One of the benefits of F5 Distributed Cloud App Infrastructure Protection (AIP) is the ability to integrate with an Amazon Web Service (AWS) profile. Through this integration, you can see exactly which instances are protected and which are not. When you activate an AWS profile, Distributed Cloud AIP runs an initial traversal of the environment to establish a baseline. Distributed Cloud AIP then continually scans for any instance creation or termination so the Distributed Cloud AIP console always reflects the current state of your infrastructure.
The process involves an exchange of information between Distributed Cloud AIP and AWS. Distributed Cloud AIP utilizes “read-only” access role, scoped to EC2, that is completely under your control.
If you want to integrate with more than one Amazon Web Service account, please see AWS Integrations Overview.
- Administrator access to your Amazon Web Service (AWS) account
- Access to the Distributed Cloud AIP Console
Use side-by-side browser windows – one for AWS and one for Distributed Cloud AIP – to complete these instructions.
- Log into the AWS console as an administrator.
- Search for IAM in the Search bar and open the Identity and Access Management (IAM) page.
- In the left navigation pane, click Roles. The Roles page displays.
- Click the Create role button. The Create role page displays.
The Distributed Cloud AIP AWS profile includes a unique account ID and external ID. These IDs link the Distributed Cloud AIP AWS profile to the AWS configuration.
You will complete the Distributed Cloud AIP AWS Profile after completing the creation of the AWS Identity and Access Management (IAM) role.
- Log into Distributed Cloud AIP.
- In the left navigation pane, click Settings. The Settings page displays.
Click the Integrations tab. The Integrations page displays.
- In the AWS Integrations section, click the + Add Integration button. The Add AWS Integration dialog opens.
Do not close this dialog until the AWS integration is complete. The External ID uniquely generates each time you add an AWS profile and must match the value entered during the AWS integration. If you click the close button, then a confirmation message displays in which you must acknowledge the close.
The Distributed Cloud AIP AWS profile authenticates in AWS using the Identity and Access Management (IAM) role you create in this procedure.
- On the AWS Create role page you opened in the first section, in the Trusted entity type section, select AWS account.
- In the An AWS account section, select the Another AWS account radio button
- In the Account ID field, copy and paste the Account ID value from the Distributed Cloud AIP Add AWS Integration dialog you opened in Distributed Cloud AIP in the previous section.
- Under Options, select the Require external ID checkbox.
- In the External ID field, copy and paste the External ID from the Distributed Cloud AIP Add AWS Integration dialog.
- Click the Next button. The Add permissions page displays.
- Select the AmazonEC2ReadOnlyAccess checkbox.
- Click the Next button. The Add tags (optional) page displays.
- Click the Next button. The Name, review, and create page displays.
- In the Role name field, type a role name. This is the name of the IAM role the Distributed Cloud AIP AWS Account will use to authenticate in AWS.
- Optionally, enter a description in the Description field.
- You do not need to enter any information in the Add permissions section.
- Click the Create role button. The new IAM role creates. The Roles page displays.
- Select the role you created from the role list. The role's Summary page opens.
- Copy the role ARN.
Completing the Distributed Cloud AIP AWS Profile allows Distributed Cloud AIP to authenticate in AWS using the Distributed Cloud AIP-specific AWS IAM role.
- Go to the Distributed Cloud AIP + Add AWS Integration dialog from which you copied the account ID and external ID.
- Paste the role ARN you copied from AWS in the previous section into the Role ARN field.
- Optionally, in the Description field, type a description of the Distributed Cloud AIP AWS role.
- In the EC2 Correlation section, from the Regions drop-down menu, select the region(s) in which your organization has an EC2 presence. Click the Select All Regions button to add all regions.
- Click the Add AWS Integration button. The + Add AWS Integration dialog closes. The Integrations page displays. The new AWS profile displays in the AWS Integrations table. A clock icon displays in the EC2 Correlation Status column, indicating the profile is authenticating with AWS. This process may take several minutes.
Go to the Distributed Cloud AIP Settings tab > Integrations tab > AWS Integrations table. In the row for the AWS profile, the EC2 correlation status displays a green checkmark to confirm that Distributed Cloud AIP successfully authenticated in AWS using the IAM role created for AWS.
You can view additional information about your EC2 instances in the Servers tab. For more information, see Servers Feature Overview.