Cross Account Role


Last updated 7 months ago


Setting up and Connecting Your AWS Account

Connecting your AWS account is quick and should take about 10 minutes if you have the required permissions. While we strive to keep our documentation current, AWS may occasionally update their process or UI. If you notice any discrepancies, please contact us at support[at]hava.io.

Prefer a video walkthrough? See the Video walkthrough section below.


How to create a Cross Account Role

From the Hava Environments screen, select "Add Environments":


Create your IAM policy

Log in to your AWS Console

In a separate browser tab, log in to your AWS Console.

  1. Navigate to IAM > Policies to create a new policy that your Hava Cross-Account role can use.

  2. Click "Create Policy"

  3. Select the JSON tab

Paste the following JSON policy document:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "acm:DescribeCertificate",
        "acm:GetCertificate",
        "acm:ListCertificates",
        "apigateway:GET",
        "appstream:Get*",
        "appsync:GetApiCache",
        "appsync:ListApiKeys",
        "appsync:ListDataSources",
        "appsync:ListDomainNames",
        "appsync:ListFunctions",
        "appsync:ListGraphqlApis",
        "appsync:ListResolvers",
        "appsync:ListSourceApiAssociations",
        "appsync:ListTagsForResource",
        "appsync:ListTypes",
        "autoscaling:Describe*",
        "cloudformation:List*",
        "cloudfront:Get*",
        "cloudfront:List*",
        "cloudsearch:Describe*",
        "cloudsearch:List*",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "codecommit:BatchGetRepositories",
        "codecommit:Get*",
        "codecommit:GitPull",
        "codecommit:List*",
        "codedeploy:Batch*",
        "codedeploy:Get*",
        "codedeploy:List*",
        "config:Deliver*",
        "config:Describe*",
        "config:Get*",
        "datapipeline:DescribeObjects",
        "datapipeline:DescribePipelines",
        "datapipeline:EvaluateExpression",
        "datapipeline:GetPipelineDefinition",
        "datapipeline:ListPipelines",
        "datapipeline:QueryObjects",
        "datapipeline:ValidatePipelineDefinition",
        "directconnect:Describe*",
        "ds:Check*",
        "ds:Describe*",
        "ds:Get*",
        "ds:List*",
        "ds:Verify*",
        "dynamodb:DescribeGlobalTable",
        "dynamodb:DescribeTable",
        "dynamodb:ListGlobalTables",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "ec2:Describe*",
        "ec2:GetConsoleOutput",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:DescribeRepositories",
        "ecr:GetDownloadUrlForLayer",
        "ecr:ListImages",
        "ecs:Describe*",
        "ecs:List*",
        "eks:Describe*",
        "eks:List*",
        "elasticache:Describe*",
        "elasticache:List*",
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargetSecurityGroups",
        "elasticfilesystem:DescribeMountTargets",
        "elasticfilesystem:DescribeTags",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:Describe*",
        "elasticmapreduce:List*",
        "elastictranscoder:List*",
        "elastictranscoder:Read*",
        "es:DescribeDomain",
        "es:DescribeDomainNodes",
        "es:DescribeDomains",
        "es:DescribeElasticsearchDomain",
        "es:DescribeElasticsearchDomainConfig",
        "es:DescribeElasticsearchDomains",
        "es:DescribeReservedElasticsearchInstances",
        "es:DescribeVpcEndpoints",
        "es:ESHttpGet",
        "es:ESHttpHead",
        "es:ListDomainNames",
        "es:ListTags",
        "es:ListVpcEndpointAccess",
        "es:ListVpcEndpoints",
        "es:ListVpcEndpointsForDomain",
        "events:DescribeApiDestination",
        "events:DescribeArchive",
        "events:DescribeConnection",
        "events:DescribeEndpoint",
        "events:DescribeEventBus",
        "events:DescribeEventSource",
        "events:DescribePartnerEventSource",
        "events:DescribeReplay",
        "events:DescribeRule",
        "events:ListApiDestinations",
        "events:ListArchives",
        "events:ListConnections",
        "events:ListEndpoints",
        "events:ListEventBuses",
        "events:ListEventSources",
        "events:ListPartnerEventSourceAccounts",
        "events:ListPartnerEventSources",
        "events:ListReplays",
        "events:ListRuleNamesByTarget",
        "events:ListRules",
        "events:ListTagsForResource",
        "events:ListTargetsByRule",
        "events:TestEventPattern",
        "firehose:DescribeDeliveryStream",
        "firehose:ListDeliveryStreams",
        "firehose:ListTagsForDeliveryStream",
        "glacier:DescribeJob",
        "glacier:DescribeVault",
        "glacier:GetDataRetrievalPolicy",
        "glacier:GetJobOutput",
        "glacier:GetVaultAccessPolicy",
        "glacier:GetVaultLock",
        "glacier:GetVaultNotifications",
        "glacier:ListJobs",
        "glacier:ListMultipartUploads",
        "glacier:ListParts",
        "glacier:ListTagsForVault",
        "glacier:ListVaults",
        "iam:GenerateCredentialReport",
        "iam:Get*",
        "iam:List*",
        "inspector:Describe*",
        "inspector:Get*",
        "inspector:List*",
        "iot:Describe*",
        "iot:Get*",
        "iot:List*",
        "kafka:DescribeCluster",
        "kafka:DescribeClusterV2",
        "kafka:DescribeVpcConnection",
        "kafka:ListClientVpcConnections",
        "kafka:ListClusters",
        "kafka:ListClustersV2",
        "kafka:ListNodes",
        "kafka:ListTagsForResource",
        "kafka:ListVpcConnections",
        "kinesis:Describe*",
        "kinesis:DescribeStream",
        "kinesis:DescribeStreamConsumer",
        "kinesis:DescribeStreamSummary",
        "kinesis:ListShards",
        "kinesis:ListStreamConsumers",
        "kinesis:ListStreams",
        "kinesis:ListTagsForStream",
        "kms:Describe*",
        "kms:Get*",
        "kms:List*",
        "lambda:Get*",
        "lambda:List*",
        "logs:Describe*",
        "logs:Get*",
        "logs:TestMetricFilter",
        "machinelearning:Describe*",
        "machinelearning:Get*",
        "opsworks:Describe*",
        "opsworks:Get*",
        "organizations:ListAccounts",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "redshift:Describe*",
        "redshift:ViewQueriesInConsole",
        "route53:Get*",
        "route53:List*",
        "route53domains:CheckDomainAvailability",
        "route53domains:GetDomainDetail",
        "route53domains:GetOperationDetail",
        "route53domains:ListDomains",
        "route53domains:ListOperations",
        "route53domains:ListTagsForDomain",
        "s3:GetAccelerateConfiguration",
        "s3:GetAnalyticsConfiguration",
        "s3:GetBucket*",
        "s3:GetInventoryConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetMetricsConfiguration",
        "s3:GetReplicationConfiguration",
        "s3:List*",
        "sdb:GetAttributes",
        "sdb:List*",
        "sdb:Select*",
        "ses:Get*",
        "ses:List*",
        "sns:Get*",
        "sns:List*",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "storagegateway:Describe*",
        "storagegateway:List*",
        "swf:Count*",
        "swf:Describe*",
        "swf:Get*",
        "swf:List*",
        "tag:Get*",
        "trustedadvisor:Describe*",
        "waf-regional:Get*",
        "waf-regional:List*",
        "waf:Get*",
        "waf:List*",
        "wafv2:GetWebACL",
        "wafv2:ListResourcesForWebACL",
        "wafv2:ListTagsForResource",
        "wafv2:ListWebACLs",
        "workspaces:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Note: The permissions Hava requests allow for the most detailed diagrams of your AWS environment. You can remove any permissions you're not comfortable with, but this may reduce the accuracy of the analysis, both now and as new features and resources are released.

  4. Click "Review Policy" and give the new policy a name.

  5. Click "Create Policy"; the new policy will be created.
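As an added example (not part of the Hava documentation), the following Python audit classifies every action in a pasted policy as metadata-only or "review", which helps when deciding which permissions to trim as the note above suggests. SAMPLE_POLICY is a constructed excerpt of the policy plus one deliberately added write action; the read-only verb list and DATA_READS set are assumptions of this example, not an AWS-published taxonomy.

```python
import json

# Verb prefixes IAM uses for read-only / metadata operations; "Batch" covers
# BatchGet*/BatchCheck* and "Generate" covers iam:GenerateCredentialReport.
READ_ONLY_VERBS = ("Describe", "Get", "List", "Check", "Count", "Read", "View",
                   "Verify", "Validate", "Query", "Select", "Batch", "Test",
                   "Evaluate", "Generate", "Search")

# Reads that return data (object contents, queue messages, console dumps) or
# have side effects rather than returning metadata; worth a second look in a
# role that only needs to draw diagrams. (Assumed list for this example.)
DATA_READS = {"ec2:GetConsoleOutput", "sqs:ReceiveMessage", "codecommit:GitPull",
              "glacier:GetJobOutput", "es:ESHttpGet", "es:ESHttpHead", "apigateway:GET"}

def audit_policy(policy_json: str) -> dict:
    """Classify every Allow action in an IAM policy document.

    Returns {"metadata": sorted read-only actions, "review": {action: reason}}.
    Actions whose verb does not start with a read-only prefix (e.g. config:Deliver*
    or a write action someone added later) are flagged, as are DATA_READS.
    """
    metadata, review = [], {}
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            verb = action.partition(":")[2] or action   # bare "*" has no service part
            if action in DATA_READS:
                review[action] = "returns data or has side effects, not just metadata"
            elif not verb.startswith(READ_ONLY_VERBS):
                review[action] = f"verb '{verb}' is not a read-only prefix"
            else:
                metadata.append(action)
    return {"metadata": sorted(metadata), "review": review}

# Constructed excerpt of the policy above, plus one write action
# (ec2:TerminateInstances) to show what the audit flags.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["acm:DescribeCertificate", "ec2:Describe*", "ec2:GetConsoleOutput",
               "config:Deliver*", "sqs:ReceiveMessage", "s3:GetBucket*",
               "iam:List*", "ec2:TerminateInstances"]}]})

if __name__ == "__main__":
    for action, reason in audit_policy(SAMPLE_POLICY)["review"].items():
        print(f"REVIEW {action}: {reason}")
```

Run it against the full policy you pasted to get a list of actions to confirm or remove before creating the policy.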


Setup cross account role

After creating the IAM policy in AWS, the next step is to configure your cross-account role.

  1. Return to Hava and select the Amazon Data Source.

  2. Ensure the "Cross Account Role" tab is selected.

  3. Click the "Auto Config" button. This will open the Create Role dialog in your AWS Console with the fields pre-filled.

It’s important to verify the following:

  • Ensure the "Account ID" and "External ID" match the dialogue window in Hava.

  • Ensure "Require MFA" remains unchecked.

  4. Click on Select trusted entity > AWS account.

  5. Select the option for a 3rd party to perform actions in this account, then:

    1. Confirm the "Account ID" from Hava.

    2. Check "Require external ID".

    3. Confirm the "External ID" from Hava.

    4. Uncheck "Require MFA".

  6. Attach permissions policies:

    1. In the "Filter policies" search box, enter the name you gave the new Hava policy (you may need to click the "Refresh" button). Once found, tick its checkbox.

    2. Select "Next: Tags" (you can skip this step).

    3. Select "Next: Review".

  7. Copy the "Role ARN".

  8. Return to the Hava tab in your browser.

    1. Paste the Role ARN into the Hava dialogue box.

    2. (Optional) Add a friendly name for your source; if left blank, Hava will use your AWS account name.

    3. Click "Import".
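Added example, not Hava's own code: given the Account ID and External ID shown in the Hava dialog, this builds the trust policy the Create Role dialog should produce and checks an existing role's trust policy against the three points above (trusted account, external ID, MFA unchecked), plus a format check on the Role ARN copied in step 7. HAVA_ACCOUNT_ID and EXTERNAL_ID are constructed placeholders; the real values come from the Hava dialog.

```python
import json
import re

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

def expected_trust_policy(hava_account_id: str, external_id: str) -> dict:
    """Trust policy the Create Role dialog produces for the settings on this page:
    trusted account = Hava's, external ID required, MFA not required."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{hava_account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}

def check_trust_policy(trust_json: str, hava_account_id: str, external_id: str) -> list:
    """Compare a role's trust policy with the values shown in the Hava dialog.
    Returns a list of problems; an empty list means the role matches all three checks."""
    problems, found = [], False
    ok_principals = {hava_account_id, f"arn:aws:iam::{hava_account_id}:root"}
    for stmt in json.loads(trust_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        found = True
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if not principals or not ok_principals.issuperset(principals):
            problems.append(f"trusted principal {principals} is not Hava's account {hava_account_id}")
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get("sts:ExternalId") != external_id:
            problems.append("sts:ExternalId condition missing or does not match the Hava dialog")
        if str(cond.get("Bool", {}).get("aws:MultiFactorAuthPresent", "false")).lower() == "true":
            problems.append("Require MFA is checked; it must stay unchecked for Hava to assume the role")
    if not found:
        problems.append("no Allow sts:AssumeRole statement found")
    return problems

def role_arn_is_valid(arn: str) -> bool:
    """Format check (12-digit account id, role path/name) before pasting the ARN into Hava."""
    return ROLE_ARN_RE.match(arn.strip()) is not None

# Constructed placeholders, not Hava's real account id or an issued external id.
HAVA_ACCOUNT_ID, EXTERNAL_ID = "111111111111", "hava-external-id-placeholder"
GOOD = json.dumps(expected_trust_policy(HAVA_ACCOUNT_ID, EXTERNAL_ID))
# The same role with the external ID mistyped and "Require MFA" left checked.
BAD = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{HAVA_ACCOUNT_ID}:root"}, "Action": ["sts:AssumeRole"],
    "Condition": {"StringEquals": {"sts:ExternalId": "typo"},
                  "Bool": {"aws:MultiFactorAuthPresent": "true"}}}]})
```

Feed `check_trust_policy` the trust document of the role you just created (for example from the role's "Trust relationships" tab) to confirm it before clicking "Import".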

Video walkthrough

For further assistance, watch the video below on setting up and connecting your AWS account using a cross-account role.

Troubleshooting

Request limit exceeded for (resource)

You can increase these limits in the AWS console, or restrict access to this service in your policy if it's not required.

You can learn more at AWS:

  • Elastic Beanstalk: AWS Elastic Beanstalk endpoints and quotas

  • Step Functions: AWS Step Functions endpoints and quotas

Failed to authenticate

Please verify that you've entered the correct ARN and placed it in the correct input field as outlined in steps 7 and 8.

Failed to create EKS source

This error typically indicates a private cluster. Currently, we only support public clusters.

We're working on supporting private clusters and hope to offer this feature soon.