AWS Integration (beta)

Learn how to set up a connection(s) and import your AWS data into Ardoq by following this step-by-step guide.

Written by Nicholas Boyd
Updated over a week ago

Amazon Web Services (AWS) is a robust cloud computing platform that offers a range of services such as computing power, database storage, and content delivery, among others. AWS can be integrated with Ardoq to enhance the capabilities of enterprise architecture management. This integration enables you to sync AWS assets and configurations into your Ardoq environment and to visualize, analyze, and optimize the IT landscape.

Set up the integration

  1. Navigate to Import & Integrations.

  2. Click the AWS (beta) card.

  3. When in the integration, navigate to Connections and create a new connection.

  • Connection name: The name of the connection you’re setting up. This will show in the ‘connections’ tab on the homepage for the integration.

  • Authentication type:

    • Role Based: Authenticate with AWS IAM role - please read more here

    • Access key: Authenticate with AWS IAM user credentials - please read more here

    • Please note: With either of the above authentication methods, we recommend using an IAM policy to restrict access to only the AWS resources you will use with Ardoq. Please read this example.

Once you have created a successful connection, navigate to create new imports on the AWS integration homepage.

Select data

  1. Select the connections you would like to create the import with.

  2. Select the regions of your infrastructure. New to this version of the integration is that only the geographic locations of your infrastructure will show in the drop-down.

Optional step: Next up is filtering Virtual Private Cloud(s) (VPCs). All VPCs connected to the connection and regions you set up will show in the drop-down.

Configure data

Start by defining whether the table rows contain components or references, then choose the target workspace to import the data into.

Review Import

When reviewing the import you’ve set up, you can see how many components have been created, the number of fields, and whether any errors have occurred.

Remember to save the configuration if you would like to build off of what you have set up. You can find your saved configurations in the configurations tab on the AWS integration home page.

Import & Schedule

You can set up a scheduled import and choose to have automatic imports on a daily or weekly basis. On this page you get an overview of the table that will be imported and to which workspace. Now that all is done, open the workspace and start visualizing your data.

Technical Documentation

Below you can read more technical documentation about AWS and Ardoq, making sure that you set everything up correctly.

How to authenticate with AWS IAM user credentials

To authenticate with IAM user credentials, you’ll need to provide the IAM Access Key and IAM Secret Access Key to Ardoq by selecting the Access Key radio button and filling in the relevant fields.

Refer to the AWS guide on how to manage the access keys for an IAM user.

How to authenticate with AWS IAM role

Authenticating with an AWS IAM role does not require sharing your AWS credentials with Ardoq. It is therefore considered a safer approach that gives you more control over access to your AWS data. In brief, this authentication method allows a specific Ardoq AWS role to make AWS API calls on behalf of your AWS role.

To set up role-based authentication, select the Role-based radio button and fill in the Role ARN text field. The Role ARN is the identifier of the AWS role that you have set up for the integration with Ardoq. Amazon has detailed documentation describing the process of creating a role.

Role ARN: Refers to the AWS IAM role that needs to be created in your AWS account. If multiple AWS accounts need to be connected to Ardoq, an IAM role needs to be created for each AWS account.

External ID: This is an additional security measure that we use to address the so-called "Confused Deputy Problem". It is an Amazon-recommended way of making sure that our users cannot request data that does not belong to them. We generate this External ID for you, but you will need it when you set up the trust policy for the AWS role you plan to use for the integration with Ardoq.

Ardoq Role ARN: This is the role that Ardoq will use in order to assume your role. You need this information when you create and attach a trust policy for your role.

Trust Relationship Configs

After the role is created, a trust policy must be set up that allows Ardoq to use the role to import data. You can learn more about trust policies from this blog post from AWS.

This is a JSON example of a trust policy that you will need to set up in your AWS account:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ArdoqRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<Ardoq-Role-ARN-goes-here>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<External-ID-goes-here>"
        }
      }
    }
  ]
}
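A check you can run against the trust policy before attaching it, added here as an example and not Ardoq's own code: it confirms that only the Ardoq role may assume your role and that the External ID condition is present and exact. The ARN, the External ID, and the function and variable names are constructed placeholders.

```python
# Constructed sample values; use the ones shown in your Ardoq connection dialog.
ARDOQ_ROLE_ARN = "arn:aws:iam::111122223333:role/example-ardoq-role"
EXTERNAL_ID = "example-external-id-0001"

def as_list(value):
    """IAM accepts either a single string or a list in these positions."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, ardoq_role_arn, external_id):
    """Return findings for a role trust policy; an empty list means no issue was found."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        # Collect every principal of every type (AWS, Service, Federated, or the bare "*").
        if principal == "*":
            principals = ["*"]
        else:
            principals = [p for v in principal.values() for p in as_list(v)]
        for p in principals:
            if p != ardoq_role_arn:
                findings.append(f"{sid}: principal {p} is not the Ardoq role")
        # Condition keys are case-insensitive, so normalise before the lookup.
        equals = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items()}
        ids = as_list(equals.get("sts:externalid", []))
        if not ids:
            findings.append(f"{sid}: no StringEquals condition on sts:ExternalId")
        elif ids != [external_id]:
            findings.append(f"{sid}: sts:ExternalId differs from the value Ardoq generated")
    return findings

# The guide's trust policy with its two placeholders filled in (constructed values).
GOOD = {"Version": "2012-10-17", "Statement": [{"Sid": "ArdoqRole", "Effect": "Allow",
        "Principal": {"AWS": ARDOQ_ROLE_ARN}, "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}

# Constructed weak variant: any AWS principal may assume the role, no External ID.
WEAK = {"Version": "2012-10-17", "Statement": [{"Sid": "TooOpen", "Effect": "Allow",
        "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_trust_policy(doc, ARDOQ_ROLE_ARN, EXTERNAL_ID) or "ok")
```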

Policy Configs

An example of what your policy config could look like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ArdoqViewOnlyAccessStatement",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeRegions",
        "ec2:DescribeVpcs",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeInstances"
      ],
      "Resource": "*",
      "Condition": { "StringLike": { "aws:RequestedRegion": "eu-central-1" } }
    }
  ]
}

Please note: The Condition section of the configuration limits Ardoq's access to the specified AWS regions only. We recommend using a similar condition that lists only the regions you want the integration to work with. You don't have to use this exact configuration, so feel free to extend it as needed or create your own from scratch.

The example policy has pros and cons that you should be aware of.

✅ Pros:

  • it is very specific about what Ardoq's role is allowed to do on behalf of your AWS role

  • it is restricted to read-only calls

  • it is restricted to only specific AWS regions

⛔ Cons:

  • because the configuration is so specific, when Ardoq adds more AWS resources and actions to the integration service you will need to update the related policy config in order to get access to the new features (however, your existing AWS integration with Ardoq will not break even if you decide not to update the policy)
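To keep an extended policy within the same limits as the example (read-only calls, named regions only), you can lint it before attaching it. The following is an added example, not Ardoq's own code; the function names, the constructed BROAD policy and the Describe/List/Get prefix test (a naming heuristic, not an AWS guarantee) are assumptions.

```python
READ_ONLY_PREFIXES = ("describe", "list", "get")  # naming heuristic (assumption)

def as_list(value):
    """IAM accepts either a single string or a list in these positions."""
    return value if isinstance(value, list) else [value]

def audit_permissions(policy, allowed_regions):
    """Return findings for Allow statements that exceed read-only, region-scoped access."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in as_list(stmt.get("Action", [])):
            # "ec2:DescribeVpcs" -> "describevpcs"; a bare "*" or "s3:*" fails the prefix test.
            name = action.partition(":")[2].lower()
            if not name.startswith(READ_ONLY_PREFIXES):
                findings.append(f"{sid}: {action} is not a read-only call")
        regions = []
        for operator, keys in stmt.get("Condition", {}).items():
            if operator.lower() in ("stringequals", "stringlike"):
                for key, value in keys.items():
                    if key.lower() == "aws:requestedregion":
                        regions += as_list(value)
        if not regions:
            findings.append(f"{sid}: no aws:RequestedRegion condition")
        for region in regions:
            if region not in allowed_regions:
                findings.append(f"{sid}: region {region} is outside the approved list")
    return findings

# The example policy from this guide.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ArdoqViewOnlyAccessStatement", "Effect": "Allow",
    "Action": ["ec2:DescribeRegions", "ec2:DescribeVpcs", "ec2:DescribeAvailabilityZones",
               "ec2:DescribeSecurityGroups", "ec2:DescribeInstances"],
    "Resource": "*",
    "Condition": {"StringLike": {"aws:RequestedRegion": "eu-central-1"}}}]}

# Constructed over-broad variant: a write action, a service wildcard, no region scoping.
BROAD = {"Version": "2012-10-17", "Statement": [{"Sid": "TooBroad", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:TerminateInstances", "s3:*"],
         "Resource": "*"}]}

if __name__ == "__main__":
    for name, doc in (("PAGE_POLICY", PAGE_POLICY), ("BROAD", BROAD)):
        print(name, audit_permissions(doc, {"eu-central-1"}) or "ok")
```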
