Skip to main content
Skip table of contents

AWS

AWS (Amazon Web Services) is a comprehensive, evolving cloud computing platform provided by Amazon that includes a mixture of infrastructure as a service (IaaS), platform as a service (PaaS) and packaged software as a service (SaaS) offerings.

Click here for the video tutorial on configuring the AWS Connector for multiple AWS accounts.

Click here for the video tutorial on configuring the AWS Connector for a single AWS account.

Lucidum uses the AWS connector to ingest data from the following AWS services:

  • AWS Database Services (DynamoDB)

  • AWS EC2 Instance

  • AWS IAM User/Policy

  • AWS EKS Kubernetes Service

  • AWS ECS Container Service

  • AWS S3 File Storage

  • AWS Inspector

  • AWS Logs (CloudWatch/CloudTrail)

  • AWS ELB Load Balancer

  • AWS Elastic Network Interface

  • AWS Security Groups

  • AWS Route53

  • AWS Lambda Function

  • AWS Config

  • AWS Organizations

  • AWS Elastic Cache

  • AWS Workspaces

Requirements

To use the AWS Connector in Lucidum:

  1. If you want to monitor multiple instances of AWS, you must define cross-account access that allows Lucidum to ingest information from multiple AWS accounts.

  2. You can then configure the AWS connector in Lucidum and start ingesting data from AWS.

Prerequisite: Define Cross-Account Access in AWS

If you want to use Lucidum to monitor multiple AWS accounts, you can use cross-account access. With cross-account access, Lucidum can assume roles that allow it to ingest data from multiple AWS accounts.

To define cross-account access, you must create a role in each AWS account(s) and allow the Lucidum SaaS AWS account to assume this role.

In each of the additional AWS accounts you want to access with a Lucidum Connector:

  1. Log in to the AWS Management Console as an administrator for the account you want to allow Lucidum to access. Open the IAM console at https://console.aws.amazon.com/iam/. You will create a new role that allows Lucidum to access the account.

  2. In the navigation pane on the left, choose Policies.

  3. Choose Create policy.

  4. Choose the JSON tab.

  5. Type or paste the JSON text from Lucidum’s public Github (https://github.com/LucidumInc/lucidum-deployment-x-account/blob/master/x_account_deployment/lucidum_assume_role_policy.json).

  6. The following is an example JSON file:

    CODE
    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": [
                    "cloudtrail:Describe*",
                    "cloudtrail:Get*",
                    "cloudtrail:List*",
                    "cloudtrail:LookupEvents",
                    "cloudwatch:Describe*",
                    "cloudwatch:Get*",
                    "cloudwatch:List*",
                    "codecommit:List*",
                    "codecommit:Get*",
                    "config:Describe*",
                    "config:Get*",
                    "config:List*",
                    "dynamodb:Describe*",
                    "dynamodb:List*",
                    "dynamodb:Scan",
                    "ec2:Describe*",
                    "ec2:Get*",
                    "ecr:Batch*",
                    "ecr:Describe*",
                    "ecr:Get*",
                    "ecr:List*",
                    "ecs:Describe*",
                    "ecs:List*",
                    "eks:Describe*",
                    "eks:List*",
                    "elasticache:Describe*",
                    "elasticloadbalancing:Describe*",
                    "guardduty:Get*",
                    "guardduty:List*",
                    "iam:Get*",
                    "iam:List*",
                    "inspector:Describe*",
                    "inspector:Get*",
                    "inspector:List*",
                    "kms:Describe*",
                    "kms:Get*",
                    "kms:List*",
                    "lambda:Get*",
                    "lambda:List*",
                    "logs:PutLogEvents",
                    "logs:CreateLogStream",
                    "logs:CreateLogGroup",
                    "logs:Describe*",
                    "logs:FilterLogEvents",
                    "logs:Get*",
                    "logs:List*",
                    "organizations:Describe*",
                    "organizations:List*",
                    "pricing:Describe*",
                    "pricing:Get*",
                    "route53:List*",
                    "s3:Get*",
                    "s3:List*",
                    "securityhub:Describe*",
                    "securityhub:Get*",
                    "securityhub:List*",
                    "sns:List*",
                    "ssm:Describe*",
                    "ssm:Get*",
                    "sts:Get*",
                    "sts:AssumeRole",
                    "tag:Get*",
                    "workspaces:Describe*"
        ],
        "Resource": "*"
      }
    }
  7. Choose Review policy.

  8. Choose Next: Tags

  9. On the Review policy page, type the following:

    • Name. Type Lucidum-Readonly-Policy.

    • Description. Optional. Description of the policy.

  10. Review the policy Summary.

  11. Choose Create policy to save your work.

  12. In the IAM console, choose Roles from the left menu.

  13. Choose Create Role.

  14. Create a new role, named lucidum_assume_role.

  15. Choose Another AWS Account. Enter the following:

    • Account ID. Type the Lucidum SaaS AWS account ID where the Lucidum instance resides. The Lucidum SaaS AWS account ID is provided by Lucidum technical support.

    • External ID. This is optional but highly recommended for better security. Under “Options”, select “Require external ID” and fill in an external ID under the “External ID” text box (a random unique ID is preferred)

  16. Click Next.

  17. To attach the policy Lucidum-Readonly-Policy to lucidum_assume_role, select the checkbox next to Lucidum-Readonly-Policy.

  18. Click Next

  19. Enter the details to create the role and save and create the new role.

  20. Select the lucidum_asssume_role. Change the maximum session duration to 4 hours and click Save changes.

  21. Check the “Trust relationships” tab. The policy should look like this:

    CODE
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::[Lucidum SaaS AWS account ID]:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {}
        }
      ]
    }
    
    
  22. Perform steps 1-21 for each additional AWS account you want the Lucidum AWS connector to connect to.

  23. Lucidum is now able to assume the roles from additional AWS accounts.

Configuring the AWS Connector

To configure Lucidum to ingest data from AWS:

  1. Log in to Lucidum.

  2. In the left pane, click Connector.

  3. On the Connector page, click Add Connector.

  4. Scroll until you find the Connector for AWS. Click Connect. The Settings page appears.

  5. In the Settings page, enter the following:

    • Access Key ID. Provide the AWS Access Key ID for the AWS account you want to ingest data from.

      • If you specify a value in the Role name field, you can leave this blank.

    • Access Key Secret. Provide the AWS Access Key Secret for the AWS account you want to ingest data from.

      • If you specify a value in the Role name field, you can leave this blank.

    • External role ID (optional). The default value is “lucidum-access”. External Role ID for the cross-account role.

    • Role duration (optional). Duration for cross-account role assuming. By default, Lucidum will set the duration as 4 hours.

    • Role name. Role Name for cross-account role assuming. In the previous section, you created the role lucidum_assume_role.

      • If you specified values in Access key ID and Access key secret, you can leave this blank.

    • AWS accounts (optional). Account ID for each AWS account that will allow Lucidum to use the role to ingest data. Click the “Add Row” button to add more AWS account IDs as needed if the same role has been set up in multiple AWS accounts.

    • Auto Scaling Regions. Specify the regions where you have implemented AWS Auto Scaling. AWS Auto Scaling is available in Asia Pacific (Mumbai), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Sydney), Canada (Central), US West (Northern California), Europe (London), Europe (Frankfurt), EU (Paris), EU (Milan), US East (Virginia), US East (Ohio), US West (Oregon), EU (Ireland), and Asia Pacific (Singapore).  

    • AWS Regions. Enter the AWS Region code (for example, us-east-2) to ingest data from. If left blank, the connector will ingest data from all regions.

  6. To test the configuration, click Test.

    • If the connector is configured correctly, Lucidum displays a list of services that are accessible with the connector.

    • If the connector is not configured correctly, Lucidum displays an error message.

Supported Actions

The AWS Connector supports these Actions in Lucidum:

  • Start/Stop AWS EC2 instances

  • Add Tag to AWS EC2 instance

  • Remove Tag from AWS EC2 instance

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.