AWS Integration

Auto-discover Applications and AWS Resources

Rapticore integrates with customer's AWS environments using read-only IAM Roles added to customer AWS accounts.

For more information on these roles and AWS integration, refer to our AWS integration reference.

Setup

To simplify setup, we provide CloudFormation templates both in JSON and YAML formats to facilitate IAM Role creation.

Setup involves:

  1. Configuring AWS Accounts with readonly IAM Roles
  2. Configuring Rapticore to integrate with those AWS Accounts

Necessary privileges in AWS

An IAM User or Role with privileges to create and update IAM roles in all target customer AWS accounts can complete the setup steps.

Rapticore information provided in your invitation email

Rapticore, at the time of account creation, will provide customers with two unique account attributes; both of these must be used without modification in the setup.

  • RapticoreAccountId - Rapticore-operated AWS Account ID.
  • RapticoreTenantId - Rapticore unique Tenant ID.

Rapticore privileges

You must have an Admin role to configure AWS integrations in Rapticore.

AWS Account Configuration

Option 1 - AWS Console Setup

  1. Download the CloudFormation Template as a .yaml file
  2. Log into your target account AWS Management Console with permissions to create IAM Roles
  3. Go to the CloudFormation Service and click the "Create stack" button on the top right corner of the screen
  4. Select "Template is Ready" and then select "Upload a template file"
  5. Choose the YAML file you downloaded and click "Next"
  6. Enter a Friendly Name for the stack, e.g., Rapticore-cloud-extractor-role-stack
  7. Enter RapticoreAccountId provided in your invitation email
  8. Enter RapticoreTenantId provided in your invitation email
  9. Click "Next" and add any tags you may desire
  10. Click "Next", review the details, and select the acknowledgment checkbox once in agreement.
  11. Click "Create stack" and review the progress
  12. Once the stack is created, click the Outputs tab, then copy the created IAM Role ARN and save it for later

You will want to keep track of the associated AWS Account the IAM Role was created in for the Rapticore Configuration step.

Repeat the process for all the AWS Accounts you wish to integrate with Rapticore.

Option 2 - AWS CLI Setup

  1. Configure your AWS CLI and profiles for the accounts you wish to integrate with Rapticore according to AWS documentation.
  2. Clone Rapticore's aws-onboarding repository from GitHub
git clone git@github.com:rapticore/aws-onboarding.git && \
cd aws-onboarding
  3. Set your AWS Profile and account attributes, replacing <...> with appropriate values:
export RAPTICORE_ACCOUNT_ID=<RapticoreAccountId> && \
export RAPTICORE_TENANT_ID=<RapticoreTenantId> && \
export AWS_PROFILE=<PROFILE NAME>
  4. Create the IAM Role CloudFormation Stack
aws cloudformation deploy \
  --profile "$AWS_PROFILE" \
  --region us-east-1 \
  --template-file ./RapticoreCrossAccountStack.json \
  --stack-name "Rapticore-cloud-extractor-role-stack-$RAPTICORE_TENANT_ID" \
  --parameter-overrides \
    RapticoreAccountId="$RAPTICORE_ACCOUNT_ID" \
    RapticoreTenantId="$RAPTICORE_TENANT_ID" \
  --tags Name=aws-discovery \
  --capabilities CAPABILITY_NAMED_IAM
  5. Confirm the creation of the read-only IAM Role
aws cloudformation describe-stacks \
  --profile "$AWS_PROFILE" \
  --region us-east-1 \
  --stack-name "Rapticore-cloud-extractor-role-stack-$RAPTICORE_TENANT_ID" \
  --query "Stacks[*].Outputs[?OutputKey=='IAMRoleARN'].OutputValue" \
  --output text
  6. Copy and save the Role ARN

You will want to keep track of the associated AWS Account the IAM Role was created in for the Rapticore Configuration step.

Repeat the process for all AWS Accounts you wish to integrate with Rapticore.

Rapticore Configuration

  1. Log in to Rapticore as an admin user, navigate to the Manage > Integrations page, and select the AWS integration.

Option 1 - Single Account Integration

  1. Click New AWS Account
  2. Enter a name of your choosing for your account and enter the IAM Role ARN associated with that AWS account and click Save.

Option 2 - Bulk Account Integration

  1. Download the sample CSV bulk upload template

If you are using a Chrome browser, this file may download with a .txt extension. If it does, you must change it to a .csv extension to upload it in the next step.

Please clear out sample data before entering your account-specific details.

  2. Add the account names of your choosing and the corresponding IAM Role ARNs, and upload the bulk template.

Having configured AWS integration, auto-discovery of applications and resources will be scheduled. Once run, you will be able to view these records in Rapticore.

Decommissioning

Deleting an integrated AWS Account from Rapticore or deleting the IAM Role from the AWS account will stop Rapticore from monitoring that account.

Changing the Role Policy might adversely affect Rapticore data collection and operations.

Customer Data Deletion

Data collected from the account will be archived and deleted by Rapticore after the retention period has expired.

Updating an existing IAM Role

Rapticore adds capabilities that might require customers to update the Rapticore IAM Roles they created previously. To take advantage of these capabilities, customers are requested to update their IAM roles using the steps below:

Step 1: Make a temporary directory and copy the updated policy JSON from the Rapticore Git repository.

mkdir rapticore_iam
cd rapticore_iam
wget https://raw.githubusercontent.com/rapticore/aws-onboarding/main/rapticore_extractor_addon.json

Step 2: Review the downloaded JSON for changes.
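One way to support the Step 2 review before the policy is attached is to list every Allow entry that is not an obviously read-only verb. This is an added example, not Rapticore's code; the prefix list, the function names and the sample policy are assumptions constructed for illustration.

```python
import json
import sys

# Assumption: verb prefixes treated as read-only for this review; tune to taste.
READ_ONLY_PREFIXES = ("get", "list", "describe", "batchget", "lookup", "search", "view")

# Constructed sample policy, NOT the contents of rapticore_extractor_addon.json.
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadInventory", "Effect": "Allow",
     "Action": ["ec2:Describe*", "s3:GetBucketPolicy", "lambda:ListFunctions"],
     "Resource": "*"},
    {"Sid": "Unexpected", "Effect": "Allow",
     "Action": ["s3:PutObject", "iam:*"], "Resource": "*"},
    {"Sid": "SingleString", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"}
  ]
}
"""

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def review_policy(policy_text):
    """Return (sid, action, reason) for Allow grants that exceed read access."""
    findings = []
    policy = json.loads(policy_text)
    for idx, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append((sid, "NotAction", "allows all actions except those listed"))
        for action in as_list(stmt.get("Action")):
            verb = action.rpartition(":")[2]  # "*" and "svc:*" both yield "*"
            if not verb.lower().startswith(READ_ONLY_PREFIXES):
                findings.append((sid, action, "not a read-only verb"))
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    for sid, action, reason in review_policy(text):
        print(f"REVIEW {sid}: {action} ({reason})")
```

Pass the downloaded file name as the first argument to check it instead of the sample. A clean result only covers verb names: some Get actions, such as secretsmanager:GetSecretValue, return sensitive data and still deserve a manual look.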

Step 3: Set your AWS Profile and Rapticore IAM Role Name replacing <...> with appropriate values:

export RAPTICORE_IAM_ROLE=<RapticoreIAMRoleName> 
export AWS_PROFILE=<PROFILE NAME>

Step 4: Update the Role using the AWS CLI

aws iam put-role-policy \
  --role-name "$RAPTICORE_IAM_ROLE" \
  --policy-name RapticoreExtendedViewOnly \
  --policy-document file://rapticore_extractor_addon.json \
  --profile "$AWS_PROFILE"

Step 5: Repeat these steps for each AWS Account covered by Rapticore.