AWS CloudFormation
Deploy the OnePAM Zero Trust Access Gateway on AWS using CloudFormation.
CloudFormation Stack
Deploy a production-ready OnePAM gateway on AWS with a single CloudFormation template. Includes EC2 Auto Scaling, IAM roles, security groups, and optional S3 session recording.
aws cloudformation deploy \
--template-file cloudformation-gateway.yaml \
--stack-name onepam-gateway \
--capabilities CAPABILITY_IAM
Architecture
The CloudFormation template provisions the following resources:
Compute
- EC2 Launch Template
- Auto Scaling Group (1–3 instances)
- cloud-init user data
Security
- Security Group (SSH, HTTPS, VPN)
- IAM Role + Instance Profile
- SSM Parameter Store integration
Storage
- S3 bucket for session recordings
- IAM policy for S3 access
- EBS-backed root volumes
Stack Parameters
Required Parameters
| Parameter | Description |
|---|---|
| GatewayId | Gateway ID from your OnePAM instance |
| ApiUrl | OnePAM server URL (e.g. https://your-instance.onepam.com) |
| ApiToken | API token for gateway authentication |
| VpcId | VPC ID for security group placement |
| SubnetId | Subnet ID for the EC2 instances |
Optional Parameters
| Parameter | Default | Description |
|---|---|---|
| InstanceType | t3.small | EC2 instance type |
| DesiredCapacity | 1 | ASG desired instance count |
| MaxSize | 3 | ASG maximum instance count |
| S3RecordingBucket | - | S3 bucket for session recordings |
| AcmeDomain | - | Domain for Let's Encrypt TLS |
| AcmeEmail | - | ACME registration email |
| EnableVPN | false | Enable WireGuard VPN |
| KeyPairName | - | EC2 key pair for SSH access |
Quick Start
Deploy via AWS CLI
# Download the template
curl -fsSL -o cloudformation-gateway.yaml \
https://raw.githubusercontent.com/onepamcom/onepam-terraform/main/cloudformation-gateway.yaml
# Deploy the stack
aws cloudformation deploy \
--template-file cloudformation-gateway.yaml \
--stack-name onepam-gateway \
--capabilities CAPABILITY_IAM \
--parameter-overrides \
GatewayId="YOUR-GATEWAY-ID" \
ApiUrl="https://your-instance.onepam.com" \
ApiToken="YOUR-API-TOKEN" \
VpcId="vpc-0123456789abcdef0" \
SubnetId="subnet-0123456789abcdef0"
# Check stack status
aws cloudformation describe-stacks \
--stack-name onepam-gateway \
--query 'Stacks[0].StackStatus'
Deploy via AWS Console
- Navigate to CloudFormation in the AWS Console
- Click Create stack > With new resources
- Upload cloudformation-gateway.yaml
- Fill in the required parameters (Gateway ID, API URL, API Token, VPC, Subnet)
- Acknowledge IAM capability and create the stack
Production Deployment
For production, enable S3 session recording and TLS:
aws cloudformation deploy \
--template-file cloudformation-gateway.yaml \
--stack-name onepam-gateway-prod \
--capabilities CAPABILITY_IAM \
--parameter-overrides \
GatewayId="YOUR-GATEWAY-ID" \
ApiUrl="https://your-instance.onepam.com" \
ApiToken="YOUR-API-TOKEN" \
VpcId="vpc-0123456789abcdef0" \
SubnetId="subnet-0123456789abcdef0" \
InstanceType="t3.medium" \
DesiredCapacity="2" \
MaxSize="5" \
S3RecordingBucket="my-onepam-recordings" \
AcmeDomain="gateway.example.com" \
AcmeEmail="[email protected]" \
EnableVPN="true"
Security Note: Store the ApiToken in AWS Secrets Manager or SSM Parameter Store rather than passing it directly. The template supports SSM parameter references. Keep in mind that any value passed through --parameter-overrides lands in your shell history and is stored as a stack parameter, which describe-stacks returns to anyone with read access to the stack unless the template declares that parameter with NoEcho. Passing only a parameter name and letting the template resolve the value at deploy time avoids both.
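A deploy wrapper for the commands above, added here as an example and not part of the OnePAM template or its documentation. It validates the VPC and subnet ids and the API URL before calling AWS, and reads ApiToken from an SSM SecureString with the CLI instead of typing it on the command line. The SSM parameter name /onepam/gateway/api-token, the stack and resource names, and the assumption that you are using AWS CLI v2 with SSM and KMS read permissions are all illustrative:

```shell
#!/usr/bin/env bash
# Added example (not from the OnePAM template or docs): validate deploy
# inputs and pull the API token from SSM Parameter Store at deploy time.
set -eu

# Accept only well-formed ids: prefix, dash, then 8 or 17 lowercase hex chars.
valid_aws_id() {
  local prefix=$1 value=$2
  printf '%s\n' "$value" | grep -Eq "^${prefix}-([0-9a-f]{8}|[0-9a-f]{17})$"
}

# The gateway must reach OnePAM over TLS; refuse a plain http URL.
valid_api_url() {
  printf '%s\n' "$1" | grep -Eq '^https://[A-Za-z0-9.-]+(:[0-9]+)?(/.*)?$'
}

# Decrypt a SecureString with the caller's KMS permissions. The token never
# appears in a script, a shell history entry, or a committed file.
fetch_api_token() {
  aws ssm get-parameter --name "$1" --with-decryption \
    --query 'Parameter.Value' --output text
}

deploy_gateway() {
  local stack=$1 gateway_id=$2 api_url=$3 vpc_id=$4 subnet_id=$5 token_param=$6
  valid_aws_id vpc "$vpc_id"       || { echo "bad VpcId: $vpc_id" >&2; return 1; }
  valid_aws_id subnet "$subnet_id" || { echo "bad SubnetId: $subnet_id" >&2; return 1; }
  valid_api_url "$api_url"         || { echo "ApiUrl must start with https://" >&2; return 1; }
  local token
  token=$(fetch_api_token "$token_param")
  [ -n "$token" ] || { echo "empty token at $token_param" >&2; return 1; }

  # Same command as the Quick Start; deploy waits for the stack to settle.
  aws cloudformation deploy \
    --template-file cloudformation-gateway.yaml \
    --stack-name "$stack" \
    --capabilities CAPABILITY_IAM \
    --parameter-overrides \
      GatewayId="$gateway_id" ApiUrl="$api_url" ApiToken="$token" \
      VpcId="$vpc_id" SubnetId="$subnet_id"
}

# Usage (placeholder values; the SSM parameter name is an assumption):
# deploy_gateway onepam-gateway YOUR-GATEWAY-ID https://your-instance.onepam.com \
#   vpc-0123456789abcdef0 subnet-0123456789abcdef0 /onepam/gateway/api-token
```

This keeps the token out of scripts and shell history, but the decrypted value is still handed to CloudFormation as a stack parameter, so it is only as private as the template's NoEcho setting and your cloudformation:DescribeStacks permissions. Where the template's own SSM reference support fits your setup, passing the parameter name instead of the value is the stronger option.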
Stack Management
# Update the stack
aws cloudformation deploy \
--template-file cloudformation-gateway.yaml \
--stack-name onepam-gateway \
--capabilities CAPABILITY_IAM \
--parameter-overrides DesiredCapacity="3"
# View stack events
aws cloudformation describe-stack-events \
--stack-name onepam-gateway
# Delete the stack (the call returns immediately; wait for deletion to finish)
aws cloudformation delete-stack \
--stack-name onepam-gateway
aws cloudformation wait stack-delete-complete \
--stack-name onepam-gateway
# If the stack created the recording bucket, a non-empty bucket leaves the
# stack in DELETE_FAILED until the bucket is emptied.
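The raw describe-stack-events output above is long and newest-first, and once one resource fails CloudFormation cancels every other in-flight resource, so most CREATE_FAILED lines are fallout rather than the cause. The following triage helper is an added example, not part of the OnePAM template or docs: it sorts the events oldest-first and prints the first failure that is not a cancellation. The sample events, their logical resource ids and error text are constructed for illustration and do not come from the real template:

```shell
#!/usr/bin/env bash
# Added example (not from the OnePAM template or docs): find the root-cause
# resource failure in a stack's event history.
set -eu

# Events from AWS as tab-separated text: timestamp, logical id, status, reason.
# The API returns newest first; the functions below re-sort by timestamp.
stack_events() {
  aws cloudformation describe-stack-events --stack-name "$1" \
    --query 'StackEvents[].[Timestamp,LogicalResourceId,ResourceStatus,ResourceStatusReason]' \
    --output text
}

# All *_FAILED events, oldest first, minus the "Resource creation cancelled"
# entries CloudFormation emits for resources that never really started.
# ISO 8601 timestamps at the start of each line make a plain sort chronological.
all_failures() {
  sort | awk -F'\t' '$3 ~ /_FAILED$/ && $4 !~ /cancelled/ { print $2 ": " $4 }'
}

# The earliest real failure is the root cause; later ones are usually fallout.
root_cause() {
  all_failures | head -n 1
}

triage_stack() {
  stack_events "$1" | root_cause
}

# Constructed sample, newest first as the API would return it. Logical ids
# and messages are illustrative, not taken from the real template.
sample_events() {
  printf '%s\t%s\t%s\t%s\n' \
    '2024-05-01T10:00:14.000000+00:00' 'onepam-gateway' 'ROLLBACK_IN_PROGRESS' \
      'The following resource(s) failed to create: [GatewaySecurityGroup, GatewayRecordingBucket]. Rollback requested by user.' \
    '2024-05-01T10:00:13.000000+00:00' 'GatewayRole' 'CREATE_FAILED' 'Resource creation cancelled' \
    '2024-05-01T10:00:12.000000+00:00' 'GatewayRecordingBucket' 'CREATE_FAILED' 'my-onepam-recordings already exists' \
    '2024-05-01T10:00:11.000000+00:00' 'GatewaySecurityGroup' 'CREATE_FAILED' \
      "The vpc ID 'vpc-0123456789abcdef0' does not exist (Service: AmazonEC2; Status Code: 400; Error Code: InvalidVpcID.NotFound)" \
    '2024-05-01T10:00:10.000000+00:00' 'GatewaySecurityGroup' 'CREATE_IN_PROGRESS' 'None'
}

# Usage against a real stack: triage_stack onepam-gateway
# Offline, on the constructed sample: sample_events | root_cause
```

On the sample this prints the security group's InvalidVpcID.NotFound message and skips the two cancelled resources; the bucket-name collision is a second, independent failure that all_failures still lists.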