Deploy AI Runtime Security Instance in AWS

Where Can I Use This?	What Do I Need?
AI Runtime Security instance deployment in AWS	Onboard AWS Cloud Account in SCM

This page guides you through deploying a customizable Terraform to add AI Runtime Security instance protection for AWS cloud resources.

On this page, you will configure an AI Runtime Security instance in SCM, download the corresponding Terraform configuration, and deploy it in your cloud environment. This setup will integrate the AI Runtime Security instance into your cloud network architecture, enabling comprehensive monitoring and protection of your assets.

After onboarding, the SCM Command Center dashboard will show asset discovery with no AI Runtime Security instance protection deployed. Unprotected traffic paths to and from apps, models, and the internet are marked in red until you add firewall protection. For more details, see Discover Your Cloud Resources.

1. Log in to SCM.
2. Select Insights → AI Runtime Security.
3. Select Add Protections ("+" icon).
4. Select Cloud Service Provider as AWS and choose Next.
5. In Firewall Placement, select:

   • All traffic to protect AI and non-AI applications.
   • Non AI traffic only to protect all traffic except the traffic between your applications and the AI models.
   • Select Next.
6. In Regions & Application(s):

   • Select your cloud account to secure.
   • Select a region in which you want to protect the applications.
   • In Selected applications,
     • Select the applications to secure from the drop-down list.
     • Select all applicable zones from the dropdown menu to secure traffic for each application.
     • Provide unused CIDR for each zone.
   • Enable protection for the Undiscovered VPC(s).
   • Select Next.
7. In Protection Settings:

   • Select AI Runtime Security based on the type of traffic you decided to protect under Firewall Placement in step 5.
   • Enter the number of firewalls to deploy.
   • Select zones to deploy firewalls.
     Ensure the firewall zones cover all selected application zones you selected for each application under Selected applications. For example, in AWS region us-west-1, if App1 uses ZoneA and ZoneE, and App2 uses ZoneB and ZoneD, the firewall must include ZoneA, ZoneB, ZoneD, and ZoneE. This ensures that when Terraform creates the GWLB service, all corresponding zones are covered.
   • Choose the instance type for the security VM (See Amazon EC2 instance types for details).

   • In IP addressing scheme:
     • Enter the CIDR for security VPC. (Go to AWS Management Console > VPC, select your VPC and get the CIDR for your VPC).
     • Choose Yes or No to Create transit gateway or not:
       • If you choose No, select the existing TGW ID from the drop-down list under Select transit gateway (Go to AWS Management Console > VPC dashboard > Transit Gateways to get the TGW ID).
       • If you choose Yes, you can optionally enter the Autonomous system number (ASN) for the new Transit Gateway. (Refer to create a transit gateway for more information).
       Create the TGW attachment and map the reference route. Refer to the Create a transit gateway using Amazon VPC Transit Gateways for details.
     • Enable the Cross-Zone load balancing check box to distribute incoming traffic evenly across targets in multiple availability zones. (This will create the NAT gateway and the egress traffic will route from the security VPC IGW via the NAT gateway).
   • In Licensing:
     • Select the Software version for your image.
     • Enter the Flex authentication code.
     • Enter the Device Certificate PIN ID.
     • Enter the Device Certificate PIN value.
   • In SCM management parameters:
     • Enable Centralize egress to configure egress traffic to leave each VPC through an egress only internet gateway.
     • List CIDR ranges to be allowed access to the management interface.
     • Select the SCM Folder to group the AI Runtime Security instance Workflows: Folders - Strata Cloud Manager.
     • Enter the SSH key to be used for login (see how to Create a key pair for your Amazon EC2 instance).
   • Select Next.
8. In Review architecture:

   • • Enter a unique Terraform template name. (Use only alphanumeric characters and hyphens, avoid using a hyphen at the beginning or end, and limit the name under 19 characters).
     • Review the topology for your AI network architecture.
     • Click Create terraform template.
     • Click Download terraform template.
     • Close the deployment workflow to exit.

   Before you deploy the Terraform template, authenticate with the AWS Console. Go to the AWS Marketplace and subscribe. Subscribe for the same image that you will use for the AI Runtime Security instance and the tag collector.
9. Unzip the downloaded file. Navigate to <unzipped-folder> that has 2 directories: `architecture` and `modules`. Deploy the Terraform templates in your cloud environment following the `README.md` file in the `architecture` folder.

   cd architecture
   
   cd security_project
   terraform init
   terraform plan
   terraform apply
   
   cd ../application_project
   terraform init
   terraform plan
   terraform apply
   

   For additional security measures to protect your Kubernetes clusters, follow the steps outlined in the Configure SCM to Protect VM Workloads and Kubernetes Clusters page.
10. After the Terraform is deployed, the SCM Command Center dashboard starts discovering the cloud assets, and it takes some time to populate the asset data.

    Refer to Network Traffic Risk Analysis.
11. Select Workflows → NGFW Setup → Device Management.

    1. In Available Devices, select the AI Runtime Security instance and move it to Cloud Managed Devices to be managed by SCM.

12. Switch to the Cloud Managed Devices tab to view and manage the connected state, the configuration sync state, and the licenses of the deployed AI Runtime Security instances.

    It takes a while before the Device Status shows as connected.
13. Configure SCM to Protect VM Workloads and Kubernetes Clusters and deploy pods.