AWS EC2
About
Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. Using Amazon EC2 eliminates your need to invest in hardware up front, so you can develop and deploy applications faster. You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage. Amazon EC2 enables you to scale up or down to handle changes in requirements or spikes in popularity, reducing your need to forecast traffic.
Why You Should Integrate
This integration will provide visibility into your AWS EC2 cloud instances within Sevco.
How Does the Integration Work
This integration pulls device objects from AWS EC2 that meet the following criteria.
- Instances collected must be a scheduled instance and not a spot instance
- If specified, instances contained within an autoscaling group
This data is only used internally; we do not share it with any parties outside of Sevco. Refer to our privacy policy for details.
If you haven't already, please review our instructions for configuring the AWS integration before proceeding with the instructions below.
Configuration Options
| Field | Description | Example |
|---|---|---|
Include Auto Scaling Groups | Determine whether to collect instances contained within an autoscaling group | n/a |
Filter Young Instances | Filters out instances that have been running for less than 24 hours | n/a |
External Documentation
Creating Credentials
Access Key ID/Secret Access Key Schemas
See platform documentation for details on AWS - Creating credentials
Assume Role Schemas
You'll be required to configure a AWS role for Sevco to assume to connect to AWS. Please contact Sevco Support for the full details on creating and configuring your AWS roles.
Create a new role that will be assumed by Sevco to interact with your AWS account. Use the following JSON to create your trust policy. Sevco Support will provide your sts:ExternalId to replace the 11111111-1111-1111-1111-111111111111 value and the Sevco account ID to replace 123456789010.
Sample EC2 Assume Role trust policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789010:role/Sevco_USProd_Ec2AssetCollection"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "11111111-1111-1111-1111-111111111111"
}
}
}
]
}AWS Organization Discovery
AWS Organization Discovery allows Sevco to discover all AWS accounts that are members of your AWS Organization. When enabled, Sevco will iterate through each member account and collect devices from EC2 as configured.
If organizational discovery is enabled the following additional configuration is required
- The integration needs to be configured to assume a role into the AWS account that owns your AWS Organization.
- A role of the same name with appropriate permissions for EC2 collection needs to be created in each member account in your Organization that you'd like to collect assets from.
- The role in the primary account will need an additional statement added to it's permissions document as show below
{
"Effect": "Allow",
"Action": [
"organizations:ListAccounts"
],
"Resource": "*"
}AWS CloudFormation Templates
If you would like to automate creating an assumable role for multiple accounts in your AWS organization, you can do so using a CloudFormation template.
See the CloudFormation template below:
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template to create an EC2 asset collection role that can be assumed by a specific role with an ExternalId condition.
Parameters:
RoleName:
Type: String
Description: Name of the IAM role to create.
Default: SevcoAssumableRole
MinLength: 1
MaxLength: 64
TrustedAccountNumber:
Type: String
Description: The AWS account hosting the role that will allowed to assume the collection role in your account.
ExternalId:
Type: String
Description: The ExternalId required for assuming the role.
Resources:
AssumableEC2Role:
Type: AWS::IAM::Role
Properties:
RoleName: !Ref RoleName
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: !Sub 'arn:aws:iam::${TrustedAccountNumber}:role/Sevco_USProd_Ec2AssetCollection'
Action: 'sts:AssumeRole'
Condition:
StringEquals:
'sts:ExternalId': !Ref ExternalId
Policies:
- PolicyName: SevcoEC2AssetCollectionPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 'ec2:DescribeInstances'
- 'ec2:DescribeRegions'
- 'ec2:DescribeAddresses'
- 'ec2:DescribeNetworkInterfaces'
Resource: '*'
MaxSessionDuration: 3600 # Session duration in seconds (1 hour)
Outputs:
RoleArn:
Description: ARN of the created EC2 role
Value: !GetAtt AssumableEC2Role.Arn
RoleName:
Description: Name of the created EC2 role
Value: !Ref AssumableEC2RoleRequired Permissions
Your IAM user (Access Key ID/Secret) or newly created role (AssumeRole) should use a permission policy with at least the following permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeRegions",
"ec2:DescribeAddresses",
"ec2:DescribeNetworkInterfaces"
],
"Resource": "*"
}
]
}Contact Us
If you're having problems integrating a source, or if you've found something wrong in this document, please email us at [email protected] or suggest edits directly by selecting the Suggest Edits located in the upper right hand corner of the documentation.
Tags: <on-prem/cloud>, <categories>
Updated 23 days ago