When an AWS account is created, you are signed-in as a root user (a single sign in entity) with unrestricted access to the subscribed AWS services, using an email and password unique to your organization. As a best practice, avoid using the root user account for basic tasks. Use Identity and Access Management (IAM) credentials to authorize OpsRamp to manage your resources.

Install the AWS integration on the OpsRamp console using Identity and Access Management (IAM) access key ID and secret access key with AssumeRole. IAM is a web service that helps in securely controlling access to AWS services. For more information, see What is IAM?

IAM role helps you establish a trust relationship between the trusting account and a trusted account. The trusting account owns the AWS services to be accessed and the trusted account includes the users who need access to the services. This operation provides temporary security credentials that enable access to AWS services in your account. To learn more, view Providing access to AWS accounts owned by third parties.

Prerequisites

  • You have an AWS root account (trusting account).
  • Create another AWS account (trusted account).

Workflow

Process Flow - Installing AWS integrations with IAM AssumeRole credentials

AWS configuration

To install AWS with IAM AssumeRole credentials:

Step 1: Configure the trusting account

  1. Sign into your AWS management console with your root account credentials and create a new role.

  2. Select the role type as Another AWS account.

  3. In the Account ID field, enter the AWS account ID to which you want to grant access, the trusted account.

  4. Click Next: Permissions.

  5. Click Create Policy.

  6. On the Create Policy page, click the JSON tab and paste the policy snippet given in the Appendix.

    To learn more about permission policy, refer to Creating IAM Policies (console).

  7. Click Review Policy and give a suitable name to the policy.

  8. Review the role and click Create role.
    The details of the role created are displayed.

  9. Copy the Role ARN at a safe location in a text editor such as Notepad.

Step 2: Configure the trusted account

  1. Sign in to your trusted account in AWS management console.

  2. From the navigation pane, click Users > Add user and give a suitable name to the new user.

    For details, see AWS documentation on Creating users on AWS console.

  3. Select programmatic access as a type of access and click Next: Permissions.

    Programmatic access is for the users who require access to the API, AWS CLI, or Tools for Windows PowerShell. The programmatic access option creates an access key and security access key for each new user.

    On the Set permissions page, specify how you want to assign permissions to the user and click Next: Tags. Refer to Creating IAM Policies (console).

  4. (Optional) Add metadata to the user by attaching tags as key-value pairs and click Next: Review to see the details.

  5. Click Create user.
    The page displays the user access key ID and secret access keys.

  6. Save the access keys by clicking Download.csv at a safe location.

This is your only opportunity to view or download the secret access keys. Save the access key ID and secret access key generated in a secure place. You do not have access to the secret keys again after this step.

OpsRamp configuration

  1. Go to Setup > Integrations and Apps. If apps are already installed, the INSTALLED APPS page is displayed, else the AVAILABLE APPS page is displayed.

  2. From the Available Integrations page, click Public Cloud and click AWS.

  3. Click Install.

  4. On the Install AWS Integration page:

    • Name: Give a suitable name for the integration.
    • Region(s): Select the AWS region from the drop-down list. The services that belong to the selected region are onboarded.
      You can select multiple regions to onboard the services. If you select two regions A and B, and if you are not authorized to access region B, onboarding fails for both regions A and B.
    • AWSType: Select IAM with AssumeRole.
    • Account Number: Enter the account number of the trusted account.
    • Access Key: Provide Access Key generated in the AWS console of the trusted account.
    • Security Key: Provide Security Key generated in the AWS console of the trusted account.
    • AssumeRole ARN: Enter the AssumeRole ARN of the trusting account saved from Step 1.
    • External ID: (Optional) Enter the External ID if you want to grant access through this option.
    • Install All Linked Accounts: Select the checkbox if you have landing zones configured for your AWS account and want to onboard the child accounts under the root (trusting) account.

    If you select Install All Linked Accounts, all the linked child accounts are displayed in the list of integrations.

    The configurations of discovery profile created for the parent/master/payer account apply to all the child accounts at the time of the first scan. For successive scans, you have to edit the discovery profiles individually for each child account.

  5. Click Install. The AWS icon is displayed in the list of installed integrations with the details such as installed time, installed by, and enable status.

  6. Click the AWS icon. The AWS integration page opens and the credentials and discovery profiles are displayed.

Appendix: AWS permission policy for allowing access to OpsRamp

{
"Version": "2012-10-17",
	"Statement": [{
		"Effect": "Allow",
		"Resource": "*",
		"Action": [
			"autoscaling:Describe*",
			"autoscaling:Get*",
			"autoscaling:List*",
			"cloudtrail:Describe*",
			"cloudtrail:Get*",
			"cloudtrail:List*",
			"cloudformation:Describe*",
			"cloudformation:Get*",
			"cloudformation:List*",
			"cloudfront:Describe*",
			"cloudfront:Get*",
			"cloudfront:List*",
			"cloudwatch:Describe*",
			"cloudwatch:Get*",
			"cloudwatch:List*",
			"dynamodb:Describe*",
			"dynamodb:Get*",
			"dynamodb:List*",
			"ec2:Describe*",
			"ec2:Get*",
			"ec2:List*",
			"elasticache:Describe*",
			"elasticache:Get*",
			"elasticache:List*",
			"elasticloadbalancing:Describe*",
			"elasticloadbalancing:Get*",
			"elasticloadbalancing:List*",
			"elasticmapreduce:Describe*",
			"elasticmapreduce:Get*",
			"elasticmapreduce:List*",
			"iam:Describe*",
			"iam:Get*",
			"iam:List*",
			"kinesis:Describe*",
			"kinesis:Get*",
			"kinesis:List*",
			"route53:Describe*",
			"route53:List*",
			"route53:Get*",
			"redshift:Describe*",
			"redshift:List*",
			"redshift:Get*",
			"rds:Describe*",
			"rds:List*",
			"rds:Get*",
			"s3:Describe*",
			"s3:List*",
			"s3:Get*",
			"sdb:Describe*",
			"sdb:List*",
			"sdb:Get*",
			"sns:Describe*",
			"sns:List*",
			"sns:Get*",
			"sqs:Describe*",
			"sqs:Get*",
			"sqs:List*",
			"lambda:list*",
			"lambda:get*",
			"lambda:describe*",
			"MachineLearning:describe*",
			"MachineLearning:list*",
			"MachineLearning:get*",
			"StorageGateway:describe*",
			"StorageGateway:list*",
			"StorageGateway:get*",
			"ApiGateway:describe*",
			"ApiGateway:get*",
			"ApiGateway:list*",
			"ecs:describe*",
			"ecs:get*",
			"ecs:list*",
			"workspaces:list*",
			"workspaces:get*",
			"workspaces:describe*",
			"lightsail:list*",
			"lightsail:get*",
			"lightsail:describe*"
		]
	}]
}