Faddom can monitor traffic on your Amazon AWS environment.
To do so you need to select the AWS region and VPC you want to monitor.
Creating an IAM User
To enable discovery of AWS, you need to create a user for Faddom with the required permissions. Faddom requires read-only access to your AWS environment. Once the IAM user is created, you will need to create an Access Key and Secret Key for it. See AWS Account and Access Keys.
You can use the following JSON policy, which contains the minimum required permissions, to define the IAM policy for the user:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FaddomAWSDiscoveryPermissions",
            "Effect": "Allow",
            "Action": [
                "ce:GetDimensionValues",
                "ce:GetCostAndUsage",
                "ec2:DescribeVolumes",
                "ec2:DescribeInstances",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:DescribeFlowLogs",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSubnets",
                "ecs:DescribeTaskDefinition",
                "ecs:DescribeTasks",
                "ecs:DescribeClusters",
                "ecs:DescribeServices",
                "ecs:ListClusters",
                "ecs:ListServices",
                "ecs:ListTasks",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTargetGroups",
                "pricing:GetProducts",
                "rds:DescribeDBInstances",
                "elasticloadbalancing:DescribeTags",
                "cloudwatch:ListMetrics",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        }
    ]
}
For help on creating IAM users, see the AWS documentation here.
For help on creating IAM policies from JSON files, see the AWS documentation here.
AWS VPC Logs
Faddom can use the VPC Flow Logs feature of AWS to map your cloud environment; flow logs take the place of the NetFlow and sFlow data used for on-prem environments. In order to read the flow logs, they need to be published to an S3 bucket to which Faddom has access. The permissions needed are s3:ListBucket and s3:GetObject. You need to use the AWS Default Format and ensure the log files are in text format. For further information, see the AWS documentation. The following policy grants the required bucket access:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FaddomS3Permissions",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::[FLOW_LOGS_BUCKET]/*",
                "arn:aws:s3:::[FLOW_LOGS_BUCKET]"
            ]
        }
    ]
}
* Note: replace [FLOW_LOGS_BUCKET] with the name of the bucket in which the flow logs are stored.
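As an added example (not Faddom's own code), the following parser shows what a reader of the S3-published flow logs has to handle: the header line identifies the AWS default format, and NODATA/SKIPDATA records, which carry no addresses, must be skipped before accepted flows are aggregated into source/destination/port pairs. The sample file, account id, ENI id and addresses are constructed.

```python
"""Parse AWS VPC Flow Log files in the default (version 2) text format and
summarise accepted traffic per source/destination/port. Added example."""
from collections import defaultdict

# Field order of the AWS default flow-log format (the header line of each file).
DEFAULT_FIELDS = ("version account-id interface-id srcaddr dstaddr srcport "
                  "dstport protocol packets bytes start end action log-status").split()

def parse_flow_log(text):
    """Return a list of dict records; raise ValueError if the header is not the
    AWS default format (a custom format would need its own field list)."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines or lines[0].split() != DEFAULT_FIELDS:
        raise ValueError("not in AWS default flow-log format")
    records = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(DEFAULT_FIELDS):
            raise ValueError(f"malformed record: {line!r}")
        records.append(dict(zip(DEFAULT_FIELDS, fields)))
    return records

def summarise_accepted(records):
    """Aggregate bytes of ACCEPTed flows keyed by (src, dst, dstport, protocol).
    NODATA/SKIPDATA records have '-' in the address fields and are ignored."""
    totals = defaultdict(int)
    for r in records:
        if r["log-status"] != "OK" or r["action"] != "ACCEPT":
            continue
        key = (r["srcaddr"], r["dstaddr"], int(r["dstport"]), int(r["protocol"]))
        totals[key] += int(r["bytes"])
    return dict(totals)

# Constructed sample file: two accepted Postgres flows, one rejected SSH attempt
# from outside, and one NODATA interval.
SAMPLE = """version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49152 5432 6 10 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49153 5432 6 5 1200 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40000 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000120 1700000180 - NODATA
"""

if __name__ == "__main__":
    for key, nbytes in summarise_accepted(parse_flow_log(SAMPLE)).items():
        print(key, nbytes)
```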
Connecting Faddom to AWS
Once you have an access key for the user, enter it in the credentials fields.
Once entered, you will be able to click on SET CREDENTIALS.
AWS Region
Here you will be able to select the Region you wish to map, and the list of VPCs will be populated. You can add as many VPCs as you wish. If you wish to map multiple regions and accounts, you will need to repeat the above process with the same credentials (see Map Multiple Regions and Accounts below).
Map Multiple Regions and Accounts
If you wish to map multiple regions within the same account or multiple accounts, you will need to enter the credentials each time.
For multiple regions in one account you can use the same credentials (providing the IAM user has permissions for the desired regions).
For multiple accounts, you will need to create an IAM user for each account and repeat the process.
To add additional credentials, click on the '+' icon; the drop-down displays 'New AWS Credentials', which changes once you enter a Display Name.
AWS VPC Logs
The S3 bucket, permissions and log format requirements for flow logs are described above. For further information, see the AWS documentation:
Logging IP traffic using VPC Flow Logs
Publish flow logs to Amazon S3
Collating Flow Logs Into One Data Source
If you have multiple accounts, you can set up the flow logs to be stored in a single S3 bucket in one of the accounts. Faddom can then be set up to read all the flow logs stored in that S3 bucket. In this case, Faddom only requires the credentials of the account hosting the S3 bucket.
Default Credentials
These are the credentials of the server Faddom is deployed on. This is useful when Faddom is deployed in AWS as it will default to the IAM role and credentials assigned to the EC2 instance.