Prerequisites

Specialized Knowledge

Before deploying and operating SMARTUNIFIER Instances using AWS Fargate, it is recommended that you become familiar with the following AWS services. (If you are new to AWS, see Getting Started with AWS.)

You should also be familiar with the Communication Channel used by the deployed SMARTUNIFIER Instance and its capabilities.

AWS Resources

For the deployment of SMARTUNIFIER Instances on AWS Fargate, the following resources are required:

Amazon S3 - Bucket

SMARTUNIFIER uses an Amazon S3 Bucket to upload Instances as archive files. We recommend creating a private Bucket dedicated to SMARTUNIFIER.

AWS VPC and Subnets

In order for SMARTUNIFIER to deploy Instances, a VPC and Subnets are needed in your AWS account. Please note that the Default VPC should not be used.

Amazon ECS - Cluster

SMARTUNIFIER uses AWS Fargate for the deployment of Instances on the AWS Cloud. Therefore an ECS Cluster is required. We recommend creating one Cluster dedicated to Instances deployed by SMARTUNIFIER.

AWS ECR - Repository

SMARTUNIFIER uses an AWS ECR repository to push the Docker image that is created by an AWS CodeBuild project. We recommend creating one repository dedicated to SMARTUNIFIER Instance images.

IAM - User

SMARTUNIFIER complies with the security best practices in IAM and does not need root privileges. We recommend creating one user dedicated to SMARTUNIFIER. The IAM user follows the general rule of least privilege and is granted only the policies needed for the deployment of SMARTUNIFIER Instances.

Create the IAM user by following the steps described in the AWS IAM documentation, using the IAM dashboard. The IAM user for SMARTUNIFIER must use the AWS access type programmatic access.

Attach the following permissions:

Policy ARN, followed by the description of the managed policy:

arn:aws:iam::aws:policy/AmazonS3FullAccess
    Provides full access to all buckets via the AWS Management Console.

arn:aws:iam::aws:policy/AWSCodeBuildAdminAccess
    Provides full access to AWS CodeBuild via the AWS Management Console. Also attach AmazonS3ReadOnlyAccess to provide access to download build artifacts, and attach IAMFullAccess to create and manage the service role for CodeBuild.

arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess
    Provides administrative access to Amazon ECR resources.

arn:aws:iam::aws:policy/AmazonECS_FullAccess
    Provides administrative access to Amazon ECS resources and enables ECS features through access to other AWS service resources, including VPCs, Auto Scaling groups, and CloudFormation stacks.

arn:aws:iam::aws:policy/CloudWatchFullAccess
    Provides full access to CloudWatch.

Programmatic system credentials

SMARTUNIFIER needs a credentials profile to be set up in order to deploy Instances on AWS Fargate. We recommend creating a new access key after 90 days.

Credentials Profile
 [default]
 aws_access_key_id = your_access_key_id
 aws_secret_access_key = your_secret_access_key

IAM Role - AWS CodeBuild Service Role

CodeBuild requires a service role in order to interact with dependent AWS services:

  • Access to Amazon S3 in order to retrieve SMARTUNIFIER Instance artifacts, such as libraries and configuration files.

  • Access to AWS ECR in order to push the container image to the specified repository.

Create the following IAM Role via the AWS console.

AWS CodeBuild Service Role
{
 "Version": "2012-10-17",
 "Statement": [
     {
         "Sid": "CloudWatchLogsPolicy",
         "Effect": "Allow",
         "Action": [
             "logs:CreateLogGroup",
             "logs:CreateLogStream",
             "logs:PutLogEvents"
         ],
         "Resource": [
             "*"
         ]
     },
     {
         "Sid": "CodeCommitPolicy",
         "Effect": "Allow",
         "Action": [
             "codecommit:GitPull"
         ],
         "Resource": [
             "*"
         ]
     },
     {
         "Sid": "S3GetObjectPolicy",
         "Effect": "Allow",
         "Action": [
             "s3:GetObject",
             "s3:GetObjectVersion"
         ],
         "Resource": [
             "*"
         ]
     },
     {
         "Sid": "S3PutObjectPolicy",
         "Effect": "Allow",
         "Action": [
             "s3:PutObject"
         ],
         "Resource": [
             "*"
         ]
     },
     {
         "Sid": "ECRPullPolicy",
         "Effect": "Allow",
         "Action": [
             "ecr:BatchCheckLayerAvailability",
             "ecr:GetDownloadUrlForLayer",
             "ecr:BatchGetImage"
         ],
         "Resource": [
             "*"
         ]
     },
     {
         "Sid": "ECRAuthPolicy",
         "Effect": "Allow",
         "Action": [
             "ecr:GetAuthorizationToken"
         ],
         "Resource": [
             "*"
         ]
     },
     {
         "Sid": "S3BucketIdentity",
         "Effect": "Allow",
         "Action": [
             "s3:GetBucketAcl",
             "s3:GetBucketLocation"
         ],
         "Resource": "*"
     }
 ]
}
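Every statement in the service role policy above is granted on Resource "*", while the page recommends a dedicated S3 Bucket and a dedicated ECR repository. The following Python script is an added example, not part of the SMARTUNIFIER documentation: it audits a policy document for wildcard resources and produces a copy in which the S3, ECR and CloudWatch Logs statements are limited to those dedicated resources. The bucket name, the repository ARN, the log group ARN and the account ID 111122223333 are constructed placeholders. ecr:GetAuthorizationToken supports no resource-level permissions and stays on "*", and the CodeCommit statement is left unchanged because the page names no repository.

```python
import copy
import json

# The AWS CodeBuild service role policy from this page, embedded so the script runs offline.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudWatchLogsPolicy", "Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": ["*"]},
        {"Sid": "CodeCommitPolicy", "Effect": "Allow", "Action": ["codecommit:GitPull"],
         "Resource": ["*"]},
        {"Sid": "S3GetObjectPolicy", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectVersion"], "Resource": ["*"]},
        {"Sid": "S3PutObjectPolicy", "Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": ["*"]},
        {"Sid": "ECRPullPolicy", "Effect": "Allow",
         "Action": ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchGetImage"],
         "Resource": ["*"]},
        {"Sid": "ECRAuthPolicy", "Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"],
         "Resource": ["*"]},
        {"Sid": "S3BucketIdentity", "Effect": "Allow",
         "Action": ["s3:GetBucketAcl", "s3:GetBucketLocation"], "Resource": "*"},
    ],
}

# Actions that IAM evaluates only against "*" (no resource-level permissions).
# The audit still reports them; the scoping step leaves them unchanged.
ACCOUNT_LEVEL_ACTIONS = {"ecr:GetAuthorizationToken"}

# S3 actions whose resource is the bucket itself rather than the objects inside it.
S3_BUCKET_LEVEL_ACTIONS = {"s3:GetBucketAcl", "s3:GetBucketLocation", "s3:ListBucket"}


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def find_wildcard_statements(policy):
    """Return the Sids of Allow statements whose Resource contains the wildcard '*'."""
    return [
        stmt["Sid"]
        for stmt in policy["Statement"]
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt["Resource"])
    ]


def scope_policy(policy, bucket_name, ecr_repository_arn, log_group_arn):
    """Return a copy of the policy with S3, ECR and CloudWatch Logs statements limited to
    the dedicated resources. Statements for other services and account-level actions
    (ecr:GetAuthorizationToken) are returned as they are; the input is not modified."""
    scoped = copy.deepcopy(policy)
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    for stmt in scoped["Statement"]:
        actions = _as_list(stmt["Action"])
        services = {action.split(":", 1)[0] for action in actions}
        if services == {"s3"}:
            resources = []
            if any(a in S3_BUCKET_LEVEL_ACTIONS for a in actions):
                resources.append(bucket_arn)  # bucket-level actions target the bucket ARN
            if any(a not in S3_BUCKET_LEVEL_ACTIONS for a in actions):
                resources.append(bucket_arn + "/*")  # object-level actions target the objects
            stmt["Resource"] = resources
        elif services == {"ecr"} and not set(actions) <= ACCOUNT_LEVEL_ACTIONS:
            stmt["Resource"] = [ecr_repository_arn]
        elif services == {"logs"}:
            # CreateLogGroup targets the log group; CreateLogStream and PutLogEvents
            # target the streams inside it, addressed as <log group ARN>:*.
            stmt["Resource"] = [log_group_arn, log_group_arn + ":*"]
    return scoped


if __name__ == "__main__":
    # Placeholder resource names (constructed; 111122223333 is not a real account).
    scoped = scope_policy(
        PAGE_POLICY,
        bucket_name="example-smartunifier-bucket",
        ecr_repository_arn="arn:aws:ecr:eu-central-1:111122223333:repository/example-smartunifier",
        log_group_arn="arn:aws:logs:eu-central-1:111122223333:log-group:/aws/codebuild/example-build",
    )
    print("Wildcard resources before:", find_wildcard_statements(PAGE_POLICY))
    print("Wildcard resources after: ", find_wildcard_statements(scoped))
    print(json.dumps(scoped, indent=2))
```

Running the script lists the seven wildcard statements of the page's policy, shows that only CodeCommitPolicy and ECRAuthPolicy remain on "*" after scoping, and prints the scoped document, which can replace the policy above when the role is created in the IAM console. The same audit function can be pointed at any other inline policy document to check where a role still has account-wide reach.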