AMI and Permissions

The AMI for the GigaVUE Cloud Suite for AWS is available in both the AWS Public Cloud and in AWS GovCloud.

GigaVUE Cloud Suite in AWS Public Cloud

The AMI for the GigaVUE Cloud Suite for AWS is available in the AWS Marketplace for the Bring Your Own License (BYOL) option.

To purchase a license for the BYOL option, contact Gigamon Sales. Refer to Contact Sales.

GigaVUE Cloud Suite in AWS GovCloud

AWS GovCloud (US) is an isolated AWS region designed to meet the specific regulatory and compliance requirements of US government agencies. The AWS GovCloud (US) Region adheres to U.S. International Traffic in Arms Regulations (ITAR) requirements.

The AWS GovCloud AMI provides the same features in AWS GovCloud as the public-cloud AMI does in the AWS public cloud, so you can monitor instances that hold any category of Controlled Unclassified Information (CUI) and other sensitive government data in the AWS GovCloud (US) Region.

Permissions and Privileges

Before you begin configuring the components, you must grant the following permissions by attaching the policies to an IAM role. You must then attach this IAM role to the GigaVUE-FM instance running in AWS.

For creating an IAM role, refer to the AWS documentation on the AWS Identity and Access Management (IAM) service.

For more information on access control of EC2 instances in AWS, refer to the AWS documentation on Controlling Access to Amazon EC2 Resources.

Note:  For VPC Traffic Mirroring, "ec2:*TrafficMirror*" is an additional set of permissions required for the IAM role.

A few examples of the permissions and the policies that you must attach to an IAM role are listed below. Replace the "Insert your AWS Account Number" placeholder in the resource ARNs with your 12-digit AWS account ID. The ARNs are written for the "aws" partition; in AWS GovCloud (US) the partition is "aws-us-gov" (for example, arn:aws-us-gov:ec2:*:<account>:instance/*).

Launch the GigaVUE-FM instance

The following IAM policy must be used for launching the GigaVUE-FM instance. Note that it grants every action, including ec2:RunInstances and ec2:TerminateInstances, on "Resource": "*" (all EC2 resources in the account), whereas the policies that follow scope the same actions to resources in your account, and that "ec2:Describe*" already covers the individual ec2:Describe actions listed alongside it:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DescribeAddresses",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:Describe*",
        "ec2:RebootInstances",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:ReportInstanceStatus",
        "ec2:Disassociate*",
        "ec2:AttachVolume",
        "ec2:AttachNetworkInterface",
        "ec2:Associate*",
        "ec2:Allocate*",
        "ec2:DeleteTags",
        "ec2:DeleteVolume",
        "ec2:DeleteNetworkInterface",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:ModifyVolumeAttribute",
        "ec2:ReleaseAddress",
        "elasticloadbalancing:Describe*",
        "autoscaling:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

IAM Policy for GvTap method

The following IAM policy must be used for the GvTap method. The image ARN has an empty account field because EC2 image ARNs take the form arn:aws:ec2:region::image/ami-id, so the role can launch the GigaVUE AMI regardless of which account owns it:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:RebootInstances",
        "ec2:TerminateInstances",
        "ec2:StartInstances",
        "ec2:CreateTags",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:RunInstances",
        "ec2:AttachNetworkInterface"
      ],
      "Resource": [
        "arn:aws:ec2:*:Insert your AWS Account Number:vpc/*",
        "arn:aws:ec2:*:Insert your AWS Account Number:volume/*",
        "arn:aws:ec2:*:Insert your AWS Account Number:subnet/*",
        "arn:aws:ec2:*:Insert your AWS Account Number:key-pair/*",
        "arn:aws:ec2:*:Insert your AWS Account Number:network-interface/*",
        "arn:aws:ec2:*:Insert your AWS Account Number:instance/*",
        "arn:aws:ec2:*:Insert your AWS Account Number:security-group/*",
        "arn:aws:ec2:*::image/*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeImages",
        "ec2:DescribeAddresses",
        "ec2:DescribeInstances",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "ec2:Associate*",
      "Resource": [
        "arn:aws:ec2:*:Insert your AWS Account Number:vpc/*",
        "arn:aws:ec2:*:Insert your AWS Account Number:subnet/*",
        "arn:aws:ec2:*:Insert your AWS Account Number:volume/*",
        "arn:aws:ec2:*:Insert your AWS Account Number:key-pair/*",
        "arn:aws:ec2:*:Insert your AWS Account Number:network-interface/*",
        "arn:aws:ec2:*:Insert your AWS Account Number:instance/*",
        "arn:aws:ec2:*:Insert your AWS Account Number:security-group/*",
        "arn:aws:ec2:*::image/*"
      ]
    }
  ]
}

IAM Policy for VPC mirroring with GwLB/NLB

The following IAM policy must be used for VPC mirroring with a Gateway Load Balancer (GWLB) or Network Load Balancer (NLB):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances",
        "ec2:RunInstances",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:DeleteTrafficMirrorFilter",
        "ec2:CreateTrafficMirrorFilter",
        "ec2:CreateTrafficMirrorTarget",
        "ec2:DeleteTrafficMirrorTarget",
        "ec2:CreateTrafficMirrorFilterRule",
        "ec2:DeleteTrafficMirrorFilterRule",
        "ec2:DeleteTrafficMirrorSession",
        "ec2:CreateTrafficMirrorSession"
      ],
      "Resource": [
        "arn:aws:ec2:*:Insert your AWS Account Number:vpc/*",
        "arn:aws:ec2:*:Insert your AWS Account Number:volume/*",
        "arn:aws:ec2:*:Insert your AWS Account Number:subnet/*",
        "arn:aws:ec2:*:Insert your AWS Account Number:key-pair/*",
        "arn:aws:ec2:*:Insert your AWS Account Number:network-interface/*",
        "arn:aws:ec2:*:Insert your AWS Account Number:instance/*",
        "arn:aws:ec2:*:Insert your AWS Account Number:security-group/*",
        "arn:aws:ec2:*:Insert your AWS Account Number:traffic-mirror-target/*",
        "arn:aws:ec2:*:Insert your AWS Account Number:traffic-mirror-filter/*",
        "arn:aws:ec2:*:Insert your AWS Account Number:traffic-mirror-filter-rule/*",
        "arn:aws:ec2:*:Insert your AWS Account Number:traffic-mirror-session/*",
        "arn:aws:elasticloadbalancing:*:Insert your AWS Account Number:targetgroup/*",
        "arn:aws:ec2:*::image/*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeImages",
        "ec2:DescribeAddresses",
        "ec2:DescribeInstances",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeTrafficMirrorSessions",
        "ec2:DescribeTrafficMirrorFilters",
        "ec2:DescribeTrafficMirrorTargets"
      ],
      "Resource": "*"
    }
  ]
}


Mirrored and Target IAM Policy for deploying Gigamon Cloud Suite on AWS behind NLB to Gain Cross Account Visibility

In this architecture, the GigaVUE Cloud Suite fabric components are deployed in a centralized VPC behind an external AWS Network Load Balancer, while the target VMs in the Web tier and App tier are spread across multiple AWS accounts. GigaVUE-FM creates VPC traffic mirroring sessions on the target VMs, which mirror their traffic and forward it to the load balancer. Two policies are involved: the mirrored policy, which grants the traffic-mirroring and AWS RAM permissions needed in the accounts whose instances are mirrored, and the target policy, whose resource ARNs reference the source account that runs GigaVUE-FM and which allows GigaVUE-FM to assume the role created in each target account.

Mirrored IAM Policy for deploying Gigamon Cloud Suite on AWS behind NLB to Gain Cross Account Visibility

The following mirrored IAM policy is used for deploying Gigamon Cloud Suite on AWS behind an NLB to gain cross-account visibility. It allows traffic mirror resources to be managed and the AWS RAM resource share invitations, through which the shared mirror target is offered, to be read:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:Describe*",
        "ec2:*TrafficMirror*",
        "ram:GetResourceShareInvitations"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Target IAM policy for deploying Gigamon Cloud Suite on AWS behind NLB to gain Cross Account Visibility

The following target IAM policy is used for deploying Gigamon Cloud Suite on AWS behind an NLB to gain cross-account visibility. Replace the two placeholders in the sts:AssumeRole statement with the account number and role name recorded when you created the role in each target account (see Amazon STS Support and Assume Role Policies Configuration below):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances",
        "ec2:RunInstances",
        "ec2:CreateTags",
        "ec2:DeleteTrafficMirrorFilter",
        "ec2:CreateTrafficMirrorFilter",
        "ec2:CreateTrafficMirrorTarget",
        "ec2:DeleteTrafficMirrorTarget",
        "ec2:CreateTrafficMirrorFilterRule",
        "ec2:DeleteTrafficMirrorFilterRule",
        "ec2:DeleteTrafficMirrorSession",
        "ec2:CreateTrafficMirrorSession",
        "elasticloadbalancing:RegisterTargets",
        "elasticloadbalancing:DeregisterTargets",
        "ram:CreateResourceShare",
        "ram:AssociateResourceShare",
        "ram:DisassociateResourceShare",
        "ram:DeleteResourceShare"
      ],
      "Resource": [
        "arn:aws:ec2:*:Insert your AWS Source Account Number:vpc/*",
        "arn:aws:ec2:*:Insert your AWS Source Account Number:volume/*",
        "arn:aws:ec2:*:Insert your AWS Source Account Number:subnet/*",
        "arn:aws:ec2:*:Insert your AWS Source Account Number:key-pair/*",
        "arn:aws:ec2:*:Insert your AWS Source Account Number:network-interface/*",
        "arn:aws:ec2:*:Insert your AWS Source Account Number:instance/*",
        "arn:aws:ec2:*:Insert your AWS Source Account Number:security-group/*",
        "arn:aws:ec2:*:Insert your AWS Source Account Number:traffic-mirror-target/*",
        "arn:aws:ec2:*:Insert your AWS Source Account Number:traffic-mirror-filter/*",
        "arn:aws:ec2:*:Insert your AWS Source Account Number:traffic-mirror-filter-rule/*",
        "arn:aws:ec2:*:Insert your AWS Source Account Number:traffic-mirror-session/*",
        "arn:aws:elasticloadbalancing:*:Insert your AWS Source Account Number:targetgroup/*",
        "arn:aws:ram:*:Insert your AWS Source Account Number:resource-share/*",
        "arn:aws:ec2:*::image/*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeImages",
        "ec2:DescribeAddresses",
        "ec2:DescribeInstances",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeTrafficMirrorSessions",
        "ec2:DescribeTrafficMirrorFilters",
        "ec2:DescribeTrafficMirrorTargets",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:DescribeTargetGroups",
        "autoscaling:DescribeAutoScalingGroups",
        "iam:ListPolicies",
        "iam:GetPolicy",
        "iam:GetPolicyVersion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::Insert your AWS Target Account Number:role/Insert your STS Assume Role Created in the Target Account"
      ]
    }
  ]
}

For detailed instruction on creating an IAM policy, refer to the AWS documentation on Creating Customer Managed Policies.

KMS Permissions

From software version 6.0 onwards, the following KMS permission policy is required. Every identity-based policy statement needs a Resource element: scope the key actions to the KMS keys in your account, and grant kms:ListAliases on "Resource": "*" because that action does not support resource-level permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:*:Insert your AWS Account Number:key/*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "kms:ListAliases",
      "Resource": "*"
    }
  ]
}
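The policies on this page all carry the "Insert your AWS Account Number" placeholder, are written for the "aws" partition, and must each carry a Resource element to be accepted by IAM. The following Python script is an added example, not Gigamon's own code: it fills in the placeholder for a given account and partition ("aws", or "aws-us-gov" for GovCloud) and then flags the three mistakes most likely when adapting these templates, namely a statement without Resource, an unreplaced placeholder, and a mutating action granted on "Resource": "*". The sample template embedded in it is constructed for the demonstration, and the list of read-only action prefixes (Describe, Get, List) is an assumption used only for the wildcard check.

```python
"""Render the IAM policy templates on this page for a given account and
partition, then sanity-check the result before attaching it to the
GigaVUE-FM role.

Added example, not Gigamon's code. Assumptions: the placeholder text is
replaced verbatim; the public-cloud partition is "aws" and the GovCloud (US)
partition is "aws-us-gov"; actions whose name starts with Describe/Get/List
are treated as read-only for the "Resource": "*" check.
"""
import json
import re

PLACEHOLDER = "Insert your AWS Account Number"
ACCOUNT_RE = re.compile(r"^\d{12}$")
READ_ONLY_PREFIXES = ("Describe", "Get", "List")

# Constructed sample in the shape of the page's policies. The last statement
# deliberately omits "Resource" so the check below has something to flag.
SAMPLE_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Mutating",
            "Effect": "Allow",
            "Action": ["ec2:RunInstances", "ec2:TerminateInstances", "ec2:CreateTags"],
            "Resource": [
                f"arn:aws:ec2:*:{PLACEHOLDER}:instance/*",
                f"arn:aws:ec2:*:{PLACEHOLDER}:network-interface/*",
                "arn:aws:ec2:*::image/*",  # image ARNs carry no account field
            ],
        },
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Sid": "MissingResource", "Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"]},
    ],
}


def render_policy(template, account_id, partition="aws"):
    """Return a copy of template with the account placeholder filled in and
    every ARN rewritten for the requested partition."""
    if not ACCOUNT_RE.match(account_id):
        raise ValueError("account id must be exactly 12 digits")
    if partition not in ("aws", "aws-us-gov"):
        raise ValueError(f"unsupported partition: {partition}")
    text = json.dumps(template).replace(PLACEHOLDER, account_id)
    text = text.replace("arn:aws:", f"arn:{partition}:")
    return json.loads(text)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of findings (empty if the policy passes):
    - a statement without Resource/NotResource (IAM rejects the document),
    - an unreplaced account placeholder,
    - an Allow statement granting a mutating action on Resource "*"."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        if "Resource" not in stmt and "NotResource" not in stmt:
            findings.append(f"{sid}: no Resource element")
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(PLACEHOLDER in r for r in resources):
            findings.append(f"{sid}: account placeholder not replaced")
        if stmt.get("Effect") == "Allow" and "*" in resources:
            mutating = [a for a in actions
                        if not a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)]
            if mutating:
                findings.append(f"{sid}: mutating actions {mutating} allowed on Resource \"*\"")
    return findings


if __name__ == "__main__":
    rendered = render_policy(SAMPLE_TEMPLATE, "123456789012", partition="aws-us-gov")
    print(json.dumps(rendered, indent=2))
    for finding in lint_policy(rendered):
        print("FINDING:", finding)
```

Run it against each policy on this page after pasting the JSON into SAMPLE_TEMPLATE's place: the FM launch policy will be reported for its mutating actions on "Resource": "*", which is the trade-off to weigh before attaching it, and any statement without a Resource element is caught before IAM rejects the upload.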

Amazon STS Support and Assume Role Policies Configuration

Prerequisites

You must complete the following prerequisites before configuring GigaVUE-FM for Amazon STS support.

  • A policy must be created in the account in which GigaVUE-FM is running.
    • Attach the created policy to a Role.
    • Attach the same Role to GigaVUE-FM, as an IAM instance Role.
  • A policy must be included in other accounts as well.
    • These policies must allow GigaVUE-FM to assume the role in that account.

Procedure

For the purposes of these instructions, the AWS account that runs the GigaVUE-FM instance is called the source account, and any other AWS account that runs monitored instances is called a target account.

To configure GigaVUE-FM for Amazon STS support:

  1. In each target account, create an IAM role with the source account number as a trusted entity and attach policies with permissions allowing GigaVUE-FM to perform its functions. Record the ARN of each role created.

    Note:  This role must exist in all accounts to support the ability to create a single Monitoring Domain in GigaVUE-FM that includes multiple accounts.

  2. In the source account, create a new IAM policy that allows GigaVUE-FM to retrieve IAM policies.

    IMPORTANT: The following is provided as an example.

    1. Use the following permissions if you are using an IAM instance role for authentication:

      "iam:ListAttachedRolePolicies",
      "iam:GetPolicy",
      "iam:GetPolicyVersion",
      "iam:ListRolePolicies"

      If there are inline policies attached to the role, then you must also include the following permission:

      "iam:GetRolePolicy"

    2. Use the following permissions for basic authentication (IAM user credentials):

      "iam:ListGroupsForUser",
      "iam:ListAttachedUserPolicies",
      "iam:ListAttachedGroupPolicies",
      "iam:GetPolicy",
      "iam:GetPolicyVersion",
      "iam:ListUserPolicies",
      "iam:ListGroupPolicies"

      If there are inline policies attached to the user, then include the following permission:

      "iam:GetUserPolicy"

      If there are inline policies attached to the user group, then include the following permission:

      "iam:GetGroupPolicy"
  3. In the source account, create a new IAM policy that allows the “sts:AssumeRole” action on all role ARNs created in Step 1.
    IMPORTANT: The following is provided as an example.

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": [
          "arn:aws:iam::123456789012:role/FM-Role-target-account"
        ]
      }
    }

    Note:  In this example, 123456789012 is a target account and FM-Role-target-account is the role in the target account configured in step 1 with the permissions required for GigaVUE-FM. Add one role ARN to the Resource list for every target account.

  4. In the source account, attach the policies created in steps 2 and 3 to the IAM role that is attached to the GigaVUE-FM instance.
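The procedure above produces two documents that have to agree with each other: the trust policy of the role created in each target account (Step 1), which names the source account as trusted entity, and the sts:AssumeRole policy in the source account (Step 3), which lists every one of those role ARNs. The following Python script is an added example, not Gigamon's own code: it generates both halves for any number of target accounts and cross-checks them, reporting a role the source policy cannot assume or a trust policy that does not trust the source account. The account numbers and role names in it are constructed, and the optional sts:ExternalId condition is standard cross-account hardening that the page itself does not require.

```python
"""Generate and cross-check the two halves of the STS setup above: the trust
policy of the role created in each target account (Step 1) and the
sts:AssumeRole policy attached to the GigaVUE-FM role in the source account
(Step 3).

Added example, not Gigamon's code. Assumptions: the account numbers and role
names are constructed; the optional ExternalId condition is cross-account
hardening that the page itself does not require.
"""
import json


def account_of(arn):
    """Return the account-id field of an IAM ARN (role ARN or :root principal).
    A bare 12-digit account id is accepted as-is."""
    if arn.isdigit():
        return arn
    parts = arn.split(":")
    if len(parts) != 6 or parts[2] != "iam":
        raise ValueError(f"not an IAM ARN: {arn}")
    return parts[4]


def target_trust_policy(source_account, partition="aws", external_id=None):
    """Step 1: trust policy for the role in a target account. The source
    account (where GigaVUE-FM runs) is the trusted entity."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:{partition}:iam::{source_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:  # optional, not on the page: limits who in the source account may assume
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def source_assume_role_policy(target_role_arns):
    """Step 3: policy in the source account allowing sts:AssumeRole on every
    role ARN recorded in Step 1, one ARN per target account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": sorted(set(target_role_arns)),
        }],
    }


def _trusted_principals(trust_policy):
    """All AWS principals a trust policy allows to call sts:AssumeRole."""
    principals = []
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        aws = stmt.get("Principal", {}).get("AWS", [])
        principals.extend([aws] if isinstance(aws, str) else aws)
    return principals


def check_pairing(source_account, assume_policy, trust_policies):
    """Cross-check Step 1 against Step 3. trust_policies maps role ARN -> trust
    policy document. Returns a list of findings; empty means consistent."""
    findings = []
    allowed = assume_policy["Statement"][0]["Resource"]
    for arn in allowed:
        trust = trust_policies.get(arn)
        if trust is None:
            findings.append(f"{arn}: in the source policy but no trust policy recorded")
        elif not any(account_of(p) == source_account for p in _trusted_principals(trust)):
            findings.append(f"{arn}: trust policy does not trust source account {source_account}")
    for arn in trust_policies:
        if arn not in allowed:
            findings.append(f"{arn}: role exists but the source policy cannot assume it")
    return findings


# Constructed example: GigaVUE-FM in 111111111111, workloads in two target accounts.
SOURCE_ACCOUNT = "111111111111"
TARGET_ROLE_ARNS = [
    "arn:aws:iam::222222222222:role/FM-Role-target-account",
    "arn:aws:iam::333333333333:role/FM-Role-target-account",
]


def build_example():
    """Return (trust policies by role ARN, source assume-role policy, findings)."""
    trust = {arn: target_trust_policy(SOURCE_ACCOUNT) for arn in TARGET_ROLE_ARNS}
    assume = source_assume_role_policy(TARGET_ROLE_ARNS)
    return trust, assume, check_pairing(SOURCE_ACCOUNT, assume, trust)


if __name__ == "__main__":
    trust, assume, findings = build_example()
    print(json.dumps(assume, indent=2))
    print("findings:", findings or "none")
```

The trust document is what you pass in each target account to `aws iam create-role --role-name FM-Role-target-account --assume-role-policy-document file://trust.json` before attaching the permission policies from Step 1, and the assume-role document is the policy from Step 3 that you attach to the GigaVUE-FM instance role in the source account. Trusting the source account's :root principal, as Step 1 describes, lets any identity in that account with sts:AssumeRole permission use the role; once the GigaVUE-FM role exists, you can tighten the Principal to that role's ARN.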