To add an AWS data source:

About this task

Prerequisites

  • The AWS account user that is used to add the AWS data source must have the following custom policy attached:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iam:ListAccountAliases"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:Describe*"
                ],
                "Resource": "*"
            },
            {
                "Action": [
                    "logs:Describe*",
                    "logs:Get*",
                    "logs:TestMetricFilter",
                    "logs:FilterLogEvents"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
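    The policy above grants only Describe/Get/List-style read actions. As an added check (this script is not part of vRealize Network Insight or the AWS documentation), the following Python audits a policy document before it is attached and flags any granted action that falls outside that read-only scope, as well as any Deny statements, which would break collection. The read-only allowlist and the over-broad sample policy are assumptions constructed for the example; the first sample is the recommended policy from above.

```python
"""Audit an IAM policy document against the read-only scope the Collector needs."""
import fnmatch
import json

# Read-only action patterns the data source needs (assumption: this allowlist is
# ours, derived from the recommended policy above; extend it as needed).
READ_ONLY_ACTIONS = (
    "iam:ListAccountAliases",
    "ec2:Describe*",
    "logs:Describe*",
    "logs:Get*",
    "logs:TestMetricFilter",
    "logs:FilterLogEvents",
)

# The recommended policy from the documentation, used as the first sample input.
RECOMMENDED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:ListAccountAliases"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Action": ["logs:Describe*", "logs:Get*", "logs:TestMetricFilter",
                    "logs:FilterLogEvents"],
         "Effect": "Allow", "Resource": "*"},
    ],
})

# Constructed over-broad policy: grants all of EC2 plus a CloudWatch Logs write,
# and denies one Describe call the collector relies on.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "*"},
        {"Effect": "Deny", "Action": ["ec2:DescribeRegions"], "Resource": "*"},
    ],
})


def audit_policy(policy_json: str) -> dict:
    """Return {'ok', 'unexpected', 'denied'} for an IAM policy document.

    'unexpected' lists granted actions that no read-only pattern covers (a write
    such as logs:PutLogEvents, or a wildcard such as ec2:* that is broader than
    ec2:Describe*). 'denied' lists actions from Deny statements.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    unexpected, denied = [], []
    for stmt in statements:
        if "NotAction" in stmt:           # inverted grants are never least-privilege
            unexpected.append("NotAction statement")
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):      # "Action" may be a string or a list
            actions = [actions]
        if stmt.get("Effect") != "Allow":
            denied.extend(actions)
            continue
        for action in actions:
            # The allowlist entry is the wildcard side: a granted "ec2:*" is not
            # matched by "ec2:Describe*" and is therefore flagged.
            if not any(fnmatch.fnmatchcase(action, pat) for pat in READ_ONLY_ACTIONS):
                unexpected.append(action)
    return {"ok": not unexpected and not denied,
            "unexpected": unexpected, "denied": denied}


if __name__ == "__main__":
    for name, doc in (("recommended", RECOMMENDED_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(name, audit_policy(doc))
```

    Run it against the policy JSON you are about to attach; an empty "unexpected" list and an empty "denied" list mean the user has exactly the read scope the data source needs and nothing more.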
  • The Collector VM must be able to reach a set of AWS URLs. AWS is deployed in multiple regions, and each region has its own URLs. If you do not know the region or the service in advance, add a wildcard entry for the URL, such as *.amazonaws.com.

    Note:

    The wildcard entry does not work for the China region.

    If you want to allow access to separate URLs instead of a wildcard, there are four services whose URLs depend on the region:

    Regions except GovCloud and China

    • ec2.<REGION>.amazonaws.com

    • logs.<REGION>.amazonaws.com

    • sts.<REGION>.amazonaws.com

    • iam.amazonaws.com

    GovCloud Region

    • ec2.us-gov-west-1.amazonaws.com

    • logs.us-gov-west-1.amazonaws.com

    • sts.us-gov-west-1.amazonaws.com

    • iam.us-gov.amazonaws.com

    China (Beijing) Region

    • ec2.cn-north-1.amazonaws.com.cn

    • logs.cn-north-1.amazonaws.com.cn

    • sts.cn-north-1.amazonaws.com.cn

    • iam.cn-north-1.amazonaws.com.cn

    You can use any of the following values for REGION based on the AWS region:

    Region Name                 Region
    US East (Ohio)              us-east-2
    US East (N. Virginia)       us-east-1
    US West (N. California)     us-west-1
    US West (Oregon)            us-west-2
    Asia Pacific (Mumbai)       ap-south-1
    Asia Pacific (Seoul)        ap-northeast-2
    Asia Pacific (Singapore)    ap-southeast-1
    Asia Pacific (Sydney)       ap-southeast-2
    Asia Pacific (Tokyo)        ap-northeast-1
    Canada (Central)            ca-central-1
    EU (Frankfurt)              eu-central-1
    EU (Ireland)                eu-west-1
    EU (London)                 eu-west-2
    South America (São Paulo)   sa-east-1
    Gov Cloud                   us-gov-west-1
    China (Beijing)             cn-north-1
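    The endpoint lists and region table above are easy to get wrong by hand, especially the GovCloud IAM hostname and the .com.cn suffix that a *.amazonaws.com wildcard does not cover. As an added example (not part of vRealize Network Insight or AWS tooling), the following Python derives the four hostnames for a region from the rules above and checks them against an egress allowlist that may contain wildcard entries, so you can confirm the Collector VM's firewall rules before adding the data source. The allowlist samples are constructed for the example.

```python
"""Derive the AWS endpoints the Collector VM must reach for a region and check
them against an egress allowlist (exact hostnames or glob patterns)."""
import fnmatch

# Region table from the documentation above (Region Name -> Region).
REGIONS = {
    "US East (Ohio)": "us-east-2",
    "US East (N. Virginia)": "us-east-1",
    "US West (N. California)": "us-west-1",
    "US West (Oregon)": "us-west-2",
    "Asia Pacific (Mumbai)": "ap-south-1",
    "Asia Pacific (Seoul)": "ap-northeast-2",
    "Asia Pacific (Singapore)": "ap-southeast-1",
    "Asia Pacific (Sydney)": "ap-southeast-2",
    "Asia Pacific (Tokyo)": "ap-northeast-1",
    "Canada (Central)": "ca-central-1",
    "EU (Frankfurt)": "eu-central-1",
    "EU (Ireland)": "eu-west-1",
    "EU (London)": "eu-west-2",
    "South America (São Paulo)": "sa-east-1",
    "Gov Cloud": "us-gov-west-1",
    "China (Beijing)": "cn-north-1",
}


def required_endpoints(region: str) -> list:
    """Return the ec2, logs, sts and iam hostnames for a region.

    Standard regions use amazonaws.com with a global IAM endpoint; GovCloud
    uses its own IAM endpoint; China uses the amazonaws.com.cn suffix throughout.
    """
    if region not in REGIONS.values():
        raise ValueError(f"unknown region: {region}")
    if region.startswith("cn-"):
        suffix = "amazonaws.com.cn"
        iam = f"iam.{region}.{suffix}"
    elif region.startswith("us-gov-"):
        suffix = "amazonaws.com"
        iam = "iam.us-gov.amazonaws.com"
    else:
        suffix = "amazonaws.com"
        iam = "iam.amazonaws.com"
    return [f"ec2.{region}.{suffix}", f"logs.{region}.{suffix}",
            f"sts.{region}.{suffix}", iam]


def unreachable(region: str, allowlist: list) -> list:
    """Return the endpoints for `region` that no allowlist entry covers.

    Entries may be exact hostnames or glob patterns such as *.amazonaws.com;
    a glob must match the whole hostname, which is why *.amazonaws.com does
    not cover the China endpoints ending in .com.cn.
    """
    return [host for host in required_endpoints(region)
            if not any(fnmatch.fnmatchcase(host, entry) for entry in allowlist)]


if __name__ == "__main__":
    # Constructed allowlist: the single wildcard the documentation suggests.
    wildcard_only = ["*.amazonaws.com"]
    for region in ("eu-west-2", "us-gov-west-1", "cn-north-1"):
        print(region, "missing:", unreachable(region, wildcard_only))
```

    Feed it the hostnames or patterns actually permitted on the Collector VM's egress path; any hostname it reports as missing must be added before the data source can validate.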

Procedure

  1. Select Account/Data Sources. Click Add Source.
  2. Under Public Clouds, click Amazon Web Services.
  3. Add your AWS account by using Amazon Access Key ID and corresponding Secret Access Key.
    Note:

    Your Amazon Access Key ID is a 20-digit string with a corresponding Secret Access Key. For more details, see http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html.

    Note:

    To add AWS Gov Cloud Region as a data source, create an AWS IAM user by using the recommended policy in the AWS account with access to the Gov Cloud region. Use the Access key and the Secret key for the newly created account to add the data source to vRealize Network Insight.

    This process might take 15–20 minutes to add your account and display its data.

  4. After you have validated your AWS account, you can select Enable Flows data collection to get deeper insights.