Activation & Onboarding
  • Activation & Onboarding
  • AI Runtime Security Documentation
  • All Documentation
>
AWS Cloud Account Onboarding Prerequisites
Focus
Download PDF
Focus
  1. Home
  2. AI Runtime Security
  3. Activation & Onboarding
  4. Onboard and Activate a Cloud Account in Strata Cloud Manager
  5. Onboard Cloud Account in AWS
  6. AWS Cloud Account Onboarding Prerequisites
Download PDF
AI Runtime Security

AWS Cloud Account Onboarding Prerequisites

Table of Contents
Prerequisites for onboarding a cloud account in AWS.
This section outlines the prerequisites for onboarding an AWS cloud account in Strata Cloud Manager.
On this page, you will:
  • Create an AWS S3 Bucket
  • AWS VPC Flow Logs
  • Enable Access from AWS in EKS Authentication
  • Associate a Role for VM Model Invocation
  • Assign Role to Pods for Model Access
Where Can I Use This?What Do I Need?
  • AI Runtime Security in AWS

Create an AWS S3 Bucket

  1. Sign in to the AWS Management Console.
  2. Navigate to the S3 service.
  3. Click on Create bucket.
  4. View the AWS region where your bucket will be created. The region must be the same region in which you have your AI models.
  5. Enter a unique Bucket name.
  6. Configure options (if needed) and choose Create bucket.
    Refer to Creating a bucket - Amazon Simple Storage Service for more information.

AWS VPC Flow Logs

  1. Sign in to the AWS Management Console.
  2. Go to VPC dashboard > Subnets.
  3. Select the subnet for application VPC and switch to the Flow logs tab.
  4. Create a flow log or edit an existing flow log.
    1. Enter a Name.
    2. Under Destination, select Send to an Amazon S3 bucket you created in the previous section and provide the ARN for the S3 bucket.
    3. Enter the S3 bucket ARN.
    4. For Log record format, choose Custom Format and select all the Standard attributes.
    5. (Optional) To partition your flow logs per hour, choose Every 1 hour (60 mins) in Partition logs by time.
    6. Leave the remaining settings as default, unless your use case requires specific configurations.
    7. Choose Create flow log or Save.
  5. Go to the AWS Bedrock Console to manage model permissions and enable model access.
    1. In the left navigation pane, select Settings under the Bedrock Configurations section.
    2. Toggle Model invocation logging to enable logging.
    3. Choose S3 only as the logging destination.
    4. In the S3 location field, select the S3 bucket name you created earlier for storing logs.
    5. Click Save settings to apply your changes.

Enable Access from AWS in EKS Authentication

Allow the EKS clusters to authenticate users based on their IAM roles. Configure the following so the AI Runtime Security: Network intercept can discover the pod assets.
Before you begin, make sure to create an Amazon EKS cluster in your cloud environment.
  1. Sign in to the AWS Management Console.
  2. Go to Elastic Kubernetes Service.
  3. Navigate to the EKS Console.
  4. Click on your EKS cluster and select the Access tab within that cluster page.
    1. Click Manage access.
    2. Under Cluster authentication mode, select EKS API and ConfigMap.
    3. Save changes.
    4. Add the following IP addresses to allow the Strata Cloud Manager to access your public cluster for discovery (This step is applicable when you have enabled Public access to your cluster endpoint):
      • Navigate back to your cluster and go to Networking > Manage endpoint access.
      • Under cluster endpoint access select Public.
      • Expand Advanced settings to allow the perimeter firewall and add the following IP addresses to access this cluster:
        34.71.64.3/32
34.28.60.186/32
        Code copied to clipboard
         
        Unable to copy due to lack of browser support.
  5. Save Changes.

Associate a Role for VM Model Invocation

Grant EC2 instances permissions to invoke Bedrock models. Associate a role to log actions under that role, enhancing security and simplifying permission management without using local keys.
  1. Sign in to the AWS Management Console.
  2. Navigate to IAM Roles.
  3. Create a new role or edit an existing one.
  4. Under Trust relationships Select Trusted Entity.
  5. Configure Trust Policy and add the following Trust Policy:
    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        } 
    ]    
}
    Code copied to clipboard
     
    Unable to copy due to lack of browser support.
    This policy grants EC2 instances permission to assume the role, enabling them to use the permissions defined in the role's policy.
  6. Under the Permissions tab, click on your policy.
    1. Search and attach the Bedrock > InvokeModel services under Add actions.
    2. Click Next and Save changes.
    3. Or, create or attach a policy with the following permissions:
      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "bedrock:InvokeModel",
            "Resource": "*"
        }
    ]
}
      Code copied to clipboard
       
      Unable to copy due to lack of browser support.
      This step ensures that the EC2 instances have the necessary permissions to invoke models using the Bedrock service.
    4. Review and Create Role.
  7. Choose Next: Tags, add any tags if needed, then choose Next: Review.
  8. Review your settings and select Create role.

Assign Role to Pods for Model Access

Assign a role to the pods to enable access to the models, similar to the configuration for unprotected VM traffic.
  1. Sign in to the AWS Management Console.
  2. Go to Elastic Kubernetes Service (EKS).
  3. Select your EKS cluster.
  4. Go to Access > Pod Identity associations.
  5. Assign IAM roles to Kubernetes service accounts - Amazon EKS.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.