
Overview

The onboarding process to set up our Logs Analysis service with an AWS ALB in the customer account involves executing a CloudFormation stack in the customer environment.

Requirements for CloudFormation Stack Execution

To execute this stack, a role with sufficient permissions and the following trust relationship to the CloudFormation service is required so that CloudFormation can create the resources.

Create a role with the following trust policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudformation.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Attach the following permissions policy to the role

The role needs the following permissions:

Service   Actions
IAM       ListRolePolicies, ListAttachedRolePolicies, GetRolePolicy, GetRole, CreateRole, PutRolePolicy
Lambda    GetFunction, GetRuntimeManagementConfig, GetFunctionCodeSigningConfig, CreateFunction

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws:iam::${Account}:role/${RoleNameWithPath}"
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:GetFunction",
                "lambda:GetFunctionCodeSigningConfig",
                "lambda:GetRuntimeManagementConfig"
            ],
            "Resource": "arn:aws:lambda:${Region}:${Account}:function:${FunctionName}"
        }
    ]
}

Resources created by the CloudFormation Stack

Logical ID                          Type     Description
DTLogsAnalysisLambdaExecutionRole   IAM      Role to be assumed by the Lambda to execute the actions
DTLogsAnalysisLambdaFunction        Lambda   Lambda with Python code using boto3 to create the resources necessary for logs to flow from the load balancer to Data Theorem
InvokeLambdaFunction                Custom   Custom resource that invokes the Lambda with a payload (i.e. passing some parameters from the stack, such as the ARN of the LB) to execute the logic

Lambda Execution Role Privileges (DTLogsAnalysisLambdaExecutionRole)

The execution role assigned to the Lambda, generated by CloudFormation, has the policy below attached to grant the privileges it needs:

Version: '2012-10-17'
Statement:
  - Effect: Allow
    Action:
      - 'logs:CreateLogGroup'
      - 'logs:CreateLogStream'
      - 'logs:PutLogEvents'
    Resource: 'arn:aws:logs:*:*:*'
  - Effect: Allow
    Action:
      - 'elasticloadbalancing:DescribeLoadBalancers'
      - 'elasticloadbalancing:ModifyLoadBalancerAttributes'
      - 'elasticloadbalancing:DescribeLoadBalancerAttributes'
      - 's3:*'
      - 'sns:CreateTopic'
      - 'sns:Subscribe'
    Resource: '*'

Resources created/modified by the Lambda (DTLogsAnalysisLambdaFunction)

The Lambda function, upon execution, may create or configure the following resources:

  • An S3 bucket for ALB raw log storage (if not already configured)

  • A bucket policy for read-only access by Data Theorem AWS account

  • An SNS topic and subscription for log event notifications to our Logs Analysis service
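The two configuration steps above (pointing the ALB's access-log attributes at the bucket and granting the reader account read-only access) as pure Python helpers; this is an added example, not the stack's own Lambda code, and it makes no AWS calls. The function names, the account ID and the log-delivery principal are assumptions and placeholders; the input shape is the one boto3's describe_load_balancer_attributes() returns.

```python
# Placeholders constructed for this example, not real identifiers.
READER_ACCOUNT_ID = "111111111111"  # account that is granted read-only access
# Region-specific: older regions use an ELB account ID, newer ones a service
# principal; take the value from the ALB access-log docs for the target region.
LOG_DELIVERY_PRINCIPAL = {"Service": "logdelivery.elasticloadbalancing.amazonaws.com"}


def alb_attribute_changes(current, bucket, prefix):
    """Given the attribute list that describe_load_balancer_attributes() returns,
    return only the access-log attributes that differ from the desired state.
    An empty list means logging already points at bucket/prefix."""
    wanted = {
        "access_logs.s3.enabled": "true",
        "access_logs.s3.bucket": bucket,
        "access_logs.s3.prefix": prefix,
    }
    have = {a["Key"]: a["Value"] for a in current}
    return [{"Key": k, "Value": v} for k, v in wanted.items() if have.get(k) != v]


def log_bucket_policy(bucket, prefix, reader_account, delivery_principal):
    """Bucket policy with exactly two grants: the log-delivery principal may
    write objects under the prefix, and the reader account may only list the
    bucket and get objects. No write or delete is granted to the reader."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowALBLogDelivery",
                "Effect": "Allow",
                "Principal": delivery_principal,
                "Action": "s3:PutObject",
                "Resource": f"{arn}/{prefix}/AWSLogs/*",
            },
            {
                "Sid": "ReadOnlyForLogsAnalysis",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{reader_account}:root"},
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [arn, f"{arn}/{prefix}/*"],
            },
        ],
    }


# Constructed sample in the shape boto3 returns for an ALB with logging off.
SAMPLE_ATTRIBUTES = [{"Key": "access_logs.s3.enabled", "Value": "false"},
                     {"Key": "deletion_protection.enabled", "Value": "true"}]
```

Unlike the execution role's s3:* on Resource '*', the generated bucket policy limits the external account to list and get, which is the property worth verifying on the bucket after the stack has run.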
