About AWS authentication in Cloud Discovery & Visibility - Adaptive Applications - BlueCat Gateway - 24.1.1

Cloud Discovery & Visibility Administration Guide

Locale
English
Product name
BlueCat Gateway
Version
24.1.1

Cloud Discovery & Visibility (CDV) must be authorized with the Amazon Web Services (AWS) infrastructure in order to perform discovery. CDV supports two kinds of AWS authentication directly:

  • AWS user account credentials: An AWS (IAM) user account has an access key ID and a secret access key, which you specify in the CDV AWS Credentials settings. The permissions required by CDV must be granted to the user account that it signs in as.

  • AWS EC2 instance credentials: If CDV is deployed on an EC2 instance, CDV can instead automatically obtain temporary credentials for the IAM role attached to that instance from the EC2 instance metadata service. No access key or secret key is stored in CDV in this case.

Using Assume Role providers with CDV:

CDV also supports AWS Assume Role providers for authentication during discovery. When using an Assume Role provider, CDV remains signed in with its own credentials, but temporarily assumes an IAM role, typically in a different AWS account, so that it can perform discovery in that account. While assuming the role, CDV has the permissions and access granted to the assumed role, not those of its own credentials.

CDV can use Assume Role providers for both standard AWS user accounts and EC2 instance credentials.

AWS authentication scenarios

The following table lists possible AWS authentication scenarios with CDV and summarizes the required setup and configuration.

Scenario Summary
A single AWS user account

CDV signs in as a specified AWS user account. This account should have the needed permissions and trust relationships for CDV to perform discovery. For a list of needed permissions, see Amazon Web Services (AWS) environments.

In CDV, follow the instructions in Setting up a single AWS user account for Cloud Discovery & Visibility. In particular, in the Setup page, within the AWS Credentials section and in the Basic tab, make sure the Use EC2 instance credentials checkbox is cleared.

A single AWS user account and an assumed role

CDV signs in as a specified AWS user account. During discovery, it accesses a separate role that is configured as an Assume Role provider in AWS, temporarily gaining the access and permissions that are assigned to the assumed role.

In AWS, this scenario requires the following:

  • An AWS account containing the user account that CDV signs in as ("Account A").

  • A second AWS account ("Account B") in which you have created a role that CDV will assume during discovery. This role should have the needed permissions for CDV to perform discovery, and its trust policy must name the Account A user as a principal allowed to assume it. For a list of needed permissions, see Amazon Web Services (AWS) environments.

The user in Account A does not need the permissions that the role in Account B has. Instead, it needs only the sts:AssumeRole permission on the Amazon Resource Name (ARN) of that role, which identifies Account B (by its 12-digit account ID, not its name) and the role. For example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor4",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<Account B ID>:role/<Role name>"
        }
    ]
}

Within CDV, follow the instructions in Setting up a single AWS user account for Cloud Discovery & Visibility. In particular, in the Setup page, within the AWS Credentials section and in the Basic tab, make sure the Use EC2 instance credentials checkbox is cleared. Also make sure you tick the Enable AWS Role Assumption checkbox and enter the AWS Role ARN for the assumed role.

AWS EC2 instance credentials (only)

CDV acquires temporary credentials from the EC2 instance it runs on. The IAM role attached to that instance should have the needed permissions and trust relationships for CDV to perform discovery. For a list of needed permissions, see Amazon Web Services (AWS) environments.

In CDV, follow the instructions in Setting up CDV to use EC2 instance accounts for authentication. In particular, in the Setup page, within the AWS Credentials section and in the Basic tab, make sure the Use EC2 instance credentials checkbox is ticked.

AWS EC2 instance credentials and an assumed role

CDV acquires the appropriate credentials from the EC2 instance. During discovery, it accesses a separate role that is configured as an Assume Role provider in AWS, temporarily gaining the access and permissions that are assigned to the assumed role.

In CDV, follow the instructions in Setting up CDV to use EC2 instance accounts for authentication. In particular, in the Setup page, within the AWS Credentials section and in the Basic tab, make sure the Use EC2 instance credentials checkbox is ticked.

Within AWS, make sure the IAM role attached to the EC2 instance has the sts:AssumeRole permission on the ARN of the role to be assumed. The assumed role should have the needed permissions for CDV to perform discovery, and its trust policy must name the EC2 instance role as a principal allowed to assume it. For a list of needed permissions, see Amazon Web Services (AWS) environments.
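The two assumed-role scenarios above (a user account plus an assumed role, and EC2 instance credentials plus an assumed role) differ only in which principal Account B's role trusts. The following added example, which is not BlueCat's code, generates the trust policy for the role in Account B and the matching sts:AssumeRole policy for the caller, and can optionally exercise the chain with the AWS CLI before CDV is configured. The account IDs, the role name CDVDiscoveryRole, the user name cdv and the CDV_LIVE_CHECK variable are placeholders chosen for the example.

```shell
#!/usr/bin/env sh
# Added example (not BlueCat's code). Account IDs, role and user names are
# placeholders: replace them with your own values.

# Build the ARN of the role in the target account ("Account B") that CDV
# will assume. This is the value entered as "AWS Role ARN" in CDV.
role_arn() {
    # $1 = 12-digit AWS account ID, $2 = role name
    printf 'arn:aws:iam::%s:role/%s\n' "$1" "$2"
}

# Check that a value looks like an AWS account ID (12 digits), which is what
# the account field of an IAM ARN requires (not the account's display name).
is_account_id() {
    printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# Trust policy for the role in Account B. $1 is the principal allowed to
# assume it: the ARN of CDV's IAM user in Account A, or of the EC2 instance
# role when CDV uses instance credentials. Naming the exact principal rather
# than "arn:aws:iam::<Account A ID>:root" keeps every other identity in
# Account A from using the role.
trust_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "$1" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Permission policy for the caller side (CDV's user in Account A, or the EC2
# instance role): allow assuming only that one role. $1 = role ARN.
assume_role_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "$1"
    }
  ]
}
EOF
}

# Live check (needs the AWS CLI and the caller's credentials): show who the
# caller is, then assume the role for the shortest allowed duration. An
# AccessDenied here means the trust policy in Account B or the caller's
# sts:AssumeRole permission is wrong; fix that before troubleshooting CDV.
verify_assume_role() {
    echo "Caller: $(aws sts get-caller-identity --query Arn --output text)"
    aws sts assume-role --role-arn "$1" --role-session-name cdv-trust-check \
        --duration-seconds 900 --query AssumedRoleUser.Arn --output text
}

ACCOUNT_B_ID="222222222222"                       # placeholder
ROLE_NAME="CDVDiscoveryRole"                      # placeholder
CALLER_ARN="arn:aws:iam::111111111111:user/cdv"   # placeholder: CDV's identity in Account A

if ! is_account_id "$ACCOUNT_B_ID"; then
    echo "not an AWS account ID: $ACCOUNT_B_ID" >&2
    exit 1
fi
TARGET_ROLE=$(role_arn "$ACCOUNT_B_ID" "$ROLE_NAME")

echo "Trust policy for $TARGET_ROLE:"
trust_policy "$CALLER_ARN"
echo "Caller policy for $CALLER_ARN:"
assume_role_policy "$TARGET_ROLE"

# Only talk to AWS when explicitly requested (placeholder variable).
if [ "${CDV_LIVE_CHECK:-0}" = 1 ]; then
    verify_assume_role "$TARGET_ROLE"
fi
```

For the EC2 scenario, set CALLER_ARN to the instance role's ARN (arn:aws:iam::<Account A ID>:role/<instance role name>) and run the live check from the instance itself, so that the same credentials CDV will use are the ones being tested.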

Multiple authorization credentials for different regions

To apply different AWS credentials to different regions, you must first prepare a text file with credential information for each region. Each line in the file defines a single set of credentials, listing the region, the access key, and (optionally) the role ARN that CDV should assume when using those specific credentials. Within CDV, you then import this file in the Setup page, within the AWS Credentials section and in the Advanced tab.

For more details, see AWS Credentials: Advanced tab.

Multiple accounts in an Organization

CDV supports discovery for multiple accounts in an organization, accessed from one set of credentials. For more details, see Setting up and running AWS Organization-level discovery jobs.