Installer Guide for AWS
There are 2 scenarios involved when deploying the LightBeam application:
EKS cluster is already present on the customer account.
EKS cluster is to be deployed by Lightbeam.
In this case, the user needs to first create 2 IAM/SSO users with a required set of permissions.
The first user/role will have a larger set of permissions for deploying the EKS cluster, while the other user/role will have only the EKS-related permissions needed to access the cluster post-deployment.
Create a t2.micro instance (Ubuntu OS) to use as a jump box to configure and access the EKS cluster.
Install unzip package:
Install kubectl cli:
Install helm cli:
Run the following commands:
mv linux-amd64/helm /usr/local/bin/helm
helm version
Install terraform cli:
Install aws cli:
Set up python:
Install docker:
Select the JSON tab, and paste the following JSON:
Give an appropriate name to the policy and click on Save.
Give it an appropriate username, select only Programmatic Access, and click on Next.
Click on the Existing Policies tab and attach the policy created in Step 3. Also, attach the VPCFullAccess managed policy to the user and save it.
On the Create page, ensure that you copy the Access Key Id and the Secret Access Key.
Alternatively, instead of creating a user with programmatic access, you have the option to create a role:
On the left tab, click on Roles -> Create role.
Select "AWS account" as the trusted entity and ensure the "This account" radio button is selected.
Optionally enable Multi-Factor Authentication (MFA) if required by your organization's security policy.
While adding permissions to this role, select the policy you created in the previous step (Step 3) and the "VPCFullAccess" managed policy.
To assume this role, use the AWS CLI command aws sts assume-role:
This command will allow you to obtain temporary credentials for the role, including Access Key ID, Secret Access Key, and Token. Ensure you export these AWS credentials before proceeding with the installation step.
This means that the jump box, a separate EC2 instance, can directly use the IAM role to access the EKS cluster without assuming the role separately.
To do this, instead of selecting "AWS account" in Step 3, select "AWS service", and select "EC2" under "Common use cases".
Next, find the jump box instance in the EC2 console, select it, and click "Actions" -> "Security" -> "Modify IAM role".
Find the IAM role in the drop-down menu, and click "Update IAM role".
Select the JSON tab, and paste the following JSON:
Give an appropriate name to the policy and click Save.
On the left panel of the IAM Management Console (amazon.com), click on Users -> Add Users.
Give it an appropriate username, select only Programmatic Access, and click on Next.
Click on the Existing Policies tab and attach the policy created in Step 3.
On the Create page, ensure that you copy the Access Key Id and the Secret Access Key.
On the left tab, click on Roles -> Create role.
Select "AWS account" as the trusted entity and ensure the "This account" radio button is selected.
Optionally enable Multi-Factor Authentication (MFA) if required by your organization's security policy.
While adding permissions to this role, select the policy you created in the previous step (Step 3) which includes the necessary permissions for accessing the EKS cluster.
To assume this role, use the AWS CLI command aws sts assume-role:
This command will allow you to obtain temporary credentials for the role, including Access Key ID, Secret Access Key, and Token. Ensure you export these AWS credentials before proceeding with the installation step.
Another option instead of assuming the role is to attach the role to the jump box:
This means that the jump box, which is a separate EC2 instance, can directly use the IAM role to access the EKS cluster without assuming the role separately.
To do this, instead of selecting "AWS account" in Step 3, select "AWS service", and select "EC2" under "Common use cases".
Next, find the jump box instance in the EC2 console, select it, and click "Actions" -> "Security" -> "Modify IAM role".
Find the IAM role in the drop-down menu, and click "Update IAM role".
Option 1: Using EKS Admin User
Connect to the jump box VM created above.
This can be done using `aws configure` with the EKS admin user credentials, or by setting environment variables with the EKS admin user credentials as below:
Option 2: Using EKS Admin Role
Connect to the jump box VM created above.
Assume the EKS admin role by running the following AWS CLI command:
Export the temporary AWS credentials as environment variables in your terminal session by running the following commands:
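One way to do the assume-and-export step in a single pass, as an added example (not LightBeam's own script). The function names, the default session name and the ARN in the usage comment are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example: assume a role and export its temporary credentials.

# Read one tab-separated line
#   AccessKeyId  SecretAccessKey  SessionToken  Expiration
# on stdin and print export statements; fail if any credential is missing.
creds_to_exports() {
  key='' secret='' token='' expiry=''
  tab=$(printf '\t')
  IFS="$tab" read -r key secret token expiry || true
  if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
    echo "incomplete credentials from assume-role" >&2
    return 1
  fi
  echo "temporary credentials expire at ${expiry:-unknown}" >&2
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$key"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$token"
}

# Call STS and hand its output to creds_to_exports. --query with
# --output text makes the CLI print the four fields on one line.
# $1 = role ARN, $2 = session name (the default is a placeholder).
assume_role_exports() {
  aws sts assume-role \
    --role-arn "$1" \
    --role-session-name "${2:-lightbeam-install}" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
    --output text | creds_to_exports
}

# Usage on the jump box (placeholder ARN):
#   eval "$(assume_role_exports arn:aws:iam::111122223333:role/EXAMPLE-eks-admin)"
```

If the STS call fails, nothing is printed on stdout, so the `eval` leaves the current environment unchanged.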
Configuration:
We need to provision a 3-node EKS cluster, and each node's instance type is m6i.2xlarge, which has 8 CPU and 32 GB memory.
Copy eks-cluster.zip shared by LightBeam to the Jump Host and unzip the file.
Run the following commands:
terraform init
terraform apply
Once the EKS cluster configuration is complete, we can set up EKS Access Users and continue with LightBeam application deployment.
We need to update the EKS auth-config, so that the EKS Access User can then seamlessly access the cluster.
To update the auth config:
The auth-config file opens up, where you need to add the following YAML content.
(Ensure that you use the Lightbeam EKS access user ARN)
If you created a role instead of the user with the Lightbeam EKS Access policy, add the following to the mapRoles section:
Because we plan to deactivate the Deployment user credentials, it is important to verify access to the cluster as the Lightbeam EKS user. Export the second user's credentials using the following commands on the Jump Box VM:
To access the cluster (control plane):
Verify EKS access:
If you see the cluster node details, the cluster is accessible.
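A node listing only proves the access mapping works if the access principal's credentials are the ones in effect, since the identity that created the cluster can list nodes regardless of the auth-config. The added example below (not LightBeam's own code) checks the caller identity before running the verification; the function names and the principal names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: confirm which identity is active before verifying access.

# Succeed only if caller ARN $1 is the IAM user or assumed role named $2.
#   IAM user:     arn:aws:iam::ACCOUNT:user/NAME
#   assumed role: arn:aws:sts::ACCOUNT:assumed-role/NAME/SESSION
# Principals created under an IAM path are not handled here.
caller_matches() {
  [ -n "$2" ] || return 1
  case "$1" in
    arn:aws:iam::*:user/"$2") return 0 ;;
    arn:aws:sts::*:assumed-role/"$2"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# List nodes only when the active credentials belong to the expected
# EKS access principal ($1 = its user or role name).
verify_access_identity() {
  arn=$(aws sts get-caller-identity --query Arn --output text) || return 1
  if ! caller_matches "$arn" "$1"; then
    echo "active credentials are $arn, not $1; re-export and retry" >&2
    return 1
  fi
  kubectl get nodes
}

# Usage on the jump box (placeholder principal name):
#   verify_access_identity EXAMPLE-eks-access
```

Deactivate the deployment credentials only after this passes with the access user or role.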
Once the application is accessible, the auth-config is updated, and the cluster access is verified, the EKS Deployment user can either be deleted or its credentials can be deactivated.
To deactivate the credentials, navigate to the EKS Deployment User and, under the Security Credentials tab, under Access Keys, use the Make Inactive option to deactivate the key.
Use the --eks flag in the installer command to specify that the platform used is AWS EKS.
The LightBeam team shares the latest release of the LightBeam chart, which needs to be copied to the Jump Box.
Upgrade the LightBeam chart:
The --spectra flag specifies the spectra deployment. Use the --privacy_ops flag to specify the privacy ops deployment.
One can verify the upgrade by running kubectl get pods -n lightbeam and checking the status of all pods.
As part of the upgrade, the following actions are taken:
Pausing datasource scanning and processing.
Updating the latest database schema.
Updating all LightBeam services to the respective release versions. As part of this step, all the latest release version Docker images from the Dockerhub registry are downloaded on respective worker nodes.
A post-upgrade job is executed, which resumes scans for all data sources, starts processing, and verifies the health of all services.
Download the release from here:
tar -xvf
Log in to the AWS Console, and using the Service search, navigate to. On the left tab, click on Policies->Create policy.
Now, on the left panel of the, click Users -> Add Users.
Go to the .
Log in to the AWS Console, and using the Service search, navigate to. On the left tab, click Policies->Create policy.
Go to the .
Follow the installation instructions in the .
For any questions or suggestions, please get in touch with us at: .