AWS Docs (#446)

* document AWS support
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
Co-authored-by: Leonard Cohnen <lc@edgeless.systems>

docs/docs/getting-started/first-steps.md

@@ -25,6 +25,13 @@ If you don't have a cloud subscription, check out [MiniConstellation](first-step
     constellation config generate gcp
     ```
 
+    </tabItem>
+    <tabItem value="aws" label="AWS">
+
+    ```bash
+    constellation config generate aws
+    ```
+
     </tabItem>
     </tabs>
 
@@ -164,6 +171,46 @@ If you don't have a cloud subscription, check out [MiniConstellation](first-step
 
         Supported are all machines from the N2D family. It defaults to `n2d-standard-4` (4 vCPUs, 16 GB RAM), but you can use any other VMs from the same family. Refer to [N2D machine series](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines) or run `constellation config instance-types` to get the list of all supported options.
 
+    </tabItem>
+    <tabItem value="aws" label="AWS">
+
+    * **region**: The name of your chosen AWS data center region, e.g., `us-east-2`.
+
+        Constellation OS images are currently replicated to the following regions:
+        * `eu-central-1`
+        * `us-east-2`
+        * `ap-south-1`
+
+        If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x).
+
+        You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions).
+
+    * **zone**: The name of your chosen AWS data center availability zone, e.g., `us-east-2a`.
+
+        Learn more about [availability zones in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-availability-zones).
+
+    * **image**: The ID of the amazon machine image (AMI) the Constellation nodes will use:
+
+        Constellation OS images are available with the following IDs:
+
+        | AMI | Region |
+        | - | - |
+        | `ami-0e27ebcefc38f648b` | `eu-central-1` |
+        | `ami-098cd37f66523b7c3` | `us-east-2` |
+        | `ami-04a87d302e2509aad` | `ap-south-1` |
+
+    * **iamProfileControlPlane**: The name of an IAM instance profile attached to all control-plane nodes.
+
+        Use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `control_plane_instance_profile`.
+
+        Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.control_plane_policy`.
+
+    * **iamProfileWorkerNodes**: The name of an IAM instance profile attached to all worker nodes.
+
+        Use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `worker_nodes_instance_profile`.
+
+        Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.worker_node_policy`.
+
     </tabItem>
     </tabs>
 

docs/docs/getting-started/install.md

@@ -11,7 +11,7 @@ Make sure the following requirements are met:
 - Your machine is running Linux or macOS
 - You have admin rights on your machine
 - [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
-- Your CSP is Microsoft Azure or Google Cloud Platform (GCP)
+- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS)
 
 ## Install the Constellation CLI
 
@@ -132,6 +132,137 @@ You need the following permissions on this project:
 
 Follow Google's guide on [understanding](https://cloud.google.com/iam/docs/understanding-roles) and [assigning roles](https://cloud.google.com/iam/docs/granting-changing-revoking-access).
 
+</tabItem>
+<tabItem value="aws" label="AWS">
+
+To set up a Constellation cluster, you need to perform two tasks that require permissions: create the infrastructure and create roles for cluster nodes. Both of these actions can be performed by different users, e.g., an administrator to create roles and a DevOps engineer to create the infrastructure.
+
+To create the AWS IAM policies, your user requires the following minimal set of permissions:
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "sts:GetCallerIdentity",
+                "ec2:DescribeAccountAttributes",
+                "iam:CreateRole",
+                "iam:CreatePolicy",
+                "iam:GetPolicy",
+                "iam:GetRole",
+                "iam:GetPolicyVersion",
+                "iam:ListRolePolicies",
+                "iam:ListAttachedRolePolicies",
+                "iam:CreateInstanceProfile",
+                "iam:AttachRolePolicy",
+                "iam:GetInstanceProfile",
+                "iam:AddRoleToInstanceProfile",
+                "iam:PassRole",
+                "iam:RemoveRoleFromInstanceProfile",
+                "iam:DetachRolePolicy",
+                "iam:DeleteInstanceProfile",
+                "iam:ListPolicyVersions",
+                "iam:ListInstanceProfilesForRole",
+                "iam:DeletePolicy",
+                "iam:DeleteRole"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+```
+
+To create the infrastructure, you can either use a predefined role from Amazon,
+such as `PowerUserAccess`, or use the following minimal set of permissions:
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "sts:GetCallerIdentity",
+                "ec2:DescribeAccountAttributes",
+                "ec2:AllocateAddress",
+                "ec2:CreateVpc",
+                "ec2:CreateTags",
+                "logs:CreateLogGroup",
+                "ec2:CreateLaunchTemplate",
+                "ec2:DescribeAddresses",
+                "ec2:DescribeLaunchTemplates",
+                "logs:PutRetentionPolicy",
+                "logs:DescribeLogGroups",
+                "ec2:DescribeVpcs",
+                "ec2:DescribeLaunchTemplateVersions",
+                "logs:ListTagsLogGroup",
+                "ec2:DescribeVpcClassicLink",
+                "ec2:DescribeVpcClassicLinkDnsSupport",
+                "ec2:DescribeVpcAttribute",
+                "ec2:DescribeNetworkAcls",
+                "ec2:DescribeRouteTables",
+                "ec2:DescribeSecurityGroups",
+                "ec2:CreateSubnet",
+                "ec2:CreateSecurityGroup",
+                "elasticloadbalancing:CreateTargetGroup",
+                "ec2:CreateInternetGateway",
+                "ec2:DescribeSubnets",
+                "elasticloadbalancing:DescribeTargetGroups",
+                "ec2:AttachInternetGateway",
+                "elasticloadbalancing:ModifyTargetGroupAttributes",
+                "ec2:DescribeInternetGateways",
+                "autoscaling:CreateAutoScalingGroup",
+                "iam:PassRole",
+                "ec2:CreateNatGateway",
+                "ec2:RevokeSecurityGroupEgress",
+                "elasticloadbalancing:DescribeTargetGroupAttributes",
+                "elasticloadbalancing:CreateLoadBalancer",
+                "ec2:DescribeNatGateways",
+                "elasticloadbalancing:DescribeTags",
+                "autoscaling:DescribeScalingActivities",
+                "ec2:CreateRouteTable",
+                "autoscaling:DescribeAutoScalingGroups",
+                "ec2:AuthorizeSecurityGroupIngress",
+                "ec2:AuthorizeSecurityGroupEgress",
+                "ec2:CreateRoute",
+                "ec2:AssociateRouteTable",
+                "elasticloadbalancing:DescribeTargetHealth",
+                "elasticloadbalancing:DescribeLoadBalancers",
+                "elasticloadbalancing:ModifyLoadBalancerAttributes",
+                "elasticloadbalancing:AddTags",
+                "elasticloadbalancing:DescribeLoadBalancerAttributes",
+                "elasticloadbalancing:CreateListener",
+                "elasticloadbalancing:DescribeListeners",
+                "logs:DeleteLogGroup",
+                "elasticloadbalancing:DeleteListener",
+                "ec2:DisassociateRouteTable",
+                "autoscaling:UpdateAutoScalingGroup",
+                "elasticloadbalancing:DeleteLoadBalancer",
+                "autoscaling:SetInstanceProtection",
+                "ec2:DescribeNetworkInterfaces",
+                "ec2:DeleteRouteTable",
+                "ec2:DeleteNatGateway",
+                "ec2:DetachInternetGateway",
+                "ec2:DisassociateAddress",
+                "ec2:ReleaseAddress",
+                "ec2:DeleteInternetGateway",
+                "ec2:DeleteSubnet",
+                "autoscaling:DeleteAutoScalingGroup",
+                "ec2:DeleteLaunchTemplate",
+                "elasticloadbalancing:DeleteTargetGroup",
+                "ec2:DeleteSecurityGroup",
+                "ec2:DeleteVpc"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+```
+
+Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html).
+
 </tabItem>
 </tabs>
 
@@ -185,6 +316,25 @@ Use one of the following options on a trusted machine:
     Follow [Google's guide](https://cloud.google.com/docs/authentication/production#manually) for setting up your credentials.
 
 </tabItem>
+<tabItem value="aws" label="AWS">
+
+**Testing**
+
+You can use the [AWS CloudShell](https://console.aws.amazon.com/cloudshell/home). Make sure you are [authorized to use it](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html).
+
+**Production**
+
+Use the latest version of the [AWS CLI](https://aws.amazon.com/cli/) on a trusted machine:
+
+```bash
+aws configure
+```
+
+Options and first steps are described in the [AWS CLI documentation](https://docs.aws.amazon.com/cli/index.html).
+
+</tabItem>
+
+
 </tabs>
 
 ## Next steps

docs/docs/overview/clouds.md

@@ -32,7 +32,7 @@ The [CVMs available in GCP](https://cloud.google.com/compute/confidential-vm/doc
 
 ## Amazon Web Services (AWS)
 
-AWS currently doesn't offer CVMs. AWS proprietary Nitro Enclaves offer some related features, but [are explicitly not designed to keep AWS itself out](https://aws.amazon.com/blogs/security/confidential-computing-an-aws-perspective/). An experimental version of Constellation exists that runs on Nitro Enclaves.
+AWS currently doesn't offer CVMs. AWS proprietary Nitro Enclaves offer some related features but [are explicitly not designed to keep AWS itself out](https://aws.amazon.com/blogs/security/confidential-computing-an-aws-perspective/). Besides, they aren't suitable for running entire Kubernetes nodes inside them. Therefore, Constellation uses regular EC2 instances on AWS [Nitro](https://aws.amazon.com/ec2/nitro/) without runtime encryption. Attestation is based on the [NitroTPM], which is a vTPM managed by the Nitro hypervisor. Hence, the hypervisor is currently part of Constellation's TCB.
 
 ## OpenStack
 

docs/docs/workflows/create.md

@@ -33,6 +33,13 @@ constellation config generate azure
 constellation config generate gcp
 ```
 
+</tabItem>
+<tabItem value="aws" label="AWS">
+
+```bash
+constellation config generate aws
+```
+
 </tabItem>
 </tabs>
 

docs/docs/workflows/recovery.md

@@ -87,6 +87,37 @@ If this fails due to an unhealthy control plane, you will see log messages simil
 
 This means that you have to recover the node manually.
 
+</tabItem>
+<tabItem value="aws" label="AWS">
+
+First, open the AWS console to view all Auto Scaling Groups (ASGs) in the region of your Constellation. Select the ASG of the control-plane `<cluster-name>-<UID>-control-plane` and check that enough members are in a *Running* state.
+
+Second, check the boot logs of these *Instances*. In the ASG's *Instance management* view, select each desired instance. In the upper right corner, select **Action > Monitor and troubleshoot > Get system log**.
+
+In the serial console output, search for `Waiting for decryption key`.
+Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk):
+
+```json
+{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"}
+{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"}
+{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"}
+{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"}
+```
+
+The node will then try to connect to the [*JoinService*](../architecture/components.md#joinservice) and obtain the decryption key.
+If this fails due to an unhealthy control plane, you will see log messages similar to the following:
+
+```json
+{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]}
+{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"}
+{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"}
+{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"}
+{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"}
+{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"}
+```
+
+This means that you have to recover the node manually.
+
 </tabItem>
 </tabs>
 

docs/docs/workflows/scale.md

@@ -63,6 +63,15 @@ Alternatively, you can manually scale your cluster up or down:
 2. **Edit** the **worker** instance group.
 3. Set the new **number of instances** and **save**.
 
+</tabItem>
+<tabItem value="aws" label="AWS">
+
+:::caution
+
+Scaling isn't yet implemented for AWS. If you require this feature, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md)!
+
+:::
+
 </tabItem>
 </tabs>
 
@@ -88,6 +97,15 @@ To increase the number of control-plane nodes, follow these steps:
 2. **Edit** the **control-plane** instance group.
 3. Set the new (increased) **number of instances** and **save**.
 
+</tabItem>
+<tabItem value="aws" label="AWS">
+
+:::caution
+
+Scaling isn't yet implemented for AWS. If you require this feature, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md)!
+
+:::
+
 </tabItem>
 </tabs>
 

docs/docs/workflows/storage.md

@@ -36,6 +36,17 @@ This includes support for [volume snapshots](https://cloud.google.com/kubernetes
 You can use them to bring a volume back to a prior state or provision new volumes.
 Follow the instructions on how to [install the Constellation CSI driver](#installation) or check out the [repository](https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver) for information about the configuration.
 
+</tabItem>
+<tabItem value="aws" label="AWS">
+
+:::caution
+
+Confidential storage isn't yet implemented for AWS. If you require this feature, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md)!
+
+You may use other (non-confidential) CSI drivers that are compatible with Kubernetes on AWS.
+
+:::
+
 </tabItem>
 </tabs>
 
@@ -110,6 +121,17 @@ The following installation guide gives an overview of how to securely use CSI-ba
     EOF
     ```
 
+</tabItem>
+<tabItem value="aws" label="AWS">
+
+:::caution
+
+Confidential storage isn't yet implemented for AWS. If you require this feature, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md)!
+
+You may use other (non-confidential) CSI drivers that are compatible with Kubernetes on AWS.
+
+:::
+
 </tabItem>
 </tabs>
 
@@ -267,5 +289,16 @@ The examples above are defined to be automatically set as the default storage cl
       encrypted-storage (default) gcp.csi.confidential.cloud  1d
       ```
 
+</tabItem>
+<tabItem value="aws" label="AWS">
+
+:::caution
+
+Confidential storage isn't yet implemented for AWS. If you require this feature, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md)!
+
+You may use other (non-confidential) CSI drivers that are compatible with Kubernetes on AWS.
+
+:::
+
 </tabItem>
 </tabs>

docs/docs/workflows/troubleshooting.md

@@ -35,5 +35,13 @@ Constellation uses the default bucket to store logs. Its [default retention peri
 
 :::
 
+</tabItem>
+<tabItem value="aws" label="AWS">
+
+1. Open [AWS CloudWatch](https://console.aws.amazon.com/cloudwatch/home)
+2. Select [Log Groups](https://console.aws.amazon.com/cloudwatch/home#logsV2:log-groups)
+3. Select the log group that matches the name of your cluster.
+4. Select the log stream for control or worker type nodes.
+
 </tabItem>
 </tabs>