AI Runtime Security
AWS Cloud Account Onboarding Prerequisites
Table of Contents
AWS Cloud Account Onboarding Prerequisites
Discovery onboarding prerequisites for AWS.
On this page, you’ll:
| Where Can I Use This? | What Do I Need? |
|---|---|
|
Create an AWS S3 Bucket
- Sign in to the AWS Management Console.Navigate to the S3 service.Click on Create bucket.View the AWS region where your bucket will be created. The region must be the same region in which you have your AI models.Enter a unique Bucket name.Configure options (if needed) and choose Create bucket.Refer to Creating a bucket - Amazon Simple Storage Service for more information.
AWS VPC Flow Logs
- Sign in to the AWS Management Console.Go to VPC dashboard > Subnets.Select the subnet for app VPC and switch to the Flow logs tab.Create a flow log or edit an existing flow log.
![]()
- Enter a Name.
- Under Destination, select Send to an Amazon S3 bucket you created in the previous section and provide the ARN for the S3 bucket.
- Enter the S3 bucket ARN.
- For Log record format, choose Custom Format and select all the Standard attributes.
- (Optional) To partition your flow logs per hour, choose Every 1 hour (60 mins) in Partition logs by time.
- Leave the remaining settings as default, unless your use case requires specific configurations.
- Choose Create flow log or Save.
Go to theAWS Bedrock Console to manage model permissions and enable model access. Then, set up AWS CloudTrail for logging model access and revocation by following the steps in theAWS documentation.Enable Access from AWS in EKS Authentication
Allow the EKS clusters to authenticate users based on their IAM roles. Configure the following so the AI Runtime Security instance can discover the pod assets. - Sign in to the AWS Management Console.Go to Elastic Kubernetes Service.Navigate to the EKS Console.Click on your EKS cluster and select the Access tab within that cluster page.
- Click Manage access.Under Cluster authentication mode, select EKS API and ConfigMap.
![]()
Save changes.In the IAM access entries section of the Access tab, click the Create access entry button.Find the IAM role that got created as part of the onboarding process when Terraform was executed.Click the Skip to Review and create button and finish the creation process.In the Access tab, find the IAM principal ARN that was added and select it.- Click Add access policy.
- Under Policy name, select AmazonEKSViewPolicy.
- Click Add access policy.
Navigate back to your cluster and select the Networking tab.- Click Manage endpoint access.Under Cluster endpoint access, select Public access.Select Advanced settings to allow the perimeter firewall and add the following IP addresses to access this cluster:34.71.64.3/32 34.28.60.186/32
![]()
Save changes.Associate a Role for VM Model Invocation
Grant EC2 instances permissions to invoke Bedrock models. Associate a role to log actions under that role, enhancing security and simplifying permission management without using local keys. - Sign in to the AWS Management Console.Navigate to IAM Roles.Create a new role or edit an existing one.Under Trust relationships Select Trusted Entity.Configure Trust Policy and add the following Trust Policy:{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }This policy grants EC2 instances permission to assume the role, enabling them to use the permissions defined in the role's policy.Under the Permissions tab, click on your policy.
- Search and attach the Bedrock > InvokeModel services under Add actions. Click Next and Save changes.Or, Create or attach a policy with the following permissions:{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "bedrock:InvokeModel", "Resource": "*" } ] }This step ensures that the EC2 instances have the necessary permissions to invoke models using the Bedrock service.Review and Create Role.Choose Next: Tags, add any tags if needed, then choose Next: Review.Review your settings and select Create role.
Assign Role to Pods for Model Access
Assign a role to the pods to enable access to the models, similar to the configuration for unprotected VM traffic. - Sign in to the AWS Management Console.Go to Elastic Kubernetes Service (EKS).Select your EKS cluster.Go to Access > Pod Identity associations.Create an IAM role with the AmazonEKSClusterPolicy and attach it to the Pod Identity configuration to enable the role for your Kubernetes service account.Use the following pod configuration in a YAML file and deploy it with `kubectl apply -f <filename>.yaml` to specify the service account and IAM role for your pods.Replace the example values with your specific values:apiVersion: v1 kind: Pod metadata: creationTimestamp: "2024-10-03T04:14:13Z" generateName: app1-awsbedrock-daycero-awsdisc1-54847845d5- labels: app: app1-awsbedrock-daycero pod-template-hash: 54847845d5 name: app1-awsbedrock-daycero-awsdisc1-54847845d5-4cctt namespace: app1-awsdisc1-day0 ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: ReplicaSet name: app1-awsbedrock-daycero-awsdisc1-54847845d5 uid: b1505220-6b7f-4fb6-a7d3-c681f6e17429 resourceVersion: "7859523" uid: 8988ce57-40f2-478e-8b68-6e7942889487 spec: automountServiceAccountToken: true containers: - env: - name: MY_POD_NAME value: metadata.name - name: MY_POD_NAMESPACE value: metadata.namespace - name: MY_POD_IP value: status.podIP - name: AWS_STS_REGIONAL_ENDPOINTS value: regional - name: AWS_DEFAULT_REGION value: us-east-1 - name: AWS_ROLE_ARN value: arn:aws:iam::0xxxx7215560:role/eks1-bedrock-role-awsdisc1-384014fd - name: AWS_WEB_IDENTITY_TOKEN_FILE value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token image: 018147215560.dkr.ecr.us-west-2.amazonaws.com/aifwdisccnt:aws_bedrock_role_based imagePullPolicy: IfNotPresent name: app1-awsbedrock-dayceroawsdisc1 resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-r7rzc readOnly: true - mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount name: aws-iam-token readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true nodeName: ip-10-1-60-171.ec2.internal preemptionPolicy: PreemptLowerPriority priority: 0 restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: app1-awsdisc1-sa serviceAccountName: app1-awsdisc1-sa shareProcessNamespace: false terminationGracePeriodSeconds: 30 tolerations: - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists tolerationSeconds: 300 - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists tolerationSeconds: 300 volumes: - name: aws-iam-token projected: defaultMode: 420 sources: - serviceAccountToken: audience: sts.amazonaws.com expirationSeconds: 86400 path: token - name: kube-api-access-r7rzc projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace
