Installing CDV on AWS EC2 instances - Adaptive Applications - BlueCat Gateway - 23.3.2

Cloud Discovery & Visibility Administration Guide

Locale: English
Product name: BlueCat Gateway
Version: 23.3.2

When you configure Cloud Discovery & Visibility (CDV) on an AWS EC2 (Elastic Compute Cloud) Instance, you can use the credentials of the AWS EC2 instance's IAM role to authenticate with your AWS environment instead of manually entering the AWS Key ID and AWS Secret Access Key values.

BlueCat supports the following two deployment scenarios:
  • Deploying on an AWS EC2 Instance where the discovery and visibility resources, and EC2 Instance host are on the same AWS account.
  • Deploying on an AWS EC2 Instance where the discovery and visibility resources are on a different AWS account from the EC2 Instance host.

To install Cloud Discovery & Visibility on an AWS EC2 instance within the same AWS account as the discovery and visibility resources:

  1. Log in to the AWS Management Console.

  2. Create an IAM role as follows:

    1. In the navigation page, click Roles > Create role.

    2. Under Trusted entity type, select AWS service.

    3. Under Use case, select EC2 and click Next.

    4. Under Add permissions, select the required policies and permissions to run AWS discovery and visibility and click Next.

      For more information on required permissions, see the list for Resources on the same account in Amazon Web Services (AWS) environments.

    5. Under Name, review, and create, enter the name of the IAM role and click Create.

  3. Create an AWS EC2 Instance running Ubuntu 22.04. For more information on creating AWS EC2 instances, refer to https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html.

  4. Attach the newly created IAM role to the AWS EC2 Instance.

    To do so, in the Advanced Details section, in IAM instance profile, select the profile for the CDV role that you created earlier.

    For more information, refer to https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html.

  5. From the Instances page, click the name of the newly created AWS EC2 Instance. The Instance summary page appears.

  6. Click Connect.

  7. From the Connect to instance page, select the SSH client tab.

  8. Follow the guide to connect to the AWS EC2 Instance using SSH.

  9. After you successfully connect to the EC2 Instance using SSH, install Docker using the following commands:

    sudo apt update
    sudo apt install docker.io

  10. When prompted to continue, type Y and press ENTER.

Once you successfully install Docker on the EC2 Instance, you can install the Cloud Discovery & Visibility image using the Docker commands outlined in Installing the Cloud Discovery & Visibility Docker image.

To install Cloud Discovery & Visibility on an AWS EC2 instance with a different account from the discovery and visibility resources:

  1. Log in to the AWS Management Console.

  2. In the navigation page, click Roles > Create role.

    Fill in the following fields to create an IAM role for the account with the resources:

    1. In Trusted entity type, select AWS account.

    2. In An AWS account, select Another AWS account.

    3. Within the Account ID field, enter the AWS account ID of the EC2 Instance host and click Next.

    4. In Add permissions, select the required permissions to run AWS discovery and visibility and click Next.

      For more information on required permissions, see the list for Resources on different accounts in Amazon Web Services (AWS) environments.

    5. In Name, review, and create, enter the resource role name of the IAM role.

    When you're done, click Create.

  3. In the navigation page, click Roles > Create role.

    Create IAM roles for the account with the EC2 Instance host by performing the following:

    1. In Trusted entity type, select AWS service.

    2. In Use case, select EC2 and click Next.

    3. In Add permissions, add a permissions policy as follows:

      1. Create an AssumeRole policy with the following JSON content:

        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "sts:AssumeRole",
                    "Resource": "arn:aws:iam::<ResourceAccountId>:role/<ResourceRoleName>"
                }
            ]
        }

        If you are configuring discovery only (not from an Organization level), create an AssumeRole policy with the following JSON content:

        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "VisualEditor0",
                    "Effect": "Allow",
                    "Action": [
                        "eks:ListNodegroups",
                        "ec2:DescribeInstances",
                        "eks:ListTagsForResource",
                        "route53:GetHostedZone",
                        "route53:ListHostedZones",
                        "ec2:DescribeVpcEndpointServiceConfigurations",
                        "elasticloadbalancing:DescribeLoadBalancers",
                        "eks:DescribeNodegroup",
                        "ec2:DescribeNetworkInterfaces",
                        "ec2:DescribeVpcs",
                        "route53:ListResourceRecordSets",
                        "elasticloadbalancing:DescribeTargetHealth",
                        "elasticloadbalancing:DescribeTargetGroups",
                        "eks:DescribeCluster",
                        "ec2:DescribeVpcEndpoints",
                        "ec2:DescribeVpcEndpointServices",
                        "eks:ListClusters",
                        "ec2:DescribeSubnets"
                    ],
                    "Resource": "*"
                }
            ]
        }

        If you will run discoveries from the Organization level (that is, on multiple AWS accounts within that Organization), you must also assign permissions necessary for CDV to access the needed information across the Organization's accounts. To do so, use the following JSON code:

        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "DelegatingNecessaryDescribeListActions",
                    "Effect": "Allow",
                    "Action": [
                        "organizations:ListAccountsForParent",
                        "organizations:ListRoots",
                        "organizations:ListAccounts",
                        "organizations:ListTagsForResource",
                        "account:ListRegions",
                        "organizations:ListOrganizationalUnitsForParent",
                        "organizations:ListChildren"
                    ],
                    "Resource": "*"
                }
            ]
        }

        For more details on setting up CDV to run discovery at the AWS Organization level, see Setting up and running AWS Organization-level discovery jobs.

      2. Click Next: Tags, then Next: Review.

      3. Enter the name of the AssumeRole policy.

      When you're done, click Create policy.

    4. Within the Add permissions page, select the newly created AssumeRole policy and click Next.

    5. Under Name, review, and create, enter the host role name of the IAM role.

    When you're done, click Create.

  4. Create an AWS EC2 Instance running Ubuntu 22.04. For more information on creating AWS EC2 instances, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html.

  5. Attach the newly created EC2 Instance host IAM role to the AWS EC2 Instance.

    To do so, in the Advanced Details section, in IAM instance profile, select the profile for the CDV role that you created earlier.

    For more information, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html.

  6. From the Instances page, click the name of the newly created AWS EC2 Instance. The Instance summary page appears.

  7. Click Connect.

  8. From the Connect to instance page, select the SSH client tab.

  9. Follow the guide to connect to the AWS EC2 Instance using SSH.

  10. After you successfully connect to the EC2 Instance using SSH, install Docker using the following commands:

    sudo apt update
    sudo apt install docker.io

  11. When prompted to continue, type Y and press ENTER.

After you successfully install Docker on the EC2 Instance, you can install the Cloud Discovery & Visibility image using the Docker commands outlined in Installing the Cloud Discovery & Visibility Docker image.
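The cross-account procedure above hinges on three IAM documents: the trust policy the console writes on the resource-account role when you select Another AWS account, the host-account AssumeRole policy from step 3, and the read-only discovery permissions. The following added example (not BlueCat's code) lints those documents before you attach them, flagging an AssumeRole grant whose Resource is a wildcard, a trust policy that admits principals outside the host account, and discovery statements that grant anything beyond Describe/List/Get. The account IDs and role names are constructed placeholders for the page's <ResourceAccountId> and <ResourceRoleName>.

```python
import re

# Constructed placeholders for the page's <ResourceAccountId>, <ResourceRoleName> and the host account.
RESOURCE_ACCOUNT_ID = "111111111111"
RESOURCE_ROLE_NAME = "cdv-resource-role"
HOST_ACCOUNT_ID = "222222222222"
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
READ_ONLY_ACTION_RE = re.compile(r"^[a-z0-9-]+:(?:Describe|List|Get)\w+$")

# Host-account permissions policy from step 3 of the procedure, placeholders filled in.
HOST_ASSUME_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Resource": f"arn:aws:iam::{RESOURCE_ACCOUNT_ID}:role/{RESOURCE_ROLE_NAME}"}],
}
# Trust policy the console writes on the resource-account role for "Another AWS account".
RESOURCE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": f"arn:aws:iam::{HOST_ACCOUNT_ID}:root"}}],
}
# A subset of the discovery actions the page lists; every one is a read-only Describe/List/Get call.
DISCOVERY_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
                    "Action": ["ec2:DescribeVpcs", "eks:ListClusters", "route53:GetHostedZone"]}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy, kind):
    """Return findings for one policy document (empty list = pass). kind is 'assume'
    (host-side AssumeRole grant), 'trust' (resource-side trust policy) or 'discovery'."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        principal = st.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if kind == "assume" and "sts:AssumeRole" in actions:
            # A wildcard here lets the host role assume any role, in any account, that happens to trust it.
            if not resources or not all(ROLE_ARN_RE.match(r) for r in resources):
                findings.append(f"statement {i}: sts:AssumeRole must name specific role ARNs, got {resources}")
        elif kind == "trust":
            # The resource role must trust only the host account, never every AWS principal.
            if not principals or any(not p.startswith(f"arn:aws:iam::{HOST_ACCOUNT_ID}:") for p in principals):
                findings.append(f"statement {i}: trust principal must be the host account, got {principals}")
        elif kind == "discovery":
            bad = [a for a in actions if not READ_ONLY_ACTION_RE.match(a)]
            if bad:
                findings.append(f"statement {i}: actions beyond Describe/List/Get: {bad}")
    return findings
```

Run `lint_policy` over the JSON you paste into the console (after `json.load`) and only proceed to Create policy when it returns an empty list.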