
On-Premises Content Inspection AWS Deployment Procedure

This document outlines the AWS-specific setup procedure for Content Inspection on-premises deployment.

Customer Requirements

Infrastructure Prerequisites

  • Amazon EKS cluster with minimum node specs (4 vCPUs, 16GB RAM per node)
  • Working Ingress controller (AWS Load Balancer Controller recommended)
  • Permissions to create IAM roles, policies, S3 buckets, and configure EKS

Required Tools

  • aws CLI, eksctl, kubectl, helm

Part 1: Customer Prerequisites

Complete these steps before contacting Cyberhaven for SaaS configuration.

1. Set Up OIDC Provider

eksctl utils associate-iam-oidc-provider \
  --region ${AWS_REGION} \
  --cluster ${CLUSTER_NAME} \
  --approve

# Issuer URL with the https:// prefix stripped (e.g. oidc.eks.<region>.amazonaws.com/id/<ID>)
OIDC_PROVIDER=$(aws eks describe-cluster \
  --region ${AWS_REGION} \
  --name ${CLUSTER_NAME} \
  --query "cluster.identity.oidc.issuer" \
  --output text | sed 's|https://||')

2. Enable Pod Identity Add-on

Enable the EKS Pod Identity add-on via AWS Console or CLI:

aws eks create-addon --cluster-name ${CLUSTER_NAME} --addon-name eks-pod-identity-agent

Reference: AWS EKS Pod Identity Documentation

3. Create CI Stack IAM Role

AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)

cat <<EOF > trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity"
    }
  ]
}
EOF

ROLE_NAME="CyberhavenCIStackRole"
aws iam create-role \
  --role-name ${ROLE_NAME} \
  --assume-role-policy-document file://trust-policy.json

ROLE_ARN=$(aws iam get-role --role-name ${ROLE_NAME} --query 'Role.Arn' --output text)

echo "AWS Account ID: $AWS_ACCOUNT_ID"
echo "Role ARN: $ROLE_ARN"
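A check worth running on the trust policy above, as an added example that is not Cyberhaven's code: the step-3 policy trusts every token issued by the cluster's OIDC provider, and the standard IRSA hardening is a Condition on the provider's :sub and :aud claims so that only the CI stack's own Kubernetes service account can assume the role. The account ID, provider host, namespace (cyberhaven) and service account name (ci-stack) are placeholders; use the ones the chart actually creates.

```python
import json

# Constructed placeholder values for this example.
ACCOUNT_ID = "123456789012"
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789"


def _federated_arn(account_id, oidc_provider):
    return f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"


def unscoped_trust_policy(account_id, oidc_provider):
    """The step-3 policy from this page: trusts every token the cluster's OIDC provider issues."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": _federated_arn(account_id, oidc_provider)},
        "Action": "sts:AssumeRoleWithWebIdentity"}]}


def scoped_trust_policy(account_id, oidc_provider, namespace, service_account):
    """Same policy with the standard IRSA :sub/:aud conditions (placeholder namespace/SA)."""
    policy = unscoped_trust_policy(account_id, oidc_provider)
    policy["Statement"][0]["Condition"] = {"StringEquals": {
        f"{oidc_provider}:aud": "sts.amazonaws.com",
        f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{service_account}"}}
    return policy


def audit_trust_policy(policy):
    """Flag Allow statements that federate an OIDC provider without scoping subject and audience."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if stmt.get("Effect") != "Allow" or not isinstance(federated, str):
            continue
        if "oidc-provider/" not in federated:
            continue
        provider = federated.split("oidc-provider/", 1)[1]
        # Collect condition keys across all operators (StringEquals, StringLike, ...).
        keys = {k for op in stmt.get("Condition", {}).values() for k in op}
        for claim in ("sub", "aud"):
            if f"{provider}:{claim}" not in keys:
                findings.append(f"statement {i}: missing {provider}:{claim} condition")
    return findings


if __name__ == "__main__":
    weak = unscoped_trust_policy(ACCOUNT_ID, OIDC_PROVIDER)
    strong = scoped_trust_policy(ACCOUNT_ID, OIDC_PROVIDER, "cyberhaven", "ci-stack")
    print("\n".join(audit_trust_policy(weak)) or "no findings")
    print(json.dumps(strong, indent=2))  # drop-in replacement for trust-policy.json
```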

4. Set Up Cache Storage

Create S3 bucket for file caching:

REGION="us-east-1"  # Adjust as needed
CACHE_BUCKET="onprem-files-cache"

aws s3 mb s3://$CACHE_BUCKET --region $REGION

Create S3 access policy:

cat > s3-access-policy.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3BucketAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::$CACHE_BUCKET",
        "arn:aws:s3:::$CACHE_BUCKET/*"
      ]
    }
  ]
}
EOF

aws iam create-policy \
  --policy-name CyberhavenS3AccessPolicy \
  --policy-document file://s3-access-policy.json

aws iam attach-role-policy \
  --role-name $ROLE_NAME \
  --policy-arn arn:aws:iam::$AWS_ACCOUNT_ID:policy/CyberhavenS3AccessPolicy

5. Install Metrics Server

Install the metrics server required for Horizontal Pod Autoscaler (HPA) functionality:

kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml

Verify the installation:

kubectl get deployment metrics-server -n kube-system

6. Verify Ingress Controller

Ensure your ingress controller is working. For AWS Load Balancer Controller:

Information to Share with Cyberhaven

Provide these values to Cyberhaven for SaaS configuration:

  • AWS Account ID: $AWS_ACCOUNT_ID
  • Role ARN: $ROLE_ARN

Part 2: Post-SaaS Configuration

Complete these steps after Cyberhaven configures the SaaS environment and provides you with the workload identity federation configuration.

1. Configure Helm Values

Update values/customer-values.yaml with your AWS-specific settings:

global:
  customer:
    provider:
      type: "aws"
      roleArn: "arn:aws:iam::123456789012:role/CyberhavenCIStackRole"
    cache:
      type: "s3"
      name: "onprem-files-cache"
  ingress:
    enabled: true
    className: "" # Uses default
    annotations:
      alb.ingress.kubernetes.io/target-type: ip
      alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=200
      kubernetes.io/ingress.class: alb
  saas:
    googleCredentials: |
      {
        # Workload identity federation JSON provided by Cyberhaven
      }

2. Deploy

Follow the standard installation procedure from INSTALL.

Validation

After deployment, verify:

  1. Pod Status: All pods reach Running state
  2. S3 Access: CI components can read/write to cache bucket
  3. SaaS Connectivity: Monitor for successful request processing

Troubleshooting

  • Pod Identity Issues: Verify OIDC provider and IAM role trust policy
  • S3 Access Denied: Check IAM policy and bucket permissions
  • Ingress Issues: Verify AWS Load Balancer Controller installation and security groups

For issues, collect pod logs and run make status before contacting support.