AWS Prerequisites

Amazon Web Services (AWS) is a secure cloud services platform, offering compute power, database storage, content delivery and other functionality to help businesses scale and grow.

NOTE

There are multiple versions of the AWS console, so the order and terminology of the following steps may differ slightly.

Create a new role for CHAOSSEARCH in AWS

  1. Please log into your AWS console or create an AWS account if you have not yet done so
  2. Navigate to the Roles page of the IAM service (Services > Security, Identity & Compliance > IAM > Roles)
  3. Select Create role

AWS IAM Role Requirements

CHAOSSEARCH uses Amazon AWS IAM roles to allow you to delegate access to your S3 buckets to the CHAOSSEARCH service. Follow these steps to configure your Amazon AWS account.

Create role for another AWS account

  1. Select Another AWS account
  2. Enter the CHAOSSEARCH AWS account ID (515570774723) in the Account ID field
  3. Check Require External ID. Then, in your CHAOSSEARCH account, click Settings under the gear icon
  4. Select AWS Credentials, then copy and paste the External ID value into the Required External ID field
  5. Select Next: Permissions

IAM Role Policy Permissions

CHAOSSEARCH S3 Bucket Access

In order for CHAOSSEARCH to read the bucket(s) you want to start indexing, it needs permission to list all of your S3 buckets. If you have any questions, please feel welcome to reach out to our Team!

CloudFormation Template

---
AWSTemplateFormatVersion: '2010-09-09'
Description: CHAOSSEARCH AWS Integration
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: CHAOSSEARCH Authentication
      Parameters:
      - CSAccountID
      - CSExternalID
    ParameterLabels:
      CSAccountID:
        default: What is your provided CHAOSSEARCH Account ID?
      CSExternalID:
        default: What is your provided CHAOSSEARCH External ID?
      CSBucketName:
        default: What bucket for CHAOSSEARCH access?
Parameters:
  CSAccountID:
    Description: The provided CHAOSSEARCH Account ID
    Type: String
    Default: 515570774723
  CSExternalID:
    Description: The provided CHAOSSEARCH External ID
    Type: String
  CSBucketName:
    Description: The desired CHAOSSEARCH S3 bucket name. lower-case names only
    Type: String
Resources:
  CHAOSSEARCHRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            AWS:
              Fn::Join:
              - ''
              - - 'arn:aws:iam::'
                - Ref: CSAccountID
                - ":root"
          Action: sts:AssumeRole
          Condition:
            StringEquals:
              sts:ExternalId:
                Ref: CSExternalID
  CHAOSSEARCHPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CHAOSSEARCHPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Action:
          - s3:ListAllMyBuckets
          - s3:GetBucketLocation
          Resource: "*"
        - Effect: Allow
          Action:
          - s3:List*
          Resource:
          # s3:ListBucket is evaluated against the bucket ARN itself, not bucket/*
          - Fn::Join:
            - ''
            - - 'arn:aws:s3:::'
              - Ref: CSBucketName
        - Effect: Allow
          Action:
          - s3:Get*
          - s3:PutObjectTagging
          Resource:
          - Fn::Join:
            - ''
            - - 'arn:aws:s3:::'
              - Ref: CSBucketName
              - "/*"
        - Effect: Allow
          Action: "*"
          Resource:
          - Fn::Join:
            - ''
            - - 'arn:aws:s3:::'
              - Ref: CSExternalID
          - Fn::Join:
            - ''
            - - 'arn:aws:s3:::'
              - Ref: CSExternalID
              - "/*"
      Roles:
      - Ref: CHAOSSEARCHRole
Outputs:
  RoleARN:
    Description: The ARN of the new CHAOSSEARCH Role
    Value:
      Fn::GetAtt:
      - CHAOSSEARCHRole
      - Arn
  S3Bucket:
    Description: The name of the S3 bucket CHAOSSEARCH was granted access to
    Value:
      Ref: CSBucketName

Read-only permissions - All Buckets

  1. Enter a name for the policy - for this example, we use “ChaosSearchReadOnly”
  2. Enter a brief description for the policy (optional)
  3. Select Create policy and close the tab

Read-only permissions - Specified Bucket (recommended)

  1. Select Create policy (opens in new tab) and then select the JSON tab to enter a custom policy
  2. In the editor, paste the following policy (be sure to replace EXTERNAL-ID with your External ID and airtest-testdata with the name of your bucket)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:List*"
            ],
            "Resource": "arn:aws:s3:::airtest-testdata"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:PutObjectTagging"
            ],
            "Resource": "arn:aws:s3:::airtest-testdata/*"
        },
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::cs-EXTERNAL-ID",
                "arn:aws:s3:::cs-EXTERNAL-ID/*"
            ]
        }
    ]
}
  3. Click Review policy.

Read-only permissions - Prefix specific

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:List*"
            ],
            "Resource": "arn:aws:s3:::SOURCE_BUCKET"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:PutObjectTagging"
            ],
            "Resource": "arn:aws:s3:::SOURCE_BUCKET/some/path/prefix/*"
        },
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::cs-EXTERNAL-ID",
                "arn:aws:s3:::cs-EXTERNAL-ID/*"
            ]
        }
    ]
}

What access does this JSON object provide?

The first three statements give CHAOSSEARCH read-only access: listing your buckets and locating them, listing the contents of the source bucket, and the Get and PutObjectTagging operations on its objects (or on the objects under the given prefix).

Note: "s3:PutObjectTagging" is optional - it is only required to enable object tagging in the CHAOSSEARCH UI.

The final statement provides a bucket for CHAOSSEARCH to write its metadata and statistics. The name of this bucket must be "cs-" followed by your External ID.
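The following is an added example, not CHAOSSEARCH's own tooling: a small Python checker a reviewer can run over the role's trust policy and over the S3 permissions policy (the JSON policies above and the policy document in the CloudFormation template) before handing over the Role ARN. It confirms that only the expected account can assume the role and only with the expected sts:ExternalId, that wildcard actions are limited to the cs-<External ID> metadata bucket, that s3:List* is scoped to the bucket ARN itself (ListBucket is not authorised by a bucket/* resource), and that Get/PutObjectTagging stay inside the chosen bucket or prefix. The sample documents are constructed to mirror the page, with "example-external-id" as a placeholder for a real External ID.

```python
"""Static checks for a CHAOSSEARCH-style cross-account S3 role (added example)."""
import fnmatch

CS_ACCOUNT = "515570774723"          # CHAOSSEARCH account ID given on the page
EXTERNAL_ID = "example-external-id"  # placeholder: use the value from your CHAOSSEARCH settings
SOURCE_BUCKET = "airtest-testdata"   # example bucket name used on the page

# Constructed trust policy, mirroring "Create role for another AWS account".
SAMPLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{CS_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Constructed permissions policy, mirroring "Read-only permissions - Specified Bucket".
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:List*"], "Resource": f"arn:aws:s3:::{SOURCE_BUCKET}"},
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:PutObjectTagging"], "Resource": f"arn:aws:s3:::{SOURCE_BUCKET}/*"},
        {"Effect": "Allow", "Action": "*",
         "Resource": [f"arn:aws:s3:::cs-{EXTERNAL_ID}", f"arn:aws:s3:::cs-{EXTERNAL_ID}/*"]},
    ],
}

# Constructed variant with two mistakes: List* on bucket/* (never matches ListBucket)
# and Get*/PutObjectTagging on every bucket in the account.
MISSCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        SAMPLE_POLICY["Statement"][0],
        {"Effect": "Allow", "Action": ["s3:List*"], "Resource": f"arn:aws:s3:::{SOURCE_BUCKET}/*"},
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:PutObjectTagging"], "Resource": "*"},
        SAMPLE_POLICY["Statement"][3],
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_findings(doc, expected_account=CS_ACCOUNT, external_id=EXTERNAL_ID):
    """Return problems with the role's trust policy; an empty list means it is as expected."""
    findings = []
    expected_principal = f"arn:aws:iam::{expected_account}:root"
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        trusted = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in trusted:
            if p != expected_principal:
                findings.append(f"unexpected trusted principal {p!r}")
        # Without the External ID condition any party the trusted account acts for could assume the role
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required != external_id:
            findings.append("AssumeRole is not conditioned on the expected sts:ExternalId")
    return findings


def s3_policy_findings(doc, source_bucket=SOURCE_BUCKET, external_id=EXTERNAL_ID, prefix=""):
    """Return problems with the S3 permissions policy; an empty list means it is scoped as the page describes."""
    bucket_arn = f"arn:aws:s3:::{source_bucket}"
    object_scope = f"{bucket_arn}/{prefix}"  # prefix is "" for whole-bucket access
    metadata_arns = {f"arn:aws:s3:::cs-{external_id}", f"arn:aws:s3:::cs-{external_id}/*"}
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            for res in _as_list(stmt["Resource"]):
                if action in ("*", "s3:*"):
                    # Full access is acceptable only on the CHAOSSEARCH metadata bucket
                    if res not in metadata_arns:
                        findings.append(f"wildcard action on {res!r}")
                elif action in ("s3:ListAllMyBuckets", "s3:GetBucketLocation"):
                    continue  # account-wide calls; the page grants these on "*"
                elif fnmatch.fnmatch("s3:ListBucket", action):
                    # ListBucket is authorised against the bucket ARN, never against bucket/*
                    if res != bucket_arn:
                        findings.append(f"{action} on {res!r}: ListBucket needs {bucket_arn!r}")
                elif action.startswith("s3:Get") or action == "s3:PutObjectTagging":
                    if not res.startswith(object_scope):
                        findings.append(f"{action} on {res!r} reaches outside {object_scope!r}")
                else:
                    findings.append(f"non-read action {action} on {res!r}")
    return findings


if __name__ == "__main__":
    for name, result in (("trust", trust_policy_findings(SAMPLE_TRUST)),
                         ("policy", s3_policy_findings(SAMPLE_POLICY)),
                         ("mis-scoped policy", s3_policy_findings(MISSCOPED_POLICY))):
        print(f"{name}: {result or 'OK'}")
```

Running the checker with prefix="some/path/prefix/" against the whole-bucket policy reports the Get and PutObjectTagging grants as wider than the prefix, which is the difference between the "Specified Bucket" and "Prefix specific" policies above. One caveat the prefix policy does not remove: s3:ListBucket on the bucket ARN still allows listing every key name in the bucket unless the statement also carries an s3:prefix condition.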

Attach the policy to the CHAOSSEARCH IAM role

  • On the Create Role page, select Refresh to update the grid with the newly created custom policy
  • Enter the custom policy name into policy type filter - for this example we use "ChaosSearchReadOnly"
  • Check the custom policy and select Next: Review

Full access permissions

If you choose to grant full access to CHAOSSEARCH, you can select one of the AWS predefined policies instead of creating a custom policy.

  • Type “AmazonS3FullAccess” into the policy type filter
  • Check the “AmazonS3FullAccess” policy checkbox and select Next: Review

Name and review role

  • Choose a name for the new role - for this example we use “ChaosSearchS3Role”
  • Review the CHAOSSEARCH AWS account ID in Trusted entities for accuracy
  • Review the S3 privileges in Policies for accuracy
  • Select Create role

Communicate Role ARN to CHAOSSEARCH

  • From the IAM console Roles page, click on the newly created role name
  • Copy the value in the Role ARN field
  • Navigate back to the CHAOSSEARCH settings page
  • Paste the Role ARN into the Role ARN field and click Update

You are all set up to begin indexing and analyzing your long-term log and event data!

Troubleshooting S3 Access

If you're getting 'Request Failed' when clicking into a bucket or object, please review this AWS doc
