Installing a cluster on AWS into a Secret or Top Secret Region

In {product-title} version {product-version}, you can install a cluster on Amazon Web Services (AWS) into the following secret regions:

Secret Commercial Cloud Services (SC2S)
Commercial Cloud Services (C2S)

To configure a cluster in either region, you change parameters in the install config.yaml file before you install the cluster.

Prerequisites

You reviewed details about the {product-title} installation and update processes.
You read the documentation on selecting a cluster installation method and preparing it for users.

You configured an AWS account to host the cluster.

Important

If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multifactor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use long-lived credentials. To generate appropriate keys, see Managing Access Keys for IAM Users in the AWS documentation. You can supply the keys when you run the installation program.

If you use a firewall, you configured it to allow the sites that your cluster requires access to.
If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the kube-system namespace, you can manually create and maintain IAM credentials.