Docs
    placeholder_200x200

    Last Updated: 2019-03-04

    This guide will walk you through how to set up an IAM policy with read-only access to AWS services, and an IAM role or user with API access that can be used in the Blue Matador AWS integration. To set up the AWS integration, read this guide.

     

    IAM Policy


    1. Log in to the AWS Web Console and access the IAM dashboard via Services > IAM.

    setup-aws-iam-search

    2. Select Policies from the left navigation and then click the Create Policy button.

    setup-aws-iam-create-policy

    3. Switch to the JSON tab of the policy editor and copy and paste the entire IAM policy below into the editor.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "acm:Describe*",
                    "acm:Get*",
                    "acm:List*",
                    "apigateway:GET",
                    "application-autoscaling:Describe*",
                    "athena:List*",
                    "athena:GetWorkGroup",
                    "autoscaling-plans:Describe*",
                    "autoscaling:Describe*",
                    "batch:List*",
                    "batch:Describe*",
                    "cloudformation:Describe*",
                    "cloudformation:Get*",
                    "cloudformation:List*",
                    "cloudformation:Estimate*",
                    "cloudformation:Preview*",
                    "cloudfront:Get*",
                    "cloudfront:List*",
                    "cloudsearch:Describe*",
                    "cloudsearch:List*",
                    "cloudwatch:Describe*",
                    "cloudwatch:Get*",
                    "cloudwatch:List*",
                    "dax:Describe*",
                    "dax:ListTags",
                    "dynamodb:Describe*",
                    "dynamodb:List*",
                    "ec2:Describe*",
                    "ec2:Get*",
                    "ec2messages:Get*",
                    "ecr:BatchGet*",
                    "ecr:Describe*",
                    "ecr:Get*",
                    "ecr:List*",
                    "ecs:Describe*",
                    "ecs:List*",
                    "eks:Describe*",
                    "eks:List*",
                    "elasticache:Describe*",
                    "elasticache:List*",
                    "elasticbeanstalk:Describe*",
                    "elasticbeanstalk:List*",
                    "elasticbeanstalk:Request*",
                    "elasticfilesystem:Describe*",
                    "elasticloadbalancing:Describe*",
                    "elasticmapreduce:Describe*",
                    "elasticmapreduce:List*",
                    "elasticmapreduce:View*",
                    "es:Describe*",
                    "es:List*",
                    "events:Describe*",
                    "events:List*",
                    "events:Test*",
                    "firehose:Describe*",
                    "firehose:List*",
                    "glue:BatchGet*",
                    "glue:Get*",
                    "iam:Get*",
                    "iam:List*",
                    "kinesisanalytics:Describe*",
                    "kinesisanalytics:Discover*",
                    "kinesisanalytics:Get*",
                    "kinesisanalytics:List*",
                    "kinesisvideo:Describe*",
                    "kinesisvideo:Get*",
                    "kinesisvideo:List*",
                    "kinesis:Describe*",
                    "kinesis:Get*",
                    "kinesis:List*",
                    "kms:Describe*",
                    "kms:Get*",
                    "kms:List*",
                    "lambda:List*",
                    "lambda:Get*",
                    "lightsail:Get*",
                    "lightsail:Is*",
                    "lightsail:Download*",
                    "logs:Describe*",
                    "logs:Get*",
                    "logs:FilterLogEvents",
                    "logs:ListTagsLogGroup",
                    "logs:TestMetricFilter",
                    "machinelearning:Describe*",
                    "machinelearning:Get*",
                    "mq:Describe*",
                    "mq:List*",
                    "rds:Describe*",
                    "rds:List*",
                    "redshift:Describe*",
                    "redshift:GetReservedNodeExchangeOfferings",
                    "redshift:View*",
                    "resource-groups:Describe*",
                    "resource-groups:Get*",
                    "resource-groups:List*",
                    "resource-groups:Search*",
                    "route53:Get*",
                    "route53:List*",
                    "route53:Test*",
                    "route53domains:Check*",
                    "route53domains:Get*",
                    "route53domains:List*",
                    "route53domains:View*",
                    "s3:GetBucket*",
                    "s3:Get*Configuration",
                    "s3:ListAllMyBuckets",
                    "sagemaker:Describe*",
                    "sagemaker:List*",
                    "sdb:Get*",
                    "sdb:List*",
                    "sdb:Select*",
                    "ses:Get*",
                    "ses:List*",
                    "ses:Describe*",
                    "ses:Verify*",
                    "sns:Get*",
                    "sns:List*",
                    "sns:Check*",
                    "sqs:Get*",
                    "sqs:List*",
                    "storagegateway:Describe*",
                    "storagegateway:List*",
                    "sts:Get*",
                    "tag:Get*",
                    "trustedadvisor:Describe*",
                    "xray:BatchGet*",
                    "xray:Get*"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
    setup-aws-iam-policy-json

     4. Click the Review Policy button and enter a name and description for the policy.  Then click the Create Policy button to create the policy.

    setup-aws-iam-review-policy

    5. Proceed to create a role or user with this policy

     

     

    IAM Role


    1. In Blue Matador, create a new AWS integration via Setup > Integrations.

    2. Choose a name for your integration.

    docs-iam-role-bm-create

    3. In the Provide Authentication section, choose IAM Role. Note the account ID and external ID provided in the Blue Matador UI. These will be copied into the AWS Console when creating the role. 

    docs-iam-role-bm-authentication

    4. In another window navigate to the AWS Web Console and then to the IAM Dashboard. Select Roles from the left-side navigation and then click the Create Role button.

    docs-iam-role-list

    5. Under Select type of trusted entity choose Another AWS account.

    docs-iam-role-another-aws-account

    6. Ensure that Require External ID is checked, and Require MFA is unchecked. Copy the account ID and external ID from Blue Matador into the Account ID and External ID fields in the AWS console. Then click Next: Permissions.

    docs-iam-role-aws-copied

    7. Select the policy you created in the IAM Policy section of this page, then click Next: Tags

    docs-iam-role-attach-policy

    8. Add any tags you wish to the IAM role. This step will not affect Blue Matador’s AWS integration. Then click Next: Review.

    docs-iam-role-tags

    9. Enter a role name and optionally a description, and review the settings. Then click Create role.

    docs-iam-role-review

    10. The following confirmation should appear. Click on the name of the role to view the role Summary, or search for the role in the list of roles.

    docs-iam-role-confirmation 

    11. Copy the role ARN from the summary page and paste it into the Blue Matador App.

     

    docs-iam-role-copy-arn
     

    12. Click Verify Keys so that Blue Matador can test the role and its permissions, then Save the integration. Completing this step also completes the steps in AWS Install

    docs-iam-role-bm-arn

     

      

    IAM User


     1. In the IAM dashboard of the AWS Web Console, select Users from the left-side navigation and then click the Add User button.

    setup-aws-iam-users

    2. Enter a name for the user and check the Programmatic access option. Then click Next: Permissions

     

    setup-aws-iam-user-name

    3. Under Set Permissions select the Attach existing permissions directly option, then search for the policy you created before and check the box to the left of it.  Then click Next: Tags.

    setup-aws-iam-user-permissions

    4. Add any tags you wish to the IAM user. This step will not affect Blue Matador’s AWS integration. Then click Next: Review.

    setup-aws-iam-user-tags

    5. Review the user information. Double-check that AWS access type has the value “Programmatic access - with an access key” and that the correct Managed Policy is attached.  Then click Create User.

    setup-aws-iam-user-review

    6. You should now see the Success screen. Copy the Access Key ID and Secret access key. They will be needed when setting up the AWS integration in Blue Matador.

    setup-aws-iam-user-credentials 

    Replacing Access Keys


    If you have lost the original access keys for a user, you can create new access keys to use with the Blue Matador AWS integration.

    1. Log in to the AWS Web Console and access the IAM dashboard via Services > IAM.

    2. Select Users in the left navigation then select the User you want to create keys for to display the Summary page.

    setup-aws-iam-users

    3. If you have lost the original access keys for a user, you can create new access keys to use with the Blue Matador AWS integration. 

    setup-aws-iam-add-access-key

    4. Copy the Access key ID and Secret access key and use them when setting up the AWS integration

    setup-aws-iam-added-key

     

    Related


    AWS Install (Documentation)