Connect AWS account
Connect your AWS account to Sedai's cloud management system by configuring IAM roles. Follow this detailed guide to set up secure access for autonomous operations.
If you do not have access to configure IAM or run CloudFormation stacks within your organization, we recommend raising a ticket with your security team.
Summary: Sedai securely connects to your cloud account, discovers supported cloud resources, and automatically imports relevant CloudWatch metrics. The integration does not impact your privacy policies or include access to logs. We provide a CloudFormation stack to easily create an IAM Role and attach Sedai's policies to it, so that you will only need to provide Sedai with the Role ARN. These steps need to be repeated for each AWS account you want to connect to Sedai.
To experience the full value of Sedai, we recommend providing read-write access and managing permissions/reinforcement learning within the platform via the Crawl-Walk-Run modes: Datapilot, Copilot, and Autopilot. It's important to note that Sedai will not make any changes to your resources unless you update the mode setting. Learn more about Sedai's operation modes, permissions and what to expect when you integrate your resources.
Keep in mind that all integrated resources (irrespective of the policy used) will automatically run in Datapilot mode, which only analyzes monitoring data and does not make changes to your cloud resources. You can configure how Sedai manages your resources from the Settings > Resources page (learn more).
Sedai's IAM policy provides visibility to your infrastructure and the option to allow it to autonomously modify resource configurations. The following summarizes services Sedai supports and how permission is used:
Use these policies if you want to enable autonomous management within your AWS account. These policies include read-write access to the respective cloud resource type, which allows Sedai to make changes on your behalf (if set to Copilot or Autopilot mode), as well as enable Sedai's ML models.
Common (includes read-only access to CloudWatch)
Even if you're not ready to run autonomously, we still recommend integrating your account with read-write permissions. You can set Sedai's features to run in Datapilot mode, which will only generate recommendations for you to review.
Sedai individually connects to Kubernetes clusters, so EKS clusters are displayed independent of their corresponding AWS account.
To connect to EKS, we recommend deploying Sedai's Smart Agent within the cluster; however, you can alternatively set up agentless access via IAM authentication and Kubernetes Role Based Access Control (RBAC).
This approach uses a CloudFormation Stack that by default provides read-write access. From Sedai's interface you will be able to select which resources you want Sedai to import and manage.
Navigate to your Sedai account (https://yourcompany.sedai.app). If you have not yet integrated cloud resources, by default you should see the integration wizard; otherwise, navigate to Settings > Integrations and click Connect Cloud.
Choose the AWS products within your account that you want to integrate to Sedai. Based on your selection, Sedai will generate your custom policy. By default, this policy includes read-write access. If you want to use read-only access, you will need to manually configure IAM.
Click to execute the CloudFormation stack. This will open your AWS console (ensure you are logged in to the correct AWS account). Once completed, navigate to the Outputs tab to copy the Role ARN and go back to Sedai to enter it. Sedai will generate an External ID based on the provided ARN.
From the AWS Console, navigate to Policies under Identity and Access Management. Select Create Policy. Copy your preferred Sedai policy and paste it into the JSON policy editor. View AWS documentation to learn more.
1. Go to Settings > Integrations and select Connect Cloud.
2. Select AWS as your cloud provider, then select your resource types and the cloud products you'd like Sedai to manage.
3. After giving your cloud a nickname, click the button to Launch CloudFormation (make sure you're logged in to the AWS account you wish to integrate with Sedai).
4. On the screen that will open in the CloudFormation console, leave the selections as is and click Next.
5. In the Specify stack details page, enter the stack name.
6. In the Sedai app configuration section, leave the custom external ID field empty (unless a custom external ID was provided previously).
7. In the Permission section, select which cloud products you'd like Sedai to manage (please ensure this matches the selections you previously made within Sedai when connecting your account).
8. Click Next, then scroll down and click Next again.
9. In the Review and create page, check the capabilities and click Submit.
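Once the stack has created the role, its trust policy can be checked before the Role ARN is handed over. The following is an added example, not Sedai's code: it assumes the standard AWS cross-account pattern (the vendor's AWS account as principal plus an `sts:ExternalId` condition), and the account ID and external ID in the sample are placeholders.

```python
import json

# Constructed sample of a role trust policy (AssumeRolePolicyDocument).
# 111122223333 and EXAMPLE-EXTERNAL-ID are placeholders, not Sedai's values.
SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
  }]
}
""")


def _as_list(value):
    """IAM allows a single value or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, trusted_account, external_id):
    """Return findings for statements that let a principal assume the role."""
    findings, allows = [], 0
    for n, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        allows += 1
        principal = stmt.get("Principal", {})
        arns = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        for arn in arns:
            if arn != trusted_account and f"::{trusted_account}:" not in arn:
                findings.append(f"statement {n}: untrusted principal {arn}")
        # Condition keys are case-insensitive; only an exact StringEquals match counts.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = [v for key, val in equals.items() if key.lower() == "sts:externalid"
               for v in _as_list(val)]
        if not ids:
            findings.append(f"statement {n}: no sts:ExternalId condition")
        elif ids != [external_id]:
            findings.append(f"statement {n}: unexpected external ID value")
    if allows == 0:
        findings.append("no statement allows sts:AssumeRole")
    return findings
```

The trust policy of a real role can be exported with `aws iam get-role --role-name <role-name> --query Role.AssumeRolePolicyDocument` and passed to `audit_trust_policy`; an empty list means every check passed.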
If you plan to connect multiple EKS clusters from the same environment to Sedai, you will only need to create one IAM Role. The same ARN can be used to connect each cluster to Sedai.
If your organization follows a scheduled key rotation, you will need to reconnect to Sedai each time. We recommend connecting your AWS cloud with an IAM Role instead to ensure uninterrupted access.
1. Navigate to Identity and Access Management (IAM) within your AWS Console.
2. Create Sedai's IAM policy.
3. Select Role > Create User
4. Select Add Users and enter an easy-to-identify User name.
5. Under AWS credential type, select Access key - Programmatic access. Select Next: Permissions.
6. Under Set Permissions, select Attach existing policies directly and select the policy you created in Step 2.
7. You can optionally add Tags in the next step. Otherwise proceed to Review and Create User to finish setup.
8. You can optionally view or download the created User's security credentials. You will need the Access and Secret Key to connect your resources to Sedai.
You can update a CloudFormation stack to change Sedai's permissions. If read-only access is disabled, you can then manage which cloud products Sedai has permission to optimize, as long as optimization is enabled in Settings > Resources within Sedai.
To update Sedai's cloud product permissions, adjust permissions both within Sedai and the AWS console. Within the AWS console, follow the steps below. Within Sedai, go to Settings > Integrations, select the cloud account, and click Edit under Managed Cloud Products.
When updating a CloudFormation stack, change sets allow you to preview planned changes before applying them, ensuring no unintended consequences. To do this, follow this process:
1. Access the CloudFormation console within the AWS Management Console.
2. Select the desired stack from the list and select the Change Sets tab.
3. Click Create change set, then name the change set.
4. On the page to specify the template, choose Use existing template and click Next.
5. Update the Permission sections to reflect which cloud products you'd like Sedai to manage.
6. Click Next, then scroll down and click Next again.
7. In the Review and create page, check the capabilities and click Submit.
8. Review the planned changes, then click Execute change set.
9. On the Execute change set? pop-up, review the planned changes and specify your preferred options (we recommend using the pre-selected options).
10. Click Execute change set to enact the changes.
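The review of planned changes in the steps above can also be done on the change set's JSON, as returned by `aws cloudformation describe-change-set`. The following is an added example, not Sedai's code: it assumes the stack contains only IAM resources (the role and its policies), and every resource name in the sample is hypothetical.

```python
import json

# Constructed sample shaped like the JSON returned by
# `aws cloudformation describe-change-set`; all resource names are hypothetical.
SAMPLE_CHANGE_SET = json.loads("""
{
  "ChangeSetName": "example-permission-update",
  "ExecutionStatus": "AVAILABLE",
  "Changes": [
    {"Type": "Resource", "ResourceChange": {"Action": "Modify",
      "LogicalResourceId": "ExampleRole", "ResourceType": "AWS::IAM::Role",
      "Replacement": "False"}},
    {"Type": "Resource", "ResourceChange": {"Action": "Add",
      "LogicalResourceId": "ExampleLambdaPolicy",
      "ResourceType": "AWS::IAM::ManagedPolicy"}},
    {"Type": "Resource", "ResourceChange": {"Action": "Remove",
      "LogicalResourceId": "ExampleEcsPolicy",
      "ResourceType": "AWS::IAM::ManagedPolicy"}}
  ]
}
""")


def review_change_set(change_set):
    """Sort planned changes into buckets a reviewer can scan before executing."""
    report = {"added": [], "removed": [], "modified": [], "blockers": []}
    if change_set.get("ExecutionStatus") != "AVAILABLE":
        report["blockers"].append("change set is not in an executable state")
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange", {})
        name, rtype = rc.get("LogicalResourceId"), rc.get("ResourceType", "")
        # Assumption: the stack holds only IAM resources (a role and its policies).
        if not rtype.startswith("AWS::IAM::"):
            report["blockers"].append(f"{name}: unexpected resource type {rtype}")
            continue
        bucket = {"Add": "added", "Remove": "removed"}.get(rc.get("Action"), "modified")
        report[bucket].append(name)
        # Removing or replacing the role produces a different role, so the
        # Role ARN already registered with the vendor may stop working.
        replaced = rc.get("Replacement") in ("True", "Conditional")
        if rtype == "AWS::IAM::Role" and (rc.get("Action") == "Remove" or replaced):
            report["blockers"].append(f"{name}: role would be removed or replaced")
    return report
```

An empty `blockers` list with the expected entries under `added` and `removed` corresponds to a permission update that only changes which policies are attached.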
After updating a CloudFormation stack, we recommend monitoring the deployment.
When you create or update a CloudFormation stack, you can track the update's progress to ensure it's functioning properly. Within the CloudFormation console, the Events tab displays the status of each resource during the update process. Refresh this tab to ensure it shows the CREATE_COMPLETE or UPDATE_COMPLETE status. If the deployment has failed, try re-deploying it.
AWS Service | Purpose |
---|---|
ECS, Fargate, Lambda, EC2, S3, ELB, RDS, Autoscaling | Discovers resources so that the system can create ML models and use reinforcement learning to reduce cost, improve performance, and prevent availability issues. Note: Sedai will only act if feature settings are set to Copilot or Autopilot mode and if the operation passes rigorous safety checks. |
CloudWatch | (Read-only) Pulls monitoring data for continuous seasonality and performance analysis. By default, Sedai automatically imports relevant metrics to analyze resource behavior. You can additionally connect monitoring data from other APM and observability providers. |
X-Ray, ELB, Kinesis, DynamoDB, Logs, App Mesh | (Read-only) Informs discovery process to help Sedai understand topology infrastructure. |