-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs update for aws compute scanner (#268)
- Loading branch information
1 parent
0283ca6
commit eb2d005
Showing
2 changed files
with
61 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| # Compute Scanner | ||
|
|
||
| The AWS Compute Scanner is a tool that scans AWS accounts for new instances and | ||
| creates resources for them automatically. | ||
|
|
||
| Currently, the AWS compute scanner supports importing the following resources: | ||
|
|
||
| - Amazon Elastic Kubernetes Service Clusters (EKS) | ||
|
|
||
| ## Managed AWS Compute Scanner | ||
|
|
||
| The managed AWS Compute Scanner is built into the Ctrlplane solution. Each | ||
| workspace will be assigned an AWS IAM role when the managed provider is enabled. | ||
| You must provide this IAM role with the required permissions to access the | ||
| resources in the AWS accounts that you want it to scan. | ||
|
|
||
| After the integration is enabled, you can add a new provider, select the Managed | ||
| Provider, and add all the roles you would like it to assume to scan the | ||
| resources available to those roles. Once you hit submit, you may need to wait a | ||
| few minutes while it scans and imports all compute resources. | ||
|
|
||
| ## Role Requirements | ||
|
|
||
| The Managed AWS Compute Scanner role can be gotten from the provider settings | ||
| under `AWS Role` or from the workspace settings integration page after being | ||
| enabled. | ||
|
|
||
| The role that you want assumed in your account must have the following | ||
| permissions policy: | ||
|
|
||
| ```json | ||
| { | ||
| "Version": "2012-10-17", | ||
| "Statement": [ | ||
| { | ||
| "Effect": "Allow", | ||
| "Action": ["eks:*", "ec2:*"], | ||
| "Resource": "*" | ||
| } | ||
| ] | ||
| } | ||
| ``` | ||
|
|
||
| The role also requires a trust policy that allows the | ||
| `arn:aws:iam::<account-id>:role/ctrlplane-<workspace>` role to assume it. | ||
|
|
||
| ```json | ||
| { | ||
| "Version": "2012-10-17", | ||
| "Statement": [ | ||
| { | ||
| "Effect": "Allow", | ||
| "Principal": { | ||
| "AWS": "arn:aws:iam::<account-id>:role/ctrlplane-<workspace>" | ||
| }, | ||
| "Action": "sts:AssumeRole" | ||
| } | ||
| ] | ||
| } | ||
| ``` |