This article walks you step by step through integrating Scytale with any of the available AWS services.
Permissions
We use the AWS managed policy known as SecurityAudit. This policy focuses on the security configurations relevant to the audit and only grants read access to metadata.
Additionally, we add a few custom permissions to this role to cover the extra automation needed for the data we collect:
- You can find the list of permissions for Security Audit
- cloudtrail:ListTrails
- backup:ListBackupPlans
- backup:GetBackupPlan
- backup:ListBackupSelections
- backup:GetBackupSelection
There is no need to create any policy with these permissions manually. It will be created for you automatically using the CloudFormation link below.
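As an added example (not Scytale's code or the contents of its CloudFormation template), the following Python models the cross-account role the stack creates and audits it for the properties the section describes: read-only custom actions, the SecurityAudit managed policy attached, and a trust policy scoped to one account that requires the External ID from the wizard. The Scytale account ID, the policy name and the sample external ID are constructed placeholders; the custom action list and the `Scytale_ReadOnly` role name are taken from this page.

```python
"""Model the Scytale read-only role and check it stays least-privilege.

Added example, not Scytale's code. Placeholders (not from the page):
SCYTALE_ACCOUNT_ID and the external ID used when calling the functions.
"""

import re

SCYTALE_ACCOUNT_ID = "111111111111"  # constructed placeholder, not Scytale's real account
SECURITY_AUDIT_POLICY_ARN = "arn:aws:iam::aws:policy/SecurityAudit"
ROLE_NAME = "Scytale_ReadOnly"  # role name shown in the page's IAM console link

# The extra actions the page lists on top of SecurityAudit.
CUSTOM_ACTIONS = [
    "cloudtrail:ListTrails",
    "backup:ListBackupPlans",
    "backup:GetBackupPlan",
    "backup:ListBackupSelections",
    "backup:GetBackupSelection",
]

# Action verbs that only read metadata; anything else is flagged.
READ_ONLY_VERBS = ("Get", "List", "Describe")


def build_trust_policy(external_id: str, trusted_account: str = SCYTALE_ACCOUNT_ID) -> dict:
    """Trust policy: only the trusted account may assume the role, and only
    when it presents the External ID shown in the Scytale connection wizard."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_custom_policy(actions=CUSTOM_ACTIONS) -> dict:
    """Inline policy carrying the custom read-only actions from the page."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}],
    }


def _statements(doc: dict) -> list:
    stmts = doc.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def audit_role(trust_policy: dict, inline_policy: dict, managed_policy_arns) -> list:
    """Return human-readable findings. An empty list means the role matches what
    the page describes: read-only, scoped to one account, External ID required."""
    findings = []
    for s in _statements(trust_policy):
        if s.get("Effect") != "Allow":
            continue
        principal = s.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy allows any AWS principal to assume the role")
        cond = s.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            findings.append("trust policy does not require an External ID (confused-deputy risk)")
    for s in _statements(inline_policy):
        if s.get("Effect") != "Allow":
            continue
        actions = s.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        for action in actions:
            m = re.fullmatch(r"([a-z0-9-]+):([A-Za-z0-9*]+)", action)
            if not m or m.group(2) == "*" or not m.group(2).startswith(READ_ONLY_VERBS):
                findings.append(f"non read-only action granted: {action}")
    if SECURITY_AUDIT_POLICY_ARN not in managed_policy_arns:
        findings.append("SecurityAudit managed policy is not attached")
    return findings


if __name__ == "__main__":
    trust = build_trust_policy("example-external-id")  # constructed sample value
    print(audit_role(trust, build_custom_policy(), [SECURITY_AUDIT_POLICY_ARN]))
```

The same `audit_role` check can be run against the real role after the stack is created (fetch the trust and inline policies with the IAM API and pass them in) to confirm that nothing broader than what this page lists was granted.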
Create a new connection
Within the Scytale web app:
- In Scytale, go to 'Integrations'.
- Find the relevant AWS service and click "Connect".
- You will see the following configuration wizard:
Your Account ID and External ID will already be filled in.
To finish the setup you will need to fill in 3 fields:
- Role ARN - The detailed steps for configuring the role and retrieving its ARN are covered in the following section.
- Select Regions - Select the AWS regions relevant to your integration.
- Connection name - Connection names are used to differentiate between multiple connections in case you set up multiple connections to the same integration. Connection names are automatically titled "Connection 1", "Connection 2" etc., but can be customized to make them easier to identify, for example: scytale-production-env.
Once you have filled in all these fields, select 'Connect'.
Setting permissions and retrieving the role ARN
AWS has a built-in tool called CloudFormation which we will use to set up the required permissions.
If you have already set up a connection to any AWS service in Scytale using CloudFormation, you are already done: just paste the same role ARN into every AWS service you wish to connect.
If you have multiple AWS accounts, note that role ARNs are unique per account, so each account needs its own stack and its own ARN.
Creating a stack for the first time takes less than 5 minutes.
The creation process consists of the following steps:
- Create stack
- Specify stack details
- Configure stack options
- Review
1. Create stack
The following link opens AWS CloudFormation with the predefined stack template we created; it includes all the permissions required for a successful Scytale integration:
CloudFormation link (👈 click me)
Note that to connect the AWS Organizations integration, you should create the CloudFormation stack from the master account.
2. Specify stack details
Fill in your External ID by copying it from the connection wizard you opened at the beginning of this tutorial, then click Next on the AWS CloudFormation page.
3. Configure stack options
In the Configure stack options step, click Next without making any changes.
4. Review
- Confirm the info panel “I acknowledge that AWS CloudFormation might create IAM resources with custom names”
- Click “Submit”
- The stack is added to the list of stacks with status “CREATE_IN_PROGRESS”
- When creation succeeds, the status should change to “UPDATE_COMPLETE”
- The stack creates a role with all the required permissions for Scytale AWS integrations
5. Retrieving the role ARN
To finish the setup in the Scytale web app, you will need to retrieve the ARN of the role you created in the previous step.
You can find the relevant role ARN in the AWS IAM role details screen using this link: https://console.aws.amazon.com/iamv2/home#/roles/details/Scytale_ReadOnly?section=permissions
6. Finishing the setup
- Return to the Scytale integration connection wizard.
- Paste the Role ARN value.
- Click Connect.
Congrats, you are done! 🎉
If you used our predefined stack template, you can use the same role ARN to connect all other AWS services to Scytale.
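For teams that script their AWS setup rather than clicking through the console, here is an added example (not Scytale's code) that performs the same procedure with boto3: submit the stack with the External ID parameter, wait for it to leave the in-progress state, look up the `Scytale_ReadOnly` role's ARN, and check that ARN belongs to the expected account before it is pasted into the wizard (the ARN is account-specific, as noted above). The template URL, the `ExternalId` parameter key and the stack name are assumptions, since the page only exposes the template through its link; `CAPABILITY_NAMED_IAM` is the API equivalent of the "might create IAM resources with custom names" acknowledgment in the Review step.

```python
"""Script the Scytale CloudFormation setup and validate the resulting role ARN.

Added example, not Scytale's code. Assumed placeholders (not from the page):
TEMPLATE_URL, EXTERNAL_ID_PARAMETER and the stack name.
"""

import re
import time

TEMPLATE_URL = "https://example.invalid/scytale-readonly-role.yaml"  # placeholder
EXTERNAL_ID_PARAMETER = "ExternalId"  # assumed template parameter key
STACK_NAME = "ScytaleIntegration"  # assumed stack name
ROLE_NAME = "Scytale_ReadOnly"  # role name from the page's IAM console link

# Shape of an IAM role ARN: partition, 12-digit account, role path/name.
ROLE_ARN_RE = re.compile(r"^arn:(aws|aws-us-gov|aws-cn):iam::(\d{12}):role/([\w+=,.@/-]+)$")


def create_scytale_stack(cfn, external_id, stack_name=STACK_NAME, template_url=TEMPLATE_URL):
    """Submit the stack. CAPABILITY_NAMED_IAM is the API form of the console's
    'I acknowledge that AWS CloudFormation might create IAM resources with
    custom names' checkbox; without it the create call is rejected."""
    resp = cfn.create_stack(
        StackName=stack_name,
        TemplateURL=template_url,
        Parameters=[{"ParameterKey": EXTERNAL_ID_PARAMETER, "ParameterValue": external_id}],
        Capabilities=["CAPABILITY_NAMED_IAM"],
    )
    return resp["StackId"]


def wait_for_stack(cfn, stack_name=STACK_NAME, poll_seconds=10, max_polls=60, sleep=time.sleep):
    """Poll until the stack leaves any *_IN_PROGRESS status and return the final status."""
    for _ in range(max_polls):
        stack = cfn.describe_stacks(StackName=stack_name)["Stacks"][0]
        status = stack["StackStatus"]
        if not status.endswith("_IN_PROGRESS"):
            return status
        sleep(poll_seconds)
    raise TimeoutError(f"stack {stack_name} still in progress after {max_polls} polls")


def fetch_role_arn(iam, role_name=ROLE_NAME):
    """Look up the role by name; this is what the page's console link shows."""
    return iam.get_role(RoleName=role_name)["Role"]["Arn"]


def check_role_arn(arn, expected_account, expected_role=ROLE_NAME):
    """Return a list of problems with the ARN; empty means it is safe to paste.
    ARNs are unique per account, so the account part must match the account
    in which the stack was just created."""
    m = ROLE_ARN_RE.match(arn or "")
    if not m:
        return ["not an IAM role ARN"]
    _, account, name = m.groups()
    problems = []
    if account != expected_account:
        problems.append(f"ARN belongs to account {account}, expected {expected_account}")
    if name != expected_role:
        problems.append(f"role name is {name}, expected {expected_role}")
    return problems


if __name__ == "__main__":
    import sys
    import boto3  # only needed when actually talking to AWS

    external_id, account_id = sys.argv[1], sys.argv[2]  # from the wizard and your AWS account
    cfn, iam = boto3.client("cloudformation"), boto3.client("iam")
    create_scytale_stack(cfn, external_id)
    print("stack status:", wait_for_stack(cfn))
    arn = fetch_role_arn(iam)
    print("role ARN:", arn, "problems:", check_role_arn(arn, account_id))
```

The clients are passed in as parameters so the logic can be exercised without AWS credentials; in production the `__main__` block wires in real boto3 clients for the account you are connecting.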