Using Trusted Nodes for AWS Monitoring

By default, eG Enterprise can monitor the target AWS Cloud using the AWS Secret Key approach, the Role-based approach, or the Managed Identity approach. In the Managed Identity approach, you configure an EC2 instance in the target AWS Cloud with a service role (IAM role) that has permissions to access other AWS resources in the cloud. An eG agent installed on that EC2 instance pulls the required metrics from the target AWS Cloud. This approach is more secure and convenient for administrators, as it eliminates the need for long-term credentials and allows granular control over access to resources. To use the Managed Identity approach to monitor the target AWS Cloud, you need to do the following:

  • Create a special role for monitoring purposes on the AWS Cloud. The AWS role can be created either manually or automatically.

  • Create a new EC2 instance or use an existing EC2 instance and assign the newly created role to that instance.

  • Install an eG agent on the EC2 instance and use that eG agent as a remote agent to monitor the target AWS Cloud.

    Note:

    Since the eG agent is installed on the customer's premises, i.e., in the target environment, the process is extremely safe and secure. All metrics are collected and processed by the eG agent and then transmitted to the eG manager.

Let us discuss each of the above-mentioned steps in detail in the following sections:

Automatic Creation of AWS Role

eG Enterprise recommends automatic creation of the AWS Role. To achieve this, eG Enterprise offers a specialized URL that is built from a standard CloudFormation template. By accessing this URL, administrators can execute the CloudFormation template and create an AWS Role without having to navigate across multiple screens in the AWS IAM console.

To create an AWS Role automatically, do the following:

  1. Copy and paste the URL specified below in any browser in your target environment:

    https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/quickcreate?templateURL=https%3A%2F%2Feg-innovations.s3.us-east-1.amazonaws.com%2FeG_EC2ManagedIdentityRole.yml&stackName=eG-EC2ManagedIdentity&param_RoleName=eG-EC2ManagedIdentity

  2. The login page of AWS will then appear. Log in to the AWS console as a user with administrator privileges.

  3. Figure 1 will then appear. The Stack name text box and the Enter the Role Name text box will be auto-populated with the name of the AWS Role that is to be created.

    Figure 1 : Creating a Stack

  4. Ensure that you select the check box preceding the I acknowledge that AWS CloudFormation might create IAM resources with custom names field (see Figure 1) and click the Create stack button.

  5. The stack will then be created and Figure 2 will appear with the Stack name. Here, ensure that the Status of the stack is displayed as CREATE_COMPLETE.

    Figure 2 : Verifying the status of the created stack

  6. Then, navigate to the Outputs tab. Figure 3 will then appear.

    Figure 3 : Navigating to the Outputs tab

    Here, the RoleName will be displayed. Note down this parameter. Ensure that you specify the RoleName against the AWS ROLE NAME parameter while configuring the tests pertaining to the AWS Cloud component.

Manual Creation of AWS Role

To create an AWS Role manually, you first need to do the following:

  • Create a policy on the AWS Cloud.

  • Create a new role for monitoring purposes and assign the created policy to the role.

Creating a New Policy

To create a new Policy on AWS cloud, do the following:

  1. Log in to the AWS console as a root user or with an account that has privileges to create a new role.

  2. Upon successful login, the Services page will appear. Keep scrolling down this page until you view the IAM option.

  3. The first step to creating a role is to create a policy that defines the rights and privileges of that role. To create a policy, click the Policies link in the left panel as shown in Figure 4.

    Figure 4 : The Policies page from which a new policy can be created

  4. The context-sensitive right panel of Figure 4 lists all the pre-existing policies. Click the Create Policy button to create a new policy.

  5. In the Create Policy page that appears, click on the JSON tab. Figure 5 will then appear.

    Figure 5 : The JSON tab page

  6. Replace the contents of the JSON tab page (see Figure 5) with the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "acm:DescribeCertificate",
            "acm:List*",
            "acm:GetCertificate",
            "appstream:ListAssociated*",
            "appstream:Describe*",
            "autoscaling:Describe*",
            "backup:ListBackupVaults",
            "backup:ListBackupJobs",
            "backup:DescribeBackupJob",
            "backup:ListCopyJobs",
            "backup:DescribeCopyJob",
            "backup:ListRestoreJobs",
            "backup:DescribeRestoreJob",
            "backup:ListRecoveryPointsByBackupVault",
            "budgets:Describe*",
            "ce:GetCostAndUsage",
            "ce:GetCostAndUsageWithResources",
            "ce:GetDimensionValues",
            "ce:GetRightsizingRecommendation",
            "ce:GetSavingsPlansUtilization",
            "ce:GetSavingsPlansUtilizationDetails",
            "ce:GetTags",
            "cloudfront:ListDistributions*",
            "cloudtrail:DescribeTrails",
            "cloudtrail:GetTrailStatus",
            "cloudwatch:GetMetric*",
            "cloudwatch:ListMetric*",
            "dynamodb:List*",
            "dynamodb:Describe*",
            "ec2:Describe*",
            "ecs:List*",
            "ecs:Describe*",
            "elasticache:Describe*",
            "elasticache:List*",
            "elasticbeanstalk:Describe*",
            "elasticbeanstalk:List*",
            "elasticloadbalancing:Describe*",
            "elasticmapreduce:Describe*",
            "elasticmapreduce:List*",
            "health:Describe*",
            "inspector2:ListFindings",
            "lambda:List*",
            "logs:GetLogEvents",
            "logs:Describe*",
            "Organizations:List*",
            "Organizations:Describe*",
            "rds:Describe*",
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicyStatus",
            "s3:ListAllMyBuckets",
            "s3:GetObject",
            "s3:PutObject",
            "ses:GetSend*",
            "support:DescribeTrustedAdvisorChecks*",
            "workspaces:Describe*",
            "config:DescribeComplianceByResource",
            "config:GetComplianceDetailsByResource"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }

    Note:

    If you copy the above code block directly from this document and paste it in the JSON tab page, you will find that the page numbers in the document also get copied on to the tab page inadvertently. Therefore, after copying the code block to the JSON tab page, make sure you remove the page numbers from the code block and then proceed.

  7. Then, click the Next: Tags button in Figure 5 to review the policy that you have defined. In Figure 6 that appears, provide a Name for the new policy and a brief Description of the policy.

    Figure 6 : Reviewing the Policy that is to be created

  8. The Summary section in Figure 6 lists all the services that this policy allows access to, the level of access (whether Full or Limited), and the resources that can be accessed.

  9. Then, click the Create Policy button in Figure 6 to create the new policy.
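Before pasting the policy from step 6, it is worth checking what it actually grants: almost every action is a Describe/List/Get (read-only) call, but the statement also allows s3:PutObject on Resource "*". The following audit script is an added example (not part of the eG documentation or product); it classifies each allowed action by its verb and flags any non-read action that is granted on all resources. The embedded SAMPLE_POLICY is a constructed subset of the page's policy; point audit_policy at the full JSON to audit the real thing.

```python
# Verb prefixes that only read state; anything else is treated as a change action.
READ_ONLY_VERBS = ("Describe", "List", "Get")


def classify_action(action: str) -> str:
    """'read' for read-only actions, 'broad' for service-wide wildcards
    such as 's3:*', otherwise 'write'."""
    _service, _, verb = action.partition(":")
    if verb in ("", "*"):
        return "broad"
    return "read" if verb.startswith(READ_ONLY_VERBS) else "write"


def audit_policy(policy: dict) -> dict:
    """Group every Allow action in an IAM policy document by classification and
    list the non-read actions that are allowed on Resource "*" (unscoped)."""
    result = {"read": [], "write": [], "broad": [], "unscoped_write": []}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # IAM permits a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            kind = classify_action(action)
            result[kind].append(action)
            if kind != "read" and "*" in resources:
                result["unscoped_write"].append(action)
    return result


# Constructed excerpt of the monitoring policy from the page (same action
# names, shortened to keep the demo small).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["cloudwatch:GetMetric*", "ec2:Describe*", "s3:ListBucket",
                   "s3:GetObject", "s3:PutObject", "logs:GetLogEvents"],
        "Effect": "Allow",
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    report = audit_policy(SAMPLE_POLICY)
    for action in report["unscoped_write"]:
        print(f"non-read action allowed on all resources: {action}")
```

If the agent only needs to write to one bucket, the s3:PutObject grant can be split into its own statement scoped to that bucket ARN, which makes the unscoped_write list empty.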

Creating the New Role by Assigning the Newly Created Policy

To create a new Role on AWS cloud, do the following:

  1. Navigate to the AWS IAM Console and click the Roles option in the left panel. Figure 7 then appears.

    Figure 7 : The Roles page from which a new role can be created

  2. The context-sensitive right panel of Figure 7 displays all the pre-existing roles.

  3. In Figure 7, click the Create Role button to create a new role.

  4. Figure 8 will then appear. Here, choose the AWS service tile as the Trusted entity type.

    Figure 8 : The Select trusted entity page

  5. Now, choose EC2 from the Service or use case list as shown in Figure 9.

    Figure 9 : Choosing EC2 as the AWS service trusted entity

  6. Clicking the Next button in Figure 9 will reveal Figure 10. In this page, all the policies that pre-exist in your environment will be listed. Select the policy that you have created exclusively for monitoring purposes and click the Next button.

    Figure 10 : Associating the newly created Policy with the role

  7. In Figure 11 that then appears, specify the name of the role that you wish to create in the Role name text box. Also, specify a description of your choice in the Description text box. Remember that the Role name that you specify here should be specified against the AWS ROLE NAME parameter while configuring the tests pertaining to the AWS Cloud component.

    Figure 11 : Providing the name for the role that is to be created

  8. Clicking the Create Role button at the bottom right of the Name, review and create page (Figure 11) will create the new role.

Assigning the Role to an EC2 Instance in the Target Environment

To assign the newly created role to an EC2 instance, do the following:

  1. From the AWS console, navigate to the Services page (see Figure 12). Keep scrolling down this page until you view the EC2 tile or search for EC2 from the search bar of Figure 12.

    Figure 12 : The Services Page of the AWS console

  2. Clicking the EC2 tile in Figure 12 will lead you to Figure 13.

    Figure 13 : Clicking the Instances option from the EC2 page

  3. In Figure 13, expand the Instances list available in the left panel and click the Instances option. Figure 14 then appears.

    Figure 14 : Listing the instances in the target environment

  4. You can either create a new EC2 instance for monitoring purposes or use an existing EC2 instance. In our example, we are using an existing EC2 instance. In Figure 14, select the EC2 instance to which you wish to assign the newly created role.

  5. Now, expand the Actions list and navigate through the menu sequence: Security -> Modify IAM role as shown in Figure 15.

    Figure 15 : Expanding the Actions list for the chosen EC2 instance

  6. Figure 16 then appears.

    Figure 16 : Modifying IAM role for the chosen EC2 instance

  7. Pick the newly created role to associate with the EC2 instance from the IAM role list (see Figure 17).

    Figure 17 : Choosing the newly created IAM role to assign to the chosen EC2 instance

  8. Clicking the Update IAM role button in Figure 17 will assign the newly created role to the EC2 instance that you wish to use for monitoring purposes.
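Before installing the agent it helps to confirm, from inside the instance, that the role really is attached and is the one you noted down (for the automatic path that is the RoleName output, eG-EC2ManagedIdentity by default). The check below is an added example, not eG code: it queries the EC2 Instance Metadata Service the IMDSv2 way (session token first) and compares the role name exposed under iam/security-credentials/ with the expected one. The fetch callable is injectable so the logic can be exercised off an instance; on a real EC2 host the default urllib fetcher is used.

```python
import urllib.error
import urllib.request

IMDS_BASE = "http://169.254.169.254"  # link-local address of the EC2 metadata service


def http_text(method, url, headers):
    """Minimal HTTP helper for IMDS; returns the response body as text."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def attached_role_name(fetch=http_text):
    """Return the IAM role name attached to this instance via IMDSv2, or None
    when no instance profile is attached (IMDS answers 404 in that case)."""
    token = fetch("PUT", f"{IMDS_BASE}/latest/api/token",
                  {"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    try:
        listing = fetch("GET", f"{IMDS_BASE}/latest/meta-data/iam/security-credentials/",
                        {"X-aws-ec2-metadata-token": token})
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise
    names = [line.strip() for line in listing.splitlines() if line.strip()]
    return names[0] if names else None


def verify_role(expected, fetch=http_text):
    """True only if the instance profile exposes exactly the expected role."""
    return attached_role_name(fetch) == expected


if __name__ == "__main__":
    # Role name from the page's CloudFormation URL; replace with yours if different.
    expected = "eG-EC2ManagedIdentity"
    found = attached_role_name()
    print("attached role:", found, "| matches expected:", found == expected)
```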

Installing the eG Agent on EC2 Instance

Download the eG agent installable that matches the operating system of the EC2 instance and install the agent on the EC2 instance. You can also use the one-liner command available in the eG manager to install the eG agent.

Figure 18 : Installing the eG agent on AWS Cloud

Once the eG agent is installed, note down the host name of the EC2 instance. Ensure that the same host name is used to add the installed eG agent as a remote agent in the eG manager that is about to discover the target AWS Cloud.

Figure 19 : Adding the eG agent as a remote agent in the eG manager

Figure 20 displays the newly configured remote agent.

Figure 20 : Viewing the newly configured remote agent