Amazon Web Services

Monitor Amazon Web Services (AWS) resources and applications

Network Requirements

Port: 443 (TCP) HTTPS outbound to the Amazon CloudWatch API

High Level AWS Source Configuration

Creating a Customer Managed Policy

You can create standalone policies that you administer in your own AWS account, which we refer to as customer managed policies. You can then attach the policies to an IAM user in your AWS account. When you attach a policy to an IAM user, you give that IAM user the permissions that are defined in the policy.

To create the policy for your test user

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/ with your user that has administrator permissions.
  2. In the navigation pane, choose Policies.
  3. In the content pane, choose Create Policy.
  4. Choose the JSON tab and copy the text from the following JSON policy document. Paste this text into the JSON text box.

Master AWS LPU

Use the following JSON to create an AWS user that can monitor all of the listed Source technologies within BindPlane.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "apigateway:GET",
                "apigateway:HEAD",
                "apigateway:OPTIONS",
                "autoscaling:Describe*",
                "aws-portal:ViewBilling",
                "aws-portal:ViewUsage",
                "budgets:ViewBudget",
                "cloudformation:Describe*",
                "cloudformation:Get*",
                "cloudformation:List*",
                "cloudfront:ListDistributions",
                "cloudfront:ListStreamingDistributions",
                "cloudsearch:DescribeAnalysisSchemes",
                "cloudsearch:DescribeAvailabilityOptions",
                "cloudsearch:DescribeDomains",
                "cloudsearch:DescribeExpressions",
                "cloudsearch:DescribeIndexFields",
                "cloudsearch:DescribeScalingParameters",
                "cloudsearch:DescribeServiceAccessPolicies",
                "cloudsearch:DescribeSuggesters",
                "cloudsearch:ListDomainNames",
                "cloudsearch:ListTags",
                "cloudsearch:search",
                "cloudsearch:suggest",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "cur:DescribeReportDefinitions",
                "dynamodb:DescribeTable",
                "dynamodb:ListTables",
                "ec2:Describe*",
                "ec2:Get*",
                "ec2:Search*",
                "eks:Get*",
                "eks:Describe*",
                "ecs:Describe*",
                "ecs:List*",
                "elasticache:Describe*",
                "elasticbeanstalk:DescribeApplications",
                "elasticbeanstalk:DescribeApplicationVersions",
                "elasticbeanstalk:DescribeConfigurationOptions",
                "elasticbeanstalk:DescribeConfigurationSettings",
                "elasticbeanstalk:DescribeEnvironmentHealth",
                "elasticbeanstalk:DescribeEnvironmentManagedActionHistory",
                "elasticbeanstalk:DescribeEnvironmentManagedActions",
                "elasticbeanstalk:DescribeEnvironmentResources",
                "elasticbeanstalk:DescribeEnvironments",
                "elasticbeanstalk:DescribeEvents",
                "elasticbeanstalk:DescribeInstancesHealth",
                "elasticbeanstalk:DescribePlatformVersion",
                "elasticbeanstalk:ListAvailableSolutionStacks",
                "elasticbeanstalk:ListPlatformVersions",
                "elasticbeanstalk:RequestEnvironmentInfo",
                "elasticbeanstalk:RetrieveEnvironmentInfo",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeMountTargets",
                "elasticloadbalancing:Describe*",
                "es:DescribeElasticsearchDomain",
                "es:DescribeElasticsearchDomainConfig",
                "es:DescribeElasticsearchDomains",
                "es:ESHttpGet",
                "es:ESHttpHead",
                "es:ListDomainNames",
                "es:ListTags",
                "firehose:DescribeDeliveryStream",
                "firehose:ListDeliveryStreams",
                "glacier:DescribeJob",
                "glacier:DescribeVault",
                "glacier:GetDataRetrievalPolicy",
                "glacier:GetJobOutput",
                "glacier:GetVaultAccessPolicy",
                "glacier:GetVaultLock",
                "glacier:GetVaultNotifications",
                "glacier:ListJobs",
                "glacier:ListMultipartUploads",
                "glacier:ListParts",
                "glacier:ListProvisionedCapacity",
                "glacier:ListTagsForVault",
                "glacier:ListVaults",
                "iam:GetUser",
                "kinesis:DescribeLimits",
                "kinesis:DescribeStream",
                "kinesis:GetRecords",
                "kinesis:GetShardIterator",
                "kinesis:ListStreams",
                "kinesis:ListTagsForStream",
                "kinesisanalytics:DescribeApplication",
                "kinesisanalytics:DiscoverInputSchema",
                "kinesisanalytics:ListApplications",
                "kinesisvideo:DescribeStream",
                "kinesisvideo:GetDataEndpoint",
                "kinesisvideo:GetMedia",
                "kinesisvideo:GetMediaForFragmentList",
                "kinesisvideo:ListFragments",
                "kinesisvideo:ListStreams",
                "kinesisvideo:ListTagsForStream",
                "kms:DescribeKey",
                "kms:GenerateRandom",
                "kms:GetKeyPolicy",
                "kms:GetKeyRotationStatus",
                "kms:GetParametersForImport",
                "kms:ListAliases",
                "kms:ListGrants",
                "kms:ListKeyPolicies",
                "kms:ListKeys",
                "kms:ListResourceTags",
                "kms:ListRetirableGrants",
                "kms:ReEncryptFrom",
                "kms:ReEncryptTo",
                "lambda:GetFunctionConfiguration",
                "lambda:ListFunctions",
                "lambda:ListTags",
                "logs:Describe*",
                "logs:FilterLogEvents",
                "logs:Get*",
                "logs:List*",
                "logs:TestMetricFilter",
                "opsworks-cm:DescribeAccountAttributes",
                "opsworks-cm:DescribeBackups",
                "opsworks-cm:DescribeEvents",
                "opsworks-cm:DescribeNodeAssociationStatus",
                "opsworks-cm:DescribeServers",
                "opsworks:DescribeAgentVersions",
                "opsworks:DescribeApps",
                "opsworks:DescribeCommands",
                "opsworks:DescribeDeployments",
                "opsworks:DescribeEcsClusters",
                "opsworks:DescribeElasticIps",
                "opsworks:DescribeElasticLoadBalancers",
                "opsworks:DescribeInstances",
                "opsworks:DescribeLayers",
                "opsworks:DescribeLoadBasedAutoScaling",
                "opsworks:DescribeMyUserProfile",
                "opsworks:DescribePermissions",
                "opsworks:DescribeRaidArrays",
                "opsworks:DescribeRdsDbInstances",
                "opsworks:DescribeServiceErrors",
                "opsworks:DescribeStackProvisioningParameters",
                "opsworks:DescribeStacks",
                "opsworks:DescribeStackSummary",
                "opsworks:DescribeTimeBasedAutoScaling",
                "opsworks:DescribeUserProfiles",
                "opsworks:DescribeVolumes",
                "opsworks:GetHostnameSuggestion",
                "opsworks:ListTags",
                "rds:Describe*",
                "rds:DescribeDBInstances",
                "rds:DescribeDBSnapshots",
                "rds:ListTagsForResource",
                "redshift:DescribeClusters",
                "route53:GetGeoLocation",
                "route53:GetHealthCheck",
                "route53:GetHealthCheckCount",
                "route53:GetHealthCheckLastFailureReason",
                "route53:GetHealthCheckStatus",
                "route53:GetHostedZone",
                "route53:GetHostedZoneCount",
                "route53:GetReusableDelegationSet",
                "route53:GetTrafficPolicy",
                "route53:GetTrafficPolicyInstance",
                "route53:GetTrafficPolicyInstanceCount",
                "route53:ListGeoLocations",
                "route53:ListHealthChecks",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName",
                "route53:ListResourceRecordSets",
                "route53:ListReusableDelegationSets",
                "route53:ListTrafficPolicies",
                "route53:ListTrafficPolicyInstances",
                "route53:ListTrafficPolicyInstancesByHostedZone",
                "route53:ListTrafficPolicyInstancesByPolicy",
                "route53:ListTrafficPolicyVersions",
                "s3:Get*",
                "s3:List*",
                "ses:DescribeActiveReceiptRuleSet",
                "ses:DescribeReceiptRule",
                "ses:DescribeReceiptRuleSet",
                "ses:GetIdentityDkimAttributes",
                "ses:GetIdentityMailFromDomainAttributes",
                "ses:GetIdentityNotificationAttributes",
                "ses:GetIdentityPolicies",
                "ses:GetIdentityVerificationAttributes",
                "ses:GetSendQuota",
                "ses:GetSendStatistics",
                "ses:ListIdentities",
                "ses:ListIdentityPolicies",
                "ses:ListReceiptFilters",
                "ses:ListReceiptRuleSets",
                "ses:ListVerifiedEmailAddresses",
                "ses:VerifyDomainDkim",
                "ses:VerifyDomainIdentity",
                "ses:VerifyEmailAddress",
                "ses:VerifyEmailIdentity",
                "sns:Get*",
                "sns:List*",
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl",
                "sqs:ListDeadLetterSourceQueues",
                "sqs:ListQueues",
                "sqs:ListQueueTags",
                "workspaces:DescribeTags",
                "workspaces:DescribeWorkspaceBundles",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaces",
                "workspaces:DescribeWorkspacesConnectionStatus"
            ],
            "Resource": "*"
        }
    ]
}

  5. When you are finished, choose Review Policy. The Policy Validator reports any syntax errors.
  6. On the Review page, type lpu_ec2 for the policy name. Review the policy Summary to see the permissions granted by your policy, and then choose Create Policy to save your work. The new policy appears in the list of managed policies and is ready to attach.
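As an added check that is not part of the original page or of BindPlane: the script below reads a policy document in the format shown above and lists the Allow actions whose verb is not a read prefix (Describe, Get, List, Search, View, Head, Options) and any statement scoped to Resource "*", so a reviewer can see which entries in the Master LPU go beyond reading metadata. The embedded policy is a constructed excerpt of the page's document; the verb-prefix rule is a heuristic (s3:Get* and kinesis:GetRecords read object and stream data yet pass as read-only), so treat its output as a starting point for review.

```python
"""Lint an IAM policy document for Allow actions that go beyond read-only.

Added example; not BindPlane's or AWS's code. Verb prefixes are a heuristic:
an action is treated as read-only only if its verb starts with one of
READ_ONLY_PREFIXES. A bare '*' verb is never read-only.
"""
import json
from typing import Dict, List

# Lower-cased verb prefixes that read configuration or metadata.
READ_ONLY_PREFIXES = ("describe", "get", "list", "search", "view", "head", "options")

# Constructed excerpt of the page's "Master AWS LPU" policy (the full document
# lists roughly 200 actions; this keeps a representative mix).
POLICY_EXCERPT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
            "ec2:Describe*", "s3:Get*", "s3:List*",
            "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:GenerateRandom",
            "ses:VerifyEmailIdentity", "cloudsearch:search", "iam:GetUser",
        ],
        "Resource": "*",
    }],
})


def is_read_only(action: str) -> bool:
    """True if the verb after 'service:' starts with a read-only prefix."""
    _service, _, verb = action.partition(":")
    # IAM action names are matched case-insensitively, so normalise first.
    return verb != "*" and verb.lower().startswith(READ_ONLY_PREFIXES)


def lint_policy(policy_json: str) -> Dict[str, List[str]]:
    """Return non-read-only Allow actions and the Sids of statements using Resource '*'."""
    policy = json.loads(policy_json)
    findings: Dict[str, List[str]] = {"non_read_only_actions": [], "wildcard_resource_sids": []}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant anything; skip them.
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions  # Action may be a string
        findings["non_read_only_actions"] += [a for a in actions if not is_read_only(a)]
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in resources:
            findings["wildcard_resource_sids"].append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    print(json.dumps(lint_policy(POLICY_EXCERPT), indent=2))
```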

Creating an IAM user, attaching the Managed policy and Exporting keys

You can use the AWS Management Console to create IAM users.

To create one or more IAM users (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
  2. In the navigation pane, choose Users and then choose Add user.
  3. Type the user name for the new user. This is the sign-in name for AWS.
    NOTE: User names can be a combination of up to 64 letters, digits, and these characters: plus (+), equal (=), comma (,), period (.), at sign (@), and hyphen (-). Names must be unique within an account. They are not distinguished by case. For example, you cannot create two users named TESTUSER and testuser. For more information about limitations on IAM entities, see Limitations on IAM Entities and Objects.
  4. Select the type of access this set of users will have. You can select programmatic access, access to the AWS Management Console, or both.
    NOTE: Select Programmatic access if the users require access to the API, AWS CLI, or Tools for Windows PowerShell. This creates an access key for each new user. You can view or download the access keys when you get to the Final page.
  5. Choose Next: Permissions.
  6. On the Set permissions page, specify how you want to assign permissions to this set of new users. Of the three options offered, choose the following one:
    Attach existing policies to user directly. Choose this option to see a list of the AWS managed and customer managed policies in your account. Select the customer managed policies that you want to attach to the new user. For this use case, select lpu_ec2.
  7. Choose Next: Review to see all of the choices you made up to this point. When you are ready to proceed, choose Create user.
  8. To view the users' access keys (access key IDs and secret access keys), choose Show next to the access key that you want to see. To save the access keys, choose Download .csv and then save the file to a safe location. Important: This is your only opportunity to view or download the secret access keys, and you must provide this information to your users before they can use the AWS API. Save the user's new access key ID and secret access key in a safe and secure place. You will not have access to the secret keys again after this step.
  9. Use this access key ID and secret access key to configure the BindPlane source.