AWS Integrations

Introduction

This document shows information related to AWS Integration.

The AWS integration is used to fetch logs and metrics from Amazon Web Services.

The usage of the AWS integration is to collect metrics and logs across many AWS services managed by your AWS account.

Assumptions

The procedures described in Section 3 assumes that a Log Collector has already been setup.

Requirements

Before using the AWS integration you will need:

AWS Credentials to connect with your AWS account.
AWS Permissions to make sure the user you're using to connect has permission to share the relevant data.

AWS Credentials

Use access keys directly (Option 1 Recommended)

Access keys are long-term credentials for an IAM user or the AWS account root user. To use access keys as credentials, you need to provide:

access_key_id: The first part of the access key.
secret_access_key: The second part of the access key.

Use an IAM role Amazon Resource Name (ARN)

To use an IAM role ARN, you need to provide either a credential profile or access keys along with the role_arn advanced option. role_arn is used to specify which AWS IAM role to assume for generating temporary credentials.

Use a shared credentials file (Option 2)

Instead of providing the access_key_id and secret_access_key directly to the integration, you will provide two advanced options to look up the access keys in the shared credentials file:

credential_profile_name: The profile name in shared credentials file.

shared_credential_file: The directory of the shared credentials file.

Access keys are long-term credentials for an IAM user or the AWS account root user. To use access keys as credentials, you need to provide:

access_key_id: The first part of the access key.
secret_access_key: The second part of the access key.

AWS Permissions

Specific AWS permissions are required for the IAM user to make specific AWS API calls. To enable the AWS integration to collect metrics and logs from all supported services, make sure to give necessary permissions which CyTech to monitor.

Reference permissions:

ec2:DescribeInstances
ec2:DescribeRegions
cloudwatch:GetMetricData
cloudwatch:ListMetrics
iam:ListAccountAliases
rds:DescribeDBInstances
rds:ListTagsForResource
s3:GetObject
sns:ListTopics
sqs:ChangeMessageVisibility
sqs:DeleteMessage
sqs:ListQueues
sqs:ReceiveMessage
sts:AssumeRole
sts:GetCallerIdentity
tag:GetResources

AWS Integrations Procedures

Access Key ID and Secret Access Key:

These are associated with AWS Identity and Access Management (IAM) users and are used for programmatic access to AWS services. To find them:

Access the AWS Management Console.
Go to the "IAM" (Identity and Access Management) service.
Select the IAM user for which you want to retrieve the access keys.
Under the "Security credentials" tab, you can find the Access Key ID and you can create a new Secret Access Key if needed.

S3 Bucket ARN:

You can find the Amazon Resource Name (ARN) for an S3 bucket in the S3 Management Console or by using the AWS CLI. It typically looks like this:

Access the AWS Management Console.
Go to S3 Bucket Service
Navigate properties.
Find the ARN under Bucket overview
Sample: arn:aws:s3:::your-bucket-name

Log Group ARN:

Log Groups are associated with AWS CloudWatch Logs. You can find the ARN for a log group as follows:

Access the AWS Management Console.
Go to the "CloudWatch" service.
In the CloudWatch Logs section, select the log group you're interested in.
Select the log group that you want to open.
In the details of the log group, you will find the ARN.

SQS Queue URL: (Ignore if you're not using SQS Queue URL)

To find the URL of an Amazon Simple Queue Service (SQS) queue:

Access the AWS Management Console.
Go to the "SQS" service.
Select the specific queue you're interested in.
In the queue details, you can find the Queue URL

Please provide the following information to CyTech:

Access Key ID
Secret Access Key

S3 Bucket ARN
Log Group ARN
SQS Queue URL : (Ignore if you're not using SQS Queue URL)