🔒 Configure IAM

Sedai uses an agentless approach in order to securely access AWS resources.

Sedai programmatically connects to your cloud resources via Identity and Access Management (IAM) authentication. IAM provides granular control of your cloud environments so that you can specify user permissions to access certain resources.

IAM authentication requires the following:

Sedai's IAM policies provide visibility to your infrastructure and the option to autonomously modify resource configurations. They do not impact your privacy policies or include access to logs.

Once you configure IAM from your AWS Console, you will be able to connect the account/cluster to Sedai using either the Role ARN or User Secret/Access Keys.

The following steps are required in order to add an AWS environment and connect your AWS resources to Sedai:

  1. From your AWS Console, grant Sedai access via IAM authentication. You can configure this automatically using CloudFormation, or set it up manually.

  2. Integrate the account directly within Sedai via initial onboarding from sedai.io, or go to Settings > Integrations > Connect Cloud.

  3. Give your account a Nickname (since you can add multiple AWS accounts to the platform, this helps you easily identify different resources from a unique AWS environment within Sedai).

  4. If you connected via IAM role (recommended), enter the Role ARN (required) and the External ID (optional). Alternatively, if you connected via IAM User, enter the Access and Secret Key.

| Item | Where to find it |
| --- | --- |
| Role ARN (required for connecting via IAM Role) | This can be found in the Outputs section of the CloudFormation template after creating the IAM Role. |
| External ID (optional for connecting via IAM Role) | This can be found in the AWS Console by navigating to the IAM service, selecting the relevant IAM role, and inspecting the role's trust policy to locate the external ID. If you leave this field blank (recommended), Sedai will generate an External ID for you. |
| Access and Secret Key (required for connecting via IAM User) | From the AWS Console, navigate to the IAM service and click Users. Select the IAM user and go to the Security credentials tab, where you can view the Access and Secret Key. |

  5. By default, Sedai will automatically connect to CloudWatch and use its monitoring data to analyze resource behavior. You can additionally connect monitoring data from other APM and observability providers.
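The External ID that the table above refers to lives in the role's trust policy as an `sts:ExternalId` condition. As an added example (not part of the Sedai documentation or its CloudFormation templates), the following Python builds such a cross-account trust policy and audits an existing one for a missing External ID or an unexpected principal; the third-party account ID and External ID are placeholders, since the page does not state them.

```python
"""Build and audit the trust policy of a cross-account IAM role handed to a third party."""
import json
from typing import List, Optional

# Placeholders: the page does not state the third party's AWS account ID or an External ID.
# In practice the account ID comes from the CloudFormation template and the External ID is
# either chosen by you or generated by the platform.
THIRD_PARTY_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "example-external-id"


def build_trust_policy(third_party_account: str, external_id: Optional[str]) -> dict:
    """Trust policy letting one external account assume the role, pinned to an External ID."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{third_party_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        # The External ID condition addresses the confused-deputy problem: another customer
        # of the same third party cannot point it at your role without knowing this value.
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def audit_trust_policy(policy: dict, expected_account: str) -> List[str]:
    """Return findings for AssumeRole statements trusting the wrong principal or lacking an External ID."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else [principal]
        aws = [aws] if isinstance(aws, str) else aws
        for p in aws:
            if p == "*":
                findings.append(f"statement {i}: wildcard principal")
            elif expected_account not in p:
                findings.append(f"statement {i}: unexpected principal {p}")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(THIRD_PARTY_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2), "findings:", audit_trust_policy(policy, THIRD_PARTY_ACCOUNT_ID))
```

Feed `audit_trust_policy` the trust policy you retrieve from the IAM console for the Sedai role to confirm that the External ID shown in the Sedai integration is actually enforced.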

If you plan on adding multiple AWS environments to Sedai, you will need to generate either a unique IAM User or Role per environment.

In addition to IAM authentication, for EKS resources you must also set up Kubernetes Role-Based Access Control (RBAC) for authorization and add the IAM Role or User to the aws-auth ConfigMap.

Configure IAM with CloudFormation

You can automatically set up IAM authentication using one of the following CloudFormation Stacks.

AWS CloudFormation simplifies provisioning and management on AWS. You can create templates for the service or application architectures you want and have AWS CloudFormation use those templates for quick and reliable provisioning of the services or applications (called “stacks”). You can also easily update or replicate the stacks as needed.

This collection of sample templates will help you get started with AWS CloudFormation and quickly build your own templates.

Select your preferred configuration below to launch the CloudFormation Stack from your AWS Console. This will automatically create your selected Sedai IAM policy as well as create your preferred IAM authentication method (Role or User) and attach the new policy to it.

Once the CloudFormation Stack executes, you will be able to copy either the Role ARN from the new IAM Sedai Role or Access and Secret Key from the new IAM Sedai User. This information is required in order to connect your AWS account within Sedai from the Integrations page.

You can alternatively manually create the IAM policy and IAM Role or IAM User from within your AWS Console.
