Private Computation: Get Started

Before starting your Private Computation setup, please review the recommendations and guidelines below. You can then follow the step-by-step Setup Guide.


You’ll need the below work to be done by someone (engineers) with permissions and familiarity with the following components:

  1. Domain name service (for setting DNS A record for Conversions API Gateway subdomain).
  2. Basic knowledge and permissions to access AWS services like IAM, S3 - Creating and Reading, VPC - creation, Peering, Route Tables (all these creations will happen through scripts).
  3. Making API calls (for using Private Computation Graph API).
  4. Debugging and log reading.
  5. If not using the UI: familiarity with running shell commands.
  6. Only for clients who need/want to prepare their own conversion data: SQL and hashing.
  7. Please make sure you have reviewed the following AWS Prerequisites and Permission requirements:

Business Pre-Check Questions

Business Information

Please be prepared to provide the following:

  • Business ID associated with ad accounts that you want to measure.
  • App ID for the app that you make API calls with. Check with your technical partners as this may not be the same app that is used to send events to Meta.
    • Please also share the business ID that owns the app.
  • Add the account ID to be measured.

Expected Timeline

  • What is the target date for completion of your first Private Lift run?
  • What is the target date for setting up the infrastructure?

Traffic Sources and Volume

  • Where is the traffic coming from? Web, app, offline, or some combination?
    • For web traffic, what is the Meta Pixel ID that sends the events you would like to measure with Private Measurement products?
    • For app traffic, what is the App ID that sends the events you would like to measure with Private Measurement products?
  • Provide an estimate for the amount of event data you expect to process. An approximate number of processed events (100K, 1M, 10M, 100M, and so on) is acceptable.
    • What’s the approximate number of conversion records per day?
    • How many days of conversion data do you expect to use for a given study?
    • What is the approximate spike/average traffic volume per second of the events with each pixel/app?

Questions About Your Amazon Web Services (AWS) Account

AWS Account Basics

  • In which AWS region will you be deploying your infrastructure?
  • Is this region required or can it be changed?

AWS Network Modes

  • Will you use an existing AWS account or create a new account?
  • If using an existing AWS account, in your region, do you have EC2-Classic in network modes or a default Virtual Private Cloud (VPC) defined?

VPC Requirements

In your region, do you still have a quota to create a new VPC?

AWS Account Policy Limitations

  • Do your service control policies (SCP) limit external access?
  • Can your AWS account access the Private Computation resources located in the Elastic Container Registry (ECR) and S3?

Security Credentials

Are you using AWS temporary security credentials (for example, AssumeRole)? If so, what is the minimum length of the required token?

A minimum 12-hour expiration length for the temporary credentials of the Assumed Roles is required.

Guide to Answering AWS Pre-Check Questions

AWS Network Mode

  • Open the Amazon EC2 console at
  • In the navigation bar, use the Region selector on the top right to select your Region.
  • On the Amazon EC2 console dashboard, look for Supported Platforms under Account Attributes.

If you have “EC2” in supported platforms, this means your account in the region is using EC2-Classic.

If the Default VPC is not “vpc-XXXXX”, such as “None”, this means you don’t have Default VPC defined.

Check VPC Numbers

The default limit VPCs per region is 5. This could be increased using the Amazon VPC limits form.

Check Access to Private Computation Resources - S3

  • Log in to your AWS.
  • Open IAM Policy: Simulator.

Check Private Computation S3 Access

  • Choose a Role that contains AmazonS3FullAccess.
  • Select the Service => S3.
  • Select an Action => ListBucket, GetObject.
    • Put arn:aws:s3:::one-docker-repository-prod to bucket.
    • Put arn:aws:s3:::one-docker-repository-prod/private_lift/lift/latest to object.
  • Click Run Simulation.
  • Check if the permission shows allowed or denied.

Check Access to Private Computation Resources - ECR

  • Log in to your AWS.
  • Open IAM Policy: Simulator.

Check Private Computation ECR Access

  • Choose a Role that contains AmazonECSTaskExecutionRolePolicy.
  • Select Service => Elastic Container Registry.
  • Select Action => BatchCheckLayerAvailability, BatchGetImage, GetDownloadUrlForLayer
    • Put arn:aws:ecr:us-west-2:539290649537:repository/one-docker-prod to Simulation Resource.
  • Click Run Simulation.
  • Check if the permission shows allowed or denied.

Begin Setup

If you are ready to begin your Private Computation setup, click on the button below to start on the AWS website.

Start Private Computation Setup

See Also

  • Multi-Party Computation
  • Private Computation Products Overview
  • Setup Guide
  • Reference