Introduction

This document provides step-by-step instructions on connecting your Observability product to Amazon Web Services (AWS) using the parent account with access to child (member) AWS accounts. This integration allows you to access and monitor your AWS resources from within OpsRamp securely.

With this integration, your own AWS account acts as the trusted entity that obtains data from the child accounts, rather than an OpsRamp account acting as the trusted entity to obtain your AWS data.

Prerequisites

Ensure you have the necessary IAM permissions to create IAM roles and policies in AWS.

AWS configuration

Step 1: Configure IAM Policy in AWS

  1. Log in to your AWS Management Console.

  2. Navigate to the IAM (Identity and Access Management) service.

  3. Click Policies in the left-hand navigation pane.

  4. Click Create Policy.

  5. From the Create Policy page under Specify permissions, select JSON editor, and paste the following code:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Resource":"*",
         "Action":[
            "autoscaling:Describe*",
            "autoscaling:Get*",
            "autoscaling:List*",
            "cloudtrail:Describe*",
            "cloudtrail:Get*",
            "cloudtrail:List*",
            "cloudformation:Describe*",
            "cloudformation:Get*",
            "cloudformation:List*",
            "cloudfront:Describe*",
            "cloudfront:Get*",
            "cloudfront:List*",
            "cloudwatch:Describe*",
            "cloudwatch:Get*",
            "cloudwatch:List*",
            "dynamodb:Describe*",
            "dynamodb:Get*",
            "dynamodb:List*",
            "ec2:Describe*",
            "ec2:Get*",
            "ec2:List*",
            "elasticache:Describe*",
            "elasticache:Get*",
            "elasticache:List*",
            "elasticloadbalancing:Describe*",
            "elasticloadbalancing:Get*",
            "elasticloadbalancing:List*",
            "elasticmapreduce:Describe*",
            "elasticmapreduce:Get*",
            "elasticmapreduce:List*",
            "iam:Describe*",
            "iam:Get*",
            "iam:List*",
            "kinesis:Describe*",
            "kinesis:Get*",
            "kinesis:List*",
            "organizations:ListAccounts",
            "route53:Describe*",
            "route53:List*",
            "route53:Get*",
            "redshift:Describe*",
            "redshift:List*",
            "redshift:Get*",
            "rds:Describe*",
            "rds:List*",
            "rds:Get*",
            "s3:Describe*",
            "s3:List*",
            "s3:Get*",
            "sdb:Describe*",
            "sdb:List*",
            "sdb:Get*",
            "sns:Describe*",
            "sns:List*",
            "sns:Get*",
            "sqs:Describe*",
            "sqs:Get*",
            "sqs:List*",
            "lambda:list*",
            "lambda:get*",
            "lambda:describe*",
            "MachineLearning:describe*",
            "MachineLearning:list*",
            "MachineLearning:get*",
            "StorageGateway:describe*",
            "StorageGateway:list*",
            "StorageGateway:get*",
            "ApiGateway:describe*",
            "ApiGateway:get*",
            "ApiGateway:list*",
            "ecs:describe*",
            "ecs:get*",
            "ecs:list*",
            "workspaces:list*",
            "workspaces:get*",
            "workspaces:describe*",
            "lightsail:list*",
            "lightsail:get*",
            "lightsail:describe*"
         ]
      }
   ]
}
  6. Click Next.

  7. On the Review and create page, enter a name for the policy.

  8. Click Save.
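Every action in the policy above uses a Describe, Get or List verb, applied to all resources (Resource "*"), so the policy is read-only; if the document is edited later, that property is easy to lose by accident. As an added example, not code from this page or from OpsRamp, the Python below parses a policy document and reports any action whose verb is not Describe/Get/List, any service-wide wildcard such as iam:*, and whether Resource "*" is used. The two policy excerpts embedded in it are constructed: one is a short slice of the policy above, the other is the same slice with two write-capable entries added to show the detection.

```python
import json
import re

# Read-only verb prefixes used by the OpsRamp policy (Describe*, Get*, List*).
# Matched case-insensitively because the policy mixes "ec2:Describe*" with "ecs:describe*".
READ_ONLY_ACTION = re.compile(r"^[A-Za-z0-9-]+:(describe|get|list)\w*\*?$", re.IGNORECASE)

# Constructed excerpt of the policy above (a short slice, not the full action list).
READ_ONLY_EXCERPT = """
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Resource":"*",
         "Action":[
            "ec2:Describe*",
            "s3:List*",
            "s3:Get*",
            "organizations:ListAccounts",
            "MachineLearning:describe*"
         ]
      }
   ]
}
"""

# Constructed variant carrying two entries a read-only monitoring policy must not have.
TAMPERED_EXCERPT = READ_ONLY_EXCERPT.replace(
    '"MachineLearning:describe*"',
    '"MachineLearning:describe*",\n            "s3:PutObject",\n            "iam:*"',
)


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def load_policy(text):
    """Parse a policy document and check the two fields the audit depends on."""
    doc = json.loads(text)
    if doc.get("Version") != "2012-10-17":
        raise ValueError("unexpected policy Version: %r" % (doc.get("Version"),))
    if not isinstance(doc.get("Statement"), list):
        raise ValueError("Statement must be a list")
    return doc


def audit_policy(text):
    """Return findings over every Allow statement:
    write_actions  - actions whose verb is not Describe/Get/List
    full_wildcards - "*" or "<service>:*" entries
    resource_star  - True if any Allow statement applies to Resource "*"
    """
    findings = {"write_actions": [], "full_wildcards": [], "resource_star": False}
    for stmt in load_policy(text)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Resource", [])):
            findings["resource_star"] = True
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings["full_wildcards"].append(action)
            elif not READ_ONLY_ACTION.match(action):
                findings["write_actions"].append(action)
    return findings


def is_read_only(text):
    """True when no Allow statement grants anything beyond Describe/Get/List."""
    f = audit_policy(text)
    return not f["write_actions"] and not f["full_wildcards"]


if __name__ == "__main__":
    for label, text in (("page policy excerpt", READ_ONLY_EXCERPT),
                        ("tampered excerpt", TAMPERED_EXCERPT)):
        print(label, "read-only:", is_read_only(text), json.dumps(audit_policy(text)))
```

The verb check is deliberately coarse: it tells you the policy cannot change anything, not what it can read. "s3:Get*" includes s3:GetObject, which returns object contents, so a read-only policy with Resource "*" still reaches S3 data in every bucket; scope the Resource element if that is more than the integration needs.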

Step 2: Configure IAM User in AWS

  1. Navigate to the IAM (Identity and Access Management) service.

  2. Click Users in the left-hand navigation pane.

  3. Click Create User.

  4. Provide a name and click Next.

  5. The recommended way to set permissions for a user in AWS is through a user group. Choose Add user to group, then create a group or select an existing one. The group must have the IAM policy created earlier attached to it.

  6. Click Next.

  7. Click Create User.

  8. Find the user created and click the user from the Users page.

  9. Click Create access key.

  10. Choose the Third-party service option.

  11. Click Next.

  12. Save the Access Key and Secret Access Key, or download the CSV file that contains them.

  13. You can now set up the AWS integration within OpsRamp using these keys.

Step 3: Set up AWS Integration in OpsRamp

  1. Log in to the OpsRamp portal.

  2. Navigate to Setup > Account.

  3. On the ACCOUNT DETAILS page, select Integrations and Apps.

  4. The INSTALLED INTEGRATIONS page is displayed with all the installed applications.

    Note: If there are no installed applications, you are taken to the AVAILABLE INTEGRATIONS AND APPS page instead.

  5. Click + ADD on the INSTALLED INTEGRATIONS page. The AVAILABLE INTEGRATIONS AND APPS page displays all the available applications along with the newly created application.
    Note: You can also search for the application using the search option, or narrow the list with the All Categories option.

  6. Click ADD in the AWS application.

  7. In the ADD AWS page, enter the account information:

  Functionality              Description
  Name (required)            Enter a name for the integration.
  Region (required)          Select the AWS region from the drop-down list. The services that belong to the selected regions are onboarded. You can select multiple regions.
                             If you select two regions A and B and you are not authorized to access region B, onboarding fails for both A and B.
  Access type (required)     Select Parent Account Access.
  Account number (required)  Enter your AWS account number (shown in the top right of the AWS console).
  Access Key (required)      Enter the Access Key you created in Step 2: Configure IAM User in AWS.
  Security Key (required)    Enter the Secret Access Key you created in Step 2: Configure IAM User in AWS.
  8. Depending on your requirement, do one of the following:

    • One child account:
      • To link one child account, create a role in that child account from the AWS console (see Step 3: Configure IAM Role in AWS for more details) and enter the role ARN in OpsRamp.
      • You may enter an optional external ID. The external ID entered in OpsRamp must match the external ID entered during role creation in the AWS console.
      • Create a separate instance of the AWS integration for each child account you want to link.
    • Multiple child accounts:
      • To link multiple child accounts, create a role in the parent account from the AWS console and enter the parent role ARN in OpsRamp.
      • You may enter an optional external ID. The external ID entered in OpsRamp must match the external ID entered during role creation in the AWS console.
      • Enable the AWS Landing Zone toggle.
  9. Click Next.

  10. Navigate to the Filter screen.

  11. From the Filter Criteria type, select Smart Filters.

  12. Choose All resources, or select the checkboxes for the specific resources you want to discover from your AWS account.

  13. Click Next.

  14. On the last screen, check Manage Device so that all discovered resources are in a managed state, and choose a discovery schedule (discovery runs periodically to find new resources).

  15. See the Appendix for more information about other AWS integration options.

  16. Click Finish.
    The integration is completed.
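The role ARN and external ID entered during the steps above are only as strong as the trust policy on the role in the child (or parent) account. As an added example, not part of this page and not OpsRamp's own tooling, the Python below builds the trust policy such a role needs (your parent account as the sole principal, with an sts:ExternalId condition when an external ID is configured) and models the check STS performs on AssumeRole, so you can see that a caller from another account, or one presenting the wrong external ID, is refused. The account IDs and the external ID string are constructed placeholders, and the evaluator is a simplified model rather than the real IAM policy engine.

```python
import json


def build_trust_policy(parent_account_id, external_id=None):
    """Trust policy for the role the integration assumes in the child account.
    Only the parent account (the account whose access keys were entered in
    Step 2) may call sts:AssumeRole; when an external ID is configured, the
    caller must also present exactly that value. Account IDs passed in here
    are constructed placeholders, not real accounts."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::%s:root" % parent_account_id},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    """Principal.AWS and Action may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def assume_role_permitted(trust_policy, caller_account_id, presented_external_id=None):
    """Simplified model of the trust-policy evaluation on AssumeRole (not the real
    engine): a statement matches when the caller's account root is a listed
    principal and any sts:ExternalId condition on that statement equals the value
    the caller presented. A missing or wrong external ID fails the match."""
    caller_arn = "arn:aws:iam::%s:root" % caller_account_id
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if caller_arn not in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and presented_external_id != required:
            continue
        return True
    return False


if __name__ == "__main__":
    # Constructed placeholders: parent account 111111111111, a stranger 222222222222.
    policy = build_trust_policy("111111111111", "opsramp-example-external-id")
    print(json.dumps(policy, indent=2))
    print("parent, right ID :", assume_role_permitted(policy, "111111111111", "opsramp-example-external-id"))
    print("parent, no ID    :", assume_role_permitted(policy, "111111111111"))
    print("parent, wrong ID :", assume_role_permitted(policy, "111111111111", "guess"))
    print("other account    :", assume_role_permitted(policy, "222222222222", "opsramp-example-external-id"))
```

The external ID is not a password: it protects against the confused-deputy case, where a third party who knows your role ARN asks the monitoring service to assume the role on their behalf. Because the service passes the ExternalId that belongs to the requesting tenant, a role created with your own external ID refuses that request. With boto3 the real call is sts.assume_role(RoleArn=..., RoleSessionName=..., ExternalId=...); OpsRamp makes that call for you using the role ARN and external ID you entered.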

Once the integration is completed, you should see your devices being discovered. Navigate to Infrastructure > Search or Infrastructure > Resources to see the discovered resources.

Note: It might take up to 5 minutes to see your resources.

Collect Metrics

Now that you have discovered your AWS resources, you can start collecting metrics. See Collect Metrics for more details.

Appendix

If you want to collect logs from AWS, navigate to Infrastructure > Logs and, if it is enabled, follow the steps in Log Management.

AWS Integration Options:

  1. Manage Device: Discover the AWS services in a managed state.
  2. Enable Metric Streaming: Enable metric streaming from Kinesis Firehose. Note: this stops metric collection from the CloudWatch APIs.
  3. Stream CloudWatch Alarms: Enter the SQS URL to get alarms. See Configuring Amazon CloudWatch alarms.
  4. Ingest unsupported AWS resource alarms: Process all Amazon CloudWatch alarms, including those for AWS services not supported by OpsRamp.
  5. Create a resource based on CloudTrail events stream: Enter the SQS URL to get events. See Configuring Amazon CloudTrail.
  6. Stream AWS Events: Enter the SQS URL to get events. See Configuring AWS Events.
  7. Collect Cost Analytics: Collect project cost details of the services used. To collect Cost Analytics, create an Amazon S3 bucket and set it up for collecting AWS billing data. The Amazon S3 bucket can be configured on the root account only.
  8. Assign Credentials Matching with Fingerprint: Check whether the credential set of the EC2 instance matches the credential set of the key pair.
  9. Assign Gateway Management Profile: Select the gateway management profile from the drop-down list.