sevco.io

AWS EC2

About

Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. Using Amazon EC2 eliminates your need to invest in hardware up front, so you can develop and deploy applications faster. You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage. Amazon EC2 enables you to scale up or down to handle changes in requirements or spikes in popularity, reducing your need to forecast traffic.

Why You Should Integrate

This integration will provide visibility into your AWS EC2 cloud instances within Sevco.

How Does the Integration Work

This integration pulls device objects from AWS EC2 that meet the following criteria.

  • Instances collected must be a scheduled instance and not a spot instance
  • If specified, instances contained within an autoscaling group

This data is only used internally; we do not share it with any parties outside of Sevco. Refer to our privacy policy for details.

⚠️ If you haven't already, please review our instructions for configuring the AWS integration before proceeding with the instructions below.

Configuration Options

Field                        | Description                                                              | Example
Include Auto Scaling Groups  | Determine whether to collect instances contained within an autoscaling group | n/a
Filter Young Instances       | Filters out instances that have been running for less than 24 hours      | n/a
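The collection criteria above (no spot instances, Auto Scaling group members only when the option is on) and the Filter Young Instances option map onto fields that EC2 DescribeInstances returns. The following is an added example, not Sevco's code: it applies those rules to a constructed DescribeInstances-shaped response. It assumes that any instance whose InstanceLifecycle is not "spot" counts as a scheduled instance, and uses the real EC2 field names InstanceLifecycle, LaunchTime and the reserved tag key aws:autoscaling:groupName.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the "Reservations" list that EC2
# DescribeInstances returns.  On-demand instances carry no InstanceLifecycle
# field; spot instances carry InstanceLifecycle == "spot"; Auto Scaling
# members carry the reserved tag key aws:autoscaling:groupName.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RESERVATIONS = [
    {"Instances": [
        # Long-running on-demand instance: always collected.
        {"InstanceId": "i-0aaa", "LaunchTime": NOW - timedelta(days=3),
         "State": {"Name": "running"}, "Tags": []},
        # Spot instance: never collected.
        {"InstanceId": "i-0bbb", "InstanceLifecycle": "spot",
         "LaunchTime": NOW - timedelta(days=3),
         "State": {"Name": "running"}, "Tags": []},
        # Auto Scaling group member: collected only when the option is enabled.
        {"InstanceId": "i-0ccc", "LaunchTime": NOW - timedelta(days=3),
         "State": {"Name": "running"},
         "Tags": [{"Key": "aws:autoscaling:groupName", "Value": "web-asg"}]},
        # Launched two hours ago: dropped when Filter Young Instances is enabled.
        {"InstanceId": "i-0ddd", "LaunchTime": NOW - timedelta(hours=2),
         "State": {"Name": "running"}, "Tags": []},
    ]},
]


def in_autoscaling_group(instance):
    """True when EC2 tagged the instance as belonging to an Auto Scaling group."""
    return any(t["Key"] == "aws:autoscaling:groupName"
               for t in instance.get("Tags", []))


def select_instances(reservations, include_asg=False, filter_young=False,
                     now=None, min_age=timedelta(hours=24)):
    """Return the IDs of instances that pass the collection rules on this page.

    include_asg  mirrors "Include Auto Scaling Groups".
    filter_young mirrors "Filter Young Instances" (running < 24 hours).
    Assumption: any instance whose InstanceLifecycle is not "spot" counts as
    a scheduled (non-spot) instance for the first rule.
    """
    now = now or datetime.now(timezone.utc)
    selected = []
    for reservation in reservations:
        for inst in reservation["Instances"]:
            if inst.get("InstanceLifecycle") == "spot":
                continue                      # rule 1: no spot instances
            if not include_asg and in_autoscaling_group(inst):
                continue                      # rule 2: ASG members only if opted in
            if filter_young and now - inst["LaunchTime"] < min_age:
                continue                      # option: drop instances younger than 24 h
            selected.append(inst["InstanceId"])
    return selected


if __name__ == "__main__":
    print("default:", select_instances(SAMPLE_RESERVATIONS, now=NOW))
    print("with ASGs, filtering young:",
          select_instances(SAMPLE_RESERVATIONS, include_asg=True,
                           filter_young=True, now=NOW))
```

Running it with the default options yields only the long-running on-demand instance and the two-hour-old one; enabling both options adds the Auto Scaling member and drops the young instance. The same function can be pointed at a real `describe_instances()` response to preview what the integration will and will not report for a given configuration.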

External Documentation

Creating Credentials

Access Key ID/Secret Access Key Schemas

See platform documentation for details on AWS - Creating credentials

Assume Role Schemas

You'll be required to configure an AWS role for Sevco to assume in order to connect to AWS. Please contact Sevco Support for the full details on creating and configuring your AWS roles.

Create a new role that will be assumed by Sevco to interact with your AWS account. Use the following JSON to create your trust policy. Sevco Support will provide your sts:ExternalId to replace the 11111111-1111-1111-1111-111111111111 value and the Sevco account ID to replace 123456789010.

Sample EC2 Assume Role trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789010:role/Sevco_USProd_Ec2AssetCollection"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "11111111-1111-1111-1111-111111111111"
                }
            }
        }
    ]
}

AWS Organization Discovery

AWS Organization Discovery allows Sevco to discover all AWS accounts that are members of your AWS Organization. When enabled, Sevco will iterate through each member account and collect devices from EC2 as configured.

If organizational discovery is enabled, the following additional configuration is required:

  • The integration needs to be configured to assume a role into the AWS account that owns your AWS Organization.
  • A role of the same name with appropriate permissions for EC2 collection needs to be created in each member account in your Organization that you'd like to collect assets from.
  • The role in the primary account will need an additional statement added to its permissions document, as shown below:
{
  "Effect": "Allow",
  "Action": [
    "organizations:ListAccounts"
  ],
  "Resource": "*"
}
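The discovery flow just described, as an added example written against boto3 rather than Sevco's own code: list the member accounts through the role in the management account, then assume the same-named role in each active member account with the same ExternalId. The role name, ExternalId and management account ID are placeholders; it assumes the process runs with the collector's own credentials, that the management-account role carries organizations:ListAccounts, and that every member role trusts the collector with the ExternalId condition. The sample ListAccounts pages are constructed.

```python
COLLECTION_ROLE_NAME = "SevcoAssumableRole"           # RoleName default from the template
EXTERNAL_ID = "11111111-1111-1111-1111-111111111111"  # placeholder; Sevco Support issues the real one
MANAGEMENT_ACCOUNT_ID = "000000000000"                # placeholder: account that owns the Organization

# Constructed sample shaped like the pages returned by organizations:ListAccounts.
SAMPLE_LIST_ACCOUNTS_PAGES = [
    {"Accounts": [
        {"Id": "111122223333", "Name": "prod", "Status": "ACTIVE"},
        {"Id": "444455556666", "Name": "old-sandbox", "Status": "SUSPENDED"},
    ]},
    {"Accounts": [
        {"Id": "777788889999", "Name": "dev", "Status": "ACTIVE"},
    ]},
]


def member_role_arn(account_id, role_name=COLLECTION_ROLE_NAME):
    """The same-named collection role in a given account, as the page requires."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def active_account_ids(pages):
    """ListAccounts also returns SUSPENDED and PENDING_CLOSURE accounts, where
    AssumeRole would fail; keep only ACTIVE ones so one closed account does not
    abort the whole collection run."""
    return [acct["Id"] for page in pages for acct in page["Accounts"]
            if acct["Status"] == "ACTIVE"]


def assume(sts, role_arn, session_name="sevco-ec2-collection"):
    """AssumeRole with the ExternalId that the trust policy's condition requires;
    returns keyword arguments for boto3.client()."""
    creds = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                            ExternalId=EXTERNAL_ID)["Credentials"]
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"]}


def discover_and_collect():
    """Walk the Organization and return {account_id: [instance_id, ...]}.
    Needs boto3 and the collector's credentials in the environment."""
    import boto3
    sts = boto3.client("sts")
    # Step 1: the management-account role is only needed for ListAccounts.
    mgmt = assume(sts, member_role_arn(MANAGEMENT_ACCOUNT_ID))
    org = boto3.client("organizations", region_name="us-east-1", **mgmt)
    accounts = active_account_ids(org.get_paginator("list_accounts").paginate())
    # Step 2: assume the same-named role in every active member account and
    # enumerate instances in every region it reports.
    results = {}
    for account_id in accounts:
        creds = assume(sts, member_role_arn(account_id))
        regions = boto3.client("ec2", region_name="us-east-1",
                               **creds).describe_regions()["Regions"]
        results[account_id] = []
        for region in regions:
            ec2 = boto3.client("ec2", region_name=region["RegionName"], **creds)
            for page in ec2.get_paginator("describe_instances").paginate():
                for reservation in page["Reservations"]:
                    results[account_id].extend(
                        inst["InstanceId"] for inst in reservation["Instances"])
    return results


if __name__ == "__main__":
    print(active_account_ids(SAMPLE_LIST_ACCOUNTS_PAGES))
    print(discover_and_collect())
```

The per-instance selection rules (spot, Auto Scaling, age) are applied on top of the raw instance list this returns. Each step uses only the four ec2:Describe* permissions plus organizations:ListAccounts that this page lists, so a failure at `assume()` for a member account points at a missing or differently named role, or a mismatched ExternalId, in that account.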

AWS CloudFormation Templates

If you would like to automate creating an assumable role for multiple accounts in your AWS organization, you can do so using a CloudFormation template.

See the CloudFormation template below:

AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template to create an EC2 asset collection role that can be assumed by a specific role with an ExternalId condition.

Parameters:
  RoleName:
    Type: String
    Description: Name of the IAM role to create.
    Default: SevcoAssumableRole
    MinLength: 1
    MaxLength: 64
  TrustedAccountNumber:
    Type: String
    Description: The AWS account hosting the role that will be allowed to assume the collection role in your account.
  ExternalId:
    Type: String
    Description: The ExternalId required for assuming the role.

Resources:
  AssumableEC2Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${TrustedAccountNumber}:role/Sevco_USProd_Ec2AssetCollection'
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ExternalId
      Policies:
        - PolicyName: SevcoEC2AssetCollectionPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'ec2:DescribeInstances'
                  - 'ec2:DescribeRegions'
                  - 'ec2:DescribeAddresses'
                  - 'ec2:DescribeNetworkInterfaces'
                Resource: '*'
      MaxSessionDuration: 3600 # Session duration in seconds (1 hour)

Outputs:
  RoleArn:
    Description: ARN of the created EC2 role
    Value: !GetAtt AssumableEC2Role.Arn
  RoleName:
    Description: Name of the created EC2 role
    Value: !Ref AssumableEC2Role

Required Permissions

Your IAM user (Access Key ID/Secret) or newly created role (AssumeRole) should use a permission policy with at least the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeRegions",
                "ec2:DescribeAddresses",
                "ec2:DescribeNetworkInterfaces"
            ],
            "Resource": "*"
        }
    ]
}
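Before attaching the trust policy from the Assume Role section and the permission policy above, it is worth checking mechanically that they keep the shape this page prescribes: a single, specific role principal, an sts:ExternalId condition on the AssumeRole statement, and nothing beyond the four Describe actions. The following is an added example, not Sevco's code; the principal ARN and ExternalId are the placeholder values from this page, and `load_policy` is a hypothetical helper for reading your own policy files.

```python
import json

# The two documents from this page (placeholder account ID and ExternalId as given there).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789010:role/Sevco_USProd_Ec2AssetCollection"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "11111111-1111-1111-1111-111111111111"}},
    }],
}
PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:DescribeInstances", "ec2:DescribeRegions",
                   "ec2:DescribeAddresses", "ec2:DescribeNetworkInterfaces"],
        "Resource": "*",
    }],
}
# The read-only actions this page lists as required.
REQUIRED_ACTIONS = frozenset(PERMISSION_POLICY["Statement"][0]["Action"])


def _as_list(value):
    """IAM accepts either a string or a list in Action/Principal fields; normalise."""
    return value if isinstance(value, list) else [value]


def load_policy(path):
    """Hypothetical helper: read a policy document from a JSON file on disk."""
    with open(path) as fh:
        return json.load(fh)


def check_trust_policy(policy, expected_principal, expected_external_id):
    """Findings for every statement that allows sts:AssumeRole; [] means OK."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or \
                "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if any(p == "*" or p.endswith(":root") for p in principals):
            findings.append("principal is a wildcard or account root rather than a specific role")
        elif principals != [expected_principal]:
            findings.append(f"principal {principals} is not the expected collector role")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            findings.append("sts:AssumeRole is allowed without an sts:ExternalId condition")
        elif ext_id != expected_external_id:
            findings.append("sts:ExternalId differs from the value issued for this integration")
    return findings


def check_permission_policy(policy, allowed=REQUIRED_ACTIONS):
    """Flag actions beyond the Describe-only set and any required action that is missing."""
    findings, granted = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            granted.add(action)
            if "*" in action or action not in allowed:
                findings.append(f"action {action!r} is broader than the required Describe-only set")
    missing = sorted(allowed - granted)
    if missing:
        findings.append(f"required actions missing: {missing}")
    return findings


if __name__ == "__main__":
    print(check_trust_policy(TRUST_POLICY,
                             "arn:aws:iam::123456789010:role/Sevco_USProd_Ec2AssetCollection",
                             "11111111-1111-1111-1111-111111111111"))
    print(check_permission_policy(PERMISSION_POLICY))
```

Both checks return an empty list for the documents on this page. The ExternalId condition is the control that stops a third party who knows your role ARN from having Sevco's collector assume it on their behalf, so a trust policy that drops it, or widens the principal to an account root, is reported; on the permission side, anything outside the four Describe actions (including any "ec2:*") is reported as over-privilege for this integration.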

Contact Us

If you're having problems integrating a source, or if you've found something wrong in this document, please email us at [email protected] or suggest edits directly by selecting Suggest Edits in the upper right-hand corner of the documentation.
