AWS Resource Explorer Integration
AWS Cloud Asset Inventory is the functionality inside the AWS Explorer portal that provides visibility across your cloud resources.
The following section describes the prerequisites that must be met to utilize the SHI One AWS Asset Integration.
To have AWS Explorer pull information from all regions rather than only the single region it is configured for, you will need to configure your AWS SDK or CLI settings and potentially use programmatic access to retrieve resources from every region. AWS Explorer, part of the AWS Toolkit in IDEs like Visual Studio, is typically configured for a single region at a time, but information from all regions can still be gathered by adjusting your approach:
- Install the AWS Toolkit for your IDE (e.g., Visual Studio)
  - Make sure the AWS Toolkit is installed in your IDE. It includes AWS Explorer, which lets you browse and interact with your AWS services.
- Configure AWS credentials
  - Configure your AWS credentials so that they grant access to the regions you need. You can do this via the AWS CLI, an SDK, or within the AWS Toolkit itself.
  - Example of configuring credentials via the AWS CLI:

    ```shell
    aws configure
    ```

  - When prompted, enter your Access Key, Secret Key, Default Region (any region will do) and output format.
- Modify the AWS config file
  - To reach multiple regions from your local machine, configure the ~/.aws/config file with several profiles, each targeting a different region.
  - Example ~/.aws/config (the default profile section is named default; every other profile needs the profile prefix):

    ```ini
    [default]
    region = us-west-1

    [profile us-west-2]
    region = us-west-2

    [profile eu-west-1]
    region = eu-west-1
    ```
- Use the AWS SDK or CLI to query all regions
  - AWS Explorer does not pull data from all regions at once, so use the AWS CLI, an SDK, or a script that loops through all regions.
  - To retrieve data from all regions, call the DescribeRegions API to get the list of regions currently enabled for the account, then loop through them:

    ```shell
    aws ec2 describe-regions --query "Regions[].RegionName" --output text
    ```

  - Use the result to iterate over the regions, fetching the required data from each.
- Automate multi-region resource fetching with a script
  - Here is a basic Python example using boto3 (the AWS SDK for Python) that lists all EC2 instances across all regions:

    ```python
    import boto3

    # Get a list of all regions enabled for this account
    ec2 = boto3.client('ec2')
    regions = [region['RegionName'] for region in ec2.describe_regions()['Regions']]

    # Iterate over each region and list its instances
    for region in regions:
        print(f"Region: {region}")
        regional_ec2 = boto3.client('ec2', region_name=region)
        instances = regional_ec2.describe_instances()
        for reservation in instances['Reservations']:
            for instance in reservation['Instances']:
                print(f"Instance ID: {instance['InstanceId']} in {region}")
    ```
- Query specific resources
  - AWS Explorer in IDEs like Visual Studio is limited to one region at a time, but with scripts or automation you can aggregate data from multiple regions. Adapt the query to the service you need (EC2, S3, etc.).
- Visualize data in your IDE
  - After collecting the data programmatically, export the results to a file or display them in the IDE's console if you want to view them inside the IDE.
- Important notes
  - Cost considerations: Be mindful of potential costs when pulling data from multiple regions. Some services charge based on the number of API requests or the regions accessed.
  - Permissions: Ensure your IAM role or user has the necessary permissions to access the services in every region you are targeting.
  - Performance: Pulling data from all regions can take time, especially for services with many resources. Limit your queries to specific regions if necessary.
By configuring your environment with the above steps, you'll be able to gather information across AWS regions, even though AWS Explorer typically limits you to a single region at a time.
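As an added example, not code from SHI One or the AWS Toolkit, the script below extends the boto3 loop above with the two things a real inventory sweep needs: the DescribeInstances paginator, so a region with many instances is not truncated at the first page, and per-region error handling, so one region where the call is denied or which is not enabled does not abort the whole run. The client factory is a parameter, which lets the same code run offline against the constructed FakeEC2 stand-in embedded below (FAKE_ACCOUNT, FakeEC2 and every instance ID in it are made up for the demonstration); boto3_client_factory is the real drop-in for a live account.

```python
"""Added example (not SHI One's or the AWS Toolkit's code): sweep every enabled
region for EC2 instances with pagination and per-region error handling.
FAKE_ACCOUNT and FakeEC2 are a constructed offline stand-in for the EC2 API."""
from typing import Callable, Dict, List, Tuple

Record = Dict[str, str]


def list_regions(ec2_client) -> List[str]:
    """Regions enabled for the account (DescribeRegions hides opted-out regions by default)."""
    return sorted(r["RegionName"] for r in ec2_client.describe_regions()["Regions"])


def list_instances_in_region(ec2_client, region: str) -> List[Record]:
    """Walk every page of DescribeInstances; a single call only returns the first page."""
    found: List[Record] = []
    for page in ec2_client.get_paginator("describe_instances").paginate():
        for reservation in page["Reservations"]:
            for inst in reservation["Instances"]:
                found.append({"region": region, "id": inst["InstanceId"],
                              "state": inst["State"]["Name"]})
    return found


def collect_inventory(client_factory: Callable[[str], object]) -> Tuple[List[Record], Dict[str, str]]:
    """Loop over regions; a failure in one (permission denied, region disabled) is
    recorded in the errors dict instead of aborting the whole sweep."""
    inventory: List[Record] = []
    errors: Dict[str, str] = {}
    for region in list_regions(client_factory("us-east-1")):
        try:
            inventory.extend(list_instances_in_region(client_factory(region), region))
        except Exception as exc:  # boto3 raises botocore.exceptions.ClientError here
            errors[region] = str(exc)
    return inventory, errors


def boto3_client_factory(region: str):
    """Real factory for a live account: one EC2 client per region. boto3 is imported
    lazily so the module still loads (and the offline demo runs) without the SDK."""
    import boto3
    return boto3.client("ec2", region_name=region)


# ---- constructed offline stand-in; instance IDs and regions are made up ----
FAKE_ACCOUNT = {
    "us-east-1": [("i-0aaa111", "running"), ("i-0bbb222", "stopped")],
    "eu-west-1": [("i-0ccc333", "running")],
    "ap-south-1": None,  # None = the DescribeInstances call is denied in this region
}


class _FakePaginator:
    def __init__(self, pages):
        self._pages = pages

    def paginate(self):
        return iter(self._pages)


class FakeEC2:
    def __init__(self, region: str):
        self.region = region

    def describe_regions(self):
        return {"Regions": [{"RegionName": r} for r in FAKE_ACCOUNT]}

    def get_paginator(self, operation: str):
        rows = FAKE_ACCOUNT[self.region]
        if rows is None:
            raise PermissionError(f"UnauthorizedOperation in {self.region}")
        # one instance per page so the pagination path is really exercised
        return _FakePaginator([{"Reservations": [{"Instances": [
            {"InstanceId": iid, "State": {"Name": state}}]}]} for iid, state in rows])


if __name__ == "__main__":
    inv, errs = collect_inventory(FakeEC2)  # use boto3_client_factory for a real account
    for rec in inv:
        print(f"{rec['region']}: {rec['id']} ({rec['state']})")
    for region, msg in errs.items():
        print(f"skipped {region}: {msg}")
```

Swapping `FakeEC2` for `boto3_client_factory` is the only change needed to run this against an account; the errors dict is worth logging, because a region that silently returns nothing and a region where the role lacks ec2:DescribeInstances look identical in the inventory alone.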
To connect to Amazon Resource Explorer (ARE) and get the Amazon Resource Name (ARN) and External ID, follow these steps:
- Create an IAM role for access
  - Sign in to the AWS Management Console and open the IAM console.
  - Create a new role:
    - Go to Roles in the left-hand navigation pane.
    - Click Create role.
    - Choose AWS service as the trusted entity type and select Resource Explorer as the service that will use this role. Click Next: Permissions.
  - Attach permissions:
    - Attach the permissions policies Resource Explorer needs. For basic operations you might attach a policy such as AmazonResourceExplorerReadOnlyAccess, or create a custom policy if specific permissions are needed.
    - Click Next: Tags (optional) to add tags if needed.
    - Click Next: Review.
  - Review and create:
    - Give the role a name (e.g., ResourceExplorerRole).
    - Review the role details and click Create role.
- Obtain the Amazon Resource Name (ARN)
  - Find the role ARN:
    - Go back to the Roles section in the IAM console.
    - Search for the role you created (e.g., ResourceExplorerRole).
    - Click the role name to view its details.
    - Copy the Role ARN from the summary section. It looks something like arn:aws:iam::123456789012:role/ResourceExplorerRole.
- Create and get the External ID
  - The External ID is a unique string written into the role's trust policy; a caller must present the same value when assuming the role, so only a party that knows it can use the role.
  - Generate a unique External ID:
    - Decide on a unique External ID. It can be a randomly generated string or a meaningful identifier, depending on your use case; for example, use a UUID generator or create a custom string.
  - Configure the role's trust policy:
    - Edit the trust policy of the IAM role you created to include the External ID.
    - Go to the Trust relationships tab for the role.
    - Click Edit trust relationship.
    - Update the policy to include the External ID in the Condition section. Example policy:

      ```json
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": { "Service": "resource-explorer.amazonaws.com" },
            "Action": "sts:AssumeRole",
            "Condition": {
              "StringEquals": { "sts:ExternalId": "your-unique-external-id" }
            }
          }
        ]
      }
      ```

    - Replace "your-unique-external-id" with the External ID you generated and click Update Trust Policy.
- Use the ARN and External ID to connect to Resource Explorer
  - When configuring Amazon Resource Explorer or related services that require these credentials:
    - Role ARN: the ARN you obtained from the IAM console.
    - External ID: the unique External ID you created.
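As an added example, not SHI One's or AWS's own code, the script below does the two steps above in a checkable way: it generates the External ID from the operating system's CSPRNG, and it inspects the saved trust policy before the Role ARN and External ID are entered into the integration, flagging a placeholder that was never replaced, a missing sts:ExternalId condition, or a principal that is wider than the service shown in the example policy. EXPECTED_PRINCIPAL is copied from that example and is an assumption about what the integration needs; build_trust_policy and check_trust_policy are hypothetical helpers, and PLACEHOLDER_POLICY and OPEN_POLICY are constructed samples, not policies from any real account.

```python
"""Added example: generate an External ID and check a role trust policy.
Not SHI One's or AWS's code; build_trust_policy/check_trust_policy are hypothetical."""
import json
import re
import secrets
from typing import List

# Service principal from the example policy above; the principal your integration
# actually needs comes from its setup form or template, so treat this as an assumption.
EXPECTED_PRINCIPAL = "resource-explorer.amazonaws.com"

# Character set and length STS accepts for sts:ExternalId (2 to 1224 characters).
EXTERNAL_ID_RE = re.compile(r"^[\w+=,.@:/-]{2,1224}$")


def generate_external_id(nbytes: int = 24) -> str:
    """Random, URL-safe token from the OS CSPRNG; 24 bytes gives 32 characters,
    all inside the allowed set (letters, digits, '-' and '_')."""
    return secrets.token_urlsafe(nbytes)


def build_trust_policy(external_id: str, principal: str = EXPECTED_PRINCIPAL) -> str:
    """Trust policy in the shape shown above, with the External ID condition filled in."""
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": principal},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }
    return json.dumps(policy, indent=2)


def check_trust_policy(policy_json: str, external_id: str,
                       principal: str = EXPECTED_PRINCIPAL) -> List[str]:
    """Return findings for every Allow/AssumeRole statement; an empty list means OK."""
    findings: List[str] = []
    if not EXTERNAL_ID_RE.match(external_id):
        findings.append("external ID has an invalid length or characters")
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        who = stmt.get("Principal")
        if who == "*" or (isinstance(who, dict) and who.get("AWS") == "*"):
            findings.append("statement lets any principal assume the role")
        elif not isinstance(who, dict) or who.get("Service") != principal:
            findings.append(f"principal is not {principal}: {who!r}")
        got = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if got is None:
            findings.append("no sts:ExternalId condition on the AssumeRole statement")
        elif got != external_id:
            findings.append("sts:ExternalId differs from the value you are about to enter (placeholder left in?)")
    return findings


# Constructed sample policies (not taken from any real account).
PLACEHOLDER_POLICY = build_trust_policy("your-unique-external-id")
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]})

if __name__ == "__main__":
    eid = generate_external_id()
    print("External ID:", eid)
    print("good policy:", check_trust_policy(build_trust_policy(eid), eid))
    print("placeholder:", check_trust_policy(PLACEHOLDER_POLICY, eid))
    print("open policy:", check_trust_policy(OPEN_POLICY, eid))
```

Run the check against the policy document as saved in IAM (for example the output of `aws iam get-role`), not against the text you intended to paste; the placeholder finding exists precisely because the two can differ.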
Note: If you already purchase AWS from SHI, you can help ensure these prerequisites are met by submitting a Service Request to “Enable AWS Organizations”.
Once SHI One AWS Resource Explorer is enabled, aggregated findings from AWS Resource Explorer will be visible from within SHI One. Our AWS Resource Explorer integration will show your AWS Cloud Assets in the Asset Inventory.
- On the left-hand sidebar, navigate to Settings -> Integrations
- Click the three dots in the upper right corner of the AWS Recommendations box
  - If you don't see AWS Resource Explorer, first confirm that you have an AWS contract visible under Services -> Contracts, as you may not yet be fully onboarded to SHI One
  - Alternatively, submit a support request via Support Center -> Submit Request
- Click Add New
- Populate the form with the Role ARN and External ID from the previous steps
- Click Test
- Click Save
- Repeat steps 3-7 until all have been added
- Verify that the slider on the right of the AWS Recommendations box is orange/activated
- Click the AWS Resource Explorer box and verify that each slider is orange/activated
Note that it takes AWS up to 24 hours to start sending data to SHI One.
SHI collects data daily from the AWS Explorer APIs. There is no cost for querying the AWS Explorer API.
If the integration doesn't show up on the integrations page or you are unable to enable it:
- Submit a Support Request, as this could be a site-wide issue
If you have enabled the integration and your data doesn't show up:
- Verify that it has been at least 24 hours as collection occurs daily
- Verify that you have deployed a role with the correct permissions as documented
- Re-enter your information from your Payer Account (ARN and External ID) on the integrations page
- The External ID must be the same across all accounts in your organization
- Validate that the requisite configuration as documented has been met
If you are missing Trusted Advisor data in certain accounts:
- Make sure each account targeted for Trusted Advisor has at least Business Support
- Verify that you have deployed a role with the correct permissions in each account targeted for data collection as documented
If you are reporting Cost Explorer data for only one account:
- Re-enter your information from your Payer Account (ARN and External ID) on the integrations page, which can be found where you launched the CloudFormation template for the role
- All Resource Explorer Information is queried directly from the Payer Account
Note: If you encounter an issue not addressed within this section, please submit a Support Request via Support Center -> Submit Request.