Amazon Web Services (AWS) is a cloud service provided by Amazon.com. AWS enables you to have virtualized computing platforms accessible through the internet. It is divided into a number of regions around the world. You access and configure all of your services using the AWS Management Console.

Node changes in Technology Knowledge Update TKU 2019-Dec-1

TKU December 2019 enhances the model for Cloud Regions and Cloud Services to be segregated by account. If you discover more than one AWS Account, more than one Azure Subscription or more than one GCP Project, all the data from Cloud Region through to individual nodes within services will be clearly separated, where before it was intermingled.

As a result, the keys of all CloudRegion and CloudService nodes, and many contained nodes will change, even if you only discover a single account. If you synchronize to a CMDB, the identities of the corresponding CIs will also change.

The existing nodes are not deleted automatically with the application of the TKU. To remove the old nodes from the BMC Discovery model, you can delete the patterns that were deactivated by the new patterns in the TKU. However, the old CIs in the CMDB will not be deleted automatically. The simplest way to remove them is to perform a resynchronization.

Discovering Amazon Web Services

This section describes the settings and procedures required to discover services running in AWS. It contains the following sections:

Time Synchronization

You must ensure that your appliance time is synchronized using NTP. If you do not use NTP, you must ensure that the time is no further than five minutes from the time AWS is using. AWS uses timestamped authentication and any discrepancy will result in authentication failures.

Services and regulatory domains discovered

The following regulatory domains can be discovered:

You need to set up separate appropriate credentials for the AWS public cloud and the AWS GovCloud (US).

BMC Discovery enables you to discover your cloud services running in AWS. The following set of AWS services can be discovered with the latest product content update:


More detailed information on discovery of AWS services is contained in the following Configipedia pages:

Create a credential

To perform discovery on AWS, you must provide an access key (credential) with which BMC Discovery can access the AWS cloud. You create the access key using the AWS Identity and Access Management (IAM) console. You then add the cloud discovery credential, using the access key created in the IAM console, to BMC Discovery. 

Create an Access Key in the IAM console

  1. Use the IAM console to create a new IAM user for discovery. You can use the root account, but Amazon recommends against it. The new user only needs 'Programmatic access'.
  2. Grant the discovery user the following permission:
    • ReadOnlyAccess
      (This simplifies and replaces the previously documented individual permissions.)
  3. From the discovery user account, create an access key. The access keys are used to make secure queries to the AWS APIs.
  4. Copy the Access Key ID and the Secret Access Key. You can also download the Access Key ID and Secret Access Key as a CSV file and then import it when you create a cloud credential in BMC Discovery.

    If you lose the secret access key, you cannot retrieve it from the IAM console; you must create a new access key and use the new key in the BMC Discovery cloud credential. Keep a note of the secret access key until you have successfully tested the cloud credential.

Create a cloud credential in BMC Discovery 

Create the cloud credential in the same way as any other credential. The cloud credential uses the Access Key ID and Secret Access Key as the equivalent of a username and password combination.

  1. From the BMC Discovery Device Credentials page, click Add and select Cloud Provider from the drop-down list.
    The Add Credential page is displayed.
  2. Click the 'plus icon' next to Credential Types to see the available Cloud Providers. Select Amazon Web Services from the drop-down list.
  3. Add the usual credential information:
    • Label
    • Description
  4. Add the information in the additional fields for AWS:
    1. Access Key ID
      The AWS IAM console enables you to download the Access Key ID and Secret Access Key as a CSV file. You can import the CSV file downloaded from the IAM console, reducing the scope for cut-and-paste errors when creating AWS credentials in BMC Discovery. To upload a CSV file containing the Key ID and Secret, click Upload CSV, select the file, and click Open.
    2. Secret Access Key
    3. CyberArk: If the CyberArk integration is enabled, do not enter a key ID and secret; instead, enter a CyberArk search string in this field to extract a CyberArk credential. An example search string is:
      Object=Cloud Service-AWSAccessKeys-ABCDEFGABC1ABCDE3AB
      See Integrating with CyberArk Enterprise Password Vault for more information on the integration.
    4. Assume Roles (ARNs): (Optional) Use the Amazon Resource Name (ARN) only if you want to apply role-based authentication for a user, application, or service. You must have defined the role earlier in AWS Identity and Access Management (IAM). For information on defining roles, see Creating IAM roles.
      Example for a single role: arn:aws:iam::123456789012:role/Discovery
      To enable role-switching (multiple roles), enter each role as a new-line separated list. For more information on AWS roles and role-switching, see the following section, AWS roles and role-switching.

      Note

      If you do not specify the ARN, you will discover AWS resources associated with the Access Key ID credentials. 

  5. Optionally, specify a proxy through which to access AWS. To use a proxy, you must specify the following:
    • Hostname
    • Port
    • Username (only for authenticating proxies)
    • Password (only for authenticating proxies)
  6. Click Apply to save the credential.

AWS roles and role-switching

A username is uniquely associated with only one person and has a predefined set of permissions. An Amazon Web Services (AWS) role, however, has a set of permissions associated with it to access specific AWS resources or for making AWS service requests. A role is not uniquely identified with one person but is temporarily assumed by any user who needs to use the role permissions for a session. You can specify multiple roles for a single AWS credential.

A role temporarily sets aside the permissions associated with the username and grants access to trusted entities, such as a user, an application, or a service to explore your AWS resources. For example, you might assign a role to a third party that needs to perform an audit of your resources.

You may assign any number of AWS roles to a user, but the user can only act as one role when making requests to AWS services.

You must create roles in AWS Identity and Access Management (IAM), but to assign these roles for role-based discovery of AWS resources, use the Add Credential screen in BMC Helix Discovery Outpost. You can switch roles for a user, application, or service, depending on the type of discovery required. Role-switching enables you to use multiple roles for a single credential or scan. However, if you do not specify the ARN (Amazon Resource Name), you will discover AWS resources associated with the Access Key ID credentials.

Note

A user cannot simultaneously exercise user and role permissions granted to them. When a user switches to a role, the user temporarily gives up the permissions associated with their user credentials and only uses the permissions assigned to the role. When the user exits the role, the user permissions are automatically restored.
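As an added illustration of the role-switching described above (example code, not BMC's), the following Python parses the newline-separated Assume Roles field and produces the two IAM policies that make role-switching work with least privilege: the identity policy that lets the discovery user call sts:AssumeRole only on the listed roles, and the trust policy each target role needs so that only the discovery user can assume it. The discovery user ARN, the optional external ID and the GovCloud partition in the regex are assumptions; each role still needs ReadOnlyAccess attached in its own account.

```python
import json
import re

# ARN shape the page documents for Assume Roles, plus the GovCloud partition
# (constructed regex: 12-digit account id, then the role name or path)
ROLE_ARN_RE = re.compile(r"^arn:(aws|aws-us-gov):iam::(\d{12}):role/([\w+=,.@/-]+)$")


def parse_role_arns(field_text):
    """Parse the newline-separated Assume Roles field, rejecting malformed ARNs."""
    arns = []
    for line in field_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not ROLE_ARN_RE.match(line):
            raise ValueError(f"not an IAM role ARN: {line!r}")
        arns.append(line)
    return arns


def assume_role_policy(role_arns):
    """Identity policy for the discovery IAM user: may assume only the listed roles."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Resource": role_arns}]}


def trust_policy(discovery_user_arn, external_id=None):
    """Trust policy on each target role: only the discovery user may assume it."""
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": discovery_user_arn}}
    if external_id:  # assumed extra guard when the role lives in a third-party account
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


if __name__ == "__main__":
    # constructed sample: two roles in two accounts, one per line as the page describes
    roles = parse_role_arns("arn:aws:iam::123456789012:role/Discovery\n"
                            "arn:aws:iam::210987654321:role/Discovery\n")
    print(json.dumps(assume_role_policy(roles), indent=2))
    # hypothetical discovery user ARN
    print(json.dumps(trust_policy("arn:aws:iam::123456789012:user/discovery"), indent=2))
```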

Test the credential 

Once you have created the credential, you should test it to ensure that it works.

  1. From the credentials page, click Devices.
  2. Filter the list to show cloud credentials.
  3. Click Actions for the AWS cloud credential you added, and then click Test.
  4. The default region is US East (N. Virginia). All valid AWS public cloud credentials should work with this region. However, you may choose a local region. You need separate credentials for the AWS public cloud and for AWS GovCloud (US).
  5. Click Test.
    The screen below shows a successful test.

If the credential test was unsuccessful, click the 'Failure' status to see the details. Ensure that you copied the secret access key correctly. Also ensure that the appliance time is within five minutes of the time AWS is using. See Time setting for more information.

The BMC Discovery appliance must be able to access AWS using https (port 443).

Time setting

Time synchronization is essential

You must ensure that your appliance time is synchronized using NTP. If you do not use NTP, you must ensure that the time is no further than five minutes from the time AWS is using. AWS uses timestamped authentication and any discrepancy will result in authentication failures.


Run a cloud scan

To perform cloud discovery, from the Discovery Status page, use the Add New run control.

  1. Click Add New run.
    The Add a Cloud Run dialog is displayed.
  2. Enter a Label for the cloud discovery run.
  3. To add a scheduled cloud run, select Scheduled and fill in the scheduling information as with normal scheduled discovery runs.
  4. Select Cloud.
  5. Select the provider from the drop-down list. Select Amazon Web Services
  6. Select the appropriate cloud credential. If none are available, you must add one.
  7. Select the region to scan, for example, for Amazon Web Services, US East (N. Virginia). You can also select all regions by clicking the All button.
  8. Click OK.

Examine results

Once you have scanned, you can examine the results. The screen below shows a discovered VM running in AWS.

Scan the hosts running the VMs in the cloud

Perform a normal scan on the hosts running the VMs discovered in the cloud scan. Use the Unscanned Cloud Hosts report on the Cloud Overview dashboard to find these.

Scanning the hosts assumes that the appliance or proxy has network access to hosts running in the cloud, for example, using a VPN.

Public IP addresses do not respond to ICMP pings. You must disable "Ping before scanning"; otherwise all scans are dropped, reporting no response.

Database discovery

You can discover all supported databases in AWS. At the time of release of BMC Discovery 11.3, the following are supported:

  • MySQL
  • Amazon Aurora (MySQL and PostgreSQL)
  • MariaDB
  • PostgreSQL
  • Oracle
  • Microsoft SQL Server

The following information is required to discover databases in AWS:

  • Endpoint – you can identify the database endpoint using the RDS Dashboard in the AWS Management Console. The endpoint is of the form:
    test-rds.xyxyxyxy.us-east-1.amazonaws.com:3306
    To scan the endpoint, you must be able to resolve it to an IP address.
  • Security groups
    • If the endpoint is publicly accessible, you still must set up a security group with a rule to allow access from the IP address from which BMC Discovery connects.
    • If the database is not publicly accessible, discovery must be running in AWS. You must set up security to allow access from the Virtual Private Cloud (VPC) in which BMC Discovery is running, and be part of a security group with a rule to allow access from the IP address from which BMC Discovery connects.

      In AWS, all security groups prevent access by default; you must enable access ports in a security group before any access is allowed.

    • To summarize, you must configure security groups which enable the BMC Discovery appliance to access the database. This is entirely dependent on the manner in which you have configured your AWS cloud services.

  • Incoming connections – you must permit incoming connections with a rule for an IP address or set of IP addresses. For example, to permit access to a MySQL database, from a single IP address, you would add a rule with the following parameters:
    • Type - MySQL/Aurora
    • Protocol - TCP
    • Port Range - 3306
    • Source - 77.168.1.100/32

Then the database can be discovered as any MySQL database in your estate.
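The rule above, as an added example (not from the page): a small Python check that tells you whether the discovery appliance's address can reach the database port through a set of security group rules, and flags any matching rule that is wider than a single-host /32. The rule dictionaries are a constructed representation of what the EC2 console shows, not an AWS API response.

```python
import ipaddress

# Discovery appliance address and RDS endpoint port from the page's MySQL example
DISCOVERY_IP = "77.168.1.100"
MYSQL_PORT = 3306


def rule_allows(rule, source_ip, port):
    """True if one ingress rule admits TCP traffic from source_ip to port."""
    return (rule["protocol"].lower() == "tcp"
            and rule["from_port"] <= port <= rule["to_port"]
            and ipaddress.ip_address(source_ip) in ipaddress.ip_network(rule["source"]))


def check_database_access(rules, source_ip=DISCOVERY_IP, port=MYSQL_PORT):
    """Security groups deny by default, so the port is reachable only if a rule matches.

    Also report matching rules whose source admits more than one address, since the
    page's guidance is a single /32 for the address BMC Discovery connects from."""
    matching = [r for r in rules if rule_allows(r, source_ip, port)]
    too_wide = [r for r in matching
                if ipaddress.ip_network(r["source"]).num_addresses > 1]
    return {"reachable": bool(matching), "matching": matching, "too_wide": too_wide}


# constructed sample security group: the documented rule plus a world-open rule
SAMPLE_RULES = [
    {"type": "MySQL/Aurora", "protocol": "TCP", "from_port": 3306, "to_port": 3306,
     "source": "77.168.1.100/32"},
    {"type": "Custom TCP", "protocol": "TCP", "from_port": 1024, "to_port": 65535,
     "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print(check_database_access(SAMPLE_RULES))
```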

AWS discovery patterns

The AWS discovery patterns are available on the Manage > Knowledge page. They are located in the Pattern modules list, under Cloud > Amazon Web Services.

AWS tags discovery

Information about tags is described here.

Event Driven Discovery with AWS Lambda

You can also use event driven discovery with AWS using a Lambda function. An example function archive can be downloaded from Manage > Discovery Tools. The archive contains a Python Lambda function which you can upload into AWS Lambda. To use the function, you must provide a Python 3.x runtime, and the handler must be set to lambda_function.process_event.

The Lambda function receives events from AWS and uses the BMC Discovery REST API to create an ExternalEvent node. The ExternalEvent node contains all the details of the AWS event and can be used to trigger a custom pattern. See Using external events for more details.

The Lambda function is configured using environment variables.

BMC_DISCOVERY_INSTANCE (required)
    The IP address or hostname of the BMC Discovery instance. This must be reachable from the AWS region, that is, an instance running in the same AWS VPC.
BMC_DISCOVERY_TOKEN (required)
    The REST API authentication token. See Authentication and permissions in the REST API for more details.
BMC_DISCOVERY_API_PROTOCOL (optional, default: https)
    The REST API protocol to use. Defaults to https, but http can also be used.
BMC_DISCOVERY_EVENT_SOURCE (optional, default: aws)
    The value to use for the "source" attribute of the ExternalEvent node.
BMC_DISCOVERY_EVENT_TYPE (optional, default: aws)
    The value to use for the "type" attribute of the ExternalEvent node.
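An added minimal handler (not BMC's downloadable function) shows how the variables above fit together: it fails closed when a required variable is missing, applies the documented defaults, and builds the authenticated POST that creates the ExternalEvent node. The REST path /api/v1.1/events and the Bearer authorization header are assumptions; check them against your appliance's REST API documentation.

```python
import json
import os
import urllib.request

# Names and defaults from the environment-variable table above
REQUIRED = ("BMC_DISCOVERY_INSTANCE", "BMC_DISCOVERY_TOKEN")
DEFAULTS = {"BMC_DISCOVERY_API_PROTOCOL": "https",
            "BMC_DISCOVERY_EVENT_SOURCE": "aws",
            "BMC_DISCOVERY_EVENT_TYPE": "aws"}
# Assumed REST path for creating an ExternalEvent node; verify against your API docs
EVENTS_PATH = "/api/v1.1/events"


def read_config(env):
    """Fail closed if a required variable is missing; fill in the documented defaults."""
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    cfg = {name: env.get(name, default) for name, default in DEFAULTS.items()}
    cfg.update({name: env[name] for name in REQUIRED})
    if cfg["BMC_DISCOVERY_API_PROTOCOL"] not in ("https", "http"):
        raise RuntimeError("BMC_DISCOVERY_API_PROTOCOL must be https or http")
    return cfg


def build_event_request(event, cfg):
    """Return (url, headers, body) for the ExternalEvent POST without sending it."""
    url = f"{cfg['BMC_DISCOVERY_API_PROTOCOL']}://{cfg['BMC_DISCOVERY_INSTANCE']}{EVENTS_PATH}"
    headers = {"Authorization": "Bearer " + cfg["BMC_DISCOVERY_TOKEN"],  # assumed scheme
               "Content-Type": "application/json"}
    body = {"source": cfg["BMC_DISCOVERY_EVENT_SOURCE"],
            "type": cfg["BMC_DISCOVERY_EVENT_TYPE"],
            "params": event}  # the whole AWS event becomes the node's details
    return url, headers, json.dumps(body).encode()


def process_event(event, context):
    """Lambda entry point (handler setting: lambda_function.process_event)."""
    url, headers, body = build_event_request(event, read_config(os.environ))
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return {"status": resp.status}
```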