Permissions

Before you begin configuring the components, you must enable the following permissions and attach the policies to an IAM role. You must then attach this IAM role to the GigaVUE-FM instance running in AWS:

  • Full EC2 Instance access
  • Read-only permission for IAM role
  • EC2 pass role permission
  • GigaVUE-FM Instance Role Policy
  • STS AssumeRole Policy

For creating an IAM role, refer to the AWS Identity and Access Management (IAM) service. For more information on access control of EC2 instances in AWS, refer to the AWS documentation on Controlling Access to Amazon EC2 Resources.

Note:  For VPC Traffic Mirroring, "ec2:*TrafficMirror*" is an additional set of permissions required for the IAM role.

An example of the above permissions is to associate the following policies with your IAM role before launching the GigaVUE-FM instance (you can attach this IAM role at any time while the instance exists):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DescribeAddresses",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTrafficMirrorFilters",
        "ec2:DescribeTrafficMirrorSessions",
        "ec2:DescribeTrafficMirrorTargets",
        "ec2:DescribeVpcs"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTrafficMirrorFilterRule",
        "ec2:CreateTrafficMirrorSession",
        "ec2:CreateTrafficMirrorFilter",
        "ec2:DeleteTrafficMirrorFilter",
        "ec2:DeleteTrafficMirrorSession",
        "ec2:CreateTrafficMirrorTarget",
        "ec2:DeleteTrafficMirrorTarget"
      ],
      "Resource": "*"
    }
  ]
}

For detailed instruction on creating an IAM policy, refer to the AWS documentation on Creating Customer Managed Policies.

Amazon STS Support and AssumeRole Policies

GigaVUE-FM supports VPC connections in only one account. You can add additional accounts using Access and Secret Keys. From GigaVUE-FM version 5.7.01, GigaVUE-FM connections to AWS can use Amazon STS (Security Token Service) and AssumeRole policies. Using these policies, you can attach a role to a GigaVUE-FM instance running in AWS, thus enabling GigaVUE-FM to monitor multiple accounts in AWS.

You can still use the Access and Secret Keys to create additional accounts. However, using the STS option is the recommended best practice for security reasons.

Configuration

This section provides guidance on configuring your GigaVUE-FM instance to enable Amazon STS support.

Prerequisites

You must complete the following prerequisites before configuring GigaVUE-FM for Amazon STS support.

  • A policy must be created in the account in which GigaVUE-FM is running.
    • Attach the created policy to a Role.
    • Attach the same Role to GigaVUE-FM, as an IAM instance Role.
  • A policy must be included in other accounts as well.
    • These policies must allow GigaVUE-FM to assume the role in that account.

Procedure

For the purposes of these instructions, the AWS account that runs the GigaVUE-FM instance is called the source (formerly master) account, and any other AWS account that runs monitored instances is called a target account.

To configure GigaVUE-FM for Amazon STS support:

  1. In each target account, create an IAM role with the source account number as a trusted entity and attach policies with permissions allowing GigaVUE-FM to perform its functions. Record the ARN of each role created.

    Note:  This role must exist in all accounts to support the ability to create a single Monitoring Domain in GigaVUE-FM that includes multiple accounts.

  2. In the source account, create a new IAM policy that allows GigaVUE-FM to retrieve IAM policies.

    IMPORTANT: The following example is provided as an illustration only.

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": [
          "iam:ListPolicies",
          "iam:GetPolicy",
          "iam:GetPolicyVersion"
        ],
        "Resource": "*"
      }
    }

  3. In the source account, create a new IAM policy that allows the "sts:AssumeRole" action on all role ARNs created in Step 1.

    IMPORTANT: The following example is provided as an illustration only.

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": [
          "arn:aws:iam::123456789012:role/FM-Role-target-account"
        ]
      }
    }

    Note:  In this example, 123456789012 is a target account and FM-Role-target-account is the role in the target account configured in step 1 with permissions required for GigaVUE-FM.

  4. In the source account, attach the policies created in steps 2 and 3 to the IAM role that is attached to the GigaVUE-FM instance.
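As an added check that is not part of the Gigamon documentation, the following Python audit compares a policy document against the permission set documented on this page (the EC2 policy, the ec2:*TrafficMirror* pattern, the Step 2 IAM actions and sts:AssumeRole) and flags any action outside that set or an AssumeRole statement that is not scoped to specific target-account role ARNs. The Step 3 policy is taken from the page; the over-broad policy is a constructed sample.

```python
import fnmatch
import re

# Actions this page documents for the GigaVUE-FM instance role: the EC2 policy above,
# the IAM read-only policy of Step 2 and sts:AssumeRole (which must be scoped to role ARNs).
DOCUMENTED_ACTIONS = {
    "ec2:CreateTags", "ec2:DescribeAddresses", "ec2:DescribeImages", "ec2:DescribeInstances",
    "ec2:DescribeKeyPairs", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs",
    "ec2:RunInstances", "ec2:TerminateInstances",
    "iam:ListPolicies", "iam:GetPolicy", "iam:GetPolicyVersion", "sts:AssumeRole",
}
# VPC Traffic Mirroring is documented as the action pattern ec2:*TrafficMirror*.
DOCUMENTED_PATTERNS = ["ec2:*TrafficMirror*"]
# A specific IAM role ARN: 12-digit account id, then role/<name>.
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

def _as_list(value):  # IAM allows Statement, Action and Resource to be one item or a list
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return findings for Allow statements that exceed the documented permission set."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            documented = action in DOCUMENTED_ACTIONS or any(
                fnmatch.fnmatchcase(action, p) for p in DOCUMENTED_PATTERNS)
            if not documented:
                kind = "wildcard" if "*" in action else "undocumented"
                findings.append(f"statement {idx}: {kind} action {action!r}")
        if "sts:AssumeRole" in actions:
            for res in _as_list(stmt.get("Resource", [])):
                if not ROLE_ARN.match(res):
                    findings.append(f"statement {idx}: sts:AssumeRole resource {res!r} is not a role ARN")
    return findings

# Step 3 policy from this page: scoped to one target-account role, so no findings.
ASSUME_ROLE_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Resource": ["arn:aws:iam::123456789012:role/FM-Role-target-account"]}}

# Constructed over-broad variant: ec2:* plus an AssumeRole that can assume any role.
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "ec2:*TrafficMirror*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}
```

Run audit_policy() over the policies you actually attach to the instance role before Step 4; an empty result means every Allow statement stays within what this page documents.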