AWS Importer
Using this importer allows importing assets and links from existing AWS estates. The following table lists all the types that can be imported and gives an overview of the extent to which Txture can provide target architecture replacements and cost predictions.
Note that usage costs (e.g. data traffic) are not taken into account in the cost predictions.
| Imported type | Product Replacement | Cost prediction | 
|---|---|---|
| Virtual Machine | ||
| Image | ||
| Volume | ||
| Network Zone (VPC) | ||
| Network Zone (Subnet) | ||
| Load balancer | ||
| RDS database | ||
| Elasticsearch Domain | ||
| Elasticache | ||
| Lambda function | ||
| Elastic File System | ||
| S3 Bucket | ||
| ECS Cluster | ||
| ECS Container | ||
| CloudFront Distributions | ||
| CloudFront Functions | ||
| CloudTrail | ||
| CloudWatch Metrics | ||
| DynamoDB Tables | ||
| Kafka Cluster | ||
| Kinesis Stream | ||
| Secrets Manager Secrets | ||
| Network Traffic | ||
| Scalable Compute Group | ||
Note that link importers require the permissions for both types that will be linked.
Recommended Permission Configuration
As a prerequisite to connect to an AWS estate, Txture needs to be able to access AWS resources. For this, a read-only access policy is used in combination with an API-only access credential. The permission configuration is done via the AWS Console.
Please follow these general steps to create access credentials that are required as part of the importer configuration:
- Log on to your AWS Console and select the IAM service.
- Select Users to access user management.
- Use Create user to add a new user.
- Provide an arbitrary user name for the new user. It should be named in a way to later identify its purpose, like "txture-read-only".
- Credentials for actual management console access are not required.
- Select Attach existing policies directly to select the pre-defined, AWS managed policy "ReadOnlyAccess". In case you want to set a more restricted policy, e.g. to import only specific resources or resource types, you can do this by setting specific permissions.
- Check the policy and proceed with the wizard. You can skip "Set permissions boundary - optional" and create the user.
- After the successful creation, you can view the newly created user by a click on it.
- In the Summary section, select Create access key and select the use case Third-party service. After that, create the access key.
- Use the Download .csv file button to download the access key. The result contains a table with the access key ID and secret. Access key ID and secret need to be used to set up an AWS data source in Txture.
Setting Up AWS Assume Role
To properly set up AWS Assume Role, you need to configure two main components: a permissions policy on the user and a trust policy on the role. This allows an IAM user to temporarily assume the permissions of a specific IAM role.
1. Permissions Policy on the User
The IAM user or group that will assume the role needs a policy that allows the sts:AssumeRole action. This policy defines which roles the user is permitted to assume.
Here is an example policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::*:role/iamrole-assume-role"
    },
    {
      "Effect": "Allow",
      "Action": "organizations:ListAccounts",
      "Resource": "*"
    }
  ]
}
- Action: "sts:AssumeRole": This is the key permission that allows the user to call the AWS Security Token Service (STS) to assume a role. The Resource is set to arn:aws:iam::*:role/iamrole-assume-role, which allows the user to assume any role named iamrole-assume-role in any AWS account.
- Action: "organizations:ListAccounts": This grants the user permission to view all accounts within the AWS Organization. This is required for discovering the account IDs of other accounts in the organization. The Resource is set to *, meaning this permission applies to all resources.
2. Trust Policy on the Role
The IAM role itself needs a trust policy (also known as a trust relationship) that specifies which principals (users, services, or accounts) are allowed to assume it. This policy acts as the gatekeeper for the role.
Here is an example trust policy for a role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/iamrole-importer"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
- Principal: This section defines who can assume the role. It should specify the ARN of the IAM user, account, or service that will be making the request.
- Action: "sts:AssumeRole": This must be present to allow the specified principal to assume the role.
- Effect: "Allow": This statement grants the trust relationship.
Once the trust policy is in place, you can attach a permissions policy to the role. This second policy defines the actual permissions the user will have after assuming the role (e.g., s3:ListBucket, ec2:DescribeInstances, etc.).
Summary of the Flow:
- A user's identity-based policy grants them permission to request to assume a specific role (sts:AssumeRole action).
- The role's trust policy grants permission to a specific user to be assumed.
- Once assumed, the user's permissions are inherited from the role, not their own identity-based policy. The user can then perform the actions defined in the role's attached permissions policies.
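The two halves of the flow above can be checked against each other before anything is deployed. The following Python script is an added example, not Txture's code: it takes the user's permissions policy and the role's trust policy from this page (account id 123456789012 and the names are the page's placeholders) and verifies that the user may request the role and that the role trusts that user; a trust policy with a bare "*" principal is rejected because it would trust every AWS account.

```python
import fnmatch

# Constructed sample: the user permissions policy and the role trust policy
# shown on this page (placeholder account id and names taken from the page).
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::*:role/iamrole-assume-role"},
        {"Effect": "Allow", "Action": "organizations:ListAccounts", "Resource": "*"},
    ],
}
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:user/iamrole-importer"},
        "Action": "sts:AssumeRole",
    }],
}

def _as_list(value):
    # IAM accepts a single string or a list for Action, Resource and Principal.AWS.
    return [value] if isinstance(value, str) else list(value)

def _allows_assume_role(statement):
    # IAM matches action names case-insensitively, so compare lower-cased.
    actions = [a.lower() for a in _as_list(statement.get("Action", []))]
    return statement.get("Effect") == "Allow" and "sts:assumerole" in actions

def user_may_request(user_policy, role_arn):
    """Half 1: an Allow statement grants sts:AssumeRole on a Resource pattern
    that covers role_arn; IAM '*' / '?' wildcards map onto fnmatch wildcards."""
    return any(_allows_assume_role(st) and
               any(fnmatch.fnmatchcase(role_arn, p) for p in _as_list(st["Resource"]))
               for st in user_policy["Statement"])

def role_trusts(trust_policy, principal_arn):
    """Half 2: the trust policy names principal_arn (exact ARN) as an AWS principal."""
    for st in trust_policy["Statement"]:
        principal = st.get("Principal", {})
        principals = _as_list(principal if isinstance(principal, str) else principal.get("AWS", []))
        if "*" in principals:  # would let any AWS account assume the role
            raise ValueError("trust policy trusts every AWS principal")
        if _allows_assume_role(st) and principal_arn in principals:
            return True
    return False

def assume_role_allowed(user_policy, trust_policy, user_arn, role_arn):
    """Both halves must agree; a missing half is the usual reason AssumeRole fails."""
    return user_may_request(user_policy, role_arn) and role_trusts(trust_policy, user_arn)
```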
Minimum Permission Configuration
If you don't want to make use of the default ReadOnlyAccess policy, which allows read access to all resources, you can narrow the permissions to individual resources or resource types. The minimal required permissions for each import type (without restricting resources) are listed below in JSON format and can be copied directly into the AWS policy editor.
Permissions required for all Types
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "cloudfront:ListFunctions",
                "cloudfront:ListDistributions",
                "cloudtrail:DescribeTrails",
                "cloudwatch:GetMetricData",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "dynamodb:DescribeTable",
                "dynamodb:ListTables",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSubnets",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcs",
                "eks:DescribeClusters",
                "eks:ListClusters",
                "ecs:DescribeClusters",
                "ecs:ListClusters",
                "ecs:ListContainerInstances",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticache:DescribeCacheSubnetGroups",
                "elasticache:DescribeCacheClusters",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeMountTargets",
                "es:DescribeElasticsearchDomain",
                "kafka:ListClusters",
                "kinesis:DescribeStream",
                "kinesis:ListStreams",
                "lambda:ListFunctions",
                "rds:DescribeDBInstances",
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "secretsmanager:ListSecrets"
            ],
            "Resource": "*"
        }
    ]
}
Virtual Machine Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeImages",
                "ec2:DescribeInstanceTypes",
                "cloudwatch:GetMetricStatistics"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
Image Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeImages"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
Volume Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVolumes",
                "ec2:DescribeInstances",
                "cloudwatch:GetMetricStatistics"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
Network Zone (VPC) Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcs"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
Network Zone (Subnet) Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSubnets"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
Load balancer Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "elasticloadbalancing:DescribeLoadBalancers",
            "Resource": "*"
        }
    ]
}
RDS Database Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances",
                "cloudwatch:GetMetricStatistics"
            ],
            "Resource": "*"
        }
    ]
}
Elasticsearch Domain Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "es:DescribeElasticsearchDomain",
            "Resource": "*"
        }
    ]
}
Elasticache Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "elasticache:DescribeCacheSubnetGroups",
                "elasticache:DescribeCacheClusters"
            ],
            "Resource": "*"
        }
    ]
}
Lambda Function Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lambda:ListFunctions",
                "cloudwatch:GetMetricStatistics"
            ],
            "Resource": "*"
        }
    ]
}
Elastic File System Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeMountTargets",
                "ec2:DescribeNetworkInterfaces"
            ],
            "Resource": "*"
        }
    ]
}
S3 Bucket Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "cloudwatch:GetMetricStatistics"
            ],
            "Resource": "*"
        }
    ]
}
EKS Cluster Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "eks:ListClusters",
                "eks:DescribeClusters"
            ],
            "Resource": "*"
        }
    ]
}
ECS Cluster Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecs:ListClusters",
                "ecs:DescribeClusters"
            ],
            "Resource": "*"
        }
    ]
}
ECS Container Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecs:ListClusters",
                "ecs:DescribeClusters",
                "ecs:ListContainerInstances"
            ],
            "Resource": "*"
        }
    ]
}
CloudFront Distributions Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudfront:ListDistributions"
            ],
            "Resource": "*"
        }
    ]
}
CloudFront Functions Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudfront:ListFunctions",
                "cloudwatch:GetMetricData"
            ],
            "Resource": "*"
        }
    ]
}
CloudTrail Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:DescribeTrails"
            ],
            "Resource": "*"
        }
    ]
}
CloudWatch Metrics Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:ListMetrics"
            ],
            "Resource": "*"
        }
    ]
}
DynamoDB Tables Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:ListTables",
                "dynamodb:DescribeTable"
            ],
            "Resource": "*"
        }
    ]
}
Kafka Cluster Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kafka:ListClusters"
            ],
            "Resource": "*"
        }
    ]
}
Kinesis Stream Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kinesis:ListStreams",
                "kinesis:DescribeStream"
            ],
            "Resource": "*"
        }
    ]
}
Secrets Manager Secrets Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:ListSecrets"
            ],
            "Resource": "*"
        }
    ]
}
Network Traffic Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricData"
            ],
            "Resource": "*"
        }
    ]
}
Scalable Compute Group Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "ec2:DescribeInstanceTypes",
                "cloudwatch:GetMetricStatistics"
            ],
            "Resource": "*"
        }
    ]
}
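When only a few import types are needed, the per-type policies above have to be merged into one statement. The following Python helper is an added example, not Txture's code: it embeds two of the per-type policies from this page as constructed input, merges the policies of the selected types into a single deduplicated statement for the AWS policy editor, and refuses any action whose verb is not Describe, List or Get, so the importer credential stays read-only.

```python
# Constructed sample: two of the per-type policies listed on this page, keyed
# by import type; add the other types from the page in the same form as needed.
PER_TYPE_POLICIES = {
    "Volume": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Action": ["ec2:DescribeVolumes", "ec2:DescribeInstances",
                   "cloudwatch:GetMetricStatistics"], "Resource": ["*"]}]},
    "S3 Bucket": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:ListBucket",
                   "cloudwatch:GetMetricStatistics"], "Resource": "*"}]},
}
# Verbs an importer credential may carry; anything else could change the estate.
READ_ONLY_VERBS = ("Describe", "List", "Get")

def actions_of(policy):
    """Collect the actions of every Allow statement (Action may be a string or a
    list), deduplicated case-insensitively because IAM ignores action-name case."""
    found = {}
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        acts = st["Action"]
        for action in ([acts] if isinstance(acts, str) else acts):
            found.setdefault(action.lower(), action)  # keep first spelling seen
    return found

def non_read_only(actions):
    """Return the actions whose verb is not Describe*/List*/Get*."""
    return sorted(a for a in actions
                  if not a.split(":", 1)[1].startswith(READ_ONLY_VERBS))

def build_importer_policy(selected_types):
    """Merge the per-type policies of the chosen importers into one statement,
    raising ValueError if any merged action could modify resources."""
    merged = {}
    for import_type in selected_types:
        merged.update(actions_of(PER_TYPE_POLICIES[import_type]))
    bad = non_read_only(merged.values())
    if bad:
        raise ValueError(f"not read-only: {bad}")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": sorted(merged.values(), key=str.lower),
        "Resource": "*"}]}
```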
Fetching Usage Data
Fetching usage data with Amazon CloudWatch can cause additional costs.
The CloudWatch API is required by the asset types Network Traffic and S3 Bucket and is optional for Virtual Machine, Volume, RDS Database, CloudFront Function and Lambda Function.
Additional Configuration for EC2 Instances Metrics for Memory Usage
To obtain the RAM Utilization metric, follow this guide: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/install-and-configure-cloudwatch-agent-using-ec2-console.html#install-and-configure-cw-agent-procedure
Additional Configuration for EC2 Autoscaling Groups for Avg/Min/Max Group Size / Replicas
To obtain information about average/minimum/maximum replicas, you need to enable Auto Scaling group metrics collection.