reference deployment

IBM Security Guardium Insights on AWS

Cloud data security hub with threat analytics and reporting

This Quick Start deploys IBM Security Guardium Insights on the Amazon Web Services (AWS) Cloud. It is for organizations that want to monitor user data activity from a central console with analytics, threat visualization, and customizable reports. Guardium Insights is a microservices-based, containerized data security application. It runs on the Red Hat OpenShift Container Platform (OCP), a Kubernetes system for container-based workloads. Use the customizable Guardium Insights console for daily data security and compliance tasks, and the OpenShift console to manage the cluster.

This Quick Start was developed by IBM in collaboration with AWS. IBM is an AWS Partner.

  •  What you'll build
  • This Quick Start sets up the following:

    • A reference architecture in a single Availability Zone.
    • A virtual private cloud configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*
    • In the public subnet:
      • An Amazon Elastic Compute Cloud (Amazon EC2) instance for a boot node and bastion host to allow inbound internet access to resources in the private subnet.
      • A managed network address translation (NAT) gateway to allow outbound internet access for resources in the private subnet.*
    • In the private subnet, a Red Hat OpenShift Container Platform (OCP) cluster deployed to Amazon EC2 instances. The cluster contains the following nodes:
      • Control plane nodes to manage the cluster and run the OpenShift web console.
      • Compute nodes in an OpenShift autoscaling group. Guardium Insights runs as a containerized application on the compute nodes.
    • Network Load Balancers for routing internal and external OpenShift API traffic to control plane nodes.
    • A Classic Load Balancer for accessing Guardium Insights on compute nodes from a web browser.
    • Amazon Elastic Block Store (Amazon EBS) for volumes attached to compute nodes to persist container data.
    • Amazon Route 53 for the public Domain Name System (DNS) for resolving domain names of the Guardium Insights console and deployed applications.
    • Amazon Simple Storage Service (Amazon S3) to store the OpenShift pull secret, TLS certificate and key, and OpenShift image registry.
    • AWS Secrets Manager to encrypt, store, and retrieve credentials and secrets for the Guardium Insights deployment.

    *  The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

  •  How to deploy
  • To deploy this Quick Start, follow the instructions in the deployment guide, which includes these steps. The stack takes about 2.5 hours to launch.

    1. Sign in to your AWS account. If you don't have an account, sign up at https://aws.amazon.com.
    2. Create an Amazon S3 bucket.
    3. Obtain an IBM entitlement license for Guardium Insights from the IBM Container Library. The Guardium Insights entitlement includes a required subscription to Red Hat OpenShift.
    4. Upload your Red Hat OpenShift pull secret to the S3 bucket.
    5. Launch the Quick Start. Before you create the stack, choose the AWS Region from the top toolbar. Choose one of the following options:
    6. Log in to the IBM Guardium Insights and Red Hat OpenShift consoles.
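
Steps 2 and 4 as an added example (not part of the Quick Start or its deployment guide): a shell function that creates the bucket with public access blocked and default encryption, then uploads the pull secret. It goes beyond the listed steps by adding that hardening; the bucket name, Region, file path, the object key `pull-secret`, and the `DRY_RUN` switch are assumptions, so use the key your stack parameters expect.

```shell
#!/usr/bin/env bash
# Added example, not from the Quick Start. Bucket, Region, file path and
# object key are caller-supplied assumptions.

# Print the command when DRY_RUN=1 (for review); otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s ' "$@"; printf '\n'
  else
    "$@"
  fi
}

# usage: stage_pull_secret BUCKET REGION PULL_SECRET_FILE [OBJECT_KEY]
stage_pull_secret() {
  bucket=$1; region=$2; secret_file=$3; key=${4:-pull-secret}

  # An OpenShift pull secret is a JSON document with a top-level "auths" map;
  # refuse to upload anything else (empty file, wrong file).
  if [ ! -s "$secret_file" ] || ! grep -q '"auths"' "$secret_file"; then
    echo "not a pull secret: $secret_file" >&2
    return 1
  fi

  # us-east-1 rejects an explicit LocationConstraint; other Regions need it.
  if [ "$region" = "us-east-1" ]; then
    run aws s3api create-bucket --bucket "$bucket" --region "$region" || return 1
  else
    run aws s3api create-bucket --bucket "$bucket" --region "$region" \
      --create-bucket-configuration "LocationConstraint=$region" || return 1
  fi

  # The bucket holds registry credentials: block all public access paths.
  run aws s3api put-public-access-block --bucket "$bucket" --region "$region" \
    --public-access-block-configuration \
    "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true" || return 1

  # Encrypt objects at rest by default (SSE-S3).
  run aws s3api put-bucket-encryption --bucket "$bucket" --region "$region" \
    --server-side-encryption-configuration \
    '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}' || return 1

  run aws s3 cp "$secret_file" "s3://$bucket/$key" --region "$region" \
    --sse AES256 --only-show-errors
}
```

Run it once with `DRY_RUN=1` to review the four AWS CLI calls before executing them against your account.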

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.  

  •  Cost and licenses
  • This Quick Start requires an IBM entitlement license for Guardium Insights from the IBM Container Library, which includes a subscription to Red Hat OpenShift.

    You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start.

    The AWS CloudFormation templates for this Quick Start include configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, refer to the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy the Quick Start, create AWS Cost and Usage Reports to track costs associated with the Quick Start. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information about the report, refer to What are AWS Cost and Usage Reports?