Securing LightBeam on EKS with AWS Certificate Manager on Elastic Load Balancer
Last updated
Last updated
This document provides a comprehensive guide to secure the LightBeam app on an EKS cluster utilizing AWS Certificate Manager (ACM) on an Elastic Load Balancer (ELB). The primary goal is to employ either a custom certificate or one issued by Amazon, managed by ACM, to terminate TLS on the LightBeam cluster. The ELB is the chosen point of integration as it natively works with ACM.
The LightBeam app is set up on an EKS cluster as per the .
If HTTPS is already enabled as per the , undo the steps followed.
To use a custom certificate or an Amazon-issued certificate hosted and managed by AWS Certificate Manager (ACM) to terminate TLS on the LightBeam cluster.
This will happen on the Elastic Load Balancer since it integrates with AWS Certificate Manager by default.
Create the ACM certificate either by requesting a new one or by importing an existing certificate.
Validation is done to prove that you actually own the domain that you are requesting a certificate for. ACM requires you modify the DNS so as to show that you have control over the domain.
Note down the ACM certificate ARN for the next step.
Run kubectl edit ingress lightbeam-ingress-auth-svc to access the editor.
Add the host domain name to the rules section in the Ingress spec:
Add the TLS section to the Ingress spec:
Run kubectl edit service kong-proxy to access the editor.
Add the following annotations:
Update the following annotation values:
This needs to be updated since a Network Load Balancer cannot act as a TLS/HTTPS termination point, only an Application or Classic load balancer can
Update the proxy-ssl port's targetPort in the spec section:
This is done to make sure we are redirecting back to the original listener as we are just terminating HTTPS and not directing traffic to a new port.
Run kubectl edit deployment ingress-kong to access the editor.
Add the following values to the env section within the spec section:
This is needed to ensure that when load balancer performs the TLS termination and sets the X-Forwarded-Proto header, kong honors it and understands that the original request was made on HTTPS. The value can be limited to IPs within a customer VPN or VPC.
Create a CNAME DNS record in AWS Route 53 to map the host domain name to the domain name of the Load Balancer. The domain name of the Load Balancer can be copied from the AWS console. You can also verify that the Load Balancer and the EKS cluster are on the same VPC.
These steps do not work if the LightBeam chart has been installed with the dev-values.yaml values as there is an issue with the health of the load balancer listeners. Also, the externalIP value causes traffic to bypass the load balancer.
LightBeam automates Privacy, Security and AI Governance, so businesses can accelerate their growth in new markets. Leveraging generative AI, LightBeam has rapidly gained customers’ trust by pioneering a unique privacy-centric and automation-first approach to security. Unlike siloed solutions, LightBeam ties together sensitive data cataloging, control, and compliance across structured and unstructured data applications providing 360-visibility, redaction, self-service DSRs and automated ROPA reporting ensuring ultimate protection against ransomware and accidental exposures while meeting data privacy obligations efficiently. LightBeam is on a mission to create a secure privacy-first world helping customers automate compliance against a patchwork of existing and emerging regulations.
In case the certificate is still pending DNS validation, check that the CNAME record specified by ACM is created and active. You can use nslookup to verify that the domain is being resolved correctly. Here are a few resources that may be useful: and .
An AWS Elastic Load Balancer does not always have to be associated with an EC2 instance even though most AWS documentation suggests so. A standalone ELB can (and is, in this case) be provisioned through the annotation.
For any questions or suggestions, please get in touch with us at: .