Skip to content

(AWS) Create Privacera Manager Host#

These are instructions for the creation of the Privacera Platform host in an AWS cloud environment.

The first step is to create a new virtual machine that will be dedicated to the Privacera Platform. This virtual machine, along with your service account, must, initially, have sufficient privileges to allow it to download additional Privacera Platform required and optional components.

Once running, this VM and associated service accounts, must also have sufficient privileges to the target data repositories and all other referenced resources.

The second step is to install Docker and Docker Compose to the Privacera Manager host.

Note

Single-node/Docker deployment, Privacera Manager deploys, and configures Privacera Platform core components as Docker containers that run on this same virtual machine. In this 'single-node' configurations, the Privacera Manager host is also the Privacera Platform host.

Virtual Machine Creation

Create an AWS EC2 Instance

Configured as follows:

  • AMI: Amazon Linux AMI 64-bit x86 SSD
  • Instance Type: m5.2xlarge or larger
  • Storage: Primary (Root) volume (/dev/xvda) minimum size 128 GiB, General Purpose SSD (gp2)
  • Tags: As useful for your organization.
  • Role: Create a new IAM Role. Name it "Privacera_PM_Role" (This can be done in the Instance creation wizard sequence)
  • Network & VPC with attached Security Group with ports ingress/egress. To learn which ports are used by different Privacera services, click here.

IAM Policies for Privacera Discovery#

To use the Privacera Discovery service, ensure the following IAM policies are attached to the Privacera_PM_Role role to access the AWS services.

Policy to create AWS resources#

This policy gives permissions to Privacera Manager to create AWS resources like DynamoDB, Kinesis, SQS, and S3 using terraform.

  • ${AWS_REGION}: AWS region where the resources will get created.
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"CreateDynamodb",
         "Effect":"Allow",
         "Action":[
            "dynamodb:CreateTable",
            "dynamodb:DeleteTable",
            "dynamodb:DescribeTable",
            "dynamodb:ListTables",
            "dynamodb:TagResource",
            "dynamodb:UntagResource",
            "dynamodb:UpdateTable",
            "dynamodb:UpdateTableReplicaAutoScaling",
            "dynamodb:UpdateTimeToLive",
            "dynamodb:DescribeTimeToLive",
            "dynamodb:ListTagsOfResource",
            "dynamodb:DescribeContinuousBackups"
         ],
         "Resource":"arn:aws:dynamodb:${AWS_REGION}:*:table/privacera*"
      },
      {
         "Sid":"Kinesis",
         "Effect":"Allow",
         "Action":[
            "kinesis:CreateStream",
            "kinesis:DeleteStream",
            "kinesis:ListStreams",
            "kinesis:UpdateShardCount"
         ],
         "Resource":"arn:aws:kinesis:${AWS_REGION}:*:stream/privacera*"
      },
      {
         "Sid":"S3BucketCreate",
         "Effect":"Allow",
         "Action":[
            "s3:CreateBucket",
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation",
            "s3:DeleteBucket"
         ],
         "Resource":[
            "arn:aws:s3:::*"
         ]
      },
      {
         "Sid":"ManageSQSMessages",
         "Effect":"Allow",
         "Action":[
            "sqs:*"
         ],
         "Resource":[
            "*"
         ]
      }
   ]
}

Policy to access AWS services#

This policy gives permissions to store Privacera's configuration and meta-data in DynamoDB, Kinesis, SQS, and S3.

  • ${PRIVACERA_BUCKET}: AWS Bucket used by Privacera to store its configuration files.

  • ${ACCOUNT_ID}: AWS account where the installation is being done.

  • ${AWS_REGION}: AWS region where resource will get created.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"Dynamodb",
         "Effect":"Allow",
         "Action":[
            "dynamodb:BatchGet*",
            "dynamodb:DescribeStream",
            "dynamodb:DescribeTable",
            "dynamodb:Get*",
            "dynamodb:Query",
            "dynamodb:Scan",
            "dynamodb:BatchWrite*",
            "dynamodb:Delete*",
            "dynamodb:Update*",
            "dynamodb:PutItem"
         ],
         "Resource":"arn:aws:dynamodb:${AWS_REGION}:*:table/privacera*"
      },
      {
         "Sid":"Kinesis",
         "Effect":"Allow",
         "Action":[
            "kinesis:Get*",
            "kinesis:DescribeStreamSummary",
            "kinesis:ListStreams",
            "kinesis:PutRecord",
            "kinesis:AddTagsToStream",
            "kinesis:DecreaseStreamRetentionPeriod",
            "kinesis:DescribeLimits",
            "kinesis:DescribeStream",
            "kinesis:DescribeStreamConsumer",
            "kinesis:DescribeStreamSummary",
            "kinesis:GetShardIterator",
            "kinesis:IncreaseStreamRetentionPeriod",
            "kinesis:ListShards",
            "kinesis:ListStreamConsumers",
            "kinesis:ListStreams",
            "kinesis:ListTagsForStream",
            "kinesis:MergeShards",
            "kinesis:PutRecord",
            "kinesis:PutRecords",
            "kinesis:GetRecords",
            "kinesis:RegisterStreamConsumer"
         ],
         "Resource":"arn:aws:kinesis:${AWS_REGION}:*:stream/privacera*"
      },
      {
         "Sid":"S3BucketRead",
         "Effect":"Allow",
         "Action":[
            "s3:Head*",
            "s3:List*",
            "s3:Get*"
         ],
         "Resource":[
            "arn:aws:s3:::${PRIVACERA_BUCKET}"
         ]
      },
      {
         "Sid":"S3ObjectAll",
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:DeleteObject",
            "s3:GetObjectVersion",
            "s3:DeleteObject",
            "s3:DeleteObjectVersion"
         ],
         "Resource":[
            "arn:aws:s3:::${PRIVACERA_BUCKET}/*"
         ]
      },
      {
         "Sid":"S3GlobalRead",
         "Effect":"Allow",
         "Action":[
            "s3:HeadBucket",
            "s3:ListAllMyBuckets"
         ],
         "Resource":[
            "arn:aws:s3:::${PRIVACERA_BUCKET}"
         ]
      },
      {
         "Sid":"ManageSQSMessages",
         "Effect":"Allow",
         "Action":[
            "sqs:DeleteMessage",
            "sqs:ReceiveMessage"
         ],
         "Resource":[
            "arn:aws:sqs:${AWS_REGION}:${ACCOUNT_ID}:privacera*"
         ]
      },
      {
         "Sid":"ListSQSQueues",
         "Effect":"Allow",
         "Action":"sqs:ListQueues",
         "Resource":[
            "arn:aws:sqs:${AWS_REGION}:${ACCOUNT_ID}:privacera*"
         ]
      }
   ]
} 

Policy to scan S3 buckets#

This policy allows to access the S3 buckets that contains data to be scanned.

  • ${CUSTOMER_REALTIMESCAN_BUCKET}: Bucket that will be monitored for files to be scanned in real-time.

  • ${CUSTOMER_LANDING_BUCKET}: Bucket that will be monitored for files to be scanned.

  • ${CUSTOMER_QUARANTINE_BUCKET}: Bucket to which files will be quarantined.

  • ${CUSTOMER_TRANSFER_BUCKET}: Bucket to which files will be transferred if they do not have any sensitive tags.

  • ${CUSTOMER_ARCHIVE_BUCKET}: Bucket to which a copy of the original files will be transferred if they contain any sensitive tags.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"S3ObjectAll",
         "Effect":"Allow",
         "Action":"s3:*",
         "Resource":[
            "arn:aws:s3:::${CUSTOMER_LANDING_BUCKET}",
            "arn:aws:s3:::${CUSTOMER_LANDING_BUCKET}/*",
            "arn:aws:s3:::${CUSTOMER_REALTIMESCAN_BUCKET}",
            "arn:aws:s3:::${CUSTOMER_REALTIMESCAN_BUCKET}/*",
            "arn:aws:s3:::${CUSTOMER_QUARANTINE_BUCKET}",
            "arn:aws:s3:::${CUSTOMER_QUARANTINE_BUCKET}/*",
            "arn:aws:s3:::${CUSTOMER_TRANSFER_BUCKET}",
            "arn:aws:s3:::${CUSTOMER_TRANSFER_BUCKET}/*",
            "arn:aws:s3:::${CUSTOMER_ARCHIVE_BUCKET}",
            "arn:aws:s3:::${CUSTOMER_ARCHIVE_BUCKET}/*"
         ]
      }
   ]
}

Install Docker and Docker Compose#

Docker is used by Privacera Manager.

  1. Log on to your Privacera host as ec2-user or a user with 'sudo' privileges.
  2. Install Docker, by executing the following:

     sudo yum install -y docker
     sudo sed -i 's/1024:4096/1024000:1024000/g' /etc/sysconfig/docker
     sudo cat /etc/sysconfig/docker
     sudo service docker start
     sudo systemctl enable docker
     sudo usermod -a -G docker ec2-user
     exit
    
  3. Log back into the same user account as in step 1. (This forces the usermod action).

  4. Install Docker-Compose:
     DOCKER_COMPOSE_VERSION="1.23.2"
     sudo curl -L https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
     sudo chmod +x /usr/local/bin/docker-compose
    

What's Next#

Configure and Install Core Services


Last update: August 24, 2021