Getting Started with AWS

Connecting your AWS accounts to hava.

When you log into Hava for the first time, you will be presented with the opportunity to import some demo environments and also jump right in to connecting to your own AWS, Azure or GCP accounts :

The first step in creating accurate AWS infrastructure diagrams with Hava is to connect Hava to your AWS account.

We strongly advise creating a Cross Account Role to allow access to your AWS environment. Hava is built on AWS and this method is considered AWS best practice.

You may also create a new IAM user with Read Only Permissions. Either way, there can be no doubt from an infrastructure integrity and security perspective that Hava cannot change or update anything in your environment and is limited to reading the data it needs to visualise your AWS environment.

You may also create a Minimum Access Read Only IAM User with customisable permissions if you wish to exclude access to any components of your AWS environment.

How to create a Cross Account Role

From the Hava Environments screen - select "Add Environments" :

In a separate browser tab - log in to your AWS Console. Navigate back to Hava then :

Select the Amazon Tab.

Select "Cross Account Role"

Click on the "Jump to AWS Console and create read only account role" link. This will open up your AWS console in the Create Role dialogue with the fields pre-filled :

Ensure the Account ID and External ID match the dialogue window in Hava exactly. The External ID is the condition that restricts who can assume this role (the confused-deputy protection), so it must not be altered or removed.

Ensure "Require MFA" remains unchecked

Click "Next: Permissions" and "Create Policy" :

Select the JSON tab

Paste in the following JSON code

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"acm:DescribeCertificate",
"acm:GetCertificate",
"acm:ListCertificates",
"apigateway:GET",
"apigateway:HEAD",
"apigateway:OPTIONS",
"appstream:Get*",
"autoscaling:Describe*",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStacks",
"cloudformation:GetTemplate",
"cloudformation:List*",
"cloudfront:Get*",
"cloudfront:List*",
"cloudsearch:Describe*",
"cloudsearch:List*",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"codecommit:BatchGetRepositories",
"codecommit:Get*",
"codecommit:GitPull",
"codecommit:List*",
"codedeploy:Batch*",
"codedeploy:Get*",
"codedeploy:List*",
"config:Deliver*",
"config:Describe*",
"config:Get*",
"datapipeline:DescribeObjects",
"datapipeline:DescribePipelines",
"datapipeline:EvaluateExpression",
"datapipeline:GetPipelineDefinition",
"datapipeline:ListPipelines",
"datapipeline:QueryObjects",
"datapipeline:ValidatePipelineDefinition",
"directconnect:Describe*",
"ds:Check*",
"ds:Describe*",
"ds:Get*",
"ds:List*",
"ds:Verify*",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"ec2:Describe*",
"ec2:GetConsoleOutput",
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetManifest",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:BatchGetImage",
"ecs:Describe*",
"ecs:List*",
"elasticache:Describe*",
"elasticache:List*",
"elasticbeanstalk:Check*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:RetrieveEnvironmentInfo",
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:DescribeTags",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargetSecurityGroups",
"elasticloadbalancing:Describe*",
"elasticmapreduce:Describe*",
"elasticmapreduce:List*",
"elastictranscoder:List*",
"elastictranscoder:Read*",
"es:DescribeElasticsearchDomain",
"es:DescribeElasticsearchDomains",
"es:DescribeElasticsearchDomainConfig",
"es:ListDomainNames",
"es:ListTags",
"es:ESHttpGet",
"es:ESHttpHead",
"events:DescribeRule",
"events:ListRuleNamesByTarget",
"events:ListRules",
"events:ListTargetsByRule",
"events:TestEventPattern",
"firehose:Describe*",
"firehose:List*",
"glacier:ListVaults",
"glacier:DescribeVault",
"glacier:GetDataRetrievalPolicy",
"glacier:GetVaultAccessPolicy",
"glacier:GetVaultLock",
"glacier:GetVaultNotifications",
"glacier:ListJobs",
"glacier:ListMultipartUploads",
"glacier:ListParts",
"glacier:ListTagsForVault",
"glacier:DescribeJob",
"glacier:GetJobOutput",
"iam:GenerateCredentialReport",
"iam:Get*",
"iam:List*",
"inspector:Describe*",
"inspector:Get*",
"inspector:List*",
"inspector:LocalizeText",
"inspector:PreviewAgentsForResourceGroup",
"iot:Describe*",
"iot:Get*",
"iot:List*",
"kinesis:Describe*",
"kinesis:Get*",
"kinesis:List*",
"kms:Describe*",
"kms:Get*",
"kms:List*",
"lambda:List*",
"lambda:Get*",
"logs:Describe*",
"logs:Get*",
"logs:TestMetricFilter",
"machinelearning:Describe*",
"machinelearning:Get*",
"mobilehub:GetProject",
"mobilehub:ListAvailableFeatures",
"mobilehub:ListAvailableRegions",
"mobilehub:ListProjects",
"mobilehub:ValidateProject",
"mobilehub:VerifyServiceRole",
"opsworks:Describe*",
"opsworks:Get*",
"rds:Describe*",
"rds:ListTagsForResource",
"redshift:Describe*",
"redshift:ViewQueriesInConsole",
"route53:Get*",
"route53:List*",
"route53domains:CheckDomainAvailability",
"route53domains:GetDomainDetail",
"route53domains:GetOperationDetail",
"route53domains:ListDomains",
"route53domains:ListOperations",
"route53domains:ListTagsForDomain",
"s3:GetAccelerateConfiguration",
"s3:GetAnalyticsConfiguration",
"s3:GetBucket*",
"s3:GetInventoryConfiguration",
"s3:GetIpConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetMetricsConfiguration",
"s3:GetReplicationConfiguration",
"s3:List*",
"sdb:GetAttributes",
"sdb:List*",
"sdb:Select*",
"ses:Get*",
"ses:List*",
"sns:Get*",
"sns:List*",
"sqs:GetQueueAttributes",
"sqs:ListQueues",
"sqs:ReceiveMessage",
"storagegateway:Describe*",
"storagegateway:List*",
"swf:Count*",
"swf:Describe*",
"swf:Get*",
"swf:List*",
"tag:Get*",
"trustedadvisor:Describe*",
"waf:Get*",
"waf:List*",
"waf-regional:Get*",
"waf-regional:List*",
"workspaces:Describe*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}

Note : the list of resources Hava requests access to ensures the most detailed diagrams and logging of environment changes, which is a powerful tool for quickly identifying environment changes that may have caused unforeseen issues in your production environment.

You can of course remove any access you do not feel comfortable with, bearing in mind that this may detract from the detailed analysis of your AWS environment both now and when new features are released. When reviewing the list, note that some entries grant access to data contents rather than only configuration metadata (for example "sqs:ReceiveMessage", "codecommit:GitPull", "ecr:BatchGetImage" and "ecr:GetDownloadUrlForLayer", "es:ESHttpGet", "glacier:GetJobOutput" and "ec2:GetConsoleOutput"), so weigh these against your data-handling requirements before granting them.

Then click "Review Policy" & Name the new policy

Click "Create Policy" and the new policy will be created.

This process happened in a separate browser window, so return to the window where you were creating the new cross account role :

Press the refresh button & filter for the name you gave the new policy :

Select "Next:Tags" - you can skip this

Select "Next: Review" :

Click "Create Role" then select the new role from the list displayed.

Copy the Role ARN

Paste the Role ARN into the Hava dialogue box, add an optional name and click "Import"

Hava will connect to your environment and pull back the resources and relationships between them and build a complete visualisation of your environment.

From this point on Hava will sync with your AWS environment every hour and keep track of any structural changes from the VPC level down.

How to create a Read Only IAM User

Using a cross account role is AWS best practice and the preferred method to enable Hava to build your environment diagrams and log changes. If you prefer to set up access via a key pair, then follow these instructions.

Log in to your AWS console & open the Services menu.

Select IAM from the Security, Identity & Compliance options :

Select Users :

Click "Add User" :

Enter a memorable User Name and set the access type to "Programmatic Access"

Click "Next Permissions" to move to the set permissions dialogue.

Select "Attach existing policies directly"

Scroll through the policies : locate and select "ReadOnlyAccess" :

Click Next to advance to the "Add tags" dialogue. Skip this step.

Click "Next : Review" to advance to the review screen :

Click "Create User" :

You will get a screen confirming successful creation of the new user, together with its Access Key ID and Secret Access Key credentials. The Secret Access Key is only shown at this point, so to ensure accuracy we advise downloading the credentials.csv file and copying the credentials from there; store that file securely and delete it once the keys have been entered into Hava.

You now have the necessary user and credentials to connect Hava to your AWS environment.

Open the Hava Environments workspace and select Add Environments :

Enter the Access Key and Secret Key from the previous step and click "Import" :

Hava will now import your environment components, construct the diagrams and start logging changes as they happen.

How to Create a Minimum Access IAM User

Creating the Hava Read-Only IAM user, that uses the standard AWS ReadOnlyAccess Policy will ensure that your user doesn't have enough privileges to change anything in your environment. If you feel that the default policy from AWS allows too much access you can create a custom policy to limit it to just what we need.

While we recommend the default Read-Only policy to account for future updates to our supported services you can follow these steps to create a minimum access read-only user that Hava can use to visualize your AWS infrastructure. Before you start make sure you are logged in to the AWS console.

  1. From the main console screen click on Identity & Access Management.iam-step1.png

  2. From the IAM dashboard select the Users section and then click the Create New Users button.iam-step2.png

  3. Enter a unique username for your new user, make sure Generate an access key is checked, and then click the Create button.iam-step3.png

  4. You should be notified that your user has been created. You can copy the details from this screen or just click Download to save them.iam-step4.png

  5. Now that you've created your user, you will need to create the custom policy that grants Hava the minimum access it requires. From the IAM dashboard select the Policy section and then click the Create New Policy button. IAM-policy-selected.png Screen_Shot_2016-04-08_at_3.23.48_PM.png

  6. You will then need to select the Create Your Own Policy option. Screen_Shot_2016-04-08_at_3.26.09_PM.png

  7. You will need to provide the name of your policy such as "HAVA-RO-POLICY", a description of the policy such as "Just enough access to ensure Hava can work its magic", and then enter the custom policy seen here: Screen_Shot_2016-04-08_at_3.30.20_PM.png You can copy and paste the policy from here:

    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Action": [
    "acm:DescribeCertificate",
    "acm:GetCertificate",
    "acm:ListCertificates",
    "apigateway:GET",
    "apigateway:HEAD",
    "apigateway:OPTIONS",
    "appstream:Get*",
    "autoscaling:Describe*",
    "cloudformation:DescribeStackEvents",
    "cloudformation:DescribeStackResource",
    "cloudformation:DescribeStackResources",
    "cloudformation:DescribeStacks",
    "cloudformation:GetTemplate",
    "cloudformation:List*",
    "cloudfront:Get*",
    "cloudfront:List*",
    "cloudsearch:Describe*",
    "cloudsearch:List*",
    "cloudtrail:DescribeTrails",
    "cloudtrail:GetTrailStatus",
    "cloudwatch:Describe*",
    "cloudwatch:Get*",
    "cloudwatch:List*",
    "codecommit:BatchGetRepositories",
    "codecommit:Get*",
    "codecommit:GitPull",
    "codecommit:List*",
    "codedeploy:Batch*",
    "codedeploy:Get*",
    "codedeploy:List*",
    "config:Deliver*",
    "config:Describe*",
    "config:Get*",
    "datapipeline:DescribeObjects",
    "datapipeline:DescribePipelines",
    "datapipeline:EvaluateExpression",
    "datapipeline:GetPipelineDefinition",
    "datapipeline:ListPipelines",
    "datapipeline:QueryObjects",
    "datapipeline:ValidatePipelineDefinition",
    "directconnect:Describe*",
    "ds:Check*",
    "ds:Describe*",
    "ds:Get*",
    "ds:List*",
    "ds:Verify*",
    "dynamodb:DescribeTable",
    "dynamodb:ListTables",
    "ec2:Describe*",
    "ec2:GetConsoleOutput",
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:GetManifest",
    "ecr:DescribeRepositories",
    "ecr:ListImages",
    "ecr:BatchGetImage",
    "ecs:Describe*",
    "ecs:List*",
    "elasticache:Describe*",
    "elasticache:List*",
    "elasticbeanstalk:Check*",
    "elasticbeanstalk:Describe*",
    "elasticbeanstalk:List*",
    "elasticbeanstalk:RequestEnvironmentInfo",
    "elasticbeanstalk:RetrieveEnvironmentInfo",
    "elasticfilesystem:DescribeMountTargets",
    "elasticfilesystem:DescribeTags",
    "elasticfilesystem:DescribeFileSystems",
    "elasticfilesystem:DescribeMountTargetSecurityGroups",
    "elasticloadbalancing:Describe*",
    "elasticmapreduce:Describe*",
    "elasticmapreduce:List*",
    "elastictranscoder:List*",
    "elastictranscoder:Read*",
    "es:DescribeElasticsearchDomain",
    "es:DescribeElasticsearchDomains",
    "es:DescribeElasticsearchDomainConfig",
    "es:ListDomainNames",
    "es:ListTags",
    "es:ESHttpGet",
    "es:ESHttpHead",
    "events:DescribeRule",
    "events:ListRuleNamesByTarget",
    "events:ListRules",
    "events:ListTargetsByRule",
    "events:TestEventPattern",
    "firehose:Describe*",
    "firehose:List*",
    "glacier:ListVaults",
    "glacier:DescribeVault",
    "glacier:GetDataRetrievalPolicy",
    "glacier:GetVaultAccessPolicy",
    "glacier:GetVaultLock",
    "glacier:GetVaultNotifications",
    "glacier:ListJobs",
    "glacier:ListMultipartUploads",
    "glacier:ListParts",
    "glacier:ListTagsForVault",
    "glacier:DescribeJob",
    "glacier:GetJobOutput",
    "iam:GenerateCredentialReport",
    "iam:Get*",
    "iam:List*",
    "inspector:Describe*",
    "inspector:Get*",
    "inspector:List*",
    "inspector:LocalizeText",
    "inspector:PreviewAgentsForResourceGroup",
    "iot:Describe*",
    "iot:Get*",
    "iot:List*",
    "kinesis:Describe*",
    "kinesis:Get*",
    "kinesis:List*",
    "kms:Describe*",
    "kms:Get*",
    "kms:List*",
    "lambda:List*",
    "lambda:Get*",
    "logs:Describe*",
    "logs:Get*",
    "logs:TestMetricFilter",
    "machinelearning:Describe*",
    "machinelearning:Get*",
    "mobilehub:GetProject",
    "mobilehub:ListAvailableFeatures",
    "mobilehub:ListAvailableRegions",
    "mobilehub:ListProjects",
    "mobilehub:ValidateProject",
    "mobilehub:VerifyServiceRole",
    "opsworks:Describe*",
    "opsworks:Get*",
    "rds:Describe*",
    "rds:ListTagsForResource",
    "redshift:Describe*",
    "redshift:ViewQueriesInConsole",
    "route53:Get*",
    "route53:List*",
    "route53domains:CheckDomainAvailability",
    "route53domains:GetDomainDetail",
    "route53domains:GetOperationDetail",
    "route53domains:ListDomains",
    "route53domains:ListOperations",
    "route53domains:ListTagsForDomain",
    "s3:GetAccelerateConfiguration",
    "s3:GetAnalyticsConfiguration",
    "s3:GetBucket*",
    "s3:GetInventoryConfiguration",
    "s3:GetIpConfiguration",
    "s3:GetLifecycleConfiguration",
    "s3:GetMetricsConfiguration",
    "s3:GetReplicationConfiguration",
    "s3:List*",
    "sdb:GetAttributes",
    "sdb:List*",
    "sdb:Select*",
    "ses:Get*",
    "ses:List*",
    "sns:Get*",
    "sns:List*",
    "sqs:GetQueueAttributes",
    "sqs:ListQueues",
    "sqs:ReceiveMessage",
    "storagegateway:Describe*",
    "storagegateway:List*",
    "swf:Count*",
    "swf:Describe*",
    "swf:Get*",
    "swf:List*",
    "tag:Get*",
    "trustedadvisor:Describe*",
    "waf:Get*",
    "waf:List*",
    "waf-regional:Get*",
    "waf-regional:List*",
    "workspaces:Describe*"
    ],
    "Effect": "Allow",
    "Resource": "*"
    }
    ]
    }
  8. Once you have entered all of the details and pasted the policy contents into the Policy Document section, click Create Policy to complete the policy creation process.

  9. Click your new user in the list and go to the Managed Policies header under Permissions. Click Attach Policy.iam-step5.png

  10. Scroll through the policy list until you find custom policy HAVA-RO-POLICY. Click the checkbox and then click Attach Policy.Screen_Shot_2016-04-08_at_3.35.27_PM.png

  11. Now head back to the Hava homepage and enter the credentials you downloaded earlier to get started!Screen_Shot_2016-04-08_at_3.37.45_PM.png