AWS

Lumeus integrates with your AWS account through the AWS SDK APIs to collect inventory and telemetry for cloud resources.

Prerequisites

You need to create an AWS IAM user for Lumeus to collect data and logs. The IAM user should have the following IAM permissions:

AWS managed Policies:

  • AmazonEC2ReadOnlyAccess

  • AmazonVPCReadOnlyAccess

  • ElasticLoadBalancingReadOnly

  • AWSWAFReadOnlyAccess

AWS Inline Policies:

  • TGW Route Table

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:SearchTransitGatewayRoutes",
            "Resource": "*"
        }
    ]
}

  • STS Key

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:GetAccessKeyInfo",
            "Resource": "*"
        }
    ]
}

Setup

  1. Go to Settings -> Integrations and Click on + AWS.

  2. In the Create AWS Integration form add the following:

    • Name & Description

    • Authentication Type: These are the supported authentication types with AWS IAM:

      1. Programmatic Access:

        • This type authenticates with an Access Key ID and Secret Access Key generated in the AWS Console.

        • These are long-term keys. Whenever they are rotated or modified in AWS, the secret must also be updated in the Lumeus Portal.

      2. Temporary Access:

        • Authentication uses an AWS STS assumed role.

        • Enter the ARN of the AWS IAM user/role that Lumeus should assume via STS.

        • External ID: If the role's trust policy requires an external ID, enter it here.

        • Session ID: Identifies the assumed-role session so that all API calls made by Lumeus on AWS can be tracked (for example in CloudTrail).

    • Regions: Select the regions which you want to monitor via Lumeus. You can select multiple regions.

    • Flow Log Collection: Enable the checkbox if traffic flow logs (e.g. VPC Flow Logs delivered to CloudWatch) should be collected and analyzed.

    • Flow Logs can be collected either via CloudWatch or can be read from S3 bucket files.
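As an added example that is not part of the Lumeus documentation, the following Python builds the trust policy for the role used with Temporary Access (the sts:ExternalId condition is what makes the role require the External ID), combines the two inline policies from the Prerequisites section into one document, and runs a simple least-privilege check that flags any allowed action that is not read-only by name. The account ID, External ID and Sid values are constructed placeholders.

```python
import json

# Constructed placeholders (assumptions), not values from the Lumeus page.
LUMEUS_ACCOUNT_ID = "111111111111"    # account that will call sts:AssumeRole
EXTERNAL_ID = "example-external-id"   # the External ID entered in the Lumeus portal


def trust_policy(principal_account: str, external_id: str) -> dict:
    """Trust policy for the role assumed under 'Temporary Access'.

    The sts:ExternalId condition rejects any AssumeRole call that does not
    present the matching External ID, which is what protects the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{principal_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


# The two inline policies from the Prerequisites section, merged into one.
INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TgwRouteTable", "Effect": "Allow",
         "Action": "ec2:SearchTransitGatewayRoutes", "Resource": "*"},
        {"Sid": "StsKey", "Effect": "Allow",
         "Action": "sts:GetAccessKeyInfo", "Resource": "*"},
    ],
}

READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Search")


def non_read_only_actions(policy: dict) -> list:
    """Return Allow actions that are not read-only by name, e.g. 'ec2:CreateRoute'.
    Wildcard actions such as 'ec2:*' are flagged because they cannot be proven read-only."""
    offending = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            _, _, verb = action.partition(":")
            if "*" in action or not verb.startswith(READ_ONLY_PREFIXES):
                offending.append(action)
    return offending


if __name__ == "__main__":
    print(json.dumps(trust_policy(LUMEUS_ACCOUNT_ID, EXTERNAL_ID), indent=4))
    print("non-read-only actions:", non_read_only_actions(INLINE_POLICY))
```

Run the check against any policy document before attaching it to the Lumeus user or role; an empty result for the page's inline policies confirms they grant only read-style actions.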

For more details on how to configure AWS IAM for the different credential types, refer to the AWS documentation below:

https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html
