Last updated
The Amazon Web Services (AWS) for Cloud Insights integrations can be created and managed via two methods: the AWS Console and the AWS Command Line Interface (CLI). For steps within the AWS Console, and to understand more of the context around these integrations, see . For steps to create the integrations by the CLI only, see below.
For inventory monitoring:
Create IAM (Identity and Access Management) policies and roles.
For flow logs monitoring:
Create IAM policies and roles.
Create an S3 (Simple Storage Service) bucket from which to send traffic flows.
Configure VPC (Virtual Private Cloud) flow logs.
Create an SNS (Simple Notification Service) topic and apply a policy.
Configure S3 bucket notifications to send events to the SNS topic.
Before running the commands in this guide, ensure you meet the following prerequisites.
Have the AWS CLI installed on your system (see ).
Your AWS CLI must be configured with appropriate IAM credentials.
You can configure the credentials using the aws configure command:
You will be prompted to enter your AWS Access Key ID, Secret Access Key, default region, and output format. The AWS keys must correspond to an IAM user that has the necessary permissions to perform the actions in this guide. For inventory monitoring permissions, see step 6 of . For flow logs monitoring, see step 3 of .
For the inventory monitoring integration:
ACCOUNT_ID – Can be obtained from the AWS console or from the STS service: type `aws sts get-caller-identity --query "Account" --output text` into the CLI.
For the flow logs monitoring integration:
ACCOUNT_ID – Can be obtained from the AWS console or from the STS service: type `aws sts get-caller-identity --query "Account" --output text` into the CLI.
AWS_REGION – The AWS region where the resources will be created.
VPC_ID – The ID of the VPC from which flow logs will be created.
SNS_TOPIC_NAME – The name of the SNS topic to be created.
The following steps create:
An IAM permission policy that allows ThousandEyes read access to your AWS resources.
An IAM role with a trust policy that allows ThousandEyes to assume the role to execute read actions and build an inventory.
Note: You will need to be logged into your ThousandEyes account to retrieve certain information while you enter commands into the CLI.
In the ThousandEyes platform, go to the Integrations screen.
Click + New Integration in the top right.
In the Add New Integration side panel that opens, select Amazon Web Services.
The resulting Add AWS Integration screen defaults to showing the fields required for the “Test Recommendations” service.
Select “Inventory Monitoring” from the ThousandEyes Supported Services dropdown.
Give your integration a unique name. Duplicate names are not permitted.
Open and copy the script within the Permission Policy dropdown. An example is given below.
Note: The permission policy shown below is for illustration purposes only. Your permission policy may be different, and that is the one you must copy.
Paste the script into your terminal.
Type in your preferred --policy-name as required, and hit Enter.
Back in the ThousandEyes platform, open and copy the script in the Trust Policy dropdown. An example is given below.
Note: The trust policy shown below is for illustration purposes only. Your trust policy will show a different External ID, so your trust policy is the one you must copy.
Paste the script into your terminal.
Type in your preferred --role-name and --description as required, and hit Enter.
Copy the role ARN from the response for use in step 14, for example:
In the ThousandEyes platform, paste the IAM role ARN from step 12 into the Account Resource Name (ARN) field.
Click Test.
Note: The Test function only validates the trust relationship between AWS and ThousandEyes; it does not validate the permission policy.
If testing was successful, click Save.
The following steps create:
An S3 bucket in your specified region, if one does not already exist.
An IAM permission policy to allow ThousandEyes read access to your AWS S3 resources.
An IAM role with a trust policy that allows ThousandEyes to assume the role to execute read actions and build an inventory.
An IAM policy to attach traffic flow permissions to the IAM role.
VPC flow logs for the specified VPC ID, stored in a central S3 bucket, if not already configured.
An SNS topic with a policy applied to it, if one does not already exist.
Configuration of the S3 bucket to send notifications to the SNS topic when objects are created.
Use the LocationConstraint parameter only if your preferred region is not the default us-east-1 region. The command errors if you use the LocationConstraint parameter and your region is the default; the command also errors if the LocationConstraint parameter is missing and your region is not the default.
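The region rule above is easy to get wrong by hand. The following added example (not the page's or ThousandEyes' own script) wraps the bucket creation so the LocationConstraint parameter is passed only when the region is not us-east-1, skips creation if the bucket already exists, and then applies S3 Block Public Access, a hardening step the page does not mention but which a flow-log bucket should have. It assumes S3_BUCKET_NAME and AWS_REGION are exported as described in this guide.

```shell
#!/bin/sh
# Added example: create the flow-log bucket with the correct region handling.
# Assumes S3_BUCKET_NAME and AWS_REGION are already exported in the shell.
set -eu

# Print the extra create-bucket arguments for a region.
# us-east-1 is the default region: passing LocationConstraint there errors,
# and omitting it in any other region errors too.
location_constraint_args() {
  if [ "$1" = "us-east-1" ]; then
    printf ''
  else
    printf '%s' "--create-bucket-configuration LocationConstraint=$1"
  fi
}

# Create the bucket if it does not exist, then block all public access.
create_flow_log_bucket() {
  if aws s3api head-bucket --bucket "$S3_BUCKET_NAME" 2>/dev/null; then
    echo "bucket $S3_BUCKET_NAME already exists, skipping creation"
  else
    # Unquoted on purpose: the helper returns zero or two words.
    # shellcheck disable=SC2046
    aws s3api create-bucket --bucket "$S3_BUCKET_NAME" --region "$AWS_REGION" \
      $(location_constraint_args "$AWS_REGION")
  fi
  # Flow logs describe your network; never let the bucket become public.
  aws s3api put-public-access-block --bucket "$S3_BUCKET_NAME" \
    --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
}

# Invoke only when run directly with the variables set, e.g.:
#   S3_BUCKET_NAME=my-flow-logs AWS_REGION=eu-west-1 sh create_bucket.sh run
[ "${1:-}" = "run" ] && create_flow_log_bucket
```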
Copy the permission policy and save it as "te_cloud_insights_allow-s3-bucket_flow_logs.json".
Note: The permission policy shown below is for illustration purposes only. Your permission policy may be different, and that is the one you must copy.
Back in the ThousandEyes platform, open the Trust Policy dropdown. Copy the trust policy and save it as "iam_role_trust_policy.json".
Note: The trust policy shown below is for illustration purposes only. Your trust policy will show a different External ID, and that is the one you must copy.
In your terminal, type the following command to create the IAM role with the trust policy attached.
Copy or make a note of the role ARN from within the output for use within step 9.
Create the S3 read access policy for flow logs, using the permission policy saved in step 3.
Attach the S3 read access policy to the IAM role created in step 6.
Back in the ThousandEyes platform, paste or type the role ARN you copied/noted in step 6 into the Account Resource Name (ARN) field.
Copy or make a note of the SNS topic ARN for use within step 17.
Copy the following SNS topic policy and save as "sns_topic_policy.json".
Create the SNS_TOPIC_POLICY variable, to be used in the next step, and replace the placeholders in the SNS topic policy with the relevant variables.
Apply the SNS topic policy to the SNS topic. You will need the SNS_TOPIC_POLICY variable you just created and the SNS_TOPIC_ARN variable you created in step 11.
Create the S3_NOTIFICATION_CONFIGURATION variable, using the SNS_TOPIC_ARN variable you created in step 11. You will use this in the next step.
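The two variables above are built by substituting your values into JSON documents. As an added example (not the page's own policy, whose text is not reproduced here), the script below renders a constructed SNS topic policy and the S3 notification configuration from SNS_TOPIC_ARN, S3_BUCKET_NAME and ACCOUNT_ID, then applies both with the AWS CLI. The placeholder tokens (__TOPIC_ARN__ and so on) are this example's own; the policy's Condition block is the standard pattern that limits publishing to your one bucket in your one account, so no other bucket can push events into the topic.

```shell
#!/bin/sh
# Added example: render and apply the SNS topic policy and S3 notification
# configuration. Assumes SNS_TOPIC_ARN, S3_BUCKET_NAME and ACCOUNT_ID are exported.
set -eu

# Constructed policy template; placeholders are replaced by render_sns_policy.
# aws:SourceArn / aws:SourceAccount restrict who may publish to the topic.
sns_policy_template() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowS3ToPublishObjectEvents",
    "Effect": "Allow",
    "Principal": { "Service": "s3.amazonaws.com" },
    "Action": "SNS:Publish",
    "Resource": "__TOPIC_ARN__",
    "Condition": {
      "ArnLike": { "aws:SourceArn": "arn:aws:s3:::__BUCKET__" },
      "StringEquals": { "aws:SourceAccount": "__ACCOUNT_ID__" }
    }
  }]
}
EOF
}

# Arguments: topic ARN, bucket name, account id. Prints the rendered policy.
render_sns_policy() {
  sns_policy_template | sed -e "s|__TOPIC_ARN__|$1|g" \
    -e "s|__BUCKET__|$2|g" -e "s|__ACCOUNT_ID__|$3|g"
}

# Argument: topic ARN. Prints a configuration that fires on every object creation.
render_s3_notification() {
  printf '{"TopicConfigurations":[{"TopicArn":"%s","Events":["s3:ObjectCreated:*"]}]}' "$1"
}

apply_topic_policy_and_notification() {
  SNS_TOPIC_POLICY="$(render_sns_policy "$SNS_TOPIC_ARN" "$S3_BUCKET_NAME" "$ACCOUNT_ID")"
  aws sns set-topic-attributes --topic-arn "$SNS_TOPIC_ARN" \
    --attribute-name Policy --attribute-value "$SNS_TOPIC_POLICY"
  S3_NOTIFICATION_CONFIGURATION="$(render_s3_notification "$SNS_TOPIC_ARN")"
  aws s3api put-bucket-notification-configuration --bucket "$S3_BUCKET_NAME" \
    --notification-configuration "$S3_NOTIFICATION_CONFIGURATION"
}

# Invoke only when run directly: sh apply_sns.sh run
[ "${1:-}" = "run" ] && apply_topic_policy_and_notification
```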
Back in the ThousandEyes platform, paste the SNS Topic ARN from step 11 into the Simple Notification Service (SNS) Topics ARNs field.
Click Test.
Note: The Test function only validates the trust relationship between AWS and ThousandEyes; it does not validate the permission policy.
If testing was successful, click Save.
In your various AWS consoles (VPC, S3, SNS), you can verify that:
Ensure the following environment variables are set (see for more information about setting environment variables).
EXTERNAL_ID – A unique ID for external integrations which you can retrieve from the ThousandEyes-generated trust policy (see steps 1-5 and 10 of to find the trust policy screen on the ThousandEyes platform).
EXTERNAL_ID – A unique ID for external integrations which you can retrieve from the ThousandEyes-generated Trust Policy (see steps 1-5 and 9 of to find the trust policy screen on the ThousandEyes platform).
S3_BUCKET_NAME – The name of the S3 bucket to be created (see ).
Attach the policy to the role. You will need the ACCOUNT_ID environment variable you created at .
If not already created, in your terminal type the following command to create an S3 bucket in your specified AWS region. You will need the S3_BUCKET_NAME environment variable, and potentially the AWS_REGION environment variable, which you created in .
Follow steps 1-6 of , substituting "Flow Logs Monitoring" for "Inventory Monitoring" in step 4.
In your terminal, replace all bucket names in the file with the bucket variable you created in by running:
If not already created, in your terminal type the following command to create VPC flow logs for the specified VPC ID (see ). The logs are stored in an S3 bucket, and various log parameters are specified, including the log format and aggregation interval. See for more information.
If not already created, type the following command to create an SNS topic. You will need the SNS_TOPIC_NAME and AWS_REGION environment variables you created in . The command incorporates the creation of the SNS_TOPIC_ARN variable, to be used in steps 12, 14, and 15.
Apply the S3 bucket notification configuration to your S3 bucket. You will need the S3_BUCKET_NAME environment variable you created in and the S3_NOTIFICATION_CONFIGURATION variable you just created.
Your flow log record is being recorded in your VPC (see ).
Your relevant S3 bucket is receiving the records (see ).
Your S3 bucket is sending object-created events to the SNS topic (see ).
A ThousandEyes user is subscribed to the SNS topic (see ).
If you use AWS CloudTrail, you can further track your events with the following commands using AWS Athena (see ). Type or paste the following query into your terminal.