AWS

Requirements

For each AWS Account you'd like to enroll

Name
Description

Teleskope Role

Create an IAM role for Teleskope to assume using Terraform or on the AWS Console

Create a Teleskope Role using Terraform

Variable
Description
Example

origin_aws_account_id

(Required) AWS Account ID where Teleskope is deployed that the Teleskope team will provide you with

"012345678912"

##################################################################
# The role Teleskope will assume from the origin AWS account. #
##################################################################

resource "aws_iam_role" "teleskope" {
  name               = "TeleskopeRole"
  path               = "/system/"
  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
}

data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::{origin_aws_account_id}:root"]
    }
  }
}

resource "aws_iam_role_policy" "account_policy" {
  role       = aws_iam_role.teleskope.id
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeRegions",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

Create a Teleskope Role using the AWS Console

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/

  2. In the navigation pane of the console, choose Roles and then choose Create role

  3. Choose Custom Trust Policy as the Trusted Entity Type

  4. Replace the custom trust policy with:

    {    
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{origin_aws_account_id}:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

  5. Create a custom inline policy with:

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeRegions",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    }
  ]
}

Enrollment

In Teleskope, enroll the AWS account:

  1. Provide the AWS Account ID

  2. Provide a name for your AWS Account

  3. Provide the previously created role name exactly as it appears

If an IAM Role Path is used (as in this example), it must be supplied in the UI:

system/TeleskopeRole
PreviousData ElementsNextAthena

Last updated

Was this helpful?