AWS Importer
This importer imports assets and links from existing AWS estates. The following table lists all the types that can be imported and shows, for each type, whether Txture can provide target architecture replacements and cost predictions.
Note that usage costs (e.g. data traffic) are not taken into account in the cost predictions.
Imported type | Product Replacement | Cost prediction |
---|---|---|
Virtual Machine | ||
Image | ||
Volume | ||
Network Zone (VPC) | ||
Network Zone (Subnet) | ||
Load balancer | ||
RDS database | ||
Elasticsearch Domain | ||
Elasticache | ||
Lambda function | ||
Elastic File System | ||
S3 Bucket | ||
ECS Cluster | ||
ECS Container | ||
CloudFront Distributions | ||
CloudFront Functions | ||
CloudTrail | ||
CloudWatch Metrics | ||
DynamoDB Tables | ||
Kafka Cluster | ||
Kinesis Stream | ||
Secrets Manager Secrets | ||
Network Traffic | ||
Scalable Compute Group | ||
Note that link importers require the permissions of both types that will be linked.
Recommended Permission Configuration
As a prerequisite to configuring an AWS importer, Txture needs to be able to access AWS resources. For this, a read-only access policy is used in combination with an API-only access credential (an access key, not a console login). The permission configuration is done via the AWS Console.
Please follow these general steps to create access credentials that are required as part of the importer configuration:
- Logon to your AWS console and select the IAM service
- Select "Users" to access user management
- Use "Add user" to create a new user
- Provide an arbitrary user name for the new user. It should be named in a way to later identify its purpose, like "txture-read-only".
- Choose "Programmatic access", since Txture CT does not require credentials for actual management console access. Choose "Next: Permissions" to continue the user creation wizard.
- Select "Attach existing policies directly" and choose the pre-defined, AWS-managed policy "ReadOnlyAccess". Be aware that this managed policy is far broader than the importer needs: it grants read access to the data held by many services (for example S3 object contents via s3:Get*), not only to resource metadata. If you want a more restricted policy, e.g. to import only specific resources or resource types, attach a custom policy built from the minimum permissions listed below instead.
- Check the policy and proceed with the wizard. You can skip "tags" and directly go to the review section. Choose "Create user".
- After the user has been created you can directly copy or download the read-only credentials as a CSV file. Use "Download .csv" for this. The file contains the user name, an access key ID and a secret access key. The secret is shown only at this point and cannot be retrieved later, so store it in a secrets store rather than in plain files, and rotate the key if it is ever exposed. Access key ID and secret need to be provided in the importer configuration to set up an AWS data source.
Minimum Permission Configuration
If you do not want to use the default ReadOnlyAccess policy, which allows read access to all resources, you can narrow the permissions to individual resources or resource types. The minimum permissions required for each import type, without restriction of resources, are listed below in JSON format and can be pasted into the AWS policy editor directly. Note that most Describe*/List* actions (all ec2:Describe* actions among them) do not support resource-level permissions and therefore have to be granted on "Resource": "*"; a region can still be enforced on such actions with the aws:RequestedRegion condition key.
Permissions required for all Types
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"cloudfront:ListFunctions",
"cloudfront:ListDistributions",
"cloudtrail:DescribeTrails",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInstanceTypes",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:DescribeVpcs",
"eks:DescribeCluster",
"eks:ListClusters",
"ecs:DescribeClusters",
"ecs:ListClusters",
"ecs:ListContainerInstances",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticache:DescribeCacheSubnetGroups",
"elasticache:DescribeCacheClusters",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargets",
"es:DescribeElasticsearchDomain",
"kafka:ListClusters",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"lambda:ListFunctions",
"rds:DescribeDBInstances",
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"s3:ListBucket",
"secretsmanager:ListSecrets"
],
"Resource": "*"
}
]
}
Virtual Machine Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeImages",
"ec2:DescribeInstanceTypes",
"cloudwatch:GetMetricStatistics"
],
"Resource": [
"*"
]
}
]
}
Image Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeImages"
],
"Resource": [
"*"
]
}
]
}
Volume Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeVolumes",
"ec2:DescribeInstances",
"cloudwatch:GetMetricStatistics"
],
"Resource": [
"*"
]
}
]
}
Network Zone (VPC) Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs"
],
"Resource": [
"*"
]
}
]
}
Network Zone (Subnet) Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeSubnets"
],
"Resource": [
"*"
]
}
]
}
Load balancer Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "elasticloadbalancing:DescribeLoadBalancers",
"Resource": "*"
}
]
}
RDS Database Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"rds:DescribeDBInstances",
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
}
]
}
Elasticsearch Domain Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "es:DescribeElasticsearchDomain",
"Resource": "*"
}
]
}
Elasticache Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"elasticache:DescribeCacheSubnetGroups",
"elasticache:DescribeCacheClusters"
],
"Resource": "*"
}
]
}
Lambda Function Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
}
]
}
Elastic File System Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargets",
"ec2:DescribeNetworkInterfaces"
],
"Resource": "*"
}
]
}
S3 Bucket Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"s3:ListBucket",
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
}
]
}
EKS Cluster Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"eks:ListClusters",
"eks:DescribeCluster"
],
"Resource": "*"
}
]
}
ECS Cluster Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ecs:ListClusters",
"ecs:DescribeClusters"
],
"Resource": "*"
}
]
}
ECS Container Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ecs:ListClusters",
"ecs:DescribeClusters",
"ecs:ListContainerInstances"
],
"Resource": "*"
}
]
}
CloudFront Distributions Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"cloudfront:ListDistributions"
],
"Resource": "*"
}
]
}
CloudFront Functions Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"cloudfront:ListFunctions",
"cloudwatch:GetMetricData"
],
"Resource": "*"
}
]
}
CloudTrail Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"cloudtrail:DescribeTrails"
],
"Resource": "*"
}
]
}
CloudWatch Metrics Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"cloudwatch:ListMetrics"
],
"Resource": "*"
}
]
}
DynamoDB Tables Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"dynamodb:ListTables",
"dynamodb:DescribeTable"
],
"Resource": "*"
}
]
}
Kafka Cluster Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kafka:ListClusters"
],
"Resource": "*"
}
]
}
Kinesis Stream Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kinesis:ListStreams",
"kinesis:DescribeStream"
],
"Resource": "*"
}
]
}
Secrets Manager Secrets Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"secretsmanager:ListSecrets"
],
"Resource": "*"
}
]
}
Network Traffic Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricData"
],
"Resource": "*"
}
]
}
Scalable Compute Group Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"ec2:DescribeInstanceTypes",
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
}
]
}
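Composing one least-privilege policy for exactly the importer types you enable, and checking a policy before attaching it, as an added example that is not part of the Txture documentation or product. The action lists are copied from the per-type policies above (a subset of the types is included to keep the example short); the statement Sid, the aws:RequestedRegion condition and the check heuristics are this example's own choices.

```python
"""Build and check a minimal IAM policy for a set of Txture importer types.

Added example, not Txture's own code. IMPORTER_ACTIONS is copied from the
per-type policies on this page for a subset of the types.
"""
import json

# Actions per importer type, copied from the per-type policies above.
IMPORTER_ACTIONS = {
    "Virtual Machine": ["ec2:DescribeInstances", "ec2:DescribeImages",
                        "ec2:DescribeInstanceTypes", "cloudwatch:GetMetricStatistics"],
    "Volume": ["ec2:DescribeVolumes", "ec2:DescribeInstances",
               "cloudwatch:GetMetricStatistics"],
    "Network Zone (VPC)": ["ec2:DescribeVpcs"],
    "Network Zone (Subnet)": ["ec2:DescribeSubnets"],
    "Load balancer": ["elasticloadbalancing:DescribeLoadBalancers"],
    "RDS database": ["rds:DescribeDBInstances", "cloudwatch:GetMetricStatistics"],
    "S3 Bucket": ["s3:ListAllMyBuckets", "s3:GetBucketLocation",
                  "s3:ListBucket", "cloudwatch:GetMetricStatistics"],
    "Secrets Manager Secrets": ["secretsmanager:ListSecrets"],
    "Network Traffic": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricData"],
}

# Everything the importer is documented to need; any other Allow is a finding.
DOCUMENTED_ACTIONS = {a for acts in IMPORTER_ACTIONS.values() for a in acts}


def compose_policy(importers, region=None):
    """Union the actions of the selected importers into one Allow statement.

    Describe*/List* calls generally have no resource-level permissions, so
    Resource stays "*". The optional aws:RequestedRegion condition (this
    example's choice) limits the credential to the region the importer uses.
    """
    actions = sorted({a for name in importers for a in IMPORTER_ACTIONS[name]})
    statement = {"Sid": "TxtureImporterReadOnly", "Effect": "Allow",
                 "Action": actions, "Resource": "*"}
    if region:
        statement["Condition"] = {"StringEquals": {"aws:RequestedRegion": region}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _allowed_actions(policy):
    """Yield every action granted by an Allow statement (Deny is ignored)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt["Action"]
        yield from (action if isinstance(action, list) else [action])


def check_policy(policy):
    """Return findings for Allow actions that are wildcards or are not among
    the documented read-only actions. An empty list means the policy passed."""
    findings = []
    for action in _allowed_actions(policy):
        if "*" in action:
            findings.append(f"wildcard action {action}")
        elif action not in DOCUMENTED_ACTIONS:
            findings.append(f"undocumented action {action}")
    return findings


def missing_actions(policy, importers):
    """Documented actions the selected importers need but the policy lacks.
    Use this on a hand-narrowed policy before enabling another importer."""
    granted = set(_allowed_actions(policy))
    needed = {a for name in importers for a in IMPORTER_ACTIONS[name]}
    return sorted(needed - granted)


if __name__ == "__main__":
    policy = compose_policy(["Virtual Machine", "Volume", "S3 Bucket"],
                            region="eu-central-1")
    print(json.dumps(policy, indent=2))          # paste into the policy editor
    print("findings:", check_policy(policy))
    print("missing for RDS:", missing_actions(policy, ["RDS database"]))
```

The generated document is plain JSON, so a copy-and-paste slip such as a trailing or missing comma in an Action list is caught by json.loads before the policy ever reaches the AWS policy editor. Because check_policy treats anything outside the documented action set as a finding, a later edit that slips in s3:GetObject or a service wildcard is flagged rather than silently widening the importer's access.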
Fetching Usage Data
Fetching usage data through the Amazon CloudWatch API can cause additional costs.
The CloudWatch API is required for the asset types Network Traffic and S3 Bucket and is optional for Virtual Machine, Volume, RDS Database, CloudFront Function and Lambda Function; for these optional types the cloudwatch actions in the per-type policies above are only needed if usage data should be fetched.
Additional Configuration for EC2 Instance Memory Usage Metrics
EC2 does not publish a memory utilization metric by default. To obtain the RAM utilization metric, install and configure the CloudWatch agent on the instances as described in the following guide: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/install-and-configure-cloudwatch-agent-using-ec2-console.html#install-and-configure-cw-agent-procedure