When an AWS account is created, it has a single sign-in identity, the root user, with unrestricted access to every AWS service in the account; it signs in with the email address and password used to create the account. As a best practice, do not use the root user for routine tasks. Use AWS Identity and Access Management (IAM) to authorize OpsRamp to manage your resources.
Install the AWS integration from the OpsRamp console using IAM, granting access through a role that OpsRamp assumes (AssumeRole) with an External ID. IAM is the AWS web service for controlling access to AWS services and resources. For more information, see What is IAM?
The External ID is an identifier generated by OpsRamp that OpsRamp includes in its sts:AssumeRole request and that the role's trust policy requires. AssumeRole then returns short-lived temporary security credentials for the role, so no long-lived Access Key ID and Secret Access Key are ever shared with OpsRamp. This aligns with the AWS best practice of not sharing static credentials with a third party, and it addresses the confused deputy problem: another OpsRamp client who learns your Role ARN cannot have OpsRamp assume your role, because their requests do not carry your External ID.
Using an External ID with IAM lets you allow a role (identified by its Role ARN) to be assumed only under specific circumstances. The role's trust policy names OpsRamp's AWS account as the trusted principal and adds a condition that the sts:AssumeRole request must carry the correct External ID, so the role can be assumed only from OpsRamp's account and only on behalf of your OpsRamp client. Selecting the External ID option in OpsRamp generates this ID for you; the Require External ID setting in the AWS console (Step 2) adds the matching condition to the trust policy. For more information, see How to use an External ID when granting access to your AWS services to a third party.
Prerequisites
Get OpsRamp’s AWS account number from the support team.
Workflow
OpsRamp configuration
To install the AWS integration with IAM AssumeRole and External ID:
Step 1: Get External ID from OpsRamp console.
- Go to Setup > Integrations > Integrations.
- Click All Clients and from the drop-down list, select a client.
- From the Available Integrations page, click Public Cloud and then click AWS.
- Click Install.
- On the Install AWS Integration page:
- Name: Give a suitable name for the integration.
- Region(s): Select the AWS region from the drop-down list.
The services that belong to the selected region are onboarded.
Note: You can select multiple regions to onboard the services. If you select two regions A and B, and you are not authorized to access region B, onboarding fails for both regions A and B.
- AWSType: Select External ID.
Note: The OpsRamp AWS account number and External ID are populated automatically. Copy the account number and External ID into a text editor such as Notepad. You need these details to create the role in the AWS console.
- AssumeRole ARN:
Note: The AssumeRole ARN is available only after the role is created. To fill in this field, go to your AWS account and perform the actions described in Step 2.
Do not close the OpsRamp console window.
AWS configuration
Step 2: Create the role that OpsRamp will assume in the AWS console.
- Log into your AWS management console.
- Navigate to IAM > Roles > Create Role.
The Create Role window opens.
- Click Another AWS account and enter the OpsRamp AWS Account ID.
- Select the option Require External ID and enter the External ID (copied from the OpsRamp console in Step 1).
- Click Next: Permissions.
- Click Create Policy.
- On the Create Policy page, click the JSON tab and paste the policy given in the Appendix.
To learn more about permission policies, refer to Creating IAM Policies (console).
- Click Review Policy, give the policy a suitable name, and create it.
- Back in the Create Role wizard, select the policy you just created so that it is attached to the role, then review the role and click Create role.
The details of the created role are displayed.
- Copy the Role ARN to a safe location, such as a text editor like Notepad.
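The trust policy that Step 2 produces, and why the External ID condition matters, as an added example for this page (it is not OpsRamp's or AWS's own code). The OpsRamp account number and External ID below are made-up placeholders; use the values shown on the OpsRamp Install AWS Integration page. The `assume_role_allowed` function is a deliberately small model of the STS decision, enough to show that the role is usable only from OpsRamp's account and only with the right External ID; `create_opsramp_role` performs Step 2 through the IAM API and needs boto3 plus credentials with permission to create roles and policies.

```python
"""Build and check the trust policy for the OpsRamp AssumeRole + External ID role.

Added example; not OpsRamp's or AWS's own code. Account number and External ID
are constructed placeholders, not real identifiers.
"""
import json

OPSRAMP_ACCOUNT_ID = "111122223333"          # placeholder: use the value from the OpsRamp console
EXTERNAL_ID = "8f3c1e2a-opsramp-example"     # placeholder: use the value from the OpsRamp console


def build_trust_policy(trusted_account_id, external_id):
    """What 'Another AWS account' + 'Require External ID' produces in the console:
    only principals in trusted_account_id may call sts:AssumeRole, and only when
    the request carries exactly this External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::%s:root" % trusted_account_id},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def assume_role_allowed(trust_policy, caller_account_id, external_id):
    """Minimal model of the STS decision for an AssumeRole call against this trust
    policy. Covers only what the example uses (account principals, sts:AssumeRole,
    StringEquals on sts:ExternalId), not full IAM semantics."""
    caller = "arn:aws:iam::%s:root" % caller_account_id
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        if caller not in _as_list(stmt.get("Principal", {}).get("AWS")):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is None:
            return True      # no condition: anyone in the trusted account can assume the role
        if external_id is not None and external_id == required:
            return True      # correct External ID presented
    return False


def requires_external_id(trust_policy):
    """Pre-flight check: every Allow for sts:AssumeRole must carry an sts:ExternalId
    condition. Without it, another OpsRamp client who learns your Role ARN could have
    OpsRamp (the deputy) assume your role: the confused deputy problem."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            return False
    return True


def create_opsramp_role(role_name, trust_policy, permission_policy):
    """Step 2 through the IAM API instead of the console. Returns the Role ARN to
    paste into the OpsRamp AssumeRole ARN field in Step 3. Needs boto3 and credentials."""
    import boto3  # imported here so the offline checks above work without boto3
    if not requires_external_id(trust_policy):
        raise ValueError("refusing to create a cross-account role without an sts:ExternalId condition")
    iam = boto3.client("iam")
    role = iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(trust_policy))
    policy = iam.create_policy(PolicyName=role_name + "-permissions",
                               PolicyDocument=json.dumps(permission_policy))
    iam.attach_role_policy(RoleName=role_name, PolicyArn=policy["Policy"]["Arn"])
    return role["Role"]["Arn"]


if __name__ == "__main__":
    import sys
    trust = build_trust_policy(OPSRAMP_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(trust, indent=2))
    if len(sys.argv) == 3:   # usage: python opsramp_role.py <role-name> <appendix-policy.json>
        with open(sys.argv[2]) as f:
            print(create_opsramp_role(sys.argv[1], trust, json.load(f)))
```

Run it with no arguments to print the trust policy and compare it with the one the console generated (IAM > Roles > your role > Trust relationships); run it with a role name and the Appendix policy saved as JSON to create the role directly. The `requires_external_id` guard is the check worth keeping in any automation: a trust policy that allows `sts:AssumeRole` from OpsRamp's account without the `sts:ExternalId` condition is exactly the misconfiguration the External ID option exists to prevent.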
OpsRamp configuration
Step 3: Complete installing the AWS integration in the OpsRamp console.
After you have the Role ARN from the AWS console, return to the OpsRamp console window you left open.
- Enter the Role ARN (copied from the AWS console) in the AssumeRole ARN field.
- Select the Install All Linked Accounts checkbox if you have landing zones configured for your AWS account and want to onboard the child account(s) under the parent (trusting) account whose role you just created.
Important
- If you select Install All Linked Accounts, all the linked child accounts are displayed in the list of integrations.
- The discovery profile configuration created for the parent/master/payer account applies to all child accounts at the time of the first scan. For subsequent scans, edit the discovery profile of each child account individually.
- Click Install.
The AWS icon appears in the list of installed integrations with details such as the installation time, who installed it, and its enabled status.
- Click the AWS icon.
The AWS integration page opens and the credentials and discovery profiles are displayed.
Appendix: AWS permission policy granting OpsRamp access.
Note: The permission policy may change as OpsRamp adds support for more AWS services. The policy grants Describe, Get and List actions on every resource (Resource "*"), and some of these wildcards reach data as well as inventory metadata: for example, s3:Get* includes s3:GetObject, dynamodb:Get* includes dynamodb:GetItem, and lambda:get* includes lambda:GetFunction. Review which of these you are willing to grant a third party before creating the policy.
```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Resource": "*",
    "Action": [
      "autoscaling:Describe*",
      "autoscaling:Get*",
      "autoscaling:List*",
      "cloudtrail:Describe*",
      "cloudtrail:Get*",
      "cloudtrail:List*",
      "cloudformation:Describe*",
      "cloudformation:Get*",
      "cloudformation:List*",
      "cloudfront:Describe*",
      "cloudfront:Get*",
      "cloudfront:List*",
      "cloudwatch:Describe*",
      "cloudwatch:Get*",
      "cloudwatch:List*",
      "dynamodb:Describe*",
      "dynamodb:Get*",
      "dynamodb:List*",
      "ec2:Describe*",
      "ec2:Get*",
      "ec2:List*",
      "elasticache:Describe*",
      "elasticache:Get*",
      "elasticache:List*",
      "elasticloadbalancing:Describe*",
      "elasticloadbalancing:Get*",
      "elasticloadbalancing:List*",
      "elasticmapreduce:Describe*",
      "elasticmapreduce:Get*",
      "elasticmapreduce:List*",
      "iam:Describe*",
      "iam:Get*",
      "iam:List*",
      "kinesis:Describe*",
      "kinesis:Get*",
      "kinesis:List*",
      "route53:Describe*",
      "route53:List*",
      "route53:Get*",
      "redshift:Describe*",
      "redshift:List*",
      "redshift:Get*",
      "rds:Describe*",
      "rds:List*",
      "rds:Get*",
      "s3:Describe*",
      "s3:List*",
      "s3:Get*",
      "sdb:Describe*",
      "sdb:List*",
      "sdb:Get*",
      "sns:Describe*",
      "sns:List*",
      "sns:Get*",
      "sqs:Describe*",
      "sqs:Get*",
      "sqs:List*",
      "lambda:list*",
      "lambda:get*",
      "lambda:describe*",
      "machinelearning:describe*",
      "machinelearning:list*",
      "machinelearning:get*",
      "storagegateway:describe*",
      "storagegateway:list*",
      "storagegateway:get*",
      "apigateway:describe*",
      "apigateway:get*",
      "apigateway:list*",
      "ecs:describe*",
      "ecs:get*",
      "ecs:list*",
      "workspaces:list*",
      "workspaces:get*",
      "workspaces:describe*",
      "lightsail:list*",
      "lightsail:get*",
      "lightsail:describe*"
    ]
  }]
}
```
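A way to see which data-reading actions the Appendix policy's wildcards actually match, and how to narrow them with an explicit Deny, as an added example for this page (not OpsRamp's or AWS's tooling). The policy inside the block is an excerpt of the Appendix covering a few services; the list of data-plane actions is a constructed, non-exhaustive sample of real IAM action names. An explicit Deny always overrides an Allow in IAM, so appending one narrows the wildcard grants without rewriting them; confirm with OpsRamp which actions its discovery needs before denying any.

```python
"""Audit the data-plane actions matched by the Appendix policy's wildcards.

Added example; not OpsRamp's or AWS's own tooling. APPENDIX_EXCERPT is a subset
of the page's policy; DATA_PLANE_ACTIONS is a constructed, incomplete sample.
"""
import fnmatch
import json

# Excerpt of the Appendix policy (a few services only), constructed for this example.
APPENDIX_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Resource": "*",
        "Action": [
            "s3:Describe*", "s3:List*", "s3:Get*",
            "dynamodb:Describe*", "dynamodb:Get*", "dynamodb:List*",
            "kinesis:Describe*", "kinesis:Get*", "kinesis:List*",
            "lambda:list*", "lambda:get*", "lambda:describe*",
            "ec2:Describe*", "ec2:Get*", "ec2:List*",
            "sqs:Describe*", "sqs:Get*", "sqs:List*",
        ],
    }],
}

# Real IAM actions that read resource contents rather than inventory metadata.
# Constructed sample for the audit; extend it for the services you care about.
DATA_PLANE_ACTIONS = [
    "s3:GetObject",           # object contents in every bucket
    "dynamodb:GetItem",       # table rows
    "dynamodb:Scan",          # table rows, but not matched by Describe/Get/List
    "kinesis:GetRecords",     # stream payloads
    "lambda:GetFunction",     # presigned URL to the function's deployment package
    "ec2:GetPasswordData",    # encrypted Windows administrator password
    "ec2:GetConsoleOutput",   # instance console log
    "sqs:ReceiveMessage",     # queue messages, not matched by Describe/Get/List
]


def _patterns(policy, effect):
    """All action patterns in statements with the given Effect, lowercased because
    IAM matches action names case-insensitively (the Appendix mixes lambda:get* and ec2:Get*)."""
    pats = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != effect:
            continue
        action = stmt.get("Action", [])
        pats.extend([action] if isinstance(action, str) else action)
    return [p.lower() for p in pats]


def _matches(action, patterns):
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)


def effective_data_plane_actions(policy, candidates=DATA_PLANE_ACTIONS):
    """Candidates allowed by the policy once explicit Deny statements are applied."""
    allow, deny = _patterns(policy, "Allow"), _patterns(policy, "Deny")
    return sorted(c for c in candidates if _matches(c, allow) and not _matches(c, deny))


def with_explicit_deny(policy, actions):
    """Copy of the policy with an explicit Deny appended for the given actions."""
    hardened = json.loads(json.dumps(policy))
    hardened["Statement"].append({"Effect": "Deny", "Action": sorted(actions), "Resource": "*"})
    return hardened


if __name__ == "__main__":
    print("granted by the excerpt:", effective_data_plane_actions(APPENDIX_EXCERPT))
    narrowed = with_explicit_deny(APPENDIX_EXCERPT, ["s3:GetObject", "ec2:GetPasswordData"])
    print("after explicit deny:  ", effective_data_plane_actions(narrowed))
```

To audit the full Appendix, load it with `json.load` in place of `APPENDIX_EXCERPT`; the same functions apply to any identity policy whose statements use Allow and Deny with action wildcards.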