UID2 Private Operator for AWS Integration Guide
The UID2 Operator is the API server in the UID2 ecosystem. For details, see The UID2 Operator.
For a Private Operator service running in AWS Marketplace, the UID2 Operator solution is enhanced with AWS Nitro Enclave technology. This is an additional security measure to help protect UID2 information from unauthorized access.
UID2 Private Operator for AWS
UID2 Private Operator for AWS is a free product. The cost displayed on the product page is an estimated cost for the necessary infrastructure.
By subscribing to UID2 Private Operator for AWS, you gain access to the following:
- Amazon Machine Image (AMI) with the UID2 Operator service installed and ready to bootstrap: The AMI contains an Amazon Linux 2023 operating system with the UID2 Operator service already set up. When an EC2 instance based on the AMI boots up, it automatically fetches the configuration from your AWS account and starts the UID2 Operator server inside an enclave.
- CloudFormation template: The template deploys the UID2 Operator AMI.
Prerequisites
To subscribe and deploy one or more UID2 Operators on AWS, complete the following steps:
- Register your organization as a UID2 Operator.
- Create an AWS account with an IAM role that has the minimal privileges listed in the next section.
Minimal IAM Role Privileges
To succeed in a one-click deployment, your AWS account must have the privileges to run the following actions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "kms:*",
        "autoscaling:*",
        "cloudformation:*",
        "iam:ListRoleTags",
        "secretsmanager:*",
        "iam:PutRolePolicy",
        "iam:AddRoleToInstanceProfile",
        "iam:ListRolePolicies",
        "iam:ListPolicies",
        "iam:GetRole",
        "iam:GetPolicy",
        "iam:DeleteRole",
        "iam:UpdateRoleDescription",
        "iam:TagPolicy",
        "iam:GetRolePolicy",
        "iam:CreateInstanceProfile",
        "iam:UntagRole",
        "iam:TagRole",
        "iam:ListInstanceProfilesForRole",
        "iam:PassRole",
        "iam:DeleteRolePolicy",
        "iam:ListPolicyTags",
        "iam:DeleteInstanceProfile",
        "iam:ListRoles",
        "iam:CreatePolicy",
        "iam:UntagPolicy",
        "iam:UpdateRole",
        "iam:UntagInstanceProfile",
        "iam:TagInstanceProfile",
        "iam:SetDefaultPolicyVersion",
        "iam:UpdateAssumeRolePolicy",
        "iam:GetPolicyVersion",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:DeletePolicy",
        "iam:ListInstanceProfileTags",
        "iam:CreatePolicyVersion",
        "iam:GetInstanceProfile",
        "iam:ListInstanceProfiles",
        "iam:ListPolicyVersions",
        "iam:DeletePolicyVersion",
        "iam:ListUserTags"
      ],
      "Resource": "*"
    }
  ]
}
```
Resources Created
The following table lists all resources that are created during the deployment.
Name | Type | Description |
---|---|---|
KMSKey | AWS::KMS::Key | Custom KMS key used for encrypting the secrets in AWS Secrets Manager. |
SSMKeyAlias | AWS::KMS::Alias | An alias that provides an easy way to access the KMS key. |
TokenSecret | AWS::SecretsManager::Secret | A Secrets Manager secret to store the operator key. |
WorkerRole | AWS::IAM::Role | The IAM role that your UID2 Operators run as. The role provides access to AWS Secrets Manager to retrieve operator keys. |
WorkerInstanceProfile | AWS::IAM::InstanceProfile | The instance profile with Worker Role to attach to Operator EC2 instances. |
SecurityGroup | AWS::EC2::SecurityGroup | A security group policy that provides rules for operator instances. See also Security Group Policy. |
LaunchTemplate | AWS::EC2::LaunchTemplate | A launch template with all configurations in place. You can spawn new UID2 Operator instances from it. |
AutoScalingGroup | AWS::AutoScaling::AutoScalingGroup | An auto-scaling group (ASG) to which the launch template is attached. You can use this to update the desired number of instances later, if needed. |
Customization Options
Here's what you can customize during or after the deployment:
- VPC: You must specify the existing VPC and related VPC Subnet IDs.
- Root volume size: 8G minimum.
- SSH key: This is the SSH key that you use to access the UID2 Operator EC2 instances.
- Instance type: m5.2xlarge, m5.4xlarge, and so on. If there is no customization, the default value, m5.2xlarge, is recommended.
Security Group Policy
To avoid passing certificates associated with your domain into the enclave, inbound HTTP is allowed instead of HTTPS. This also avoids the cost of a secure layer, if used in a private network that is internal to your organization.
Port Number | Direction | Protocol | Description |
---|---|---|---|
80 | Inbound | HTTP | Serves all UID2 APIs, including the healthcheck endpoint /ops/healthcheck. When everything is up and running, the endpoint returns HTTP 200 with a response body of OK. For details, see Checking UID2 Operator Status. |
9080 | Inbound | HTTP | Serves Prometheus metrics (/metrics). |
443 | Outbound | HTTPS | Calls the UID2 Core Service and AWS S3 to download files for opt-out data and the key store. |
VPC Chart
The following diagram illustrates the virtual private cloud that hosts private operators.
Deployment
To deploy UID2 Operator on AWS Marketplace, complete the following steps:
1. Subscribe to Unified ID 2.0 Operator on AWS Marketplace. It might take several minutes before AWS completes your subscription.
2. Click Configuration and then specify configuration values. For software version, see Operator Version and choose the value in the AWS Version column.
3. On the Configuration page, click Launch and then select the Launch CloudFormation action.
4. In the Create Stack wizard, specify the template and then click Next. The S3 path for the template file is automatically filled in.
5. Fill in the stack details and then click Next.
6. Configure the stack options and then click Next.
7. Review the information you have entered, and make changes if needed.
8. If you are prompted for permission to create IAM roles, select the I acknowledge that AWS CloudFormation might create IAM resources checkbox.
9. Click Create stack.
It takes several minutes for the stack to be created. When you see an Auto Scaling Group (ASG) created, you can select it and check the EC2 instances. By default, there is only one instance to start with.