# AWS Deployment

DeepIntShield Enterprise images for AWS customers are distributed through AWS ECR, so your cluster authenticates with IAM rather than with long-lived registry credentials.
## Architecture

The repository lives in DeepIntShield's AWS account; the policies below reference it by its `DEEPINTSHIELD_ACCOUNT_ID` ARN, and DeepIntShield allowlists your principals on the repository side.

```mermaid
flowchart LR
  subgraph AWS[Your AWS Account]
    subgraph EKS[EKS Cluster]
      Pod[DeepIntShield Pod]
      KSA[K8s ServiceAccount]
    end
    IAMRole[IAM Role]
  end
  subgraph Vendor[DeepIntShield AWS Account]
    ECR[AWS ECR<br/>DeepIntShield Images]
  end
  KSA -->|Annotated with| IAMRole
  Pod -->|Assumes| IAMRole
  IAMRole -->|Pull Permission| ECR
  ECR -->|Image| Pod
```
## Prerequisites

- EKS cluster (v1.23+) or ECS cluster
- AWS CLI configured with appropriate permissions
- `kubectl` configured for your EKS cluster
- Your AWS Account ID allowlisted by the DeepIntShield team
## IRSA (Recommended)

IAM Roles for Service Accounts (IRSA) lets a Kubernetes ServiceAccount assume an IAM role through the cluster's OIDC provider, so the DeepIntShield pod receives short-lived AWS credentials with no static keys. It is the recommended way to give the pod an AWS identity on EKS.

Note that image pulls on EKS are performed by the kubelet on the worker node, which authenticates to ECR with the node's IAM role (instance profile), not with the pod's IRSA role; IRSA credentials are only visible to processes inside the pod. For the pull itself to succeed, the node IAM role also needs the pull policy from Step 1 and must be included in the allowlisting request in Step 3, unless you pull with an `imagePullSecret` generated from an ECR authorization token instead.
### Step 1: Create IAM Policy

Create an IAM policy that grants ECR pull access to the DeepIntShield repository. `ecr:GetAuthorizationToken` does not support resource-level permissions, so it must stay on `"Resource": "*"`; the three pull actions are scoped to the single repository.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ECRAuth",
      "Effect": "Allow",
      "Action": ["ecr:GetAuthorizationToken"],
      "Resource": "*"
    },
    {
      "Sid": "ECRPullFromDeepIntShield",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchCheckLayerAvailability"
      ],
      "Resource": "arn:aws:ecr:us-east-1:DEEPINTSHIELD_ACCOUNT_ID:repository/YOUR_HUB_SLUG"
    }
  ]
}
```

Save this policy as `deepintshield-ecr-pull-policy.json` and create it:

```bash
aws iam create-policy \
  --policy-name DeepIntShieldECRPullPolicy \
  --policy-document file://deepintshield-ecr-pull-policy.json
```
### Step 2: Create IAM Role with OIDC Trust

Create an IAM role that can be assumed by your Kubernetes ServiceAccount.

First, get your cluster's OIDC issuer URL. The cluster must have an IAM OIDC identity provider registered for this issuer; its ID is the `OIDC_ID` used in the trust policy below:

```bash
aws eks describe-cluster \
  --name YOUR_CLUSTER_NAME \
  --query "cluster.identity.oidc.issuer" \
  --output text
```

Create the trust policy (`trust-policy.json`). The `:sub` condition pins the role to one ServiceAccount in one namespace (`NAMESPACE` must match the namespace you create in Step 4); keep it exact rather than using a wildcard, otherwise any pod in the cluster that can use a matching ServiceAccount could assume the role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::YOUR_ACCOUNT_ID:oidc-provider/oidc.eks.REGION.amazonaws.com/id/OIDC_ID"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.REGION.amazonaws.com/id/OIDC_ID:aud": "sts.amazonaws.com",
          "oidc.eks.REGION.amazonaws.com/id/OIDC_ID:sub": "system:serviceaccount:NAMESPACE:deepintshield-sa"
        }
      }
    }
  ]
}
```

Create the role and attach the policy:

```bash
# Create the role
aws iam create-role \
  --role-name DeepIntShieldECRPullRole \
  --assume-role-policy-document file://trust-policy.json

# Attach the policy
aws iam attach-role-policy \
  --role-name DeepIntShieldECRPullRole \
  --policy-arn arn:aws:iam::YOUR_ACCOUNT_ID:policy/DeepIntShieldECRPullPolicy
```
### Step 3: Provide Role ARN to DeepIntShield

Send your IAM role ARN to the DeepIntShield team for allowlisting:

```text
arn:aws:iam::YOUR_ACCOUNT_ID:role/DeepIntShieldECRPullRole
```

Include the ARN of the principal that actually performs the image pull in the same request. On EKS that is the node IAM role used by the kubelet (unless you pull with an `imagePullSecret`), because IRSA credentials are only available to processes inside the pod.
### Step 4: Create Namespace and ServiceAccount

The namespace must be the one named in the trust policy's `:sub` condition (`NAMESPACE` in Step 2; `deepintshield` here).

```bash
kubectl create namespace deepintshield
```

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: deepintshield-sa
  namespace: deepintshield
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::YOUR_ACCOUNT_ID:role/DeepIntShieldECRPullRole
```

Apply the manifest with `kubectl apply -f`.
### Step 5: Deploy DeepIntShield

The `deepintshield-config` Secret mounted below must exist in the namespace before the pods can start. For production, pin `image` to a specific version tag or `@sha256:` digest rather than `:latest`, so rollouts are reproducible and a re-tagged image cannot silently change what runs.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deepintshield
  namespace: deepintshield
spec:
  replicas: 2
  selector:
    matchLabels:
      app: deepintshield
  template:
    metadata:
      labels:
        app: deepintshield
    spec:
      serviceAccountName: deepintshield-sa
      containers:
        - name: deepintshield
          image: DEEPINTSHIELD_ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com/YOUR_HUB_SLUG:latest
          ports:
            - containerPort: 8080
              name: http
          resources:
            requests:
              cpu: "250m"
              memory: "512Mi"
            limits:
              cpu: "1000m"
              memory: "2Gi"
          livenessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 5
          volumeMounts:
            - name: config
              mountPath: /app/data/config.json
              subPath: config.json
      volumes:
        - name: config
          secret:
            secretName: deepintshield-config
---
apiVersion: v1
kind: Service
metadata:
  name: deepintshield
  namespace: deepintshield
spec:
  selector:
    app: deepintshield
  ports:
    - port: 80
      targetPort: 8080
      protocol: TCP
  type: ClusterIP
```
## ECS Task Roles

For ECS deployments, the task execution role is what authenticates to ECR: the ECS agent assumes it to pull the image and to ship container logs. A separate task role, if you add one, only gives the application itself AWS permissions and plays no part in the pull.

### Step 1: Create Task Execution Role

The task execution role allows ECS to pull images from ECR and write to CloudWatch Logs. Create it (named `DeepIntShieldECSExecutionRole`, as referenced by the task definition in Step 2) with a trust policy that lets the `ecs-tasks.amazonaws.com` service principal call `sts:AssumeRole`, then attach the following permissions policy. As in Step 1 of the IRSA section, `ecr:GetAuthorizationToken` has to stay on `"Resource": "*"` while the pull actions are scoped to the single repository; the `logs:*` statement can likewise be narrowed to the `/ecs/deepintshield` log group ARN.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ecr:GetAuthorizationToken"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "arn:aws:ecr:us-east-1:DEEPINTSHIELD_ACCOUNT_ID:repository/YOUR_HUB_SLUG"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
```
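Both customer-side policy documents on this page (the EKS pull policy in Step 1 of the IRSA section and the execution role policy above) should be pull-only and scoped to one repository. The following Python lint is an added example, not DeepIntShield's code: it checks that the three pull actions are restricted to the repository ARN, that `ecr:GetAuthorizationToken` is present, and that no push or wildcard ECR rights have crept in, ignoring non-ECR statements such as the CloudWatch Logs grant. The repository ARN and sample policies are constructed for the example.

```python
"""Least-privilege lint for a customer-side ECR pull policy.

Added example, not DeepIntShield code. Ignores non-ECR statements (such as
the CloudWatch Logs grant on the ECS execution role) and checks that the
document is a tight, complete pull-only policy. Feed it the JSON you pass
to `aws iam create-policy`, or `aws iam get-policy-version` output.
"""

PULL_ACTIONS = {"ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
                "ecr:BatchCheckLayerAvailability"}
PUSH_ACTIONS = {"ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage", "ecr:DeleteRepository"}


def _as_list(value) -> list:
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_ecr_pull_policy(policy: dict, repository_arn: str) -> list[str]:
    """Return findings for a pull-only ECR policy; an empty list means it is
    scoped to repository_arn, complete, and grants no push or wildcard rights."""
    findings: list[str] = []
    seen_pull: set[str] = set()
    has_auth = wildcard = False
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a in ("*", "ecr:*") for a in actions):
            wildcard = True
            findings.append(f"{sid}: wildcard action grants far more than pull access")
            continue
        ecr_actions = {a for a in actions if a.startswith("ecr:")}
        pushes = ecr_actions & PUSH_ACTIONS
        if pushes:
            findings.append(f"{sid}: pull-only role has push/delete rights {sorted(pushes)}")
        if "ecr:GetAuthorizationToken" in ecr_actions:
            has_auth = True  # must be on "*": ECR has no resource-level support for it
        pulls = ecr_actions & PULL_ACTIONS
        if pulls:
            seen_pull |= pulls
            if "*" in resources or repository_arn not in resources:
                findings.append(f"{sid}: pull actions must be scoped to {repository_arn}, got {resources}")
    if not wildcard:
        if not has_auth:
            findings.append("ecr:GetAuthorizationToken is missing; no registry token can be issued")
        missing = PULL_ACTIONS - seen_pull
        if missing:
            findings.append(f"missing pull actions {sorted(missing)}; the image pull would be denied")
    return findings


# --- Constructed sample policies (placeholder account IDs) -------------------
REPO_ARN = "arn:aws:ecr:us-east-1:123456789012:repository/example-hub"  # constructed

GOOD_POLICY = {  # shape of the policies on this page
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ECRAuth", "Effect": "Allow",
         "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
        {"Sid": "ECRPullFromDeepIntShield", "Effect": "Allow",
         "Action": sorted(PULL_ACTIONS), "Resource": REPO_ARN},
        {"Sid": "Logs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"},
    ],
}
UNSCOPED_POLICY = {  # pull actions on every repository in every account
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ECRAuth", "Effect": "Allow",
         "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
        {"Sid": "PullAnything", "Effect": "Allow",
         "Action": sorted(PULL_ACTIONS), "Resource": "*"},
    ],
}
BROAD_POLICY = {  # what "just make it work" tends to produce
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TooBroad", "Effect": "Allow", "Action": "ecr:*", "Resource": "*"}],
}

if __name__ == "__main__":
    for name, doc in [("good", GOOD_POLICY), ("unscoped", UNSCOPED_POLICY), ("broad", BROAD_POLICY)]:
        print(name, audit_ecr_pull_policy(doc, REPO_ARN) or "OK")
```

Run it before `aws iam create-policy`, and again on the node IAM role's inline and attached policies if that role is what performs the pull on your EKS nodes.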
### Step 2: Create ECS Task Definition

The health check runs `curl` inside the container, so the image must ship it. As with the EKS deployment, pin `image` to a version tag or digest rather than `:latest` for production.

```json
{
  "family": "deepintshield",
  "networkMode": "awsvpc",
  "requiresCompatibilities": ["FARGATE"],
  "cpu": "512",
  "memory": "1024",
  "executionRoleArn": "arn:aws:iam::YOUR_ACCOUNT_ID:role/DeepIntShieldECSExecutionRole",
  "containerDefinitions": [
    {
      "name": "deepintshield",
      "image": "DEEPINTSHIELD_ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com/YOUR_HUB_SLUG:latest",
      "portMappings": [
        {
          "containerPort": 8080,
          "protocol": "tcp"
        }
      ],
      "healthCheck": {
        "command": ["CMD-SHELL", "curl -f http://localhost:8080/health || exit 1"],
        "interval": 30,
        "timeout": 5,
        "retries": 3,
        "startPeriod": 60
      },
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/deepintshield",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "deepintshield"
        }
      }
    }
  ]
}
```
### Step 3: Create ECS Service

```bash
aws ecs create-service \
  --cluster your-cluster \
  --service-name deepintshield \
  --task-definition deepintshield \
  --desired-count 2 \
  --launch-type FARGATE \
  --network-configuration "awsvpcConfiguration={subnets=[subnet-xxx],securityGroups=[sg-xxx],assignPublicIp=ENABLED}"
```

`assignPublicIp=ENABLED` gives each task a public IP, which Fargate needs only when the subnets have no private route to ECR. For production, place the tasks in private subnets with a NAT gateway or VPC endpoints for `ecr.api`, `ecr.dkr` and S3, set `assignPublicIp=DISABLED`, and keep the security group's inbound rules limited to the load balancer or clients that need port 8080.
## Verifying Access

### Test ECR Authentication

Run this from a workstation whose AWS credentials belong to an allowlisted principal. A successful pull confirms both your IAM policy and the repository policy on the DeepIntShield side; the login token is valid for 12 hours.

```bash
# Get ECR login token
aws ecr get-login-password --region us-east-1 | \
  docker login --username AWS --password-stdin \
  DEEPINTSHIELD_ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com

# Pull test
docker pull DEEPINTSHIELD_ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com/YOUR_HUB_SLUG:latest
```
### Verify IRSA Configuration

```bash
# Check ServiceAccount annotation
kubectl get sa deepintshield-sa -n deepintshield -o yaml

# Verify pod can assume role (requires the AWS CLI inside the image)
kubectl exec -it deployment/deepintshield -n deepintshield -- \
  aws sts get-caller-identity
```

The `Arn` in the output should be of the form `arn:aws:sts::YOUR_ACCOUNT_ID:assumed-role/DeepIntShieldECRPullRole/...`. If the image has no AWS CLI, check instead that the pod spec received the `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` environment variables and the projected token volume, which the EKS pod identity webhook injects when the ServiceAccount annotation is present. This verifies the pod's own identity; it does not exercise the kubelet's image pull path.
## Troubleshooting

### ImagePullBackOff Errors

- Check which principal performs the pull: on EKS the kubelet pulls with the node IAM role, not the pod's IRSA role, so the node role needs the pull policy and must be allowlisted
- Check the IAM role trust policy: ensure the OIDC provider, namespace and ServiceAccount name match
- Verify ECR permissions: confirm the role has `ecr:BatchGetImage`, `ecr:GetDownloadUrlForLayer` and `ecr:BatchCheckLayerAvailability` on the repository
- Check allowlisting: ensure your role ARN is allowlisted by the DeepIntShield team

```bash
# Check pod events
kubectl describe pod -l app=deepintshield -n deepintshield

# Check IRSA token (a bearer credential: inspect it locally, never paste it into tickets)
kubectl exec -it deployment/deepintshield -n deepintshield -- \
  cat /var/run/secrets/eks.amazonaws.com/serviceaccount/token
```

`kubectl exec` only works once a container is running, so for a pod stuck in ImagePullBackOff the pod events and the node role's permissions are what to check; the token check applies when the pod runs but cannot call AWS.
### Authentication Errors

```bash
# Verify OIDC provider is configured
aws iam list-open-id-connect-providers

# Check role assumption
aws sts assume-role-with-web-identity \
  --role-arn arn:aws:iam::YOUR_ACCOUNT_ID:role/DeepIntShieldECRPullRole \
  --role-session-name test \
  --web-identity-token file:///path/to/token
```

The listed provider must match the issuer returned by `aws eks describe-cluster` in Step 2, and the `:aud` and `:sub` values in the trust policy must equal the token's claims exactly; a `Not authorized to perform sts:AssumeRoleWithWebIdentity` response almost always means one of those three does not line up.
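The trust policy conditions from Step 2 and the token read in the troubleshooting commands above can be cross-checked offline before involving STS. The following Python is an added example, not DeepIntShield's code: it decodes the projected ServiceAccount token without verifying its signature (only STS needs to do that) and compares its `iss`, `aud`, `sub` and `exp` claims with the role's trust policy. The OIDC provider ID, account ID and the unsigned sample tokens are constructed for the example; on a real cluster, feed it the token file and `aws iam get-role --query Role.AssumeRolePolicyDocument`.

```python
"""Offline IRSA consistency check (added example, not DeepIntShield code).

Decodes a projected ServiceAccount token WITHOUT verifying its signature
and compares its claims with the role trust policy, which is where most
AssumeRoleWithWebIdentity "Not authorized" failures originate.
"""
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_token_claims(token: str) -> dict:
    """Return the JWT payload as a dict. No signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_irsa_trust(trust_policy: dict, token: str, namespace: str,
                     service_account: str, now: Optional[float] = None) -> list[str]:
    """Return findings; an empty list means the token satisfies the trust policy
    for system:serviceaccount:<namespace>:<service_account>."""
    now = time.time() if now is None else now
    claims = decode_token_claims(token)
    findings: list[str] = []

    # The issuer host/path is both the OIDC provider name and the condition-key prefix.
    issuer = claims.get("iss", "")
    provider = issuer[len("https://"):] if issuer.startswith("https://") else issuer
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    aud = claims.get("aud", [])
    auds = [aud] if isinstance(aud, str) else list(aud)  # JWT aud may be string or list

    if claims.get("exp", 0) <= now:
        findings.append("token is expired; the kubelet rotates it, so restart the pod and re-read it")
    if claims.get("sub") != expected_sub:
        findings.append(f"token sub {claims.get('sub')!r} is not {expected_sub!r}")

    matched = False
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not federated.endswith(f":oidc-provider/{provider}"):
            findings.append(f"Federated principal {federated!r} is not the token issuer {provider!r}")
            continue
        matched = True
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        want_aud = cond.get(f"{provider}:aud")
        want_sub = cond.get(f"{provider}:sub")
        if want_aud is not None and want_aud not in auds:
            findings.append(f"trust policy requires aud {want_aud!r}, token carries {auds!r}")
        if want_sub is None:
            findings.append("no :sub condition; any ServiceAccount in the cluster could assume this role")
        elif want_sub != claims.get("sub"):
            findings.append(f"trust policy requires sub {want_sub!r}, token carries {claims.get('sub')!r}")
    if not matched:
        findings.append("no Allow statement for sts:AssumeRoleWithWebIdentity from the token's OIDC provider")
    return findings


# --- Constructed sample data (placeholder IDs, unsigned tokens) --------------
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"  # constructed
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC_PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com",
            f"{OIDC_PROVIDER}:sub": "system:serviceaccount:deepintshield:deepintshield-sa",
        }},
    }],
}


def _unsigned_token(claims: dict) -> str:
    # Sample token for the example; real tokens are RS256-signed by the cluster.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


GOOD_TOKEN = _unsigned_token({"iss": f"https://{OIDC_PROVIDER}", "aud": ["sts.amazonaws.com"],
                              "sub": "system:serviceaccount:deepintshield:deepintshield-sa",
                              "exp": 4102444800})
WRONG_NS_TOKEN = _unsigned_token({"iss": f"https://{OIDC_PROVIDER}", "aud": ["sts.amazonaws.com"],
                                  "sub": "system:serviceaccount:default:deepintshield-sa",
                                  "exp": 4102444800})

if __name__ == "__main__":
    for name, tok, ns in [("good", GOOD_TOKEN, "deepintshield"), ("wrong-namespace", WRONG_NS_TOKEN, "default")]:
        print(name, check_irsa_trust(TRUST_POLICY, tok, ns, "deepintshield-sa") or "OK")
```

The wrong-namespace sample reproduces the most common mistake on this page: deploying into a namespace other than the `NAMESPACE` written into the trust policy, which yields a valid token that STS nevertheless rejects.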
## Next Steps

- Configure DeepIntShield settings for your use case
- Set up observability for monitoring
- Enable clustering for high availability