
Secure AWS installation 

For secure integration with Amazon Web Services, AWS IAM role delegation is used. To learn more about role delegation, refer to the AWS IAM Best Practices guide.

IAM Role delegation

A role in your AWS account specifies which permissions the IAM user is allowed to temporarily assume to complete the installation.

The diagram below shows how the delegation of permissions using an IAM role works:

[Image: Role Delegation]

External ID

An external ID will allow Lenses to assume the installation role and assert the circumstances in which it is operating. It also provides a way for you (the account owner) to permit the role to be assumed only under specific circumstances.

AWS Secrets Manager

The role information and the external ID are stored securely in AWS Secrets Manager, following the AWS compliance standards.

Setup Role Delegation 

To start, sign in using your portal account.

1) Click on Launch CloudFormation in AWS

[Image: CloudFormation Role]

2) Log in to the AWS console.

3) On the CloudFormation page, create a new stack. Change the role name to match your organization's conventions.

[Image: CloudFormation Role Name]

4) Update the Lenses.io integration tile with the IAM role name and account ID used to create the CloudFormation stack. You can copy both values from the CloudFormation outputs.

[Image: Lenses.io AWS Integration]

Security summary

The following diagram depicts how Lenses will securely use that external ID only when acting on your behalf.

[Image: External ID]

This is what a trust policy specifying a unique external ID looks like:

  {
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {"AWS": "Lenses.io AWS Account ID"},
      "Condition": {"StringEquals": {"sts:ExternalId": "Your unique external id" }}
    }
  }
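
A check you can run against a role's trust policy, shown here as an added example (not Lenses.io code): it confirms that `sts:AssumeRole` is granted only to the expected account and only under an exact-match `sts:ExternalId` condition. The function name, the account ID `111122223333` and the external ID are constructed placeholders.

```python
import json

VALID_VERSIONS = {"2012-10-17", "2008-10-17"}  # the only IAM policy language versions

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy_json, trusted_account_id):
    """Return findings for a role trust policy; an empty list means it passed."""
    policy = json.loads(policy_json)
    findings = []
    if policy.get("Version") not in VALID_VERSIONS:
        findings.append("invalid policy Version")
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal")
        # Principal is either the string "*" or a map such as {"AWS": ...}
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        allowed = {trusted_account_id, f"arn:aws:iam::{trusted_account_id}:root"}
        for p in aws:
            if p not in allowed:
                findings.append(f"untrusted principal: {p}")
        # Only an exact-match operator pins the role to one external ID
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ext_ids = [v for k, v in equals.items() if k.lower() == "sts:externalid"]
        if not ext_ids or not all(ext_ids):
            findings.append("sts:AssumeRole allowed without sts:ExternalId")
    return findings

# Constructed sample policies (account ID and external ID are placeholders)
PINNED = """{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Principal": {"AWS": "111122223333"},
    "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}}
  }
}"""
OPEN = ('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
        '"Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}')

if __name__ == "__main__":
    for name, doc in (("PINNED", PINNED), ("OPEN", OPEN)):
        print(name, audit_trust_policy(doc, "111122223333") or "ok")
```

An empty result means the role can be assumed only by the named account presenting the agreed external ID; any finding is worth resolving before the stack is created.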