# AWS
Set up a secure, temporary-access IAM role in your AWS account so Resolve can read the required metrics, logs, and events for troubleshooting, without storing long-lived credentials. This role is global and can be used across the multiple AWS regions you choose to allow.

> **Private VPC / self-hosted?** If your CloudWatch logs are in a private VPC that Resolve cannot reach directly, you can use the Resolve Satellite to securely proxy queries. See the [Connect via Satellite](#connect-via-satellite) section below.

## In Resolve, create an AWS integration

1. Log in to https://app0.resolve.ai/
2. Open https://app0.resolve.ai/integrations/aws/connect
3. Click **Add connection**.
4. Click **View instructions** to see a short guide with custom instructions for your account.

## In AWS, create a new IAM role

In your AWS account, create a new IAM role named `resolve-access-role`.

**Set the trust relationship**

- Target account (from the Resolve UI)
- External ID: specify an ID of your choosing

**Attach required policies**

- [SecurityAudit](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SecurityAudit.html)
- [CloudWatchReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchReadOnlyAccess.html)
- [AmazonRDSReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonRDSReadOnlyAccess.html)
- [IAMReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/IAMReadOnlyAccess.html)

Copy the role ARN from the IAM console (on the role's detail page) and the External ID set in the trust relationship, and paste them into the Resolve UI.

## In Resolve, configure the integration

- Name the connection, e.g. "Production AWS".
- Specify one or more target region(s).
- Enter the External ID and the role ARN that were set in the step above. The External ID is used to securely assume the IAM role.
- **CloudWatch log group allow list** lets you define a restricted list of CloudWatch log group names that Resolve can query.

**Sample trust policy**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::590183716134:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<id>"
        }
      }
    }
  ]
}
```

## Athena SQL queries (optional)

Resolve can query data using AWS Athena, which is useful for investigating CloudTrail audit logs, VPC Flow Logs, ALB access logs, and other operational data stored in S3.

AWS does not offer a read-only Athena managed policy, so you need to create a custom inline policy on the IAM role used by Resolve.

### 1. Add Athena permissions

On the same IAM role created above (`resolve-access-role`), add a custom inline policy with the following JSON:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AthenaQueryAccess",
      "Effect": "Allow",
      "Action": [
        "athena:StartQueryExecution",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:StopQueryExecution",
        "athena:ListDatabases",
        "athena:ListDataCatalogs",
        "athena:ListTableMetadata",
        "athena:ListWorkGroups",
        "athena:GetWorkGroup"
      ],
      "Resource": "*"
    },
    {
      "Sid": "GlueReadOnly",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetPartitions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AthenaQueryResultsAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "arn:aws:s3:::aws-athena-query-results-*",
        "arn:aws:s3:::aws-athena-query-results-*/*"
      ]
    }
  ]
}
```

**About these permissions**

- **Athena actions** allow Resolve to run read-only SQL queries and discover databases/tables. Resolve enforces that only `SELECT`, `SHOW`, `DESCRIBE`, and `EXPLAIN` queries are executed.
- **Glue read-only actions** are required because Athena uses the AWS Glue Data Catalog to store table metadata.
- **S3 write access** (`PutObject`) is scoped to the Athena query results bucket only, because Athena must write query output to S3. If your results bucket uses a different naming pattern, adjust the `Resource` ARN accordingly.

### 2. Configure your Athena workgroup

Your Athena workgroup must have a default query results S3 location configured. Without this, queries will fail.

1. In the AWS console, go to **Amazon Athena > Workgroups**.
2. Select your workgroup (typically `primary`).
3. Click **Edit** and set the query result location (e.g. `s3://aws-athena-query-results-<account-id>-<region>/`).
4. Save.

### 3. Safety guardrails

Resolve enforces several safety measures for Athena queries:

- **Read-only SQL only**: only `SELECT`, `SHOW`, `DESCRIBE`, and `EXPLAIN` queries are permitted. DDL/DML (`CREATE`, `DROP`, `INSERT`, etc.) is blocked.
- **60-second timeout**: queries running longer than 60 seconds are automatically cancelled.
- **100 GB data scan limit**: queries scanning more than 100 GB of data are automatically cancelled to prevent unexpected costs.
- **1,000-row result limit**: query results are capped at 1,000 rows.

## Connect via Satellite

If your AWS resources are in a private VPC that Resolve cannot reach directly, use the Resolve Satellite to securely proxy CloudWatch queries.

**Prerequisite:** the Resolve Satellite should already be installed in your environment. See the Satellite documentation for installation instructions.

### 1. Create Kubernetes secret

Create a Kubernetes secret containing your AWS credentials with CloudWatch read access.

```yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: cloudwatch-resolve-credentials
stringData:
  accessKeyId: "<your-aws-access-key-id>"
  secretAccessKey: "<your-aws-secret-access-key>"
```

Apply the secret:

```bash
kubectl apply -f cloudwatch-resolve-credentials.yml
```

### 2. Update values file

Add the CloudWatch integration to your `resolve-values.yaml`:

```yaml
integrations:
  cloudwatchOnPrem:
    type: cloudwatch
    create: true
    secretName: "cloudwatch-resolve-credentials"
    connection:
      region: us-east-1  # your AWS region
      logGroupName: "/aws/lambda/my-function"  # optional: specific log group
```

### 3. Apply changes

Update the Satellite with the new configuration:

```bash
helm upgrade --install resolve-satellite \
  oci://registry-1.docker.io/resolveaihq/satellite-chart \
  --values resolve-values.yaml
```

### 4. Verify integration

Open the https://app0.resolve.ai/integrations/aws page in Resolve to verify the connection.
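The trust relationship above is the boundary that keeps the role from being assumed by anyone other than Resolve's account, and the `sts:ExternalId` condition is what prevents a confused-deputy scenario where a third party tricks Resolve into assuming your role. The following added example (not Resolve's tooling and not from this page) is a small stdlib-only Python check you can run against the trust policy you saved in IAM before pasting the role ARN into the Resolve UI. It assumes the principal should be exactly the account root shown in the sample policy and that the `<id>` placeholder has been replaced; the two policy documents embedded below are constructed for the demonstration.

```python
"""Check an IAM role trust policy against the expectations of the AWS
integration guide: the only AWS principal allowed to assume the role is the
Resolve account root, the action is sts:AssumeRole (no wildcard), and every
such grant requires an sts:ExternalId condition. Added example, not Resolve's
own code.
"""
import json

# Account ID taken from the sample trust policy in the guide.
RESOLVE_ACCOUNT_ID = "590183716134"

# Constructed sample: the guide's policy with the <id> placeholder replaced.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{RESOLVE_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
})

# Constructed sample of a policy that must be rejected: any account may
# assume the role and no external ID is required.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "sts:AssumeRole",
    }],
})


def _as_list(value):
    """IAM allows scalars where lists are also accepted; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json: str, expected_account: str = RESOLVE_ACCOUNT_ID) -> list:
    """Return a list of findings; an empty list means the policy matches the guide."""
    findings = []
    policy = json.loads(policy_json)
    expected_principal = f"arn:aws:iam::{expected_account}:root"
    saw_assume_role = False

    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        grants_assume = any(a in ("sts:assumerole", "sts:*", "*") for a in actions)
        if st.get("Effect") != "Allow" or not grants_assume:
            continue  # deny statements and unrelated grants are not our concern here
        saw_assume_role = True

        if any(a in ("sts:*", "*") for a in actions):
            findings.append(f"statement {i}: wildcard action grants more than sts:AssumeRole")

        principal = st.get("Principal", {})
        if isinstance(principal, str):
            aws_principals = [principal]
        else:
            aws_principals = _as_list(principal.get("AWS", []))
        if not aws_principals:
            findings.append(f"statement {i}: no AWS account principal")
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {i}: principal '*' lets any AWS account attempt AssumeRole")
            elif p != expected_principal:
                findings.append(f"statement {i}: unexpected principal {p}")

        external_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append(f"statement {i}: missing sts:ExternalId condition (confused-deputy risk)")
        elif external_id == "<id>":
            findings.append(f"statement {i}: external ID is still the '<id>' placeholder")

    if not saw_assume_role:
        findings.append("no Allow statement grants sts:AssumeRole; Resolve cannot assume the role")
    return findings


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_TRUST_POLICY), ("weak", WEAK_TRUST_POLICY)):
        result = check_trust_policy(doc)
        print(name, "OK" if not result else result)
```

Run it with the trust policy JSON copied from the role's **Trust relationships** tab; anything other than an empty findings list means the role does not yet match the guide.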
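The "read-only SQL only" guardrail in the Athena section is worth understanding because the IAM policy alone does not enforce it: `athena:StartQueryExecution` will happily run a `DROP TABLE` if the Glue and S3 permissions allow it, so the statement-type check is the layer that keeps the integration read-only. The following added example (not Resolve's implementation, whose exact logic the page does not describe) shows a minimal classifier of the kind such a guardrail needs: it strips SQL comments, rejects batched statements, and only then inspects the leading keyword, so that `/* */`-hidden DML or a `SELECT ...; DROP ...` batch cannot slip past a naive prefix check. The sample queries are constructed; the keyword list is the one stated in the guide.

```python
"""Minimal read-only SQL guardrail in the spirit of the Athena safety rules
described in the AWS integration guide. Added example, not Resolve's code:
the guide states the allowed statement types but not how they are checked.
"""
import re

# Exactly the statement types the guide says are permitted.
READ_ONLY_KEYWORDS = {"select", "show", "describe", "explain"}

_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_LINE_COMMENT = re.compile(r"--[^\n]*")


def strip_sql_comments(sql: str) -> str:
    """Remove /* ... */ and -- comments so they cannot hide the real keyword.

    Limitation (assumption of this example): comment markers inside string
    literals are not parsed; a full SQL tokenizer would be needed for that.
    """
    return _LINE_COMMENT.sub(" ", _BLOCK_COMMENT.sub(" ", sql))


def classify_query(sql: str) -> tuple:
    """Return (allowed, reason). `reason` is the keyword when allowed."""
    text = strip_sql_comments(sql)
    # Split on ';' so a batched second statement is rejected outright rather
    # than riding along behind an innocent-looking SELECT.
    statements = [s.strip() for s in text.split(";") if s.strip()]
    if not statements:
        return False, "empty query"
    if len(statements) > 1:
        return False, "multiple statements are not allowed"
    # Tolerate a parenthesised query such as "(SELECT 1)".
    keyword = statements[0].lstrip("(").split(None, 1)[0].lower()
    if keyword in READ_ONLY_KEYWORDS:
        return True, keyword
    return False, f"blocked keyword '{keyword}'"


# Constructed sample queries exercising the common cases and the bypass attempts
# the guardrail must catch.
SAMPLE_QUERIES = [
    "SELECT eventname, count(*) FROM cloudtrail_logs GROUP BY 1 LIMIT 10",
    "-- which tables do we have?\nSHOW TABLES",
    "EXPLAIN SELECT * FROM vpc_flow_logs LIMIT 1",
    "SELECT 1; DROP TABLE cloudtrail_logs",
    "/* looks harmless */ DELETE FROM cloudtrail_logs",
    "CREATE TABLE scratch AS SELECT * FROM alb_logs",
]


def audit_queries(queries=SAMPLE_QUERIES) -> dict:
    """Map each query to its classification; handy for a quick review of a log."""
    return {q: classify_query(q) for q in queries}


if __name__ == "__main__":
    for query, (allowed, reason) in audit_queries().items():
        print("ALLOW " if allowed else "BLOCK ", reason, "<-", query.replace("\n", " "))
```

The row cap, the 60-second timeout and the 100 GB scan limit from the same section are enforced at execution time by cancelling the query; they are not shown here because they are not decidable from the query text.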