AWS
Connecting Hawkeye to your AWS environment allows us to collect key telemetry data from various services on your AWS console. This data includes resource configurations, CloudTrail change events, CloudWatch metrics, logs, and alarms.
The scope of data that we can access depends on the permissions assigned to the AWS role and the configuration of your AWS services.
To ensure a smooth integration, we follow AWS’s best practices by utilizing an assumed role and external ID for secure access.
Step 1: Create an IAM Role
Sign in to the AWS management console with the appropriate permissions to create an IAM role. After that, follow the instructions below:
- Access IAM: Navigate to the IAM service in the AWS console.
- Create a new role: In the navigation pane on the left, choose Roles > Create role.
- Choose a trusted entity: Select Another AWS account as the type of trusted entity.
- Enter credentials:
  - Add Neubird’s Account ID: In the Account ID input box, paste the Neubird AWS Account ID: 905418326654. This will give us access to the IAM role.
  - Add an External ID: Under Options, enter an external ID. Use something that is particular to this connection, as it’ll be used in the next step.
  After this, click on the Next button at the bottom right corner.
- Assign permissions: On the permissions console, use the Filter and select AWS managed - job function > ReadOnlyAccess.
  This grants Hawkeye the necessary permissions to view logs, metrics, and events from your AWS account without making changes to your resources.
  After this, click on the Next button at the bottom right corner.
- Finalize and review: Create a name and description for the IAM role, and then review the configurations.
  If you’re satisfied with all these configurations, click the Create role button at the bottom right corner.
- Copy the Role ARN: Once the role is created, navigate to it and copy the role ARN. You’ll need this to complete the connection setup on the Hawkeye dashboard.
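An added example, not part of the Hawkeye documentation or Neubird's code: a Python check that a role's trust policy matches what Step 1 sets up, meaning it trusts only account 905418326654 and requires your external ID. The external ID value and the sample policy documents are constructed, and the function names are hypothetical.

```python
import json

NEUBIRD_ACCOUNT_ID = "905418326654"       # account ID given in Step 1
EXTERNAL_ID = "example-external-id-1234"  # constructed placeholder value
ROOT = f"arn:aws:iam::{NEUBIRD_ACCOUNT_ID}:root"


def as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_json, external_id):
    """Return findings for a role trust policy; an empty list matches Step 1."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_json)["Statement"])):
        actions = as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        # Every principal of every type must be the Neubird account; "*" is not.
        principal = stmt.get("Principal", {})
        groups = principal.values() if isinstance(principal, dict) else [principal]
        for p in (p for g in groups for p in as_list(g)):
            if p not in (NEUBIRD_ACCOUNT_ID, ROOT):
                findings.append(f"statement {i}: unexpected principal {p}")
        # The external ID is expected as a StringEquals condition on sts:ExternalId.
        got = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if got is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif got != external_id:
            findings.append(f"statement {i}: external ID does not match")
    return findings


def trust_policy(principal, external_id=None):
    """Build a constructed sample trust policy document."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})


GOOD = trust_policy(ROOT, EXTERNAL_ID)     # what Step 1 should produce
NO_EXT_ID = trust_policy(ROOT)             # external ID left out
WILDCARD = trust_policy("*", EXTERNAL_ID)  # trusts any AWS principal

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("no external ID", NO_EXT_ID), ("wildcard", WILDCARD)):
        print(name, audit_trust_policy(doc, EXTERNAL_ID))
```

Run it against the JSON shown on the role's Trust relationships tab; a trust policy without the external ID condition lets the trusted account assume the role on behalf of any of its customers, which is the confused-deputy case the external ID exists to prevent.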
Step 2: Add AWS connection to Hawkeye
With your IAM role ready, navigate to the Hawkeye dashboard and follow these next steps:
- Navigate to the connections tab: On the dashboard, navigate to the Connections section and select the New Connection card.
- Select AWS connection: Select Amazon Web Services from the list of available connections.
  After this, click on the Next button in the top right corner.
- Enter credentials: Provide the following credentials:
  - Name: This is the name of the connection you’re about to create.
  - Description: This gives an overview of the connection.
  - Role ARN: The ARN of the role you created in Step 1.
  - External ID: The external ID used in creating the IAM role in Step 1.
  - Regions: The region where you want Hawkeye to collect telemetry data.
  Verify all the credentials are correct and click the Save button at the top right corner.
- Confirm that the AWS connection was successfully created. If so, you should see the connection card displayed.
Step 3: Enable Configuration Change Telemetry
To keep an eye on the changes happening in your AWS environment, Hawkeye collects Configuration Change Telemetry using AWS CloudTrail.
This data helps monitor detailed configuration changes across your resources, clearly showing what’s been modified and when.
If you haven’t set up CloudTrail yet, no worries! Follow these steps to get it configured and ensure that the logs are delivered to a CloudWatch Log Group.
- Create a CloudWatch Log Group:
  - Sign in to the AWS Management Console and navigate to the CloudWatch service.
  - In the left navigation pane, choose Logs > Log groups > Create log group.
  - Enter a Log group name and then click Create.
- Create a Trail in CloudTrail:
  - Navigate to the CloudTrail service and click on Create a trail.
  - In the left navigation pane, choose Trails > Create trail.
  - Enter a trail name, and for storage location, choose Create new S3 bucket.
  - Enable CloudWatch Logs, then enter the log group you just created.
  - For IAM Role, choose New to create a new role, or select Existing to use an existing role.
    After this, click on the Next button at the bottom right corner.
  - For the event types, select all the available options and follow through with the rest of the configuration.
    After this, click on the Next button at the bottom right corner.
  - Review your configurations and click on the Create trail button.
- Configure Permissions for CloudTrail:
  - On the IAM console, navigate to Roles, and find the role attached to the CloudTrail service created above.
  - Attach the following policies:
    - AWSCloudTrail_FullAccess
    - CloudWatchLogsFullAccess
- Verify Log Delivery:
  - Go back to CloudWatch and check your created log group.
  - Ensure logs from CloudTrail are being delivered and new log streams are visible.
- Create CloudWatch Alarms (Optional but recommended):
  - In CloudWatch, navigate to Alarms > In alarm > Create alarm.
  - Choose metrics related to CloudTrail logs, and click on Select metrics to follow through with the rest of the configuration process.
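An added example, not from the Hawkeye documentation: once Step 3 delivers CloudTrail records to the log group, this Python sketch pulls out who changed what and when, which is the configuration change telemetry described above. It assumes each CloudWatch log event's message is one CloudTrail record as JSON; the sample events, the identity and the function names are constructed.

```python
import json


def record(time, source, name, arn, read_only, error=None):
    """Build one constructed CloudWatch log event wrapping a CloudTrail record."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "awsRegion": "us-east-1", "readOnly": read_only,
           "userIdentity": {"arn": arn}}
    if error:
        rec["errorCode"] = error
    return {"message": json.dumps(rec)}


ALICE = "arn:aws:iam::111122223333:user/alice"  # constructed identity
SAMPLE_LOG_EVENTS = [
    record("2024-05-01T10:00:00Z", "ec2.amazonaws.com", "DescribeInstances", ALICE, True),
    record("2024-05-01T10:02:11Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", ALICE, False),
    record("2024-05-01T10:03:40Z", "s3.amazonaws.com", "PutBucketPolicy", ALICE, False, "AccessDenied"),
    {"message": "truncated, not JSON"},
]


def configuration_changes(log_events):
    """Return (when, who, service, action, outcome) for every non-read-only record."""
    changes = []
    for event in log_events:
        try:
            rec = json.loads(event.get("message", ""))
        except ValueError:
            continue  # skip anything that is not a complete JSON record
        if not isinstance(rec, dict) or rec.get("readOnly") is True:
            continue  # read-only calls do not modify resources
        outcome = "failed:" + rec["errorCode"] if "errorCode" in rec else "succeeded"
        changes.append((rec.get("eventTime"),
                        rec.get("userIdentity", {}).get("arn"),
                        rec.get("eventSource"), rec.get("eventName"), outcome))
    return changes


if __name__ == "__main__":
    for change in configuration_changes(SAMPLE_LOG_EVENTS):
        print(*change)
```

Failed write attempts are kept with their error code rather than dropped, since a denied change to a bucket policy or security group is often as worth reviewing as a successful one.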