AWS account connection
By default, marbot receives events from your AWS accounts and other 3rd parties. The Monitoring Setup Assistant helps you to configure your AWS accounts to send relevant events to marbot. But we never have access to perform the setup for you. In other words, you push data to marbot. Most often, the pushed information contains all we need to display relevant alerts and notifications in Slack or Microsoft Teams.
But sometimes, we could create a richer experience with additional data that we pull from your AWS account. If you wish, marbot can:
- Enrich AWS account IDs with alias names
- Enrich CloudWatch Alarms with metric graphs
- Add approve and reject buttons to CodePipeline approval requests
To pull data from your AWS account, marbot needs secure and limited access to your AWS account. As the following figure shows, you can connect your AWS account with marbot right from an alert or notification.
The Open AWS button opens the AWS CloudFormation UI in your browser to create a new CloudFormation stack. The stack deploys an IAM role with IAM policies to grant marbot the needed permissions. You can review the permissions and the template and turn features off (e.g., turn CodePipeline approvals off).
You can delete the CloudFormation stack at any time to revoke access.
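One way to review what such a stack would grant before you create it, as an added example that is not marbot's own code or template: the script below reads an already-parsed CloudFormation template and reports, per IAM role, who may assume it, whether an `sts:ExternalId` condition is required, and which allowed actions are not plain read calls. The sample template, account ID, external ID, and the three actions are constructed assumptions for illustration.

```python
# Constructed sample, NOT marbot's real template: account ID, external ID and
# the three actions are placeholders/assumptions chosen for illustration.
SAMPLE_TEMPLATE = {"Resources": {"ConnectionRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
        }]},
        "Policies": [{"PolicyName": "connection", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "iam:ListAccountAliases", "Resource": "*"},
            {"Effect": "Allow", "Action": "cloudwatch:GetMetricWidgetImage", "Resource": "*"},
            {"Effect": "Allow", "Action": ["codepipeline:PutApprovalResult"], "Resource": "*"},
        ]}}],
    },
}}}

READ_PREFIXES = ("Get", "List", "Describe")  # treated as read-only calls

def _as_list(value):
    """IAM allows a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def review_template(template):
    """Summarise who may assume each IAM role and what the role may do."""
    report = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        trust = _as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement", []))
        principals, external_id = [], bool(trust)
        for stmt in trust:
            principal = stmt.get("Principal", {})  # may be the bare string "*"
            principals += [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            external_id = external_id and "sts:ExternalId" in cond
        actions = [a for p in props.get("Policies", [])
                   for s in _as_list(p["PolicyDocument"]["Statement"]) if s.get("Effect") == "Allow"
                   for a in _as_list(s.get("Action", []))]
        # Wildcards and anything that is not Get/List/Describe deserve a closer look.
        needs_review = [a for a in actions
                        if "*" in a or not a.split(":")[-1].startswith(READ_PREFIXES)]
        report[name] = {"principals": principals, "external_id_required": external_id,
                        "actions": actions, "needs_review": needs_review}
    return report

if __name__ == "__main__":
    for role, summary in review_template(SAMPLE_TEMPLATE).items():
        print(role, summary)
```

A real template is usually YAML with intrinsic functions and conditions for the optional features, so load and resolve it first; this sketch only inspects inline `Policies`, not `ManagedPolicyArns`.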
The AWS account connection is bound to an endpoint (a Slack or Microsoft Teams channel). This is for security reasons. All members of a Slack channel / Microsoft Teams team have access to the AWS account connection. If you send events from the same AWS account to multiple endpoints, you are asked to connect your AWS account in each channel.