# Setup BYOC with AWS

**BYOC** is our recommended setup option, in which our platform's infrastructure is installed in a cloud environment owned by your organization, allowing you to delegate its entire setup, update, and maintenance to groundcover.

To install groundcover BYOC, sign up to [groundcover Console](https://console.groundcover.com) and start the installation process.

<figure><img src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2FDJlRxIgKRSsrp6BlMAzk%2Fimage.png?alt=media&#x26;token=ebae8ea5-6002-42e7-9bb9-517a66be4782" alt=""><figcaption></figcaption></figure>

## Installation steps

BYOC requires to create an isolated account within your AWS organization, that will be managed by groundcover's control plane and will establish, configure, and maintain the infrastructure and workloads within the account. These include AWS VPC, S3, EKS, LB, etc.

groundcover BYOC can be deployed using one the following configurations:

{% hint style="info" %}
In line with AWS’s recommended unit of containerization, the default and preferable option is to deploy in a dedicated AWS account. This acts as an identity, resources, quota and access management isolation boundary.
{% endhint %}

* <mark style="background-color:purple;">**Option A:**</mark>**&#x20;Creating a new, dedicated sub-account**

We recommend naming the account \[`groundcover-byoc`] and placing the account in `OU=Infrastructure/OU=Managed`. For additional information please see [Establishing your best practice AWS environment](https://aws.amazon.com/organizations/getting-started/best-practices/) *(external link to a page on the AWS website)*.

* <mark style="background-color:purple;">**Option B:**</mark>**&#x20;Use an existing AWS account**

If you prefer using a single account approach, BYOC can also be deployed into an existing account, running alongside existing production workloads in your existing AWS account. To limit access and prevent resource collusion, we implement a “scoping territory” approach using ABAC tags for access control and VPC subnets for network control.

Once the account is ready, start the installation process through the Console. The entire process should run for about 20-30 minutes. Upon completion, you will see a Go to App button that will lead you to your dedicated workspace.

### Troubleshooting

There are 2 types of potential problems you may encounter in the installation process:

1. **Validation issues** - before kicking off the installation process, groundcover will verify that the provided role has the correct permissions. In case of validation issues, please expand the relevant section and address the validation issue. After the issue is fixed, click on Validate again to ensure all the permissions were granted properly.

&#x20;                                               ![](https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2F4cW21zmlWDB5JaxFjYys%2Fimage.png?alt=media\&token=0f1f7094-c9ee-4095-85e4-9d45b619f103)

2. **Deployment issues** - once the installation process has started, we may encounter issues while attempting to install one or more components. These issues will appear in the backends main screen.   \
   \
   If the issues persist, [reach out to our team](https://www.groundcover.com/join-slack).<br>

### Add monitoring to your environment

Once groundcover backend is deployed, the final step is to add data sources to monitor your environment, such as deploying our sensors to monitor your clusters or add cloud providers. To do so, go to the [data sources page](https://app.groundcover.com/data-sources) and select the relevant data sources for your needs.&#x20;

***