Connect AWS account

Learn how to connect AWS compute and storage resources to Sedai.

Sedai currently supports the following AWS cloud resources:

  • Compute:

    • Elastic Compute Cloud (EC2)

    • Elastic Container Service (ECS)

    • Elastic Kubernetes Service (EKS) (autonomous management for stateless workloads only; recommendations available for stateful workloads)

    • Fargate

    • Lambda (Serverless functions)

  • Storage:

    • Elastic Block Store (EBS)

    • Simple Storage Service (S3)

Sedai connects to each Kubernetes cluster individually, so EKS clusters are displayed independently of their corresponding AWS account.

To connect to EKS, we recommend deploying Sedai's Smart Agent within the cluster; alternatively, you can set up agentless access via IAM authentication and Kubernetes Role Based Access Control (RBAC).

Requirements

Sedai connects to AWS accounts via Identity and Access Management (IAM) to discover your cloud resources. To set up secure access, create the following before integrating an AWS account within Sedai:

  • Create IAM Policy Statement for Sedai: Defines access permissions to services Sedai will reference or manage. Keep in mind that you can configure how each resource type is managed from the Settings > Resources page. Even if you allow read-write permission, you can still run Sedai in recommendation mode.

  • Create IAM Role: Provides secure and continuous access to discover resources and detect infrastructure changes. If you plan on adding multiple AWS accounts to Sedai, you will need to generate a unique IAM Role per account. (Note: You can alternatively set up an IAM User; however, if your team follows a scheduled key rotation, you will need to reconnect to Sedai each time. We recommend connecting your AWS cloud with an IAM Role instead to ensure uninterrupted access.)

You can easily configure the IAM policy and Role with Sedai's CloudFormation Template. Once executed, you will need to copy the Role ARN output to integrate with Sedai. (Note: You will need permission to execute a CloudFormation Template within your organization's AWS Console).

Alternatively, you can manually create the IAM policy and IAM Role on your own.

IAM Policy Statement for Sedai

Sedai's IAM autonomous policy provides visibility to your infrastructure and the option to autonomously modify resource configurations. It does not impact your privacy policies or include access to logs. The following summarizes which services Sedai needs access to and how each is used.

Even if you're not ready to run fully autonomous, we still recommend integrating your account with read-write permissions. You can set Sedai's features to run in Recommend Mode, which will only generate recommendations for you to review and optionally execute.

Tutorial

Once you've configured IAM, log in to your Sedai account and navigate to Settings > Integrations. Select the Add Cloud button and follow the prompts. Since you can add multiple AWS accounts to Sedai, you will be asked to give your integration a unique nickname, which helps you easily identify resources within Sedai.

If you use the CloudFormation Template to create your IAM policy and Role, copy the Role ARN from the Outputs tab once the template has fully executed. By default, Sedai will automatically extract the external ID once you provide the Role ARN. (Note: The external ID needs to match what's listed for the Role ARN. To verify, navigate to IAM within your console and select the Sedai Role, then view Trust Relationship).
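The Trust Relationship check described above can also be scripted. The following is an added example, not Sedai's own code: it inspects a role's trust policy JSON (the document `aws iam get-role` returns under `Role.AssumeRolePolicyDocument`) and reports any statement that lets the role be assumed without the expected external ID. The account ID and external ID in the sample policy are constructed placeholders, and the function names are hypothetical.

```python
import json

# Constructed sample trust policy; the account ID and external ID are placeholders.
SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
  }]
}
""")

def _as_list(value):
    """IAM accepts either a single value or a list in these fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def check_external_id(trust_policy, expected_external_id):
    """Return findings; an empty list means every Allow statement that grants
    sts:AssumeRole requires exactly the expected external ID."""
    findings, seen_assume_role = [], False
    for i, stmt in enumerate(_as_list(trust_policy.get("Statement"))):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        grants = any(a in ("sts:assumerole", "sts:*", "*") for a in actions)
        if stmt.get("Effect") != "Allow" or not grants:
            continue
        seen_assume_role = True
        # Only StringEquals is accepted here; a looser operator such as
        # StringLike is reported as missing. Condition keys are case-insensitive.
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = [v for k, val in string_equals.items()
               if k.lower() == "sts:externalid" for v in _as_list(val)]
        if not ids:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif ids != [expected_external_id]:
            findings.append(f"statement {i}: external ID does not match")
    if not seen_assume_role:
        findings.append("no Allow statement grants sts:AssumeRole")
    return findings
```

A statement with no external ID condition is worth treating as a failure rather than a warning, since any principal it names could then assume the role without presenting the shared value.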

By default, Sedai will automatically connect to CloudWatch and use its monitoring data to analyze resource behavior. You can also connect monitoring data from other APM and observability providers.

Once you save the integration, Sedai starts discovering your resources and prioritizes relevant CloudWatch metrics to initiate its analysis.

The following video will walk you through how to integrate your AWS cloud resources and CloudWatch monitoring data:
