# Baselime AWS Connector


The Baselime AWS Connector helps your team automatically:

  • ingest AWS Lambda logs from CloudWatch
  • ingest AWS CloudTrail logs for your infrastructure
  • ingest performace metrics from: [Coming soon]
    • AWS Lamda functions
    • DynamoDB tables
    • SQS queues
    • EventBridge buses
    • SNS topics
    • other serverless services

# Setup

The connector is an automated flow based on a CloudFormation template that can be defined using a simple wizard.

It can be done using the Baselime CLI or throught the web console.

# Using the CLI

To connect a cloud account to Baselime using the CLI, run the following command in your terminal

terminal
baselime environments setup --provider aws --account <account_numner> --region <region> --alias <alias>

Once you've followed the interactive steps, the CLI will generate a CloudFormation template for you to deploy on your AWS account. Deploy the temple on your AWS account. Once deployed, login in your newly connected environment from the CLI.

terminal
baselime auth login

The interactive output should list your newly connected environment.

Within minutes you should get telemetry data flowing through with the command

terminal
baselime events stream --follow

# Using the Web Console

Navigate to the Baselime web console and login.

Follow the steps on the homescreen to connect a new AWS Account. Baselime will generate a CloudFormation template for you to deploy on your AWS account.

Once the template is deployed on AWS, return to the Baselime web console and refresh the page. You should see the newly connected AWS environment in the list of connected environment.

Within minutes telemtry data from your AWS environment should start displaying in the events streams in the Baselime web console.

# Troubleshooting

If you encounter any issers or error when connecting your AWS environment, please don't hesitate to contact us, or join our Slack community where we are always available to support.

# CloudFormation Template

The CloudFormation template is open-source and available here.

Baselime AWS Integration Template
Description: This template creates a role and a bucket that can be used by Baselime

Parameters:
  ExternalParameter:
    Type: String
    Default: <BASELIME_WORKSPACE_ID>
    Description: External Parameter for securing the role
  Alias:
    Type: String
    Default: <BASELIME_ENVIRONMENT_ALIAS>
    Description: Alias for this environment

Resources:
  BaselimeEnvironmentRole:
    Type: AWS::IAM::Role
    DeletionPolicy: Retain
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Principal:
              AWS:
                - <BASELIME_CUSTOMER_ACCOUNT>
            Sid: ""
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Principal:
              AWS:
                - <BASELIME_ACCOUNT>
            Sid: ""
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Principal:
              Service:
                - lambda.amazonaws.com
            Sid: ""
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Path: "/"
  BaselimeEnvironmentPolicies:
    Type: AWS::IAM::Policy
    DeletionPolicy: Retain
    Properties:
      PolicyName: BaselimeEnvironment
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - lambda:UpdateFunctionConfiguration
              - lambda:UpdateFunctionCode
              - lambda:CreateFunction
              - lambda:AddPermission
            Resource:
              - arn:aws:lambda:*:*:function:*
          - Effect: Allow
            Action:
              - lambda:UpdateFunctionCode
            Resource:
              - arn:aws:lambda:*:*:function:baselime-*
          - Effect: Allow
            Action:
              - ce:GetCostAndUsageWithResources
              - ce:GetCostAndUsage
            Resource:
              - "*"
          - Effect: Allow
            Action:
              - s3:*
            Resource:
              - !Sub |-
                arn:aws:s3:::${BaselimeS3Bucket}
              - !Sub |-
                arn:aws:s3:::${BaselimeS3Bucket}/*
          - Effect: Allow
            Action:
              - sns:Subscribe
              - sns:Publish
            Resource:
              - !Ref BaselimeSNSTopic
          - Effect: Allow
            Action:
              - iam:PassRole
            Resource:
              - !GetAtt
                - BaselimeEnvironmentRole
                - Arn
          - Effect: Allow
            Action:
              - logs:PutSubscriptionFilter
              - logs:DeleteSubscriptionFilter
              - logs:DescribeSubscriptionFilters
              - logs:CreateLogGroup
              - logs:PutRetentionPolicy
              - cloudwatch:PutMetricAlarm
              - cloudwatch:DeleteAlarms
              - cloudwatch:PutDashboard
              - cloudwatch:DeleteDashboards
              - cloudwatch:PutMetricData
              - cloudwatch:PutMetricStream
              - cloudwatch:DeleteMetricStream
              - cloudwatch:StartMetricStreams
              - cloudwatch:StopMetricStreams
            Resource:
              - "*"
      Roles:
       - !Ref BaselimeEnvironmentRole
  BaselimeS3Bucket:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
  BaselimeS3BucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    Properties:
      Bucket:
        Ref: BaselimeS3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Sid: "AWSCloudTrailAclCheck"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:GetBucketAcl"
            Resource:
              !Sub |-
                arn:aws:s3:::${BaselimeS3Bucket}
          -
            Sid: "AWSCloudTrailWrite"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:PutObject"
            Resource:
              !Sub |-
                arn:aws:s3:::${BaselimeS3Bucket}/AWSLogs/${AWS::AccountId}/*
            Condition:
              StringEquals:
                s3:x-amz-acl: "bucket-owner-full-control"
  BaselimeSNSTopic:
    Type: AWS::SNS::Topic
  BaselimeSNSTopicPolicy:
    Type: "AWS::SNS::TopicPolicy"
    Properties:
      Topics:
        - !Ref BaselimeSNSTopic
      PolicyDocument:
        Version: "2008-10-17"
        Statement:
          -
            Sid: "AWSCloudTrailSNSPolicy"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Resource: "*"
            Action: "SNS:Publish"
          -
            Sid: "BaselimeRoleSNSPolicy"
            Effect: "Allow"
            Principal:
              AWS: !GetAtt
              - BaselimeEnvironmentRole
              - Arn
            Resource: "*"
            Action: "SNS:Publish"
  BaselimeCloudTrail:
    Type: AWS::CloudTrail::Trail
    DependsOn:
      - BaselimeSNSTopicPolicy
      - BaselimeS3BucketPolicy
    Properties:
        S3BucketName: !Ref BaselimeS3Bucket
        SnsTopicName: !GetAtt
                      - BaselimeSNSTopic
                      - TopicName
        IsLogging: true
        EnableLogFileValidation: true
        IncludeGlobalServiceEvents: true
  BaselimeReporter:
    Type: AWS::CloudFormation::CustomResource
    DependsOn:
      - BaselimeCloudTrail
      - BaselimeEnvironmentRole
      - BaselimeEnvironmentPolicies
    Properties:
      ServiceToken: <BASELIME_SERVICE_TOKEN>
      RoleArn: !GetAtt
              - BaselimeEnvironmentRole
              - Arn
      Region: !Ref AWS::Region
      BucketName: !Ref BaselimeS3Bucket
      TopicArn: !Ref BaselimeSNSTopic
      CloudTrailArn: !Ref BaselimeCloudTrail
      ExternalParameter: !Ref ExternalParameter
      Alias: !Ref Alias


Outputs:
  RoleArn:
    Value: !GetAtt
          - BaselimeEnvironmentRole
          - Arn
    Description: The ARN for the role Baselime can use
  BucketName:
    Value: !Ref BaselimeS3Bucket
    Description: The name of the bucket Baselime can use
  SNSTopic:
    Value: !Ref BaselimeSNSTopic
    Description: The ARN of the SNS topic Baselime can use