All pages
Powered by GitBook
1 of 3

Setup inCloud Managed with AWS

inCloud Managed is one of our setup options, which install our platform's infrastructure in a cloud environment owned by your organization, allowing you to delegate its entire setup, update, and maintenance to groundcover.

Note: inCloud Managed is available exclusively to Enterprise users.

inCloud Managed requires to create an isolated account within your AWS organization, that will be managed by groundcover's control plane and will establish, configure, and maintain the infrastructure and workloads within the account. These include AWS VPC, S3, EKS, LB, etc.

To complete the installation of inCloud Managed (total estimated time: 1 hour) you will need to follow these steps, all of which are detailed in the guide that follows:

Step 1: Allocate an AWS account to groundcover

groundcover inCloud Managed can be deployed using one the following configurations:

In line with AWS’s recommended unit of containerization, the default and preferable option is to deploy in a dedicated AWS account. This acts as an identity, resources, quota and access management isolation boundary.

Option A: Creating a new, dedicated sub-account

Option B: Use an existing AWS account

If you prefer using a single account approach, inCloud Managed can also be deployed into an existing account, running alongside existing production workloads in your existing AWS account. To limit access and prevent resource collusion, we implement a “scoping territory” approach using ABAC tags for access control and VPC subnets for network control.

Choose your telemetry delivery method

By default, groundcover inCloud Managed deploys as a SaaS solution using ZTNA public, allowing you to deliver telemetry data securely over the public internet.

Prefer private networking is supported with Private Link.

Step 2: Ask for your External ID

Step 3: Setup a cross-account IAM role

The following guide will walk you through the steps required to setup this access.

Option A: Create groundcover Role via CloudFormation

3.1 - Run groundcover CloudFormation

Make sure to enter the external ID provided by groundcover.

Option B: Create groundcover Role Manually

3.1 - Create a Role

  2. Navigate to IAM -> Roles

  3. Click “Create role

3.2 - Select trusted entity

  1. Trusted entity type: Select “AWS Account

  2. An AWS account: Check "Another AWS account"; Account ID: 991078109329

  4. Make sure “Require MFA” is unchecked

  5. Click "Next"

  6. In the following screen, do not attach any managed permissions

  7. Click "Next"

Note: AWS can’t verify MFA login in cross-account operational mode. groundcover control-plane is enforcing strict security principals, including MFA.

3.3 - Name, review, and create

Fill in the following details:

  • Role name: Type groundcover-managed

  • Description: Optional field, your can write any free text description that can be helpful for you and others to understand this purpose of this role in the future (e.g. “app.groundcover.com control plane access”)

  • Tags: Type groundcover:access = read. You can also use specify additional workflow-oriented tags

Click "Create role"

3.4 - Trust relationships

Search for the newly created groundcover-managed role (or scroll down the list until you find it) and click on it.

Navigate to the "Trust relationships" screen.

Click "Edit trust policy"

Replace the statement with the following snippet:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::991078109329:role/control-plane"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<External ID: Enter your ID (shared with you by groundcover)>"
        }
      }
    }
  ]
}

Click "Update Policy"

3.5 - Inline Policy

Navigate to "Permissions" tab.

Click "Add permissions" -> "Create inline policy"

Click the “JSON” tab and paste the following policy into the text box:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Access",
			"Effect": "Allow",
			"Resource": "*",
			"Action": [
				"sts:GetCallerIdentity",
				"sts:SetSourceIdentity"
			]
		},
		{
			"Sid": "ConsoleAccess",
			"Effect": "Allow",
			"Resource": "*",
			"Action": [
				"elasticloadbalancing:Describe*",
				"eks:List*"
			]
		},
		{
			"Sid": "CostController",
			"Effect": "Allow",
			"Resource": "*",
			"Action": [
				"aws-portal:ViewBilling",
				"billing:Get*",
				"billing:List*",
				"ce:Describe*",
				"ce:Get*",
				"ce:List*",
				"cur:Get*",
				"cur:Describe*",
				"cur:PutReportDefinition"
			]
		},
		{
			"Sid": "HealthController",
			"Effect": "Allow",
			"Resource": "*",
			"Action": [
				"cloudwatch:Describe*",
				"cloudwatch:Get*",
				"cloudwatch:List*",
				"health:Describe*",
				"logs:Describe*",
				"logs:Filter*",
				"logs:List*",
				"logs:Start*",
				"logs:Stop*",
				"logs:Test*",
				"servicequotas:Get*",
				"servicequotas:List*",
				"ec2messages:Get*",
				"events:Describe*",
				"events:List*",
				"events:Test*"
			]
		},
		{
			"Sid": "HealthControllerLogsGet",
			"Effect": "Allow",
			"Resource": [
				"arn:aws:logs:*:*:log-group:*groundcover*"
			],
			"Action": [
				"logs:Get*"
			]
		},
		{
			"Sid": "DriftReconciler",
			"Effect": "Allow",
			"Resource": "*",
			"Action": [
				"iam:ListPolicies",
				"iam:ListRolePolicies",
				"iam:ListInstanceProfilesForRole",
				"iam:ListAttachedRolePolicies",
				"ec2:Describe*",
				"eks:Describe*"
			]
		},
		{
			"Sid": "DriftReconcilerServiceRoles",
			"Effect": "Allow",
			"Action": [
				"iam:CreateServiceLinkedRole",
				"iam:DeleteServiceLinkedRole",
				"iam:GetServiceLinkedRoleDeletionStatus"
			],
			"Resource": [
				"arn:aws:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/*",
				"arn:aws:iam::*:role/aws-service-role/autoscaling.amazonaws.com/*",
				"arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/*",
				"arn:aws:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/*"
			]
		},
		{
			"Sid": "DriftReconcilerGetRole",
			"Effect": "Allow",
			"Action": [
				"iam:GetRole"
			],
			"Resource": [
				"arn:aws:iam::*:role/*groundcover*",
				"arn:aws:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/*"
			]
		},
		{
			"Sid": "ControlPlaneEC2TagOnCreate",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateTags"
			],
			"Resource": "*",
			"Condition": {
				"StringLike": {
					"ec2:CreateAction": [
						"Create*"
					]
				},
				"StringNotEquals": {
					"ec2:CreateAction": [
						"CreateTags"
					]
				}
			}
		},
		{
			"Sid": "ControlPlaneModifyUntagged",
			"Effect": "Allow",
			"Resource": "*",
			"Action": [
				"ec2:ReplaceRouteTableAssociation",
				"ec2:DisassociateAddress",
				"logs:CreateLogDelivery",
				"logs:DeleteLogDelivery",
				"vpce:AllowMultiRegion"
			]
		},
		{
			"Sid": "ControlPlaneCreateTagged",
			"Effect": "Allow",
			"Resource": "*",
			"Action": [
				"acm:RequestCertificate",
				"ec2:AllocateAddress",
				"ec2:Create*",
				"ec2:Run*",
				"eks:CreateCluster",
				"eks:Tag*",
				"logs:Create*",
				"logs:Tag*",
				"iam:CreateRole",
				"iam:CreateOpenIDConnectProvider",
				"iam:Tag*"
			],
			"Condition": {
				"StringEquals": {
					"aws:RequestTag/groundcover:access": "owner"
				},
				"ForAnyValue:StringEquals": {
					"aws:TagKeys": [
						"groundcover:access"
					]
				}
			}
		},
		{
			"Sid": "ControlPlaneReadBygroundcoveraccess",
			"Effect": "Allow",
			"Resource": "*",
			"Action": [
				"ec2:Get*",
				"iam:Get*"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceTag/groundcover:access": "read"
				}
			}
		},
		{
			"Sid": "ControlPlaneModifyBygroundcoveraccess",
			"Effect": "Allow",
			"Resource": "*",
			"Action": [
				"acm:*",
				"ec2:*",
				"eks:*",
				"logs:*",
				"elasticloadbalancing:*",
				"iam:AddClientIDToOpenIDConnectProvider",
				"iam:Get*",
				"iam:Delete*",
				"iam:DetachRolePolicy",
				"iam:Tag*",
				"iam:Untag*",
				"iam:Update*"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceTag/groundcover:access": "owner"
				}
			}
		},
		{
			"Sid": "ControlPlaneModifyTaggedByeksclusername",
			"Effect": "Allow",
			"Resource": "*",
			"Action": [
				"ec2:*"
			],
			"Condition": {
				"StringLike": {
					"aws:ResourceTag/eks:cluster-name": "groundcover*"
				}
			}
		},
		{
			"Sid": "ControlPlaneModifyTaggedByawseksclusername",
			"Effect": "Allow",
			"Resource": "*",
			"Action": [
				"ec2:*"
			],
			"Condition": {
				"StringLike": {
					"aws:ResourceTag/aws:eks:cluster-name": "groundcover*"
				}
			}
		},
		{
			"Sid": "ControlPlaneModifyTaggedByKubernetesCluster",
			"Effect": "Allow",
			"Resource": "*",
			"Action": [
				"ec2:*"
			],
			"Condition": {
				"StringLike": {
					"aws:ResourceTag/KubernetesCluster": "groundcover*"
				}
			}
		},
		{
			"Sid": "ControlPlaneEKSRoleAttachPolicy",
			"Effect": "Allow",
			"Action": [
				"iam:AttachRolePolicy"
			],
			"Resource": "arn:aws:iam::*:role/groundcover*",
			"Condition": {
				"ArnEquals": {
					"iam:PolicyARN": [
						"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
						"arn:aws:iam::aws:policy/AmazonEKSServicePolicy",
						"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
						"arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy",
						"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
						"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
					]
				},
				"StringEquals": {
					"aws:ResourceTag/groundcover:access": "owner"
				}
			}
		},
		{
			"Sid": "ControlPlaneEKSPassRole",
			"Effect": "Allow",
			"Action": "iam:PassRole",
			"Resource": "arn:aws:iam::*:role/groundcover*",
			"Condition": {
				"StringEquals": {
					"iam:PassedToService": [
						"eks.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "ControlPlaneEKSRoles",
			"Effect": "Allow",
			"Action": [
				"iam:PutRolePolicy"
			],
			"Resource": [
				"arn:aws:iam::*:role/groundcover*"
			]
		},
		{
			"Sid": "ControlPlaneS3",
			"Effect": "Allow",
			"Action": "s3:*",
			"Resource": [
				"arn:aws:s3:::groundcover*"
			]
		},
		{
			"Sid": "BillingIntegrationSQS",
			"Effect": "Allow",
			"Action": [
				"sqs:UntagQueue",
				"sqs:GetQueueAttributes",
				"sqs:ListQueueTags",
				"sqs:TagQueue",
				"sqs:DeleteQueue",
				"sqs:CreateQueue",
				"sqs:SetQueueAttributes"
			],
			"Resource": [
				"arn:aws:sqs:*:*:groundcover*"
			]
		},
		{
			"Sid": "BillingIntegration",
			"Effect": "Allow",
			"Action": [
				"bcm-data-exports:GetExport",
				"bcm-data-exports:ListTagsForResource",
				"bcm-data-exports:CreateExport",
				"bcm-data-exports:TagResource",
				"bcm-data-exports:DeleteExport",
				"bcm-data-exports:UntagResource"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceTag/groundcover:access": "owner"
				}
			}
		}
	]
}

Click "Next"

Click “Review Policy

Enter the following Policy name: inline-policy-2.4.6

Click “Create policy

We create the inline policy to adhere to security best practices (external link to Wikipedia) by limiting access on IAM, EC2 and related services to the bare minimum required for control plane operations including: health monitoring, security patches, auto scaling and version updates.

Step 4: Share the ARN & region

Security of groundcover Control-Plane

groundcover Control-Plane is a secure reconciliation controller designed to manage enterprise inCloud infrastructure environments. It is compliant with ISO-27001 and SOC-2 standards.

The control plane can securely access your groundcover-incloud account by using a cross-account IAM role.

Setting up groundcover inCloud does not require access to your production data or workloads, nor does it grant it such access.

Binding Access

To establish the Trust Relationship, please share the following information with groundcover.

  1. Go to IAM > Roles > groundcover-managed > Trust relationships

  2. Verify that the sts:ExternalId is as was provided by the groundcover team

  3. Take note of your ARN number, which you will need to share with the groundcover team using our shared Slack channel.

Example:

Step 5: Get installation values

After you share the ARN & Region with us, we will need to setup the backend. Once we do, we will share with you the configuration details required for you to complete Step 6 (below).

Step 6: Deploy our sensors

The final step is to deploy our sensors into the environment. In order to do so, follow this guide.

AWS PrivateLink Setup

groundcover's inCloud comes with VPC service endpoint (PrivateLink) built in. The PrivateLink endpoint let you ingest data through private network and reduce data transfer costs.

Prerequisites

  • Get the VPC service endpoint name value provided by groundcover during inCloud installation.

  • Cross-region Ingestion: To keep cloud cost low as possible, PrivateLink connection is enabled only on the backend region by default. To allow cross-region endpoint send the require region to groundcover team.

Setup PrivateLink connection

  1. Make sure DNS resolution is enabled on the VPC.

  2. Create Security group for the VPC endpoint that allow port 443 from your workloads ( K8s nodes / EC2s).

  3. Create VPC endpoint.

    1. Choose the service endpoint name provided by groundcover.

    2. (Optional) If the endpoint created on different region then inCloud backend, click on cross region and choose the backend's region

    3. Enable DNS

  4. Choose the required subnets for the VPC endpoint.

  5. Choose the security group created in step 1 for the VPC endpoint

  6. Create the VPC endpoint

Troubleshooting

Open shell on the monitored workload on the same VPC

Use nslookup to determine if DNS configured correctly, if the endpoint returns IPs that are not from your VPC CIDRs, double check the DNS configuration

  • nslookup <groundcover backend endpoint>

Use netcat to test the security groups configured correctly, if you get timeout to the VPC endpoint double check the inboud rules on the VPC endpoint and the outbound rule on the workload security groups

  • nc -vz <groundcover backend endpoint> 443

EKS add-on

groundcover's EKS add-on is the easiest way to deploy the groundcover eBPF sensor on your EKS cluster, and connect it directly to your inCloud Managed observability backend.

Enable Add-on

Namespace

Create groundcover namespace on your EKS cluster

kubectl create ns groundcover

API Key Secret

Create groundcover API-key secret on your EKS cluster

# Install the groundcover CLI
sh -c "$(curl -fsSL <https://groundcover.com/install.sh>)"

# Login to your groundcover account
groundcover auth login

# Fetch your api key
groundcover auth print-api-key

# Create secret
API_KEY=<paste-api-key>
kubectl create secret generic api-key \
    -n groundcover \
    --from-literal API_KEY="${API_KEY}"

Configuration Values

Create the following agent-values.yaml file and fill in the required values accordingly.

global:
    ingress:
        site: <incloud-site>

If you don't know what your inCloud site is, get support on Slack.

Create Add-on

Run the following command to enable the groundcover agent add-on for your Amazon EKS cluster

aws eks create-addon \
    --region <region> \
    --cluster-name <cluster-name> \
    --addon-name groundcover_agent \
    --configuration-values 'file://agent-values.yaml'

Disable Add-on

Run the following command to disable the groundcover agent add-on for your Amazon EKS cluster.

aws eks delete-addon \
    --region <region> \
    --cluster-name <cluster-name> \
    --addon-name groundcover_agent