Amazon EC2
Amazon EC2 (Elastic Compute Cloud) is the Amazon Web Services (AWS) service that provides resizable virtual machine instances in the cloud. You can bring instance data from Amazon EC2 into Brinqa to gain a comprehensive view of your cloud security landscape and strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Amazon EC2 and how to obtain that information from Amazon. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Amazon EC2 from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Amazon EC2 with Brinqa:
-
Access key ID and Secret access key: The access keys of the IAM user the connector authenticates as. With a role configured under Assume role, this user only has to be allowed to assume that role; the role carries the EC2 permissions.
-
Default region: The AWS region the connector calls when no region is otherwise specified. If left empty, the connector uses the AWS default region provider chain (environment variables, the shared AWS configuration file, and so on) to determine the region. For details on the chain, refer to the AWS documentation.
-
Assume role: The Amazon Resource Name (ARN) of the IAM role the connector assumes (via STS AssumeRole) after authenticating with the access keys. This role, rather than the user, must have the permissions to call the EC2 API and return data.
Obtain Amazon EC2 access keys
For the Amazon EC2 connector to access the Amazon EC2 API, you must provide access keys. To do so, follow these steps:
-
Sign in to your organization's AWS Management Console as an administrator.
-
Navigate to the Identity and Access Management (IAM) page and click Users in the navigation pane.
-
Select the user for whom you wish to create access keys and click the Security credentials tab.
- Before you proceed, check the user's permissions. This procedure assigns the AdministratorAccess managed policy, which grants every action in the account and is far more than an inventory connector needs. Because the connector makes its EC2 calls through the role created in the next section, the user itself only needs permission to call sts:AssumeRole on that role's ARN; prefer a policy scoped to that.
-
Click Create access key.
-
Select the appropriate use case for the keys or select Other if you aren't sure, then click Next.
-
Provide a description and click Create access key.
The access key ID and secret access key display. The secret access key is shown only once and cannot be retrieved again, so copy the key and save it to a secure location.
If you do not have the permissions to create access keys, contact your AWS administrator. For additional information, see the AWS documentation.
Create a role and assign permissions
After you have obtained your Amazon EC2 authentication credentials, you must create a new role and assign the required permissions for the connector to access your data. To do so, follow these steps:
-
Navigate to the IAM page and in the navigation pane, click Roles, and then click Create role.
-
For the Trusted entity type, select AWS account, enter the ID of the account that owns the connector's IAM user, and then click Next. After the role is created, tighten its trust policy so that the Principal is the connector user's ARN rather than the whole account, and consider requiring an external ID.
-
On the Add permissions page, select a permissions policy and then click Next. This procedure uses the PowerUserAccess managed policy, which allows almost every action in the account except IAM and Organizations management. The connector's documented calls are DescribeInstances and DescribeTags (see the AWS SDK section below), so a least-privilege alternative is the AmazonEC2ReadOnlyAccess managed policy, or an inline policy that allows only ec2:DescribeInstances and ec2:DescribeTags.
-
Provide a name and description for the role and click Create role.
On the Roles page, click the new role and copy the value in the ARN field. The ARN, together with the access key ID and secret access key, is required for authentication in the integration configuration.
If you do not have the permissions to create roles, contact your AWS administrator. For additional information, see the AWS documentation.
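The two procedures above (access keys for the IAM user, then a role for the connector to assume) can be expressed as IAM policy documents, which makes the least-privilege alternative to AdministratorAccess and PowerUserAccess concrete. The following is an added example written for this page; it is not Brinqa's code. It builds the role's read-only permissions policy from the EC2 calls the page documents (DescribeInstances and DescribeTags), a trust policy that names the connector user and requires an external ID, and the one-statement policy the user needs, then creates the role through any boto3-shaped IAM client. The role name, policy name, account ID, user ARN and external ID are placeholders (assumptions), and `FakeIam` is a constructed stand-in so the example runs offline.

```python
"""Least-privilege IAM setup for the connector's IAM user and assumed role.

Added example, not Brinqa's code. Role name, policy name, account ID, user
ARN and external ID are placeholders (assumptions), not values from the page.
"""
import json

# The page's AWS SDK table lists only DescribeInstances and DescribeTags,
# so these are the EC2 actions the connector is documented to call.
EC2_READ_ACTIONS = ["ec2:DescribeInstances", "ec2:DescribeTags"]


def connector_role_policy(actions=EC2_READ_ACTIONS):
    """Inline permissions policy for the role (instead of PowerUserAccess).
    EC2 Describe* calls have no resource-level permissions, so Resource is
    "*"; the Action list is what bounds the blast radius."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "Ec2InventoryRead", "Effect": "Allow",
                       "Action": sorted(actions), "Resource": "*"}],
    }


def connector_trust_policy(principal_arn, external_id):
    """Trust policy: only the connector's IAM user may assume the role, and
    only with the agreed ExternalId (confused-deputy guard). The console's
    "AWS account" trusted entity would otherwise trust the whole account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def connector_user_policy(role_arn):
    """Policy for the user whose access keys go into the connector: it only
    needs to assume the one role (instead of AdministratorAccess)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Resource": role_arn}],
    }


def allowed_actions(policy):
    """Every action granted by an Allow statement; useful when reviewing."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            act = stmt["Action"]
            actions.update([act] if isinstance(act, str) else act)
    return actions


def create_connector_role(iam, role_name, principal_arn, external_id):
    """Create the role and attach the inline read-only policy. `iam` is any
    object with boto3-shaped create_role/put_role_policy: boto3.client("iam")
    or FakeIam below. MaxSessionDuration stays at the IAM default of 3600 s,
    which the connector's 900 s Session duration fits under."""
    created = iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(
            connector_trust_policy(principal_arn, external_id)),
        Description="Read-only EC2 inventory for the Brinqa connector",
    )
    iam.put_role_policy(RoleName=role_name, PolicyName="Ec2InventoryRead",
                        PolicyDocument=json.dumps(connector_role_policy()))
    return created["Role"]["Arn"]


class FakeIam:
    """Offline stand-in for boto3.client("iam") that records the calls."""

    def __init__(self, account_id="123456789012"):
        self.account_id = account_id
        self.calls = []

    def create_role(self, **kwargs):
        self.calls.append(("create_role", kwargs))
        arn = f"arn:aws:iam::{self.account_id}:role/{kwargs['RoleName']}"
        return {"Role": {"Arn": arn}}

    def put_role_policy(self, **kwargs):
        self.calls.append(("put_role_policy", kwargs))
        return {}


if __name__ == "__main__":
    iam = FakeIam()
    arn = create_connector_role(iam, "brinqa-ec2-inventory",
                                "arn:aws:iam::123456789012:user/brinqa-connector",
                                "example-external-id")
    print(arn)
    print(json.dumps(connector_user_policy(arn), indent=2))
```

To apply it for real, pass `boto3.client("iam")` instead of `FakeIam()` and attach `connector_user_policy(arn)` to the user whose keys go into the connector. If the connector ever needs an action the role policy does not grant, the call fails with an explicit AccessDenied rather than succeeding silently, which is the behaviour you want from a read-only integration.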
Additional settings
The Amazon EC2 connector has the following additional options:
-
Session duration: The duration, in seconds, requested for the assumed-role session, that is, how long the temporary credentials issued by STS AssumeRole remain valid before the connector must assume the role again. The default is 900 seconds (15 minutes), which is also the minimum AWS accepts; the value cannot exceed the role's maximum session duration (3600 seconds unless raised on the role).
-
Page size: The maximum number of records to retrieve per API request. The default is 100, and going above 100 is not recommended.
Types of data to retrieve
The Amazon EC2 connector can retrieve the following types of data from the Amazon EC2 API:
Table 1: Data retrieved from Amazon EC2
Connector Object | Required | Maps to Data Model |
---|---|---|
Instance | Yes | Host |
For detailed steps on how to view the data retrieved from Amazon EC2 in the Brinqa Platform, see How to view your data.
Operation options
The Amazon EC2 connector supports the following operation options. See connector operation options for information about how to apply them.
Table 2: Amazon EC2 connector operation options
Connector Object | Option | All Possible Values | Description | Example |
---|---|---|---|---|
Instance | maxResults | An integer from 5 to 1000 (the range the EC2 DescribeInstances API accepts) | Limit the number of instances returned per API call. The default value is 1000. | Key: maxResults Value: 10. This key and value combination retrieves at most 10 instances per API call. |
Instance | regions | Any AWS regions where your Amazon EC2 instances reside, comma-separated | Retrieve instances only from the specified AWS regions. | Key: regions Value: us-east-1,us-west-1. This key and value combination only retrieves instances from the us-east-1 and us-west-1 AWS regions. |
The option keys and values are case-sensitive, exactly as shown in this documentation.
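What these two options do to the connector's API traffic is easiest to see by paging through a DescribeInstances response. The following is an added example written for this page, not Brinqa's code: it parses the case-sensitive `maxResults` and `regions` options, walks every region's instances page by page following NextToken, and flattens the API's Reservations (the groups of instances launched by one RunInstances call) into Host records, which is the Instance to Host mapping from Table 1. The EC2 client and fleet are constructed stand-ins so it runs offline; the 5 to 1000 MaxResults range and the default region fallback are assumptions taken from the EC2 API reference and the Default region setting above.

```python
"""How the Table 2 options shape the connector's DescribeInstances calls.

Added example, not Brinqa's code. It pages through a constructed,
boto3-shaped DescribeInstances response so it runs offline. The API returns
Reservations (instances launched by one RunInstances call) holding Instances;
that is the SDK's Reservation class, unrelated to Reserved Instance pricing.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Host:
    instance_id: str
    region: str
    state: str
    private_ip: Optional[str]
    security_groups: List[str]
    tags: Dict[str, str] = field(default_factory=dict)

def parse_options(options, default_region="us-east-1"):
    """Typed view of the case-sensitive key/value options from Table 2."""
    max_results = int(options.get("maxResults", 1000))  # connector default
    if not 5 <= max_results <= 1000:  # range from the EC2 API reference (assumption)
        raise ValueError("DescribeInstances MaxResults must be 5..1000")
    regions = [r.strip() for r in options.get("regions", "").split(",")
               if r.strip()]
    return max_results, regions or [default_region]

def flatten(response, region):
    """Reservations -> Instances -> Host records (the Instance -> Host mapping)."""
    hosts = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            hosts.append(Host(
                instance_id=inst["InstanceId"], region=region,
                state=inst["State"]["Name"],
                private_ip=inst.get("PrivateIpAddress"),
                security_groups=[g["GroupId"]
                                 for g in inst.get("SecurityGroups", [])],
                tags={t["Key"]: t["Value"] for t in inst.get("Tags", [])},
            ))
    return hosts

def collect_hosts(client_for_region, options):
    """Fetch every instance in each configured region, following NextToken.
    Returns (hosts, api_calls) so the cost of a maxResults choice is visible."""
    max_results, regions = parse_options(options)
    hosts, calls = [], 0
    for region in regions:
        client = client_for_region(region)
        kwargs = {"MaxResults": max_results}
        while True:
            resp = client.describe_instances(**kwargs)
            calls += 1
            hosts.extend(flatten(resp, region))
            token = resp.get("NextToken")
            if not token:
                break
            kwargs["NextToken"] = token  # dropping this silently truncates the inventory
    return hosts, calls

class FakeEc2:
    """Constructed stand-in for boto3.client("ec2", region_name=...)."""

    def __init__(self, reservations):
        # (reservation_id, instance) pairs in API order
        self._rows = [(r["ReservationId"], i)
                      for r in reservations for i in r["Instances"]]

    def describe_instances(self, MaxResults, NextToken=None):
        start = int(NextToken or 0)
        end = min(start + MaxResults, len(self._rows))
        grouped = {}
        for rid, inst in self._rows[start:end]:
            grouped.setdefault(rid, {"ReservationId": rid, "Instances": []})["Instances"].append(inst)
        resp = {"Reservations": list(grouped.values())}
        if end < len(self._rows):
            resp["NextToken"] = str(end)  # opaque to callers, like the real token
        return resp

def _reservation(rid, first, count):
    """Constructed reservation of `count` running instances."""
    return {"ReservationId": rid, "Instances": [{
        "InstanceId": f"i-{n:017x}", "State": {"Name": "running"},
        "PrivateIpAddress": f"10.0.{n // 256}.{n % 256}",
        "SecurityGroups": [{"GroupId": "sg-0a1b2c3d4e5f60718", "GroupName": "web"}],
        "Tags": [{"Key": "Name", "Value": f"web-{n}"}],
    } for n in range(first, first + count)]}

# Constructed fleet: 7 instances in us-east-1, 2 in us-west-1, 1 in eu-west-1.
FLEET = {
    "us-east-1": [_reservation("r-0aaa", 1, 4), _reservation("r-0bbb", 5, 3)],
    "us-west-1": [_reservation("r-0ccc", 8, 2)],
    "eu-west-1": [_reservation("r-0ddd", 10, 1)],
}

def fake_client_for_region(region):
    return FakeEc2(FLEET.get(region, []))
```

With `maxResults` set to 5 and `regions` set to `us-east-1,us-west-1`, the seven us-east-1 instances take two calls and the two us-west-1 instances one, while eu-west-1 is never queried. Against a real account, `client_for_region` would be `lambda r: boto3.client("ec2", region_name=r)` using the assumed-role credentials; the pagination and flattening logic is unchanged.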
AWS SDK
The Amazon EC2 connector uses the AWS SDK for Java, version 1.11.569 (the v1 com.amazonaws SDK). Specifically, it uses the following classes and methods:
Table 3: Amazon EC2 AWS SDK classes
AWS SDK Class | Description |
---|---|
com.amazonaws.auth.AWSCredentialsProvider | Supplies the AWS credentials (the access keys, or the temporary credentials of the assumed role) used to sign requests. |
com.amazonaws.services.ec2.AmazonEC2 | Client interface for calling the Amazon EC2 service. |
com.amazonaws.services.ec2.model.AmazonEC2Exception | Exception thrown when the EC2 service returns an error, for example an access-denied or throttling response. |
com.amazonaws.services.ec2.model.DescribeInstancesRequest | Request for the DescribeInstances API call; carries MaxResults, NextToken and Filters. |
com.amazonaws.services.ec2.model.DescribeInstancesResult | Response of DescribeInstances: a list of Reservation objects plus the NextToken for the following page. |
com.amazonaws.services.ec2.model.DescribeTagsRequest | Request for the DescribeTags API call, which retrieves EC2 resource tags. |
com.amazonaws.services.ec2.model.DescribeTagsResult | Response of DescribeTags: a list of TagDescription objects. |
com.amazonaws.services.ec2.model.Filter | Name/value filter applied to Describe requests, for example to narrow results by instance state or tag. |
com.amazonaws.services.ec2.model.GroupIdentifier | Identifies a security group (ID and name) attached to an instance. |
com.amazonaws.services.ec2.model.Reservation | Group of instances launched by a single RunInstances request, as returned by DescribeInstances. Not related to Reserved Instance pricing. |
com.amazonaws.services.ec2.model.TagDescription | One tag (key, value, resource ID and resource type) returned by DescribeTags. |
Changelog
The Amazon EC2 connector has undergone the following changes:
3.0.5
- Fixed an issue where the connector wasn't timing out properly.
3.0.2
- Added API call timeouts and API call attempt timeouts.
3.0.1
- Added the AWS icon and some missing attributes.
3.0.0
- Initial Integration+ release.