AWS

Overview

AWS is a comprehensive and widely adopted cloud platform, offering an extensive range of services and solutions to power your applications and infrastructure. With Rely.io's integration, you can maximize the benefits of AWS's offerings by tapping into a broad array of information around various AWS services.

Installation Guide

To successfully set up the integration with AWS, follow the steps detailed below:

1. Start Creating an AWS User

Log into your AWS Management Console and navigate to IAM > Users.

  1. Click Add users.

  2. Enter a name for your user (e.g. "Rely")

  3. Click Next

Note: You can leave the "Provide user access to the AWS Management Console" option unchecked, as Rely only requires programmatic access.

Step 2 of this form is meant for you to specify the new user's policies.

2. Create an access Policy with the appropriate permissions

  1. In the Permission options section click the Attach Policies Directly tab

  2. Click the Create Policy button

This will open the policy creation wizard in a new browser tab.

  1. Click the JSON button to open a configuration input box, then paste the following payload.

AWS Policy Config
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "elasticloadbalancing:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "autoscaling:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "rds:Describe*",
                "rds:ListTagsForResource",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricData",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "devops-guru:GetResourceCollection"
            ],
            "Resource": "*"
        },
        {
            "Action": [
                "devops-guru:SearchInsights",
                "devops-guru:ListAnomaliesForInsight"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "devops-guru:ServiceNames": [
                        "RDS"
                    ]
                },
                "Null": {
                    "devops-guru:ServiceNames": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:Describe*",
                "s3-object-lambda:Get*",
                "s3-object-lambda:List*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:Describe*",
                "cloudformation:EstimateTemplateCost",
                "cloudformation:Get*",
                "cloudformation:List*",
                "cloudformation:ValidateTemplate",
                "cloudformation:Detect*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:DescribeStacks",
                "cloudformation:ListStacks",
                "cloudformation:ListStackResources",
                "cloudwatch:GetMetricData",
                "cloudwatch:ListMetrics",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "kms:ListAliases",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "logs:DescribeLogGroups",
                "lambda:Get*",
                "lambda:List*",
                "states:DescribeStateMachine",
                "states:ListStateMachines",
                "tag:GetResources",
                "xray:GetTraceSummaries",
                "xray:BatchGetTraces"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "logs:FilterLogEvents",
                "logs:StartQuery",
                "logs:StopQuery",
                "logs:DescribeQueries",
                "logs:GetLogGroupFields",
                "logs:GetLogRecord",
                "logs:GetQueryResults"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/*"
        },
        {
            "Sid": "AWSOrganizationsReadOnly",
            "Effect": "Allow",
            "Action": [
                "organizations:Describe*",
                "organizations:List*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AWSOrganizationsReadOnlyAccount",
            "Effect": "Allow",
            "Action": [
                "account:GetAlternateContact",
                "account:GetContactInformation",
                "account:ListRegions"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchReadOnlyAccessPermissions",
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:DescribeScalingPolicies",
                "autoscaling:Describe*",
                "cloudwatch:BatchGet*",
                "cloudwatch:Describe*",
                "cloudwatch:GenerateQuery",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "logs:Get*",
                "logs:List*",
                "logs:StartQuery",
                "logs:StopQuery",
                "logs:Describe*",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents",
                "logs:StartLiveTail",
                "logs:StopLiveTail",
                "oam:ListSinks",
                "sns:Get*",
                "sns:List*",
                "rum:BatchGet*",
                "rum:Get*",
                "rum:List*",
                "synthetics:Describe*",
                "synthetics:Get*",
                "synthetics:List*",
                "xray:BatchGet*",
                "xray:Get*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "OAMReadPermissions",
            "Effect": "Allow",
            "Action": [
                "oam:ListAttachedLinks"
            ],
            "Resource": "arn:aws:oam:*:*:sink/*"
        },
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "eks:ListEksAnywhereSubscriptions",
                "eks:DescribeFargateProfile",
                "eks:ListTagsForResource",
                "eks:DescribeInsight",
                "eks:ListAccessEntries",
                "eks:ListAddons",
                "eks:DescribeEksAnywhereSubscription",
                "eks:DescribeAddon",
                "eks:ListAssociatedAccessPolicies",
                "eks:DescribeNodegroup",
                "eks:ListUpdates",
                "eks:DescribeAddonVersions",
                "eks:ListIdentityProviderConfigs",
                "eks:ListNodegroups",
                "eks:DescribeAddonConfiguration",
                "eks:DescribeAccessEntry",
                "eks:DescribePodIdentityAssociation",
                "eks:ListInsights",
                "eks:ListPodIdentityAssociations",
                "eks:ListFargateProfiles",
                "eks:DescribeIdentityProviderConfig",
                "eks:DescribeUpdate",
                "eks:AccessKubernetesApi",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "eks:ListAccessPolicies"
            ],
            "Resource": "*"
        }
    ]
}
  1. Click Next

  2. Assign a descriptive name to your Policy (e.g. "RelyPermissionsPolicy")

  3. You should see a pop-up indicating that your policy has just been created
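One way to review the policy before attaching it, shown as an added example that is not part of Rely.io's documentation. It flags actions whose verb is not Describe/List/Get and wildcard grants that cover data reads on every resource. The embedded policy is an excerpt of three statements from the payload above, and the verb list and data-read list are assumptions chosen for this review.

```python
from fnmatch import fnmatchcase

# Constructed excerpt: three statements taken from the policy above, with the
# action lists trimmed. It is not the full policy.
POLICY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:Get*", "s3:List*", "s3:Describe*"]},
        {"Effect": "Allow",
         "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/*",
         "Action": ["logs:GetLogEvents", "logs:StartQuery"]},
        {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
         "Action": ["eks:DescribeCluster", "eks:ListClusters",
                    "eks:AccessKubernetesApi"]},
    ],
}

# Assumption: verbs this review treats as read-only metadata calls.
READ_VERBS = ("Describe", "List", "Get", "BatchGet")
# Assumption: data-plane reads a reviewer wants scoped to named resources.
DATA_READS = ("s3:GetObject", "logs:GetLogEvents", "logs:FilterLogEvents")


def as_list(value):
    """IAM accepts a bare string where a list is expected."""
    return value if isinstance(value, list) else [value]


def review(policy):
    """Return (statement label, action, reason) tuples that need a manual look."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid", f"Statement[{i}]")
        unscoped = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            verb = action.partition(":")[2]
            if not verb.startswith(READ_VERBS):
                findings.append((label, action, "verb is not Describe/List/Get"))
            # IAM action names are case-insensitive and support * and ? wildcards.
            hits = [d for d in DATA_READS if fnmatchcase(d.lower(), action.lower())]
            if unscoped and hits:
                findings.append((label, action,
                                 "data read on every resource: " + ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for finding in review(POLICY_EXCERPT):
        print(*finding, sep=" | ")
```

To review the whole payload, load the JSON you pasted into the wizard with json.load and pass the result to review().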

3. Create a User associated with the Access Policy that was just created

  1. Go back to the tab you were on before clicking Create Policy.

  2. Hit the refresh button beside the Create Policy button. This will refresh the list of available policies to select from.

  3. Search for the policy name you picked earlier.

  4. Select the policy that you have just created and click Next

  5. Review the user's configuration and click Create User

  6. You should see a pop-up indicating that your user has just been created. In it there's a button labeled View User; click it.

4. Collect the Required AWS information

  1. Inside the User's page, hit Create access key

  2. Select Third-party provider

  3. At this point AWS will tell you about the possibility of creating temporary security credentials instead of long-term ones. This would require you to redo the Rely plugin configuration periodically. You can just confirm your choice and click Next

  4. You can just ignore the long tag value and hit Create access Key

  5. Keep this tab open for the following step, as you'll need to copy and paste the Access Key and Secret Access Key soon enough

  6. You will also need to know your organization's Account ID which can be seen by opening up the user menu situated in the top-right corner of your AWS console.

5. Connect to the Rely Platform

You can now return to the Rely.io platform and start the integration process with AWS CloudWatch. Open the Rely platform and start by navigating to the data-sources page. Click the "Add Data Source" button and select "AWS".

This will prompt a modal to appear asking you for the information necessary to successfully integrate your AWS CloudWatch account.

Start by giving an expressive name to your data source instance by filling in the "Collector Name" field. This is a unique name that will allow you to distinguish between multiple data source instances.

Fill in all of the values according to the information you obtained in step 4 of this guide. Click Create to finish the integration process.

After you submit your form, an entity discovery run will be kickstarted that can take a few minutes. By the end of this discovery run:

  • New blueprints will be added to your data model

  • Entities will be queried from the data source and added to your software catalog

  • These entities will be periodically updated to ensure they remain in sync with their external counterparts