Deployment
Before you launch the solution, review the cost, architecture, network security, and other considerations discussed in this guide. Follow the step-by-step instructions in this section to configure and deploy the solution into your account.
Time to deploy: Approximately 70 minutes.
Prerequisites
To deploy the solution, you must have the following:
- The latest version of the AWS CLI, installed and configured.
- The latest version of the AWS CDK.
- A CDK bootstrapped AWS account. For details, refer to Bootstrapping in the CDK Developer Guide.
- Node.js version 12 or newer.
AWS credentials
Verify your credentials to access the target AWS account are properly configured. These could be in environment variables or in the configuration files. If not, refer to Configuration and credential file settings in the AWS CLI User Guide to configure these first.
Customizable configuration
You can configure the Verifiable Controls Evidence Store solution to suit different customer requirements in terms of network environments, performance, or authentication methods.
You can also specify your own KMS encryption keys, data retention policy, Amazon OpenSearch Service node instance type, and proxy server if required by your infrastructure setup. Use the solution's Default.json configuration file, found in the configuration directory, as a sample for your reference. This is the same file used during default stack deployment. You can also create your own configuration files with different names and refer to them when deploying the stack.
By default, the solution's web front end uses Amazon Cognito to authenticate and authorize users. A unique domain prefix is required to provision a new Amazon Cognito user pool. Specify the domain prefix under the AGSSharedInfra.identityProvider.domainPrefix section in the Default.json configuration file. For a code sample, refer to the solution's README.md file.
Launch the stack
To deploy this solution with an installation script, complete the following steps:
1. In your terminal, run the following command to clone the solution source code from the GitHub location:
   git clone https://github.com/aws-solutions/verifiable-controls-evidence-store
2. Navigate to the source code folder created in step 1:
   cd verifiable-controls-evidence-store/source
3. (Optional) To configure the S3 evidence collector:
   a. Navigate to the configuration folder:
      cd configuration
   b. Under AGSEvidenceStore.sourceBuckets, specify the source S3 buckets in the Default.json file. These S3 buckets will be monitored by the S3 collector. For example:
      "sourceBuckets": [
        { "account": "123456789", "bucketArn": "arn:aws:s3:::bucket1" },
        { "account": "123456789", "bucketArn": "arn:aws:s3:::bucket2" }
      ]
   c. Navigate back to the source directory, and set the deployment environment to Sydney (ap-southeast-2):
      cd ..
      export AWS_REGION=ap-southeast-2
4. To deploy the solution with the default configuration, run:
   node install.js
   If you would like to deploy with a customized configuration file, run:
   node install.js <Configuration name>
Note: You are responsible for the cost of the AWS services used while running this solution. For more details, visit the Cost section in this guide, and refer to the pricing webpage for each AWS service used in this solution.
Post-deployment S3 evidence collector configuration
As the source S3 buckets are customer defined, you need to configure them to publish events to the S3 collector, and give it read permission. For more information on how to update bucket policies, refer to Bucket owner granting cross-account bucket permissions in the Amazon S3 User Guide.
The Lambda ARN and Lambda role ARN are presented as CDK output. For example, a bucket policy that grants the connector Lambda role access to bucket1:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": { "AWS": "s3-connector-lambda-role-arn" },
      "Action": [ "s3:ListBucket", "s3:GetObject*", "s3:PutObject*" ],
      "Resource": [ "arn:aws:s3:::bucket1", "arn:aws:s3:::bucket1/*" ]
    }
  ]
}
Once deployed, the S3 connector will continuously monitor the configured S3 buckets and will create evidence records when a new object is uploaded.
To view the evidence records, log in to the Evidence Store UI using the CloudFront link (presented as CDK output), and use the credentials (the email you provided and the password generated as part of the deployment process).
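The following Python script is an added example, not code from the solution or from this guide. It ties together the two pieces a customer supplies: it validates a Default.json-style configuration (the AGSSharedInfra.identityProvider.domainPrefix and AGSEvidenceStore.sourceBuckets sections described under Customizable configuration and in step 3 of Launch the stack), and then generates, for each source bucket, a bucket policy in the shape shown above, using the connector role ARN from the CDK output. It also checks that no Allow statement in a policy targets a wildcard principal. The sample configuration, the role ARN, and the validation rules applied (12-digit account ID, S3 bucket ARN format, Cognito domain prefix character rules) are assumptions for illustration; the real Default.json contains more sections than shown here.

```python
import json
import re

# Constructed sample in the shape of the solution's Default.json; not the real file,
# which contains more sections than shown here.
SAMPLE_CONFIG = json.loads("""
{
  "AGSSharedInfra": {
    "identityProvider": { "domainPrefix": "evidence-store-demo" }
  },
  "AGSEvidenceStore": {
    "sourceBuckets": [
      { "account": "123456789012", "bucketArn": "arn:aws:s3:::bucket1" },
      { "account": "123456789012", "bucketArn": "arn:aws:s3:::bucket2" }
    ]
  }
}
""")

# Placeholder for the S3 connector Lambda role ARN printed in the cdk output.
CONNECTOR_ROLE_ARN = "arn:aws:iam::123456789012:role/s3-connector-lambda-role-arn"

ACCOUNT_RE = re.compile(r"^\d{12}$")
BUCKET_ARN_RE = re.compile(r"^arn:aws:s3:::[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
# Cognito domain prefixes: lowercase letters, digits and hyphens, no leading/trailing hyphen.
DOMAIN_PREFIX_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Actions granted to the connector role in the guide's sample bucket policy.
CONNECTOR_ACTIONS = ["s3:ListBucket", "s3:GetObject*", "s3:PutObject*"]


def validate_config(config):
    """Return a list of problems found; an empty list means the config is usable."""
    problems = []
    prefix = config.get("AGSSharedInfra", {}).get("identityProvider", {}).get("domainPrefix")
    if not prefix:
        problems.append("AGSSharedInfra.identityProvider.domainPrefix is missing")
    elif not DOMAIN_PREFIX_RE.match(prefix):
        problems.append(f"domainPrefix {prefix!r} is not a valid Cognito domain prefix")

    seen = set()
    for i, entry in enumerate(config.get("AGSEvidenceStore", {}).get("sourceBuckets", [])):
        account = str(entry.get("account", ""))
        arn = entry.get("bucketArn", "")
        if not ACCOUNT_RE.match(account):
            problems.append(f"sourceBuckets[{i}]: account {account!r} is not a 12-digit account ID")
        if not BUCKET_ARN_RE.match(arn):
            problems.append(f"sourceBuckets[{i}]: bucketArn {arn!r} is not an S3 bucket ARN")
        if arn in seen:
            problems.append(f"sourceBuckets[{i}]: duplicate bucketArn {arn!r}")
        seen.add(arn)
    return problems


def bucket_policy(bucket_arn, role_arn):
    """Policy document the bucket owner attaches, in the shape shown in the guide,
    scoped to one bucket and to the connector role as the only principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": list(CONNECTOR_ACTIONS),
            "Resource": [bucket_arn, f"{bucket_arn}/*"],
        }],
    }


def bucket_policies(config, role_arn):
    """Map each configured source bucket ARN to the policy its owner must attach."""
    return {e["bucketArn"]: bucket_policy(e["bucketArn"], role_arn)
            for e in config["AGSEvidenceStore"]["sourceBuckets"]}


def principal_is_scoped(policy):
    """True when no Allow statement grants access to a wildcard principal.
    Granting the connector's actions to "*" would expose the evidence source
    bucket to every AWS principal rather than to the connector role only."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if principal == "*":
            return False
        if isinstance(principal, dict):
            aws = principal.get("AWS", [])
            aws = aws if isinstance(aws, list) else [aws]
            if "*" in aws:
                return False
    return True


if __name__ == "__main__":
    issues = validate_config(SAMPLE_CONFIG)
    if issues:
        raise SystemExit("\n".join(issues))
    for arn, policy in bucket_policies(SAMPLE_CONFIG, CONNECTOR_ROLE_ARN).items():
        assert principal_is_scoped(policy)
        print(f"# bucket policy for {arn}")
        print(json.dumps(policy, indent=2))
```

Run it against a copy of your own Default.json by replacing SAMPLE_CONFIG with the parsed file and CONNECTOR_ROLE_ARN with the role ARN from the CDK output; each printed document is ready to paste into the corresponding bucket's policy, one statement per bucket so that no bucket owner grants more than the connector needs for their own bucket.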
Troubleshooting common deployment issues
Error message | Solution
---|---
Failed to retrieve AGS Shared Infra version from target environment. Error: ConfigError: Missing region in config. Failed to read Shared Infra version in the target account. Cannot proceed. | Ensure the environment variable
Current credentials could not be used to assume 'arn:aws:iam::[ACCOUNT_ID]:role/cdk-hnb659fds-file-publishing-role-[ACCOUNT_ID]-us-west-2', but are for the right account. Proceeding anyway. | The deployment account might not have been properly bootstrapped with CDK new style bootstrapping. Ensure the environment variable