In the Hyperglance Admin Panel (https://IP_address:8443/#/admin), select the 'Amazon' collector under the 'Collectors' section. Click the 'Add Record' button, which opens a pop-up with the necessary fields (shown below).


Note: The Hyperglance Admin Panel is visible only to admin users of Hyperglance.




1. Account Alias

You can add multiple user accounts to the AWS integration, so each one needs a distinguishing keyword. Enter a unique identifying keyword.

If you plan to use Role-Based Access Control then your choice of Account Alias will decide the roles that you need to assign to your users in order for them to access this account's topology.


2. Access Key

An access key associated with a user that has the required permissions for Hyperglance to read the Amazon environment (see AWS permissions below).

This field is optional when Hyperglance is running as an AWS Instance. If left blank, Hyperglance will rely on the EC2 Metadata service to retrieve credentials associated with the IAM policy assigned to the instance.


3. Secret Key

A secret access key that is used to sign programmatic requests that Hyperglance makes to AWS.

This field is optional when Hyperglance is running as an AWS Instance. If left blank, Hyperglance will rely on the EC2 Metadata service to retrieve credentials associated with the IAM policy assigned to the instance.


4. Role ARN

The ARN of an account trusted role to use for STS AssumeRole. Use this when you want Hyperglance to make use of STS temporary security credentials.


5. Regions

The regions you wish to visualize. Only select the regions that you use: increasing the number of regions increases the API calls to AWS and therefore slows down the collection unnecessarily.


When you have finished filling in the form, press the "Submit" button. If the account was added successfully, the pop-up disappears and the newly added record is listed under the records for the Amazon collector.



AWS permissions needed

The IAM user must have certain rights in order to allow Hyperglance to poll the relevant information from the API. See below for the full list of permissions Hyperglance needs.

 

Read/Write Policy:


{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:Describe*",
      "ec2:RebootInstances",
      "ec2:StopInstances",
      "ec2:TerminateInstances",
      "ec2:StartInstances",
      "ec2:CreateTags",
      "ec2:DeleteTags",
      "ec2:CreateImage",
      "sts:GetCallerIdentity",
      "dynamodb:Describe*",
      "dynamodb:ListTables",
      "elasticloadbalancing:Describe*",
      "cloudwatch:ListMetrics",
      "cloudwatch:GetMetricStatistics",
      "cloudwatch:Describe*",
      "autoscaling:Describe*",
      "rds:Describe*",
      "rds:ListTagsForResource",
      "rds:AddTagsToResource",
      "rds:RemoveTagsFromResource",
      "rds:DeleteDBInstance",
      "rds:RebootDBInstance"
    ],
    "Resource": "*"
  }]
}



Read Only Policy:


{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:Describe*",
      "sts:GetCallerIdentity",
      "dynamodb:Describe*",
      "dynamodb:ListTables",
      "elasticloadbalancing:Describe*",
      "cloudwatch:ListMetrics",
      "cloudwatch:GetMetricStatistics",
      "cloudwatch:Describe*",
      "autoscaling:Describe*",
      "rds:Describe*",
      "rds:ListTagsForResource"
    ],
    "Resource": "*"
  }]
}


Note: If you wish to make use of a Role ARN for STS AssumeRole then you must also allow the sts:AssumeRole action.
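
To check a policy before attaching it to the Hyperglance user or role, the following added example (not Hyperglance's own code) compares a policy document with the action lists above and reports actions granted beyond them and actions that are missing. The function names, the mode argument and the SAMPLE policy are assumptions made for this illustration.

```python
import json
from fnmatch import fnmatchcase

# Action lists copied from the two policies on this page.
READ_ONLY = [
    "ec2:Describe*", "sts:GetCallerIdentity", "dynamodb:Describe*",
    "dynamodb:ListTables", "elasticloadbalancing:Describe*",
    "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics",
    "cloudwatch:Describe*", "autoscaling:Describe*", "rds:Describe*",
    "rds:ListTagsForResource",
]
WRITE_EXTRA = [
    "ec2:RebootInstances", "ec2:StopInstances", "ec2:TerminateInstances",
    "ec2:StartInstances", "ec2:CreateTags", "ec2:DeleteTags",
    "ec2:CreateImage", "rds:AddTagsToResource", "rds:RemoveTagsFromResource",
    "rds:DeleteDBInstance", "rds:RebootDBInstance",
]
# Constructed sample: read-only list minus its last action, plus one write action.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": READ_ONLY[:-1] + ["ec2:TerminateInstances"]}]})

def allowed_actions(policy_text):
    """Return the lower-cased actions granted by Allow statements."""
    statements = json.loads(policy_text)["Statement"]
    if isinstance(statements, dict):  # IAM accepts a single bare statement
        statements = [statements]
    granted = set()
    for st in statements:
        actions = st.get("Action", []) if st.get("Effect") == "Allow" else []
        granted.update(a.lower() for a in ([actions] if isinstance(actions, str) else actions))
    return granted

def covered(action, baseline):
    """True if `action` equals a baseline entry or, being a concrete name, matches a
    baseline wildcard; a broader wildcard grant such as ec2:* counts as excess."""
    wild = "*" in action or "?" in action
    return any(action == e or (not wild and fnmatchcase(action, e))
               for e in (b.lower() for b in baseline))

def audit(policy_text, mode="read-only", uses_role_arn=False):
    """Return (excess, missing) relative to the page's list for `mode`."""
    baseline = READ_ONLY + (WRITE_EXTRA if mode == "read-write" else [])
    if uses_role_arn:  # the page's note: Role ARN also needs sts:AssumeRole
        baseline = baseline + ["sts:AssumeRole"]
    granted = allowed_actions(policy_text)
    excess = sorted(a for a in granted if not covered(a, baseline))
    missing = sorted(b for b in baseline if not covered(b.lower(), granted))
    return excess, missing
```

An empty excess list means the policy grants nothing beyond the list for the chosen mode; an empty missing list means every listed action is present.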