AWS Importer
This importer imports assets and links from existing AWS estates. The following table lists all the types that can be imported. It also shows to what extent Txture can provide target architecture replacements and cost predictions for each type.
Note that usage costs (e.g. data traffic) are not taken into account in the cost predictions.
Imported type | Product Replacement | Cost prediction |
---|---|---|
Virtual Machine | ||
Image | ||
Volume | ||
Network Zone (VPC) | ||
Network Zone (Subnet) | ||
Load balancer | ||
RDS database | ||
Elasticsearch Domain | ||
Elasticache | ||
Lambda function | ||
Elastic File System | ||
S3 Bucket | ||
ECS Cluster | ||
ECS Container | ||
CloudFront Distributions | ||
CloudFront Functions | ||
CloudTrail | ||
CloudWatch Metrics | ||
DynamoDB Tables | ||
Kafka Cluster | ||
Kinesis Stream | ||
Secrets Manager Secrets | ||
Network Traffic | ||
Scalable Compute Group | ||
Note that link importers require the permissions for both types that will be linked.
Recommended Permission Configuration
As a prerequisite to connect to an AWS estate, Txture needs to be able to access AWS resources. For this, a read-only access policy is used in combination with an API-only access credential. The permission configuration is done via the AWS Console.
Please follow these general steps to create access credentials that are required as part of the importer configuration:
- Log on to your AWS Console and select the IAM service.
- Select "Users" to access user management.
- Use "Create user" to add a new user.
- Provide an arbitrary user name for the new user. It should be named so that its purpose can be identified later, like "txture-read-only".
- Credentials for actual management console access are not required.
- Select "Attach existing policies directly" to select the pre-defined, AWS managed policy "ReadOnlyAccess". In case you want to set a more restricted policy, e.g. to import only specific resources or resource types, you can do this by setting specific permissions.
- Check the policy and proceed with the wizard. You can skip "Set permissions boundary - optional" and create the user.
- After the successful creation, you can view the newly created user by clicking on it. In the Summary section, select "Create access key" and select the use case "Third-party service". After that, create the access key.
- Use the "Download .csv file" button to download the access key. The result contains a table with the access key ID and secret. Access key ID and secret need to be used to set up an AWS data source in Txture.
Minimum Permission Configuration
If you don't want to use the default ReadOnlyAccess policy, which allows read access to all resources, you can narrow the permissions to individual resources or resource types. The minimal required permissions without restriction of resources for each import type are listed below in JSON format and can be copied to the AWS policy editor directly.
Permissions required for all Types
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"cloudfront:ListFunctions",
"cloudfront:ListDistributions",
"cloudtrail:DescribeTrails",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInstanceTypes",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:DescribeVpcs",
"eks:DescribeClusters",
"eks:ListClusters",
"ecs:DescribeClusters",
"ecs:ListClusters",
"ecs:ListContainerInstances",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticache:DescribeCacheSubnetGroups",
"elasticache:DescribeCacheClusters",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargets",
"es:DescribeElasticsearchDomain",
"kafka:ListClusters",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"lambda:ListFunctions",
"rds:DescribeDBInstances",
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"s3:ListBucket",
"secretsmanager:ListSecrets"
],
"Resource": "*"
}
]
}
Virtual Machine Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeImages",
"ec2:DescribeInstanceTypes",
"cloudwatch:GetMetricStatistics"
],
"Resource": [
"*"
]
}
]
}
Image Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeImages"
],
"Resource": [
"*"
]
}
]
}
Volume Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeVolumes",
"ec2:DescribeInstances",
"cloudwatch:GetMetricStatistics"
],
"Resource": [
"*"
]
}
]
}
Network Zone (VPC) Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs"
],
"Resource": [
"*"
]
}
]
}
Network Zone (Subnet) Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeSubnets"
],
"Resource": [
"*"
]
}
]
}
Load balancer Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "elasticloadbalancing:DescribeLoadBalancers",
"Resource": "*"
}
]
}
RDS Database Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"rds:DescribeDBInstances",
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
}
]
}
Elasticsearch Domain Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "es:DescribeElasticsearchDomain",
"Resource": "*"
}
]
}
Elasticache Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"elasticache:DescribeCacheSubnetGroups",
"elasticache:DescribeCacheClusters"
],
"Resource": "*"
}
]
}
Lambda Function Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
}
]
}
Elastic File System Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargets",
"ec2:DescribeNetworkInterfaces"
],
"Resource": "*"
}
]
}
S3 Bucket Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"s3:ListBucket",
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
}
]
}
EKS Cluster Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"eks:ListClusters",
"eks:DescribeClusters"
],
"Resource": "*"
}
]
}
ECS Cluster Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ecs:ListClusters",
"ecs:DescribeClusters"
],
"Resource": "*"
}
]
}
ECS Container Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ecs:ListClusters",
"ecs:DescribeClusters",
"ecs:ListContainerInstances"
],
"Resource": "*"
}
]
}
CloudFront Distributions Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"cloudfront:ListDistributions"
],
"Resource": "*"
}
]
}
CloudFront Functions Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"cloudfront:ListFunctions",
"cloudwatch:GetMetricData"
],
"Resource": "*"
}
]
}
CloudTrail Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"cloudtrail:DescribeTrails"
],
"Resource": "*"
}
]
}
CloudWatch Metrics Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"cloudwatch:ListMetrics"
],
"Resource": "*"
}
]
}
DynamoDB Tables Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"dynamodb:ListTables",
"dynamodb:DescribeTable"
],
"Resource": "*"
}
]
}
Kafka Cluster Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kafka:ListClusters"
],
"Resource": "*"
}
]
}
Kinesis Stream Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kinesis:ListStreams",
"kinesis:DescribeStream"
],
"Resource": "*"
}
]
}
Secrets Manager Secrets Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"secretsManager:ListSecrets"
],
"Resource": "*"
}
]
}
Network Traffic Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricData"
],
"Resource": "*"
}
]
}
Scalable Compute Group Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"ec2:DescribeInstanceTypes",
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
}
]
}
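The per-type policies above can be merged into one least-privilege policy for only the types you import, and an existing policy can be checked against that set. The following Python sketch is an added example, not part of Txture or its documentation; the function names are hypothetical, the action lists are copied from this page for a subset of types, and the audit looks only at Allow statements (Deny statements, conditions and resource scoping are not evaluated).

```python
import json
from fnmatch import fnmatchcase

# Actions copied from the per-type policies on this page (a subset of the types).
REQUIRED = {
    "Virtual Machine": ["ec2:DescribeInstances", "ec2:DescribeImages",
                        "ec2:DescribeInstanceTypes", "cloudwatch:GetMetricStatistics"],
    "Volume": ["ec2:DescribeVolumes", "ec2:DescribeInstances",
               "cloudwatch:GetMetricStatistics"],
    "Network Zone (VPC)": ["ec2:DescribeVpcs"],
    "RDS database": ["rds:DescribeDBInstances", "cloudwatch:GetMetricStatistics"],
    "S3 Bucket": ["s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:ListBucket",
                  "cloudwatch:GetMetricStatistics"],
}

def needed_actions(import_types):
    """Union of actions for the selected types; a link importer needs both ends."""
    unknown = [t for t in import_types if t not in REQUIRED]
    if unknown:
        raise ValueError(f"no action list for: {unknown}")
    return sorted({a for t in import_types for a in REQUIRED[t]})

def build_policy(import_types):
    """One Allow statement covering exactly the selected import types."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": needed_actions(import_types),
                           "Resource": "*"}]}

def audit_policy(policy, import_types):
    """Return (missing, excess) for an existing policy versus the selected types."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        # "Action" is a string in some policies on this page and a list in others.
        actions = [actions] if isinstance(actions, str) else actions
        granted.update(a.lower() for a in actions)  # IAM action names are case-insensitive
    needed = {a.lower() for a in needed_actions(import_types)}
    missing = sorted(n for n in needed if not any(fnmatchcase(n, g) for g in granted))
    excess = sorted(g for g in granted if g not in needed)  # wildcards land here
    return missing, excess

if __name__ == "__main__":
    # Constructed sample: an over-broad policy attached to the import user.
    sample = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:DescribeVpcs", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]}
    print(json.dumps(build_policy(["Virtual Machine", "Volume"]), indent=2))
    print(audit_policy(sample, ["Network Zone (VPC)", "S3 Bucket"]))
```

Anything reported as excess, such as a service-wide wildcard, is permission the import user holds beyond what the selected import types need.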
Fetching Usage Data
Fetching usage data with Amazon CloudWatch can cause additional costs.
The CloudWatch API is required by the asset types Network Traffic and S3 Bucket and is optional for Virtual Machine, Volume, RDS Database, CloudFront Function and Lambda Function.
Additional Configuration for EC2 Instances Metrics for Memory Usage
To get the RAM utilization metric, follow this guide: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/install-and-configure-cloudwatch-agent-using-ec2-console.html#install-and-configure-cw-agent-procedure
Additional Configuration for EC2 Autoscaling Groups for Avg/Min/Max Group Size / Replicas
To get information about average/minimum/maximum replicas, you need to enable the Auto Scaling Group metrics collection.