This article outlines the steps needed to set up an integration with AWS that allows nodes in the AWS cloud to be detected and subsequently added to UpGuard.

Prerequisites

  • An AWS account
  • Any S3, EC2, RDS or Lambda resources active in AWS that you want to add to UpGuard

Integration Outcomes

  • The integration saves the credentials that you supply to UpGuard securely in the database
  • A synchronization occurs every two hours (see the Scheduled Jobs page to alter this interval)
  • The Sync event calls out to AWS using the credentials supplied to return a list of nodes and their details
  • The captured information is stored as a node for review on the Detected page
  • Alternatively, if ‘Automatically add’ is checked, the nodes are added directly to the ‘All Nodes’ group

Setting Up

The AWS integration settings form is shown in the following screenshot.

[Screenshot: AWS integration settings form]

Fields on the form:

  • Integration Name: The name of the integration within UpGuard
  • Connection Manager Group: The default group that will be used to scan AWS EC2 nodes
  • AWS Access Key: The AWS account access key, found in the AWS console
  • AWS Secret Key: The secret key for your AWS user; emailed when the account was first created
  • AWS IAM Role ARN (Optional): If supplied, the user that owns the access key assumes the role identified by this ARN
  • Instance Types: If checked, indicates which types of nodes are of interest for adding
  • Automatically add nodes: If checked, new nodes discovered are automatically added to the ‘All Nodes’ group

Bulk Add Nodes via AWS

Another way to set up an AWS integration is by performing a bulk add of nodes through the Add Nodes flow, selecting AWS as an option to perform the bulk add.

The information captured on that page will match those in the integration setup flow, and is subsequently used to create an AWS integration which you can then view in the list of Integrations.

[Screenshot: Bulk add nodes via AWS]

Security Group Permissions

The following permissions are required to sync nodes from AWS.

Permissions by service:

  • EBS: ec2:DescribeVolumes
  • EC2: ec2:DescribeInstances
  • Lambda: lambda:GetFunction
  • Load Balancer: elb:DescribeLoadBalancers
  • RDS: rds:DescribeDBInstances
  • S3: s3:ListBuckets
  • Security Groups: ec2:DescribeSecurityGroups
  • VPCs: ec2:DescribeVpcs
  • VPC Flow Logs: ec2:DescribeFlowLogs
  • VPC Peering Connections: ec2:DescribeVpcPeeringConnections

For a list of permissions required to scan nodes in each of these node types refer to this page.
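The permission table above is the whole grant the sync needs, and every action in it is a read-only Describe/Get/List call. The following is an added example, not UpGuard's own code or policy: it encodes that table as data, builds the identity policy for the sync user (optionally restricted to the instance types ticked in the form), builds a trust policy for the optional IAM Role ARN setup, and lints a policy so that an accidentally widened grant such as `ec2:*` is caught before it is attached. The ExternalId condition in the trust policy and the account/user ARNs used in the test are assumptions and placeholders, not values from this page.

```python
"""Least-privilege IAM policy for the UpGuard AWS node sync.

Added example, not UpGuard's own code. The service-to-action mapping is copied
from the permissions table on this page; the trust policy and the ExternalId
hardening are assumptions, not something the page specifies.
"""
import json
import re

# Actions listed in the permissions table, keyed by the service they cover.
SYNC_PERMISSIONS = {
    "EBS": "ec2:DescribeVolumes",
    "EC2": "ec2:DescribeInstances",
    "Lambda": "lambda:GetFunction",
    "Load Balancer": "elb:DescribeLoadBalancers",
    "RDS": "rds:DescribeDBInstances",
    "S3": "s3:ListBuckets",
    "Security Groups": "ec2:DescribeSecurityGroups",
    "VPCs": "ec2:DescribeVpcs",
    "VPC Flow Logs": "ec2:DescribeFlowLogs",
    "VPC Peering Connections": "ec2:DescribeVpcPeeringConnections",
}

# Read-only IAM action shapes. Anything else (Create*, Delete*, Put*, "*")
# is a mutation and has no place in a discovery-only policy.
READ_ONLY_ACTION = re.compile(r"^[a-z0-9-]+:(Describe|Get|List)[A-Za-z]+$")


def build_sync_policy(services=None):
    """Return the identity policy document for the sync user or role.

    `services` restricts the grant to a subset of the table (for example only
    the instance types ticked in the integration form); None grants all rows.
    """
    wanted = SYNC_PERMISSIONS if services is None else {
        s: SYNC_PERMISSIONS[s] for s in services
    }
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "UpGuardNodeDiscovery",
            "Effect": "Allow",
            "Action": sorted(set(wanted.values())),
            # Describe/List calls are not resource-scoped, so "*" is required.
            "Resource": "*",
        }],
    }


def build_trust_policy(principal_arn, external_id=None):
    """Trust policy for the optional 'AWS IAM Role ARN' setup.

    Only the ARN of the access-key user may assume the role. `external_id`
    is an added hardening (assumption, not on the page): it prevents a third
    party who learns the role ARN from configuring it in their own account.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def find_write_actions(policy):
    """Return every allowed action that is not a read-only Describe/Get/List
    call, so a reviewer can reject an over-broad policy before attaching it."""
    offenders = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        offenders.extend(a for a in actions if not READ_ONLY_ACTION.match(a))
    return offenders


if __name__ == "__main__":
    policy = build_sync_policy()
    print(json.dumps(policy, indent=2))
    print("write actions in sync policy:", find_write_actions(policy))
    # A policy someone widened to ec2:* fails the lint.
    widened = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"}]}
    print("write actions in widened policy:", find_write_actions(widened))
```

Attach the identity policy to the dedicated IAM user whose access key you enter in the form, or to the role named in the IAM Role ARN field; keep the sync identity separate from any identity that can modify resources, so a leaked key yields read access to inventory metadata only.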

Troubleshooting

  • Verify that the account credentials supplied for the AWS integration are correct
  • Ensure that the nodes synced are either on the Discover > Detected page or on the Monitored page
  • Check the Events page for AWS Sync events to confirm the status of the sync