Cloud Discovery & Visibility (CDV) must be authorized with the Amazon Web Services (AWS) infrastructure in order to perform discovery. CDV supports two kinds of AWS authentication directly:
- AWS user account credentials: An AWS user account has an access key and a secret key, which you specify in the CDV AWS Credentials settings. The permissions required by CDV must be assigned to the AWS user account that it uses.
- AWS EC2 instance credentials: If CDV is deployed on an EC2 instance, CDV can instead automatically acquire authorization credentials from the EC2 instance metadata.
Using Assume Role providers with CDV:
CDV also supports AWS Assume Role providers for authentication during discovery. When using an Assume Role provider, CDV remains signed in with the specified credentials but temporarily assumes a role in a different account so that it can perform discovery on that account. While assuming a role, CDV gains the permissions and access assigned to the assumed role.
CDV can use Assume Role providers for both standard AWS user accounts and EC2 instance credentials.
AWS authentication scenarios
The following table lists possible AWS authentication scenarios with CDV and summarizes the required setup and configuration.
Scenario | Summary
--- | ---
A single AWS user account | CDV signs in as a specified AWS user account. This account should have the needed permissions and trust relationships for CDV to perform discovery. For a list of needed permissions, see Amazon Web Services (AWS) environments. In CDV, follow the instructions in Setting up a single AWS user account for Cloud Discovery & Visibility. In particular, in the Setup page, within the AWS Credentials section and in the Basic tab, make sure the Use EC2 instance credentials checkbox is cleared.
A single AWS user account and an assumed role | CDV signs in as a specified AWS user account. During discovery, it accesses a separate role that is configured as an Assume Role provider in AWS, temporarily gaining the access and permissions that are assigned to the assumed role. In AWS, this scenario requires the following: Account A does not need the permissions that the role on Account B has. Instead, Account A should have the Within CDV, follow the instructions in Setting up a single AWS user account for Cloud Discovery & Visibility. In particular, in the Setup page, within the AWS Credentials section and in the Basic tab, make sure the Use EC2 instance credentials checkbox is cleared. Also make sure you tick the Enable AWS Role Assumption checkbox and enter the AWS Role ARN for the assumed role.
AWS EC2 instance credentials (only) | CDV acquires the appropriate credentials from the EC2 instance. These credentials should have the needed permissions and trust relationships for CDV to perform discovery. For a list of needed permissions, see Amazon Web Services (AWS) environments. In CDV, follow the instructions in Setting up CDV to use EC2 instance accounts for authentication. In particular, in the Setup page, within the AWS Credentials section and in the Basic tab, make sure the Use EC2 instance credentials checkbox is ticked.
AWS EC2 instance credentials and an assumed role | CDV acquires the appropriate credentials from the EC2 instance. During discovery, it accesses a separate role that is configured as an Assume Role provider in AWS, temporarily gaining the access and permissions that are assigned to the assumed role. In CDV, follow the instructions in Setting up CDV to use EC2 instance accounts for authentication. In particular, in the Setup page, within the AWS Credentials section and in the Basic tab, make sure the Use EC2 instance credentials checkbox is ticked. Within AWS, make sure the
Multiple authorization credentials for different regions | To apply different AWS credentials to different regions, first prepare a text file with credential information for each region. Each line in the file defines a single set of credentials, listing the region, the access key, and (optionally) the role ARN that CDV should assume when using those credentials. Within CDV, you then import this file in the Setup page, within the AWS Credentials section and in the Advanced tab. For more details, see AWS Credentials: Advanced tab.
Multiple accounts in an Organization | CDV supports discovery for multiple accounts in an organization, accessed from one set of credentials. For more details, see Setting up and running AWS Organization-level discovery jobs.
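For the two assumed-role scenarios above, the trust policy on the role in Account B decides which Account A principal CDV may use. The following is an added example, not CDV code: a small pre-check that reads a role trust policy and reports whether the principal CDV signs in as is admitted for sts:AssumeRole. The account ids, user name and external id are constructed.

```python
import json

# Constructed sample: trust policy on the discovery role in Account B
# (222222222222) admitting only the CDV user in Account A, with an external id.
TRUST_POLICY_USER = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:user/cdv-discovery"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "cdv-example-id"}}}]})

# Constructed sample: same role trusting all of Account A via its root ARN;
# every principal in Account A that holds sts:AssumeRole may then use it.
TRUST_POLICY_ROOT = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole"}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, caller_arn):
    # "*" admits anyone; an account root ARN admits any principal of that
    # account (ARN field 4 is the account id); otherwise exact match.
    if principal == "*":
        return True
    if principal.endswith(":root"):
        return caller_arn.split(":")[4] == principal.split(":")[4]
    return principal == caller_arn

def can_assume(trust_policy_json, caller_arn, external_id=None):
    """True if an Allow statement admits caller_arn for sts:AssumeRole.
    Deny statements and conditions other than sts:ExternalId are ignored."""
    doc = json.loads(trust_policy_json)
    for stmt in _as_list(doc.get("Statement", [])):
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRole" not in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        allowed = _as_list(principal if isinstance(principal, str)
                           else principal.get("AWS", []))
        if not any(_principal_matches(p, caller_arn) for p in allowed):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if ("sts:ExternalId" in cond
                and external_id not in _as_list(cond["sts:ExternalId"])):
            continue
        return True
    return False
```

Run the check against the role whose ARN you enter in CDV before enabling role assumption; a root-ARN trust is a useful warning sign that the role is reachable from more of Account A than the CDV principal alone.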