- An AWS account
- Any S3, EC2, RDS or Lambda resources active in AWS that you want to add to UpGuard
- The integration saves the credentials that you supply to UpGuard securely in the database
- A synchronization occurs every two hours (see the Scheduled Jobs page to alter this interval)
- The Sync event calls out to AWS using the credentials supplied to return a list of nodes and their details
- The information captured is then stored as a node, either for review on the Detected page or, if ‘Automatically add’ is checked, added directly to the ‘All Nodes’ group.
To add a new AWS integration, navigate to Control > Integrations then click Add Integration.
If the AWS integration is not available to you on the "Integrations" page, please contact your account manager to have your instance updated.
Enter the details of your AWS integration.

| Field | Description |
|---|---|
| Integration Name | The name of the integration within UpGuard. |
| Connection Manager Group | The Connection Manager Group that will detect and sync nodes from AWS. |
| AWS Access Key | The access key of the AWS user, as found in the AWS console. |
| AWS Secret Key | The secret key for your AWS user. |
| AWS IAM Role ARN (Optional) | If filled, the access key’s user assumes the role identified by the ARN provided. |
| Instance Types | The types of nodes you want to sync from AWS. |
| Automatically add nodes | By default, nodes are synced to the Detected Nodes page. If checked, nodes are added directly to the Monitored page under the All Nodes node group. |
Bulk Add Nodes via AWS
Another option for setting up an AWS integration is to navigate to Discover > Add Nodes, then select Add Nodes in Bulk with the AWS option. Here you can optionally add nodes using an existing AWS integration:
or create a new integration:
You can also sync nodes to the detected page without involving an AWS integration by selecting Manually enter credentials and then choosing not to select Create an Integration.
Security Group Permissions
The following permissions are required to sync nodes from AWS.

| Node Type | Required Permissions |
|---|---|
| Auto Scaling Group | |
| VPC Flow Logs | |
| VPC Peering Connections | |
For a list of permissions required to scan nodes in each of these node types refer to this page.
What is an EC2 Instance node relative to a Windows or Linux node in AWS?
For nearly all of the AWS node types, the configuration associated with the component is defined and accessible outside the component itself. EC2 instances are the exception: you may want to track both the configuration of the instance from the outside (which security groups, load balancers and disks are attached to it) and from the inside (by performing a regular Windows or Linux style node scan of the users, services and packages installed).
When you select to detect EC2 Instances via the integration or the Detected Nodes page, the connection manager will detect both the outer AWS EC2 Instance node and the inner Windows, Linux, etc. node. To help differentiate between the two, the operating system column on the Detected Nodes page should either say
AWS EC2 Instance versus
The detected nodes will also be named slightly differently. The inner node will match the name of the instance in AWS, whereas the outer configuration node will have a “Config” suffix added to the node name.
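The two-node split described above, as an added illustration that is not UpGuard's own code: it walks a constructed response in the shape AWS `DescribeInstances` returns and produces, for each instance, the outer “Config” node (operating system column `AWS EC2 Instance`) and the inner OS node named after the instance. The exact suffix spacing (`"<name> Config"`), the use of the `Name` tag with a fallback to the instance ID, and the mapping of the `Platform` field to Windows/Linux are assumptions made here for the example.

```python
"""Illustrative model (not UpGuard code) of how one EC2 instance yields two detected nodes."""
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass(frozen=True)
class DetectedNode:
    name: str
    operating_system: str   # value shown in the Detected Nodes "operating system" column
    destination: str        # "Detected" by default, "All Nodes" when "Automatically add" is checked


def instance_name(instance: Dict[str, Any]) -> str:
    """Use the EC2 Name tag; fall back to the instance ID when it is absent (assumption)."""
    for tag in instance.get("Tags", []):
        if tag.get("Key") == "Name" and tag.get("Value"):
            return tag["Value"]
    return instance["InstanceId"]


def inner_os(instance: Dict[str, Any]) -> str:
    """DescribeInstances sets Platform="windows" for Windows; Linux instances omit the field."""
    return "Windows" if instance.get("Platform", "").lower() == "windows" else "Linux"


def nodes_for_instance(instance: Dict[str, Any], auto_add: bool = False) -> List[DetectedNode]:
    """Outer configuration node (Config suffix) plus inner OS node, routed per the auto-add flag."""
    destination = "All Nodes" if auto_add else "Detected"
    name = instance_name(instance)
    return [
        DetectedNode(f"{name} Config", "AWS EC2 Instance", destination),  # outer node
        DetectedNode(name, inner_os(instance), destination),              # inner node
    ]


def nodes_from_describe_instances(response: Dict[str, Any], auto_add: bool = False) -> List[DetectedNode]:
    """Flatten Reservations -> Instances and emit the node pairs in order."""
    nodes: List[DetectedNode] = []
    for reservation in response.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            nodes.extend(nodes_for_instance(instance, auto_add))
    return nodes


# Constructed sample in the DescribeInstances response shape (not real account data).
SAMPLE_RESPONSE: Dict[str, Any] = {
    "Reservations": [
        {
            "Instances": [
                {   # Linux instance with a Name tag
                    "InstanceId": "i-0example000000001",
                    "Tags": [{"Key": "Name", "Value": "web-01"}],
                },
                {   # Windows instance without a Name tag
                    "InstanceId": "i-0example000000002",
                    "Platform": "windows",
                    "Tags": [{"Key": "Environment", "Value": "staging"}],
                },
            ]
        }
    ]
}


if __name__ == "__main__":
    for node in nodes_from_describe_instances(SAMPLE_RESPONSE):
        print(f"{node.name:32} {node.operating_system:18} -> {node.destination}")
```

Running the block prints four rows: `web-01 Config` / `AWS EC2 Instance` and `web-01` / `Linux` for the first instance, then the same pair for the untagged Windows instance keyed by its instance ID. Passing `auto_add=True` sends every node to `All Nodes` instead of `Detected`, mirroring the “Automatically add nodes” option.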
- Verify that the account credentials supplied for the AWS integration are correct.
- Check whether the synced nodes are on the Discover > Detected page rather than the Discover > Monitored page.
- Check the Control > Events page for AWS Sync events to confirm the status of the sync.