
AWS

Discover, catalog and map your cloud resources from Amazon Web Services (AWS) within your service catalog.
Cloud computing is the on-demand delivery of IT resources over the Internet with pay-as-you-go pricing. Instead of buying, owning, and maintaining physical data centers and servers, you can access technology services, such as computing power, storage, and databases, on an as-needed basis from a cloud provider like AWS.
AWS is the world’s most comprehensive and broadly adopted cloud platform, offering over 200 fully featured services from data centers globally.

AWS Resource Discovery

To perform auto discovery of your AWS resources for your service catalog, configure8 uses an Identity and Access Management (IAM) role that delegates read-only permission for the configure8 discovery workers to read the AWS service metadata. That metadata is then recorded within your configure8 catalog for service mapping and drift detection. Each discovery worker runs in its own isolated container to ensure there is no cross-pollination of resources for an organization.
For your convenience, configure8 has built an AWS CloudFormation template to assist you in creating the proper IAM role.
The list of permissions provisioned by the AWS CloudFormation template can be found here.

Creating an AWS Credential

To connect your AWS account to configure8, perform the following steps.
Start by launching the configure8 discovery AWS CloudFormation template in your account to create the delegated read-only permissions for the discovery workers.
Once the CloudFormation template is successfully deployed, navigate to the Outputs tab of the deployed template and copy the Value of the discoveryRoleArn. This Amazon Resource Name (ARN) is used in the following steps to configure your AWS credential in configure8.
To create an AWS credential, navigate to the Credentials page by clicking on the "lock" icon on the menu bar.
Next, select the Add Credential button.
From the Add Credential pop-up, select AWS from the list of available providers.
Next, enter a Name for the new credential so you can recognize it and paste the discoveryRoleArn value, the Amazon Resource Name (ARN), created when you deployed the AWS CloudFormation template in your AWS account.
Select Save to create your AWS credential in configure8. The configure8 app will automatically validate the credentials to make sure they work. If they do not, the credentials will not be saved and you will be prompted to fix them.
If the credentials pass, your credentials will be saved and the configure8 discovery service will automatically run a one-time auto discovery to get a baseline of your AWS account resources.

Activating STS

If you receive an error saying STS is not activated in this region for account: xxxxxx, your administrator needs to enable STS for that region. To activate AWS STS:
  1. Sign in as a root user or an IAM user with permissions to perform IAM administration tasks.
  2. Open the IAM console and in the navigation pane choose Account settings.
  3. If necessary, expand Security Token Service (STS), find the Region that you want to activate, and then choose Activate or Deactivate. For Regions that must be enabled, we activate STS automatically when you enable the Region. After you enable a Region, AWS STS is always active for the Region and you cannot deactivate it. To learn how to enable a Region, see Managing AWS Regions in the AWS General Reference.
You can read more on Amazon's documentation site here.

Scheduling an auto discovery

configure8 can auto discover the Cloud resources within your AWS account on an ad-hoc basis or by leveraging our scheduling engine to scan for new resources on a 2/4/6/8/10/12 hour interval.
To create a discovery job for your AWS account, start by navigating to the Credentials page by clicking on the "lock" icon on the menu bar.
Find the credentials you would like to schedule for auto discovery, select the ellipsis button to display the context menu and select the Schedule option.
From the Schedule pop-up, you can run an ad-hoc discovery simply by clicking Run Now.
From the Schedule pop-up, you can also schedule an ongoing auto discovery of your AWS account resources by choosing an hourly frequency from the dropdown and selecting Schedule Discovery.

Update Auto Discovery Role

As configure8 continues to expand the supported AWS services, the existing cross-account access role for the auto discovery engine needs to be updated to include the new permissions required to read the metadata of the AWS services you use.
You will need to have administrator privileges on the account to deploy the updated template because it is modifying the IAM cross account role.
To update the auto discovery role created in the Creating an AWS Credential section above, perform the following:
  1. Sign in to the AWS Management Console and open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation
  2. Select the region where you initially deployed the Auto Discovery CloudFormation template.
  3. In the AWS CloudFormation console, from the list of stacks, select the running stack that you want to update. If you used the default name for the template, it would be c8-discovery-job-worker.
  4. In the stack details pane, choose Update.
  5. Select Replace current template and specify the location of the updated template in the Specify template section.
  6. Choose Amazon S3 URL. Paste the URL for the template https://configure8-resources.s3.us-east-2.amazonaws.com/cloudformation/configure8-discovery-autodeploy.yaml, and then choose Next.
  7. On the Specify stack details page, choose Next.
  8. On the Configure stack options page, select Next.
  9. Review the stack information and any changes that you submitted. Select I acknowledge that this template may create IAM resources to specify that you want to use IAM resources in the template.
  10. When you are satisfied with your changes, choose Update stack. CloudFormation displays the stack details page for your stack, with the Events pane selected. Your stack now has a status of UPDATE_IN_PROGRESS. After CloudFormation has successfully finished updating the stack, it sets the stack status to UPDATE_COMPLETE.
      If the stack update fails, CloudFormation automatically rolls back changes and sets the stack status to UPDATE_ROLLBACK_COMPLETE.

Resource Permissions

The configure8 discovery role CloudFormation template provisions read-only access to the following services:
  • AWS Certificate Manager
  • AWS App Mesh
  • AWS AppSync
  • Amazon Athena
  • Auto Scaling
  • AWS CloudFormation
  • Amazon CloudFront
  • Amazon CloudWatch
  • Amazon DynamoDB
  • Amazon EC2
  • Amazon ECS
  • Amazon EKS
  • Amazon EMR
  • Amazon ElastiCache
  • Amazon OpenSearch Service
  • Amazon Kinesis
  • Amazon S3
  • Amazon S3 Glacier
  • AWS Health
  • Amazon MSK
  • AWS Lambda
  • Amazon MQ
  • Amazon QLDB
  • Amazon RDS
  • Amazon Redshift
  • Amazon Route 53
  • Amazon SageMaker
  • Savings Plan
  • AWS Security Hub
  • Amazon SES
  • Amazon SQS
  • Amazon SNS
  • Amazon Timestream
  • AWS Trusted Advisor
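
Before acknowledging an IAM change in a stack update, you can check that a role policy really is read-only. The following is an added example, not configure8's code: it scans an IAM policy document for allowed actions that are not clearly read-only. The sample policy is constructed for illustration and is not the configure8 template, and the list of read-only verb prefixes is an assumption of this example.

```python
import json

# Verb prefixes treated as read-only here (an assumption of this example,
# not an AWS-defined list; adjust to your own review standard).
READ_PREFIXES = ("get", "list", "describe", "batchget", "search", "lookup", "view")

def non_read_only_actions(policy_json):
    """Return the sorted Allow'd actions that are not clearly read-only."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    flagged = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements cannot grant access
        if "NotAction" in stmt:           # allows everything except the listed actions
            flagged.add("NotAction")
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            _service, _, verb = action.partition(":")
            # IAM action names are case-insensitive. "*" and "svc:*" include
            # writes and are flagged; "svc:Describe*" stays read-only.
            if not verb.lower().startswith(READ_PREFIXES):
                flagged.add(action)
    return sorted(flagged)

# Constructed sample policy for illustration; not the configure8 template.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "s3:GetBucketTagging", "s3:ListAllMyBuckets"]},
        {"Effect": "Allow", "Resource": "*", "Action": "rds:*"},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["sqs:ListQueues", "sqs:DeleteQueue"]},
        {"Effect": "Deny", "Resource": "*", "Action": "iam:*"},
    ],
})

if __name__ == "__main__":
    for action in non_read_only_actions(SAMPLE_POLICY):
        print("review:", action)
```

A read-only verb does not mean metadata only: s3:GetObject, for example, returns object contents, so review the Get actions that pass this check as well.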

Kubernetes (EKS)

configure8 now supports deep discovery of EKS Pods and Containers. Request access here.
Copyright © 2022 configure8, Inc. All rights reserved.