Manually configuring SQS, SNS, and EventBridge rules - Adaptive Applications - BlueCat Gateway - 21.3.1

Cloud Discovery & Visibility Administration Guide

If your AWS user account has write permissions to SQS, SNS, and EventBridge, the Enable Visibility after Discovery option attempts to create the queue and rule if they do not exist in AWS. If your AWS user account does not have the correct write permissions, you must manually configure the SQS, SNS, and EventBridge rules. The following section outlines how to create the required rules for your account in AWS to enable visibility.
Note: If any of the SQS, SNS, and EventBridge permissions do not exist, an error appears in the Cloud Discovery & Visibility AWS UI indicating which specific permissions are missing and visibility will not run.
Cloud Discovery & Visibility creates a hash that is appended to the names of the EventBridge rule, SNS topic, and SQS queue. The hash is produced from a string that combines the ARN username, the Address Manager URL, the Address Manager username, the AWS region name, the AWS account, and the configuration name, separated by underscores. In the following example, the string consists of the following information:
  • ARN username: dduong
  • Address Manager URL: 192.168.56.93
  • Address Manager username: dduong
  • AWS region name: us-west-1
  • AWS account: 938684065067
  • Configuration name: us-west-1
    Note: If the BLUECAT CONFIGURATION field is empty, the configuration name is the AWS region name; in this example, us-west-1.

The example information produces the string dduong_192.168.56.93_dduong_us-west-1_938684065067_us-west-1. Cloud Discovery & Visibility produces the following hash from this information: 30d431e82a945cd7819fb3cce23c61a8.

You can manually generate the hash of the string using the following command:
echo -n <string> | md5sum
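The derivation above, as an added example that is not part of the guide: it builds the underscore-joined string from the six components (including the fall-back to the region name when the configuration name is empty), computes the MD5 hash, and derives the resource names an administrator must pre-create. The function and key names are this example's own.

```python
import hashlib

# Name prefixes used by the guide; the hash is appended to each.
RESOURCE_PREFIXES = {
    "ec2_topic": "BC-CDV-SNS-EC2-TOPIC-",
    "queue": "BC-CDV-",
    "ec2_rule": "BC-CDV-EC2-CW-",
    "r53_topic": "BC-CDV-SNS-R53-TOPIC-",
}


def build_hash_input(arn_user, bam_url, bam_user, region, account, config_name=""):
    """Join the six components with underscores, as the guide describes.
    An empty BLUECAT CONFIGURATION falls back to the AWS region name."""
    if not config_name:
        config_name = region
    return "_".join([arn_user, bam_url, bam_user, region, str(account), config_name])


def cdv_hash(hash_input):
    """MD5 hex digest, equivalent to `echo -n <string> | md5sum`.
    MD5 is only a naming convention here, not a security control."""
    return hashlib.md5(hash_input.encode("utf-8")).hexdigest()


def resource_names(hash_hex):
    """Expected names of the topics, queue and EC2 rule for a given hash."""
    return {kind: prefix + hash_hex for kind, prefix in RESOURCE_PREFIXES.items()}


def check_existing_name(name, kind, hash_hex):
    """True if a pre-created resource carries the name CDV will look for."""
    return name == RESOURCE_PREFIXES[kind] + hash_hex


if __name__ == "__main__":
    # Values taken from the guide's example.
    s = build_hash_input("dduong", "192.168.56.93", "dduong", "us-west-1", "938684065067", "")
    h = cdv_hash(s)
    print(s)
    print(h)  # compare with the hash shown in the guide
    for kind, name in resource_names(h).items():
        print(f"{kind}: {name}")
```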
If this fails due to the account having insufficient write permissions to those services, contact an AWS administrator to grant you temporary write access or have them configure the AWS SQS Standard queue, SNS, and EventBridge Rule as follows:
  • Create a Standard SNS topic in your region with the name BC-CDV-SNS-EC2-TOPIC-<hash string>. In the following example, the topic created is BC-CDV-SNS-EC2-TOPIC-30d431e82a945cd7819fb3cce23c61a8:

    When configuring the Standard SNS topic, use the following values for each associated key:
    Type: Standard
    Name: BC-CDV-SNS-EC2-TOPIC-<hash string> (in this example, BC-CDV-SNS-EC2-TOPIC-30d431e82a945cd7819fb3cce23c61a8)
    Encryption - optional: Disabled
    Access policy - optional:
    • Method: Basic
    • Define who can publish messages to the topic: Only the topic owner
    • Define who can subscribe to this topic: Only the topic owner
    Delivery retry policy (HTTP/S) - optional: Use the default delivery retry policy:
    {
      "http": {
        "defaultHealthyRetryPolicy": {
          "numRetries": 3,
          "numNoDelayRetries": 0,
          "minDelayTarget": 20,
          "maxDelayTarget": 20,
          "numMinDelayRetries": 0,
          "numMaxDelayRetries": 0,
          "backoffFunction": "linear"
        },
        "disableSubscriptionOverrides": false
      }
    }
    Delivery status logging - optional: Default
  • Create a Standard SQS queue in your region with a name in the following format: BC-CDV-<hash string>. In the following example, the queue created is BC-CDV-30d431e82a945cd7819fb3cce23c61a8:

    When configuring the Standard SQS queue, use the following values for each associated key:
    Type: Standard
    Env: Prod
    Queue name: BC-CDV-<hash string> (in this example, BC-CDV-30d431e82a945cd7819fb3cce23c61a8)
    Configuration:
    • Visibility timeout: 30 seconds
    • Message retention period: 4 days
    • Delivery delay: 0 seconds
    • Maximum message size: 256 KB
    • Receive message wait time: 0 seconds
    Access policy - Define who can access your queue:
    • Method: Basic
    • Define who can send messages to the queue: Only the queue owner
    • Define who can receive messages from the queue: Only the queue owner
    Optional Configuration:
    • Dead-letter queue: Disable
    Delivery status logging - optional: Default
  • Create an EventBridge rule for AWS VPC, EC2 with a name in the following format: BC-CDV-EC2-CW-<hash string>. Configure the rule with the following event pattern and target:

    When configuring the EventBridge rule, use the following values for each associated key:
    Event Pattern:
    {
        "source": [
            "aws.ec2",
            "aws.elasticloadbalancing"
        ],
        "detail-type": [
            "AWS API Call via CloudTrail"
        ],
        "detail": {
            "eventSource": [
                "ec2.amazonaws.com",
                "elasticloadbalancing.amazonaws.com"
            ]
        }
    }
    Targets: BC-CDV-SNS-EC2-TOPIC-<hash string> (in this example, BC-CDV-SNS-EC2-TOPIC-30d431e82a945cd7819fb3cce23c61a8)
    Name: BC-CDV-EC2-CW-<hash string> (in this example, BC-CDV-EC2-CW-30d431e82a945cd7819fb3cce23c61a8)
    State: Enabled
  • Create a subscription with the previously configured topic, the protocol set as Amazon SQS, and the endpoint set to the ARN of the previously configured SQS.

    When configuring the subscription, use the following values for each associated key:
    Topic ARN: the topic ARN of topic name BC-CDV-SNS-EC2-TOPIC-<hash string> (in this example, arn:aws:sns:us-west-1:<aws-account-id>:BC-CDV-SNS-EC2-TOPIC-30d431e82a945cd7819fb3cce23c61a8)
    Protocol: Amazon SQS
    Endpoint: the SQS ARN of queue name BC-CDV-<hash string> (in this example, arn:aws:sqs:us-west-1:<aws-account-id>:BC-CDV-30d431e82a945cd7819fb3cce23c61a8)
    Enable raw message delivery: Unchecked
    Subscription filter policy - optional: None
    Redrive policy (dead-letter queue) - optional: Disabled
  • If you are configuring visibility for AWS Route 53, create a Standard SNS topic in the us-east-1 region with a name in the following format: BC-CDV-SNS-R53-TOPIC-<hash string>. In the following example, the topic created is BC-CDV-SNS-R53-TOPIC-30d431e82a945cd7819fb3cce23c61a8:

    When configuring the Standard topic for AWS Route 53, use the following values for each associated key:
    Type: Standard
    Name: BC-CDV-SNS-R53-TOPIC-<hash string> (in this example, BC-CDV-SNS-R53-TOPIC-30d431e82a945cd7819fb3cce23c61a8)
    Encryption - optional: Disabled
    Access policy - optional:
    • Method: Basic
    • Define who can publish messages to the topic: Only the topic owner
    • Define who can subscribe to this topic: Only the topic owner
    Delivery retry policy (HTTP/S) - optional: Use the default delivery retry policy:
    {
      "http": {
        "defaultHealthyRetryPolicy": {
          "numRetries": 3,
          "numNoDelayRetries": 0,
          "minDelayTarget": 20,
          "maxDelayTarget": 20,
          "numMinDelayRetries": 0,
          "numMaxDelayRetries": 0,
          "backoffFunction": "linear"
        },
        "disableSubscriptionOverrides": false
      }
    }
    Delivery status logging - optional: Default
  • Create an EventBridge rule for AWS Route 53 with a name in the following format: BC-DV-R53-CW-<hash string>. Configure the rule with the following event pattern and target:

    When configuring the AWS Route 53 EventBridge rule, use the following values for each associated key:
    Event Pattern:
    {
        "source": [
            "aws.route53"
        ],
        "detail-type": [
            "AWS API Call via CloudTrail"
        ],
        "detail": {
            "eventSource": [
                "route53.amazonaws.com"
            ]
        }
    }
    Targets: BC-CDV-SNS-R53-TOPIC-<hash string> (in this example, BC-CDV-SNS-R53-TOPIC-30d431e82a945cd7819fb3cce23c61a8)
    Name: BC-CDV-CW-R53-RULE-<hash string> (in this example, BC-CDV-CW-R53-RULE-30d431e82a945cd7819fb3cce23c61a8)
    State: Enabled
  • Create a subscription with the previously configured topic, the protocol set as Amazon SQS, and the endpoint set to the ARN of the previously configured SQS.

    When configuring the Amazon Route 53 subscription, use the following values for each associated key:
    Topic ARN: the topic ARN of topic name BC-CDV-SNS-R53-TOPIC-<hash string> (in this example, arn:aws:sns:us-west-1:<aws-account-id>:BC-CDV-SNS-R53-TOPIC-30d431e82a945cd7819fb3cce23c61a8)
    Protocol: Amazon SQS
    Endpoint: the SQS ARN of queue name BC-CDV-<hash string> (in this example, arn:aws:sqs:us-west-1:<aws-account-id>:BC-CDV-30d431e82a945cd7819fb3cce23c61a8)
    Enable raw message delivery: Unchecked
    Subscription filter policy - optional: None
    Redrive policy (dead-letter queue) - optional: Disabled
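To see which CloudTrail events the two rules above actually forward to their SNS topics, here is an added example (not part of the guide or the product) that applies the guide's two event patterns with a small re-implementation of EventBridge's exact-value matching. The sample events are constructed in the envelope EventBridge uses for CloudTrail API calls; the function names are this example's own.

```python
# Event patterns of the two EventBridge rules described in the guide.
EC2_RULE_PATTERN = {
    "source": ["aws.ec2", "aws.elasticloadbalancing"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com", "elasticloadbalancing.amazonaws.com"]},
}
R53_RULE_PATTERN = {
    "source": ["aws.route53"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["route53.amazonaws.com"]},
}

def matches(pattern, event):
    """Exact-value subset of EventBridge matching: every pattern key must exist in the
    event, a list means 'equals one of these', a dict recurses; extra event keys are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True

def route_event(event):
    """Return the SNS topic prefixes whose rule would forward this event (may be empty)."""
    hits = []
    if matches(EC2_RULE_PATTERN, event):
        hits.append("BC-CDV-SNS-EC2-TOPIC")
    if matches(R53_RULE_PATTERN, event):
        hits.append("BC-CDV-SNS-R53-TOPIC")
    return hits

# Constructed sample events (not real account data) in the CloudTrail-via-EventBridge envelope.
RUN_INSTANCES = {
    "source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail", "region": "us-west-1",
    "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"},
}
CHANGE_RRSETS = {  # Route 53 is a global service; its CloudTrail events surface in us-east-1
    "source": "aws.route53", "detail-type": "AWS API Call via CloudTrail", "region": "us-east-1",
    "detail": {"eventSource": "route53.amazonaws.com", "eventName": "ChangeResourceRecordSets"},
}
STATE_CHANGE = {  # not an API call via CloudTrail, so neither rule forwards it
    "source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
    "detail": {"instance-id": "i-0123456789abcdef0", "state": "running"},
}
```

The third sample shows why the rules are scoped to CloudTrail API calls: instance state-change notifications from the same source never reach the queue.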

Once the configurations have been made in AWS, you can select the Enable Visibility after Discovery option. After the visibility task has run once, and the SQS, SNS, and EventBridge rules are defined in AWS, your AWS administrator can revert your AWS account permissions to read-only if you were granted temporary write access.