AWS GovCloud and SQS Collectors
Requirements
FedRAMP customers who access Devo through devogov.us should send data from their AWS GovCloud partition account to Devo using the SQS collector with cross-account roles.
To send data from any non-GovCloud partition to devogov.us, use access key authentication.
GovCloud configuration must be applied to every policy and configuration file.
Field | GovCloud value | Non-GovCloud value |
---|---|---|
Partition | | aws |
Devo’s AWS account | | 837131528613 |
Devo’s Role | | arn:aws:iam::476382791543:role/devo-xaccount-cc |
The aws_base_account_role line must be included in the configuration of GovCloud SQS collectors. It may be omitted in other SQS collectors.
Example Collector Configuration
{
  "inputs": {
    "sqs_collector": {
      "base_url": "https://sqs.us-gov-west-1.amazonaws.com/012345678901/examplesqs",
      "credentials": {
        "aws_base_account_role": "arn:aws-us-gov:iam::210253767148:role/devo-xaccount-cc",
        "aws_cross_account_role": "arn:aws-us-gov:iam::012345678901:role/examplesqs",
        "aws_external_id": "child@parent.collector.devogov.us"
      },
      "id": "12345",
      "region": "us-gov-west-1",
      "services": {
        "aws_sqs_waf": {}
      }
    }
  }
}
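
A pre-deployment check for the requirements above, added here as an example and not part of Devo's tooling: it flags a collector input whose GovCloud region is paired with role ARNs from the aws partition, or whose aws_base_account_role line is missing. The function names, the sample helper and the MIXED input are constructed for illustration; the aws-us-gov partition and the us-gov-west-1 region are taken from the example configuration.

```python
import re
from urllib.parse import urlparse

ARN_RE = re.compile(r"^arn:([a-z0-9-]+):iam::\d{12}:role/.+$")
SQS_HOST_RE = re.compile(r"^sqs\.([a-z0-9-]+)\.amazonaws\.com$")
ROLE_KEYS = {"aws_base_account_role", "aws_cross_account_role"}

def check_sqs_input(name, cfg):
    """Return partition/region findings for one SQS collector input."""
    findings = []
    creds = cfg.get("credentials", {})
    host = SQS_HOST_RE.match(urlparse(cfg.get("base_url", "")).hostname or "")
    url_region = host.group(1) if host else None
    region = cfg.get("region")
    if url_region is None:
        findings.append(f"{name}: base_url is not a regional SQS endpoint")
    elif region != url_region:
        findings.append(f"{name}: region {region!r} != base_url region {url_region!r}")
    # GovCloud regions are named us-gov-*; their ARNs use the aws-us-gov partition.
    govcloud = any((r or "").startswith("us-gov-") for r in (region, url_region))
    want = "aws-us-gov" if govcloud else "aws"
    if govcloud and "aws_base_account_role" not in creds:
        findings.append(f"{name}: aws_base_account_role is required for GovCloud")
    for key in sorted(creds.keys() & ROLE_KEYS):
        arn = ARN_RE.match(creds[key])
        if arn is None:
            findings.append(f"{name}: {key} is not an IAM role ARN")
        elif arn.group(1) != want:
            findings.append(f"{name}: {key} partition {arn.group(1)!r}, expected {want!r}")
    return findings

def check_config(doc):
    return [f for n, c in doc.get("inputs", {}).items() for f in check_sqs_input(n, c)]

def sample(creds):
    """Hypothetical helper: the page's example input with the given credentials."""
    return {"inputs": {"sqs_collector": {
        "base_url": "https://sqs.us-gov-west-1.amazonaws.com/012345678901/examplesqs",
        "credentials": creds, "id": "12345", "region": "us-gov-west-1",
        "services": {"aws_sqs_waf": {}}}}}

PAGE_EXAMPLE = sample({  # credentials exactly as in the page's example
    "aws_base_account_role": "arn:aws-us-gov:iam::210253767148:role/devo-xaccount-cc",
    "aws_cross_account_role": "arn:aws-us-gov:iam::012345678901:role/examplesqs",
    "aws_external_id": "child@parent.collector.devogov.us"})
# Constructed: commercial-partition role on a GovCloud queue, base role omitted.
MIXED = sample({"aws_cross_account_role": "arn:aws:iam::012345678901:role/examplesqs"})

if __name__ == "__main__":
    print(check_config(PAGE_EXAMPLE) or "OK", check_config(MIXED), sep="\n")
```

Running the same check over IAM trust and permission policy files would need an ARN scan of those documents, which this example does not cover.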