On-prem AWS setup
In order to connect Cortex to your AWS resources, follow all steps for IAM policy, account, and resource types setup.
If you do not see the Settings page you're looking for, you likely don't have the proper permissions and need to contact your admin.
1. IAM policy setup
For each account:
- Log onto the AWS management console and navigate to IAM
- Create a new IAM policy by navigating to Policies | Create Policy.
- Switch to the JSON editor and insert the following starting policy, which allows Cortex to list all resources, resource types, and resource tags:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudformation:GetResource",
"cloudformation:ListResources",
"cloudformation:ListTypes",
"tag:GetResources",
"tag:GetTagKeys",
"tag:GetTagValues"
],
"Effect": "Allow",
"Resource": "*"
}
]
} - For each resource type that you want to import into Cortex, add policies for reading that type of AWS resouce. For example, if you want to import resources of type "AWS::IAM::Role", we'll need to have permission to "iam:ListRoles", "iam:ListAttachedRolePolicies", "iam:GetRole", and "iam:ListRolePolicies". Because this is a dynamic feature, Cortex does not automatically determine this. One option is to start with ReadOnlyAccess permissions and remove sensitive permissions as deemed necessary.
- Click Review Policy, name it whatever you like, then Create Policy.
2. Account setup
Single AWS account
There are two ways to fetch resources for a single AWS account.
1. Default credentials chain
- If you have already set up the access key id, access key secret, and account number environment variables from the second approach, remove them.
- Set up AWS credential providers in the environment Cortex is hosted on. This can be done in several ways, including Java system properties, ECS container credentials, or EC2 instance IAM role-provided credentials. See AWS documentation for the full list of approaches and further details.
Note that the AWS account configuration settings in the UI has no effect if this setup is used.
2. Accounts in environment variables
You can manually specify the credentials in Cortex. To do so, create access users along with access keys for each AWS account you'd like access to. They should have all the permissions listed above. For each set of access keys, set these environment variables (access key id, access key secret, and account number) in your ConfigMap:
AMAZON_ACCESS_0_IDAMAZON_ACCESS_0_SECRETAMAZON_ACCESS_0_ACCOUNT
Note that the AWS account configuration settings in the UI has no effect if this setup is used.
Multiple AWS accounts
There are two ways to fetch resources from multiple AWS accounts:
1. STS assume role
Prerequisite - you must be deploying Cortex in an AWS environment (e.g. EKS, or other managed services).
- If you have already set up the access key id, access key secret, and account number environment variables from the second approach, remove them.
- In AWS IAM, configure one AWS account that has authorization to use STS assume role for all AWS accounts that you want to fetch resources for. This configuration should encompass IAM roles, configs, and policies.
- In the AWS environment, set up AWS credential providers that's compatible with STS assume role authorization. The AWS documentation has the full list of approaches and further details, but not all of them are compatible.
- Set
AMAZON_AUTH_MODEtoASSUME_ROLEin your ConfigMap. - In Cortex, configure a list of AWS accounts via settings in the UI or via API.
Note that these AWS accounts will share a common rotatable externalId.
2. Accounts in environment variables
If you don't want to use the credentials provided by the environment, you can manually specify the credentials in Cortex. To do so, create access users along with access keys for each AWS account you'd like access to. They should have all the permissions listed above. For each set of access keys, set these environment variables (access key id, access key secret, and account number) in your ConfigMap:
AMAZON_ACCESS_0_IDAMAZON_ACCESS_0_SECRETAMAZON_ACCESS_0_ACCOUNTAMAZON_ACCESS_1_IDAMAZON_ACCESS_1_SECRETAMAZON_ACCESS_1_ACCOUNT...AMAZON_ACCESS_N_IDAMAZON_ACCESS_N_SECRETAMAZON_ACCESS_N_ACCOUNT
Note that the AWS account configuration settings in the UI has no effect if this setup is used.
3. Resource types setup
Cortex will pull all the types you included in the IAM policy under the Cloud Control types field in the Settings section. From there, select the types that you want Cortex to discover/import. If resource types aren't appearing in the list, there is likely a permission issue, and the role isn’t set up to discover Cloud Control types. Make sure that "cloudformation:ListTypes", "cloudformation:ListResources", and "cloudformation:GetResource" are added to the IAM policy, so Cortex can pull the list of all available types from AWS.
Some Cloud Control types are not currently supported. If the type you're looking to import is in the list, please reach out to support@cortex.io to submit a feature request.
AWS::ApiGateway::DocumentationVersion
AWS::ApiGateway::Step
AWS::CloudFormation::ResourceVersion
AWS::CustomerProfiles::Integration
AWS::CustomerProfiles::ObjectType
AWS::EC2::TransitGatewayMulticastGroupMember
AWS::EC2::TransitGatewayMulticastGroupSource
AWS::ECS::TaskSet
AWS::ElasticLoadBalancingV2::Listener
AWS::ElasticLoadBalancingV2::ListenerRule
AWS::Glue::Attach::SchemaVersion
AWS::Glue::Attach::SchemaVersionMetadata
AWS::IoTSiteWise::AccessPolicy
AWS::IoTSiteWise::Dashboard
AWS::IoTSiteWise::Project
AWS::Kendra::DataSource
AWS::Kendra::Faq
AWS::MediaConnect::FlowEntitlement
AWS::MediaConnect::FlowOutput
AWS::MediaConnect::FlowSource
AWS::MediaConnect::FlowVpcInterface
AWS::MediaPackage::Asset
AWS::MediaPackage::PackagingConfiguration
AWS::NetworkFirewall::LoggingConfiguration
AWS::QuickSight::Analysis
AWS::QuickSight::Dashboard
AWS::QuickSight::DataSet
AWS::QuickSight::DataSource
AWS::QuickSight::Template
AWS::QuickSight::Theme
AWS::RDS::DBProxyTargetGroup
AWS::S3Outposts::AccessPoint
AWS::S3Outposts::Bucket
AWS::SSO::Assignment
AWS::SSO::InstanceAccessControlAttributeConfiguration
AWS::SSO::PermissionSet