Obtaining an Access key and Secret key
To monitor the Amazon cloud infrastructure, the eG agent has to be configured with the access key and secret key of a user with a valid AWS account.
For this purpose, you need to follow the following broad steps:
- Create a special user on the AWS cloud for monitoring purposes.
- Configure the eG agent with the access key and secret key of the special user.
To create a user on the AWS cloud, do the following:
- Login to the AWS management console as a root user.
-
After logging in, click on the Services tile in the Title bar of the AWS console that appears, select the All services option within, scroll down the list of services that appears, and select the IAM option (see Figure 1).
-
Figure 2 will then appear. The first step to creating a user is to create a policy that defines the rights and privileges of that user. To create a policy, click on the Policies link in the left panel (as indicated by Figure 2).
-
Figure 3 will then appear listing all the policies that pre-exist. Click on Create Policy to create a new policy.
-
Figure 5 will then appear.
-
Replace the contents of the JSON tab page with the following (see Figure 6):
{
"Version":"2012-10-17",
"Statement":[
{
"Action":[
"acm:DescribeCertificate",
"acm:ListCertificates",
"acm:GetCertificate",
"acm:*Certificate",
"autoscaling:Describe*",
"budgets:Describe*",
"cloudfront:List*",
"cloudfront:GetDistributionConfig",
"cloudfront:GetStreamingDistributionConfig",
"cloudsearch:Describe*",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"dynamodb:List*",
"dynamodb:Describe*",
"ec2:Describe*",
"ec2:Get*",
"ecs:List*",
"ecs:Describe*",
"elasticache:Describe*",
"elasticache:List*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"elasticfilesystem:Describe*",
"elasticloadbalancing:Describe*",
"elasticmapreduce:Describe*",
"elasticmapreduce:List*",
"iam:Get*",
"iam:List*",
"iam:GenerateCredentialReport",
"iot:Describe*",
"iot:List*",
"kinesis:List*",
"kinesis:Describe*",
"kinesis:Get*",
"lambda:List*",
"logs:Get*",
"logs:Describe*",
"logs:FilterLogEvents",
"logs:TestMetricFilter",
"logs:PutLogEvents",
"opsworks:Describe*",
"polly:Describe*",
"polly:GetLexicon",
"polly:ListLexicons",
"rds:Describe*",
"rds:List*",
"redshift:Describe*",
"redshift:ViewQueriesInConsole",
"route53:List*",
"s3:Get*",
"s3:List*",
"s3:*Object",
"s3:Object*",
"ses:ListIdentities",
"ses:Get*",
"support:*",
"sns:Get*",
"sns:List*",
"sns:Publish",
"sqs:List*",
"sqs:Get*",
"storagegateway:Describe*",
"storagegateway:List*",
"waf:List*",
"waf:Get*",
"workspaces:Describe*",
"Organizations:List*",
"Organizations:Describe*",
"appstream:ListAssociated*",
"appstream:Describe*",
"ce:Get*"
],
"Effect":"Allow",
"Resource":"*"
}
]
}
Note:
If you copy the above code block directly from this document and paste it in the JSON tab page, you will find that the page numbers in the document also get copied on to the tab page inadvertently. Therefore, after copying the code block to the JSON tab page, make sure you remove the page numbers from the code block and then proceed.
-
Then, click the Next button in Figure 6 to review the policy that you have defined. This will open Figure 7, where you have to provide a name for the new policy and a brief description of the policy.
-
Scroll down Figure 7 to view the Permissions section. This section (see Figure 8) lists all the services that this policy allows access to, the level of access (whether Full or Limited), and the resources that can be accessed.
Figure 8 : Viewing the Permissions defined within the policy
-
Scroll down further and click the Create policy button (see Figure 9) to create the policy.
Figure 9 : Reviewing permissions and clicking on the Create policy button
-
Figure 10 will then appear displaying the new policy.
Figure 10 : Verifying whether the new policy appears in the list of policies
-
Now, proceed to create a new user. For that, first click the Users option in the left panel (as indicated by Figure 10). Figure 11 will then appear listing users who pre-exist. Here, click on the Create user button to create a new user.
-
Figure 12 will then appear. Specify the new User name here. Then, click the Next button to proceed.
-
This will invoke Figure 13. Select the Attach policies directly option from the Permission options section, so you can assign the policy you created previously to the new user. Then, scroll down to view the Permissions policies section. Specify the name of the new policy you created in the Search text box here, to locate that policy. Once the policy name is displayed in the search results, select the check box that is available alongside the policy name, to attach the policy to the new user. Finally, click the Create policy button in Figure 13.
-
Figure 14 will then appear. Review your user specifications using Figure 14, and if satisfied, click the Create user button therein to create the new user.
-
Figure 15 will then appear. You will see that the user you created is appended to the Users list in Figure 15. Click on the View user button indicated by Figure 15.
-
When Figure 16 appears, you will see that it displays the details of the new user. Now, proceed to generate an access key for the new user. For that, click on the Create access key link indicated by Figure 16.
-
Figure 17 will then appear. Start access key creation by indicating the Use case - i.e., the reason why you need an access key. In the case of our example, the access key is required, so that a third-party software, like the eG agent, can use it to connect to the AWS cloud and monitor it. So, select the Third-party service option (see Figure 17).
Figure 17 : Indicating the Use case for the access key
-
Then, scroll down Figure 17 to read Microsoft's recommendation. Typically, Microsoft discourages the use of long-term credentials like access keys, and instead encourages the use of temporary security credentials. To proceed with the access key generation, read Microsoft's advice, and then select the 'I understand...' check box that you see in Figure 18. This way, you can indicate that you are aware of Microsoft's recommendation, but would still want to proceed with access key generation. Then, click the Next button to move on.
Figure 18 : Reading Microsoft's recommendation and still choosing to generate access key
-
Figure 19 will then appear. Describe the purpose of the access key in the Description tag value text area in Figure 19. Finally, click the Create access key button in Figure 19 to proceed with the access key generation.
Figure 19 : Specifying the purpose of the access key against Description tag value
-
This will lead you to Figure 20, where the Access key and the Secret key (in encrypted form) will be displayed. Click the Show link adjacent to the Secret key to view the key in the decrypted form (see Figure 21). Then, copy both the Access key and Secret key to a Text editor.
Figure 20 : Viewing the Access key and Secret key
-
Make sure to configure the eG tests with the access key and secret key that you have copied to the editor.