Cloud Services
      Back to home
      1. Help Center
      2. Integrations
      3. Cloud Services

      AWS EC2 - User Guide

      In this article, you will understand step by step how to easily integrate the Scytale platform with AWS EC2

      AWS EC2 integration collects information about your security groups that control traffic in each VPC, ensuring that no unauthorized inbound traffic is allowed through the security groups. The integration collects only necessary configuration information that is needed for controls related to cloud security.

      Permissions:

      All the permissions that are required for the integration with AWS RDS are read-only permissions and do not allow Scytale to perform any actions within your AWS account.

      • ec2:DescribeRegions
      • ec2:DescribeSecurityGroups
      • ec2:DescribeVolumes
      • ec2:DescribeInstances
      • ec2:DescribeNetworkInterfaces
      • ec2:DescribeVpcs

      How to connect to the AWS EC2 integration?


      Log in to the Scytale web app

      • Click on the "Integrations" menu screen to the left
      • Click on the "Connect" button under the AWS EC2 icon

      There are two methods to connect to AWS EC2:

      💡The first method is recommended and as default, it will show up in the connection,
      but if you prefer the second method, you can switch between them by clicking on the switch button. 

      1. Connect with IAM role - the main actions in AWS IAM:
        Create a policy with permissions for the integration, and then create the assumed role. 
      2. Connect with Access keys - the main actions in AWS IAM:
        Create a policy with permissions for the integration, and then create a user assigned to it. At the end of creating the user, you provide the access key and secret key.

      💡In the connection screen, you can change the connection method by clicking on the switch button. 

      • Connection Name (relevant for both methods) - is used to differentiate between your connections. For instance, if you manage multiple AWS accounts or would like to connect multiple times to the integration. It's automatically titled (Connection 1,2,3 etc), but you can change it to a custom name to make it easier to identify.
        For example: scytale-production-env.

      The First Method: Connect with IAM Role

      Step 1: Create a policy in AWS IAM Console

      • Go to the AWS Console

      • In the top search, write IAM and select it in services

      • On the left sidebar, go to "Access Management" and select "Policies"

      • In the top-right corner, click on Create Policy

      • In the Create Policy screen, follow the instructions below:
        • Service - select EC2
        • Actions - Enable the following permissions:
          • DescribeRegions
          • DescribeSecurityGroups
          • DescribeVolumes

      • Resources - Leave it as "The action you chose support all resources".

      • Request conditions - Leave as is.

      • Click on Next

      • On the Review policy page, please fill in the following fields:

        • Name the policy: scytale-aws-ec2

        • Description: you can write your own description here

        • Click on Create policy

       

      Step 2: Create an IAM role 

      • On the left menu in the IAM service,  select Roles.

      • In the top right corner, click on create role.
      • In the trusted entity type - select AWS account. 
      • Then, enable "Another AWS account"
        • The Account ID should be copied from the connection in Scytale.
      • Under options, enable "Require external ID (Best practice when a third party will assume this role)"
        • The External ID should be copied from the connection in Scytale.
      • Please don't enable the require MFA.
      • Click on "Next"






      • In the Add permissions step, find the policy you created in the previous step.
      • Enable this policy. 
      • Click on "Next"
      • Then, add the role name and review the policy and role details. 
      • Click on "Create role" if all the details are correct. 

      • Click "View role" in the success notification at the top of the screen.

      • Copy the ARN from Summary and paste it into Scytale's Role ARN field. 

      • Click on Connect in Scytale after pasting the Role ARN. 

      The Second Method: Connect with Access keys


      Step 1: Create a policy in AWS IAM Console

      • Go to the AWS Console
      • In the top search, write IAM and select it in services

      • On the left sidebar, go to "Access Management" and select "Policies"

      • In the top-right corner, click on Create Policy

      • In the Create Policy screen, follow the instructions below:

        • Service - select EC2

        • Actions - Enable the following permissions:

          • DescribeRegions

          • DescribeSecurityGroups

          • DescribeVolumes

      • Resources - Leave it as "The action you chose support all resources".

      • Request conditions - Leave as is.

      • Click on Next

      • On the Review policy page, please fill in the following fields:

        • Name the policy: scytale-aws-ec2

        • Description: you can write your own description here

        • Click on Create policy

      Step 2: Create a user and generate an Access key

      • On the left sidebar in AWS console, go to "Access Management" and select "Users"

      • In the top right corner, click on Add users

      • In the user name field, please enter the following: scytale-ec2

      • For the "Select AWS credential type" option - tick the "Access key - Programmatic access" box

      • Click on Next

      • In the Set permissions screen, select the option: Attach existing policies directly

      • Search for, and select the policy that you created - scytale-aws-ec2

      • Click on Next

      • Copy the Access key ID and the Secret access key (as you'll need these details to connect the integration)

       
      • In Scytale, click Connect on to AWS EC2.
      • Click the button to switch to the Access keys method and then paste the keys.