NOTE
There are multiple versions of the AWS console and the order/terminology of following steps may be slightly different
Create a new role for CHAOSSEARCH in AWS
- Please log into your AWS console or create an AWS account if you have not yet done so
- Navigate to the Roles page of the IAM service (Services > Security, Identity & Compliance > IAM > Roles)
- Select Create role
AWS IAM Role Requirements
CHAOSSEARCH uses Amazon AWS IAM roles to allow you to delegate access to your S3 buckets to the CHAOSSEARCH service. Follow these steps to configure your Amazon AWS account.
Create role for another AWS account
- Select Another AWS account
- Enter the CHAOSSEARCH AWS account ID (515570774723) in the Account ID field
- Check Require External ID, Navigate to your CHAOSSEARCH account and click Settings under the gear icon in your account
- Select AWS Credentials, then Copy and Paste the External ID value into the Required External ID field
- Select Next: Permissions
CHAOSSEARCH S3 Bucket Access
In order for CHAOSSEARCH to read the bucket(s) you want to start indexing, we will need to list all of the S3 buckets. If you have any questions, please feel welcome to reach out to our Team!
---
AWSTemplateFormatVersion'2010-09-09'
DescriptionCHAOSSEARCH AWS Integration
Metadata
AWS::CloudFormation::Interface
ParameterGroups
Label
defaultCHAOSSEARCH Authentication
Parameters
CSAccountID
CSExternalID
ParameterLabels
CSAccountID
defaultWhat is your provided CHAOSSEARCH Account ID?
CSExternalID
defaultWhat is your provided CHAOSSEARCH External ID?
CSBucketName
defaultWhat bucket for CHAOSSEARCH access?
Parameters
CSAccountID
DescriptionThe provided CHAOSSEARCH Account ID
TypeString
Default515570774723
CSExternalID
DescriptionThe provided CHAOSSEARCH External ID
TypeString
CSBucketName
DescriptionThe desired CHAOSSEARCH S3 bucket name. lower-case names only
TypeString
Resources
CHAOSSEARCHRole
TypeAWSIAMRole
Properties
AssumeRolePolicyDocument
Version'2012-10-17'
Statement
EffectAllow
Principal
AWS
Fn::Join
''
- 'arn:aws:iam::'
RefCSAccountID
":root"
ActionstsAssumeRole
Condition
StringEquals
sts:ExternalId
RefCSExternalID
CHAOSSEARCHPolicy
TypeAWSIAMPolicy
Properties
PolicyNameCHAOSSEARCHPolicy
PolicyDocument
Version'2012-10-17'
Statement
EffectAllow
Action
s3:ListAllMyBuckets
s3:GetBucketLocation
Resource"*"
EffectAllow
Action
s3:List*
Resource
Fn::Join
''
- 'arn:aws:s3:::'
RefCSBucketName
"/*"
EffectAllow
Action
s3:Get*
s3:PutObjectTagging
Resource
Fn::Join
''
- 'arn:aws:s3:::'
RefCSBucketName
"/*"
EffectAllow
Action"*"
Resource
Fn::Join
''
- 'arn:aws:s3:::'
RefCSExternalID
Fn::Join
''
- 'arn:aws:s3:::'
RefCSExternalID
"/*"
Roles
RefCHAOSSEARCHRole
Outputs
RoleARN
DescriptionThe ARN of the new CHAOSSEARCH Role
Value
Fn::GetAtt
CHAOSSEARCHRole
Arn
S3Bucket
DescriptionThe name of the CHAOSSEARCH S3 bucket that was created
Value
RefCSBucketNameRead-only permissions - All Buckets
- Enter a name for the policy - for this example, we use “ChaosSearchReadOnly”
- Enter a brief description for the policy (optional)
- Select Create policy and close the tab
Read-only permissions - Specified Bucket (recommended)
- Select Create policy (opens in new tab) and then select the JSON tab to enter a custom policy
- In the editor, copy the following policy (be sure to replace EXTERNAL-ID)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:List*"
],
"Resource": "arn:aws:s3:::airtest-testdata"
},
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:PutObjectTagging"
],
"Resource": "arn:aws:s3:::airtest-testdata/*"
},
{
"Effect": "Allow",
"Action": "*",
"Resource": [
"arn:aws:s3:::cs-EXTERNAL-ID",
"arn:aws:s3:::cs-EXTERNAL-ID/*"
]
}
]
}{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:List*"
],
"Resource": "arn:aws:s3:::SOURCE_BUCKET"
},
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:PutObjectTagging"
],
"Resource": "arn:aws:s3:::SOURCE_BUCKET/some/path/prefix/*"
},
{
"Effect": "Allow",
"Action": "*",
"Resource": [
"arn:aws:s3:::cs-EXTERNAL-ID",
"arn:aws:s3:::cs-EXTERNAL-ID/*"
]
}
]
}What access does this JSON object provide?
The first statement is to provide CHAOSSEARCH access to the Get, List, and PutObjectTagging operations (Read-only access).
Note: "s3:PutObjectTagging" is optional - this is only required to enable object tagging in the CHAOSSEARCH UI.
The second statement is to provide a bucket for CHAOSSEARCH to write its metadata and statistics. The name of the bucket must be prefixed with a "cs-" plus your "External ID"
Attach the policy to the CHAOSSEARCH IAM role
- On the Create Role page, select Refresh to update the grid with the newly created custom policy
- Enter the custom policy name into policy type filter - for this example we use "ChaosSearchReadOnly"
- Check the custom policy and select Next: Review
If you choose to grant full access to CHAOSSEARCH, you can select one of the AWS predefined policies instead of creating a custom policy.
- Type “AmazonS3FullAccess” into policy type filter
- Check “AmazonS3Full Access” policy checkbox and select Next: Review
- Choose a name for the new role - for this example we use “ChaosSearchS3Role”
- Review the CHAOSSEARCH AWS account ID in Trusted entities for accuracy
- Review the S3 privileges in Policies for accuracy
- Select Create role
- From the IAM console Roles page, click on the newly created role name
- Copy the value in the Role ARN field
- Navigate back to the CHAOSSEARCH settings page
- Paste the Role ARN into the Role ARN field and click Update
You are all setup to begin indexing and analyzing your long-term log and event data!
Troubleshooting S3 Access
If you're getting 'Request Failed' when click into a bucket or object, please review this AWS doc