
AWS

Catalog, Discovery

Summary

Amazon Web Services, Inc. (AWS) provides on-demand cloud computing platforms and APIs. Cortex can use your AWS account to drive insights into areas such as:

  • Catalog
  • Ownership
  • Dependencies

Setup

In order to connect Cortex to your AWS resources, follow all of the steps below for IAM policy, account, and resource type setup. See this page for setting up the AWS integration for self-hosted Cortex.

caution

If you do not see the Settings page you're looking for in the sidebar, you likely don't have the proper permissions and need to contact your admin.

1. IAM policy setup

For each account:

  1. Log onto the AWS management console and navigate to IAM.
  2. Create a new IAM policy by navigating to Policies | Create Policy.
  3. Switch to the JSON editor and insert the following starting policy, which allows Cortex to list all resources, resource types, and resource tags:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "cloudformation:GetResource",
            "cloudformation:ListResources",
            "cloudformation:ListTypes",
            "tag:GetResources",
            "tag:GetTagKeys",
            "tag:GetTagValues"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
  4. For each resource type that you want to import into Cortex, add policies for reading that type of AWS resource. For example, if you want to import resources of type "AWS::IAM::Role", Cortex needs permission for "iam:ListRoles", "iam:ListAttachedRolePolicies", "iam:GetRole", and "iam:ListRolePolicies". Because this is a dynamic feature, Cortex does not automatically determine the required permissions. One option is to start with the ReadOnlyAccess managed policy and remove sensitive permissions as deemed necessary.
  5. Click Review Policy, name it whatever you like, then Create Policy.

2. Account setup

This section is only relevant for Cloud Cortex. See this page for AWS account setup for self-hosted Cortex.

  1. Next, let's create a new role and attach the new policy to it. Navigate to Roles | Create Role.
  2. Select Another AWS account as the trusted entity type.
  3. For Account ID, fill in the Cortex AWS account ID from Settings | AWS.
  4. Click Require External ID and insert the Cortex external ID from Settings | AWS, then click Next: Permissions.
  5. Select your newly created policy, and click Next: Tags, if you'd like to add any, otherwise skip the next page with Next: Review.
  6. Name your role, and click Create Role.
  7. Finally, copy your new role name and AWS account ID into the Cortex AWS settings page.

Note that if you use multiple AWS accounts, they will share a common rotatable externalId.

3. Resource types setup

Cortex will pull all the types you included in the IAM policy under the Cloud Control types field in the Settings section. From there, select the types that you want Cortex to discover/import. If resource types aren't appearing in the list, there is likely a permission issue, and the role isn’t set up to discover Cloud Control types. Make sure that "cloudformation:ListTypes", "cloudformation:ListResources", and "cloudformation:GetResource" are added to the IAM policy, so Cortex can pull the list of all available types from AWS.
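The following is an added example, not Cortex's own code, for checking the IAM policy from the setup steps above before troubleshooting an empty Cloud Control types list: it reads a policy document and reports which of the discovery actions named on this page it fails to grant, honouring IAM wildcards and explicit Deny statements. The sample policy is constructed for illustration.

```python
import fnmatch
import json

# Actions the page lists as required for Cortex to enumerate Cloud Control
# types, resources and tags; if any is missing, types won't appear in Settings.
REQUIRED_DISCOVERY_ACTIONS = {
    "cloudformation:GetResource",
    "cloudformation:ListResources",
    "cloudformation:ListTypes",
    "tag:GetResources",
    "tag:GetTagKeys",
    "tag:GetTagValues",
}

def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]

def allowed_actions(policy, candidates):
    """Return the subset of `candidates` the policy grants.

    IAM action matching is case-insensitive with '*' and '?' wildcards
    (e.g. "tag:Get*"), and a matching explicit Deny beats any Allow.
    NotAction, Resource and Condition are not modelled (Resource assumed "*").
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for action in candidates:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                bucket.add(action)
    return allowed - denied

def missing_discovery_actions(policy):
    """Required discovery actions the policy (dict or JSON text) does not grant."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return sorted(REQUIRED_DISCOVERY_ACTIONS - allowed_actions(policy, REQUIRED_DISCOVERY_ACTIONS))

# Constructed example: a policy that forgot cloudformation:ListTypes.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "cloudformation:GetResource", "cloudformation:ListResources", "tag:Get*"]}],
}

if __name__ == "__main__":
    print(missing_discovery_actions(BROKEN_POLICY))  # ['cloudformation:ListTypes']
```

Paste the policy JSON from the IAM console into `missing_discovery_actions` to see exactly which action to add.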

Some Cloud Control types are not currently supported. If the type you're looking to import is in the list, please reach out to support@cortex.io to submit a feature request.

AWS::ApiGateway::DocumentationVersion
AWS::ApiGateway::Step
AWS::CloudFormation::ResourceVersion
AWS::CustomerProfiles::Integration
AWS::CustomerProfiles::ObjectType
AWS::EC2::TransitGatewayMulticastGroupMember
AWS::EC2::TransitGatewayMulticastGroupSource
AWS::ECS::TaskSet
AWS::ElasticLoadBalancingV2::Listener
AWS::ElasticLoadBalancingV2::ListenerRule
AWS::Glue::Attach::SchemaVersion
AWS::Glue::Attach::SchemaVersionMetadata
AWS::IoTSiteWise::AccessPolicy
AWS::IoTSiteWise::Dashboard
AWS::IoTSiteWise::Project
AWS::Kendra::DataSource
AWS::Kendra::Faq
AWS::MediaConnect::FlowEntitlement
AWS::MediaConnect::FlowOutput
AWS::MediaConnect::FlowSource
AWS::MediaConnect::FlowVpcInterface
AWS::MediaPackage::Asset
AWS::MediaPackage::PackagingConfiguration
AWS::NetworkFirewall::LoggingConfiguration
AWS::QuickSight::Analysis
AWS::QuickSight::Dashboard
AWS::QuickSight::DataSet
AWS::QuickSight::DataSource
AWS::QuickSight::Template
AWS::QuickSight::Theme
AWS::RDS::DBProxyTargetGroup
AWS::S3Outposts::AccessPoint
AWS::S3Outposts::Bucket
AWS::SSO::Assignment
AWS::SSO::InstanceAccessControlAttributeConfiguration
AWS::SSO::PermissionSet

Registration

Entity descriptor

You can associate a Cortex entity with one or more AWS entities. For certain AWS resource types, Cortex will display those AWS entities' metadata on the Cortex entity page. If you want to define a dependency from a Cortex service to an AWS entity, please see Dependencies and the Dependencies section on this page.

x-cortex-infra:
  aws:
    arns:
      - arn:aws:rds:us-east-1:229540587644:cluster:alpha
      - arn:aws:rds:us-east-1:229540587644:cluster:bravo

Dependencies

Cortex automatically discovers dependencies between your services and resources by scanning for resources with specific AWS tags. By default, a service will have dependencies on any Cortex resource that has a corresponding AWS resource with AWS tag key = "service" and tag value = the service's Cortex tag. In your Cortex settings under the AWS integration section, you can customize the tag key names, or leave them blank to use "service" as the key name.

You can also use explicit tag key/value pairs in the x-cortex-dependency block for AWS dependency discovery. Instead of making a service depend on a resource based on service tags, Cortex will make a service depend on a resource if any of the resource's AWS tags match the explicitly defined key/value pairs in the service's x-cortex-dependency block. For example, the service below will have dependencies on any AWS resource with tag (key = my-key-1, value = my-value-1) or tag (key = my-key-2, value = my-value-2).

x-cortex-dependency:
  aws:
    tags:
      - key: my-key-1
        value: my-value-1
      - key: my-key-2
        value: my-value-2
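The two matching rules above (the default "service" tag rule and explicit x-cortex-dependency tags) as an added, illustrative example; this is not Cortex's discovery code, and the dict shapes and sample resources are assumptions constructed for the demonstration.

```python
# Illustrative matching rules only: services and resources are plain dicts and
# Cortex's real discovery code is not public. A resource matches a service when
# ANY of its AWS tags equals one of the service's dependency tag pairs.

def dependency_tags(service, service_key="service"):
    """Key/value pairs that link AWS resources to `service`.

    Explicit tags in the service's x-cortex-dependency block replace the default
    rule (key = the configured service key, value = the service's x-cortex-tag).
    """
    explicit = service.get("x-cortex-dependency", {}).get("aws", {}).get("tags") or []
    if explicit:
        return {(t["key"], t["value"]) for t in explicit}
    return {(service_key, service["x-cortex-tag"])}

def discover_dependencies(service, resources, service_key="service"):
    """x-cortex-tags of the Cortex resources `service` depends on, sorted."""
    wanted = dependency_tags(service, service_key)
    return sorted(
        r["x-cortex-tag"] for r in resources
        if wanted & set(r["aws_tags"].items())
    )

# Constructed sample data: Cortex resources with the tags of their AWS resource.
RESOURCES = [
    {"x-cortex-tag": "orders-db", "aws_tags": {"service": "orders", "owner": "payments"}},
    {"x-cortex-tag": "orders-cache", "aws_tags": {"my-key-1": "my-value-1"}},
    {"x-cortex-tag": "shared-queue", "aws_tags": {"service": "billing", "my-key-2": "my-value-2"}},
    {"x-cortex-tag": "search-index", "aws_tags": {"service": "search"}},
]
ORDERS = {"x-cortex-tag": "orders"}  # no x-cortex-dependency block: default rule applies
ORDERS_EXPLICIT = {
    "x-cortex-tag": "orders",
    "x-cortex-dependency": {"aws": {"tags": [
        {"key": "my-key-1", "value": "my-value-1"},
        {"key": "my-key-2", "value": "my-value-2"},
    ]}},
}

if __name__ == "__main__":
    print(discover_dependencies(ORDERS, RESOURCES))           # ['orders-db']
    print(discover_dependencies(ORDERS_EXPLICIT, RESOURCES))  # ['orders-cache', 'shared-queue']
```

Passing a different `service_key` models the customized tag key name from the AWS integration settings.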

Ownership

Cortex can automatically discover ownership for your AWS resources using their owner tag. To enable this, make sure that your AWS resources have an owner tag matching the x-cortex-tag of the corresponding Cortex team and enable the “Sync ownership from AWS” toggle in Settings → Entities → Teams.

caution

We sync ownership from AWS every day at 6 am UTC.

Limiting discovery to specific regions

By default, Cortex will search for resources across all AWS regions, but you can limit that to specific regions in the Cortex AWS settings page.