDB instance for the Privacera database. Refer here for more details. For self-managed: Required. PrivaceraCloud Data plane: Not Required. PrivaceraCloud Data plane + Privacera Discovery: Required.
AWS ACM certificate	ACM certificate for the domain name used for the Privacera service endpoints. Refer here for more details. For self-managed: Required. PrivaceraCloud Data plane: Required. PrivaceraCloud Data plane + Privacera Discovery: Required.

Appendix¶

AWS EC2 instance for running Privacera Manager¶

EC2 instance

Privacera Manager runs on an EC2 instance that has access to the Kubernetes cluster and has an IAM role that allows it to create and manage cloud resources.

Tip

The Privacera Manager installation on this EC2 instance will contain self-signed certificates and terraform state which are needed for subsequent upgrades. Therefore, it is recommended that this EC2 instance is not deleted and is protected from termination. It is also strongly recommended to backup the contents of the Privacera Manager folder on regular basis.

You don't need to run this instance 24x7. You can stop the instance when it is not in use.

EC2 configuration

An AWS EC2 instance needs to be provisioned to run the Privacera Manager software. At a minimum, the instance should have the following specifications:

AWS Linux 2 AMI
Minimum 1 vCPUs
Minimum 4 GB RAM
Minimum 50 GB disk space
SELinux should be disabled

Permissions to access the EKS cluster for running kubectl commands

In addition to the following IAM policy, you will need to take additional steps to authorize your EC2 instance to access the EKS cluster.

privacera-manager-eks-policy
{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Action": [
       "eks:describeCluster"
     ],
     "Resource": "*"
   }
 ]
}

Permissions to write to the S3 bucket (optional)

You will need an S3 bucket policy if you are going to configure the Privacera Discovery module.

Replace the following placeholders

BUCKET_NAME: The name of the S3 bucket where the Privacera Manager will write the data.

PATH: The path in the S3 bucket where the Privacera Manager will write the data.

privacera-manager-s3-policy
{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Action": [
       "s3:PutObject",
       "s3:GetObject",
       "s3:ListBucket",
       "s3:DeleteObject"
     ],
     "Resource": [
       "arn:aws:s3:::BUCKET_NAME/PATH/*",
       "arn:aws:s3:::BUCKET_NAME"
     ]
   }
 ]
}

Permissions to update the Route53 DNS entries (optional)

Privacera Manager can optionally add the DNS records using Route53 for the Privacera service endpoints. Update the hosted-zone-id in the policy below. You can find the hosted zone ID in the Route53 console.

Replace the following placeholders

HOSTED_ZONE_ID: The hosted zone id of your domain present in Route53.

privacera-manager-route53-policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:GetChange"
      ],
      "Resource": [
        "arn:aws:route53:::change/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets",
        "route53:GetHostedZone"
      ],
      "Resource": [
      "arn:aws:route53:::hostedzone/HOSTED_ZONE_ID"
      ]
    }
  ]
}

Permissions to run eksctl to create IAM role for Service Account (optional)

You can use the IAM role from this link.

Following software should be installed on the EC2 instance:

docker

Bash
sudo yum update -y
sudo yum install -y docker
sudo sed -i 's/32768:65536/1024000:1024000/g' /etc/sysconfig/docker
sudo service docker start
sudo systemctl enable docker
sudo usermod -a -G docker ec2-user

# log out and log back into the EC2 instance to activate the new group
docker ps

kubectl

Follow the instructions on this link.

helm

Follow the instructions on this link.

Bash
curl -fsSL -o get_helm.sh \
  https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

AWS EKS cluster for running Privacera Software¶

AWS EKS

AWS EKS cluster with the following specifications:

Kubernetes version - For supported version check Privacera release notes
Node type - r5.2xlarge or similar
Auto-scaling node group - min 3 to max 10 nodes
EFS is recommended for multi-availability zone setup, follow these instructions
AWS load balancer for the EKS cluster follow these instructions

AWS RDS AuroraDB¶

AWS RDS AuroraDB

AWS RDS AuroraDB instance with the following specifications:

RDS AuroraDB (MySQL 5.7) 2.11.2 (MySQL 8 is also fine)
Minimum db.r6g.2xlarge = 8 cpu, 64 gb
Only password authentication is supported
Set default charset to latin1, collation latin1_swedish_ci

create privacera_db as the database by following these commands

SQL
create database privacera_db character set latin1 collate latin1_swedish_ci;

AWS ACM certificate¶

AWS ACM certificate ARN

AWS ACM certificate ARN for the key and certificate that you will use for the Privacera service endpoints.

The certificate requirements are given in TLS Certificate.
The process of importing the certificate is given in Importing AWS Certificate Manager.

Prev Prerequisites
Next AWS Setup