AWS Connections

AWS connections enable Firetiger to access your AWS resources using IAM role assumption (STS AssumeRole). This provides secure, temporary credentials without sharing long-term access keys.

Recommended: Create and manage connections via the web UI at https://ui.{deployment}.firetigerapi.com/settings/connections

Setup Overview

Setting up an AWS connection involves two stages (walked through as three steps below):

  1. Deploy CloudFormation Stack - Creates an IAM role in your AWS account that Firetiger can assume
  2. Create Connection - Enter the Role ARN and External ID from the CloudFormation outputs

Step 1: Deploy CloudFormation Stack

Option A: AWS Console (One-Click)

  1. Navigate to Settings > Connections in the Firetiger UI
  2. Click New Connection and select AWS
  3. Select your AWS region
  4. Click Launch Stack in AWS Console
  5. Review the stack parameters and click Create stack
  6. Wait for the stack to complete (typically 2-3 minutes)

Option B: AWS CLI

aws cloudformation create-stack \
  --stack-name firetiger-cloudwatch-logs \
  --template-url https://firetiger-public.s3.us-west-2.amazonaws.com/ingest/aws/cloudwatch/logs/ingest-and-iam-onboarding.yaml \
  --parameters \
    "ParameterKey=FiretigerEndpoint,ParameterValue=https://ingest.{deployment}.firetigerapi.com" \
    "ParameterKey=FiretigerUsername,ParameterValue={your-username}" \
    "ParameterKey=FiretigerPassword,ParameterValue={your-password}" \
  --capabilities CAPABILITY_NAMED_IAM \
  --region us-east-1

Replace {deployment}, {your-username}, and {your-password} with your Firetiger deployment details.

Step 2: Get CloudFormation Outputs

After the stack completes, retrieve the outputs:

AWS Console:

  1. Go to CloudFormation > Stacks > firetiger-cloudwatch-logs
  2. Click the Outputs tab
  3. Copy the values for FiretigerRoleArn and FiretigerExternalId

AWS CLI:

aws cloudformation describe-stacks \
  --stack-name firetiger-cloudwatch-logs \
  --query 'Stacks[0].Outputs' \
  --output table

Step 3: Create the Connection

  1. In the Firetiger UI, enter the Role ARN from the CloudFormation outputs
  2. Enter the External ID from the CloudFormation outputs
  3. Select the AWS Region where your resources are located
  4. Click Create Connection

Connection Fields

Field                     Required  Description
display_name              Yes       Human-readable name (e.g., “Production AWS”)
description               Yes       Description of what this connection accesses
role_arn                  Yes       IAM Role ARN to assume (e.g., arn:aws:iam::123456789012:role/firetiger-access)
external_id               No        External ID for additional security (recommended)
region                    Yes       AWS region (default: us-east-1)
session_duration_seconds  No        How long credentials are valid (900-43200 seconds, default: 3600)

What the CloudFormation Stack Creates

The stack deploys:

Resource              Purpose
Lambda Function       Processes CloudWatch logs and forwards them to Firetiger
IAM Role (Lambda)     Allows the Lambda function to read CloudWatch logs
IAM Role (Firetiger)  Cross-account role that Firetiger assumes
Subscription Filters  Automatically subscribe to matching log groups
CloudWatch Log Group  Stores the Lambda function’s logs

IAM Role Permissions

The IAM role created for Firetiger has read-only access to CloudWatch Logs; its permission policy is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": "*"
    }
  ]
}

Security

External ID

The External ID prevents the confused deputy problem: without it, a third party who learns your Role ARN could get Firetiger to assume the role on their behalf. The role’s trust policy requires the External ID in the sts:ExternalId condition, so only a request that presents it is accepted. When configured:

  • Only requests with the matching External ID can assume the role
  • The CloudFormation stack generates a unique External ID automatically
  • Always use the External ID provided in the stack outputs
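The two policy properties described above (a trust policy that requires the External ID and a permission policy limited to the read-only actions listed under IAM Role Permissions) can be checked mechanically. The following is an added example, not Firetiger's or the CloudFormation template's code; the account ID and External ID are constructed placeholders, and the trust-policy shape is the standard IAM cross-account pattern, which is an assumption about what the stack generates.

```python
"""Build and audit the policies of a cross-account role.

Added example, not Firetiger's code. The account ID and External ID below are
constructed placeholders; substitute the values from your own stack outputs.
"""
import json

FIRETIGER_ACCOUNT_ID = "111111111111"   # placeholder for Firetiger's AWS account ID
EXTERNAL_ID = "ft-external-id-placeholder"  # placeholder for the generated External ID

# The read-only actions the IAM Role Permissions section lists.
READ_ONLY_ACTIONS = {
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents",
    "logs:FilterLogEvents",
}


def build_trust_policy(trusted_account_id, external_id):
    """Trust policy that lets one account assume the role only when the
    request carries the matching External ID (the confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_problems(policy, trusted_account_id):
    """Return findings for a trust policy; an empty list means it looks right."""
    problems = []
    saw_assume = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        saw_assume = True
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in principals:
            problems.append("AssumeRole is allowed for any AWS principal")
        if not any(trusted_account_id in p for p in principals):
            problems.append(f"trusted account {trusted_account_id} is not a principal")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            problems.append("no sts:ExternalId condition on the AssumeRole statement")
    if not saw_assume:
        problems.append("no statement allows sts:AssumeRole")
    return problems


def permission_policy_problems(policy, allowed_actions=READ_ONLY_ACTIONS):
    """Flag any Allow statement that grants an action outside the read-only set.
    Wildcards such as logs:* are flagged too, since they are not in the set."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action not in allowed_actions:
                problems.append(f"unexpected action granted: {action}")
    return problems


if __name__ == "__main__":
    trust = build_trust_policy(FIRETIGER_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(trust, indent=2))
    print("trust policy findings:", trust_policy_problems(trust, FIRETIGER_ACCOUNT_ID))
    # The permission policy from the IAM Role Permissions section, as a full document.
    perms = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(READ_ONLY_ACTIONS), "Resource": "*"}]}
    print("permission policy findings:", permission_policy_problems(perms))
```

To audit the role the stack actually created, feed the documents returned by `aws iam get-role` (the AssumeRolePolicyDocument) and `aws iam get-role-policy` into the two checkers.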

Credential Rotation

Firetiger automatically:

  • Requests new STS credentials before expiration
  • Caches credentials with a 5-minute expiry buffer
  • Uses unique session names for CloudTrail auditing
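A credential cache with the three behaviours just listed, as an added example rather than Firetiger's implementation. The STS call is injected as a callable so the logic runs offline (in production it would wrap boto3's `sts.assume_role`); the session-name format, the class and function names, and the fake credential values are assumptions, and the 5-minute buffer and the 900-43200 second range come from this page.

```python
"""Cache STS credentials, refresh them ahead of expiry, and tag each AssumeRole
with a unique session name.

Added example, not Firetiger's code. `assume_role` is any callable with the
signature (role_arn, external_id, session_name, duration_seconds) -> Credentials.
"""
import re
import secrets
import time
from dataclasses import dataclass

REFRESH_BUFFER_SECONDS = 300             # refresh 5 minutes before expiry, as the page states
MIN_DURATION, MAX_DURATION = 900, 43200  # session_duration_seconds range from the fields table
# Characters STS accepts in RoleSessionName, 2 to 64 of them.
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")


@dataclass
class Credentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: float  # epoch seconds


def make_session_name(prefix="firetiger"):
    """Unique RoleSessionName so each AssumeRole is distinguishable in CloudTrail.
    Format is an assumption; any value matching SESSION_NAME_RE works."""
    name = f"{prefix}-{int(time.time())}-{secrets.token_hex(4)}"
    if not SESSION_NAME_RE.match(name):
        raise ValueError(f"invalid session name: {name}")
    return name


class AssumeRoleCache:
    def __init__(self, assume_role, role_arn, external_id,
                 duration_seconds=3600, clock=time.time):
        if not MIN_DURATION <= duration_seconds <= MAX_DURATION:
            raise ValueError(
                f"session_duration_seconds must be {MIN_DURATION}-{MAX_DURATION}")
        self._assume_role = assume_role
        self._role_arn = role_arn
        self._external_id = external_id
        self._duration = duration_seconds
        self._clock = clock            # injectable so expiry can be tested offline
        self._cached = None
        self.refresh_count = 0

    def _needs_refresh(self):
        if self._cached is None:
            return True
        remaining = self._cached.expiration - self._clock()
        return remaining <= REFRESH_BUFFER_SECONDS

    def get(self):
        """Return valid credentials, calling AssumeRole only when needed."""
        if self._needs_refresh():
            self._cached = self._assume_role(
                self._role_arn, self._external_id, make_session_name(), self._duration)
            self.refresh_count += 1
        return self._cached


def fake_sts(clock):
    """Constructed stand-in for sts.assume_role, for the offline demo only."""
    def assume_role(role_arn, external_id, session_name, duration_seconds):
        return Credentials("ASIAEXAMPLEKEY", "secret-placeholder",
                           f"token-{session_name}", clock() + duration_seconds)
    return assume_role


if __name__ == "__main__":
    now = [1_000_000.0]
    cache = AssumeRoleCache(fake_sts(lambda: now[0]),
                            "arn:aws:iam::123456789012:role/firetiger-access",
                            "external-id-placeholder", 3600, lambda: now[0])
    cache.get()
    now[0] += 3000          # 600 s left: still served from cache
    cache.get()
    now[0] += 301           # 299 s left: inside the buffer, refreshed
    cache.get()
    print("AssumeRole calls:", cache.refresh_count)
```

Because expiry is checked against an injectable clock, the refresh boundary can be tested without waiting an hour; the same cache object is what a request path should hold, so concurrent callers share one set of credentials rather than each assuming the role.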

Verification

After creating the connection, Firetiger automatically verifies it by:

  1. Calling STS AssumeRole with your Role ARN and External ID
  2. Making a test API call (sts:GetCallerIdentity)
  3. Confirming the assumed role identity

If verification fails, check:

  • The Role ARN is correct and the role exists
  • The External ID matches exactly
  • The role’s trust policy allows Firetiger’s AWS account
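The verification sequence above, as an added example that is not Firetiger's verifier: assume the role, call GetCallerIdentity with the temporary credentials, and confirm the returned ARN is the assumed-role form of the configured Role ARN. The comparison helpers run offline; the live function needs boto3 and credentials for the assuming side. All ARNs in the code are constructed placeholders, and the function names are assumptions.

```python
"""Confirm that assuming a role yields the identity the connection expects.

Added example, not Firetiger's code. boto3 is imported lazily inside
verify_connection() so the pure helpers work without it installed.
"""
import re

# IAM role ARN: partition, 12-digit account, optional path, then the role name.
ROLE_ARN_RE = re.compile(
    r"^arn:(aws[\w-]*):iam::(\d{12}):role/(?:[\w+=,.@/-]*/)?([\w+=,.@-]+)$")


def expected_assumed_role_prefix(role_arn):
    """Map an IAM role ARN to the sts assumed-role ARN prefix that
    GetCallerIdentity returns. The role's path (if any) is dropped in the
    assumed-role ARN, which is why a naive string comparison can fail."""
    match = ROLE_ARN_RE.match(role_arn)
    if not match:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    partition, account, name = match.groups()
    return f"arn:{partition}:sts::{account}:assumed-role/{name}/"


def identity_matches(caller_arn, role_arn):
    """True when caller_arn is a session of exactly the configured role."""
    return caller_arn.startswith(expected_assumed_role_prefix(role_arn))


def verify_connection(role_arn, external_id=None, region="us-east-1",
                      session_name="firetiger-verify"):
    """Live check. Returns (matched, caller_arn). Requires boto3 and AWS
    credentials for the account that is trusted by the role."""
    import boto3  # lazy import: the offline helpers above do not need it

    sts = boto3.client("sts", region_name=region)
    params = {"RoleArn": role_arn, "RoleSessionName": session_name}
    if external_id:  # external_id is optional in the connection fields
        params["ExternalId"] = external_id
    creds = sts.assume_role(**params)["Credentials"]
    assumed = boto3.client(
        "sts", region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"])
    caller_arn = assumed.get_caller_identity()["Arn"]
    return identity_matches(caller_arn, role_arn), caller_arn


if __name__ == "__main__":
    # Offline demonstration with constructed ARNs.
    role = "arn:aws:iam::123456789012:role/service/firetiger-access"
    session = "arn:aws:sts::123456789012:assumed-role/firetiger-access/firetiger-verify"
    print(expected_assumed_role_prefix(role))
    print("identity matches:", identity_matches(session, role))
```

If `verify_connection` raises an AccessDenied error from AssumeRole, work through the checklist above: the Role ARN, the External ID, and the trust policy's principal are the three inputs that decision depends on.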

Troubleshooting

“Access Denied” when assuming role

  • Verify the Role ARN is correct
  • Check the External ID matches the CloudFormation output exactly
  • Ensure the role’s trust policy includes Firetiger’s AWS account

“Role does not exist”

  • Confirm the CloudFormation stack completed successfully
  • Check you’re using the correct AWS region

Credentials expire too quickly

  • Increase session_duration_seconds (max 43200 = 12 hours)
  • Note: The IAM role’s maximum session duration (MaxSessionDuration on the role) must also allow this; AssumeRole fails if the requested duration exceeds it

Best Practices

  • Use descriptive names - Include environment and purpose (e.g., “Production CloudWatch Logs”)
  • Document access scope - Describe which log groups or resources are accessible
  • Use External ID - Always configure for cross-account security
  • Limit permissions - The default role has read-only access; don’t add write permissions unless needed
