...

Rw ui steps macro
Rw step

Once the bucket has been created, you will need to set up the data feed into this S3 bucket via CloudTrail, so navigate here:

Rw step

Click Create trail and follow these steps:

  1. When setting up the trail, make sure to choose the S3 bucket you want CloudTrail to send data into. If you have an existing S3 bucket, select that option and enter your S3 bucket name. Otherwise, create a new S3 bucket here.

  2. A prefix is optional but highly recommended for easier setup of S3 event notifications to different SQS queues.

  3. All other options on this page are optional and the default settings do work; check with your infra team to find out how they want them configured.

  4. In the next section, choose the log events you want CloudTrail to capture. At a minimum, we recommend enabling Management events. Data events and Insight events incur additional charges, so check with your team about these. Data events can generate a very large volume of data if your account makes heavy use of S3, so check with your AWS team whether they are worth tracking.

  5. Finish up and create the trail. You can always come back and edit it later.

Rw step

Setup is complete and data should now be flowing into your S3 bucket.

...

Rw ui steps macro
Rw step

Access the Roles area in the IAM console and click Create role.

Rw step

Create a role with the scope Another AWS account and use Account ID: 837131528613

Rw step

Add the policy you created in the previous steps (for example: devo-xaccount-cs-policy)

Rw step

Give this role a name that you will provide to Devo.

Rw step

Go to the newly created role and open Trust relationships > Edit trust relationship.

Rw step

Change the existing policy document to the following, which allows only our collector server role to assume this role.

Code Block
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::837131528613:role/devo-xaccount-cs-role"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

Optionally, you can add an external ID (see the AWS documentation on external IDs for more information). Generate the external ID on your side and provide it to Devo as well.

Code Block
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::837131528613:role/devo-xaccount-cs-role"
      },
      "Action": "sts:AssumeRole",
      "Condition": {"StringEquals": {"sts:ExternalId": "ABCDEFGHIJKL0123"}}
    }
  ]
}

Replace ABCDEFGHIJKL0123 with the external ID you generated.

For a Devo developer to access your collector, we will need you to add another principal. This will allow us to debug your collector quickly. It will look something like this:

Code Block
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::476382791543:role/devo-xaccount-cc"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::837131528613:role/devo-xaccount-cs-role"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
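As an added check (example code, not Devo's own), the following Python reviews a trust policy like the ones above before you save it: it flags any principal other than the two Devo role ARNs shown on this page, any action other than sts:AssumeRole, a wildcard principal, and a missing or still-placeholder sts:ExternalId condition (the confused-deputy protection the external ID provides). The sample policies are constructed from this page's JSON.

```python
import json
# Constructed sample: this page's trust policy with the optional external ID, still
# carrying the placeholder ID that the page says to change.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::837131528613:role/devo-xaccount-cs-role"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "ABCDEFGHIJKL0123"}},
    }],
})
# Constructed variants: the same policy without an external ID, and with a wildcard principal.
SAMPLE_NO_EXTERNAL_ID = SAMPLE_TRUST_POLICY.replace(
    '{"StringEquals": {"sts:ExternalId": "ABCDEFGHIJKL0123"}}', "{}")
SAMPLE_WILDCARD = SAMPLE_TRUST_POLICY.replace(
    "arn:aws:iam::837131528613:role/devo-xaccount-cs-role", "*")
# The only principals this role should trust, taken from the policies on this page.
EXPECTED_PRINCIPALS = {
    "arn:aws:iam::837131528613:role/devo-xaccount-cs-role",
    "arn:aws:iam::476382791543:role/devo-xaccount-cc",
}


def check_trust_policy(policy_json, expected=EXPECTED_PRINCIPALS, require_external_id=True):
    """Return a list of findings; an empty list means the trust policy is as intended."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for i, stmt in enumerate(statements):
        where = f"Statement[{i}]"
        if stmt.get("Effect") != "Allow":
            continue                                  # Deny statements widen nothing
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a != "sts:AssumeRole" for a in actions):
            findings.append(f"{where}: action other than sts:AssumeRole: {actions}")
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        if "*" in aws:                                # any AWS account could assume the role
            findings.append(f"{where}: wildcard principal")
            continue
        findings += [f"{where}: unexpected principal {p}" for p in aws if p not in expected]
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if require_external_id and not ext:
            findings.append(f"{where}: no sts:ExternalId condition (confused-deputy risk)")
        elif ext == "ABCDEFGHIJKL0123":
            findings.append(f"{where}: placeholder external ID still in use")
    return findings
```

Pass `require_external_id=False` when you intentionally skip the external ID step; every other finding points at something to fix before clicking Update Trust Policy.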
Rw step

Click Update Trust Policy to finish.

Info

New role

If you’re deploying your collector using the Cloud collector app, you should use the following role instead of the one above:

arn:aws:iam::476382791543:role/devo-xaccount-cc

This role is for the legacy collector server and is now deprecated:

arn:aws:iam::837131528614:role/devo-xaccount-cs-role

For more information, please contact us.

Information provided to Devo

...