Skip to main content

On-prem AWS setup

In order to connect Cortex to your AWS resources, follow all steps for IAM policy, account, and resource types setup.

caution

If you do not see the settings page you're looking for, you may not have permission to access that page. Please contact your admin for assistance.

1. IAM policy setup

For each account:

  1. Log in to your AWS Management Console and open the IAM console.
  2. Click Policies, then choose Create policy.
  3. Switch to the JSON editor. Copy the JSON starting policy from Cortex, and paste it into the JSON editor.
    • This policy allows Cortex to list all resources, resource types, and resource tags.
    • If you are pulling in ECS resources, add the following actions to the JSON policy:
    "rds:Describe*",
    "rds:List*",
    "s3:Describe*",
    "s3:List*"
  4. For each resource type that you want to import into Cortex, add policies for reading that type of AWS resource.
    • For example, if you want to import resources of type "AWS::IAM::Role", we'll need to have permission to "iam:ListRoles", "iam:ListAttachedRolePolicies", "iam:GetRole", and "iam:ListRolePolicies". Because this is a dynamic feature, Cortex does not automatically determine this. One option is to start with ReadOnlyAccess permissions and remove sensitive permissions as deemed necessary.
  5. Click Review Policy, enter a name, then click Create Policy.

See the AWS documentation for more information: Create IAM policies.

2. Account setup

Single AWS account

There are two ways to fetch resources for a single AWS account.

1. Default credentials chain

  1. If you have already set up the access key id, access key secret, and account number environment variables from the second approach, remove them.
  2. Set up AWS credential providers in the environment Cortex is hosted on. This can be done in several ways, including Java system properties, ECS container credentials, or EC2 instance IAM role-provided credentials. See AWS documentation for the full list of approaches and further details.

Note that the AWS account configuration settings in the UI has no effect if this setup is used.

2. Accounts in environment variables

You can manually specify the credentials in Cortex. To do so, create access users along with access keys for each AWS account you'd like access to. They should have all the permissions listed above. For each set of access keys, set these environment variables (access key id, access key secret, and account number) in your ConfigMap:

  • AMAZON_ACCESS_0_ID
  • AMAZON_ACCESS_0_SECRET
  • AMAZON_ACCESS_0_ACCOUNT

Note that the AWS account configuration settings in the UI has no effect if this setup is used.

Multiple AWS accounts

There are two ways to fetch resources from multiple AWS accounts:

1. STS assume role

Prerequisite - you must be deploying Cortex in an AWS environment (e.g. EKS, or other managed services).

  1. If you have already set up the access key id, access key secret, and account number environment variables from the second approach, remove them.
  2. In AWS IAM, configure one AWS account that has authorization to use STS assume role for all AWS accounts that you want to fetch resources for. This configuration should encompass IAM roles, configs, and policies.
  3. In the AWS environment, set up AWS credential providers that are compatible with STS assume role authorization. The AWS documentation has the full list of approaches and further details, but not all of them are compatible.
  4. Set AMAZON_AUTH_MODE to ASSUME_ROLE in both the backend and the worker ConfigMap.
  5. In Cortex, configure a list of AWS accounts via settings in the UI or via API.

Note that these AWS accounts will share a common rotatable externalId.

2. Accounts in environment variables

If you don't want to use the credentials provided by the environment, you can manually specify the credentials in Cortex. To do so, create access users along with access keys for each AWS account you'd like access to. They should have all the permissions listed above. For each set of access keys, set these environment variables (access key id, access key secret, and account number) in your ConfigMap:

  • AMAZON_ACCESS_0_ID
  • AMAZON_ACCESS_0_SECRET
  • AMAZON_ACCESS_0_ACCOUNT
  • AMAZON_ACCESS_1_ID
  • AMAZON_ACCESS_1_SECRET
  • AMAZON_ACCESS_1_ACCOUNT
  • ...
  • AMAZON_ACCESS_N_ID
  • AMAZON_ACCESS_N_SECRET
  • AMAZON_ACCESS_N_ACCOUNT

Note that the AWS account configuration settings in the UI has no effect if this setup is used.

3. Resource types setup

Cortex will pull all the types you included in the IAM policy under the Cloud Control types field in the Settings section. If resource types aren't appearing in the list, there is likely a permission issue, and the role isn’t set up to discover Cloud Control types. Make sure that "cloudformation:ListTypes", "cloudformation:ListResources", and "cloudformation:GetResource" are added to the IAM policy, so Cortex can pull the list of all available types from AWS.

To select your cloud control types:

  1. In the Cloud control types field, select the types you want Cortex to discover/import.
  2. Click Save cloud control types.

Some Cloud Control types are not currently supported. If the type you're looking to import is in the list, please reach out to support@cortex.io to submit a feature request.

AWS::ApiGateway::DocumentationVersion
AWS::ApiGateway::Step
AWS::CloudFormation::ResourceVersion
AWS::CustomerProfiles::Integration
AWS::CustomerProfiles::ObjectType
AWS::EC2::TransitGatewayMulticastGroupMember
AWS::EC2::TransitGatewayMulticastGroupSource
AWS::ECS::TaskSet
AWS::ElasticLoadBalancingV2::Listener
AWS::ElasticLoadBalancingV2::ListenerRule
AWS::Glue::Attach::SchemaVersion
AWS::Glue::Attach::SchemaVersionMetadata
AWS::IoTSiteWise::AccessPolicy
AWS::IoTSiteWise::Dashboard
AWS::IoTSiteWise::Project
AWS::Kendra::DataSource
AWS::Kendra::Faq
AWS::MediaConnect::FlowEntitlement
AWS::MediaConnect::FlowOutput
AWS::MediaConnect::FlowSource
AWS::MediaConnect::FlowVpcInterface
AWS::MediaPackage::Asset
AWS::MediaPackage::PackagingConfiguration
AWS::NetworkFirewall::LoggingConfiguration
AWS::QuickSight::Analysis
AWS::QuickSight::Dashboard
AWS::QuickSight::DataSet
AWS::QuickSight::DataSource
AWS::QuickSight::Template
AWS::QuickSight::Theme
AWS::RDS::DBProxyTargetGroup
AWS::S3Outposts::AccessPoint
AWS::S3Outposts::Bucket
AWS::SSO::Assignment
AWS::SSO::InstanceAccessControlAttributeConfiguration
AWS::SSO::PermissionSet