
AWS

Connecting Hawkeye to your AWS environment lets us collect key telemetry from your AWS account: resource configurations, CloudTrail change events, and CloudWatch metrics, logs, and alarms.

The scope of data we can access is bounded by the permissions attached to the IAM role you create below and by how your AWS services are configured (for example, whether a trail is delivering to CloudWatch Logs).

To keep the integration secure, we follow AWS’s best practice for third-party access: Hawkeye assumes an IAM role in your account (no long-lived keys are created for us), and the role’s trust policy requires an external ID, which prevents another party from tricking Hawkeye into assuming your role on their behalf (the confused deputy problem).

Step 1: Create an IAM Role

Fig.1 - A walkthrough of how to create an IAM Role

Sign in to the AWS management console with the appropriate permissions to create an IAM role. After that, follow the instructions below:

  1. Access IAM: Navigate to the IAM service in the AWS console.

    Fig.2 - Access IAM

  2. Create a new role: In the navigation pane on the left, choose Roles > Create role.

    Fig.3 - Create a new role

  3. Choose a trusted entity: Select Another AWS account as the type of trusted entity.

    Fig.4 - Choose a trusted entity

  4. Enter the trust details:

    • Add Neubird’s Account ID: In the Account ID input box, paste the Neubird AWS Account ID: 905418326654. This lets principals in Neubird’s account assume the role; the permissions you attach in the next step decide what they can do with it.

    • Add an External ID: Under Options, tick Require external ID and enter the external ID for this connection. To get it, navigate to your AWS connection on the Hawkeye dashboard and copy the External ID.

      Fig.5 - Enter external ID

      Once you have the External ID, paste it in the External ID input box. Each Hawkeye connection has its own External ID. The value is not a secret, but do not reuse it for any other third party: it is what ties this role to this particular connection.

      Fig.6 - Paste external ID

    After this, click on the Next button at the bottom right corner.

  5. Assign permissions: On the permissions page, use the Filter and select AWS managed - job function > ReadOnlyAccess.

    Fig.7 - Assign permissions

    This grants Hawkeye the permissions it needs to view configurations, logs, metrics, and events from your AWS account without making changes to your resources. Note that ReadOnlyAccess is broad: it grants read access to data as well as to configuration (for example s3:Get* on object contents) across all services. If that is more than you want to share, attach a custom policy scoped to the read actions of the services listed at the top of this page instead.

    After this, click on the Next button at the bottom right corner.

  6. Finalize and review: Create a name and description for the IAM role, and then review the configurations.

    Fig.8 - Create a name and description

    Fig.9 - Create role

    If you’re satisfied with all these configurations, click the Create role button at the bottom right corner.

  7. Copy the Role ARN: Once the role is created, navigate to it and copy the role ARN. You’ll need this to complete the connection setup on the Hawkeye dashboard.

    Fig.10 - Copy the role ARN
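The console wizard writes a trust policy on the role. Before handing the ARN over, it is worth confirming that the policy actually enforces the two controls Step 1 relies on: only Neubird’s account may assume the role, and only with the External ID. The checker below is an added example, not Hawkeye’s or Neubird’s code; it runs against the AssumeRolePolicyDocument that `aws iam get-role --role-name <name>` returns. The two embedded trust policies are constructed samples, and the External ID value in them is made up.

```python
"""Check a cross-account IAM role trust policy for the Step 1 pattern.

Added example, not code from the page or from Neubird/Hawkeye. The sample
trust policies at the bottom are constructed; the External ID in them is a
made-up value, not a real Hawkeye External ID.
"""
import json

NEUBIRD_ACCOUNT_ID = "905418326654"  # the account ID given in Step 1


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Extract the 12-digit account ID from an AWS principal ('123...' or an ARN)."""
    if principal.startswith("arn:"):
        return principal.split(":")[4]
    return principal


def check_trust_policy(doc, trusted_account, expected_external_id=None):
    """Return a list of findings; an empty list means the policy matches the pattern.

    doc is the parsed AssumeRolePolicyDocument. Every Allow statement must
    permit only sts:AssumeRole, only to principals in trusted_account, and
    only when sts:ExternalId equals the expected value (if one is given).
    """
    findings = []
    allows = [s for s in _as_list(doc.get("Statement")) if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement: nobody can assume the role")
    for i, stmt in enumerate(allows):
        for action in _as_list(stmt.get("Action")):
            if action.lower() != "sts:assumerole":
                findings.append(f"statement {i}: unexpected action {action}")
        principal = stmt.get("Principal")
        aws_principals = []
        if principal == "*":
            findings.append(f"statement {i}: wildcard principal, any AWS account could assume")
        elif isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS"))
            for key in principal:
                if key != "AWS":  # Service/Federated principals do not belong on this role
                    findings.append(f"statement {i}: unexpected principal type {key}")
        else:
            findings.append(f"statement {i}: missing Principal")
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {i}: wildcard AWS principal")
            elif _account_of(p) != trusted_account:
                findings.append(f"statement {i}: principal {p} is not account {trusted_account}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused deputy risk)")
        elif expected_external_id is not None and ext != expected_external_id:
            findings.append(f"statement {i}: External ID does not match this connection")
    return findings


def check_get_role_output(text, trusted_account, expected_external_id=None):
    """Accept the raw JSON printed by `aws iam get-role` and check its trust policy."""
    doc = json.loads(text)["Role"]["AssumeRolePolicyDocument"]
    return check_trust_policy(doc, trusted_account, expected_external_id)


# Constructed sample: what the wizard produces when "Require external ID" is ticked.
GOOD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{NEUBIRD_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-0000"}},
    }],
}

# Constructed sample: same role, but the External ID step was skipped.
BAD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{NEUBIRD_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed stand-in for `aws iam get-role` output (role name is made up).
SAMPLE_GET_ROLE_OUTPUT = json.dumps(
    {"Role": {"RoleName": "hawkeye-readonly", "AssumeRolePolicyDocument": GOOD_TRUST}}
)

if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST), ("bad", BAD_TRUST)):
        findings = check_trust_policy(doc, NEUBIRD_ACCOUNT_ID, "example-external-id-0000")
        print(name, "OK" if not findings else findings)
```

Run it on the real role by piping the output of `aws iam get-role` into `check_get_role_output`. The wizard produces a single statement, but the checker walks every Allow statement, so a later manual edit that adds a second, unconditioned principal is flagged as well.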

Step 2: Add Kubernetes (EKS) Access

ReadOnlyAccess covers the EKS control plane (describing clusters) but not the Kubernetes API inside a cluster. If you want Hawkeye to read the workloads in your EKS clusters, you also need to grant access at the cluster level with an EKS access entry. Repeat the steps below for each cluster. Access entries are only available when the cluster’s authentication mode is EKS API or EKS API and ConfigMap; on a cluster still using ConfigMap only, change the authentication mode on the Access tab first.

  1. Navigate to the EKS Cluster and Access Tab:

    • Go to the Amazon EKS service console.
    • Select the target EKS cluster (e.g., testing_cluster).
    • Click on the Access tab.
    • In the IAM access entries section, click Manage.

  2. Create a new IAM Access Entry:

    • Configure IAM Access Entry:
      • IAM principal ARN: Enter the ARN of the IAM role you created in Step 1 (the role Hawkeye assumes). If you connect with an access key instead (see Step 4), use the ARN of the IAM user that owns the key.
      • Type: Select Standard.
      • Click Next.

  3. Add Access Policies:

    • In the Access policies section, click Add policy.
      • Policy to associate: Select AmazonEKSViewPolicy. It is the minimum required for Hawkeye’s Kubernetes access to work: it is read-only and, like the Kubernetes view ClusterRole it corresponds to, it does not expose Secrets. A custom or broader AWS-managed policy is only needed if you want Hawkeye to see more than that.
      • Access scope: Choose Cluster.

  4. Review and Create:

    • Click Next to proceed to Review and create.
    • Verify the details: The IAM principal ARN and the associated access policy (AmazonEKSViewPolicy) should be listed.
    • Click Create to finalize the EKS Access Entry.

Step 3: Enable Configuration Change Telemetry

Fig.19 - A walkthrough of how to enable configuration change Telemetry

To keep an eye on changes in your AWS environment, Hawkeye collects Configuration Change Telemetry from AWS CloudTrail. Hawkeye reads these events from a CloudWatch log group, so the trail must deliver to one.

This data shows what was modified in your resources, by whom, and when.

If you haven’t set up CloudTrail yet, no worries! Follow these steps to create a trail and make sure its logs are delivered to a CloudWatch log group. If you already have a trail for the account, you can skip trail creation and only enable CloudWatch Logs delivery on it.

  1. Create a CloudWatch Log Group:

    • Sign in to the AWS Management Console and navigate to the CloudWatch service.

      Fig.20 - Create a cloudwatch log group

    • In the left navigation pane, choose Logs > Log groups > Create log group.

      Fig.21 - Create log group

    • Enter a Log group name and then click Create.

      Fig.22 - Enter a log group name

  2. Create a Trail in CloudTrail:

    • Navigate to the CloudTrail service and click on Create a trail.

      Fig.23 - Navigate to CloudTrail and click create trail

    • Alternatively, in the left navigation pane, choose Trails > Create trail.

      Fig.24 - Choose Trails

    • Enter a trail name, and for storage location, choose Create new S3 bucket.

      Fig.25 - Create new S3 bucket

    • Enable CloudWatch Logs, then enter the log group you just created.

      Fig.26 - Enable cloud watch

    • For IAM Role, choose New to let the console create the role CloudTrail uses to write to that log group, or select Existing to reuse a role that already has that permission.

      Fig.27 - Create new or select existing role

      After this, click on the Next button at the bottom right corner.

    • For the event types, select Management events with both Read and Write; that is what configuration change tracking needs. Data events and Insights events are optional and add log volume and cost, so enable them only if you want that extra detail. Then follow through with the configuration as shown in the images below:

      Fig.28 - Select all events type

      Fig.29 - Click next

      After this, click on the Next button at the bottom right corner.

    • Review your configurations and click on the Create trail button.

      Fig.30 - Review configuration

      Fig.31 - Create trail

  3. Configure Permissions for CloudTrail:

    • On the IAM console, navigate to Roles, and find the role that was attached to the trail in the previous step (the one CloudTrail assumes to write to CloudWatch Logs).

      Fig.32 - Navigate to roles

    • Confirm the role can deliver to the log group. All it actually needs is logs:CreateLogStream and logs:PutLogEvents on the log group’s streams, and a role created with New above already has that. If you reused an existing role and delivery fails, attach the following policies. Both are far broader than delivery requires; a policy scoped to those two actions on your log group is the least-privilege alternative.

      • AWSCloudTrail_FullAccess
      • CloudWatchLogsFullAccess

      Fig.33 - Attach policies

  4. Verify Log Delivery:

    • Go back to CloudWatch and check your created log group.

    • Ensure logs from CloudTrail are being delivered and new log streams are visible. CloudTrail names its streams <account-id>_CloudTrail_<region>, one per region, and the first events typically appear within about 15 minutes. Seeing events on CloudTrail’s own Event history page is not enough: Hawkeye reads from the log group.

      Fig.34 - Verify log delivery

  5. Create CloudWatch Alarms (Optional but recommended):

    • In CloudWatch, navigate to Alarms > In alarm > Create alarm.

      Fig.35 - Create CloudWatch alarm

    • Choose the metric to alarm on and click Select metric to follow through with the rest of the configuration process. CloudTrail does not publish a metric for the events in your trail by itself: first create a metric filter on the log group (Log groups > your group > Metric filters) that matches the events you care about, such as IAM policy changes or security group changes, and then pick the custom metric that filter publishes.

      Fig.36 - Select metrics
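The metric filter and alarm above work by counting matching events in the log group. As an added example that is not part of this page or of Hawkeye, the script below does the same classification in Python over CloudTrail records as they arrive in CloudWatch Logs (one record per log event message): it separates the successful write management events that count as configuration changes from reads, data events and calls that failed, and counts matches for three alarm-style rules. The records are constructed; the account ID, ARNs and the rules’ event lists are illustrative assumptions, not Hawkeye’s own rules.

```python
"""Triage CloudTrail records from the CloudWatch log group set up in Step 3.

Added example, not code from the page or from Hawkeye. The records below are
constructed to look like CloudTrail management events; the account ID, ARNs
and request parameters are made up.
"""
import json
from collections import Counter

# Alarm-style rules mirroring common metric filters on a CloudTrail log group.
# The event lists are an assumption for illustration; pick your own.
IAM_POLICY_EVENTS = {"PutRolePolicy", "AttachRolePolicy", "DeleteRolePolicy", "CreatePolicy"}
SECURITY_GROUP_EVENTS = {"AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress"}
DENIED_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}

ALARM_RULES = {
    "iam_policy_change": lambda r: r.get("eventName") in IAM_POLICY_EVENTS and "errorCode" not in r,
    "security_group_change": lambda r: r.get("eventName") in SECURITY_GROUP_EVENTS and "errorCode" not in r,
    "unauthorized_api_call": lambda r: r.get("errorCode") in DENIED_CODES,
}


def actor(record):
    """Best-effort 'who': the ARN of the IAM user or assumed-role session."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def configuration_changes(messages):
    """Return (time, actor, eventName, eventSource) for each successful write management event.

    Reads (readOnly true), data events (managementEvent false) and calls that
    returned an error did not change anything, so they are skipped.
    """
    changes = []
    for message in messages:
        r = json.loads(message)
        if r.get("readOnly", False) or r.get("managementEvent") is False or "errorCode" in r:
            continue
        changes.append((r["eventTime"], actor(r), r["eventName"], r["eventSource"]))
    return changes


def alarm_counts(messages, rules=ALARM_RULES):
    """Count matches per rule, which is what a metric filter feeds into its alarm."""
    counts = Counter()
    for message in messages:
        r = json.loads(message)
        for name, matches in rules.items():
            if matches(r):
                counts[name] += 1
    return dict(counts)


def _record(event_time, name, source, read_only, arn, **extra):
    """Build a constructed CloudTrail record; only the fields this script reads are filled."""
    r = {
        "eventVersion": "1.08", "eventTime": event_time, "eventSource": source,
        "eventName": name, "awsRegion": "us-east-1", "readOnly": read_only,
        "managementEvent": True, "eventType": "AwsApiCall",
        "userIdentity": {"type": "AssumedRole", "arn": arn},
    }
    r.update(extra)
    return r


_ADMIN = "arn:aws:sts::111122223333:assumed-role/Admin/alice"  # constructed
_CI = "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"  # constructed

# Constructed sample batch, one record per CloudWatch Logs message.
SAMPLE_MESSAGES = [json.dumps(r) for r in (
    _record("2024-05-01T10:00:00Z", "DescribeInstances", "ec2.amazonaws.com", True, _ADMIN),
    _record("2024-05-01T10:02:13Z", "AuthorizeSecurityGroupIngress", "ec2.amazonaws.com", False, _ADMIN,
            requestParameters={"groupId": "sg-0123456789abcdef0", "cidrIp": "0.0.0.0/0", "fromPort": 22}),
    _record("2024-05-01T10:05:40Z", "PutRolePolicy", "iam.amazonaws.com", False, _CI,
            requestParameters={"roleName": "ci-deploy", "policyName": "inline-admin"}),
    _record("2024-05-01T10:07:02Z", "StopLogging", "cloudtrail.amazonaws.com", False, _CI,
            errorCode="AccessDenied"),
    _record("2024-05-01T10:08:30Z", "GetObject", "s3.amazonaws.com", True, _CI, managementEvent=False),
)]

if __name__ == "__main__":
    for change in configuration_changes(SAMPLE_MESSAGES):
        print("CHANGE", *change)
    print("alarm counts:", alarm_counts(SAMPLE_MESSAGES))
```

On the sample batch, two records count as configuration changes (the security group opening and the inline policy write), while the denied StopLogging call is not a change but does trip the unauthorized-call rule, which is exactly the split a practitioner wants an alarm to make: failed attempts to tamper with the trail are worth alerting on even though nothing changed.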

Step 4: Add AWS connection to Hawkeye

There are 3 ways to add AWS to Hawkeye, and each has its own requirements. The 3 ways are:

1. Role ARN: This is the recommended option, since it uses the role and External ID from Step 1 and leaves no long-lived keys with Neubird. It requires:

  • Name: This is the name of the connection you’re about to create.
  • Description (Optional): This gives an overview of the connection.
  • Role ARN: The ARN of the role you created in Step 1.
  • Regions: The region where you want Hawkeye to collect telemetry data.

See the demo below:

Fig.11 - A walkthrough of how to add AWS connection to Hawkeye

With your IAM role ready, navigate to the Hawkeye dashboard and follow these next steps:

  1. Navigate to the connections tab: On the dashboard, navigate to the Connections section and select the New Connection card.

    Fig.12 - New connection

  2. Select AWS connection: Select Amazon Web Services from the list of available connections.

    Fig.13 - Select AWS connection

    After this, click on the Next button in the top right corner.

  3. Enter credentials: Provide the following credentials:

    • Name: This is the name of the connection you’re about to create.

    • Description (Optional): This gives an overview of the connection.

    • Role ARN: The ARN of the role you created in Step 1.

    • Regions: The region where you want Hawkeye to collect telemetry data.

      Fig.14 - Enter credentials

    Verify all the credentials are correct and click the Save button at the top right corner.

  4. Confirm that the AWS connection was successfully created.

    Fig.15 - Confirm AWS connection was successfully created

  5. On the list of connections, you should see the new connection card displayed like this:

    Fig.16 - New connection created

2. Access key: This option uses a long-lived IAM user access key instead of an assumed role, so prefer the Role ARN option where you can. If you do use it, create a dedicated IAM user with only ReadOnlyAccess and rotate its key on a schedule. This option requires:

  • Name: This is the name of the connection you’re about to create.
  • Description (Optional): This gives an overview of the connection.
  • Access Key ID: Access key ID from your AWS account
  • Access Key Secret: Access key secret from your AWS account
  • Regions: The region where you want Hawkeye to collect telemetry data.

See the demo below:

Fig.17 - A walkthrough of how to add connection with access key

3. AWS OIDC: The AWS OIDC option requires:

  • Name: This is the name of the connection you’re about to create.
  • Description (Optional): This gives an overview of the connection.
  • Regions: The region where you want Hawkeye to collect telemetry data.
  • To complete this step, you’ll be asked to log in to your AWS account and connect it. See the demo below:

Fig.18 - A walkthrough of how to add connection with AWS OIDC