Manually configuring SQS, SNS, and CloudWatch rules - Adaptive Applications - BlueCat Gateway - 21.1

Cloud Discovery & Visibility AWS Administration Guide

Locale: English (United States)
Product name: BlueCat Gateway
Version: 21.1
If your AWS user account has write permissions to SQS, SNS, and CloudWatch, the Enable Visibility after Discovery option attempts to create the queue and rule if they do not exist in AWS. If your AWS user account does not have the correct write permissions, you must manually configure the SQS, SNS, and CloudWatch rules. The following section outlines how to create the required rules for your account in AWS to enable visibility.
Note: If any of the SQS, SNS, and CloudWatch permissions do not exist, an error appears in the Cloud Discovery & Visibility AWS UI indicating which specific permissions are missing and visibility will not run.
Cloud Discovery & Visibility creates a hash that is appended to the names of the CloudWatch rule, SNS topic, and SQS queue. The hash is produced from a string that combines the Address Manager URL, the Address Manager username, the AWS region name, the ARN username, and the configuration name, separated by underscores. In the following example, the string is built from the following information:
  • Address Manager URL: http://10.10.10.111/Services/API?wsdl
  • Address Manager username: api
  • AWS region name: ap-southeast-1
  • ARN username: tdinh
  • Configuration name: discovery_visibility_aws_01

The example information produces the string http://10.10.10.111/Services/API?wsdl_api_ap-southeast-1_tdinh_discovery_visibility_aws_01. Cloud Discovery & Visibility produces the following hash from this information: 38b640be47bdd365b5e05dea01189899.

You can manually generate the hash of the string using the following command. Quote the string, since it contains characters such as ? that the shell would otherwise interpret, and keep the -n flag: a trailing newline would be hashed too and produce a different value.
echo -n '<string>' | md5sum
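The derivation above, as an added example that is not part of the original page: the five values are joined with underscores in the documented order, hashed with MD5 exactly as the echo -n | md5sum command does, and the hash is then expanded into every resource name the procedure below expects, so you can compare them against what exists in the AWS console. The sample values are the page's own worked example; printf is used instead of echo -n because the echo built into some POSIX shells (dash, for instance) does not honour -n and would silently hash the string with a trailing newline.

```sh
#!/bin/sh
# Added example: reproduce the Cloud Discovery & Visibility name derivation.

# Join the five identifying values with underscores, in the documented order:
# $1 Address Manager URL, $2 Address Manager username, $3 AWS region,
# $4 ARN username, $5 configuration name.
dv_string() {
  printf '%s_%s_%s_%s_%s' "$1" "$2" "$3" "$4" "$5"
}

# MD5 of the exact string with no trailing newline (same result as echo -n ... | md5sum).
dv_hash() {
  printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Resource names Cloud Discovery & Visibility looks for, given the hash.
dv_ec2_topic() { printf 'BC-DV-EC2-TOPIC-%s' "$1"; }
dv_queue()     { printf 'BC-DV-%s' "$1"; }
dv_ec2_rule()  { printf 'BC-DV-EC2-CW-%s' "$1"; }
dv_r53_topic() { printf 'BC-DV-R53-TOPIC-%s' "$1"; }
dv_r53_rule()  { printf 'BC-DV-R53-CW-%s' "$1"; }

# Print every expected name for one hash.
dv_print_names() {
  h=$1
  printf 'EC2/ELB SNS topic:   %s\n' "$(dv_ec2_topic "$h")"
  printf 'SQS queue:           %s\n' "$(dv_queue "$h")"
  printf 'EC2/ELB CW rule:     %s\n' "$(dv_ec2_rule "$h")"
  printf 'Route 53 SNS topic:  %s\n' "$(dv_r53_topic "$h")"
  printf 'Route 53 CW rule:    %s\n' "$(dv_r53_rule "$h")"
}

# Sample values taken from the page's worked example.
s=$(dv_string 'http://10.10.10.111/Services/API?wsdl' api ap-southeast-1 tdinh discovery_visibility_aws_01)
h=$(dv_hash "$s")
printf 'string: %s\nhash:   %s\n' "$s" "$h"
dv_print_names "$h"
```

If the hash printed here does not match the one shown in the Cloud Discovery & Visibility UI, one of the five inputs differs (most often the Address Manager URL, which must match character for character, including the ?wsdl suffix), and resources created under the wrong names will never be found.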
If enabling visibility fails because the account has insufficient write permissions to those services, contact an AWS administrator either to grant you temporary write access or to configure the AWS SQS Standard queue, SNS topics, and CloudWatch rules as follows:
  • Create a Standard SNS topic in your region with the name BC-DV-EC2-TOPIC-<hash string>. In the following example, the topic created is BC-DV-EC2-TOPIC-38b640be47bdd365b5e05dea01189899:

  • Create a Standard SQS queue in your region with a name in the following format: BC-DV-<hash string>. In the following example, the queue created is BC-DV-38b640be47bdd365b5e05dea01189899:

  • Create a CloudWatch Rule for AWS VPC, EC2 with a name in the following format: BC-DV-EC2-CW-<hash string>. Configure the rule with the following event pattern, with the target configured as the name of the CloudWatch Rule for AWS VPC, EC2:
    {
        "source": [
            "aws.ec2",
            "aws.elasticloadbalancing"
        ],
        "detail-type": [
            "AWS API Call via CloudTrail"
        ],
        "detail": {
            "eventSource": [
                "ec2.amazonaws.com",
                "elasticloadbalancing.amazonaws.com"
            ]
        }
    }


  • Create a subscription on the previously configured topic, with the protocol set to Amazon SQS and the endpoint set to the ARN of the previously configured SQS queue.

  • If you are configuring visibility for AWS Route 53, create a Standard SNS topic in the us-east-1 region with a name in the following format: BC-DV-R53-TOPIC-<hash string>. In the following example, the topic created is BC-DV-R53-TOPIC-38b640be47bdd365b5e05dea01189899:

  • Create a CloudWatch Rule for AWS Route 53 with a name in the following format: BC-DV-R53-CW-<hash string>. Configure the rule with the following event pattern, with the target configured as the name of the CloudWatch Rule for AWS Route 53:
    {
        "source": [
            "aws.route53"
        ],
        "detail-type": [
            "AWS API Call via CloudTrail"
        ],
        "detail": {
            "eventSource": [
                "route53.amazonaws.com"
            ]
        }
    }


  • Create a subscription on the previously configured Route 53 topic, with the protocol set to Amazon SQS and the endpoint set to the ARN of the previously configured SQS queue.
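The whole procedure above, from the EC2/ELB topic through the Route 53 subscription, as an added AWS CLI script that is not BlueCat's code. It assumes the AWS CLI is installed, that the active credentials may write SNS, SQS and EventBridge (the service behind CloudWatch rules) in this account, and that HASH holds the value derived earlier; the default is the page's worked example. Two pieces of wiring that the console performs implicitly are spelled out because the CLI does not add them: each topic's access policy must let events.amazonaws.com publish, or the rule fires into nothing, and the queue's access policy is scoped with aws:SourceArn so that only the two BlueCat topics, and no other topic in the account, can deliver to it. Nothing is created unless the script is run with the argument apply.

```sh
#!/bin/sh
# Added example, not BlueCat's code: create the visibility resources with the AWS CLI.
# Assumes the AWS CLI is installed and the active credentials may write SNS, SQS and
# EventBridge (CloudWatch Events) in this account. Run with "apply" to create anything.
set -eu

HASH=${HASH:-38b640be47bdd365b5e05dea01189899}   # hash from the page's worked example; override with yours
REGION=${REGION:-ap-southeast-1}                  # region whose EC2/ELB activity is monitored
R53_REGION=us-east-1                              # Route 53 is global; its CloudTrail events surface here

# Event patterns, as given in the procedure (compact form).
ec2_event_pattern() {
  cat <<'EOF'
{"source":["aws.ec2","aws.elasticloadbalancing"],"detail-type":["AWS API Call via CloudTrail"],
 "detail":{"eventSource":["ec2.amazonaws.com","elasticloadbalancing.amazonaws.com"]}}
EOF
}
r53_event_pattern() {
  cat <<'EOF'
{"source":["aws.route53"],"detail-type":["AWS API Call via CloudTrail"],
 "detail":{"eventSource":["route53.amazonaws.com"]}}
EOF
}

# Topic policy: EventBridge must be allowed to publish to a topic created outside the console.
topic_policy() { # $1 topic ARN
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Sid":"AllowEventBridgePublish","Effect":"Allow",
 "Principal":{"Service":"events.amazonaws.com"},"Action":"sns:Publish","Resource":"$1"}]}
EOF
}

# Queue policy: only the two BlueCat topics may deliver to the queue (aws:SourceArn), nothing else.
queue_policy() { # $1 queue ARN, $2 EC2 topic ARN, $3 Route 53 topic ARN
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Sid":"AllowBlueCatTopics","Effect":"Allow",
 "Principal":{"Service":"sns.amazonaws.com"},"Action":"sqs:SendMessage","Resource":"$1",
 "Condition":{"ArnEquals":{"aws:SourceArn":["$2","$3"]}}}]}
EOF
}

# Escape a JSON document read from stdin so it can be embedded as a JSON string value
# (the SQS Policy attribute is a string containing JSON, not nested JSON).
json_string() { sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' | tr -d '\n'; }

apply() {
  ec2_topic=$(aws sns create-topic --region "$REGION" --name "BC-DV-EC2-TOPIC-$HASH" \
              --query TopicArn --output text)
  r53_topic=$(aws sns create-topic --region "$R53_REGION" --name "BC-DV-R53-TOPIC-$HASH" \
              --query TopicArn --output text)
  queue_url=$(aws sqs create-queue --region "$REGION" --queue-name "BC-DV-$HASH" \
              --query QueueUrl --output text)
  queue_arn=$(aws sqs get-queue-attributes --region "$REGION" --queue-url "$queue_url" \
              --attribute-names QueueArn --query Attributes.QueueArn --output text)

  # Access policies first, so the rules and subscriptions below can deliver as soon as they exist.
  aws sns set-topic-attributes --region "$REGION" --topic-arn "$ec2_topic" \
      --attribute-name Policy --attribute-value "$(topic_policy "$ec2_topic")"
  aws sns set-topic-attributes --region "$R53_REGION" --topic-arn "$r53_topic" \
      --attribute-name Policy --attribute-value "$(topic_policy "$r53_topic")"
  aws sqs set-queue-attributes --region "$REGION" --queue-url "$queue_url" \
      --attributes "{\"Policy\": \"$(queue_policy "$queue_arn" "$ec2_topic" "$r53_topic" | json_string)\"}"

  # CloudWatch (EventBridge) rules with each topic as target.
  aws events put-rule --region "$REGION" --name "BC-DV-EC2-CW-$HASH" --event-pattern "$(ec2_event_pattern)"
  aws events put-targets --region "$REGION" --rule "BC-DV-EC2-CW-$HASH" \
      --targets "Id=bluecat-ec2-topic,Arn=$ec2_topic"
  aws events put-rule --region "$R53_REGION" --name "BC-DV-R53-CW-$HASH" --event-pattern "$(r53_event_pattern)"
  aws events put-targets --region "$R53_REGION" --rule "BC-DV-R53-CW-$HASH" \
      --targets "Id=bluecat-r53-topic,Arn=$r53_topic"

  # Subscribe the single queue to both topics; the Route 53 subscription is cross-region, which SNS allows.
  aws sns subscribe --region "$REGION" --topic-arn "$ec2_topic" --protocol sqs --notification-endpoint "$queue_arn"
  aws sns subscribe --region "$R53_REGION" --topic-arn "$r53_topic" --protocol sqs --notification-endpoint "$queue_arn"
}

if [ "${1:-}" = apply ]; then apply; fi
```

Once the script has run, the account that runs Cloud Discovery & Visibility needs only read access to the queue (sqs:ReceiveMessage and sqs:DeleteMessage on BC-DV-<hash string>), which is what allows the write permissions to be withdrawn afterwards as described below.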

Once the configurations have been made in AWS, you can select the Enable Visibility after Discovery option. After the visibility task has run once, and the SQS, SNS, and CloudWatch rules are defined in AWS, your AWS administrator can revert your AWS account permissions to read-only if you were granted temporary write access.