AWS
Enrich asset context with asset information from AWS
About the AWS Context Integration
This context integration adds asset information retrieved from AWS as context labels in Netography Fusion.
Cloud Context Enrichment: Add a Context Integration vs. Deploying Cloud Function
There are two options for enriching asset context from AWS, Azure, and GCP.
Option 1: Add a context integration in Fusion Portal
You grant Netography permission in your cloud account(s) to read asset metadata, and then add a context integration for that cloud account in Fusion to retrieve it. After you configure the permissions in your cloud, configuration and data gathering are performed from the Netography Fusion SaaS against your cloud accounts. You need to add and configure one context integration in Fusion per AWS account, Azure subscription, or GCP project.
Option 2: Deploy a cloud function with Netography's Cloud onboarding automation via Terraform
You deploy the Netography cloud onboarding automation using Terraform, which configures all the permissions required and creates a cloud function that runs within your cloud on a schedule. That function gathers all the asset metadata locally within your cloud and then uploads the data via the Netography Fusion API. In this option, Netography never has permission to directly access or read the asset metadata in your cloud. You deploy this automation once per AWS organization, Azure tenant, or GCP organization, which makes it the more scalable solution for larger environments. For more details on this option, see Netography's Terraform automation in our GitHub repo: https://github.com/netography/neto-onboarding. For access to the repo, email your GitHub ID to [email protected].
AWS Configuration
Choosing between IAM Role and IAM User authentication
Netography supports two methods of authenticating to AWS:
- An IAM role with a custom trust policy provided by Netography
- An IAM user with an Access Key ID and Secret Access Key
Netography and AWS recommend using IAM Role authentication for a production deployment.
For more details, see: AWS > Documentation > AWS Identity and Access Management > User Guide > Security best practices in IAM > Require workloads to use temporary credentials with IAM roles to access AWS
If you have already created an AWS IAM role
You can use the same IAM role you previously configured for collecting VPC Flow Logs. If you already configured Flow Collection for your AWS environment with a permission policy that includes AmazonEC2ReadOnlyAccess, no additional AWS configuration is needed. Use the same ARN and skip to the Netography Fusion Configuration section.
If you have an existing AWS IAM role that does not have the required permissions, or you want to verify that it has them, see the Permission Policy section below.
Creating AWS IAM Role (recommended authentication option)
To use IAM role authentication for Netography Fusion, first you will go to the Netography Fusion Portal and gather the required fields, and then you will go to AWS and create the IAM role.
Retrieve AWS Custom Trust Policy fields from the Netography Fusion Portal
In the Netography Fusion Portal, go to Account Settings by clicking the gear icon in the top-right corner, scroll down to the AWS Custom Trust Policy section, and retrieve the Account ID, External ID (the sts:ExternalId condition value), and Trust Policy values.
| Field from Netography Fusion Account Settings | Description |
|---|---|
| AWS Custom Trust Policy > Account ID | Netography AWS Account ID used for the integration |
| AWS Custom Trust Policy > External ID | Netography-issued value used for AWS role creation |
| AWS Custom Trust Policy > Trust Policy | Netography trust policy used for AWS role creation |
Create a new AWS IAM Role
In AWS, you will create a new IAM role that will delegate access to Netography using the fields you gathered in the previous step. In addition to those fields, you will need to assign the IAM Role a permission policy.
Permission Policy
| AWS Permissions Policy Required |
|---|
| AmazonEC2ReadOnlyAccess |
The AmazonEC2ReadOnlyAccess managed policy, which is the only permission policy the AWS context integration requires, consists of the statements listed below. All of them grant read-only Describe/List/Get actions and no write actions. If you have an existing IAM role with a customer managed permission policy, add these statements to it to make it compatible with the AWS context integration (instructions for editing a policy are available at AWS > Documentation > AWS Identity and Access Management > User Guide > Editing customer managed policies (console)).
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "elasticloadbalancing:Describe*",
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor4",
      "Effect": "Allow",
      "Action": "autoscaling:Describe*",
      "Resource": "*"
    }
  ]
}
```
How to create a new AWS IAM Role
For instructions on creating an IAM role in AWS using a custom trust policy, refer to AWS > Documentation > AWS Identity and Access Management > User Guide > Creating a role using custom trust policies
For more information on why the trust policy is restricted to Netography's Account ID and requires the External ID (protection against the confused deputy problem), refer to AWS > Documentation > AWS Identity and Access Management > User Guide > How to use an external ID when granting access to your AWS resources to a third party.
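The trust policy you paste into the role comes from Fusion Account Settings; the example below is added here and is not Netography's code or tooling. It shows the shape such a third-party trust policy takes and gives you a pre-flight check for both documents before the integration is pointed at the role: the trust policy must name only the Netography account and carry the sts:ExternalId condition, and the permission policy must grant every AmazonEC2ReadOnlyAccess action pattern without any write privilege. The Account ID, External ID, over-broad policy and trust policy without an External ID are constructed placeholders, and the Allow/Deny evaluation is deliberately simplified (Resource and Condition are ignored, which is exact for the page's policy with Resource "*").

```python
"""Build and check the IAM documents for the Netography AWS context integration.
Added example, not Netography's own code. Placeholders are constructed; IAM evaluation is simplified."""
import fnmatch
import json

# Constructed placeholders (hypothetical): replace with the Account ID and External ID
# shown in Fusion under Account Settings > AWS Custom Trust Policy.
NETOGRAPHY_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id-from-fusion"

# The action patterns that make up the AmazonEC2ReadOnlyAccess managed policy.
REQUIRED_ALLOW = ["ec2:Describe*", "elasticloadbalancing:Describe*", "cloudwatch:ListMetrics",
                  "cloudwatch:GetMetricStatistics", "cloudwatch:Describe*", "autoscaling:Describe*"]
# Probes for privileges a read-only context role must never carry.
FORBIDDEN_PROBES = ["ec2:TerminateInstances", "ec2:RunInstances", "iam:PassRole"]

# The AmazonEC2ReadOnlyAccess document from the page, used as the known-good input.
EC2_READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Sid": "VisualEditor2", "Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*"},
    {"Sid": "VisualEditor3", "Effect": "Allow", "Resource": "*",
     "Action": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "cloudwatch:Describe*"]},
    {"Sid": "VisualEditor4", "Effect": "Allow", "Action": "autoscaling:Describe*", "Resource": "*"}]}
# Constructed policy reused from elsewhere: grants EC2 writes and misses the ELB/CloudWatch/ASG reads.
TOO_BROAD = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
# Constructed trust policy that names the right account but omits the External ID condition.
TRUST_WITHOUT_EXTERNAL_ID = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{NETOGRAPHY_ACCOUNT_ID}:root"}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def build_trust_policy(account_id: str, external_id: str) -> dict:
    """Trust policy delegating sts:AssumeRole to the third party's account, gated by the
    External ID so another tenant of the same SaaS cannot point its integration at this role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def check_trust_policy(trust: dict, account_id: str, external_id: str) -> list:
    """Return problems found; an empty list means the role can only be assumed
    from the expected account and only with the expected External ID."""
    problems, seen = [], False
    for stmt in trust.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        seen = True
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [str(principal)]
        if not principals or any(account_id not in p for p in principals):
            problems.append(f"principal not limited to account {account_id}: {principals}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            problems.append("sts:ExternalId condition missing or wrong (confused-deputy exposure)")
    if not seen:
        problems.append("no Allow statement for sts:AssumeRole")
    return problems


def action_allowed(policy: dict, action: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow grants.
    Action matching is case-insensitive with IAM-style wildcards; Resource/Condition are ignored."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in _as_list(stmt.get("Action", []))):
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


def check_permission_policy(policy: dict) -> list:
    """Problems with a permission policy: every AmazonEC2ReadOnlyAccess pattern must be
    granted (probed with a concrete action) and no write-capable probe may be allowed."""
    problems = []
    for pat in REQUIRED_ALLOW:
        if not action_allowed(policy, pat.replace("*", "Sample")):  # ec2:Describe* -> ec2:DescribeSample
            problems.append(f"missing grant for {pat}")
    for probe in FORBIDDEN_PROBES:
        if action_allowed(policy, probe):
            problems.append(f"over-permissive: allows {probe}")
    return problems


if __name__ == "__main__":
    trust = build_trust_policy(NETOGRAPHY_ACCOUNT_ID, EXTERNAL_ID)
    # Save as trust.json for: aws iam create-role --role-name <name> --assume-role-policy-document file://trust.json
    print(json.dumps(trust, indent=2))
    print("trust policy:", check_trust_policy(trust, NETOGRAPHY_ACCOUNT_ID, EXTERNAL_ID) or "OK")
    print("no External ID:", check_trust_policy(TRUST_WITHOUT_EXTERNAL_ID, NETOGRAPHY_ACCOUNT_ID, EXTERNAL_ID))
    print("AmazonEC2ReadOnlyAccess:", check_permission_policy(EC2_READ_ONLY) or "OK")
    print("ec2:* policy:", check_permission_policy(TOO_BROAD))
```

Run it against the trust policy and permission policy you actually attached (load them with `aws iam get-role` and `aws iam get-policy-version`, or paste them in place of the samples). The page's AmazonEC2ReadOnlyAccess document passes cleanly, the ec2:* policy is flagged both for the write actions it grants and for the ELB, CloudWatch and Auto Scaling reads it lacks, and the trust policy without the External ID is flagged as a confused-deputy exposure.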
Copy the ARN for the newly created IAM Role
The ARN for the new IAM role you created will be needed in the next step when adding the AWS context integration to Netography Fusion.
| IAM Role Field Required | Description |
|---|---|
| ARN | The identifier for the IAM role, retrieved from AWS when you create the role. |
AWS IAM user authentication (alternative authentication option)
Skip this section if you are using AWS IAM role authentication
AWS IAM user authentication with an Access Key ID and Secret Access Key is an alternative to using an AWS IAM role. If you are using an IAM role, skip this section entirely and go to Netography Fusion Configuration.
The instructions below assume that you have not already created an IAM user as part of Flow Collection setup. If you have already created that user and it has the AmazonEC2ReadOnlyAccess permission policy attached, skip to the Netography Fusion Configuration section.
To use IAM user authentication, you must have an IAM user with a programmatic access key already configured, or create one. Access keys are long-lived credentials, so attach only the AmazonEC2ReadOnlyAccess policy to this user and rotate the keys according to your credential policy.
- To create a new user, follow the AWS official guidance for new IAM user creation.
- To configure a programmatic access key for the IAM user, refer to the documentation on managing access keys.
| Minimum Required Permissions |
|---|
| AmazonEC2ReadOnlyAccess |
To configure the integration with this authentication method, the following AWS IAM user fields are required:
| AWS Parameters | Description |
|---|---|
| Access Key ID | Authentication field, available in the AWS IAM console for the IAM user |
| Access Secret | Authentication secret (Secret Access Key), shown only once in the AWS IAM console when the access key is created |
Netography Fusion Configuration
1. Navigate to Settings -> Context Integrations -> Add Integration
2. Select Amazon Web Services
3. Configure the context integration
a. Fill out the standard fields required for each context integration:
| Field | Description |
|---|---|
| Name | A unique name to identify this instance of the integration (e.g. aws1) |
| Update Interval | How frequently to retrieve updated information from AWS, in seconds |
| Auto Update | Enable to retrieve updated information automatically at the frequency set by the Update Interval. If disabled, the integration can be run manually from the list of configured integrations by selecting the ... next to the name of the integration and then selecting Run |
b. Enter the configuration parameters specific to AWS.
| Field | Required | Description | Example |
|---|---|---|---|
| Region | No | To retrieve asset metadata from only a specific region, specify it here. Leave this field blank to retrieve data from all regions. | |
| Tag/Label Matches | | The names of the tags you use within the cloud provider, e.g., a user might tag all of their web servers with a tag named subsystem that has the value web. | subsystem |
c. Enter the authentication information based on the authentication method you configured in AWS.
If you are using AWS IAM role authentication, configure AWS ARN for role
d. Select Role for the Authentication Type field, and then enter the AWS ARN for the IAM Role you created in the previous step (or during Flow Collection setup for AWS).
If you are using AWS user authentication, configure Access Key ID and Access Secret
Skip this section if you are using AWS IAM role authentication
e. Select Key/Secret for the Authentication Type field, and then enter the Access Key ID and Access Secret from the AWS Configuration step (or from the Flow Collection setup for AWS).
f. Select Create and Run to save the integration.