# AWS

## About the AWS Context Integration <a href="#about-the-aws-context-integration" id="about-the-aws-context-integration"></a>

This context integration adds asset information retrieved from AWS as context labels in Netography Fusion.

{% hint style="info" %}
**☁️Cloud Context Enrichment: Add a Context Integration vs. Deploying Cloud Function**

AWS, Azure, and GCP have 2 options for how to enrich asset context.

**Option 1: Add a context integration in Fusion Portal**

You give permission in your cloud account(s) for Netography to read asset meta-data from it, and then add a context integration for that cloud account in Fusion to retrieve that information. After configuring permissions in your cloud, the configuration and data gathering occurs from the Netography Fusion SaaS to your cloud accounts. You will need to add and configure 1 context integration in Fusion per AWS account, Azure subscription, or GCP project.

**Option 2: Deploy a cloud function with Netography's Cloud onboarding automation via Terraform**

You deploy the Netography cloud onboarding automation using Terraform, which configures all the permissions required and creates a cloud function that runs within your cloud on a scheduled basis. That function gathers all the asset meta-data locally within your cloud, and then uploads the data via the Netography Fusion API. In this option, Netography never has any permission to directly access and read the asset meta-data in your cloud. You can deploy this automation one time for each AWS organization, Azure tenant, or GCP organization, making it a more easily scalable solution for larger environments. For more details on this option, access Netography's Terraform automation at our GitHub repo: <https://github.com/netography/neto-onboarding>. For access to the repo, email your GitHub ID to <support@netography.com>.
{% endhint %}

## AWS Configuration <a href="#aws-configuration" id="aws-configuration"></a>

{% hint style="info" %}
**⚖️Choosing between IAM Role and IAM User authentication**

Netography supports 2 methods for authentication with AWS:

1. IAM Roles using a Custom Trust Policy created by Netography
2. IAM user via an Access Key ID & Secret Access Key

Netography and AWS recommend using **IAM Role** authentication for a production deployment.

For more details, see: [AWS > Documentation > AWS Identity and Access Management > User Guide > Security best practices in IAM > Require workloads to use temporary credentials with IAM roles to access AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-workloads-use-roles)
{% endhint %}

### If you have already created an AWS IAM role <a href="#if-you-have-already-created-an-aws-iam-role" id="if-you-have-already-created-an-aws-iam-role"></a>

You can use the same IAM role you previously configured for collecting VPC Flow Logs. If you already configured [Flow Collection](https://docs.netography.com/ingest-network-traffic-logs/flow-logs) for your AWS environment and used a permission policy that includes `AmazonEC2ReadOnlyAccess`, no additional AWS configuration is needed. Use the same `ARN`, and skip to the Netography Fusion Configuration section.

If you have an existing AWS IAM Role but it does not have the permissions set or you want to verify the proper permissions, see the [Permission Policy](#permission-policy) section below.

### Creating AWS IAM Role (recommended authentication option) <a href="#creating-aws-iam-role-recommended-authentication-option" id="creating-aws-iam-role-recommended-authentication-option"></a>

To use IAM role authentication for Netography Fusion, first you will go to the Netography Fusion Portal and gather the required fields, and then you will go to AWS and create the IAM role.

#### Retrieve AWS Custom Trust Policy fields from the Netography Fusion Portal <a href="#retrieve-aws-custom-trust-policy-fields-from-the-netography-fusion-portal" id="retrieve-aws-custom-trust-policy-fields-from-the-netography-fusion-portal"></a>

In the Netography Fusion Portal, go to **Account Settings** by clicking the gear icon in top-right corner, scroll down to the **AWS Custom Trust Policy** section, and retrieve the **Account ID**, **sts:ExternalID**, and **Trust Policy** values.

| Field from Netography Fusion Account Settings | Description                                        |
| --------------------------------------------- | -------------------------------------------------- |
| AWS Custom Trust Policy > **Account ID**      | Netography AWS Account ID used for integration     |
| AWS Custom Trust Policy > **External ID**     | Netography issued field used for AWS role creation |
| AWS Custom Trust Policy > **Trust Policy**    | Netography Trust Policy used for AWS role creation |

#### Create a new AWS IAM Role <a href="#create-a-new-aws-iam-role" id="create-a-new-aws-iam-role"></a>

In AWS, you will create a new IAM role that will delegate access to Netography using the fields you gathered in the previous step. In addition to those fields, you will need to assign the IAM Role a permission policy.

**Permission Policy**

| AWS Permissions Policy Required |
| ------------------------------- |
| `AmazonEC2ReadOnlyAccess`       |

The `AmazonEC2ReadOnlyAccess` permission policy, which is all that the AWS context integration alone requires, is listed below. If you have an existing IAM role permission policy, add these statements to it to make it compatible with the AWS context integration (instructions for editing a policy are available at [AWS > Documentation > AWS Identity and Access Management > User Guide > Editing customer managed policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html#edit-managed-policy-console)).

{% tabs %}
{% tab title="JSON" %}

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "elasticloadbalancing:Describe*",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor4",
            "Effect": "Allow",
            "Action": "autoscaling:Describe*",
            "Resource": "*"
        }
    ]
}
```

{% endtab %}
{% endtabs %}

**How to create a new AWS IAM Role**

For instructions on creating an IAM role in AWS using a custom trust policy, refer to [AWS > Documentation > AWS Identity and Access Management > User Guide > Creating a role using custom trust policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html).

For more information on configuring the permissions to the Account ID, refer to [AWS > Documentation > AWS Identity and Access Management > User Guide > How to use an external ID when granting access to your AWS resources to a third party](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html).
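Before creating the role, it is worth confirming that the trust policy only lets the expected account assume it and requires the `sts:ExternalId` condition, and that the permission policy stays read-only (the `Describe*`/`List*`/`Get*` statements shown above). The following checker is an added example, not Netography's code or the Fusion portal's trust policy; the account ID and external ID are constructed placeholders, and the trust policy is constructed to follow AWS's documented external ID pattern.

```python
import json

# Constructed placeholders, NOT real Netography values: use the Account ID,
# External ID and Trust Policy from Fusion Account Settings > AWS Custom Trust Policy.
NETO_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "example-external-id-from-fusion"

# Constructed trust policy following AWS's documented external-ID pattern.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{NETO_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_problems(doc, account_id, external_id):
    """Findings for every AssumeRole grant; an empty list means it looks right."""
    problems = []
    for st in json.loads(doc).get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        # Only the expected account may assume the role; never a wildcard principal.
        if not principals or any(p == "*" or account_id not in p for p in principals):
            problems.append("principal is not limited to the expected account")
        # The external ID is what protects against the confused-deputy problem.
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            problems.append("sts:ExternalId condition missing or wrong")
    return problems

def non_read_only_actions(doc):
    """Allowed actions that are not Describe*/List*/Get*, i.e. beyond read-only."""
    bad = []
    for st in json.loads(doc).get("Statement", []):
        if st.get("Effect") == "Allow":
            for action in _as_list(st.get("Action", [])):
                if not action.split(":", 1)[-1].startswith(("Describe", "List", "Get")):
                    bad.append(action)
    return bad
```

Run `non_read_only_actions` over the policy JSON above (or your existing role's policy) and `trust_policy_problems` over the trust policy pasted from the Fusion portal; any non-empty result is worth resolving before attaching the role.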

**Copy the ARN for the newly created IAM Role**

The ARN for the new IAM role you created will be needed in the next step when adding the AWS context integration to Netography Fusion.

| IAM Role Field Required | Description                                                                   |
| ----------------------- | ----------------------------------------------------------------------------- |
| **ARN**                 | The identifier for the IAM role you retrieve from AWS when creating the role. |

### AWS IAM user authentication (alternative authentication option) <a href="#aws-iam-user-authentication-alternative-authentication-option" id="aws-iam-user-authentication-alternative-authentication-option"></a>

{% hint style="danger" %}
**❗️Skip this section if you are using AWS IAM role authentication**

AWS IAM user authentication with an Access Key ID and Access Secret is an alternative approach to using an AWS IAM role. If you are using the AWS IAM role, skip this section entirely and go to the Netography Fusion Configuration next.
{% endhint %}

The instructions below assume that you have not already created an IAM user as part of Flow Collection setup. If you have already created that user and it has the `AmazonEC2ReadOnlyAccess` permission, skip to the Netography Fusion Configuration section.

You must have an IAM user with an already configured programmatic access key or create one to use IAM user authentication.

* To create a new user, follow the [AWS official guidance](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for new IAM user creation.
* To configure a programmatic access key for the IAM user, refer to the [managing access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#access-keys_required-permissions) documentation.

| Minimum Required Permissions |
| ---------------------------- |
| `AmazonEC2ReadOnlyAccess`    |

To configure the integration with this authentication method, the following AWS IAM user fields are required:

| AWS Parameters  | Description                                                      |
| --------------- | ---------------------------------------------------------------- |
| `Access Key ID` | Authentication field, available in AWS IAM console for IAM user  |
| `Access Secret` | Authentication secret, available in AWS IAM console for IAM user |

## Netography Fusion Configuration <a href="#netography-fusion-configuration" id="netography-fusion-configuration"></a>

### 1. Navigate to **Settings** -> **Context Integrations** -> **Add Integration** <a href="#id-1-navigate-to-settings---context-integrations---add-integration" id="id-1-navigate-to-settings---context-integrations---add-integration"></a>

![](/files/YcrCVFUiAYLslgU3MDvt)

### 2. Select **Amazon Web Services** <a href="#id-2-select-amazon-web-services" id="id-2-select-amazon-web-services"></a>

![](/files/BoVK0aAYxLXvOOisRlNG)

### 3. Configure the context integration <a href="#id-3-configure-the-context-integration" id="id-3-configure-the-context-integration"></a>

a. Fill out the standard fields required for each context integration:

| Field             | Description                                                                                                                                                                                                                                                                                                                              |
| ----------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `Name`            | A unique name to identify this instance of the integration (e.g. `aws1`)                                                                                                                                                                                                                                                                 |
| `Update Interval` | How frequently to retrieve updated information from AWS in seconds                                                                                                                                                                                                                                                                       |
| `Auto Update`     | <p>Enable to retrieve updated information automatically at the frequency set by the <code>Update Interval</code><br>If disabled, the integration can be run manually from the list of configured integrations menu by selecting the <strong>...</strong> next to the name of the integration and then selecting <strong>Run</strong></p> |

b. Enter the configuration parameters specific to AWS.

| Field               | Required | Description                                                                                                                                                                                | Example |
| ------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------- |
| `Region`            |          | If you want to retrieve asset meta-data from only a specific region, you can specify it in this field. Leave this field blank to retrieve data from all regions.                           |         |
| `Tag/Label Matches` |          | Tag/Label matches are the names of tags you use within the cloud provider, e.g., a user might choose to tag all of their web servers with a tag `subsystem` that has a value of `web`. |         |

c. Enter the authentication information based on the authentication method you configured in AWS.

#### If you are using AWS IAM role authentication, configure AWS ARN for role <a href="#if-you-are-using-aws-iam-role-authentication-configure-aws-arn-for-role" id="if-you-are-using-aws-iam-role-authentication-configure-aws-arn-for-role"></a>

d. Select **Role** for the **Authentication Type** field, and then enter the **AWS ARN** for the IAM Role you created in the previous step (or during Flow Collection setup for AWS).

![](/files/boxsJWuaSV1JJEoXETgA)

#### If you are using AWS user authentication, configure Access Key ID and Access Secret <a href="#if-you-are-using-aws-user-authentication-configure-access-key-id-and-access-secret" id="if-you-are-using-aws-user-authentication-configure-access-key-id-and-access-secret"></a>

{% hint style="danger" %}
**❗️Skip this section if you are using AWS IAM role authentication**
{% endhint %}

e. Select **Key/Secret** for the **Authentication Type** field, and then enter the **Access Key ID** and **Access Key Secret** fields from the AWS Configuration step (or from the Flow Collection setup for AWS).

![](/files/1jfZm0MAPtG1Yeh86IQR)

f. Select **Create and Run** to save the integration.

