Follow these steps to create a read-only user that Hava can use to visualize your AWS infrastructure. Before you start, make sure you are logged in to the AWS console.

  1. From the main console screen click on Identity & Access Management.

  2. From the IAM dashboard select the Users section and then click the Create New Users button.

  3. Enter a unique username for your new user, make sure Generate an access key is checked, and then click the Create button.

  4. You should be notified that your user has been created. You can copy the details from this screen or just click Download to save them.

  5. Click your new user in the list and go to the Managed Policies header under Permissions. Click Attach Policy.

  6. Scroll through the policy list until you find ReadOnlyAccess. Click the checkbox and then click Attach Policy.

  7. Now head back to the Hava homepage and enter the credentials you downloaded earlier to get started!

Just enough access for Hava...

Creating the Hava read-only IAM user with the standard AWS ReadOnlyAccess policy ensures that your user doesn't have enough privileges to change anything in your environment. The Hava team recommends that you create a custom policy that limits Hava's access to the minimum required to provide you with the visibility you've come to rely on.

Follow these steps to create a read-only user that Hava can use to visualize your AWS infrastructure. Before you start, make sure you are logged in to the AWS console.

  1. From the main console screen click on Identity & Access Management.

  2. From the IAM dashboard select the Users section and then click the Create New Users button.

  3. Enter a unique username for your new user, make sure Generate an access key is checked, and then click the Create button.

  4. You should be notified that your user has been created. You can copy the details from this screen or just click Download to save them.

  5. Now that you've created your user, you will need to create the custom policy that grants Hava the minimum access it requires. From the IAM dashboard, select the Policy section and then click the Create New Policy button.
  6. You will then need to select the Create Your Own Policy option.
  7. Provide a name for your policy, such as "HAVA-RO-POLICY", and a description, such as "Just enough access to ensure Hava can work its magic", and then enter the custom policy shown below.

    You can copy and paste the policy from here:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "acm:DescribeCertificate",
            "acm:GetCertificate",
            "acm:ListCertificates",
            "appstream:Get*",
            "autoscaling:Describe*",
            "cloudformation:DescribeStackEvents",
            "cloudformation:DescribeStackResource",
            "cloudformation:DescribeStackResources",
            "cloudformation:DescribeStacks",
            "cloudformation:GetTemplate",
            "cloudformation:List*",
            "cloudfront:Get*",
            "cloudfront:List*",
            "cloudsearch:Describe*",
            "cloudsearch:List*",
            "cloudtrail:DescribeTrails",
            "cloudtrail:GetTrailStatus",
            "cloudwatch:Describe*",
            "cloudwatch:Get*",
            "cloudwatch:List*",
            "codecommit:BatchGetRepositories",
            "codecommit:Get*",
            "codecommit:GitPull",
            "codecommit:List*",
            "codedeploy:Batch*",
            "codedeploy:Get*",
            "codedeploy:List*",
            "config:Deliver*",
            "config:Describe*",
            "config:Get*",
            "datapipeline:DescribeObjects",
            "datapipeline:DescribePipelines",
            "datapipeline:EvaluateExpression",
            "datapipeline:GetPipelineDefinition",
            "datapipeline:ListPipelines",
            "datapipeline:QueryObjects",
            "datapipeline:ValidatePipelineDefinition",
            "directconnect:Describe*",
            "ds:Check*",
            "ds:Describe*",
            "ds:Get*",
            "ds:List*",
            "ds:Verify*",
            "dynamodb:DescribeTable",
            "dynamodb:ListTables",
            "ec2:Describe*",
            "ec2:GetConsoleOutput",
            "ecr:GetAuthorizationToken",
            "ecr:BatchCheckLayerAvailability",
            "ecr:GetDownloadUrlForLayer",
            "ecr:GetManifest",
            "ecr:DescribeRepositories",
            "ecr:ListImages",
            "ecr:BatchGetImage",
            "ecs:Describe*",
            "ecs:List*",
            "elasticache:Describe*",
            "elasticache:List*",
            "elasticbeanstalk:Check*",
            "elasticbeanstalk:Describe*",
            "elasticbeanstalk:List*",
            "elasticbeanstalk:RequestEnvironmentInfo",
            "elasticbeanstalk:RetrieveEnvironmentInfo",
            "elasticloadbalancing:Describe*",
            "elasticmapreduce:Describe*",
            "elasticmapreduce:List*",
            "elastictranscoder:List*",
            "elastictranscoder:Read*",
            "es:DescribeElasticsearchDomain",
            "es:DescribeElasticsearchDomains",
            "es:DescribeElasticsearchDomainConfig",
            "es:ListDomainNames",
            "es:ListTags",
            "es:ESHttpGet",
            "es:ESHttpHead",
            "events:DescribeRule",
            "events:ListRuleNamesByTarget",
            "events:ListRules",
            "events:ListTargetsByRule",
            "events:TestEventPattern",
            "firehose:Describe*",
            "firehose:List*",
            "glacier:ListVaults",
            "glacier:DescribeVault",
            "glacier:GetDataRetrievalPolicy",
            "glacier:GetVaultAccessPolicy",
            "glacier:GetVaultLock",
            "glacier:GetVaultNotifications",
            "glacier:ListJobs",
            "glacier:ListMultipartUploads",
            "glacier:ListParts",
            "glacier:ListTagsForVault",
            "glacier:DescribeJob",
            "glacier:GetJobOutput",
            "iam:GenerateCredentialReport",
            "iam:Get*",
            "iam:List*",
            "inspector:Describe*",
            "inspector:Get*",
            "inspector:List*",
            "inspector:LocalizeText",
            "inspector:PreviewAgentsForResourceGroup",
            "iot:Describe*",
            "iot:Get*",
            "iot:List*",
            "kinesis:Describe*",
            "kinesis:Get*",
            "kinesis:List*",
            "kms:Describe*",
            "kms:Get*",
            "kms:List*",
            "lambda:List*",
            "lambda:Get*",
            "logs:Describe*",
            "logs:Get*",
            "logs:TestMetricFilter",
            "machinelearning:Describe*",
            "machinelearning:Get*",
            "mobilehub:GetProject",
            "mobilehub:ListAvailableFeatures",
            "mobilehub:ListAvailableRegions",
            "mobilehub:ListProjects",
            "mobilehub:ValidateProject",
            "mobilehub:VerifyServiceRole",
            "opsworks:Describe*",
            "opsworks:Get*",
            "rds:Describe*",
            "rds:ListTagsForResource",
            "redshift:Describe*",
            "redshift:ViewQueriesInConsole",
            "route53:Get*",
            "route53:List*",
            "route53domains:CheckDomainAvailability",
            "route53domains:GetDomainDetail",
            "route53domains:GetOperationDetail",
            "route53domains:ListDomains",
            "route53domains:ListOperations",
            "route53domains:ListTagsForDomain",
            "s3:List*",
            "sdb:GetAttributes",
            "sdb:List*",
            "sdb:Select*",
            "ses:Get*",
            "ses:List*",
            "sns:Get*",
            "sns:List*",
            "sqs:GetQueueAttributes",
            "sqs:ListQueues",
            "sqs:ReceiveMessage",
            "storagegateway:Describe*",
            "storagegateway:List*",
            "swf:Count*",
            "swf:Describe*",
            "swf:Get*",
            "swf:List*",
            "tag:Get*",
            "trustedadvisor:Describe*",
            "waf:Get*",
            "waf:List*",
            "workspaces:Describe*"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }


  8. Once you have entered all of the details and copied and pasted the policy contents into the Policy Document section, click Create Policy to complete the policy creation process.
  9. Click your new user in the list and go to the Managed Policies header under Permissions. Click Attach Policy.

  10. Scroll through the policy list until you find the custom policy HAVA-RO-POLICY. Click the checkbox and then click Attach Policy.

  11. Now head back to the Hava homepage and enter the credentials you downloaded earlier to get started!
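
One way to review a policy like the one in step 7 before attaching it, as an added example that is not Hava's code: it parses a policy document and lists the entries that return stored data or credentials rather than resource metadata, plus any statement scoped to every resource. The DATA_READS shortlist and the SAMPLE excerpt are constructed for this example.

```python
import json
from fnmatch import fnmatchcase

# Reviewer's shortlist (an assumption of this example, not Hava's): actions in
# the policy above that return stored data or credentials, not just metadata.
DATA_READS = {
    "codecommit:GitPull": "clones repository contents",
    "ec2:GetConsoleOutput": "returns instance console text",
    "ecr:BatchGetImage": "returns container image manifests",
    "ecr:GetAuthorizationToken": "issues a registry login token",
    "glacier:GetJobOutput": "downloads retrieval job output",
    "kinesis:GetRecords": "reads stream records",
    "logs:GetLogEvents": "reads log contents",
    "sdb:Select": "queries SimpleDB item data",
    "sqs:ReceiveMessage": "returns queue message bodies",
}

# Constructed excerpt of the policy above, shortened to keep the example small.
SAMPLE = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Resource": "*",
   "Action": ["ec2:Describe*", "kinesis:Get*", "logs:Get*", "s3:List*",
              "sqs:ListQueues", "sqs:ReceiveMessage", "codecommit:GitPull"]}]}
""")

def as_list(value):
    """IAM allows a single string or object where a list is expected."""
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return (statement index, policy entry, concrete match, reason) tuples."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in as_list(stmt.get("Resource", [])):
            findings.append((i, "Resource", "*", "applies to every resource in the account"))
        patterns = as_list(stmt.get("Action", []))
        for concrete, why in sorted(DATA_READS.items()):
            for pat in patterns:
                # IAM action names are case-insensitive; '*' is a wildcard.
                if fnmatchcase(concrete.lower(), pat.lower()):
                    findings.append((i, pat, concrete, why))
    return findings

if __name__ == "__main__":
    for idx, entry, match, why in audit(SAMPLE):
        print(f"statement {idx}: {entry} -> {match}: {why}")
```

To check the full policy, save it to a file and pass the parsed JSON to `audit`; wildcard entries such as `kinesis:Get*` are reported alongside the concrete action they cover.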