Guides

Amazon Web Services (AWS) Integrations

Suggest Edits

Amazon Web Services (AWS)

Fluency directly integrates with various services provided by AWS, such as Simple Storage Service (S3), Lambda, Kinesis, and GuardDuty. Additionally, Fluency can make use these direct integrations (use-cases) to support other AWS Services, such as CloudTrail, and CloudWatch.

For more detailed information regarding AWS usage, refer to the vendor's documentation.

Official AWS Documentation:

https://aws.amazon.com/documentation/

AWS Services Supported by Fluency

The following AWS Services are supported directly:

  • Amazon Simple Storage Service (S3 Bucket)
    • AWS S3 Bucket w/ SQS Notification (by default)
  • Amazon Kinesis (Stream)
    • Kinesis Data Firehose
  • Amazon GuardDuty
  • AWS Lambda
  • Other API Integrations

The following AWS services are supported indirectly, via applications or use-cases of one or more Service(s) listed above:

  • AWS CloudTrail
  • Amazon CloudWatch
    • CloudWatch Logs
    • CloudWatch Metrics (Monitoring)
  • Amazon Security Lake

Many of the above integrations can be simplified/automated via AWS CloudFormation scripts. CloudFormation greatly simplifies deployment, and is the suggested integration procedure, for most services and use-cases.

While the scripts are free to use, keep in mind that AWS CloudFormation is a paid service, and you will incur a charge from AWS for using it.

Securely Connecting to AWS

Fluency supports three (3) methods of securely connecting to your AWS Account(s) and Resources.

AWS IAM User

This method uses an IAM user’s access key and secret to connect. The user is created / setup only once per AWS account. Permissions to access additional resources in the same account are appended to this role after role creation. Fluency provides CloudFormation scripts to simplify this process.

Amazon EC2 Instance Role

As the Fluency instance is hosted on Amazon EC2, it can make use of the the EC2 Instance Role concept to securely connect to other AWS Resources and/or Accounts.

A Fluency instance has an EC2 Instance Role assigned by default. In order to use this role to access your AWS Resources, the AssumeRole API is used to allow this Role to securely connect with your resources without the need to pass around IAM credentials.

An IAM Policy w/ External ID will explicitly define the Fluency Instance Role's scope of access to your account. At any time, you may remove the integration and/or intermediary resources to revoke access.

See: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html.

The instance role is created / setup only once per AWS account. Permissions to access additional resources in the same account are appended to this role after role creation. Fluency provides CloudFormation scripts to simplify this process.

Please note that Instance Role is not available for multi-tenant or shared Fluency deployments. (Please use either the IAM User method, or use Access Key/Secrets directly.)

Access Keys / Secrets

Note: Recommended for existing integrations already in-place, or for migration from other tools/services.

For this method, each integration and account will have it's own sets of Keys/Secrets, further complicating access control and management.

Updated 3 months ago