Overview

Amazon Web Services (AWS) is an on-demand cloud computing platform that provides services for networking, compute, storage, middleware, IoT and other processing capacity.

Available Integrations

The following AWS services can be integrated with the Sevco platform:

Service         | Supported Asset Type(s) | Integration Type
EC2             | Devices                 | Source
IAM             | Users                   | Source
Identity Center | Users                   | Source
S3              | Devices, Users          | Inventory Sync

⚠️ Please review the configuration instructions in the section below before setting up permissions for apps.

Configuration

  1. Choose an Access Schema: A schema is a configuration template that defines a specific way to connect, authenticate, and interact with a source. The following schemas are available:

    • API ID / API Secret Key: Will retrieve AWS objects using a generated access key ID and secret access key
    • AssumeRole: Will retrieve AWS objects by allowing Sevco to assume the specified role
  2. Configure the Access Schema:

API ID / API Secret Key Schema

Field           | Description       | Example
API ID*         | AWS Access Key ID | ABCDEFGHIJKLMNOPQRST
API Secret Key* | AWS Access Secret | **************************************

AssumeRole

Field                  | Description                                                                                                | Example
ARN*                   | The Amazon Resource Name (ARN) of the AWS Role to assume                                                   | arn:aws:iam::888218222122:role/SevcoAWSIAMSourceRole
Organization Discovery | Enables AWS account discovery. See Creating Credentials – AWS Organization Discovery for more information. | n/a
  3. Add new integration: Select which integration(s) you wish to add. See the links for details on any additional configuration required.

  4. Configure General Information (optional): You can set the following fields to describe the configuration:

Field                          | Description                                                                                                                                                  | Example
Name (optional)                | Uniquely identifiable attribute of the configuration, used to distinguish it from other similar configurations within the organization                       | DMZ network
Contact Person (optional)      | A placeholder to input a name or email address of a contact associated with the integration.                                                                 | Jane Doe
Link to Console (optional)     | A placeholder to input a link to the console of the product Sevco is integrating with, for quick reference and access when configuring or editing the integration. | www.product.com/devices
Email me about frequent errors | Select this toggle to receive an email whenever an integration has a ≥30% error rate in a 24-hour period.                                                    | n/a

  5. Activate Config: To enable this configuration, select "Activate."

External Documentation

Creating credentials

Access Key ID/Secret Access Key Schemas

You'll be asked to provide source credentials that Sevco will use to connect to AWS EC2. The following link will step you through creating your AWS keys.
https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys

Assume Role Schemas

You'll be required to configure an AWS role for Sevco to assume in order to connect to AWS. Please contact Sevco Support for the full details on creating and configuring your AWS roles.

Create a new role that will be assumed by Sevco to interact with your AWS account. Use the following JSON to create your trust policy. Sevco Support will provide your sts:ExternalId to replace the 11111111-1111-1111-1111-111111111111 value and the Sevco account ID to replace 123456789010. The sts:ExternalId condition ensures the role can only be assumed when Sevco presents the ID issued for your account, so keep it in the policy and do not leave the placeholder value in place.

Sample EC2 Assume Role trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789010:role/Sevco_USProd_Ec2AssetCollection"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "11111111-1111-1111-1111-111111111111"
                }
            }
        }
    ]
}

Sample Users Assume Role trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789010:role/Sevco_USProd_IAMAssetCollection"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "11111111-1111-1111-1111-111111111111"
                }
            }
        }
    ]
}

Note: We use the Sevco_USProd_IAMAssetCollection principal for collection from both IAM and Identity Store.

Sample S3 Sync Assume Role trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789010:role/Sevco_USProd_S3InventorySync"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "11111111-1111-1111-1111-111111111111"
                }
            }
        }
    ]
}

AWS Organization Discovery

AWS Organization Discovery allows Sevco to discover all AWS accounts that are members of your AWS Organization. When enabled, Sevco will iterate through each member account and collect devices from EC2 or users from IAM as configured. At this time, user collection from Identity Center is not supported.

If Organization Discovery is enabled, the following additional configuration is required:

  • The integration needs to be configured to assume a role into the AWS account that owns your AWS Organization.
  • A role of the same name with appropriate permissions for EC2 and/or IAM collection needs to be created in each member account in your Organization that you'd like to collect assets from.
  • The role in the primary account will need the following additional statement added to its permissions document:
{
  "Effect": "Allow",
  "Action": [
    "organizations:ListAccounts"
  ],
  "Resource": "*"
}

Required permissions

See the integration-specific documentation for details.

Integration                        | Effect | Action
Collect devices from EC2           | Allow  | ec2:DescribeInstances, ec2:DescribeRegions, ec2:DescribeAddresses, ec2:DescribeNetworkInterfaces
Collect users from IAM             | Allow  | iam:GetUser, iam:ListUsers
Collect users from Identity Center | Allow  | identitystore:ListGroupMemberships, identitystore:ListGroups, identitystore:ListUsers
Sync Inventory to S3               | Allow  | s3:PutObject, s3:AbortMultipartUpload
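The following is an added example, not part of the Sevco documentation or product, that ties together the trust policies, the Organization Discovery statement and the permissions table above: it builds the minimal permissions document for a chosen set of integrations and lints a trust policy before it is attached to the role (correct action, expected Sevco principal, real sts:ExternalId). The bucket_arn scoping for S3 sync and the helper names are this example's own assumptions, not something the page specifies.

```python
# Actions per integration, copied from the "Required permissions" table on this page.
REQUIRED_ACTIONS = {
    "ec2": ["ec2:DescribeInstances", "ec2:DescribeRegions",
            "ec2:DescribeAddresses", "ec2:DescribeNetworkInterfaces"],
    "iam": ["iam:GetUser", "iam:ListUsers"],
    "identity_center": ["identitystore:ListGroupMemberships",
                        "identitystore:ListGroups", "identitystore:ListUsers"],
    "s3_sync": ["s3:PutObject", "s3:AbortMultipartUpload"],
}
PLACEHOLDER_EXTERNAL_ID = "11111111-1111-1111-1111-111111111111"  # from the page's samples
PLACEHOLDER_ACCOUNT = "123456789010"                                # from the page's samples


def build_permissions_policy(integrations, org_discovery=False, bucket_arn=None):
    """Build the permissions document for the chosen integrations, nothing more.
    Read-only collection actions share one statement; S3 sync gets its own so it
    can be scoped to the target bucket (bucket_arn is an assumed input)."""
    statements = []
    reads = sorted(a for i in integrations if i != "s3_sync" for a in REQUIRED_ACTIONS[i])
    if reads:
        statements.append({"Effect": "Allow", "Action": reads, "Resource": "*"})
    if "s3_sync" in integrations:
        statements.append({"Effect": "Allow", "Action": REQUIRED_ACTIONS["s3_sync"],
                           "Resource": f"{bucket_arn}/*" if bucket_arn else "*"})
    if org_discovery:  # extra statement the page requires in the Organization owner account
        statements.append({"Effect": "Allow", "Action": ["organizations:ListAccounts"],
                           "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def lint_trust_policy(policy, expected_principal):
    """Return findings for a trust policy before it is attached to the role:
    only sts:AssumeRole, only the expected Sevco principal, and a real ExternalId."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if set(actions) != {"sts:AssumeRole"}:
            findings.append(f"unexpected action(s): {actions}")
        principal = stmt.get("Principal", {}).get("AWS")
        if principal != expected_principal or PLACEHOLDER_ACCOUNT in str(principal):
            findings.append(f"principal {principal!r} is not the Sevco role you were given")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id or ext_id == PLACEHOLDER_EXTERNAL_ID:
            findings.append("sts:ExternalId missing or still the placeholder value")
    return findings
```

Run lint_trust_policy over the sample trust policy with the placeholder values left in and it reports both the placeholder account and the placeholder ExternalId; an empty list means the policy matches what Sevco Support gave you.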

API Documentation

Contact Us

If you're having problems integrating a source, or if you've found something wrong in this document, please email us at [email protected] or suggest edits directly by selecting Suggest Edits in the upper right-hand corner of the documentation.