aws-resources.md

File metadata and controls

61 lines (39 loc) · 3.69 KB

AWS Resources

For creating AEM environments using AEM AWS Stack Builder, a number of AWS resources must be available as prerequisites.

User-managed provisioning

Because most organisations' policies require the private key, SSL/TLS certificate and bastion host to be managed by the users themselves rather than by an external automation process, the following resources must be provisioned by the users:

  • Create an EC2 key pair; its name needs to be set in the compute.key_pair_name configuration property.
  • Provision an SSL/TLS certificate on either AWS Certificate Manager or IAM.
  • If your bastion host doesn't have a security group yet, create one for it and configure that security group in the compute.inbound_from_bastion_host_security_group property.

Ensure that you have the AEM OpenCloud AMIs and configure them in AEM AWS Stack Builder's user configuration:

  • Create the AMIs using Packer AEM and configure their IDs in the ami_ids.<component> properties.

CloudFormation stack

If you have permission to provision the AWS resources using a CloudFormation stack, run this command to create or update the resources:

make create-aws-resources stack_prefix=<stack_prefix> config_path=stage/user-config/

The aws-resources stack will contain:

  • An S3 data bucket for storing AEM environment states; its name needs to be set in the s3.data_bucket_name property.
  • A Route53 private hosted zone; the hosted zone name needs to be set in the dns_records.route53_hosted_zone_name property, and don't forget to include the trailing dot as part of the name.

And to delete the resources within the CloudFormation stack:

make delete-aws-resources stack_prefix=<stack_prefix> config_path=stage/user-config/

Manual provisioning

Alternatively, if you don't have that permission, or you have to integrate these resources into your pre-existing provisioning mechanism, follow the steps below as a reference:

  • Create an S3 data bucket for storing AEM environment states; its bucket path needs to be set in the s3.data_bucket_name property.
  • Create a Route53 private hosted zone; the hosted zone name needs to be set in the dns_records.route53_hosted_zone_name property, and don't forget to include the trailing dot as part of the name.

Encryption

AEM OpenCloud supports encryption of all of its AWS resources.

AWS encrypts most of its resources by default with an AWS-owned CMK, while AEM OpenCloud enforces an AWS-managed CMK for some of its resources, for which AWS KMS charges apply.

AWS managed CMK in AEM OpenCloud:

  • AEM Stack Manager DynamoDB
  • EBS volumes, if aws.encryption.ebs_volume.enable or the deprecated configuration parameter [aem_component].enable_vol_encryption is set to true
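As an added example (not code from the AEM AWS Stack Builder project), the following Python preflight check validates the user-configuration properties named in the provisioning and encryption sections above, including the trailing dot on the hosted zone name and the EBS encryption switch with its deprecated per-component alias; the nested-dict layout, the component names and the ID formats are assumptions.

```python
import re

# Constructed sample user config using the property names this page lists; the
# nested-dict layout and the component names "author"/"publish" are assumptions.
SAMPLE_CONFIG = {
    "compute": {
        "key_pair_name": "aem-opencloud-keypair",
        "inbound_from_bastion_host_security_group": "sg-0123456789abcdef0",
    },
    "ami_ids": {"author": "ami-0abc1234def567890", "publish": "ami-0fed9876cba543210"},
    "s3": {"data_bucket_name": "example-aem-data-bucket"},
    "dns_records": {"route53_hosted_zone_name": "aem.example.internal"},  # trailing dot missing
    "aws": {"encryption": {"ebs_volume": {"enable": False}}},
    "author": {"enable_vol_encryption": True},  # deprecated per-component switch
}

def _get(cfg, path):
    """Walk a dotted property path through nested dicts; None if any key is absent."""
    node = cfg
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def check_config(cfg):
    """Return a list of findings; an empty list means the prerequisites look consistent."""
    findings = []
    if not _get(cfg, "compute.key_pair_name"):
        findings.append("compute.key_pair_name is not set")
    sg = _get(cfg, "compute.inbound_from_bastion_host_security_group")
    if not (isinstance(sg, str) and re.fullmatch(r"sg-[0-9a-f]{8,17}", sg)):
        findings.append("compute.inbound_from_bastion_host_security_group is not a security group ID")
    for component, ami in (_get(cfg, "ami_ids") or {}).items():
        if not re.fullmatch(r"ami-[0-9a-f]{8,17}", str(ami)):
            findings.append(f"ami_ids.{component} is not an AMI ID")
    bucket = _get(cfg, "s3.data_bucket_name")
    if not (isinstance(bucket, str) and re.fullmatch(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]", bucket)):
        findings.append("s3.data_bucket_name is not a valid bucket name")
    zone = _get(cfg, "dns_records.route53_hosted_zone_name")
    if not (isinstance(zone, str) and zone.endswith(".")):
        findings.append("dns_records.route53_hosted_zone_name must include the trailing dot")
    ebs_enabled = _get(cfg, "aws.encryption.ebs_volume.enable") is True  # current switch
    # Deprecated form: [aem_component].enable_vol_encryption on any component block.
    deprecated = [c for c, v in cfg.items() if isinstance(v, dict) and v.get("enable_vol_encryption") is True]
    if deprecated and not ebs_enabled:
        findings.append("deprecated enable_vol_encryption used in: " + ", ".join(deprecated) + "; set aws.encryption.ebs_volume.enable instead")
    elif not ebs_enabled:
        findings.append("EBS volume encryption is not enabled")
    return findings
```

Running check_config(SAMPLE_CONFIG) reports the missing trailing dot and the deprecated encryption parameter; a config with both corrected returns no findings.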

User managed CMK in AEM OpenCloud:

  • S3 Bucket
  • AEM Stack Manager Lambda functions environment variables
  • AEM Stack Manager DynamoDB
  • AEM Stack Manager SNS Topics
  • AEM Stack Manager SQS Queues
  • AEM-Full-Set SNS Topics
  • AEM-Full-Set SQS Queues
  • AEM-Full-Set EBS Volumes
  • AEM-Consolidated EBS Volumes

An overview of the permissions that need to be applied to the CMK can be found in the documentation (link).