
How to Collect AWS Resource Data

The Amazon Web Services (AWS) collector is configured within the Fix Inventory Worker configuration via the config command in Fix Inventory Shell.

Prerequisites

This guide assumes that you have already installed Fix Inventory.

Directions

1. Enable the AWS Collector

  1. Open the Fix Inventory Worker configuration via the config command in Fix Inventory Shell:

    > config edit fix.worker

  2. Add aws to the list of collectors by modifying the configuration as follows:

    fixworker:
      ...
      # List of collectors to run
      collector:
        - 'aws'
        ...
    ...

2. Authenticate with AWS

Fix Inventory supports the authentication mechanisms described in the Boto3 SDK documentation. You can authenticate with AWS via an instance profile, an access key, or profiles. These credentials can be defined in the Fix Inventory Worker configuration or as environment variables.

  1. Configure an instance profile.

  2. Open the Fix Inventory Worker configuration via the config command in Fix Inventory Shell:

    > config edit fix.worker

  3. Add the contents of your credentials file to the fixworker section of the configuration as follows:

    # Fix Inventory Worker configuration
    fixworker:
      ...
      write_files_to_home_dir:
        - path: ~/.aws/credentials
          content: |
            [default]
            region = us-west-2

            role_arn = arn:aws:iam::235059640852:role/Fix Inventory
            external_id = a5eMybsyGIowimdZqpZWxxxxxxxxxxxx
            credential_source = Ec2InstanceMetadata
    ...

    Note: If you do not wish to save the contents of your credentials file to Fix Inventory's database, you can alternatively mount the ~/.aws directory to the fixworker container.

    Info: Since Fix Inventory is running on your local machine, it can access the credentials file directly at ~/.aws/credentials.

  4. Modify the aws section of the configuration as follows, making sure that aws.access_key_id and aws.secret_access_key are set to null:

    # Fix Inventory Worker configuration
    fixworker:
      ...
    ...
    aws:
      # AWS Access Key ID (null to load from env - recommended)
      access_key_id: null
      # AWS Secret Access Key (null to load from env - recommended)
      secret_access_key: null
      ...
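As an added example (not part of the Fix Inventory documentation or code base), this Python check lints the text you intend to place under `content:` before it is saved with the worker configuration. It flags static access keys and role sections that lack a credential source. The function name `lint_credentials`, the sample values, and the rule that a `role_arn` section should carry an `external_id` (as in the example above) are assumptions.

```python
import configparser

STATIC_KEYS = ("aws_access_key_id", "aws_secret_access_key")
CREDENTIAL_SOURCES = {"Ec2InstanceMetadata", "EcsContainer", "Environment"}


def lint_credentials(text):
    """Return findings for the text placed under write_files_to_home_dir content."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    for name in parser.sections():
        section = parser[name]
        for key in STATIC_KEYS:
            if key in section:
                findings.append(f"[{name}] {key}: long-lived key would be saved with the configuration")
        if "role_arn" not in section:
            continue
        source = section.get("credential_source")
        if source is None and "source_profile" not in section:
            findings.append(f"[{name}] role_arn has no credential_source or source_profile")
        elif source is not None and source not in CREDENTIAL_SOURCES:
            findings.append(f"[{name}] unknown credential_source: {source}")
        if "external_id" not in section:  # assumption: the role expects an external ID
            findings.append(f"[{name}] role_arn without external_id")
    return findings


# Constructed samples: account ID, role name and key values are placeholders.
INSTANCE_PROFILE = """\
[default]
region = us-west-2

role_arn = arn:aws:iam::111122223333:role/ExampleRole
external_id = EXAMPLE-EXTERNAL-ID
credential_source = Ec2InstanceMetadata
"""

STATIC_KEY_FILE = """\
[default]
aws_access_key_id = EXAMPLEKEYID
aws_secret_access_key = constructed-placeholder-secret
"""

if __name__ == "__main__":
    for label, text in (("instance profile", INSTANCE_PROFILE), ("static keys", STATIC_KEY_FILE)):
        print(label, lint_credentials(text) or "ok")
```
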

3. Authorize Fix Inventory Access to AWS

See How to Roll Out Fix Inventory AWS Permissions with CloudFormation for a step-by-step guide on how to roll out Fix Inventory permissions organization-wide.

Info: If you prefer to deploy the role yourself, the S3 URL of the template to create the FixInventoryAccess role is https://fixinventorypublic.s3.amazonaws.com/cf/fixinventory-role.template.

4. Trigger Resource Collection

  1. By default, Fix Inventory performs resource collection each hour. To immediately trigger a collect run, use the workflow run command in Fix Inventory Shell:

    > workflow run collect

  2. Once the collect run completes, you can view a summary of collected AWS resources using the following search:

    > search is(aws_resource) | count kind