Amazon Web Services

Overview

Heeler supports broad visibility into Amazon Web Services and can be configured to onboard and stream inventory data from all accounts via AWS Organization or individually on an account-by-account basis. It is recommended to connect via AWS Organization to simplify onboarding and to ensure complete visibility as your cloud footprint grows.

Required Permissions for Setup

The identity you use to run the CloudFormation (or Terraform) template needs the following AWS permissions in the account where the template is deployed (the payer account for an Organization setup).

cloudformation:CreateStackSet
cloudformation:UpdateStackSet
cloudformation:DeleteStackSet
cloudformation:CreateStackInstances
cloudformation:DeleteStackInstances
cloudformation:DescribeStackSet
cloudformation:ListStackInstances
iam:CreateRole
iam:UpdateAssumeRolePolicy
iam:PutRolePolicy
iam:DeleteRolePolicy
iam:TagRole
iam:GetRole
iam:ListRoles
iam:CreatePolicy
iam:AttachRolePolicy
iam:DeletePolicy
iam:DetachRolePolicy
iam:GetPolicy
iam:GetPolicyVersion
iam:ListPolicies
iam:CreateServiceLinkedRole

You can confirm whether these permissions are in place by running this permission check script while signed in to your target AWS account:
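The following is an added example of such a check, written for this page and not Heeler's own script. It asks the IAM policy simulator whether the signed-in principal is allowed each action in the list above; it assumes the AWS CLI v2 is installed and configured for the target account, and the sample ARNs in the comments are constructed.

```shell
#!/bin/sh
# Added example, not Heeler's own check script. Asks the IAM policy simulator
# whether the signed-in principal is allowed each action listed on this page.
# Assumes the AWS CLI v2 is installed and configured for the target account.
set -eu

# The actions listed under "Required Permissions for Setup".
REQUIRED_ACTIONS="cloudformation:CreateStackSet cloudformation:UpdateStackSet \
cloudformation:DeleteStackSet cloudformation:CreateStackInstances \
cloudformation:DeleteStackInstances cloudformation:DescribeStackSet \
cloudformation:ListStackInstances iam:CreateRole iam:UpdateAssumeRolePolicy \
iam:PutRolePolicy iam:DeleteRolePolicy iam:TagRole iam:GetRole iam:ListRoles \
iam:CreatePolicy iam:AttachRolePolicy iam:DeletePolicy iam:DetachRolePolicy \
iam:GetPolicy iam:GetPolicyVersion iam:ListPolicies iam:CreateServiceLinkedRole"

# simulate-principal-policy wants an IAM user or role ARN. get-caller-identity
# returns an STS session ARN when you are using an assumed role, so map it
# back to the role (constructed sample):
#   arn:aws:sts::111122223333:assumed-role/Admin/alice
#   -> arn:aws:iam::111122223333:role/Admin
principal_arn_for() {
  case "$1" in
    arn:*:sts::*:assumed-role/*)
      part=$(printf '%s' "$1" | cut -d: -f2)
      acct=$(printf '%s' "$1" | cut -d: -f5)
      role=$(printf '%s' "$1" | cut -d/ -f2)
      printf 'arn:%s:iam::%s:role/%s' "$part" "$acct" "$role" ;;
    arn:*:iam::*:user/*|arn:*:iam::*:role/*)
      printf '%s' "$1" ;;
    *)
      echo "unsupported principal ARN: $1" >&2
      return 1 ;;
  esac
}

# Prints every action whose decision is not "allowed" (implicitDeny or
# explicitDeny) and returns 1 if there are any; returns 0 otherwise.
check_setup_permissions() {
  caller=$(aws sts get-caller-identity --query Arn --output text)
  principal=$(principal_arn_for "$caller")
  # REQUIRED_ACTIONS is deliberately left unquoted so it word-splits into arguments.
  denied=$(aws iam simulate-principal-policy \
    --policy-source-arn "$principal" \
    --action-names $REQUIRED_ACTIONS \
    --query "EvaluationResults[?EvalDecision!='allowed'].[EvalActionName,EvalDecision]" \
    --output text)
  if [ -n "$denied" ]; then
    echo "Missing permissions for $principal:" >&2
    printf '%s\n' "$denied" >&2
    return 1
  fi
  echo "All required actions are allowed for $principal"
}

# Only call AWS when explicitly asked, so the functions can be sourced or tested offline.
if [ "${1:-}" = "--check" ]; then
  check_setup_permissions
fi
```

Run it as `sh check-heeler-perms.sh --check`. The caller needs `iam:SimulatePrincipalPolicy` (and `sts:GetCallerIdentity`) for the simulation itself. Note that the simulator evaluates the principal's policies rather than exercising CloudFormation or IAM, so an "allowed" result confirms the policy grants, not that the deployment will succeed.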

Background

For Organization setup, Heeler deploys a single CloudFormation template into the payer account. The template uses CloudFormation StackSets to deploy the required resources to every member account in the organization, including accounts that are added in the future. In those accounts, Heeler deploys IAM resources (roles and policies) whose permissions are locked down so that Heeler can read only metadata and configuration information about your cloud footprint, never the data itself. The template performs the following actions:

Payer Account

  • Create an IAM policy, Heeler, that denies access to the customer data plane. This includes actions such as s3:GetObject, dynamodb:GetItem and more. Because an explicit Deny always overrides an Allow, this policy narrows the AWS-managed ReadOnlyAccess policy attached to the same role, which would otherwise permit those reads.

  • Create an IAM policy, HeelerEKS, that allows Heeler to configure EKS cluster API access so it can automatically harvest Kubernetes resources. Unlike the rest of the role, this is a configuration change on the cluster's access settings rather than a read-only permission.

  • Create two roles, heeler-management-ro and heeler-member. The first is created with an inline policy that allows visibility into the payer account's AWS Organization configuration. The second, heeler-member, is configured with the newly created policies as well as the AWS-managed policy ReadOnlyAccess to allow visibility into the account. Its trust policy allows heeler-management-ro to assume it.

  • Create a CloudFormation StackSet that performs the steps outlined below across all existing member accounts and accounts as they are added in the future.

Member Account

  • Create an IAM policy, Heeler, that denies access to the customer data plane. This includes actions such as s3:GetObject, dynamodb:GetItem and more.

  • Create an IAM policy, HeelerEKS, that allows Heeler to configure EKS cluster API access so it can automatically harvest Kubernetes resources.

  • Create a single role, heeler-member, with the newly created policies as well as the AWS-managed policy ReadOnlyAccess to allow visibility into the account. Its trust policy allows heeler-management-ro (in the payer account) to assume it.
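The trust and deny pattern described above, shown as an added CloudFormation fragment written for this page. It is not Heeler's template: the parameter names ExternalID and HeelerSecurityRoleArn and the role and policy names follow this page, but the logical IDs, the organizations:* action list, the sts:AssumeRole grant and the exact Deny action list are assumptions, and the HeelerEKS policy is omitted because the page does not list its actions.

```yaml
# Added illustrative fragment, not Heeler's template. Parameter, role and
# policy names follow the page; logical IDs, the organizations:* actions,
# the sts:AssumeRole grant and the exact Deny list are assumptions.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  HeelerSecurityRoleArn:
    Type: String
    Description: Role ARN provided by Heeler Security (the principal allowed to assume heeler-management-ro)
  ExternalID:
    Type: String
    Description: Value Heeler must present as sts:ExternalId when assuming heeler-management-ro
Resources:
  # Explicit Deny on data-plane reads. It overrides the Allow that the
  # AWS-managed ReadOnlyAccess policy grants for the same actions.
  HeelerPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: Heeler
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DenyDataPlane
            Effect: Deny
            Action:
              - s3:GetObject
              - dynamodb:GetItem
            Resource: '*'
  # Organization-level role. Only Heeler's principal, and only when it
  # presents the ExternalID, may assume it (confused-deputy mitigation).
  ManagementReadOnlyRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: heeler-management-ro
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref HeelerSecurityRoleArn
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalID
      Policies:
        - PolicyName: OrganizationReadOnly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - organizations:Describe*
                  - organizations:List*
                Resource: '*'
              # Cross-account assumption needs an Allow on the caller side as
              # well as the trust policy on the member role.
              - Effect: Allow
                Action: sts:AssumeRole
                Resource: !Sub arn:${AWS::Partition}:iam::*:role/heeler-member
  # Per-account role: trusts only heeler-management-ro and is read-only
  # minus the explicit Deny above.
  MemberRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: heeler-member
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !GetAtt ManagementReadOnlyRole.Arn
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess
        - !Ref HeelerPolicy
Outputs:
  ManagementReadOnlyRoleArn:
    Value: !GetAtt ManagementReadOnlyRole.Arn
```

The point to check when reviewing the real template is the same in both roles: the management role's trust policy should carry the sts:ExternalId condition, and the member role's trust policy should name only heeler-management-ro rather than a whole account.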

Heeler Connection Setup

  1. Select the icon from the top navigation

  2. Navigate to the Connections tab

  3. Select Cloud Organizations

  4. Click Add Organization and select AWS

  5. Select Setup with CloudFormation. If you haven't confirmed that you have the required permissions, now is a good time to do so. You will also need the Root ID (or Organizational Unit ID) of the target deployment when configuring the CloudFormation StackSet.

  6. Select Launch CloudFormation StackSet

  7. Choose your active session or sign in to a new session. The session must be in the payer account.

  8. Confirm that the stack launches into the desired AWS account, that it is deploying the Heeler CFT, and that it has the Heeler-default stack name.

  9. Provide or accept the default parameters:

    1. Organization Unit List: the Root ID (format r-xxxx) or another top-level Organizational Unit ID (format ou-xxxx-xxxxxxxx). The Organization ID itself (format o-xxxxxxxxxx) is not a StackSet deployment target.

    2. Account List (optional): accounts listed here are excluded from the deployment

    3. Scope Change (optional): by default, accounts provided in the Account List are excluded. Changing this value from exclude to limit makes the provided accounts the only accounts included. If Account List is empty (the default), this value has no effect.

    4. Heeler Role Name (required): default value is heeler-member. Can be changed.

    5. External ID (recommended): the default value is auto-generated. It can be changed or deleted, but keep one set: the external ID is the condition in the role's trust policy that prevents a third party who merely knows your role ARN from having Heeler assume it on their behalf (the confused-deputy problem).

    6. Role ARN provided by Heeler Security: do not change the default value unless instructed otherwise

  10. Because this CloudFormation StackSet deploys IAM roles and policies, you must acknowledge their creation and then select Create stack

  11. No action is required while the stack deploys. You can monitor the creation of resources on the Events tab. The deployment is complete when the stack status reads CREATE_COMPLETE.

  12. Copy the Output value ManagementReadOnlyRoleArn for use when configuring the connection in Heeler.

  13. Copy the Parameter values ExternalID, HeelerSecurityRoleArn, and MemberRoleName for use when configuring the connection in Heeler. If there are values for AccountList or OrganizationUnitList, copy them too.

  14. Back in the Heeler modal, populate the values:

    1. Organization Name: a human-friendly name that identifies the organization in Heeler

    2. Organization Role ARN: the ManagementReadOnlyRoleArn

    3. Organization Role External ID: the ExternalID

    4. Member Account Role Name: the MemberRoleName

    5. Member Role External ID (optional): this property is deprecated and will be removed

    6. OU IDs to skip: the OrganizationUnitList values, if any

    7. Skip Listed Accounts: the AccountList values, if any

    8. Region Restrictions: optional list of regions to which harvesting is limited. This is helpful when Service Control Policies restrict resources to specific regions. (This restriction is not part of the CloudFormation StackSet, because the StackSet deploys IAM resources, which are global.)

    9. Select Done

  15. When the connection is added successfully, you will see a Healthy notification status
