Setup inCloud Managed with AWS
inCloud Managed is one of our setup options, which install our platform's infrastructure in a cloud environment owned by your organization, allowing you to delegate its entire setup, update, and maintenance to groundcover.
Note: inCloud Managed is available exclusively to Enterprise users.
inCloud Managed requires to create an isolated account within your AWS organization, that will be managed by groundcover's control plane and will establish, configure, and maintain the infrastructure and workloads within the account. These include AWS VPC, S3, EKS, LB, etc.
To complete the installation of inCloud Managed (total estimated time: 1 hour) you will need to follow these steps, all of which are detailed in the guide that follows:
Step 0: Create a workspace
If you've previously set up a workspace with groundcover, skip this step
Follow the steps in the link below to signup and create a workspace in groundcover:
Step 1: Allocate an AWS account to groundcover
groundcover inCloud Managed can be deployed using one the following configurations:
Option A: Creating a new, dedicated sub-account
We recommend naming the account [groundcover-incloud] and placing the account in OU=Infrastructure/OU=Managed. For additional information please see Establishing your best practice AWS environment (external link to a page on the AWS website).
Option B: Use an existing AWS account
If you prefer using a single account approach, inCloud Managed can also be deployed into an existing account, running alongside existing production workloads in your existing AWS account. To limit access and prevent resource collusion, we implement a “scoping territory” approach using ABAC tags for access control and VPC subnets for network control.
Choose your telemetry delivery method
By default, groundcover inCloud Managed deploys as a SaaS solution using ZTNA public, allowing you to deliver telemetry data securely over the public internet.
Prefer private networking is supported with Private Link.
Step 2: Ask for your External ID
Users on an Enterprise plan (prerequisite for inCloud Managed) have access to a private support channel on Slack for their organization. Use that channel to let us know that you're ready to get started with the inCloud Managed setup and ask for your External ID. The groundcover team will share your External ID with you.
Step 3: Setup a cross-account IAM role
To grant our control-plane access to the account, we use AWS’s built-in access federation feature.
The following guide will walk you through the steps required to setup this access.
Option A: Create groundcover Role via CloudFormation
3.1 - Run groundcover CloudFormation
For quick integration, we recommend using our CloudFormation template to deploy the groundcover role inside the new account. Click here for the CloudFormation template.
Make sure to enter the external ID provided by groundcover.
Option B: Create groundcover Role Manually
3.1 - Create a Role
Log in as a privileged user to the AWS account chosen in Step 1.
Navigate to IAM -> Roles
Click “Create role”
3.2 - Select trusted entity
Trusted entity type: Select “AWS Account”
An AWS account: Check "Another AWS account"; Account ID: 991078109329
Options: Check "Require external ID" and enter your External ID (see Step 1)
Make sure “Require MFA” is unchecked
Click "Next"
In the following screen, do not attach any managed permissions
Click "Next"
3.3 - Name, review, and create
Fill in the following details:
Role name: Type
groundcover-managedDescription: Optional field, your can write any free text description that can be helpful for you and others to understand this purpose of this role in the future (e.g. “app.groundcover.com control plane access”)
Tags: Type
groundcover:access = read. You can also use specify additional workflow-oriented tags
Click "Create role"
3.4 - Trust relationships
Search for the newly created groundcover-managed role (or scroll down the list until you find it) and click on it.
Navigate to the "Trust relationships" screen.
Click "Edit trust policy"
Replace the statement with the following snippet:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::991078109329:role/control-plane"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<External ID: Enter your ID (shared with you by groundcover)>"
}
}
}
]
}Click "Update Policy"
3.5 - Inline Policy
Due to AWS inline policy character limits, when updating the policy version, update the existing inline policy, or delete and then create the new inline policy with the new version name
Navigate to "Permissions" tab.
Click "Add permissions" -> "Create inline policy"
Click the “JSON” tab and paste the following policy into the text box:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Access",
"Effect": "Allow",
"Resource": "*",
"Action": [
"sts:GetCallerIdentity",
"sts:SetSourceIdentity"
]
},
{
"Sid": "DriftReconcilerServiceRoles",
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole",
"iam:DeleteServiceLinkedRole",
"iam:GetServiceLinkedRoleDeletionStatus"
],
"Resource": [
"arn:aws:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/*",
"arn:aws:iam::*:role/aws-service-role/autoscaling.amazonaws.com/*",
"arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/*",
"arn:aws:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/*",
"arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/*"
]
},
{
"Sid": "ConsoleAccess",
"Effect": "Allow",
"Resource": "*",
"Action": [
"elasticloadbalancing:Describe*",
"eks:List*"
]
},
{
"Sid": "CostController",
"Effect": "Allow",
"Resource": "*",
"Action": [
"aws-portal:ViewBilling",
"billing:Get*",
"billing:List*",
"ce:Describe*",
"ce:Get*",
"ce:List*",
"cur:Get*",
"cur:Describe*",
"cur:PutReportDefinition"
]
},
{
"Sid": "HealthController",
"Effect": "Allow",
"Resource": "*",
"Action": [
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"health:Describe*",
"logs:Describe*",
"logs:Filter*",
"logs:List*",
"logs:Start*",
"logs:Stop*",
"logs:Test*",
"servicequotas:Get*",
"servicequotas:List*",
"ec2messages:Get*",
"events:Describe*",
"events:List*",
"events:Test*",
"lambda:List*"
]
},
{
"Sid": "HealthControllerLogsGet",
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:*groundcover*"
],
"Action": [
"logs:Get*"
]
},
{
"Sid": "DriftReconciler",
"Effect": "Allow",
"Resource": "*",
"Action": [
"iam:ListPolicies",
"iam:ListRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:ListAttachedRolePolicies",
"ec2:Describe*",
"eks:Describe*"
]
},
{
"Sid": "DriftReconcilerGetRole",
"Effect": "Allow",
"Resource": [
"arn:aws:iam::*:role/*groundcover*",
"arn:aws:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/*"
],
"Action": [
"iam:GetRole"
]
},
{
"Sid": "ControlPlaneModifyUntagged",
"Effect": "Allow",
"Resource": "*",
"Action": [
"ec2:ReplaceRouteTableAssociation",
"ec2:DisassociateAddress",
"logs:CreateLogDelivery",
"logs:DeleteLogDelivery",
"vpce:AllowMultiRegion",
"ec2:RunInstances"
]
},
{
"Sid": "ControlPlaneCreateTagged",
"Effect": "Allow",
"Resource": "*",
"Action": [
"acm:RequestCertificate",
"ec2:AllocateAddress",
"ec2:Create*",
"ec2:Run*",
"eks:CreateCluster",
"eks:CreateNodegroup",
"eks:Tag*",
"logs:Create*",
"logs:Tag*",
"iam:CreateRole",
"iam:CreateOpenIDConnectProvider",
"iam:Tag*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/groundcover:access": "owner"
},
"ForAnyValue:StringEquals": {
"aws:TagKeys": [
"groundcover:access"
]
}
}
},
{
"Sid": "ControlPlaneReadBygroundcoveraccess",
"Effect": "Allow",
"Resource": "*",
"Action": [
"ec2:Get*",
"iam:Get*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/groundcover:access": "read"
}
}
},
{
"Sid": "ControlPlaneModifyBygroundcoveraccess",
"Effect": "Allow",
"Resource": "*",
"Action": [
"acm:*",
"ec2:*",
"eks:*",
"logs:*",
"events:*",
"lambda:*",
"elasticloadbalancing:*",
"iam:AddClientIDToOpenIDConnectProvider",
"iam:Get*",
"iam:Delete*",
"iam:DetachRolePolicy",
"iam:Tag*",
"iam:Untag*",
"iam:Update*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/groundcover:access": "owner"
}
}
},
{
"Sid": "ControlPlaneModifyTaggedByeksclusername",
"Effect": "Allow",
"Resource": "*",
"Action": [
"ec2:*"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/eks:cluster-name": "groundcover*"
}
}
},
{
"Sid": "ControlPlaneModifyTaggedByawseksclusername",
"Effect": "Allow",
"Resource": "*",
"Action": [
"ec2:*"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/aws:eks:cluster-name": "groundcover*"
}
}
},
{
"Sid": "ControlPlaneModifyTaggedByKubernetesCluster",
"Effect": "Allow",
"Resource": "*",
"Action": [
"ec2:*"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/KubernetesCluster": "groundcover*"
}
}
},
{
"Sid": "ControlPlaneEKSRoleAttachPolicy",
"Effect": "Allow",
"Action": [
"iam:AttachRolePolicy"
],
"Resource": "arn:aws:iam::*:role/groundcover*",
"Condition": {
"ArnEquals": {
"iam:PolicyARN": [
"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
"arn:aws:iam::aws:policy/AmazonEKSServicePolicy",
"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
"arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy",
"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
"arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
]
},
"StringEquals": {
"aws:ResourceTag/groundcover:access": "owner"
}
}
},
{
"Sid": "ControlPlaneEKSPassRole",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::*:role/groundcover*",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"eks.amazonaws.com",
"monitoring.rds.amazonaws.com",
"rds.amazonaws.com"
]
}
}
},
{
"Sid": "ControlPlaneEKSRoles",
"Effect": "Allow",
"Action": [
"iam:PutRolePolicy"
],
"Resource": [
"arn:aws:iam::*:role/groundcover*"
]
},
{
"Sid": "ControlPlaneS3",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::groundcover*"
]
},
{
"Sid": "ControlPlaneRDSTaggedResources",
"Effect": "Allow",
"Resource": "*",
"Action": [
"rds:*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/groundcover:access": "owner"
}
}
},
{
"Sid": "ControlPlaneRDSCreateTagged",
"Effect": "Allow",
"Resource": "*",
"Action": [
"rds:CreateDBCluster",
"rds:CreateDBInstance",
"rds:CreateDBSubnetGroup",
"rds:AddTagsToResource"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/groundcover:access": "owner"
},
"ForAnyValue:StringEquals": {
"aws:TagKeys": [
"groundcover:access"
]
}
}
},
{
"Sid": "ControlPlaneRDSDescribe",
"Effect": "Allow",
"Resource": "*",
"Action": [
"rds:Describe*",
"rds:List*"
]
},
{
"Sid": "BillingAndKarpenterSQS",
"Effect": "Allow",
"Action": [
"sqs:UntagQueue",
"sqs:GetQueueAttributes",
"sqs:ListQueueTags",
"sqs:TagQueue",
"sqs:DeleteQueue",
"sqs:CreateQueue",
"sqs:SetQueueAttributes"
],
"Resource": [
"arn:aws:sqs:*:*:groundcover*"
]
},
{
"Sid": "BillingIntegration",
"Effect": "Allow",
"Action": [
"bcm-data-exports:GetExport",
"bcm-data-exports:ListTagsForResource",
"bcm-data-exports:CreateExport",
"bcm-data-exports:TagResource",
"bcm-data-exports:DeleteExport",
"bcm-data-exports:UntagResource"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/groundcover:access": "owner"
}
}
},
{
"Sid": "ControlPlaneEC2TagOnCreate",
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:CreateAction": [
"Create*"
]
},
"StringNotEquals": {
"ec2:CreateAction": [
"CreateTags"
]
}
}
},
{
"Sid": "BedrockAccess",
"Effect": "Allow",
"Resource": "*",
"Action": [
"bedrock:ListFoundationModelAgreementOffers",
"bedrock:CreateFoundationModelAgreement",
"bedrock:ListFoundationModels",
"bedrock:GetFoundationModel"
]
},
{
"Sid": "LambdaCreateUpdateAccess",
"Effect": "Allow",
"Resource": "*",
"Action": [
"lambda:CreateFunction",
"lambda:UpdateFunctionCode",
"lambda:UpdateFunctionConfiguration",
"lambda:PublishVersion",
"lambda:CreateAlias",
"lambda:UpdateAlias",
"lambda:CreateEventSourceMapping",
"lambda:UpdateEventSourceMapping",
"lambda:TagResource"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/groundcover:access": "owner"
},
"ForAnyValue:StringEquals": {
"aws:TagKeys": [
"groundcover:access"
]
}
}
},
{
"Sid": "EventBridgeCreateAccess",
"Effect": "Allow",
"Resource": "*",
"Action": [
"events:PutRule",
"events:PutTargets",
"events:TagResource"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/groundcover:access": "owner"
},
"ForAnyValue:StringEquals": {
"aws:TagKeys": [
"groundcover:access"
]
}
}
},
{
"Sid": "serviceQuotasControl",
"Effect": "Allow",
"Resource": "*",
"Action": [
"servicequotas:RequestServiceQuotaIncrease",
"servicequotas:List*",
"servicequotas:Get*"
]
}
]
}Click "Next"
Click “Review Policy”
Enter the following Policy name: inline-policy-2.4.12
Click “Create policy”
We create the inline policy to adhere to security best practices (external link to Wikipedia) by limiting access on IAM, EC2 and related services to the bare minimum required for control plane operations including: health monitoring, security patches, auto scaling and version updates.
Step 4: Share the ARN & region
Security of groundcover Control-Plane
groundcover Control-Plane is a secure reconciliation controller designed to manage enterprise inCloud infrastructure environments. It is compliant with ISO-27001 and SOC-2 standards.
The control plane can securely access your groundcover-incloud account by using a cross-account IAM role.
Binding Access
To establish the Trust Relationship, please share the following information with groundcover.
Go to IAM > Roles > groundcover-managed > Trust relationships
Verify that the
sts:ExternalIdis as was provided by the groundcover teamTake note of your ARN number, which you will need to share with the groundcover team using our shared Slack channel.
Example:
Step 5: Get installation values
After you share the ARN & Region with us, we will need to setup the backend. Once we do, we will share with you the configuration details required for you to complete Step 6 (below).
Step 6: Deploy our sensors
The final step is to deploy our sensors into the environment. In order to do so, follow this guide.
Last updated