Install AWS integration using IAM

When an AWS account is created, you are signed in as the root user (a single sign-in identity) with unrestricted access to the subscribed AWS services, using an email address and password unique to your organization. As a best practice, avoid using the root user for everyday tasks. Use Identity and Access Management (IAM) credentials to authorize OpsRamp to manage your resources.

Install the AWS integration from the OpsRamp console using an Identity and Access Management (IAM) access key ID and secret access key. IAM is a web service that helps you securely control access to AWS services. For more information, see What is IAM?

Workflow

Process Flow - Installing AWS integration with IAM credentials

AWS configuration

To configure AWS integration:

  1. Sign in to your root account in the AWS management console.

  2. On the navigation bar, click your account name, and choose My Security Credentials.

  3. From the Identity and Access Management navigation pane, click Users > Add user and give a suitable name to the new user.

    Familiarize yourself with Creating users on AWS console.

  4. Select programmatic access as a type of access and click Next: Permissions.

    Programmatic access is for users who require access to the API, AWS CLI, or Tools for Windows PowerShell. The programmatic access option creates an access key ID and secret access key for each new user.

  5. On the Set permissions page, specify how you want to assign permissions to the user and click Next: Tags. Refer to Creating IAM Policies (console).

  6. (Optional) Add metadata to the user by attaching tags as key-value pairs and click Next: Review to see the details.

  7. Click Create user. The page displays the new user's access key ID and secret access key.

  8. Save the access keys by clicking Download .csv and store the file in a safe location.

This is your only opportunity to view or download the secret access key. Store the access key ID and secret access key in a secure place; you cannot retrieve the secret access key again after this step.

OpsRamp configuration

To configure AWS integration:

  1. Click All Clients and from the drop-down list, select a client.

  2. Go to Setup > Integrations and Apps. If apps are already installed, the INSTALLED APPS page is displayed, else the AVAILABLE APPS page is displayed.

  3. Search for AWS app using the search option. You can also use the All Categories dropdown and select the appropriate public cloud category.

  4. Click ADD. The Add AWS page is displayed.

  5. Provide the details in the fields:

    • Name: Give a suitable name for the integration.

    • Region(s): Select the AWS region from the drop-down list. The services that belong to the selected region are onboarded.
      You can select multiple regions to onboard their services.
      If you select two regions A and B and you are not authorized to access region B, onboarding fails for both regions A and B.

    • Integration type: Select IAM.

    • Account Number: Enter the account number.

    • Access Key: Enter the access key ID generated in the AWS console.

    • Security Key: Enter the secret access key generated in the AWS console.

  6. Click NEXT.

    In the Filter page:

  7. Choose Any or All to match any one or all of the defined conditions for filtering.

  8. Select the options for the filter criteria:

    • Resource Type: Lists all the supported resource types.
    • Attribute Name: Lists the attributes for the selected resource type. Attributes depend on the resource type.
    • Logic condition: Logical match criteria for the search: Contains, Not Contains, Equals, Not Equals, Starts With, Ends With, and Regex.
    • Value: Value corresponding to the attribute name and logical condition.

    Select the required resource types.

  9. Click NEXT.

  10. Select the actions you want to run on the services:

    • Manage Device: Discover the AWS services in a managed state.
    • Stream CloudWatch Alarms: Enter the SQS URL to receive alarms. See Configuring Amazon CloudWatch alarms.
    • Ingest unsupported AWS resource alarms: Process all Amazon CloudWatch alarms for AWS services not supported by OpsRamp.
    • Create a resource based on CloudTrail events stream: Enter the SQS URL to receive events. See Configuring Amazon CloudTrail.
    • Stream AWS Events: Enter the SQS URL to receive events. See Configuring AWS Events.
    • Collect Cost Analytics: Collect project cost details of the services used. To collect Cost Analytics, create an Amazon S3 bucket and set it up for collecting AWS billing data. The Amazon S3 bucket can be configured on the root account only.
    • Assign Credentials Matching with Fingerprint: Checks whether the credential set of the EC2 instance matches the credential set of the key pair.
    • Assign Gateway Management Profile: Select the gateway management profile from the drop-down list.

  11. If the agent needs to be installed on the device, click Install Agent (Linux only) and select the device credentials.

    Select Agent Type:

    • Direct: Outbound port 443 is used on EC2 and other types of AWS compute services, such as desktops and servers.
    • Proxy: Outbound port 3128 is used on EC2 and other types of AWS compute services, such as desktops and servers.

  12. Select the Discovery Schedule option to schedule a discovery and define the Recurrence pattern.

  13. To discover the Amazon Web Services in your environment, you can:

    • Set a discovery schedule and define a preferred recurrence pattern. The system scans regularly at the defined schedule to discover any new services added to your environment.

  14. Click FINISH. The AWS app is installed.

    All the discovered services are visible on the Infrastructure page under Resources > AWS.

  15. Click AWS. The list of installed AWS integrations is displayed. You can perform actions such as Edit, Uninstall, and Rescan.

Install AWS integration using IAM AssumeRole

When an AWS account is created, you are signed in as the root user (a single sign-in identity) with unrestricted access to the subscribed AWS services, using an email address and password unique to your organization. As a best practice, avoid using the root user for everyday tasks. Use Identity and Access Management (IAM) credentials to authorize OpsRamp to manage your resources.

Install the AWS integration from the OpsRamp console using an Identity and Access Management (IAM) access key ID and secret access key together with AssumeRole. IAM is a web service that helps you securely control access to AWS services. For more information, see What is IAM?

An IAM role helps you establish a trust relationship between a trusting account and a trusted account. The trusting account owns the AWS services to be accessed, and the trusted account contains the users who need access to those services. AssumeRole returns temporary security credentials that grant access to the AWS services in the trusting account. To learn more, see Providing access to AWS accounts owned by third parties.

Prerequisites

  • You have an AWS root account (trusting account).
  • Create another AWS account (trusted account).

Workflow

Process Flow - Installing AWS integrations with IAM AssumeRole credentials

AWS configuration

To install AWS with IAM AssumeRole credentials:

Step 1: Configure the trusting account

  1. Sign in to the AWS management console with your root account credentials and create a new role.

  2. Select the role type as Another AWS account.

  3. In the Account ID field, enter the AWS account ID of the trusted account, that is, the account to which you want to grant access.

  4. Click Next: Permissions.

  5. Click Create Policy.

  6. On the Create Policy page, click the JSON tab and paste the policy snippet given in the Appendix.

    To learn more about permission policy, refer to Creating IAM Policies (console).

  7. Click Review Policy and give a suitable name to the policy.

  8. Review the role and click Create role.
    The details of the role created are displayed.

  9. Copy the Role ARN to a safe location, such as a text editor like Notepad.

Step 2: Configure the trusted account

  1. Sign in to your trusted account in the AWS management console.

  2. From the navigation pane, click Users > Add user and give a suitable name to the new user.

    For details, see AWS documentation on Creating users on AWS console.

  3. Select programmatic access as a type of access and click Next: Permissions.

    Programmatic access is for users who require access to the API, AWS CLI, or Tools for Windows PowerShell. The programmatic access option creates an access key ID and secret access key for each new user.

    On the Set permissions page, specify how you want to assign permissions to the user and click Next: Tags. Refer to Creating IAM Policies (console).

  4. (Optional) Add metadata to the user by attaching tags as key-value pairs and click Next: Review to see the details.

  5. Click Create user.
    The page displays the new user's access key ID and secret access key.

  6. Save the access keys by clicking Download .csv and store the file in a safe location.

This is your only opportunity to view or download the secret access key. Store the access key ID and secret access key in a secure place; you cannot retrieve the secret access key again after this step.

OpsRamp configuration

  1. Click All Clients and from the drop-down list, select a client.

  2. Go to Setup > Integrations and Apps. If apps are already installed, the INSTALLED APPS page is displayed, else the AVAILABLE APPS page is displayed.

  3. Search for AWS app using the search option. You can also use the All Categories dropdown and select the appropriate public cloud category.

  4. Click ADD. The Add AWS page is displayed.

  5. Provide the details in the fields:

    • Name: Give a suitable name for the integration.

    • Region(s): Select the AWS region from the drop-down list. The services that belong to the selected region are onboarded.

      You can select multiple regions to onboard their services. If you select two regions A and B and you are not authorized to access region B, onboarding fails for both regions A and B.

    • Integration Type: Select IAM with AssumeRole.

    • Account Number: Enter the account number of the trusted account.

    • Access Key: Enter the access key ID generated in the AWS console of the trusted account.

    • Security Key: Enter the secret access key generated in the AWS console of the trusted account.

    • AssumeRole ARN: Enter the Role ARN of the role created in the trusting account, saved in Step 1.

    • External ID: (Optional) Enter the External ID if you want to grant access through this option.

    • Install All Linked Accounts: Select the checkbox if you have landing zones configured for your AWS account and want to onboard the child accounts under the root (trusting) account.

    If you select Install All Linked Accounts, all the linked child accounts are displayed in the list of integrations.

    The discovery profile configuration created for the parent/master/payer account applies to all the child accounts at the time of the first scan. For subsequent scans, edit the discovery profiles individually for each child account.

  6. Click NEXT.

    In the Filter page:

  7. Choose Any or All to match any one or all of the defined conditions for filtering.

  8. Select the options for the filter criteria:

    • Resource Type: Lists all the supported resource types.
    • Attribute Name: Lists the attributes for the selected resource type. Attributes depend on the resource type.
    • Logic condition: Logical match criteria for the search: Contains, Not Contains, Equals, Not Equals, Starts With, Ends With, and Regex.
    • Value: Value corresponding to the attribute name and logical condition.

    Select the required resource types.

  9. Click NEXT.

  10. Select the actions you want to run on the services:

    • Manage Device: Discover the AWS services in a managed state.
    • Stream CloudWatch Alarms: Enter the SQS URL to receive alarms. See Configuring Amazon CloudWatch alarms.
    • Ingest unsupported AWS resource alarms: Process all Amazon CloudWatch alarms for AWS services not supported by OpsRamp.
    • Create a resource based on CloudTrail events stream: Enter the SQS URL to receive events. See Configuring Amazon CloudTrail.
    • Stream AWS Events: Enter the SQS URL to receive events. See Configuring AWS Events.
    • Collect Cost Analytics: Collect project cost details of the services used. To collect Cost Analytics, create an Amazon S3 bucket and set it up for collecting AWS billing data. The Amazon S3 bucket can be configured on the root account only.
    • Assign Credentials Matching with Fingerprint: Checks whether the credential set of the EC2 instance matches the credential set of the key pair.
    • Assign Gateway Management Profile: Select the gateway management profile from the drop-down list.

  11. If the agent needs to be installed on the device, click Install Agent (Linux only) and select the device credentials.

    Select Agent Type:

    • Direct: Outbound port 443 is used on EC2 and other types of AWS compute services, such as desktops and servers.
    • Proxy: Outbound port 3128 is used on EC2 and other types of AWS compute services, such as desktops and servers.

  12. Select the Discovery Schedule option to schedule a discovery and define the Recurrence pattern.

  13. To discover the Amazon Web Services in your environment, you can:

    • Set a discovery schedule and define a preferred recurrence pattern. The system scans regularly at the defined schedule to discover any new services added to your environment.

  14. Click FINISH. The AWS app is installed.

    All the discovered services are visible on the Infrastructure page under Resources > AWS.

  15. Click AWS. The list of installed AWS integrations is displayed. You can perform actions such as Edit, Uninstall, and Rescan.

Appendix: AWS permission policy for allowing access to OpsRamp

{
	"Version": "2012-10-17",
	"Statement": [{
		"Effect": "Allow",
		"Resource": "*",
		"Action": [
			"autoscaling:Describe*",
			"autoscaling:Get*",
			"autoscaling:List*",
			"cloudtrail:Describe*",
			"cloudtrail:Get*",
			"cloudtrail:List*",
			"cloudformation:Describe*",
			"cloudformation:Get*",
			"cloudformation:List*",
			"cloudfront:Describe*",
			"cloudfront:Get*",
			"cloudfront:List*",
			"cloudwatch:Describe*",
			"cloudwatch:Get*",
			"cloudwatch:List*",
			"dynamodb:Describe*",
			"dynamodb:Get*",
			"dynamodb:List*",
			"ec2:Describe*",
			"ec2:Get*",
			"ec2:List*",
			"elasticache:Describe*",
			"elasticache:Get*",
			"elasticache:List*",
			"elasticloadbalancing:Describe*",
			"elasticloadbalancing:Get*",
			"elasticloadbalancing:List*",
			"elasticmapreduce:Describe*",
			"elasticmapreduce:Get*",
			"elasticmapreduce:List*",
			"iam:Describe*",
			"iam:Get*",
			"iam:List*",
			"kinesis:Describe*",
			"kinesis:Get*",
			"kinesis:List*",
			"route53:Describe*",
			"route53:List*",
			"route53:Get*",
			"redshift:Describe*",
			"redshift:List*",
			"redshift:Get*",
			"rds:Describe*",
			"rds:List*",
			"rds:Get*",
			"s3:Describe*",
			"s3:List*",
			"s3:Get*",
			"sdb:Describe*",
			"sdb:List*",
			"sdb:Get*",
			"sns:Describe*",
			"sns:List*",
			"sns:Get*",
			"sqs:Describe*",
			"sqs:Get*",
			"sqs:List*",
			"lambda:list*",
			"lambda:get*",
			"lambda:describe*",
			"MachineLearning:describe*",
			"MachineLearning:list*",
			"MachineLearning:get*",
			"StorageGateway:describe*",
			"StorageGateway:list*",
			"StorageGateway:get*",
			"ApiGateway:describe*",
			"ApiGateway:get*",
			"ApiGateway:list*",
			"ecs:describe*",
			"ecs:get*",
			"ecs:list*",
			"workspaces:list*",
			"workspaces:get*",
			"workspaces:describe*",
			"lightsail:list*",
			"lightsail:get*",
			"lightsail:describe*"
		]
	}]
}

Install AWS integration using IAM AssumeRole and External ID

When an AWS account is created, you are signed in as the root user (a single sign-in identity) with unrestricted access to the subscribed AWS services, using an email address and password unique to your organization. As a best practice, avoid using the root user for everyday tasks. Use Identity and Access Management (IAM) credentials to authorize OpsRamp to manage your resources.

Install the AWS integration from the OpsRamp console using Identity and Access Management (IAM) by granting access through AssumeRole with an External ID. IAM is a web service that helps you securely control access to AWS services. For more information, see What is IAM?

The External ID option lets OpsRamp obtain temporary security credentials for your AWS resources from its own AWS account, instead of you sharing static AWS credentials (Access ID and Secret Key). This aligns with AWS best practices and also addresses the confused deputy problem.

With an External ID, Identity and Access Management (IAM) lets you permit a role (Role ARN) to be assumed only under specific circumstances. With an External ID and Role ARN, you are assured that only OpsRamp assumes the predefined role and manages your resources. The External ID option automatically adds a condition to the role's trust policy that allows OpsRamp to assume the role only if the request includes the correct External ID. For more information, see How to use an External ID when granting access to your AWS services to a third party.
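The trust relationship described in the AssumeRole section and the External ID condition described above, as an added Python example (not OpsRamp or AWS code): it builds the role's trust policy the way the console does for "Another AWS account" with and without "Require External ID", then evaluates AssumeRole requests against it to show that, once an External ID is required, coming from the trusted account is no longer enough on its own. The account numbers and External ID are constructed placeholders.

```python
"""Cross-account trust policy, with and without an External ID condition.

Added example, not OpsRamp or AWS code. The account numbers and the
External ID below are constructed placeholders.
"""
import json
from typing import Dict, Optional

# Constructed placeholders: the trusted account is the one whose users call
# AssumeRole (OpsRamp's side); the role itself lives in the trusting account.
TRUSTED_ACCOUNT = "111111111111"
OTHER_ACCOUNT = "222222222222"
EXTERNAL_ID = "example-external-id-from-opsramp-console"


def trust_policy(trusted_account: str, external_id: Optional[str] = None) -> Dict:
    """Build the role's trust policy (its AssumeRolePolicyDocument).

    "Another AWS account" in the console produces the account-root principal;
    "Require External ID" adds the StringEquals condition on sts:ExternalId.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def can_assume(policy: Dict, caller_account: str, external_id: Optional[str]) -> bool:
    """Evaluate one AssumeRole request against the trust policy.

    Models only the subset used by trust_policy(): an account principal, the
    sts:AssumeRole action and a StringEquals condition on sts:ExternalId. The
    request is allowed only if some Allow statement matches on all three.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != f"arn:aws:iam::{caller_account}:root":
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        # A missing or wrong ExternalId means the condition fails; no Allow applies.
        if required is not None and external_id != required:
            continue
        return True
    return False


def confused_deputy_blocked(trusted_account: str, external_id: str) -> bool:
    """True if requiring an External ID stops a caller from the trusted account
    that presents some other customer's ID (the confused deputy case), while a
    caller with the correct ID still gets through."""
    without = trust_policy(trusted_account)
    with_id = trust_policy(trusted_account, external_id)
    # Without the condition, the trusted account alone is sufficient.
    open_to_any_id = can_assume(without, trusted_account, "someone-elses-id")
    # With the condition, the same caller needs the matching ID.
    wrong_id_denied = not can_assume(with_id, trusted_account, "someone-elses-id")
    right_id_allowed = can_assume(with_id, trusted_account, external_id)
    return open_to_any_id and wrong_id_denied and right_id_allowed


if __name__ == "__main__":
    print(json.dumps(trust_policy(TRUSTED_ACCOUNT, EXTERNAL_ID), indent=2))
    print("confused deputy blocked:", confused_deputy_blocked(TRUSTED_ACCOUNT, EXTERNAL_ID))
```

The printed document is the shape to expect under the role's Trust relationships tab after Step 2; if the sts:ExternalId condition is missing there, "Require External ID" was not selected.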

Workflow

Process Flow - Installing AWS integrations with IAM AssumeRole and External ID credentials

OpsRamp configuration

To install AWS integration with IAM AssumeRole and External ID credentials:

Get the External ID from the OpsRamp console.

  1. Click All Clients and from the drop-down list, select a client.

  2. Go to Setup > Integrations and Apps. If apps are already installed, the INSTALLED APPS page is displayed, else the AVAILABLE APPS page is displayed.

  3. Search for AWS app using the search option. You can also use the All Categories dropdown and select the appropriate public cloud category.

  4. Click ADD. The Add AWS page is displayed.

  5. Provide the details in the fields:

    • Name: Give a suitable name for the integration.

    • Region(s): Select the AWS region from the drop-down list. The services that belong to the selected region are onboarded.

      You can select multiple regions to onboard their services. If you select two regions A and B and you are not authorized to access region B, onboarding fails for both regions A and B.

    • Integration type: Select External ID.

      Your AWS account number and External ID are automatically populated. Copy the account number and External ID in a text editor such as Notepad. You need these details to create a role in the AWS console.

    • AssumeRole ARN: The AssumeRole ARN is generated only after the role is created. To obtain the ARN for this field, go to your AWS account and perform the actions described in Step 2, then return to this page.

Do not close the console window.

AWS configuration

Create the role to be assumed (the AssumeRole ARN) in the AWS console.

  1. Log in to your AWS management console.
  2. Navigate to IAM > Roles > Create Role.
    The Create Role window opens.
  3. Click Another AWS account from the options and enter the AWS Account ID copied from the OpsRamp console in Step 1.
  4. Select the option Require External ID and enter the External ID (copied from the OpsRamp console in Step 1).
  5. Click Next: Permissions.
  6. Click Create Policy.
  7. On the Create Policy page, click the JSON tab and paste the policy snippet given in the Appendix.
    To learn more about permission policy, refer to Creating IAM Policies (console).
  8. Click Review Policy and give a suitable name to the policy.
  9. Review the role and click Create role.
    The details of the role created are displayed.
  10. Copy the Role ARN to a safe location, such as a text editor like Notepad.

OpsRamp configuration

Complete installing the AWS integration in the OpsRamp console.

After you get the credentials from the AWS console, navigate back to the already open OpsRamp console.

  1. Enter the Role ARN (copied from the AWS console) in the AssumeRole ARN field.

  2. Click NEXT.

    In the Filter page:

  3. Choose Any or All to match any one or all of the defined conditions for filtering.

  4. Select the options for the filter criteria:

    • Resource Type: Lists all the supported resource types.
    • Attribute Name: Lists the attributes for the selected resource type. Attributes depend on the resource type.
    • Logic condition: Logical match criteria for the search: Contains, Not Contains, Equals, Not Equals, Starts With, Ends With, and Regex.
    • Value: Value corresponding to the attribute name and logical condition.

    Select the required resource types.

  5. Click NEXT.

  6. Select the actions you want to run on the services:

    • Manage Device: Discover the AWS services in a managed state.
    • Stream CloudWatch Alarms: Enter the SQS URL to receive alarms. See Configuring Amazon CloudWatch alarms.
    • Ingest unsupported AWS resource alarms: Process all Amazon CloudWatch alarms for AWS services not supported by OpsRamp.
    • Create a resource based on CloudTrail events stream: Enter the SQS URL to receive events. See Configuring Amazon CloudTrail.
    • Stream AWS Events: Enter the SQS URL to receive events. See Configuring AWS Events.
    • Collect Cost Analytics: Collect project cost details of the services used. To collect Cost Analytics, create an Amazon S3 bucket and set it up for collecting AWS billing data. The Amazon S3 bucket can be configured on the root account only.
    • Assign Credentials Matching with Fingerprint: Checks whether the credential set of the EC2 instance matches the credential set of the key pair.
    • Assign Gateway Management Profile: Select the gateway management profile from the drop-down list.

  7. If the agent needs to be installed on the device, click Install Agent (Linux only) and select the device credentials.

    Select Agent Type:

    • Direct: Outbound port 443 is used on EC2 and other types of AWS compute services, such as desktops and servers.
    • Proxy: Outbound port 3128 is used on EC2 and other types of AWS compute services, such as desktops and servers.

  8. Select the Discovery Schedule option to schedule a discovery and define the Recurrence pattern.

  9. To discover the Amazon Web Services in your environment, you can:

    • Set a discovery schedule and define a preferred recurrence pattern. The system scans regularly at the defined schedule to discover any new services added to your environment.

  10. Click FINISH. The AWS app is installed.

    All the discovered services are visible on the Infrastructure page under Resources > AWS.

  11. Click AWS. The list of installed AWS integrations is displayed. You can perform actions such as Edit, Uninstall, and Rescan.

Appendix: Example AWS access permission policy

{
	"Version": "2012-10-17",
	"Statement": [{
		"Effect": "Allow",
		"Resource": "*",
		"Action": [
			"autoscaling:Describe*",
			"cloudtrail:Describe*",
			"cloudtrail:Get*",
			"cloudtrail:List*",
			"cloudformation:Describe*",
			"cloudformation:Get*",
			"cloudformation:List*",
			"cloudfront:Describe*",
			"cloudfront:Get*",
			"cloudfront:List*",
			"cloudwatch:Describe*",
			"cloudwatch:Get*",
			"cloudwatch:List*",
			"dynamodb:Describe*",
			"dynamodb:Get*",
			"dynamodb:List*",
			"ec2:Describe*",
			"ec2:Get*",
			"elasticache:Describe*",
			"elasticache:List*",
			"elasticloadbalancing:Describe*",
			"elasticmapreduce:Describe*",
			"elasticmapreduce:Get*",
			"elasticmapreduce:List*",
			"iam:Describe*",
			"iam:Get*",
			"iam:List*",
			"kinesis:Describe*",
			"kinesis:Get*",
			"kinesis:List*",
			"route53:List*",
			"route53:Get*",
			"redshift:Describe*",
			"redshift:List*",
			"redshift:Get*",
			"rds:Describe*",
			"rds:List*",
			"s3:Describe*",
			"s3:List*",
			"s3:Get*",
			"sdb:List*",
			"sdb:Get*",
			"sns:List*",
			"sns:Get*",
			"sqs:Get*",
			"sqs:List*",
			"lambda:list*",
			"lambda:get*",
			"MachineLearning:describe*",
			"MachineLearning:get*",
			"StorageGateway:describe*",
			"StorageGateway:list*",
			"ApiGateway:get*",
			"ecs:describe*",
			"ecs:list*",
			"workspaces:list*",
			"workspaces:describe*",
			"lightsail:get*",
			"dms:Describe*",
			"dms:List*",
			"states:Describe*",
			"states:Get*",
			"states:List*",
			"connect:Describe*",
			"connect:Get*",
			"connect:List*",
			"mq:Describe*",
			"mq:List*",
			"appmesh:Describe*",
			"appmesh:List*",
			"appstream:Describe*",
			"appstream:Get*",
			"appstream:List*",
			"appsync:Get*",
			"appsync:List*",
			"athena:Get*",
			"athena:List*",
			"gamelift:Describe*",
			"gamelift:Get*",
			"gamelift:List*",
			"guardduty:Describe*",
			"guardduty:Get*",
			"guardduty:List*",
			"glue:Get*",
			"glue:List*",
			"kms:Describe*",
			"kms:Get*",
			"kms:List*",
			"lex:Describe*",
			"lex:Get*",
			"lex:List*",
			"kafka:Describe*",
			"kafka:Get*",
			"kafka:List*",
			"translate:Describe*",
			"translate:Get*",
			"translate:List*",
			"cloudhsm:Describe*",
			"cloudhsm:Get*",
			"cloudhsm:List*",
			"cloudsearch:Describe*",
			"cloudsearch:List*",
			"cognito-idp:Describe*",
			"cognito-idp:Get*",
			"cognito-idp:List*",
			"codebuild:Describe*",
			"codebuild:Get*",
			"codebuild:List*",
			"codecommit:Describe*",
			"codecommit:Get*",
			"codecommit:List*",
			"codedeploy:Get*",
			"codedeploy:List*",
			"codepipeline:Get*",
			"codepipeline:List*",
			"directconnect:Describe*",
			"directconnect:List*",
			"elasticfilesystem:Describe*",
			"elasticfilesystem:List*",
			"elasticbeanstalk:Describe*",
			"elasticbeanstalk:List*",
			"es:Describe*",
			"es:Get*",
			"es:List*",
			"elastictranscoder:List*",
			"events:Describe*",
			"events:List*",
			"inspector:Describe*",
			"inspector:Get*",
			"inspector:List*",
			"iot:Describe*",
			"iot:Get*",
			"iot:List*",
			"mediaconnect:Describe*",
			"mediaconnect:List*",
			"mediaconvert:Describe*",
			"mediaconvert:Get*",
			"mediaconvert:List*",
			"mediapackage:Describe*",
			"mediapackage:List*",
			"mediatailor:Get*",
			"mediatailor:List*",
			"opsworks:Describe*",
			"opsworks:Get*",
			"opsworks:List*",
			"sagemaker:Describe*",
			"sagemaker:Get*",
			"sagemaker:List*",
			"waf:Get*",
			"waf:List*",
			"waf-regional:Get*",
			"waf-regional:List*",
			"wafv2:Describe*",
			"wafv2:Get*",
			"wafv2:List*",
			"swf:Describe*",
			"swf:Get*",
			"swf:List*"
		]
	}]
}
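Both Appendix policies are built as read-only grants: every action is a Describe*, Get* or List* wildcard on Resource "*". The following is an added check, not OpsRamp's own tooling, that confirms a pasted policy still has that shape after edits and lists the read-only wildcards that nevertheless expose resource contents rather than inventory metadata, which is the caveat to weigh before granting them. SAMPLE_POLICY is a constructed subset of the Appendix policy with the same structure.

```python
"""Read-only check for an IAM permission policy shaped like the Appendix ones.

Added example, not OpsRamp or AWS tooling. SAMPLE_POLICY is a constructed
subset of the Appendix policy with the same structure and fewer actions.
"""
import json
import re
from typing import Dict, List

SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Resource": "*",
    "Action": [
      "ec2:Describe*",
      "dynamodb:Get*",
      "iam:Get*",
      "iam:List*",
      "s3:List*",
      "s3:Get*",
      "lambda:get*",
      "kms:Describe*"
    ]
  }]
}
""")

# IAM matches action names case-insensitively, so "lambda:get*" in the Appendix
# is the same grant as "lambda:Get*".
READ_ONLY_VERB = re.compile(r"^[a-z0-9-]+:(describe|get|list)\w*\*?$", re.IGNORECASE)

# Read wildcards that return resource contents, not just metadata. Combined with
# Resource "*" they reach every object, row, record or package in the account.
DATA_READ_GRANTS = {
    "s3:get*": "includes s3:GetObject (bucket contents)",
    "dynamodb:get*": "includes GetItem/BatchGetItem (table rows)",
    "kinesis:get*": "includes GetRecords (stream data)",
    "lambda:get*": "includes GetFunction (download URL for the function code)",
    "codecommit:get*": "includes GetFile/GetBlob (repository contents)",
}


def allowed_actions(policy: Dict) -> List[str]:
    """Flatten the Action field of every Allow statement into one list."""
    out: List[str] = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        out.extend([action] if isinstance(action, str) else action)
    return out


def non_read_only(policy: Dict) -> List[str]:
    """Actions whose verb is not Describe/Get/List, for example a stray "s3:*"
    or "ec2:TerminateInstances" introduced by a later edit of the policy."""
    return [a for a in allowed_actions(policy) if not READ_ONLY_VERB.match(a)]


def data_reads(policy: Dict) -> Dict[str, str]:
    """Read-only wildcards that still expose resource contents, with the reason."""
    found: Dict[str, str] = {}
    for action in allowed_actions(policy):
        reason = DATA_READ_GRANTS.get(action.lower())
        if reason is not None:
            found[action] = reason
    return found


if __name__ == "__main__":
    print("not read-only:", non_read_only(SAMPLE_POLICY))
    for action, reason in data_reads(SAMPLE_POLICY).items():
        print(f"data read: {action}: {reason}")
```

Run it against the full Appendix policy by loading that JSON in place of SAMPLE_POLICY; a non-empty non_read_only() result means the policy no longer matches the read-only intent of this page.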