AWS
Overview
Amazon Web Services (AWS) is an on-demand cloud computing platform that provides services for networking, compute, storage, middleware, IoT and other processing capacity.
Available Integrations
The following AWS services can be integrated with the Sevco platform:
Service | Supported Asset Type(s) | Integration Type |
---|---|---|
EC2 | Devices | Source |
IAM | Users | Source |
Identity Center | Users | Source |
S3 | Devices, Users | Inventory Sync |
Please review the configuration instructions in the section below before setting up permissions for the integrations.
Configuration
- Choose an Access Schema: A schema is a configuration template that defines a specific way to connect, authenticate, and interact with a source. The following schemas are available:
- API ID / API Secret Key: retrieves AWS objects using a generated access key ID and secret access key
- AssumeRole: retrieves AWS objects by allowing Sevco to assume the specified role
- Configure the Access Schema:
API ID / API Secret Key Schema
Field | Description | Example |
---|---|---|
API ID * | AWS Access Key ID | ABCDEFGHIJKLMNOPQRST |
API Secret Key * | AWS Secret Access Key | ************************************** |
AssumeRole
Field | Description | Example |
---|---|---|
ARN * | The Amazon Resource Name (ARN) of the AWS Role to assume | arn:aws:iam::888218222122:role/SevcoAWSIAMSourceRole |
Organization Discovery | Enables AWS account discovery. See Creating Credentials – AWS Organization Discovery for more information. | n/a |
- Add new integration: Select which integration(s) you wish to add. See the linked integration pages for details on any additional configuration required.
- Configure General Information (optional): You can set the following fields to describe the configuration:
Field | Description | Example |
---|---|---|
Name (optional) | A unique label for the configuration that distinguishes it from other similar configurations within the organization | DMZ network |
Contact Person (optional) | A placeholder to input a name or email address of a contact associated with the integration. | Jane Doe |
Link to Console (optional) | A placeholder to input a link to the console of the product Sevco is integrating with for quick reference and access when configuring or editing the integration. | www.product.com/devices |
Email me about frequent errors | Select this toggle to receive an email whenever an Integration has a ≥30% error rate in a 24-hour period. | n/a |
- Activate Config: To enable this configuration, select "Activate."
External Documentation
Creating credentials
Access Key ID/Secret Access Key Schemas
You'll be asked to provide source credentials that Sevco will use to connect to AWS. The following AWS documentation steps you through creating an access key ID and secret access key:
https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys
Assume Role Schemas
You'll be required to configure an AWS role for Sevco to assume when connecting to AWS. Contact Sevco Support for the full details on creating and configuring your AWS roles.
Create a new role that will be assumed by Sevco to interact with your AWS account, using the following JSON as its trust policy. Sevco Support will provide your sts:ExternalId value, which replaces 11111111-1111-1111-1111-111111111111, and the Sevco account ID, which replaces 123456789010. Keep the sts:ExternalId condition in place: it is what prevents anyone else who knows the Sevco principal ARN from having Sevco assume your role on their behalf (the confused deputy problem).
Sample EC2 Assume Role trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789010:role/Sevco_USProd_Ec2AssetCollection"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "11111111-1111-1111-1111-111111111111"
        }
      }
    }
  ]
}
Sample Users Assume Role trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789010:role/Sevco_USProd_IAMAssetCollection"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "11111111-1111-1111-1111-111111111111"
        }
      }
    }
  ]
}
Note: The Sevco_USProd_IAMAssetCollection principal is used for collection from both IAM and Identity Center (the identitystore API), so one trust policy covers both user integrations.
Sample S3 Sync Assume Role trust policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789010:role/Sevco_USProd_S3InventorySync"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "11111111-1111-1111-1111-111111111111"
        }
      }
    }
  ]
}
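The three trust policies above differ only in the Sevco principal they name. The following added example (not Sevco's code, and not an official tool) builds the trust policy for a chosen integration from the Sevco account ID and sts:ExternalId you receive from Sevco Support, and then checks the result for the mistakes that weaken it: a principal broader than the single Sevco role, an action other than sts:AssumeRole, a missing ExternalId condition, or the documentation placeholder left in place. The role names and placeholders come from this page; the account ID and ExternalId used in the __main__ section are constructed values, and the UUID check assumes Sevco-issued ExternalIds are UUID-shaped like the placeholder.

```python
import json
import re

# Collector role per integration, taken from the sample trust policies on this page.
# The IAM collector principal also covers Identity Center.
COLLECTOR_ROLES = {
    "ec2": "Sevco_USProd_Ec2AssetCollection",
    "iam": "Sevco_USProd_IAMAssetCollection",
    "identity_center": "Sevco_USProd_IAMAssetCollection",
    "s3": "Sevco_USProd_S3InventorySync",
}

# Placeholders exactly as they appear on this page; they must be replaced with
# the values Sevco Support provides before the policy is applied.
PLACEHOLDER_ACCOUNT_ID = "123456789010"
PLACEHOLDER_EXTERNAL_ID = "11111111-1111-1111-1111-111111111111"

# Assumption: a real ExternalId is UUID-shaped, like the placeholder on this page.
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def build_trust_policy(integration, sevco_account_id, external_id):
    """Build the trust policy for the role Sevco assumes for one integration."""
    role_name = COLLECTOR_ROLES[integration]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{sevco_account_id}:role/{role_name}"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy):
    """Return a list of problems found in a trust policy granted to a third party.

    An empty list means every Allow statement names a single foreign role as
    principal, grants only sts:AssumeRole, and carries a real sts:ExternalId
    condition (the control that blocks a confused-deputy attack, where someone
    else who knows the Sevco principal ARN asks Sevco to assume your role).
    """
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if not principals:
            problems.append(f"statement {i}: no AWS principal")
        for p in principals:
            if p == "*" or p.endswith(":root"):
                problems.append(f"statement {i}: principal {p!r} is broader than one role")
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                problems.append(f"statement {i}: unexpected action {action!r}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            problems.append(f"statement {i}: no sts:ExternalId condition")
        elif ext == PLACEHOLDER_EXTERNAL_ID:
            problems.append(f"statement {i}: sts:ExternalId is still the documentation placeholder")
        elif not UUID_RE.match(ext):
            problems.append(f"statement {i}: sts:ExternalId {ext!r} does not look like a Sevco-issued UUID")
    return problems


if __name__ == "__main__":
    # Constructed example values; substitute the ones Sevco Support gives you.
    policy = build_trust_policy("ec2", "210987654321", "4c7d1a1e-8b2f-4d3a-9e6c-2f1b0a9d8e7c")
    print(json.dumps(policy, indent=2))
    print("problems:", check_trust_policy(policy))
```

Write the generated JSON to a file and attach it when creating the role, for example `aws iam create-role --role-name SevcoAWSIAMSourceRole --assume-role-policy-document file://trust.json`, using whatever role name you will later enter as the ARN in the AssumeRole schema.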
AWS Organization Discovery
AWS Organization Discovery allows Sevco to discover all AWS accounts that are members of your AWS Organization. When enabled, Sevco will iterate through each member account and collect devices from EC2 or users from IAM as configured. At this time, user collection from Identity Center is not supported.
If Organization Discovery is enabled, the following additional configuration is required:
- The integration must be configured to assume a role in the AWS account that owns (manages) your AWS Organization.
- A role with the same name, carrying the permissions needed for EC2 and/or IAM collection, must be created in each member account of your Organization that you want to collect assets from. Each of those roles needs the same trust policy and sts:ExternalId so that the Sevco principal can assume it.
- The role in the management (primary) account needs the following additional statement in its permissions policy:
{
  "Effect": "Allow",
  "Action": [
    "organizations:ListAccounts"
  ],
  "Resource": "*"
}
Required permissions
See integration specific documentation for details
Integration | Effect | Action |
---|---|---|
Collect devices from EC2 | Allow | ec2:DescribeInstances ec2:DescribeRegions ec2:DescribeAddresses ec2:DescribeNetworkInterfaces |
Collect users from IAM | Allow | iam:GetUser iam:ListUsers |
Collect users from Identity Center | Allow | identitystore:ListGroupMemberships identitystore:ListGroups identitystore:ListUsers |
Sync Inventory to S3 | Allow | s3:PutObject s3:AbortMultipartUpload |
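The permissions policy attached to the role is assembled from this table plus, for Organization Discovery, the organizations:ListAccounts statement shown in the section above. The following added example (not Sevco's code) builds that policy for a chosen set of integrations, adds the Organization statement only when the role is in the management account, and checks the finished policy for wildcard or undocumented actions before it is applied. The action names come from this table and the section above; the choice to scope the S3 statement to a single sync bucket, the bucket name `sevco-inventory`, and the statement Sids are assumptions for illustration.

```python
import json

# Actions per integration, from the "Required permissions" table on this page.
REQUIRED_ACTIONS = {
    "ec2": [
        "ec2:DescribeInstances",
        "ec2:DescribeRegions",
        "ec2:DescribeAddresses",
        "ec2:DescribeNetworkInterfaces",
    ],
    "iam": ["iam:GetUser", "iam:ListUsers"],
    "identity_center": [
        "identitystore:ListGroupMemberships",
        "identitystore:ListGroups",
        "identitystore:ListUsers",
    ],
    "s3": ["s3:PutObject", "s3:AbortMultipartUpload"],
}

# Extra action the page requires on the role in the Organization's management
# account when Organization Discovery is enabled.
ORG_DISCOVERY_ACTIONS = ["organizations:ListAccounts"]


def build_permissions_policy(integrations, *, s3_bucket=None, management_account=False):
    """Assemble the inline permissions policy for the Sevco role.

    integrations: any of "ec2", "iam", "identity_center", "s3".
    s3_bucket: bucket name for Inventory Sync. Assumption: the S3 statement is
      scoped to that bucket instead of Resource "*".
    management_account: True only for the role in the account that owns the
      Organization; member-account roles do not get organizations:ListAccounts.
    """
    unknown = set(integrations) - set(REQUIRED_ACTIONS)
    if unknown:
        raise ValueError(f"unknown integration(s): {sorted(unknown)}")
    statements = []
    read_actions = sorted({a for i in integrations if i != "s3" for a in REQUIRED_ACTIONS[i]})
    if read_actions:
        # Describe/List collection calls; most do not support resource-level
        # restriction, so Resource stays "*".
        statements.append({"Sid": "SevcoAssetCollection", "Effect": "Allow",
                           "Action": read_actions, "Resource": "*"})
    if "s3" in integrations:
        if not s3_bucket:
            raise ValueError("s3_bucket is required for Inventory Sync")
        statements.append({"Sid": "SevcoInventorySync", "Effect": "Allow",
                           "Action": list(REQUIRED_ACTIONS["s3"]),
                           "Resource": f"arn:aws:s3:::{s3_bucket}/*"})
    if management_account:
        statements.append({"Sid": "SevcoOrgDiscovery", "Effect": "Allow",
                           "Action": list(ORG_DISCOVERY_ACTIONS), "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def policy_actions(policy):
    """Every action string granted by Allow statements in the policy."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            a = stmt.get("Action", [])
            actions.update(a if isinstance(a, list) else [a])
    return actions


def check_scope(policy):
    """Flag wildcard actions and anything outside the documented action set."""
    documented = set(ORG_DISCOVERY_ACTIONS)
    for acts in REQUIRED_ACTIONS.values():
        documented.update(acts)
    problems = []
    for action in sorted(policy_actions(policy)):
        if "*" in action:
            problems.append(f"wildcard action {action!r}")
        elif action not in documented:
            problems.append(f"undocumented action {action!r}")
    return problems


if __name__ == "__main__":
    # Management-account role collecting devices and users across the Organization.
    policy = build_permissions_policy(["ec2", "iam"], management_account=True)
    print(json.dumps(policy, indent=2))
    print("scope problems:", check_scope(policy))
```

Attach the output as an inline policy with `aws iam put-role-policy --role-name <role> --policy-name SevcoCollection --policy-document file://permissions.json`; for Organization Discovery, run the builder once with management_account=True for the management account and once without it for the role of the same name in each member account.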
API Documentation
Contact Us
If you're having problems integrating a source, or if you've found something wrong in this document, please email us at [email protected] or suggest edits directly by selecting Suggest Edits in the upper right hand corner of the documentation.