Agents Administration - Tests
 

Creating a new AWS Role

To monitor the Amazon cloud infrastructure, the eG agent can be configured either with the access key and secret key of an IAM user in the target AWS account, or with the ID of the AWS account to be monitored and an AWS Role created exclusively for eG monitoring. The role-based option avoids handing long-lived user credentials to the monitoring system.

The AWS role can be created either manually or automatically.

Manual Creation of AWS Role

To create an AWS Role manually, you first need to do the following:

  1. Create a Policy on AWS Cloud

  2. Create a new role for monitoring purposes and assign the created policy to the role.

  3. Configure the eG agent with the AWS Account ID that is to be monitored and the role that was created.

To create a new Policy on AWS cloud, do the following:

  • Log in to the AWS Management Console as a user with IAM administrative privileges. The root user is not required for these steps and, as a rule, should not be used for routine administration.

  • Upon successful login, the Services page will appear. Keep scrolling down this page until you view the IAM option.

  • The first step in creating a role is to create a policy that defines the rights and privileges of that role. To create a policy, click the Policies link in the left panel.

  • The Policies page will then appear listing all the pre-existing policies. Click on Create Policy button to create a new policy.

  • In the Create policy page that appears, click on the JSON tab. The JSON tab page will then appear.

  • Replace the contents of the JSON tab page with the following:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "acm:DescribeCertificate",
                    "acm:List*",
                    "acm:GetCertificate",
                    "autoscaling:Describe*",
                    "budgets:Describe*",
                    "cloudfront:List*",
                    "cloudfront:GetDistributionConfig",
                    "cloudfront:GetStreamingDistributionConfig",
                    "cloudsearch:Describe*",
                    "cloudtrail:DescribeTrails",
                    "cloudtrail:GetTrailStatus",
                    "cloudwatch:Describe*",
                    "cloudwatch:Get*",
                    "cloudwatch:List*",
                    "dynamodb:List*",
                    "dynamodb:Describe*",
                    "ec2:Describe*",
                    "ec2:Get*",
                    "ecs:List*",
                    "ecs:Describe*",
                    "elasticache:Describe*",
                    "elasticache:List*",
                    "elasticbeanstalk:Describe*",
                    "elasticbeanstalk:List*",
                    "elasticfilesystem:Describe*",
                    "elasticloadbalancing:Describe*",
                    "elasticmapreduce:Describe*",
                    "elasticmapreduce:List*",
                    "iam:Get*",
                    "iam:List*",
                    "iam:GenerateCredentialReport",
                    "iot:Describe*",
                    "iot:List*",
                    "kinesis:List*",
                    "kinesis:Describe*",
                    "kinesis:Get*",
                    "lambda:List*",
                    "logs:Get*",
                    "logs:Describe*",
                    "logs:FilterLogEvents",
                    "logs:TestMetricFilter",
                    "logs:PutLogEvents",
                    "opsworks:Describe*",
                    "polly:Describe*",
                    "polly:GetLexicon",
                    "polly:ListLexicons",
                    "rds:Describe*",
                    "rds:List*",
                    "redshift:Describe*",
                    "redshift:ViewQueriesInConsole",
                    "route53:List*",
                    "s3:Get*",
                    "s3:List*",
                    "s3:*Object",
                    "s3:Object*",
                    "ses:ListIdentities",
                    "ses:Get*",
                    "support:*",
                    "sns:Get*",
                    "sns:List*",
                    "sns:Publish",
                    "sqs:List*",
                    "sqs:Get*",
                    "storagegateway:Describe*",
                    "storagegateway:List*",
                    "waf:List*",
                    "waf:Get*",
                    "workspaces:Describe*",
                    "organizations:List*",
                    "organizations:Describe*",
                    "appstream:ListAssociated*",
                    "appstream:Describe*",
                    "ce:Get*"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }

    Note:

    If you copy the code block above from a PDF copy of this document, page numbers and typographic (curly) quotes can be carried along with it; the IAM console rejects the policy as invalid JSON until they are removed. Check the policy before saving it. Note also that this policy is not purely read-only: "s3:*Object" and "s3:Object*" match mutating actions such as s3:PutObject and s3:DeleteObject, "support:*" grants full access to AWS Support, and "logs:PutLogEvents" and "sns:Publish" allow writes. Remove or narrow any of these that your monitoring deployment does not need.

  • Then, click the Next: Tags button in the JSON tab page, optionally add tags, and click Next: Review. In the Review Policy page that appears, provide a Name for the new policy and a brief Description of the policy.

  • The Summary section lists all the services that this policy allows access to, the level of access (whether Full or Limited), and the resources that can be accessed.

  • Then, click the Create Policy button to create the new policy.
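The two checks the note above asks for, loading the pasted document and listing the actions that are not plain Describe/Get/List permissions, as an added Python example that is not part of the original page or of eG Enterprise. The policy text embedded below is a constructed excerpt of the policy shown above (pasted with the curly quotes a PDF copy produces, to show the repair step); the function names are the example's own.

```python
import json

# Constructed excerpt of the monitoring policy shown above (the full action
# list on the page is longer). It deliberately keeps the typographic quotes
# that copying from a PDF leaves behind, so load_policy() has to repair them.
POLICY_TEXT = '''{ "Version": "2012-10-17",
  "Statement": [ {
    \u201cAction\u201d: [
      \u201cec2:Describe*\u201d, \u201ccloudwatch:Get*\u201d, \u201cs3:Get*\u201d, \u201cs3:List*\u201d,
      \u201cs3:*Object\u201d, \u201cs3:Object*\u201d, \u201clogs:PutLogEvents\u201d, \u201csns:Publish\u201d,
      \u201csupport:*\u201d, \u201ciam:GenerateCredentialReport\u201d, \u201credshift:ViewQueriesInConsole\u201d
    ],
    \u201cEffect\u201d: \u201cAllow\u201d,
    \u201cResource\u201d: \u201c*\u201d
  } ]
}'''

# Verbs whose actions only read state; anything else needs a second look.
READ_ONLY_VERBS = ("Describe", "Get", "List", "View")


def load_policy(text):
    """Parse a policy document, replacing curly quotes with ASCII ones first."""
    cleaned = text.replace("\u201c", '"').replace("\u201d", '"')
    policy = json.loads(cleaned)  # raises ValueError if anything else is wrong
    if policy.get("Version") != "2012-10-17":
        raise ValueError("policy Version must be 2012-10-17")
    return policy


def classify_action(action):
    """'read' for Describe/Get/List/View verbs; 'broad' for wildcards that can
    match mutating actions (s3:*Object covers PutObject and DeleteObject);
    'review' for any other explicit action (PutLogEvents, Publish, ...)."""
    service, _, verb = action.partition(":")
    if not service or not verb:
        return "broad"  # bare "*" or malformed entry
    if verb.startswith(READ_ONLY_VERBS):
        return "read"
    if "*" in verb:
        return "broad"
    return "review"


def audit_policy(policy):
    """Collect every non-read-only action granted by an Allow statement."""
    findings = {"broad": [], "review": []}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            kind = classify_action(action)
            if kind != "read":
                findings[kind].append(action)
    return findings


if __name__ == "__main__":
    for kind, actions in audit_policy(load_policy(POLICY_TEXT)).items():
        print(f"{kind}: {', '.join(actions)}")
```

Run it against the full policy pasted into POLICY_TEXT; every entry it lists under "broad" or "review" is a permission a monitoring role should only keep with a documented reason.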

To create a new Role on AWS cloud, do the following:

  • Navigate to the AWS IAM Console and click the Roles option in the left panel.

  • The context sensitive right panel will now display the Roles page that will list all the pre-existing roles.

  • Click the Create Role button to create a new role.

  • The Select trusted entity page will then appear. Choose the AWS account tile from this page.

  • A context-sensitive An AWS account section will then appear. Selecting the Another AWS account option displays an Account ID text box. Here, specify the Account ID of eG Enterprise that was shared with you. By default, to monitor the target AWS Cloud, the eG agent uses the AWS Account ID of eG Enterprise that exists exclusively for monitoring purposes. Linking this Account ID to the role you are about to create is what allows the eG agent to collect metrics from the target AWS Cloud.

  • Then, select the check box preceding the Require external ID field. An External ID text box will then appear. Here, specify an ID of your choice and click the Next button. This External ID should be specified as the Nickname of the AWS Cloud component. The external ID is what restricts the eG account to assuming this role only on your behalf (it protects against the confused-deputy problem), so choose a value specific to your account rather than a generic one.

    Note:

    Ensure that the Require MFA check box is left unchecked. The eG agent assumes the role programmatically and cannot supply an MFA code, so a role that requires MFA cannot be used for monitoring.

  • The Add permissions page will then appear. In this page, all the policies that pre-exist in your environment will be listed. Select the policy that you have created exclusively for monitoring purpose and click the Next button.

  • In the Name, review, and create page that appears, specify the name of the role that you wish to create in the Role name text box. Also, specify a description of your choice in the Description text box. Remember that the Role name that you specify here should be specified against the AWS ROLE NAME parameter while configuring the tests pertaining to AWS Cloud component.

  • Clicking the Create Role button will create the new role.

Automatic Creation of AWS Role

In some environments, administrators may find it difficult to manually create an AWS Role. To aid such administrators, eG Enterprise offers a specialized URL that is built from a standard CloudFormation template. By opening this URL, administrators can execute the CloudFormation template and create an AWS Role without having to navigate across multiple screens in the AWS IAM console.

To create an AWS Role automatically, do the following:

  • Copy and paste the URL specified below in any browser in your target environment:

    https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/quickcreate?templateUrl=https%3A%2F%2Feg-innovations.s3.amazonaws.com%2FRole-Creation.yml&stackName=eG-IntegrationStack&param_ExternalId=eG-Monitoring&param_RoleName=eG-IntegrationRole

  • The login page of AWS will then appear. Login to the AWS console as a user with administrator privileges.

    16-09-2022
  • The Quick Create Stack page will then appear. Its fields are pre-filled from the parameters in the URL: the Stack name text box with eG-IntegrationStack, the role name with eG-IntegrationRole, and the Enter the External ID text box with eG-Monitoring. The External ID must match the Nickname of the AWS Cloud component that is to be monitored, so either change this value to the Nickname you intend to use or use the pre-filled value as the Nickname.

  • Since the template creates an IAM role in your account, review its contents first (the templateUrl parameter in the URL above points to it). Then select the check box preceding the I acknowledge that AWS CloudFormation might create IAM resources with custom names field and click the Create stack button.

  • The stack will then be created and a page with the Stack name will appear. Here, ensure that the Status of the stack is displayed as CREATE_COMPLETE.

  • Then, navigate to the Outputs tab. Here, the ExternalID and the RoleName will be displayed. Note down these parameters. Ensure that you specify the ExternalID against the Nickname field while you manually add the AWS Cloud component to eG Enterprise. The RoleName should be specified against the AWS ROLE NAME parameter while you configure the tests pertaining to AWS Cloud component.
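What the two procedures above produce, written out: the trust relationship that the Another AWS account and Require external ID choices generate in the manual procedure, a check that the resulting role is assumable only by the expected account with the expected external ID and without MFA, and an equivalent CloudFormation template that takes the ExternalId and RoleName parameters carried in the quick-create URL and returns the ExternalID and RoleName outputs described above. This is an added Python example; it is neither eG's Role-Creation.yml nor any other eG code. The account ID 111122223333 is a placeholder (the value to use is the eG Enterprise account ID shared with you), the policy ARN is a placeholder, and the function names are the example's own.

```python
import json

# Placeholder (AWS documentation example value); use the eG Enterprise account
# ID that was shared with you.
MONITORING_ACCOUNT_ID = "111122223333"


def trust_policy(monitoring_account_id, external_id):
    """Trust relationship the IAM console builds for 'Another AWS account' with
    'Require external ID' ticked and 'Require MFA' left unticked."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{monitoring_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(doc, monitoring_account_id, external_id):
    """Return a list of problems; an empty list means only the expected account
    can assume the role, only with the expected external ID, and no MFA gate
    blocks the agent."""
    problems = []
    expected_principal = f"arn:aws:iam::{monitoring_account_id}:root"
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws_principal in ("*", None):
            problems.append("principal is wildcard or missing: any account could assume the role")
        elif aws_principal != expected_principal:
            problems.append(f"unexpected principal {aws_principal}")
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get("sts:ExternalId") != external_id:
            problems.append("sts:ExternalId condition missing or does not match the Nickname")
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true":
            problems.append("MFA is required; the eG agent assumes the role programmatically and cannot satisfy it")
    return problems


def cloudformation_template(monitoring_account_id, policy_arn):
    """Illustrative JSON template (an assumption, not eG's Role-Creation.yml)
    with the ExternalId/RoleName parameters named in the quick-create URL and
    the ExternalID/RoleName outputs the page says the stack exposes."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {
            "ExternalId": {"Type": "String", "Description": "Enter the External ID"},
            "RoleName": {"Type": "String"},
        },
        "Resources": {
            "MonitoringRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": {"Ref": "RoleName"},
                    # {"Ref": ...} is resolved by CloudFormation at stack creation
                    "AssumeRolePolicyDocument": trust_policy(monitoring_account_id, {"Ref": "ExternalId"}),
                    "ManagedPolicyArns": [policy_arn],  # the monitoring policy created earlier
                },
            },
        },
        "Outputs": {
            "ExternalID": {"Value": {"Ref": "ExternalId"}},
            "RoleName": {"Value": {"Ref": "MonitoringRole"}},  # Ref on a role yields its name
        },
    }


if __name__ == "__main__":
    doc = trust_policy(MONITORING_ACCOUNT_ID, "eG-Monitoring")
    print("trust policy problems:", check_trust_policy(doc, MONITORING_ACCOUNT_ID, "eG-Monitoring"))
    print(json.dumps(cloudformation_template(MONITORING_ACCOUNT_ID,
                                             "arn:aws:iam::123456789012:policy/eG-Monitoring"), indent=2))
```

The custom RoleName property is the reason the quick-create page asks you to acknowledge that CloudFormation may create IAM resources with custom names. After the stack (or the manually created role) exists, paste the role's trust relationship from the IAM console into check_trust_policy with the account ID and Nickname you configured; any problem it reports means the eG agent will fail to assume the role.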