Deployment - Verifiable Controls Evidence Store

Deployment

Before you launch the solution, review the cost, architecture, network security, and other considerations discussed in this guide. Follow the step-by-step instructions in this section to configure and deploy the solution into your account.

Time to deploy: Approximately 70 minutes.

Prerequisites

To deploy the solution, you must have the following:

  • The latest version of the AWS CLI, installed and configured.

  • The latest version of the AWS CDK.

  • A CDK-bootstrapped AWS account. For details, refer to Bootstrapping in the CDK Developer Guide.

  • Node.js version 12 or newer.

AWS credentials

Verify that the credentials used to access the target AWS account are properly configured. They can be supplied through environment variables or through the AWS CLI configuration files. If they are not, refer to Configuration and credential file settings in the AWS CLI User Guide to configure them first.

Customizable configuration

You can configure the Verifiable Controls Evidence Store solution to suit different customer requirements in terms of network environments, performance, or authentication methods.

You can also specify your own KMS encryption keys, data retention policy, the instance type for the Amazon OpenSearch Service nodes, and a proxy server if your infrastructure setup requires one. Use the solution’s Default.json configuration file, found in the configuration directory, as a sample for reference. This is the same file used during the default stack deployment. You can also create your own configuration files with different names and refer to them when deploying the stack.

By default, the solution’s web front end uses Amazon Cognito to authenticate and authorize users. A unique domain prefix is required to provision a new Amazon Cognito user pool. Specify the domain prefix under the AGSSharedInfra.identityProvider.domainPrefix section in the Default.json configuration file. For a code sample, refer to the solution’s README.md file.

Launch the stack

To deploy this solution with an installation script, complete the following steps:

  1. In your terminal, run the following command to clone the solution source code from the GitHub location:

    git clone https://github.com/aws-solutions/verifiable-controls-evidence-store

  2. Navigate to the source code folder created in step 1:

    cd verifiable-controls-evidence-store/source

  3. (Optional) To configure the S3 evidence collector:

    • Navigate to the configuration folder:

      cd configuration

    • Under AGSEvidenceStore.sourceBuckets, specify the source S3 buckets in the Default.json file. These S3 buckets will be monitored by the S3 collector. For example:

      "sourceBuckets": [
        { "account": "123456789", "bucketArn": "arn:aws:s3:::bucket1" },
        { "account": "123456789", "bucketArn": "arn:aws:s3:::bucket2" }
      ]

    • Navigate back to the source directory, and set the deployment environment to Sydney (ap-southeast-2):

      cd ..
      export AWS_REGION=ap-southeast-2

  4. To deploy the solution with the default configuration, run:

    node install.js

    If you would like to deploy with a customized configuration file, run:

    node install.js <Configuration name>

Note

You are responsible for the cost of the AWS services used while running this solution. For more details, visit the Cost section in this guide, and refer to the pricing webpage for each AWS service used in this solution.

Post-deployment S3 evidence collector configuration

As the source S3 buckets are customer-defined, you need to configure them to publish events to the S3 collector and to grant it read permission. For more information on how to update bucket policies, refer to Bucket owner granting cross-account bucket permissions in the Amazon S3 User Guide.

The Lambda ARN and the Lambda role ARN are presented as CDK output. For example, the following bucket policy grants the connector role access to bucket1:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Statement1",
          "Effect": "Allow",
          "Principal": { "AWS": "s3-connector-lambda-role-arn" },
          "Action": [ "s3:ListBucket", "s3:GetObject*", "s3:PutObject*" ],
          "Resource": [ "arn:aws:s3:::bucket1", "arn:aws:s3:::bucket1/*" ]
        }
      ]
    }
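As an added example that is not part of the solution's own code, the following Python script reads the AGSEvidenceStore.sourceBuckets list from a Default.json-style configuration (step 3 above) and emits one bucket policy per source bucket in the shape of the sample policy above, so the policies you apply stay consistent with the buckets the collector actually monitors. The role ARN is a constructed placeholder for the value printed in the CDK output, and the action list is copied from the sample policy rather than derived from the solution.

```python
from __future__ import annotations
import json

# Constructed sample in the shape of the Default.json snippet from step 3
# (only the keys this page shows; everything else is omitted).
SAMPLE_CONFIG = json.dumps({
    "AGSEvidenceStore": {
        "sourceBuckets": [
            {"account": "123456789", "bucketArn": "arn:aws:s3:::bucket1"},
            {"account": "123456789", "bucketArn": "arn:aws:s3:::bucket2"},
        ]
    }
})

# Actions copied from the sample bucket policy in this section.
CONNECTOR_ACTIONS = ["s3:ListBucket", "s3:GetObject*", "s3:PutObject*"]


def source_buckets(config_text: str) -> list[dict]:
    """Return the AGSEvidenceStore.sourceBuckets entries, validating their shape."""
    cfg = json.loads(config_text)
    buckets = cfg.get("AGSEvidenceStore", {}).get("sourceBuckets", [])
    for entry in buckets:
        arn = entry["bucketArn"]
        # A bucket policy is attached to a bucket, so reject ARNs carrying a key prefix.
        if not arn.startswith("arn:aws:s3:::") or "/" in arn:
            raise ValueError(f"expected a bucket ARN without a key prefix: {arn}")
    return buckets


def bucket_policy(bucket_arn: str, role_arn: str) -> dict:
    """Build the bucket policy that lets the connector role access one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": list(CONNECTOR_ACTIONS),
            "Resource": [bucket_arn, f"{bucket_arn}/*"],
        }],
    }


def policies_for_config(config_text: str, role_arn: str) -> dict[str, dict]:
    """Map each configured source bucket ARN to the policy to attach to it."""
    return {b["bucketArn"]: bucket_policy(b["bucketArn"], role_arn)
            for b in source_buckets(config_text)}


if __name__ == "__main__":
    # Placeholder: substitute the S3 connector Lambda role ARN from the CDK output.
    role = "arn:aws:iam::123456789:role/S3-CONNECTOR-LAMBDA-ROLE-PLACEHOLDER"
    for arn, policy in policies_for_config(SAMPLE_CONFIG, role).items():
        print(f"# aws s3api put-bucket-policy --bucket {arn.split(':::')[1]} --policy file://policy.json")
        print(json.dumps(policy, indent=2))
```

Each printed policy can be saved and applied with the `aws s3api put-bucket-policy` command shown in the comment line above it.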

Once deployed, the S3 connector continuously monitors the configured S3 buckets and creates an evidence record whenever a new object is uploaded.

To view the evidence records, log in to the Evidence Store UI using the CloudFront link (presented as cdk output), and use the credentials (the email and password provided and generated as part of the deployment process).

Troubleshooting common deployment issues

Error message:
Failed to retrieve AGS Shared Infra version from target environment. Error: ConfigError: Missing region in config Failed to read Shared Infra version in the target account. Cannot proceed.

Solution:
Ensure the environment variable AWS_REGION is set with your preferred deployment Region, for example, ap-southeast-2.

Error message:
Current credentials could not be used to assume 'arn:aws:iam::[ACCOUNT_ID]:role/cdk-hnb659fds-file-publishing-role-[ACCOUNT_ID]-us-west-2', but are for the right account. Proceeding anyway.

Solution:
The deployment account might not have been properly bootstrapped with CDK new style bootstrapping. Ensure the environment variable CDK_NEW_BOOTSTRAP is set to 1 prior to bootstrapping your account.