Installing PPC onhttps://docs.protegrity.com/aiteam-edition/1.0.0/docs/infrastructure/ppc/install/Recent content in Installing PPC onHugoenPrerequisiteshttps://docs.protegrity.com/aiteam-edition/1.0.0/docs/infrastructure/ppc/install/prerequisites/Mon, 01 Jan 0001 00:00:00 +0000https://docs.protegrity.com/aiteam-edition/1.0.0/docs/infrastructure/ppc/install/prerequisites/<h2 id="updating-the-roles-and-permissions-using-json">Updating the Roles and Permissions using JSON</h2> <p>The roles and permissions are updated using the JSONs.</p> <p>From the AWS Console, navigate to <strong>IAM &gt; Policies &gt; Create policy &gt; JSON</strong>, and create the following JSONs.</p> <blockquote> <p><strong>Note</strong>: Before using the provided JSON, replace the <code>AWS_ACCOUNT_ID</code> and <code>REGION</code> values with those of the account and region where the resources are being deployed.</p></blockquote> <ol> <li>Creating KMS key and S3 bucket</li> </ol> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> &#34;Version&#34;: &#34;2012-10-17&#34;, </span></span><span style="display:flex;"><span> &#34;Statement&#34;: [ </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> &#34;Sid&#34;: &#34;ReadOnlyAccess&#34;, </span></span><span style="display:flex;"><span> &#34;Effect&#34;: &#34;Allow&#34;, </span></span><span style="display:flex;"><span> &#34;Action&#34;: [ </span></span><span style="display:flex;"><span> &#34;eks:DescribeClusterVersions&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:DescribeInstances&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:DescribeVolumes&#34;, </span></span><span style="display:flex;"><span> &#34;s3:ListAllMyBuckets&#34;, </span></span><span style="display:flex;"><span> &#34;iam:ListUsers&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:RunInstances&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:DescribeInstances&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:DescribeVolumes&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:CreateKeyPair&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:DescribeImages&#34; </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> &#34;Resource&#34;: &#34;*&#34; </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> &#34;Sid&#34;: &#34;ScopedS3AndKMS&#34;, </span></span><span style="display:flex;"><span> &#34;Effect&#34;: &#34;Allow&#34;, </span></span><span style="display:flex;"><span> &#34;Action&#34;: [ </span></span><span style="display:flex;"><span> &#34;s3:ListBucket&#34;, </span></span><span style="display:flex;"><span> &#34;s3:PutEncryptionConfiguration&#34;, </span></span><span style="display:flex;"><span> &#34;s3:GetEncryptionConfiguration&#34;, </span></span><span style="display:flex;"><span> &#34;kms:CreateKey&#34;, </span></span><span style="display:flex;"><span> &#34;kms:PutKeyPolicy&#34;, </span></span><span style="display:flex;"><span> &#34;kms:GetKeyPolicy&#34; </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> &#34;Resource&#34;: [ </span></span><span style="display:flex;"><span> &#34;arn:aws:s3:::*&#34;, </span></span><span style="display:flex;"><span> &#34;arn:aws:kms:*:&lt;AWS_ACCOUNT_ID&gt;:key/*&#34; </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> &#34;Sid&#34;: &#34;SelfServiceIAM&#34;, </span></span><span style="display:flex;"><span> &#34;Effect&#34;: &#34;Allow&#34;, </span></span><span style="display:flex;"><span> &#34;Action&#34;: [ </span></span><span style="display:flex;"><span> &#34;iam:ListSSHPublicKeys&#34;, </span></span><span style="display:flex;"><span> &#34;iam:ListServiceSpecificCredentials&#34;, </span></span><span style="display:flex;"><span> &#34;iam:GetLoginProfile&#34;, </span></span><span style="display:flex;"><span> &#34;iam:ListAccessKeys&#34;, </span></span><span style="display:flex;"><span> &#34;iam:CreateAccessKey&#34; </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> &#34;Resource&#34;: &#34;arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:user/${aws:username}&#34; </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> &#34;Sid&#34;: &#34;EC2KeyPairPermission&#34;, </span></span><span style="display:flex;"><span> &#34;Effect&#34;: &#34;Allow&#34;, </span></span><span style="display:flex;"><span> &#34;Action&#34;: [ </span></span><span style="display:flex;"><span> &#34;ec2:CreateKeyPair&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:DescribeKeyPairs&#34; </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> &#34;Resource&#34;: [ </span></span><span style="display:flex;"><span> &#34;*&#34; </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><ol start="2"> <li>EC2 Service Policy</li> </ol> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> &#34;Version&#34;: &#34;2012-10-17&#34;, </span></span><span style="display:flex;"><span> &#34;Statement&#34;: [ </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> &#34;Sid&#34;: &#34;DenyEC2Instances&#34;, </span></span><span style="display:flex;"><span> &#34;Effect&#34;: &#34;Deny&#34;, </span></span><span style="display:flex;"><span> &#34;Action&#34;: &#34;ec2:RunInstances&#34;, </span></span><span style="display:flex;"><span> &#34;Resource&#34;: &#34;arn:aws:ec2:*:*:instance/*&#34;, </span></span><span style="display:flex;"><span> &#34;Condition&#34;: { </span></span><span style="display:flex;"><span> &#34;StringLike&#34;: { </span></span><span style="display:flex;"><span> &#34;ec2:InstanceType&#34;: [ </span></span><span style="display:flex;"><span> &#34;p*&#34;, </span></span><span style="display:flex;"><span> &#34;g*&#34;, </span></span><span style="display:flex;"><span> &#34;inf*&#34;, </span></span><span style="display:flex;"><span> &#34;trn*&#34;, </span></span><span style="display:flex;"><span> &#34;x*&#34;, </span></span><span style="display:flex;"><span> &#34;u-*&#34;, </span></span><span style="display:flex;"><span> &#34;z*&#34;, </span></span><span style="display:flex;"><span> &#34;mac*&#34; </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> &#34;Sid&#34;: &#34;ReadOnlyDescribeListEC2RegionRestricted&#34;, </span></span><span style="display:flex;"><span> &#34;Effect&#34;: &#34;Allow&#34;, </span></span><span style="display:flex;"><span> &#34;Action&#34;: [ </span></span><span style="display:flex;"><span> &#34;ec2:DescribeVpcs&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:DescribeSubnets&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:DescribeVpcAttribute&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:DescribeTags&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:DescribeSecurityGroups&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:DescribeSecurityGroupRules&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:DescribeLaunchTemplates&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:DescribeLaunchTemplateVersions&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:DescribeNetworkInterfaces&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:DescribeAccountAttributes&#34; </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> &#34;Resource&#34;: &#34;*&#34;, </span></span><span style="display:flex;"><span> &#34;Condition&#34;: { </span></span><span style="display:flex;"><span> &#34;StringEquals&#34;: { </span></span><span style="display:flex;"><span> &#34;aws:RequestedRegion&#34;: [ </span></span><span style="display:flex;"><span> &#34;&lt;REGION&gt;&#34; </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> &#34;Sid&#34;: &#34;EC2LifecycleAndSecurity&#34;, </span></span><span style="display:flex;"><span> &#34;Effect&#34;: &#34;Allow&#34;, </span></span><span style="display:flex;"><span> &#34;Action&#34;: [ </span></span><span style="display:flex;"><span> &#34;ec2:CreateSecurityGroup&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:DeleteSecurityGroup&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:AuthorizeSecurityGroupIngress&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:AuthorizeSecurityGroupEgress&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:RevokeSecurityGroupIngress&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:RevokeSecurityGroupEgress&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:CreateLaunchTemplate&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:DeleteLaunchTemplate&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:CreateTags&#34;, </span></span><span style="display:flex;"><span> &#34;ec2:DeleteTags&#34; </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> &#34;Resource&#34;: [ </span></span><span style="display:flex;"><span> &#34;arn:aws:ec2:*:*:security-group/*&#34;, </span></span><span style="display:flex;"><span> &#34;arn:aws:ec2:*:*:launch-template/*&#34;, </span></span><span style="display:flex;"><span> &#34;arn:aws:ec2:*:*:instance/*&#34;, </span></span><span style="display:flex;"><span> &#34;arn:aws:ec2:*:*:network-interface/*&#34;, </span></span><span style="display:flex;"><span> &#34;arn:aws:ec2:*:*:subnet/*&#34;, </span></span><span style="display:flex;"><span> &#34;arn:aws:ec2:*:*:vpc/*&#34;, </span></span><span style="display:flex;"><span> &#34;arn:aws:ec2:*:*:image/*&#34;, </span></span><span style="display:flex;"><span> &#34;arn:aws:ec2:*:*:volume/*&#34;, </span></span><span style="display:flex;"><span> &#34;arn:aws:ec2:*:*:snapshot/*&#34; </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><ol start="3"> <li>EKS Service Policy</li> </ol> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> &#34;Version&#34;: &#34;2012-10-17&#34;, </span></span><span style="display:flex;"><span> &#34;Statement&#34;: [ </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> &#34;Sid&#34;: &#34;ReadOnlyDescribeListEKSVersionsRegionRestricted&#34;, </span></span><span style="display:flex;"><span> &#34;Effect&#34;: &#34;Allow&#34;, </span></span><span style="display:flex;"><span> &#34;Action&#34;: [ </span></span><span style="display:flex;"><span> &#34;eks:DescribeAddonVersions&#34; </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> &#34;Resource&#34;: &#34;*&#34;, </span></span><span style="display:flex;"><span> &#34;Condition&#34;: { </span></span><span style="display:flex;"><span> &#34;StringEquals&#34;: { </span></span><span style="display:flex;"><span> &#34;aws:RequestedRegion&#34;: [ </span></span><span style="display:flex;"><span> &#34;&lt;REGION&gt;&#34; </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> &#34;Sid&#34;: &#34;ReadOnlyDescribeListEKS&#34;, </span></span><span style="display:flex;"><span> &#34;Effect&#34;: &#34;Allow&#34;, </span></span><span style="display:flex;"><span> &#34;Action&#34;: [ </span></span><span style="display:flex;"><span> &#34;eks:DescribeCluster&#34;, </span></span><span style="display:flex;"><span> &#34;eks:DescribeAddon&#34;, </span></span><span style="display:flex;"><span> &#34;eks:DescribePodIdentityAssociation&#34;, </span></span><span style="display:flex;"><span> &#34;eks:DescribeNodegroup&#34;, </span></span><span style="display:flex;"><span> &#34;eks:ListAddons&#34;, </span></span><span style="display:flex;"><span> &#34;eks:ListPodIdentityAssociations&#34; </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> &#34;Resource&#34;: [ </span></span><span style="display:flex;"><span> &#34;arn:aws:eks:*:&lt;AWS_ACCOUNT_ID&gt;:cluster/*&#34;, </span></span><span style="display:flex;"><span> &#34;arn:aws:eks:*:&lt;AWS_ACCOUNT_ID&gt;:nodegroup/*&#34;, </span></span><span style="display:flex;"><span> &#34;arn:aws:eks:*:&lt;AWS_ACCOUNT_ID&gt;:addon/*&#34;, </span></span><span style="display:flex;"><span> &#34;arn:aws:eks:*:&lt;AWS_ACCOUNT_ID&gt;:podidentityassociation/*&#34; </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> &#34;Sid&#34;: &#34;EKSLifecycleAndTag&#34;, </span></span><span style="display:flex;"><span> &#34;Effect&#34;: &#34;Allow&#34;, </span></span><span style="display:flex;"><span> &#34;Action&#34;: [ </span></span><span style="display:flex;"><span> &#34;eks:CreateCluster&#34;, </span></span><span style="display:flex;"><span> &#34;eks:UpdateClusterVersion&#34;, </span></span><span style="display:flex;"><span> &#34;eks:UpdateClusterConfig&#34;, </span></span><span style="display:flex;"><span> &#34;eks:CreateNodegroup&#34;, </span></span><span style="display:flex;"><span> &#34;eks:UpdateNodegroupConfig&#34;, </span></span><span style="display:flex;"><span> &#34;eks:UpdateNodegroupVersion&#34;, </span></span><span style="display:flex;"><span> &#34;eks:DeleteNodegroup&#34;, </span></span><span style="display:flex;"><span> &#34;eks:CreateAddon&#34;, </span></span><span style="display:flex;"><span> &#34;eks:UpdateAddon&#34;, </span></span><span style="display:flex;"><span> &#34;eks:DeleteAddon&#34;, </span></span><span style="display:flex;"><span> &#34;eks:CreatePodIdentityAssociation&#34;, </span></span><span style="display:flex;"><span> &#34;eks:DeletePodIdentityAssociation&#34;, </span></span><span style="display:flex;"><span> &#34;eks:TagResource&#34;, </span></span><span style="display:flex;"><span> &#34;eks:ListClusters&#34; </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> &#34;Resource&#34;: [ </span></span><span style="display:flex;"><span> &#34;arn:aws:eks:*:&lt;AWS_ACCOUNT_ID&gt;:cluster/*&#34;, </span></span><span style="display:flex;"><span> &#34;arn:aws:eks:*:&lt;AWS_ACCOUNT_ID&gt;:nodegroup/*&#34;, </span></span><span style="display:flex;"><span> &#34;arn:aws:eks:*:&lt;AWS_ACCOUNT_ID&gt;:addon/*&#34;, </span></span><span style="display:flex;"><span> &#34;arn:aws:eks:*:&lt;AWS_ACCOUNT_ID&gt;:podidentityassociation/*&#34; </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> &#34;Sid&#34;: &#34;AllowEKSNodegroupSLR&#34;, </span></span><span style="display:flex;"><span> &#34;Effect&#34;: &#34;Allow&#34;, </span></span><span style="display:flex;"><span> &#34;Action&#34;: [ </span></span><span style="display:flex;"><span> &#34;iam:GetRole&#34;, </span></span><span style="display:flex;"><span> &#34;iam:CreateServiceLinkedRole&#34; </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> &#34;Resource&#34;: &#34;arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup&#34; </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> &#34;Sid&#34;: &#34;EKSDeleteClusterV6&#34;, </span></span><span style="display:flex;"><span> &#34;Effect&#34;: &#34;Allow&#34;, </span></span><span style="display:flex;"><span> &#34;Action&#34;: &#34;eks:DeleteCluster&#34;, </span></span><span style="display:flex;"><span> &#34;Resource&#34;: &#34;arn:aws:eks:*:&lt;AWS_ACCOUNT_ID&gt;:cluster/*&#34; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><ol start="4"> <li>IAM Service Policy</li> </ol> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> &#34;Version&#34;: &#34;2012-10-17&#34;, </span></span><span style="display:flex;"><span> &#34;Statement&#34;: [ </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> &#34;Sid&#34;: &#34;DenyAdminPolicyAttachment&#34;, </span></span><span style="display:flex;"><span> &#34;Effect&#34;: &#34;Deny&#34;, </span></span><span style="display:flex;"><span> &#34;Action&#34;: [ </span></span><span style="display:flex;"><span> &#34;iam:AttachRolePolicy&#34;, </span></span><span style="display:flex;"><span> &#34;iam:PutRolePolicy&#34; </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> &#34;Resource&#34;: &#34;arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/eks-*&#34;, </span></span><span style="display:flex;"><span> &#34;Condition&#34;: { </span></span><span style="display:flex;"><span> &#34;ArnLike&#34;: { </span></span><span style="display:flex;"><span> &#34;iam:PolicyARN&#34;: [ </span></span><span style="display:flex;"><span> &#34;arn:aws:iam::aws:policy/AdministratorAccess&#34;, </span></span><span style="display:flex;"><span> &#34;arn:aws:iam::aws:policy/PowerUserAccess&#34;, </span></span><span style="display:flex;"><span> &#34;arn:aws:iam::aws:policy/*FullAccess&#34; </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> &#34;Sid&#34;: &#34;DenyInlinePolicyEscalation&#34;, </span></span><span style="display:flex;"><span> &#34;Effect&#34;: &#34;Deny&#34;, </span></span><span style="display:flex;"><span> &#34;Action&#34;: [ </span></span><span style="display:flex;"><span> &#34;iam:PutRolePolicy&#34;, </span></span><span style="display:flex;"><span> &#34;iam:PutUserPolicy&#34;, </span></span><span style="display:flex;"><span> &#34;iam:PutGroupPolicy&#34; </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> &#34;Resource&#34;: &#34;*&#34; </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> &#34;Sid&#34;: &#34;ReadOnlyDescribeListIAMScoped&#34;, </span></span><span style="display:flex;"><span> &#34;Effect&#34;: &#34;Allow&#34;, </span></span><span style="display:flex;"><span> &#34;Action&#34;: [ </span></span><span style="display:flex;"><span> &#34;iam:GetRole&#34;, </span></span><span style="display:flex;"><span> &#34;iam:ListRolePolicies&#34;, </span></span><span style="display:flex;"><span> &#34;iam:ListAttachedRolePolicies&#34;, </span></span><span style="display:flex;"><span> &#34;iam:ListInstanceProfilesForRole&#34;, </span></span><span style="display:flex;"><span> &#34;iam:GetInstanceProfile&#34;, </span></span><span style="display:flex;"><span> &#34;iam:GetPolicy&#34;, </span></span><span style="display:flex;"><span> &#34;iam:GetPolicyVersion&#34;, </span></span><span style="display:flex;"><span> &#34;iam:ListPolicyVersions&#34;, </span></span><span style="display:flex;"><span> &#34;iam:ListAccessKeys&#34; </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> &#34;Resource&#34;: [ </span></span><span style="display:flex;"><span> &#34;arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/eks-*&#34;, </span></span><span style="display:flex;"><span> &#34;arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:instance-profile/eks-*&#34;, </span></span><span style="display:flex;"><span> &#34;arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:policy/eks-*&#34; </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> &#34;Sid&#34;: &#34;ReadOnlyDescribeListUnavoidableStar&#34;, </span></span><span style="display:flex;"><span> &#34;Effect&#34;: &#34;Allow&#34;, </span></span><span style="display:flex;"><span> &#34;Action&#34;: &#34;iam:ListRoles&#34;, </span></span><span style="display:flex;"><span> &#34;Resource&#34;: &#34;*&#34; </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> &#34;Sid&#34;: &#34;IAMLifecycleRolesPoliciesInstanceProfiles&#34;, </span></span><span style="display:flex;"><span> &#34;Effect&#34;: &#34;Allow&#34;, </span></span><span style="display:flex;"><span> &#34;Action&#34;: [ </span></span><span style="display:flex;"><span> &#34;iam:CreateRole&#34;, </span></span><span style="display:flex;"><span> &#34;iam:TagRole&#34;, </span></span><span style="display:flex;"><span> &#34;iam:CreatePolicy&#34;, </span></span><span style="display:flex;"><span> &#34;iam:DeletePolicy&#34;, </span></span><span style="display:flex;"><span> &#34;iam:DeletePolicyVersion&#34;, </span></span><span style="display:flex;"><span> &#34;iam:TagPolicy&#34;, </span></span><span style="display:flex;"><span> &#34;iam:AttachRolePolicy&#34;, </span></span><span style="display:flex;"><span> &#34;iam:DetachRolePolicy&#34;, </span></span><span style="display:flex;"><span> &#34;iam:CreateInstanceProfile&#34;, </span></span><span style="display:flex;"><span> &#34;iam:TagInstanceProfile&#34;, </span></span><span style="display:flex;"><span> &#34;iam:AddRoleToInstanceProfile&#34;, </span></span><span style="display:flex;"><span> &#34;iam:RemoveRoleFromInstanceProfile&#34;, </span></span><span style="display:flex;"><span> &#34;iam:DeleteInstanceProfile&#34; </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> &#34;Resource&#34;: [ </span></span><span style="display:flex;"><span> &#34;arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/eks-*&#34;, </span></span><span style="display:flex;"><span> &#34;arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:policy/eks-*&#34;, </span></span><span style="display:flex;"><span> &#34;arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:instance-profile/eks-*&#34; </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> &#34;Sid&#34;: &#34;EKSDeleteRoles&#34;, </span></span><span style="display:flex;"><span> &#34;Effect&#34;: &#34;Allow&#34;, </span></span><span style="display:flex;"><span> &#34;Action&#34;: &#34;iam:DeleteRole&#34;, </span></span><span style="display:flex;"><span> &#34;Resource&#34;: &#34;arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/eks*&#34; </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> &#34;Sid&#34;: &#34;PassRoleOnlyToEKS&#34;, </span></span><span style="display:flex;"><span> &#34;Effect&#34;: &#34;Allow&#34;, </span></span><span style="display:flex;"><span> &#34;Action&#34;: &#34;iam:PassRole&#34;, </span></span><span style="display:flex;"><span> &#34;Resource&#34;: &#34;arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/eks-*&#34;, </span></span><span style="display:flex;"><span> &#34;Condition&#34;: { </span></span><span style="display:flex;"><span> &#34;StringEquals&#34;: { </span></span><span style="display:flex;"><span> &#34;iam:PassedToService&#34;: [ </span></span><span style="display:flex;"><span> &#34;eks.amazonaws.com&#34;, </span></span><span style="display:flex;"><span> &#34;ec2.amazonaws.com&#34;, </span></span><span style="display:flex;"><span> &#34;eks-pods.amazonaws.com&#34;, </span></span><span style="display:flex;"><span> &#34;pods.eks.amazonaws.com&#34; </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> &#34;Sid&#34;: &#34;PassRoleForEKSPodIdentityRoles&#34;, </span></span><span style="display:flex;"><span> &#34;Effect&#34;: &#34;Allow&#34;, </span></span><span style="display:flex;"><span> &#34;Action&#34;: &#34;iam:PassRole&#34;, </span></span><span style="display:flex;"><span> &#34;Resource&#34;: [ </span></span><span style="display:flex;"><span> &#34;arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/eks-*-karpenter-role&#34;, </span></span><span style="display:flex;"><span> &#34;arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/eks-*-backup-recovery-utility-role&#34; </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><ol start="5"> <li>KMS Service Policy</li> </ol> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> &#34;Version&#34;: &#34;2012-10-17&#34;, </span></span><span style="display:flex;"><span> &#34;Statement&#34;: [ </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> &#34;Sid&#34;: &#34;KMSCreateAndList&#34;, </span></span><span style="display:flex;"><span> &#34;Effect&#34;: &#34;Allow&#34;, </span></span><span style="display:flex;"><span> &#34;Action&#34;: [ </span></span><span style="display:flex;"><span> &#34;kms:CreateKey&#34;, </span></span><span style="display:flex;"><span> &#34;kms:ListAliases&#34; </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> &#34;Resource&#34;: &#34;*&#34; </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> &#34;Sid&#34;: &#34;KMSKeyManagementScoped&#34;, </span></span><span style="display:flex;"><span> &#34;Effect&#34;: &#34;Allow&#34;, </span></span><span style="display:flex;"><span> &#34;Action&#34;: [ </span></span><span style="display:flex;"><span> &#34;kms:PutKeyPolicy&#34;, </span></span><span style="display:flex;"><span> &#34;kms:GetKeyPolicy&#34;, </span></span><span style="display:flex;"><span> &#34;kms:DescribeKey&#34;, </span></span><span style="display:flex;"><span> &#34;kms:GenerateDataKey&#34;, </span></span><span style="display:flex;"><span> &#34;kms:Decrypt&#34;, </span></span><span style="display:flex;"><span> &#34;kms:TagResource&#34;, </span></span><span style="display:flex;"><span> &#34;kms:UntagResource&#34;, </span></span><span style="display:flex;"><span> &#34;kms:EnableKeyRotation&#34;, </span></span><span style="display:flex;"><span> &#34;kms:GetKeyRotationStatus&#34;, </span></span><span style="display:flex;"><span> &#34;kms:ListResourceTags&#34;, </span></span><span style="display:flex;"><span> &#34;kms:ScheduleKeyDeletion&#34;, </span></span><span style="display:flex;"><span> &#34;kms:CreateAlias&#34;, </span></span><span style="display:flex;"><span> &#34;kms:DeleteAlias&#34; </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> &#34;Resource&#34;: [ </span></span><span style="display:flex;"><span> &#34;arn:aws:kms:*:&lt;AWS_ACCOUNT_ID&gt;:key/*&#34;, </span></span><span style="display:flex;"><span> &#34;arn:aws:kms:*:&lt;AWS_ACCOUNT_ID&gt;:alias/*&#34; </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><ol start="6"> <li>S3 Service Policy</li> </ol> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> &#34;Version&#34;: &#34;2012-10-17&#34;, </span></span><span style="display:flex;"><span> &#34;Statement&#34;: [ </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> &#34;Sid&#34;: &#34;S3EncryptionConfigAndStateScoped&#34;, </span></span><span style="display:flex;"><span> &#34;Effect&#34;: &#34;Allow&#34;, </span></span><span style="display:flex;"><span> &#34;Action&#34;: [ </span></span><span style="display:flex;"><span> &#34;s3:ListBucket&#34;, </span></span><span style="display:flex;"><span> &#34;s3:GetEncryptionConfiguration&#34;, </span></span><span style="display:flex;"><span> &#34;s3:PutEncryptionConfiguration&#34;, </span></span><span style="display:flex;"><span> &#34;s3:GetObject&#34;, </span></span><span style="display:flex;"><span> &#34;s3:PutObject&#34;, </span></span><span style="display:flex;"><span> &#34;s3:DeleteObject&#34;, </span></span><span style="display:flex;"><span> &#34;s3:CreateBucket&#34;, </span></span><span style="display:flex;"><span> &#34;s3:GetBucketTagging&#34;, </span></span><span style="display:flex;"><span> &#34;s3:GetBucketPolicy&#34;, </span></span><span style="display:flex;"><span> &#34;s3:GetBucketAcl&#34;, </span></span><span style="display:flex;"><span> &#34;s3:GetBucketCORS&#34;, </span></span><span style="display:flex;"><span> &#34;s3:PutBucketTagging&#34;, </span></span><span style="display:flex;"><span> &#34;s3:GetBucketWebsite&#34;, </span></span><span style="display:flex;"><span> &#34;s3:GetBucketVersioning&#34;, </span></span><span style="display:flex;"><span> &#34;s3:GetAccelerateConfiguration&#34;, </span></span><span style="display:flex;"><span> &#34;s3:GetBucketRequestPayment&#34;, </span></span><span style="display:flex;"><span> &#34;s3:GetBucketLogging&#34;, </span></span><span style="display:flex;"><span> &#34;s3:GetLifecycleConfiguration&#34;, </span></span><span style="display:flex;"><span> &#34;s3:GetReplicationConfiguration&#34;, </span></span><span style="display:flex;"><span> &#34;s3:GetBucketObjectLockConfiguration&#34;, </span></span><span style="display:flex;"><span> &#34;s3:DeleteBucket&#34; </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> &#34;Resource&#34;: &#34;arn:aws:s3:::*&#34;, </span></span><span style="display:flex;"><span> &#34;Condition&#34;: { </span></span><span style="display:flex;"><span> &#34;StringEquals&#34;: { </span></span><span style="display:flex;"><span> &#34;aws:RequestedRegion&#34;: [ </span></span><span style="display:flex;"><span> &#34;&lt;REGION&gt;&#34; </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> &#34;aws:PrincipalAccount&#34;: &#34;&lt;AWS_ACCOUNT_ID&gt;&#34; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h2 id="description-for-the-json-components">Description for the JSON components</h2> <p>This section provides information for the permissions mentioned in the JSON file.</p>Preparing for PPC deploymenthttps://docs.protegrity.com/aiteam-edition/1.0.0/docs/infrastructure/ppc/install/extracting/Mon, 01 Jan 0001 00:00:00 +0000https://docs.protegrity.com/aiteam-edition/1.0.0/docs/infrastructure/ppc/install/extracting/<p>This section describes the steps to download and extract the recipe for deploying the PPC.</p> <blockquote> <p><strong>Note:</strong> If you have set up the jump box previously, then from <code>/deployment/iac_setup/</code> directory, run the <code>make clean</code> command. This ensures that the local repository on the jump box and the clusters are cleaned up before proceeding with a new installation.</p></blockquote> <blockquote> <p><strong>Warning</strong>: Do not install or manage multiple clusters from the same working directory. Each cluster deployment maintains its own Terraform/OpenTofu state, and reusing a directory can overwrite state files, causing loss of cluster tracking and unintended cleanup behavior. <br> Use a dedicated directory, and jump box, where possible, per cluster, and always verify the active kubectl context before running cleanup commands such as <code>make clean</code>.</p>Deploying PPChttps://docs.protegrity.com/aiteam-edition/1.0.0/docs/infrastructure/ppc/install/installation/Mon, 01 Jan 0001 00:00:00 +0000https://docs.protegrity.com/aiteam-edition/1.0.0/docs/infrastructure/ppc/install/installation/<h2 id="before-you-begin">Before you begin</h2> <ul> <li> <p>Before running the bootstrap or resiliency scripts as the root user on RHEL, ensure that /usr/local/bin (and the AWS CLI binary path, if applicable) is included in the $PATH. Alternatively, run the script using a non-root user (such as ec2-user) where /usr/local/bin is already part of the default PATH.</p> </li> <li> <p>By default, the installation is configured to use the us-east-1 AWS region. If you plan to install the product in a different region, update the region value in the iac_setup/scripts/iac/variables.tf file before starting the installation.</p>