AMI and Permissions

The AMI for the GigaVUE Cloud Suite for AWS is available in both the AWS Public Cloud and in AWS GovCloud.

Note:  Refer to Troubleshoot AWS Cloud Issues to resolve GigaVUE-FM access issues.

GigaVUE Cloud Suite in AWS Public Cloud

The AMI for the GigaVUE Cloud Suite for AWS is available in the AWS Marketplace for the Bring Your Own License (BYOL) option.

To purchase a license with the BYOL option, contact Gigamon Sales. Refer to Contact Sales.

GigaVUE Cloud Suite in AWS GovCloud

AWS GovCloud is an isolated AWS region that meets the specific regulatory and compliance requirements of US government agencies. The AWS GovCloud (US) Region adheres to U.S. International Traffic in Arms Regulations (ITAR) requirements.

The AWS GovCloud AMI provides the same features in AWS GovCloud as in the AWS public cloud, so you can monitor instances that hold any category of Controlled Unclassified Information (CUI) and other sensitive government data in the AWS GovCloud (US) Region.

Permissions

Before you begin configuring the components, you must enable the following permissions and attach the policies to an IAM role. You must then attach this IAM role to the GigaVUE-FM instance running in AWS:

  • Full EC2 Instance access
  • Read-only permission for IAM role
  • EC2 pass role permission
  • GigaVUE-FM Instance Role Policy
  • STS AssumeRole Policies

To create an IAM role, refer to the AWS documentation on the AWS Identity and Access Management (IAM) service.

For more information on access control of EC2 instances in AWS, refer to the AWS documentation on Controlling Access to Amazon EC2 Resources.

Note:  For VPC Traffic Mirroring, the IAM role additionally requires the "ec2:*TrafficMirror*" set of permissions.

As an example of the above permissions, attach the following policies to your IAM role before launching the GigaVUE-FM instance (you can attach the IAM role at any time while the instance exists):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DescribeAddresses",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTrafficMirrorFilters",
        "ec2:DescribeTrafficMirrorSessions",
        "ec2:DescribeTrafficMirrorTargets",
        "ec2:DescribeVpcs"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTrafficMirrorFilterRule",
        "ec2:CreateTrafficMirrorSession",
        "ec2:CreateTrafficMirrorFilter",
        "ec2:DeleteTrafficMirrorFilter",
        "ec2:DeleteTrafficMirrorSession",
        "ec2:CreateTrafficMirrorTarget",
        "ec2:DeleteTrafficMirrorTarget"
      ],
      "Resource": "*"
    }
  ]
}

---EC2 Permissions
"ec2:Describe*",
"ec2:RebootInstances",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:ReportInstanceStatus",
"ec2:Disassociate*",
"ec2:CreateTags",
"ec2:AttachVolume",
"ec2:AttachNetworkInterface",
"ec2:Associate*",
"ec2:Allocate*",
"ec2:DeleteTags",
"ec2:DeleteVolume",
"ec2:DeleteNetworkInterface",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifyVolumeAttribute",
"ec2:ReleaseAddress",
"elasticloadbalancing:Describe*",
"autoscaling:Describe*"

If you choose Amazon CloudWatch integration in GigaVUE-FM, you may also attach the following optional policies to your IAM role:

---S3 Permissions
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:Get*",
"s3:ListAllMyBuckets",
"s3:PutBucketNotification",
"s3:PutBucketTagging",
"s3:PutBucketVersioning",
"s3:PutObject",
"s3:PutObjectTagging",
"s3:ReplicateDelete",
"s3:ReplicateObject",
"s3:RestoreObject",
"cloudwatch:*",
"logs:*",
"sns:*",
"sqs:*",
"events:*"
---IAM Permissions

For detailed instructions on creating an IAM policy, refer to the AWS documentation on Creating Customer Managed Policies.
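Before attaching the policies above to the GigaVUE-FM role, it is worth checking them mechanically: which statements grant write actions on every resource, which actions are whole-service wildcards such as "cloudwatch:*", and whether the Traffic Mirroring actions are all present (either listed individually or covered by the "ec2:*TrafficMirror*" pattern from the note above). The following script is an added example, not Gigamon code; the two policy documents it audits are rebuilt from the action lists in this document, and the audit helpers (`service_wide_wildcards`, `unscoped_write_statements`, `missing_actions`) are hypothetical names.

```python
"""Audit an IAM policy document before attaching it to the GigaVUE-FM role.

Added example, not Gigamon code. The policies below are built from the action
lists in the documentation; the audit helpers are hypothetical.
"""
import fnmatch
from typing import Dict, List

# Traffic Mirroring policy reproduced from the documentation, used as sample input.
FM_TRAFFIC_MIRROR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ec2:CreateTags", "ec2:DescribeAddresses", "ec2:DescribeImages",
            "ec2:DescribeInstances", "ec2:DescribeKeyPairs", "ec2:DescribeSecurityGroups",
            "ec2:DescribeSubnets", "ec2:DescribeTrafficMirrorFilters",
            "ec2:DescribeTrafficMirrorSessions", "ec2:DescribeTrafficMirrorTargets",
            "ec2:DescribeVpcs"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:RunInstances", "ec2:TerminateInstances"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ec2:CreateTrafficMirrorFilterRule", "ec2:CreateTrafficMirrorSession",
            "ec2:CreateTrafficMirrorFilter", "ec2:DeleteTrafficMirrorFilter",
            "ec2:DeleteTrafficMirrorSession", "ec2:CreateTrafficMirrorTarget",
            "ec2:DeleteTrafficMirrorTarget"]},
    ],
}

# Optional CloudWatch-integration policy, constructed from the S3/CloudWatch action
# list in the documentation (which shows only the actions, not a full document).
# Uses the single-object Statement form that the STS examples in this document use.
FM_CLOUDWATCH_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Resource": "*", "Action": [
        "s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion",
        "s3:Get*", "s3:ListAllMyBuckets", "s3:PutBucketNotification", "s3:PutBucketTagging",
        "s3:PutBucketVersioning", "s3:PutObject", "s3:PutObjectTagging",
        "s3:ReplicateDelete", "s3:ReplicateObject", "s3:RestoreObject",
        "cloudwatch:*", "logs:*", "sns:*", "sqs:*", "events:*"]},
}

# The Traffic Mirroring actions granted by the documentation's policy; VPC Traffic
# Mirroring needs all of them.
TRAFFIC_MIRROR_REQUIRED = [
    "ec2:DescribeTrafficMirrorFilters", "ec2:DescribeTrafficMirrorSessions",
    "ec2:DescribeTrafficMirrorTargets", "ec2:CreateTrafficMirrorFilter",
    "ec2:CreateTrafficMirrorFilterRule", "ec2:CreateTrafficMirrorSession",
    "ec2:CreateTrafficMirrorTarget", "ec2:DeleteTrafficMirrorFilter",
    "ec2:DeleteTrafficMirrorSession", "ec2:DeleteTrafficMirrorTarget",
]

READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value) -> list:
    """IAM accepts a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statements(policy: Dict) -> List[Dict]:
    return _as_list(policy.get("Statement"))


def allowed_actions(policy: Dict) -> List[str]:
    """Every action pattern granted by an Allow statement."""
    return [a for s in statements(policy) if s.get("Effect") == "Allow"
            for a in _as_list(s.get("Action"))]


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: '*' and '?' are wildcards, comparison is case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def service_wide_wildcards(policy: Dict) -> List[str]:
    """Actions such as 'cloudwatch:*' that grant every API of a service."""
    return sorted({a for a in allowed_actions(policy)
                   if a == "*" or a.split(":", 1)[-1] == "*"})


def unscoped_write_statements(policy: Dict) -> int:
    """Count Allow statements pairing a non-read-only action with Resource '*'.

    These are the statements to review for resource-level or tag-based scoping.
    """
    count = 0
    for s in statements(policy):
        if s.get("Effect") != "Allow" or "*" not in _as_list(s.get("Resource")):
            continue
        if any(not a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)
               for a in _as_list(s.get("Action"))):
            count += 1
    return count


def missing_actions(policy: Dict, required: List[str]) -> List[str]:
    """Required actions that no Allow statement grants (wildcards honoured)."""
    granted = allowed_actions(policy)
    return sorted(r for r in required if not any(action_matches(g, r) for g in granted))


if __name__ == "__main__":
    for name, pol in (("traffic-mirror", FM_TRAFFIC_MIRROR_POLICY),
                      ("cloudwatch", FM_CLOUDWATCH_POLICY)):
        print(name, "service-wide wildcards:", service_wide_wildcards(pol))
        print(name, "unscoped write statements:", unscoped_write_statements(pol))
        print(name, "missing Traffic Mirroring actions:",
              missing_actions(pol, TRAFFIC_MIRROR_REQUIRED))
```

Run against the Traffic Mirroring policy, the script reports no service-wide wildcards and no missing Traffic Mirroring actions, but three statements that grant write actions on every resource; the optional CloudWatch policy reports five service-wide wildcards ("cloudwatch:*", "events:*", "logs:*", "sns:*", "sqs:*"), which is where a reviewer would look first when tightening the role.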

Amazon STS Support and AssumeRole Policies Configuration

GigaVUE-FM supports VPC connections in only one account; you can add additional accounts using Access and Secret Keys. From GigaVUE-FM version 5.7.01, GigaVUE-FM connections to AWS can use Amazon STS (Security Token Service) and AssumeRole policies. Using these policies, you attach a role to the GigaVUE-FM instance running in AWS, which enables GigaVUE-FM to monitor multiple AWS accounts.

You can still use Access and Secret Keys to add additional accounts. However, the STS option is the recommended best practice for security reasons.

This section provides guidance on configuring your GigaVUE-FM instance to enable Amazon STS support.

Prerequisites

You must complete the following prerequisites before configuring GigaVUE-FM for Amazon STS support.

  • A policy must be created in the account in which GigaVUE-FM is running.
    • Attach the created policy to a Role.
    • Attach the same Role to GigaVUE-FM, as an IAM instance Role.
  • A policy must be included in other accounts as well.
    • These policies must allow GigaVUE-FM to assume the role in that account.

Procedure

For the purposes of these instructions, the AWS account that runs the GigaVUE-FM instance is called the source account, and any other AWS account that runs monitored instances is called a target account.

To configure GigaVUE-FM for Amazon STS support:

  1. In each target account, create an IAM role with the source account number as a trusted entity and attach policies with permissions allowing GigaVUE-FM to perform its functions. Record the ARN of each role created.

    Note:  This role must exist in all accounts to support the ability to create a single Monitoring Domain in GigaVUE-FM that includes multiple accounts.

  2. In the source account, create a new IAM policy that allows GigaVUE-FM to retrieve IAM policies.

    IMPORTANT: The following example is provided as an illustration only.

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": [
          "iam:ListPolicies",
          "iam:GetPolicy",
          "iam:GetPolicyVersion"
        ],
        "Resource": "*"
      }
    }

  3. In the source account, create a new IAM policy that allows the "sts:AssumeRole" action on all role ARNs created in Step 1.

    IMPORTANT: The following example is provided as an illustration only.

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": [
          "arn:aws:iam::123456789012:role/FM-Role-target-account"
        ]
      }
    }

    Note:  In this example, 123456789012 is a target account and FM-Role-target-account is the role in the target account configured in step 1 with permissions required for GigaVUE-FM.

  4. In the source account, attach the policies created in steps 2 and 3 to the IAM role that is attached to the GigaVUE-FM instance.
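The four steps above produce three kinds of document: a trust policy in each target account (Step 1, which the procedure describes but does not show), the IAM read policy (Step 2) and the AssumeRole policy (Step 3) in the source account. The script below is an added example, not Gigamon code; it generates all three for a list of target accounts and then cross-checks the Step 3 policy against the Step 1 trust policies, so that a role ARN that is unscoped, points at the source account, or belongs to a target whose trust policy does not name the source account is reported before anything is attached. The account numbers 111111111111, 222222222222 and 333333333333 are constructed placeholders, and the trust policy uses the account root principal that the AWS console generates when an account number is chosen as the trusted entity.

```python
"""Generate and cross-check the policy documents for GigaVUE-FM STS support.

Added example, not Gigamon code. Account numbers are constructed placeholders;
the helper names are hypothetical.
"""
import json
import re
from typing import Dict, List

ACCOUNT_RE = re.compile(r"^\d{12}$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")
ROOT_PRINCIPAL_RE = re.compile(r"^arn:aws:iam::(\d{12}):root$")


def role_arn(account: str, role_name: str) -> str:
    if not ACCOUNT_RE.match(account):
        raise ValueError(f"not a 12-digit AWS account id: {account}")
    return f"arn:aws:iam::{account}:role/{role_name}"


def target_trust_policy(source_account: str) -> Dict:
    """Step 1: trust policy for the GigaVUE-FM role in a target account.

    Only the source account (the one running GigaVUE-FM) is trusted.
    """
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{source_account}:root"},
        "Action": "sts:AssumeRole"}]}


def iam_read_policy() -> Dict:
    """Step 2: lets GigaVUE-FM read IAM policies in the source account."""
    return {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow",
        "Action": ["iam:ListPolicies", "iam:GetPolicy", "iam:GetPolicyVersion"],
        "Resource": "*"}}


def assume_role_policy(target_role_arns: List[str]) -> Dict:
    """Step 3: sts:AssumeRole limited to the recorded target-account role ARNs."""
    return {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": list(target_role_arns)}}


def trusted_accounts(trust_policy: Dict) -> List[str]:
    """Account ids that a trust policy allows to assume the role."""
    accounts = []
    stmts = trust_policy["Statement"]
    for s in (stmts if isinstance(stmts, list) else [stmts]):
        principal = s.get("Principal")
        if s.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        aws = principal.get("AWS", [])
        for p in (aws if isinstance(aws, list) else [aws]):
            m = ROOT_PRINCIPAL_RE.match(p) or ACCOUNT_RE.match(p)
            if m:
                accounts.append(m.group(1) if m.groups() else p)
    return accounts


def check_cross_account(source_account: str, policy: Dict,
                        trust_policies: Dict[str, Dict]) -> List[str]:
    """Cross-check the Step 3 policy against the Step 1 trust policies.

    trust_policies maps each target account id to the trust policy of its
    GigaVUE-FM role. Returns a list of problems; an empty list means consistent.
    """
    problems = []
    resources = policy["Statement"]["Resource"]
    for arn in (resources if isinstance(resources, list) else [resources]):
        m = ROLE_ARN_RE.match(arn)
        if not m:
            problems.append(f"{arn}: not a single role ARN; GigaVUE-FM could assume any matching role")
            continue
        account = m.group(1)
        if account == source_account:
            problems.append(f"{arn}: role is in the source account, not a target")
            continue
        trust = trust_policies.get(account)
        if trust is None:
            problems.append(f"{arn}: no trust policy recorded for target account {account}")
        elif source_account not in trusted_accounts(trust):
            problems.append(f"{arn}: target {account} does not trust source account {source_account}")
    return problems


if __name__ == "__main__":
    source = "111111111111"                       # constructed source account
    targets = ["222222222222", "333333333333"]    # constructed target accounts
    trusts = {t: target_trust_policy(source) for t in targets}
    arns = [role_arn(t, "FM-Role-target-account") for t in targets]
    for label, doc in (("target trust", trusts[targets[0]]),
                       ("source iam-read", iam_read_policy()),
                       ("source assume-role", assume_role_policy(arns))):
        print(f"--- {label}\n{json.dumps(doc, indent=2)}")
    print("problems:", check_cross_account(source, assume_role_policy(arns), trusts))
```

The checker deliberately rejects anything that is not a single, fully qualified role ARN, so "Resource": "*" or a wildcard role name in the Step 3 policy is reported rather than silently accepted; the same function catches a target account whose trust policy was generated for a different source account, which is the usual cause of an AssumeRole failure after the role is attached to the GigaVUE-FM instance.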