R12.3-2026Apr21

Create AWS Access Policy and Role for Monitored Accounts

Follow the steps below to create a new resource access policy:
  1. Go to Policies in Identity and Access Management (IAM).
  2. Create a new resource access policy that grants read access to the services listed below for monitoring purposes. The policy applies these actions to all resources (`"Resource": "*"`); review the wildcard actions against your organization's requirements, and note that `athena:StartQueryExecution` and `neptune-db:connect` go beyond pure describe/list access.

    Code
    {
      "Version": "2012-10-17",
      "Statement": [
            {
                "Action": [
                    "autoscaling:Describe*",
                    "autoscaling:Get*",
                    "autoscaling-plans:Describe*",
                    "autoscaling-plans:GetScalingPlanResourceForecastData",
                    "cloudwatch:Describe*",
                    "cloudwatch:Get*",
                    "cloudwatch:List*",
                    "directconnect:Describe*",
                    "ec2:Describe*",
                    "ec2:Get*",
                    "ec2:SearchTransitGatewayRoutes",
                    "network-firewall:DescribeFirewall",
                    "network-firewall:DescribeFirewallPolicy",
                    "network-firewall:DescribeRuleGroup",
                    "network-firewall:ListFirewallPolicies",
                    "network-firewall:ListFirewalls",
                    "network-firewall:ListRuleGroups",
                    "network-firewall:ListTagsForResource",
                    "elasticloadbalancing:Describe*",
                    "batch:Describe*",
                    "batch:List*",
                    "batch:Get*",
                    "ecs:Describe*",
                    "ecs:List*",
                    "ecs:Get*",
                    "apigateway:GET",
                    "globalaccelerator:Describe*",
                    "globalaccelerator:List*",
                    "route53:List*",
                    "route53:Get*",
                    "route53:TestDNSAnswer",
                    "vpc-lattice:Get*",
                    "vpc-lattice:List*",
                    "dynamodb:Describe*",
                    "dynamodb:List*",
                    "dynamodb:Get*",
                    "memorydb:Describe*",
                    "memorydb:List*",
                    "cassandra:Get*",
                    "cassandra:List*",
                    "neptune-db:connect",
                    "fsx:Describe*",
                    "fsx:List*",
                    "backup:List*",
                    "backup:Get*",
                    "backup:Describe*",
                    "storagegateway:List*",
                    "storagegateway:Describe*",
                    "connect:Describe*",
                    "connect:List*",
                    "connect:Get*",
                    "sns:Get*",
                    "sns:List*",
                    "events:Describe*",
                    "events:List*",
                    "sqs:Get*",
                    "sqs:List*",
                    "swf:List*",
                    "swf:Describe*",
                    "swf:Get*",
                    "mq:Describe*",
                    "mq:List*",
                    "lightsail:Get*",
                    "elasticbeanstalk:Describe*",
                    "elasticbeanstalk:List*",
                    "lambda:Get*",
                    "lambda:List*",
                    "cloudfront:Get*",
                    "cloudfront:List*",
                    "cloudfront:Describe*",
                    "rds:Describe*",
                    "rds:List*",
                    "elasticache:Describe*",
                    "elasticache:List*",
                    "s3:Get*",
                    "s3:List*",
                    "elasticfilesystem:Describe*",
                    "elasticfilesystem:List*",
                    "athena:StartQueryExecution",
                    "athena:Get*"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }    
        ] 
    }
    


Once the policy has been created, it must be attached to the role.

Follow the steps below to configure the role:

  1. Go to Roles in Identity and Access Management (IAM).
  2. Create a new role, selecting Custom trust policy as the trusted entity type. Add a trust policy that allows the EC2 instance role from the gateway account to assume this role.
    A sample trust relationship JSON is shown below. In the policy JSON, replace the placeholder value with the full ARN of the IAM role attached to your EC2 instance in the gateway account. This is the role that the EC2 instance running NetBrain FrontServer uses to access resources.
    The ExternalId value in the policy JSON can be any user-defined string, and the same value must be entered in the NetBrain API Server configuration for role assumption to succeed. Use a unique, hard-to-guess value per monitored account: the `sts:ExternalId` condition is what prevents a third party that knows only the role ARN from assuming the role.

    Note: The role name of the EC2 instance (for example, NetbrainAccessRoleForEC2) must match the EC2 instance role name configured in the gateway account.

    Code
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Principal": {
            "AWS": [
              "<ARN of the IAM role attached to your EC2 instance in the gateway account (e.g. NetbrainAccessRoleForEC2)>"
            ]
          },
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<External ID generated from tenant>"
            }
          }
        }
      ]
    }
    

  3. Attach the resource access policy created previously to the role.