AWS Automation

Connecting Hawkeye to your AWS environment allows us to collect key telemetry data from various services in your AWS account. This data includes resource configurations, CloudTrail change events, and CloudWatch metrics, logs, and alarms.

The scope of data that we can access depends on the permissions assigned to the AWS role and the configuration of your AWS services.

To ensure a smooth integration, we follow AWS’s best practices by utilizing an assumed role and external ID for secure access.

Step 1: Create an IAM Role

Sign in to the AWS management console with the appropriate permissions to create an IAM role. After that, follow the instructions below:

  1. Access IAM: Navigate to the IAM service in the AWS console.

  2. Create a new role: In the navigation pane on the left, choose Roles > Create role.

  3. Choose a trusted entity: Select Another AWS account as the type of trusted entity.

  4. Enter credentials:

    • Add Neubird’s Account ID: In the Account ID input box, paste the Neubird AWS Account ID: 810918113647. This allows Neubird’s account to assume the IAM role.

    • Add an External ID: Under Options, enter an external ID. For this, you’ll need to navigate to your AWS connection on the Hawkeye dashboard, and copy the External ID.

      Once you have the External ID, paste it in the External ID input box.

    After this, click on the Next button at the bottom right corner.

  5. Assign permissions: On the permissions console, use the Filter and select AWS managed - job function > ReadOnlyAccess.

    This grants Hawkeye the necessary permissions to view logs, metrics, and events from your AWS account without making changes to your resources.

    After this, click on the Next button at the bottom right corner.

  6. Finalize and review: Create a name and description for the IAM role, and then review the configurations.

    If you’re satisfied with all these configurations, click the Create role button at the bottom right corner.

  7. Copy the Role ARN: Once the role is created, navigate to it and copy the role ARN. You’ll need this to complete the connection setup on the Hawkeye dashboard.
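
The role created in Step 1 can be checked from its trust policy. The following is an added example (not Neubird's or AWS's code) that builds the trust policy matching the console choices above and audits a policy for the two controls that guard against a confused deputy: the principal is limited to the Neubird account, and `sts:ExternalId` must match. The external ID used here is a constructed placeholder.

```python
import json

NEUBIRD_ACCOUNT_ID = "810918113647"  # Account ID given in Step 1 of this page
ALLOWED_PRINCIPALS = {NEUBIRD_ACCOUNT_ID, f"arn:aws:iam::{NEUBIRD_ACCOUNT_ID}:root"}


def as_list(value):
    """IAM accepts a single value or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def build_trust_policy(external_id):
    """Trust policy equivalent to the console selections made in Step 1."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{NEUBIRD_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def audit_trust_policy(policy, external_id):
    """Return findings; an empty list means every Allow statement matches Step 1."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append(f"statement {i}: principal is not restricted to an AWS account")
        else:
            for arn in as_list(principal["AWS"]):
                if arn not in ALLOWED_PRINCIPALS:
                    findings.append(f"statement {i}: unexpected principal {arn}")
        # Condition keys are case-insensitive, so compare them lowercased.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = {k.lower(): v for k, v in equals.items()}.get("sts:externalid")
        if ids is None or as_list(ids) != [external_id]:
            findings.append(f"statement {i}: sts:ExternalId is missing or does not match")
    return findings


if __name__ == "__main__":
    # Constructed external ID; the real value comes from the Hawkeye dashboard.
    print(json.dumps(build_trust_policy("EXAMPLE-EXTERNAL-ID"), indent=2))
```

To audit a live role, pass the trust policy shown on the role's Trust relationships tab as the `policy` dictionary.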

Step 2: Add AWS connection to Hawkeye

There are 3 ways to add AWS to Hawkeye, each with its own requirements:

1. Role ARN: Here, the required credentials include:

  • Name: This is the name of the connection you’re about to create.
  • Description (Optional): This gives an overview of the connection.
  • Role ARN: The ARN of the role you created in Step 1.
  • Regions: The region where you want Hawkeye to collect telemetry data.

With your IAM role ready, navigate to the Hawkeye dashboard and follow these next steps:

  1. Navigate to the connections tab: On the dashboard, navigate to the Connections section and select the New Connection card.

  2. Select AWS connection: Select Amazon Web Services from the list of available connections.

    After this, click on the Next button in the top right corner.

  3. Enter credentials: Provide the following credentials:

    • Name: This is the name of the connection you’re about to create.

    • Description (Optional): This gives an overview of the connection.

    • Role ARN: The ARN of the role you created in Step 1.

    • Regions: The region where you want Hawkeye to collect telemetry data.

    Verify all the credentials are correct and click the Save button at the top right corner.

  4. Confirm that the AWS connection was successfully created.

  5. On the list of connections, you should see the new connection card displayed.

2. Access key: This option requires:

  • Name: This is the name of the connection you’re about to create.
  • Description (Optional): This gives an overview of the connection.
  • Access Key ID: Access key ID from your AWS account.
  • Access Key Secret: Access key secret from your AWS account.
  • Regions: The region where you want Hawkeye to collect telemetry data.

3. AWS OIDC: The AWS OIDC option requires:

  • Name: This is the name of the connection you’re about to create.
  • Description (Optional): This gives an overview of the connection.
  • Regions: The region where you want Hawkeye to collect telemetry data.
  • To complete this step, you’ll be required to log in and connect your AWS account.

Step 3: Enable Configuration Change Telemetry

To keep an eye on the changes happening in your AWS environment, Hawkeye collects Configuration Change Telemetry using AWS CloudTrail.

This data helps monitor detailed configuration changes across your resources, clearly showing what’s been modified and when.

If you haven’t set up CloudTrail yet, no worries! Follow these steps to get it configured and ensure that the logs are delivered to a CloudWatch Log Group.

  1. Create a CloudWatch Log Group:

    • Sign in to the AWS Management Console and navigate to the CloudWatch service.

    • In the left navigation pane, choose Logs > Log groups > Create log group.

    • Enter a Log group name and then click Create.

  2. Create a Trail in CloudTrail:

    • Navigate to the CloudTrail service and click on Create a trail.

    • In the left navigation pane, choose Trails > Create trail.

    • Enter a trail name, and for storage location, choose Create new S3 bucket.

    • Enable CloudWatch Logs, then enter the log group you just created.

    • For IAM Role, choose New to create a new role, or select Existing to use an existing role.

      After this, click on the Next button at the bottom right corner.

    • For the event types, select all the options available and follow through with the rest of the configuration.

      After this, click on the Next button at the bottom right corner.

    • Review your configurations and click on the Create trail button.

  3. Configure Permissions for CloudTrail:

    • On the IAM console, navigate to Roles, and find the role attached to the CloudTrail service created above.

    • Attach the following policies:

      • AWSCloudTrail_FullAccess
      • CloudWatchLogsFullAccess

  4. Verify Log Delivery:

    • Go back to CloudWatch and check your created log group.

    • Ensure logs from CloudTrail are being delivered and new log streams are visible.

  5. Create CloudWatch Alarms (Optional but recommended):

    • In CloudWatch, navigate to Alarms > In alarm > Create alarm.

    • Choose metrics related to CloudTrail logs, and click on Select metrics to follow through with the rest of the configuration process.
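
The Configure Permissions step attaches two full-access managed policies to the CloudTrail role, while delivering events into the log group only requires `logs:CreateLogStream` and `logs:PutLogEvents` on that group's CloudTrail log streams. The following added example (not Hawkeye's or AWS's code) builds a policy scoped to that and flags grants in a policy document that go beyond it; the region, account ID and log group name in the usage lines are constructed values.

```python
REQUIRED = {"logs:createlogstream", "logs:putlogevents"}  # compared lowercased


def as_list(value):
    """IAM accepts a single value or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def scoped_delivery_policy(region, account_id, log_group):
    """Permissions policy limited to the streams CloudTrail writes in one log group."""
    streams = (f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
               f":log-stream:{account_id}_CloudTrail_{region}*")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": [streams],
        }],
    }


def excess_grants(policy):
    """Return findings for Allow grants broader than CloudTrail log delivery needs."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("NotAction/NotResource grants everything not listed")
        for action in as_list(stmt.get("Action", [])):
            # Any wildcard, or any action other than the two above, is more than needed.
            if action.lower() not in REQUIRED:
                findings.append(f"action {action} is not needed for delivery")
        for resource in as_list(stmt.get("Resource", [])):
            group_part = resource.split(":log-stream:")[0]
            if ":log-group:" not in group_part or "*" in group_part:
                findings.append(f"resource {resource} is not limited to one log group")
    return findings


# Constructed stand-in for a broad grant; not a copy of any AWS managed policy.
BROAD_EXAMPLE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["logs:*", "cloudtrail:*"], "Resource": "*"}],
}

if __name__ == "__main__":
    # Constructed region, account ID and log group name.
    print(excess_grants(scoped_delivery_policy("us-east-1", "111122223333", "cloudtrail-logs")))
    print(excess_grants(BROAD_EXAMPLE))
```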

Step 4: Add AWS connection to Project

The following steps will guide you on how to add your AWS connection to projects.

  1. Navigate to the Projects Tab: In the Hawkeye dashboard, go to the Projects section and click on New project.

  2. Enter project details: In the new project page, enter the following details:

    • Project name: Give your project a descriptive name.
    • Project description: Enter a detailed description for your project.
    • Color: Select a color you want to identify your project with.

  3. Select connection: From the list of connections that appear, select AWS. In the AWS accordion:

    • Check the Create automated session box to enable automated sessions.
    • Select An Alert from the Alerts options.

    Click Next when done.

  4. Enter project instructions: State precisely the details of your project and what resources you expect to monitor or ignore. This helps Hawkeye understand the context of your project and deliver better and more relevant analysis.

  5. Navigate back to Projects: After your project has been created successfully, navigate back to the Projects page.

  6. View new project: In the list of projects on the Projects page, you’ll find your newly created project with the AWS connection.

  7. Start Session: If project status is Ready, click to start a new session.

  8. Enter a prompt: Select from the list of prompts on the session page or enter a prompt manually to start a session.

  9. Your automated session begins: This page displays your session analytics. You can click the input box below to ask further questions.
