Data Fabric Security on AWS

Partner Solution Deployment Guide


May 2023
Jenifer Wang, Solution Acceleration team (DoD)
Troy Ameigh, AWS Partner Integration and Engineering team

Refer to the GitHub repository to view source files, report bugs, submit feature ideas, and post feedback about this Partner Solution. To comment on the documentation, refer to Feedback.

This Partner Solution was created by Immuta and Radiant Logic in collaboration with Amazon Web Services (AWS). Partner Solutions are automated reference deployments that help people deploy popular technologies on AWS according to AWS best practices. If you’re unfamiliar with AWS Partner Solutions, refer to the AWS Partner Solution General Information Guide.

Overview

This guide covers the information you need to deploy the Data Fabric Security Partner Solution in the AWS Cloud.

Costs and licenses

This deployment requires licenses for Immuta and RadiantOne. For more information, refer to the Immuta and Radiant Logic websites, respectively. There is no cost to use this Partner Solution, but you will be billed for any AWS services or resources that this Partner Solution deploys. For more information, refer to the AWS Partner Solution General Information Guide.

Architecture

Deploying this Partner Solution with default parameters builds the following Data Fabric Security environment in the AWS Cloud.

Figure 1. Partner Solution architecture for Data Fabric Security on AWS

As shown in Figure 1, this Partner Solution sets up the following:

  • An architecture that spans two Availability Zones.*

  • A virtual private cloud (VPC) configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*

  • In the public subnets, NAT gateways to allow outbound internet access for resources in the private subnets.*

  • Two Classic Load Balancers, one each for the Immuta and RadiantOne services in the private subnets.

  • In the private subnets:

    • Three-node Amazon EKS clusters containing highly available deployments of Immuta and RadiantOne.

    • Amazon EKS to provide the Kubernetes control plane for the clusters.

    • Endpoints for other AWS services to access the Amazon EKS Kubernetes API server.

  • Amazon CloudWatch to collect, store, access, and monitor logs.

  • Amazon Route 53 for a private hosted zone and resolvers.

  • AWS Lambda to install Immuta and RadiantOne.

* You can choose to use an existing VPC during deployment. The existing VPC must include two private subnets in separate Availability Zones.

Predeployment steps

  1. Install Node.js 18.0.0 or later. For more information, refer to Tutorial: Setting Up Node.js on an Amazon EC2 Instance.

  2. Install AWS Cloud Development Kit (AWS CDK) using Node Package Manager (npm).

    npm install -g aws-cdk

    For more information, refer to Getting started with the AWS CDK.

  3. Load your AWS credentials into your development environment. You can do this with the AWS Command Line Interface (AWS CLI). For more information, refer to Authentication with AWS.

  4. Obtain licenses for Immuta and RadiantOne. For more information, refer to the Immuta and Radiant Logic websites, respectively.

    After purchasing an Immuta license, you will receive a user name and password from Immuta. Enter the Immuta user name and password for the Instance.Username and Instance.Password parameters in dev.yaml when configuring for deployment.

Deployment steps

  1. Navigate to the Data Fabric Security root folder.

    cd <path>/quickstart-aws-data-fabric-security

  2. Install all packages.

    npm ci

  3. Open the file <path>/quickstart-aws-data-fabric-security/config/dev.yaml.

  4. Edit the variables to customize the deployment for your environment. For variable details, refer to Deployment configuration, later in this guide.

  5. Run the following command to bootstrap your AWS environment.

    cdk bootstrap aws://<ACCOUNT_ID>/<REGION>

  6. Deploy the solution.

    bash dfs-solution-install.sh

    The solution takes about 20 minutes to deploy.

  7. Once deployment is complete, copy the output from the deployment and save it for later use. The following is an example of output for DataFabricStack.

    DataFabricStack.ExportsOutputFnGetAttdatafabricsecuritycorestackNestedStackdatafabricsecuritycorestackNestedStackResource0E29B9E3OutputsDataFabricStackdatafabricsecuritycorestackdatafabricsecurityhostedzone8A7A666ERef412EFD8E = Z08846025FQL5G34G3RSN
    DataFabricStack.ExportsOutputFnGetAttdatafabricsecuritycorestackNestedStackdatafabricsecuritycorestackNestedStackResource0E29B9E3OutputsDataFabricStackdatafabricsecuritycorestackdatafabricsecurityvpc3D851B3DRef8F8BED20 = vpc-0k86a8r6550x470sd
    DataFabricStack.ExportsOutputFnGetAttdatafabricsecuritycorestackNestedStackdatafabricsecuritycorestackNestedStackResource0E29B9E3OutputsDataFabricStackdatafabricsecuritycorestackdatafabricsecurityvpcPrivateSubnet1SubnetD144D644RefCA2E36A0 = subnet-05c58c03655b07e96
    DataFabricStack.ExportsOutputFnGetAttdatafabricsecuritycorestackNestedStackdatafabricsecuritycorestackNestedStackResource0E29B9E3OutputsDataFabricStackdatafabricsecuritycorestackdatafabricsecurityvpcPrivateSubnet2SubnetC59876D4RefB9149745 = subnet-0355b2b6384b7a984
    DataFabricStack.ExportsOutputFnGetAttdatafabricsecuritycorestackNestedStackdatafabricsecuritycorestackNestedStackResource0E29B9E3OutputsDataFabricStackdatafabricsecuritycorestackdatafabricsecurityvpcPublicSubnet1Subnet364D7A24RefCE325DB3 = subnet-0b384f6b1a3cdee0d
    DataFabricStack.ExportsOutputFnGetAttdatafabricsecuritycorestackNestedStackdatafabricsecuritycorestackNestedStackResource0E29B9E3OutputsDataFabricStackdatafabricsecuritycorestackdatafabricsecurityvpcPublicSubnet2SubnetE8E85537RefFE30536F = subnet-09eaf0abdec1vf6e2
    DataFabricStack.ExportsOutputFnGetAttdatafabricsecuritykeyEF30DCE5Arn6660AD21 = arn:aws-us-gov:kms:us-gov-west-1:123456789012:key/a5n6bs39-8yfr-7tww-m544-57bk737tay0f
    DataFabricStack.ExportsOutputRefdatafabricsecuritykubectl66B18AE6595A4A51 = arn:aws-us-gov:lambda:us-gov-west-1:123456789012:layer:datafabricsecuritykubectl44B16AB6:5

    The following is an example of output for DataFabricStack/data-fabric-security-eks-cluster.

    DataFabricStackdatafabricsecurityeksclusterCA551CED.ClusterArn = arn:aws-us-gov:eks:us-gov-west-1:123456789012:cluster/data-fabric-security-eks-cluster
    DataFabricStackdatafabricsecurityeksclusterCA551CED.EKSAdminRole = arn:aws-us-gov:iam::123456789012:role/DataFabricStackdatafabric-datafabricsecurityeksclu-16OBLBQDF1383
    DataFabricStackdatafabricsecurityeksclusterCA551CED.datafabricsecurityadminplatformteamteamadmin = arn:aws-us-gov:iam::123456789012:role/Admin
    DataFabricStackdatafabricsecurityeksclusterCA551CED.datafabricsecurityeksclusterClusterName6BCF1F10 = data-fabric-security-eks-cluster
    DataFabricStackdatafabricsecurityeksclusterCA551CED.datafabricsecurityeksclusterConfigCommand978D3532 = aws eks update-kubeconfig --name data-fabric-security-eks-cluster --region us-gov-west-1 --role-arn arn:aws-us-gov:iam::123456789012:role/DataFabricStackdatafabric-datafabricsecurityeksclu-14T5IMKRMS7JT
    DataFabricStackdatafabricsecurityeksclusterCA551CED.datafabricsecurityeksclusterGetTokenCommand1D6ABA05 = aws eks get-token --cluster-name data-fabric-security-eks-cluster --region us-gov-west-1 --role-arn arn:aws-us-gov:iam::123456789012:role/DataFabricStackdatafabric-datafabricsecurityeksclu-14T5IMKRMS7JT
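The step 7 output is what you need later (VPC and subnet IDs, the KMS key, the cluster ARN, the update-kubeconfig command), but the CDK export names are hard to read. As an added example that is not part of the Partner Solution's own code, the Python script below parses those "Key = Value" lines into named fields; the sample lines are copied from the example output above, and the key substrings used to classify them are assumptions drawn from those examples.

```python
import re

# Constructed sample: a subset of the DataFabricStack output lines from step 7 above
# (the account ID and resource IDs are the guide's own placeholder values).
SAMPLE_OUTPUT = """\
DataFabricStack.ExportsOutputFnGetAttdatafabricsecuritycorestackNestedStackdatafabricsecuritycorestackNestedStackResource0E29B9E3OutputsDataFabricStackdatafabricsecuritycorestackdatafabricsecurityhostedzone8A7A666ERef412EFD8E = Z08846025FQL5G34G3RSN
DataFabricStack.ExportsOutputFnGetAttdatafabricsecuritycorestackNestedStackdatafabricsecuritycorestackNestedStackResource0E29B9E3OutputsDataFabricStackdatafabricsecuritycorestackdatafabricsecurityvpc3D851B3DRef8F8BED20 = vpc-0k86a8r6550x470sd
DataFabricStack.ExportsOutputFnGetAttdatafabricsecuritycorestackNestedStackdatafabricsecuritycorestackNestedStackResource0E29B9E3OutputsDataFabricStackdatafabricsecuritycorestackdatafabricsecurityvpcPrivateSubnet1SubnetD144D644RefCA2E36A0 = subnet-05c58c03655b07e96
DataFabricStack.ExportsOutputFnGetAttdatafabricsecuritycorestackNestedStackdatafabricsecuritycorestackNestedStackResource0E29B9E3OutputsDataFabricStackdatafabricsecuritycorestackdatafabricsecurityvpcPublicSubnet1Subnet364D7A24RefCE325DB3 = subnet-0b384f6b1a3cdee0d
DataFabricStack.ExportsOutputFnGetAttdatafabricsecuritykeyEF30DCE5Arn6660AD21 = arn:aws-us-gov:kms:us-gov-west-1:123456789012:key/a5n6bs39-8yfr-7tww-m544-57bk737tay0f
DataFabricStackdatafabricsecurityeksclusterCA551CED.ClusterArn = arn:aws-us-gov:eks:us-gov-west-1:123456789012:cluster/data-fabric-security-eks-cluster
DataFabricStackdatafabricsecurityeksclusterCA551CED.datafabricsecurityeksclusterClusterName6BCF1F10 = data-fabric-security-eks-cluster
DataFabricStackdatafabricsecurityeksclusterCA551CED.datafabricsecurityeksclusterConfigCommand978D3532 = aws eks update-kubeconfig --name data-fabric-security-eks-cluster --region us-gov-west-1 --role-arn arn:aws-us-gov:iam::123456789012:role/DataFabricStackdatafabric-datafabricsecurityeksclu-14T5IMKRMS7JT
"""

# (substring of the output key, result field, pattern the value must match). The two
# subnet rules sit before the bare "vpc" rule because subnet keys also contain "vpc".
RULES = [
    ("hostedzone", "hosted_zone_id", r"Z[A-Z0-9]+"),
    ("PrivateSubnet", "private_subnets", r"subnet-[0-9a-z]+"),
    ("PublicSubnet", "public_subnets", r"subnet-[0-9a-z]+"),
    ("vpc", "vpc_id", r"vpc-[0-9a-z]+"),
    ("securitykey", "kms_key_arn", r"arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/.+"),
    ("EKSAdminRole", "eks_admin_role_arn", r"arn:aws[a-z-]*:iam::\d{12}:role/.+"),
    ("ClusterArn", "cluster_arn", r"arn:aws[a-z-]*:eks:[a-z0-9-]+:\d{12}:cluster/.+"),
    ("ClusterName", "cluster_name", r"[A-Za-z0-9][A-Za-z0-9_-]*"),
    ("ConfigCommand", "update_kubeconfig_cmd", r"aws eks update-kubeconfig .+"),
    ("GetTokenCommand", "get_token_cmd", r"aws eks get-token .+"),
]

def parse_outputs(text):
    # Map CDK "Key = Value" lines to named fields. Keys that no rule claims (or whose
    # value fails the rule's pattern) go under "unrecognized" so nothing is silently lost.
    result = {"private_subnets": [], "public_subnets": [], "unrecognized": []}
    for line in text.splitlines():
        if " = " not in line:
            continue
        key, value = (part.strip() for part in line.split(" = ", 1))
        for needle, field, pattern in RULES:
            if needle in key and re.fullmatch(pattern, value):
                if isinstance(result.get(field), list):
                    result[field].append(value)
                else:
                    result[field] = value
                break
        else:
            result["unrecognized"].append(key)
    return result
```

Feed it the full output saved from your own deployment and check that "unrecognized" is empty before relying on the parsed fields.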

Deployment configuration

Edit the variables in config/dev.yaml to customize the deployment for your environment.

Global parameters

AWSAccountID
  AWS account ID.
  Default: 123456789012

AWSRegion
  AWS Region.
  Default: us-east-1

Domain
  Domain name.
  Default: company.com

Networking parameters

VpcId
  Enter an existing VPC ID or leave blank ("") to create a new VPC.
  Default: "vpc-123456789abcdefgh"

SubnetA
  Private subnet in Availability Zone 1. To create a new subnet, delete the default entry and leave blank ("").
  Default: "subnet-123456789abcdefg"

SubnetB
  Private subnet in Availability Zone 2. To create a new subnet, delete the default entry and leave blank ("").
  Default: "subnet-abcdefgh123456789"

MaxAZs
  Maximum number of Availability Zones.
  Default: "2"

Amazon EKS parameters

Clustername
  Custom name for the EKS cluster.
  Default: "data-fabric-security-eks-cluster"

EKSAdminRole
  Amazon Resource Name (ARN) of an existing IAM role in the AWS account with AmazonEKSClusterPolicy attached. Used to create the EKS cluster, this role is automatically granted system:masters permissions in the cluster’s role-based access control (RBAC) configuration in the Amazon EKS control plane.
  Default: "arn:aws-us-gov:iam::123456789012:role/aws-service-role/eks.amazonaws.com/EKSAdminRole"

EKSEndpointAccess
  Amazon EKS endpoint access type ("PUBLIC", "PRIVATE", or "" for both).
  Default: "PRIVATE"

InstanceType
  EKS cluster instance type.
  Default: "m5.large"

ClusterSize
  EKS cluster size.
  Default: "3"

Immuta parameters

Deploy
  Set to false to skip deploying Immuta.
  Default: true

ChartVersion
  Immuta Helm chart version.
  Default: "4.95"

ImmutaVersion
  Version of Immuta to install.
  Default: "2022.4.3"

ImageTag
  Docker image tag.
  Default: "2022.4.3"

Instance.Username
  Immuta instance user name.
  Default: "USERNAME"

Instance.Password
  Immuta instance password.
  Default: "PASSWORD"

Database.ImmutaDBPassword
  Immuta database password.
  Default: "SECRET"

Database.ImmutaDBSuperUserPassword
  Immuta database super user password.
  Default: "SECRET"

Database.ImmutaDBReplicationPassword
  Immuta database replication password.
  Default: "SECRET"

Database.ImmutaDBPatroniApiPassword
  Immuta database Patroni API password.
  Default: "SECRET"

Query.ImmutaQEPassword
  Query engine password.
  Default: "SECRET"

Query.ImmutaQESuperUserPassword
  Query engine super user password.
  Default: "SECRET"

Query.ImmutaQEReplicationPassword
  Query engine replication password.
  Default: "SECRET"

Query.ImmutaQEPatroniApiPassword
  Query engine Patroni API password.
  Default: "SECRET"

RadiantOne parameters

Deploy
  Set to false to skip deploying RadiantOne.
  Default: true

ZkImageTag
  ZooKeeper image tag.
  Default: "3.5.8"

FidImageTag
  FID image tag.
  Default: "7.4.4"

License
  RadiantOne license.
  Default: "\\{rlib\\}xXXXXXXXXXXXX"

RootPassword
  Root administrator user password.
  Default: "Password1!"

Postdeployment steps

Sign in to RadiantOne

You must connect to RadiantOne from inside the environment (bastion host) or by configuring your local DNS to point the RadiantOne hostname to the RadiantOne load balancer.

  1. Navigate to one of the following URLs.

    • http://radiantlogic.example.com:7070

    • https://radiantlogic.example.com:7171

  2. On the RadiantOne main control panel, enter the user name cn=directory manager.

  3. For the password, enter the value of the RootPassword parameter in dev.yaml. Refer to Deployment configuration, earlier in this guide.

  4. Choose Login.

Sign in to Immuta

  1. Connect to https://immuta.<example.com>. Replace <example.com> with the domain name entered for the Domain parameter in dev.yaml. Refer to Deployment configuration, earlier in this guide.

  2. Enter an email address and password to create a new administrator account.

  3. On the License page, choose Add license key.

  4. Enter the Immuta license provided by Immuta.

  5. Choose Save.

Immuta AWS GovCloud region support

Immuta comes with support for standard AWS Regions. Complete the following steps to configure AWS GovCloud support in Immuta.

  1. In Immuta, choose App Settings.

  2. Choose Advanced Settings.

  3. Choose Advanced Configuration.

  4. Enter the following in the Advanced Configuration text box.

    client:
      awsRegions:
        - us-gov-east-1
        - us-gov-west-1

  5. Choose Save.

Uninstall the Partner Solution

To uninstall the Partner Solution, complete the following steps.

Step 1: Run the Lambda uninstall functions for Immuta and RadiantOne

  1. Sign in to the AWS Management Console and open the AWS Lambda console.

  2. On the Functions page, choose the data-fabric-security-immuta-uninstall function.

  3. On the Code tab, choose Test.

  4. On the Configure test event window, enter an event name.

  5. Choose Save.

  6. Choose the Test button to run the test.

  7. Navigate to the Functions page.

  8. Choose the data-fabric-security-radiantlogic-uninstall function.

  9. Repeat steps 3–6.

Step 2: Uninstall the deployment stacks

To uninstall the deployment stacks, run the following command.

./dfs-solution-uninstall.sh

Additional resources

Troubleshooting

Radiant Logic license not working

When configuring the deployment, enter your RadiantOne license from Radiant Logic in the License parameter in dev.yaml. Ensure that you escape the curly braces when configuring the parameter; for example:

"\\{rlib\\}<RADIANT_LOGIC_LICENSE>"

For more information, refer to Deployment steps, earlier in this guide.
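The parameter tables under Deployment configuration and the license note above name several values that must be changed before you deploy: placeholder credentials, the documented RootPassword, VPC and subnet IDs, the EKSAdminRole ARN, the EKS endpoint type, and a License whose curly braces must stay escaped. As an added example that is not part of the Partner Solution's own code, the Python script below checks a configuration for those conditions. The section and key layout of the config dict, the all-or-none rule for VpcId, SubnetA and SubnetB, and the lowercase-hex ID patterns are assumptions for this example; the License value is taken as the text exactly as typed in dev.yaml, before YAML unescaping.

```python
import re

# Constructed example config holding the defaults from the parameter tables. The layout
# is an assumption; the real dev.yaml may nest these parameters differently.
DEFAULT_CONFIG = {
    "Networking": {"VpcId": "vpc-123456789abcdefgh", "SubnetA": "subnet-123456789abcdefg",
                   "SubnetB": "subnet-abcdefgh123456789", "MaxAZs": "2"},
    "EKS": {"EKSAdminRole": "arn:aws-us-gov:iam::123456789012:role/aws-service-role/eks.amazonaws.com/EKSAdminRole",
            "EKSEndpointAccess": "PRIVATE"},
    "Immuta": {"Instance": {"Username": "USERNAME", "Password": "PASSWORD"},
               "Database": {"ImmutaDBPassword": "SECRET", "ImmutaDBSuperUserPassword": "SECRET"},
               "Query": {"ImmutaQEPassword": "SECRET"}},
    "RadiantOne": {"License": r"\\{rlib\\}xXXXXXXXXXXXX", "RootPassword": "Password1!"},
}

PLACEHOLDERS = {"USERNAME", "PASSWORD", "SECRET", "Password1!"}
ROLE_ARN = re.compile(r"arn:aws[a-z-]*:iam::\d{12}:role/.+")
ID_FIELDS = (("VpcId", "vpc-"), ("SubnetA", "subnet-"), ("SubnetB", "subnet-"))

def validate(cfg):
    # Return a list of findings; an empty list means every check passed.
    findings = []
    net, eks, imm, rad = cfg["Networking"], cfg["EKS"], cfg["Immuta"], cfg["RadiantOne"]
    # Networking: create everything, or supply an existing VPC with both private subnets.
    given = [net["VpcId"], net["SubnetA"], net["SubnetB"]]
    if any(given) and not all(given):
        findings.append("Networking: set VpcId, SubnetA and SubnetB together, or leave all blank")
    for name, prefix in ID_FIELDS:
        if net[name] and not re.fullmatch(prefix + r"[0-9a-f]{8,17}", net[name]):
            findings.append("Networking: %s %r is not a valid ID (expected lowercase hex)" % (name, net[name]))
    # EKS: this role receives system:masters, so its ARN must be exact; PUBLIC or "" exposes the API.
    if not ROLE_ARN.fullmatch(eks["EKSAdminRole"]):
        findings.append("EKS: EKSAdminRole is not an IAM role ARN")
    if eks["EKSEndpointAccess"] not in ("PUBLIC", "PRIVATE", ""):
        findings.append("EKS: EKSEndpointAccess must be PUBLIC, PRIVATE or \"\"")
    elif eks["EKSEndpointAccess"] != "PRIVATE":
        findings.append("EKS: API endpoint is internet-reachable; the guide's default is PRIVATE")
    # Immuta: every credential in the tables ships as a placeholder that must be replaced.
    for section, values in imm.items():
        for key, value in values.items():
            if value in PLACEHOLDERS:
                findings.append("Immuta: %s.%s still holds placeholder %r" % (section, key, value))
    # RadiantOne: braces in the license must stay escaped, and the root password changed.
    if not rad["License"].startswith(r"\\{rlib\\}"):
        findings.append(r"RadiantOne: License must start with the escaped prefix \\{rlib\\}")
    elif rad["License"].endswith("xXXXXXXXXXXXX"):
        findings.append("RadiantOne: License is the placeholder value")
    if rad["RootPassword"] in PLACEHOLDERS:
        findings.append("RadiantOne: RootPassword is still the documented default")
    return findings
```

Run against the unmodified defaults it reports the placeholder IDs, credentials and license, which is the expected result before you have edited dev.yaml.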

For troubleshooting common Partner Solution issues, refer to the AWS Partner Solution General Information Guide.

Customer responsibility

After you deploy a Partner Solution, confirm that your resources and services are updated and configured—including any required patches—to meet your security and other needs. For more information, refer to the Shared Responsibility Model.

Feedback

To submit feature ideas and report bugs, use the Issues section of the GitHub repository for this Partner Solution. To submit code, refer to the Partner Solution Contributor’s Guide. To submit feedback on this deployment guide, use the following GitHub links:

Notices

This document is provided for informational purposes only. It represents current AWS product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided "as is" without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at https://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "as is" basis, without warranties or conditions of any kind, either expressed or implied. Refer to the License for specific language governing permissions and limitations.