Getting Started

The AWS chart provides a catalog scraper that:

  • Scrapes AWS Resources and detects changes in the resource definition
  • Ingests changes from CloudTrail
  • Ingests cost data from AWS Cost & Usage Reporting
  • Links AWS EKS resources to the corresponding Kubernetes resources

Prerequisites

  • IAM Role for scraping AWS APIs
  • Mission Control configured to use Pod Identity/IRSA or an AWS access key

For Cost & Usage Reporting

  • Cost and Usage Reports are configured with an Athena table
  • The AWSQuicksightAthenaAccess policy or similar is attached to the config-db IAM role

  1. Configure the config-db-sa service account with an AWS IAM Pod Identity / Role
  2. Install the mission-control-aws chart

    apiVersion: helm.toolkit.fluxcd.io/v2
    kind: HelmRelease
    metadata:
      name: mission-control-aws
      namespace: mission-control
    spec:
      chart:
        spec:
          chart: mission-control-aws
          sourceRef:
            kind: HelmRepository
            name: flanksource
            namespace: mission-control
      interval: 1m
      values:

values.yaml

  • accessKey:
    • value: string
    • valueFrom:
      • configMapKeyRef:
        • key: string
        • name: string
      • helmRef:
        • key: string
        • name: string
      • secretKeyRef:
        • key: string
        • name: string
      • serviceAccount: string
  • assumeRole: - Name of an IAM role to assume
  • cloudtrail: - Import and correlate CloudTrail events with AWS resources
    • exclude[]: - List of events to exclude
    • maxAge: (default: "7d") - Maximum lookback age when querying CloudTrail
  • compliance: (default: "true") - Import AWS Config Rule failures as insights
  • connection: string
  • costReporting: - Scrape cost reports and match them with catalog items
    • database: string
    • enabled: boolean
    • region: string
    • s3BucketPath: string
    • table: string
  • endpoint: - Custom AWS endpoint e.g. for testing with LocalStack
  • excludeResources[]:
  • global: - Global values are values that can be accessed from any chart or subchart by exactly the same name.
  • includeResources[]:
  • labels:
  • region[]: - AWS regions to pull from
  • scraper:
    • name: string (default: "aws")
  • secretKey:
    • value: string
    • valueFrom:
      • configMapKeyRef:
        • key: string
        • name: string
      • helmRef:
        • key: string
        • name: string
      • secretKeyRef:
        • key: string
        • name: string
      • serviceAccount: string
  • skipTLSVerify: (default: "false") - Skip TLS verification
  • topology:
    • name: string (default: "aws")
  • transform:
    • changes:
      • exclude[]:
      • mapping[]:
    • relationship[]:
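
A filled-in `values` block for the HelmRelease in step 2, added here as an illustration and not taken from the chart's own documentation. It uses only keys from the values.yaml listing above; the Secret name `aws-credentials`, its key names, the regions, and the Athena database, table and bucket values (including the bucket path format) are assumptions.

```yaml
# Added example: goes under spec: in the mission-control-aws HelmRelease.
# Every value marked "assumed" is a placeholder to replace with your own.
values:
  scraper:
    name: aws
  region:
    - us-east-1            # assumed regions
    - eu-west-1

  # When config-db-sa is bound to an IAM role (Pod Identity / IRSA, step 1),
  # leave accessKey and secretKey out entirely.
  # If a static access key is used instead, reference a Kubernetes Secret.
  # Avoid the inline form, which stores the credential in the manifest:
  #   secretKey:
  #     value: <secret access key>
  accessKey:
    valueFrom:
      secretKeyRef:
        name: aws-credentials         # assumed Secret name
        key: AWS_ACCESS_KEY_ID        # assumed key within the Secret
  secretKey:
    valueFrom:
      secretKeyRef:
        name: aws-credentials         # assumed Secret name
        key: AWS_SECRET_ACCESS_KEY    # assumed key within the Secret

  # Keep TLS verification on; only a local test endpoint such as
  # LocalStack (see `endpoint`) is a reason to change this.
  skipTLSVerify: false

  compliance: true         # import AWS Config Rule failures as insights
  cloudtrail:
    maxAge: 7d             # chart default lookback

  # Requires the Cost and Usage Report Athena table and the Athena access
  # policy on the config-db IAM role (see Prerequisites).
  costReporting:
    enabled: true
    region: us-east-1                                # assumed
    database: example_cur_database                   # assumed
    table: example_cur_table                         # assumed
    s3BucketPath: s3://example-athena-results/path   # assumed value and format
```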

When you go to the catalog, you can now see all the AWS resources.

Next Steps