RapidFort AWS Prerequisites
Set up AWS prerequisites for RapidFort
Before deploying RapidFort in your AWS environment, please set up the following:
- S3 Bucket for RapidFort data
- IAM User OR IAM EC2 Role
  - The user or role must have Read/List/Write/Delete permissions for the RapidFort S3 bucket
  - If using a role, the policy attached to the role must grant permissions to assume the role (sts:AssumeRole)
In addition to setting up an S3 bucket and IAM User or IAM EC2 Role, please verify that the environment in which RapidFort will be deployed has HTTPS access to the environment in which your container images will be deployed and tested (for example, Docker-Compose, Kubernetes, Amazon EKS, AWS Fargate, and so forth). Runtime tracing of stub images requires HTTPS access to the RapidFort server.
Create an S3 bucket (for example, rapidfort-s3) in the same region in which the RapidFort application will be deployed. Make a note of the S3 bucket ARN and name.
- Example: AWS Commercial
  - ARN: arn:aws:s3:::rapidfort-s3
  - Name: rapidfort-s3
- Example: AWS GovCloud (the GovCloud ARN partition is aws-us-gov)
  - ARN: arn:aws-us-gov:s3:::rapidfort-s3
  - Name: rapidfort-s3
RapidFort needs Read/List/Write/Delete permissions for the S3 bucket.
You may either create an IAM User or IAM EC2 Role and attach a policy.
Sample JSON policies are provided for your reference. Please contact your AWS Solutions architect if your environment has additional requirements.
IAM User
In this section, we will configure an IAM User. Refer to the IAM EC2 Role section below for information on how to configure an IAM EC2 Role.
- Create a RapidFort IAM user (for example, rapidfort-user). The RapidFort user does not need access to the AWS Console.
- Generate and download AWS credentials (AWS Access Key ID and AWS Secret Access Key) for the RapidFort user.
- Replace the S3 bucket name in the sample JSON code below.
- Attach the policy to the user created in the previous step.
Sample JSON policy (template; replace <S3_BUCKET_ARN> with your bucket ARN):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:PutObject",
        "s3:GetObject",
        "s3:DescribeJob",
        "s3:ListBucket"
      ],
      "Resource": [
        "<S3_BUCKET_ARN>",
        "<S3_BUCKET_ARN>/*"
      ]
    }
  ]
}
Sample JSON policy (AWS Commercial example, bucket rapidfort-s3):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:PutObject",
        "s3:GetObject",
        "s3:DescribeJob",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::rapidfort-s3",
        "arn:aws:s3:::rapidfort-s3/*"
      ]
    }
  ]
}
Sample JSON policy (AWS GovCloud example, bucket rapidfort-s3; note the aws-us-gov partition):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:PutObject",
        "s3:GetObject",
        "s3:DescribeJob",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws-us-gov:s3:::rapidfort-s3",
        "arn:aws-us-gov:s3:::rapidfort-s3/*"
      ]
    }
  ]
}
IAM EC2 Role
In this section, we will configure an IAM EC2 Role. Refer to the IAM User section above for information on how to configure an IAM User.
- Create an IAM EC2 role (for example, rapidfort-role). Do not attach a policy to the role yet.
- Make a note of the IAM Role ARN (for example, arn:aws:iam::012345678910:role/rapidfort-role or, in GovCloud, arn:aws-us-gov:iam::012345678910:role/rapidfort-role).
- Create an IAM EC2 policy (for example, rapidfort-policy).
- Replace the S3 bucket name and the IAM EC2 role ARN in the sample JSON code below.
- Attach the policy to the role created in the previous step.
Please note that the policy must grant permissions to assume the role (sts:AssumeRole).
Sample JSON policy (template; replace <S3_BUCKET_ARN> with your bucket ARN and <ROLE_ARN> with the role ARN):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:PutObject",
        "s3:GetObject",
        "s3:DescribeJob",
        "s3:ListBucket"
      ],
      "Resource": [
        "<S3_BUCKET_ARN>",
        "<S3_BUCKET_ARN>/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "<ROLE_ARN>"
    }
  ]
}
Sample JSON policy (AWS Commercial example, bucket rapidfort-s3 and role rapidfort-role):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:PutObject",
        "s3:GetObject",
        "s3:DescribeJob",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::rapidfort-s3",
        "arn:aws:s3:::rapidfort-s3/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::012345678910:role/rapidfort-role"
    }
  ]
}
Sample JSON policy (AWS GovCloud example, bucket rapidfort-s3 and role rapidfort-role; note the aws-us-gov partition):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:PutObject",
        "s3:GetObject",
        "s3:DescribeJob",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws-us-gov:s3:::rapidfort-s3",
        "arn:aws-us-gov:s3:::rapidfort-s3/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws-us-gov:iam::012345678910:role/rapidfort-role"
    }
  ]
}
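As an added example serving both the IAM User and IAM EC2 Role sections above (this is not RapidFort's own code), the Python below builds the policy document from a bucket name, an ARN partition and an optional role ARN, and checks a policy document before it is attached: every required S3 action is granted, nothing is granted outside the RapidFort bucket, no wildcard actions or resources appear, every ARN is in the expected partition (aws for commercial regions, aws-us-gov for GovCloud), and, for a role, the sts:AssumeRole statement is present. The bucket name rapidfort-s3, the account id 012345678910 and the role name rapidfort-role are the page's sample values; the function names and the wording of the findings are assumptions of this example.

```python
# Added example, not RapidFort's own code: build and sanity-check the RapidFort
# S3 policy before attaching it. Bucket name, partition and role ARN are
# caller-supplied; the action list mirrors the sample policies on this page.
import json
from typing import Optional

# S3 actions granted by the sample policies (Read/List/Write/Delete on the bucket).
REQUIRED_S3_ACTIONS = frozenset({
    "s3:DeleteObject", "s3:PutObject", "s3:GetObject", "s3:DescribeJob", "s3:ListBucket",
})
# ARN partitions: commercial regions use "aws", AWS GovCloud (US) uses "aws-us-gov".
PARTITIONS = {"commercial": "aws", "govcloud": "aws-us-gov"}


def s3_bucket_arn(bucket: str, partition: str = "aws") -> str:
    """Bucket ARN for the partition, e.g. arn:aws:s3:::rapidfort-s3."""
    return f"arn:{partition}:s3:::{bucket}"


def build_policy(bucket: str, partition: str = "aws", role_arn: Optional[str] = None) -> dict:
    """Policy for the IAM user (role_arn=None) or the IAM EC2 role (adds sts:AssumeRole)."""
    bucket_arn = s3_bucket_arn(bucket, partition)
    statements = [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": sorted(REQUIRED_S3_ACTIONS),
        "Resource": [bucket_arn, f"{bucket_arn}/*"],
    }]
    if role_arn is not None:
        # The role policy must also allow assuming the role itself.
        statements.append({"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def render_policy(policy: dict) -> str:
    """JSON text ready to paste into the IAM console or pass to the AWS CLI."""
    return json.dumps(policy, indent=2)


def _as_list(value) -> list:
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def check_policy(policy: dict, bucket: str, partition: str = "aws",
                 expect_role: bool = False) -> list:
    """Return findings; an empty list means the policy matches the prerequisites.

    Flags missing required S3 actions, actions RapidFort does not need, wildcard
    actions or resources, ARNs in the wrong partition (e.g. a GovCloud typo),
    S3 grants outside the RapidFort bucket, and a missing sts:AssumeRole for a role.
    """
    findings = []
    bucket_arn = s3_bucket_arn(bucket, partition)
    in_scope = {bucket_arn, f"{bucket_arn}/*"}
    granted_s3 = set()
    has_assume_role = False

    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag here.
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))

        flagged = set()  # resources already reported; skipped by the scope check below
        for arn in resources:
            parts = arn.split(":")
            if arn == "*":
                findings.append("resource '*' grants access to every bucket")
                flagged.add(arn)
            elif len(parts) < 6 or parts[0] != "arn":
                findings.append(f"{arn} is not a valid ARN")
                flagged.add(arn)
            elif parts[1] != partition:
                findings.append(f"{arn} is not in the {partition} partition")
                flagged.add(arn)

        for action in actions:
            if "*" in action:
                findings.append(f"wildcard action {action} is broader than required")
            elif action == "sts:AssumeRole":
                has_assume_role = True
            elif action in REQUIRED_S3_ACTIONS:
                granted_s3.add(action)
                for arn in resources:
                    if arn not in flagged and arn not in in_scope:
                        findings.append(f"{action} on {arn} is outside the RapidFort bucket")
            else:
                findings.append(f"{action} is not needed by RapidFort")

    for action in sorted(REQUIRED_S3_ACTIONS - granted_s3):
        findings.append(f"missing required action {action}")
    if expect_role and not has_assume_role:
        findings.append("missing sts:AssumeRole statement for the IAM EC2 role")
    return findings


if __name__ == "__main__":
    # Constructed values for a GovCloud deployment; replace with your own bucket and role ARN.
    role = "arn:aws-us-gov:iam::012345678910:role/rapidfort-role"
    policy = build_policy("rapidfort-s3", PARTITIONS["govcloud"], role_arn=role)
    print(render_policy(policy))
    print("findings:", check_policy(policy, "rapidfort-s3", PARTITIONS["govcloud"], expect_role=True))
```

Running the script prints the role policy for a GovCloud bucket followed by its findings; an empty findings list is the expected result for a policy that matches the prerequisites. The same check_policy call can be run on a policy document already attached in IAM after loading its JSON, which catches the two mistakes most likely to slip through a console edit: a policy scoped to the wrong bucket or partition (which fails at runtime) and a policy widened to s3:* or Resource "*" (which works but grants far more than RapidFort needs).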
You should now have the following:
- RapidFort S3 Bucket
  - ARN (e.g. arn:aws:s3:::rapidfort-s3)
  - Name (e.g. rapidfort-s3)
- IAM User OR IAM EC2 Role
  - IAM User
    - AWS Access Key ID
    - AWS Secret Access Key
    - Read/List/Write/Delete permissions for the RapidFort S3 Bucket
  - IAM EC2 Role and Policy that grants
    - Read/List/Write/Delete permissions for the RapidFort S3 Bucket
    - Permissions to assume the role