This article outlines the steps needed to set up an integration with AWS that allows nodes in the AWS cloud to be detected and subsequently added to UpGuard.

Prerequisites

  • An AWS account
  • Active S3, EC2, RDS or Lambda resources in AWS that you want to add to UpGuard

Integration Outcomes

  • The integration saves the credentials that you supply to UpGuard securely in the database
  • A synchronization occurs every two hours (see the Scheduled Jobs page to alter this interval)
  • The Sync event calls out to AWS using the credentials supplied to return a list of nodes and their details
  • The information captured is then stored as a node, by default for processing on the Detected page
  • Alternatively, if ‘Automatically add’ is checked, the nodes are added directly to the ‘All Nodes’ group.

Setting Up

To add a new AWS integration, navigate to Control > Integrations then click Add Integration.


Enter in the details of your AWS integration.


Field | Description
Integration Name | The name of the integration within UpGuard.
Connection Manager Group | The Connection Manager Group that will detect and sync nodes from AWS.
AWS Access Key | The AWS access key for your AWS user, found in the AWS console.
AWS Secret Key | The secret key for your AWS user.
AWS IAM Role ARN (Optional) | If filled in, the access key’s user assumes the role whose ARN is provided.
Instance Types | Indicates the types of nodes you want to sync from AWS.
Automatically add nodes | By default, nodes are synced to the Detected Nodes page. If checked, the nodes are instead added directly to the Monitored page under the All Nodes node group.

Bulk Add Nodes via AWS

Another option for setting up an AWS integration is to navigate to Discover > Add Nodes and then select Add Nodes in Bulk with the AWS option. Here you can optionally add nodes using an existing AWS integration:


or create a new integration:


You can also sync nodes to the detected page without involving an AWS integration by selecting Manually enter credentials and then choosing not to select Create an Integration.

Security Group Permissions

The following permissions are required to sync nodes from AWS.

Service | Permissions
Auto Scaling Group | autoscaling:DescribeAutoScalingGroups
EBS | ec2:DescribeVolumes
EC2 | ec2:DescribeInstances
Lambda | lambda:GetFunction
Load Balancer | elb:DescribeLoadBalancers
RDS | rds:DescribeDBInstances
S3 | s3:ListBuckets and s3:GetBucketLocation
Security Groups | ec2:DescribeSecurityGroups
VPCs | ec2:DescribeVpcs
VPC Flow Logs | ec2:DescribeFlowLogs
VPC Peering Connections | ec2:DescribeVpcPeeringConnections

For a list of permissions required to scan nodes in each of these node types refer to this page.
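As an added example (not UpGuard's own code), the following builds a least-privilege IAM policy from the permissions table above and checks that a given policy document grants every required action and nothing beyond read-only Describe/Get/List calls, so the keys handed to the integration are of little use for anything else if they leak. Two entries use the real IAM action names where the table uses shorthand (load balancer actions live in the elasticloadbalancing namespace, and listing buckets is s3:ListAllMyBuckets); the READ_ONLY_VERBS set and the choice to flag wildcards as over-broad are my assumptions.

```python
import fnmatch

# Actions the UpGuard node sync needs, taken from the permissions table above.
# Two entries use the real IAM action names where the table uses shorthand:
# load balancers are in the "elasticloadbalancing" namespace and listing
# buckets is "s3:ListAllMyBuckets".
REQUIRED_ACTIONS = [
    "autoscaling:DescribeAutoScalingGroups",
    "ec2:DescribeVolumes",
    "ec2:DescribeInstances",
    "lambda:GetFunction",
    "elasticloadbalancing:DescribeLoadBalancers",
    "rds:DescribeDBInstances",
    "s3:ListAllMyBuckets",
    "s3:GetBucketLocation",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeVpcs",
    "ec2:DescribeFlowLogs",
    "ec2:DescribeVpcPeeringConnections",
]

# Constructed least-privilege policy for the IAM user (or role) the integration
# uses: exactly the actions above and nothing else.
UPGUARD_SYNC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": REQUIRED_ACTIONS, "Resource": "*"}],
}

READ_ONLY_VERBS = ("Describe", "Get", "List")  # assumed definition of "read-only"

def allowed_actions(policy):
    """Collect every action string from the policy's Allow statements."""
    actions = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.extend([act] if isinstance(act, str) else act)
    return actions

def check_sync_policy(policy):
    """Return (missing, broad): required actions the policy does not grant, and
    granted actions that are not plain read-only calls (wildcards count as broad)."""
    granted = allowed_actions(policy)
    missing = [a for a in REQUIRED_ACTIONS
               if not any(fnmatch.fnmatchcase(a, g) for g in granted)]
    broad = [g for g in granted
             if "*" in g or not g.split(":", 1)[-1].startswith(READ_ONLY_VERBS)]
    return missing, broad
```

If you fill in the optional IAM Role ARN field, attach this policy to the role instead and grant the access key's user only sts:AssumeRole on that role.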

What is an EC2 Instance node relative to a Windows or Linux node in AWS?

For nearly all of the AWS node types, the configuration associated with the component is defined and accessible outside the component itself. AWS EC2 instances, however, are a special case: you may want to track both the configuration of the instance from the outside (which security groups, load balancers and disks are attached to the instance) and from the inside (by performing a regular Windows or Linux style node scan of users, services and installed packages).

When you choose to detect EC2 Instances via the integration or the Detected Nodes page, the connection manager detects both the outer AWS EC2 Instance node and the inner Windows, Linux, etc. node. To help differentiate between the two, the operating system column on the Detected Nodes page shows either AWS EC2 Instance or Windows/Linux. The detected nodes are also named slightly differently: the inner node matches the name of the instance in AWS, whereas the outer configuration node has a “Config” suffix added to the node name.

Troubleshooting

  • Verify that the account credentials supplied for the AWS integration are correct.
  • Check whether the synced nodes appear on the Discover > Detected page rather than on the Discover > Monitored page (this depends on the Automatically add nodes setting).
  • Check the Control > Events page for AWS Sync events to confirm the status of the sync.