Self-managed AWS

In order to connect Cortex to your Amazon Web Services (AWS) resources, follow all steps for IAM policy, account, and resource types setup.

How to configure the AWS integration for self-managed Cortex accounts

Step 1: Configure your IAM policy

For each account:

1. Log in to your AWS Management Console and open the .

2. Click Policies, then choose Create policy.

3. Switch to the JSON editor. Copy the JSON starting policy from Cortex, and paste it into the JSON editor.

   • This policy allows Cortex to list all resources, resource types, and resource tags.

   • If you are pulling in ECS resources, add the following actions to the JSON policy:

   Copy

   "rds:Describe*",
   "rds:List*",
   "s3:Describe*",
   "s3:List*"

4. For each resource type that you want to import into Cortex, add policies for reading that type of AWS resource.

   • For example, if you want to import resources of type "AWS::IAM::Role", we'll need to have permission to "iam:ListRoles", "iam:ListAttachedRolePolicies", "iam:GetRole", and "iam:ListRolePolicies". Because this is a dynamic feature, Cortex does not automatically determine this. One option is to start with and remove sensitive permissions as deemed necessary.

5. Click Review Policy, enter a name, then click Create Policy.

Step 2: Configure the AWS account

There are two options to fetch resources for a single AWS account:

• 1. If you have already set up the access key id, access key secret, and account number environment variables from the second approach, remove them.
• • You can manually specify the credentials in Cortex. To do so:

    • Create access users along with access keys for each AWS account you'd like access to. They should have all the permissions listed above.

    • For each set of access keys, set the following environment variables (access key id, access key secret, and account number) in both the backend and the worker ConfigMap:

      • AMAZON_ACCESS_0_ID

      • AMAZON_ACCESS_0_SECRET

      • AMAZON_ACCESS_0_ACCOUNT

Note that the AWS account configuration settings in the UI has no effect if these setups are used.

Multiple AWS accounts

There are two options to fetch resources from multiple AWS accounts:

• Option 1: STS assume role

  • To use this option, you must be deploying Cortex in an AWS environment (e.g. EKS, or other managed services):

    • If you have already set up the access key id, access key secret, and account number environment variables from the second approach, remove them.

    • In AWS IAM, configure one AWS account that has authorization to use STS assume role for all AWS accounts that you want to fetch resources for. This configuration should encompass IAM roles, configs, and policies.

    • Set AMAZON_AUTH_MODE to ASSUME_ROLE in both the backend and the worker ConfigMap.

    • In Cortex, configure a list of AWS accounts via settings in the UI or via API.

• • If you don't want to use the credentials provided by the environment, you can manually specify the credentials in Cortex:

    1. Create access users along with access keys for each AWS account you'd like access to. They should have all the permissions listed above.

    2. For each set of access keys, set these environment variables (access key id, access key secret, and account number) in your ConfigMap:

       • AMAZON_ACCESS_0_ID

       • AMAZON_ACCESS_0_SECRET

       • AMAZON_ACCESS_0_ACCOUNT

       • AMAZON_ACCESS_1_ID

       • AMAZON_ACCESS_1_SECRET

       • AMAZON_ACCESS_1_ACCOUNT

       • AMAZON_ACCESS_N_ID

       • AMAZON_ACCESS_N_SECRET

       • AMAZON_ACCESS_N_ACCOUNT

Note that the AWS account configuration settings in the UI has no effect if this setup is used.

Step 3: Configure resource types

Cortex will pull all the types you included in the IAM policy under the Cloud Control types field in the Settings section. If resource types aren't appearing in the list, there is likely a permission issue, and the role isn’t set up to discover Cloud Control types. Make sure that "cloudformation:ListTypes", "cloudformation:ListResources", and "cloudformation:GetResource" are added to the IAM policy, so Cortex can pull the list of all available types from AWS.

To select your cloud control types:

1. In the Cloud control types field, select the types you want Cortex to discover/import.

2. Click Save cloud control types.

AWS::ApiGateway::DocumentationVersion
AWS::ApiGateway::Step
AWS::CloudFormation::ResourceVersion
AWS::CustomerProfiles::Integration
AWS::CustomerProfiles::ObjectType
AWS::EC2::TransitGatewayMulticastGroupMember
AWS::EC2::TransitGatewayMulticastGroupSource
AWS::ECS::TaskSet
AWS::Glue::Attach::SchemaVersion
AWS::Glue::Attach::SchemaVersionMetadata
AWS::IoTSiteWise::AccessPolicy
AWS::IoTSiteWise::Dashboard
AWS::IoTSiteWise::Project
AWS::Kendra::DataSource
AWS::Kendra::Faq
AWS::MediaConnect::FlowEntitlement
AWS::MediaConnect::FlowOutput
AWS::MediaConnect::FlowSource
AWS::MediaConnect::FlowVpcInterface
AWS::MediaPackage::Asset
AWS::MediaPackage::PackagingConfiguration
AWS::NetworkFirewall::LoggingConfiguration
AWS::QuickSight::Analysis
AWS::QuickSight::Dashboard
AWS::QuickSight::DataSet
AWS::QuickSight::DataSource
AWS::QuickSight::Template
AWS::QuickSight::Theme
AWS::RDS::DBProxyTargetGroup
AWS::S3Outposts::AccessPoint
AWS::S3Outposts::Bucket
AWS::SSO::Assignment
AWS::SSO::InstanceAccessControlAttributeConfiguration
AWS::SSO::PermissionSet