AWS Perspective Implementation Guide


AWS Perspective: Implementation Guide
Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

Home .... 1
Overview .... 2
  Cost .... 2
  Architecture overview .... 3
Solution components .... 5
  Authentication mechanism .... 5
  Web UI and storage management .... 5
  Data component .... 7
  Image deployment component .... 8
  Discovery component .... 8
  Cost component .... 10
  Supported Resources .... 10
  AWS Perspective architecture diagram management .... 10
Considerations .... 12
  Create dedicated deployment account .... 12
AWS CloudFormation template .... 13
Automated deployment .... 14
  Prerequisites .... 14
    Gather deployment parameter details .... 14
  Deployment overview .... 14
  Step 1. Launch the stack .... 15
  Step 2. Post-deployment configuration tasks .... 16
    Enable public object access on the AWS Amplify storage bucket (optional) .... 17
    Enable Advanced security in Amazon Cognito .... 17
    Create Amazon Cognito users .... 17
    Log in .... 18
    Import an account .... 19
      Deploy the stack to import the account .... 19
      Verify the data imported correctly from the new account .... 20
    Import a new Region .... 20
      Deploy the stack to import the Region .... 21
    Set up the cost feature .... 22
    Edit S3 bucket lifecycle policies .... 23
Web UI features and common tasks .... 25
  Side navigation pane .... 25
  AWS Perspective architecture diagrams .... 26
    Build an AWS Perspective architecture diagram .... 26
    Visualize AWS resources by resource type .... 28
    Search for resources .... 30
    Export AWS Perspective architecture diagrams .... 30
      Save an AWS Perspective architecture diagram .... 30
      Download an AWS Perspective architecture diagram .... 31
    Filtering in AWS Perspective .... 31
Security .... 32
  Resource Access .... 32
    IAM roles .... 32
    Amazon Cognito .... 32
  Network Access .... 32
    Amazon Virtual Private Cloud (Amazon VPC) .... 32
    Amazon CloudFront .... 33
  Application Configuration .... 33
    Amazon API Gateway .... 33
    AWS Lambda .... 33
    Amazon Elasticsearch Service (Amazon ES) .... 33
Additional resources .... 34
Appendix A: Locating deployment resources .... 35
Appendix B: Supported resources .... 36
Appendix C: Supported deployment Regions .... 38
Appendix D: IAM roles .... 39
Appendix E: Debugging the discovery component .... 40
Appendix F: Uninstall the solution .... 41
  Using the AWS Management Console .... 41
  Using AWS Command Line Interface .... 41
Appendix G: Collection of operational metrics .... 42
Source code .... 43
Contributors .... 44
Revisions .... 45
Notices .... 46

AWS Perspective
AWS Solutions Implementation Guide

Publication date: September 2020

This implementation guide discusses architectural considerations and configuration steps for deploying AWS Perspective in the Amazon Web Services (AWS) Cloud. It includes a link to an AWS CloudFormation (https://aws.amazon.com/cloudformation) template that launches and configures the AWS services required to deploy this solution using AWS best practices for security and availability.

The guide is intended for end users who have practical experience with the AWS Cloud.

Overview

Monitoring your AWS Cloud workloads is key to maintaining operational health and efficiency. However, keeping track of the AWS resources and the relationships between them can be a challenge. AWS Perspective is a visualization tool that quickly generates architecture diagrams of AWS Cloud workloads. You can use the solution to build, customize, and share detailed workload visualizations based on live data from AWS. This solution works by maintaining an inventory of the AWS resources across your accounts and Regions, mapping relationships between them, and displaying them in a web user interface (web UI). When making changes to a resource, AWS Perspective saves you time by providing a link to the resource in the AWS Management Console.

Figure 1: Sample architecture diagram generated by AWS Perspective

Cost

You are responsible for the cost of the AWS services used while running this solution. As of the date of publication, the estimated cost for running AWS Perspective in the US East (N. Virginia) Region is approximately $0.79/hr or $535.85/mth. This includes estimated charges for the following AWS services, which are billed on a monthly basis.

AWS service                                            Hourly cost
Amazon Neptune (db.r5.large)                           $0.348
Amazon Elasticsearch Service (m4.large.elasticsearch)  $0.320
Amazon VPC                                             $0.002
NAT gateway                                            $0.090
AWS Config (Item cost = $0.003)                        N/A
Amazon ECS                                             $0.001
Total                                                  $0.761

Important
This pricing estimate is based on the Amazon Neptune read-replica option being disabled (the CreateNeptuneReplica parameter is set to No) with the instance type set to db.r5.large. The cost for Amazon Neptune varies, depending on the instance type you select.

Prices are subject to change. For full details, see the pricing webpage for each AWS service you will be using in this solution.

Architecture overview

Deploying this solution with the default parameters builds the following environment in the AWS Cloud.

Figure 2: AWS Perspective architecture on AWS

AWS Perspective is deployed to your account using an AWS CloudFormation template consisting of six components. The following is a high-level overview of the components. For additional details about each component, refer to the Solution components (p. 5) section.

The web user interface (UI) interacts with the data component via Amazon API Gateway (http://aws.amazon.com/api-gateway/) and AWS AppSync (http://aws.amazon.com/appsync/) endpoints. The web UI requests resource relationship data from the data component. The data component queries and returns data from an Amazon Neptune (http://aws.amazon.com/neptune/) database.

The storage management component stores user preferences and saved architecture diagrams. This is implemented using AWS Amplify (http://aws.amazon.com/amplify/) and an Amazon Simple Storage Service (Amazon S3, http://aws.amazon.com/s3/) bucket.

The discovery component uses AWS Config (http://aws.amazon.com/config) and AWS API (p. 34) calls to maintain an inventory of resource data from imported accounts and Regions, then stores its findings in the data component. This runs every 15 minutes as a container task on AWS Fargate (http://aws.amazon.com/fargate/). The discovery component container image is built in the image deployment component using AWS CodePipeline (http://aws.amazon.com/codepipeline/) and AWS CodeBuild (http://aws.amazon.com/codebuild/).

The cost component processes AWS Cost and Usage Reports (AWS CUR, https://docs.aws.amazon.com/cur/latest/userguide/what-is-cur.html) to make cost data available in AWS Perspective. To use this feature, you must create a report in AWS CUR (https://docs.aws.amazon.com/cur/latest/userguide/cur-create.html) to deliver the reports to the PerspectiveCostBucket Amazon S3 bucket. When an AWS CUR is delivered, it triggers an AWS Lambda (http://aws.amazon.com/lambda) function to process the cost data and store it in an Amazon DynamoDB (http://aws.amazon.com/dynamodb/) table. The data component queries this DynamoDB table to provide the costs associated with the individual resources for display in the web UI. If you do not create an AWS CUR, cost data will not be included in architecture diagrams generated by AWS Perspective.

Solution components

Authentication mechanism

AWS Perspective uses an Amazon Cognito User Pool (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) for both the web user interface (UI) and Amazon API Gateway authentication. Once authenticated, Amazon Cognito provides a JSON Web Token (JWT, https://en.wikipedia.org/wiki/JSON_Web_Token) to the web UI that will be provided with all subsequent API requests. If a valid JWT is not provided, the API request will fail and return an HTTP 403 Forbidden response.

Web UI and storage management

The web UI was developed using React (https://reactjs.org/) and provides a front-end console to enable users to interact with AWS Perspective.

Lambda@Edge (http://aws.amazon.com/lambda/edge/) appends secure headers to every HTTP request to the web UI. This provides an additional layer of security, protecting against attacks such as cross-site scripting (XSS, https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-xss-match.html).
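The Lambda@Edge header injection described above, written here as an added example rather than the solution's own function: it runs on CloudFront's origin-response event (the headers travel on the response to the browser) and overrides any weaker value the origin set. The header values are assumptions and the sample event is constructed.

```javascript
'use strict';
// Added example, not the solution's own Lambda@Edge code: an origin-response
// handler that attaches the security headers CloudFront then returns with every
// web UI response. Header values are assumptions; tighten the CSP for your build.

const SECURITY_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'content-security-policy':
    "default-src 'self'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none'",
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'referrer-policy': 'same-origin',
};

// CloudFront wants the canonical header name in "key" alongside the lowercase map key.
function canonicalName(lowerName) {
  return lowerName.split('-').map((p) => p[0].toUpperCase() + p.slice(1)).join('-');
}

// Set every header unconditionally: if the S3 origin (or a misconfiguration)
// supplied a weaker value, it is replaced rather than kept.
function addSecurityHeaders(response) {
  const headers = response.headers || (response.headers = {});
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    headers[name] = [{ key: canonicalName(name), value }];
  }
  return response;
}

// Lambda@Edge entry point for the origin-response trigger.
async function handler(event) {
  return addSecurityHeaders(event.Records[0].cf.response);
}

// Constructed origin-response event: the origin answers with a permissive
// X-Frame-Options that the handler must override.
function sampleEvent() {
  return { Records: [{ cf: { response: {
    status: '200',
    statusDescription: 'OK',
    headers: {
      'content-type': [{ key: 'Content-Type', value: 'text/html' }],
      'x-frame-options': [{ key: 'X-Frame-Options', value: 'ALLOWALL' }],
    },
  } } }] };
}

if (typeof module !== 'undefined') module.exports = { handler, addSecurityHeaders };
```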

Figure 3: AWS Perspective web UI and storage management components

The web UI resources are hosted in the WebUIBucket Amazon Simple Storage Service (Amazon S3) bucket and distributed by Amazon CloudFront (http://aws.amazon.com/cloudfront/). AWS Amplify provides an abstraction layer to simplify the integrations to API Gateway, AWS AppSync, and Amazon S3. Amazon Cognito authenticates users at the login stage. On successful login, a JSON Web Token (JWT) is provided in the authentication response from Amazon Cognito. The JWT must be sent with all subsequent API requests. If the JWT is not provided, then the API request will fail and return an HTTP 403 Forbidden response.

AWS AppSync is used to facilitate interaction with various configurations available to AWS Perspective, including managing imported Regions and accounts. AWS AppSync integrates with Amazon DynamoDB for create, read, update, and delete (CRUD) operations, but utilizes the Settings AWS Lambda function to handle more complex requests, such as importing a new account and Region, which require an API call to AWS Config to authorize the new Region.

Amazon API Gateway builds the PerspectiveWebRestAPI endpoint and provides access to the relationship data that AWS Perspective collects. This API endpoint is called when the user builds out their architecture diagram.

Refer to Web UI features and common tasks (p. 25) for an overview of UI features and common tasks.

Data component

Figure 4: AWS Perspective data component

The web UI sends requests to the PerspectiveWebRestAPI API Gateway endpoint, which serves requests to the GremlinFunction AWS Lambda function. This Lambda function processes the request and queries Amazon Neptune and the cost component to gather the required data about the AWS resource specified in the request.

The discovery component sends requests to the API Gateway PerspectiveWebRestAPI endpoint when it requires the latest data about the resources already discovered. This is to ensure that the discovery component aligns with the current state of the Neptune relationship graph.

The ServerGremlinAPI API Gateway endpoint receives requests from the AWS Fargate task in the discovery component and is authenticated using an Identity and Access Management (IAM) role that provides access to the Amazon Elasticsearch Service (Amazon ES) cluster. The API Gateway endpoint is backed by the Search Lambda function that processes incoming requests and communicates with the Amazon ES cluster. The Amazon ES cluster provides an index of the relationship data discovered by AWS Perspective.

Image deployment component

Figure 5: AWS Perspective image deployment component

The image deployment component builds the container image that is used by the discovery component. The code is hosted in the DiscoveryBucket Amazon S3 bucket and downloaded at deployment time by AWS CodePipeline. CodePipeline initiates an AWS CodeBuild job that builds the container image and uploads it to Amazon Elastic Container Registry (Amazon ECR). Amazon Elastic Container Service (Amazon ECS) downloads this container image from Amazon ECR and triggers a task at regular intervals (every 15 minutes by default).

Discovery component

The discovery component is the main data-gathering element of the AWS Perspective architecture. It is responsible for querying AWS Config and making describe API calls (p. 34) to maintain the inventory of resources and their relationships to one another.

Figure 6: AWS Perspective discovery component

This solution configures Amazon ECS to run an AWS Fargate task using the container image downloaded from Amazon ECR. The AWS Fargate task is scheduled to run at 15-minute intervals. The resource relationship data that is collected is inserted into an Amazon Neptune graph database and Amazon ES.

The discovery component workflow consists of three steps:

1. Amazon ECS triggers an AWS Fargate task at 15-minute intervals.
2. The Fargate task gathers resource data from AWS Config and AWS API describe calls.
3. The Fargate task runs HTTP POST requests to the ServerGremlinAPI API Gateway endpoint to aggregate resource relationship data and insert it into Amazon Neptune and Amazon ES.

Cost component

Figure 7: AWS Perspective cost component

You can create an AWS Cost and Usage Report (https://docs.aws.amazon.com/cur/latest/userguide/what-is-cur.html) in AWS Billing and Cost Management (https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-what-is.html). This publishes a zipped comma-separated value (CSV) report into the PerspectiveCostBucket Amazon S3 bucket created at deployment time and configured post deployment (p. 22). When the new Amazon S3 object is uploaded, it triggers the Cost Parser Lambda function. This function processes the object and inserts the relevant cost data into an Amazon DynamoDB table, which the data component queries.

Supported Resources

To see a list of AWS resource types that Perspective is able to discover within your accounts and Regions, refer to Appendix B (p. 36).

AWS Perspective architecture diagram management

You can store AWS Perspective architecture diagrams that you have created in the web UI. You can also perform standard create, read, update, and delete (CRUD) operations on them. The AWS Amplify storage API (https://aws-amplify.github.io/amplify-js/api/classes/storageclass.html) allows this solution to store architecture diagrams in an Amazon S3 bucket. This API manages the CRUD operations and permissions and has three levels:

• All users - Allows AWS Perspective architecture diagrams to be visible to AWS Perspective users in your deployment. Users can download and edit these diagrams.
• You - Allows AWS Perspective architecture diagrams to be visible only to the creator. Other users will not see them.

Design considerations

Create dedicated deployment account

We recommend that you deploy AWS Perspective into a dedicated AWS account created specifically for this solution. This approach means AWS Perspective is isolated from your existing workloads and provides a single location for configuring the solution, such as adding users and importing new accounts and Regions. It is also easier to track the costs involved with running the solution.

Once AWS Perspective is deployed, you can then import any accounts and Regions you already have provisioned.

AWS CloudFormation template

This solution uses AWS CloudFormation to automate the deployment of AWS Perspective in the AWS Cloud. It includes the following CloudFormation template, which you can download before deployment:

aws-perspective.template (https://s3.amazonaws.com/solutions-reference/aws-perspective/latest/aws-perspective.template): Use this template to launch the solution and all associated components. The default configuration deploys Amazon CloudFront, Amazon Simple Storage Service (Amazon S3), AWS Lambda, Amazon Cognito, AWS Amplify, Amazon API Gateway, Amazon Neptune, Amazon Elasticsearch Service (Amazon ES), Amazon Elastic Container Service (Amazon ECS), AWS Fargate, AWS Config, Amazon Elastic Container Registry (Amazon ECR), Amazon DynamoDB, AWS CodePipeline, and AWS CodeBuild. You can customize the template to meet your specific needs.

  • AWS Perspective Implementation GuidePrerequisites

    Automated deploymentBefore you launch the solution, review the architecture, configuration, network security, and otherconsiderations discussed in this guide. Follow the step-by-step instructions in this section to configureand deploy the solution into your account.

    Time to deploy: Approximately 30 minutes

    PrerequisitesGather deployment parameter detailsBefore deploying AWS Perspective, review your configuration details for the Amazon ElasticsearchService (Amazon ES) service-linked role and AWS Config.

    Verify whether you have anAWSServiceRoleForAmazonElasticsearchService roleThe deployment creates an Amazon ES cluster inside an Amazon Virtual Private Cloud (Amazon VPC).The template uses a service-linked role to create the Amazon ES cluster; however, if you already have therole created in your account, use the existing role.

    To check if you already have this role:

    1. Sign in to the Identity and Access Management (IAM) console for the account you plan to deploy thissolution to.

2. In the Search box below the menu, search for AWSServiceRoleForAmazonElasticsearchService.

If your search returns a role, select No for the CreateElasticsearchServiceRole parameter when you launch the stack.

Verify your AWS Config details in your account

The deployment will attempt to set up AWS Config. If you already use AWS Config in the account you plan to deploy to, or make discoverable by AWS Perspective, select the relevant parameters when you deploy this solution. Furthermore, for successful deployment, ensure that you have not restricted the resources that AWS Config scans.

    To check your current AWS Config configuration:

1. Sign in to the AWS Config console.

2. Choose Settings and ensure the Record all resources supported in this Region and Include global resources boxes are checked.

Deployment overview

Use the following steps to deploy this solution on AWS. For detailed instructions, follow the links for each step.

Step 1. Launch the stack (p. 15)

• Launch the AWS CloudFormation template into your AWS account.
• Enter values for required parameters:
  • Stack Name
  • AdminUserEmailAddress
  • AlreadyHaveConfigSetup
  • CreateElasticsearchServiceRole
  • OptOutOfSendingAnonymousUsageMetrics
  • CreateNeptuneReplica
  • NeptuneInstanceClass
• Review the other template parameters, and adjust if necessary.

Step 2. Post-deployment configuration tasks (p. 16)

• Enable advanced security in Cognito (Optional)
• Create Cognito users
• Log in
• Import an account
• Import new Region
• Set up cost feature
• Edit S3 bucket lifecycle policies

Step 1. Launch the stack

This automated AWS CloudFormation template deploys AWS Perspective in the AWS Cloud. You must gather deployment parameter details before launching the stack. See Prerequisites (p. 14) for details.

Note: You are responsible for the cost of the AWS services used while running this solution. For more details, refer to the Cost (p. 2) section in this guide, and refer to the pricing webpage for each AWS service used in this solution.

1. Sign in to the AWS Management Console and use the launch link (https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?templateURL=https://s3.amazonaws.com/solutions-reference/aws-perspective/latest/aws-perspective.template) to launch the aws-perspective.template AWS CloudFormation template.

Alternatively, you can download the template (https://s3.amazonaws.com/solutions-reference/aws-perspective/latest/aws-perspective.template) as a starting point for your own implementation.

2. The template launches in the US East (N. Virginia) Region by default. To launch the solution in a different AWS Region, use the Region selector in the console navigation bar.

Note: This solution uses services that are not available in all AWS Regions. Refer to Appendix C (p. 38) for a list of supported AWS Regions.

3. On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box and choose Next.

4. On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, see IAM and STS Quotas (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html) in the AWS Identity and Access Management User Guide.


5. Under Parameters, review the parameters for this solution template and modify them as necessary. This solution uses the following default values.

Parameter | Default | Description
Stack Name | | A name to indicate the solution you are deploying.
AdminUserEmailAddress | | An email address that will be used to create the first user. The temporary credentials will be sent to this email address.
AlreadyHaveConfigSetup | No | Confirmation of whether or not you already have AWS Config set up in the deployment account. Refer to Prerequisites (p. 14) for details.
CreateElasticsearchServiceRole | Yes | Confirmation of whether or not you already have a service-linked role for Amazon ES. Refer to Prerequisites (p. 14) for details.
CreateNeptuneReplica | No | Choose whether to create a read replica for Neptune in a separate Availability Zone. Choosing Yes improves resilience; however, it increases the cost of this solution.
NeptuneInstanceClass | db.r5.large | The instance type that will be used to host the Amazon Neptune database. What you select here affects the cost of running this solution.
OptOutOfSendingAnonymousUsageMetrics | No | Choose whether to opt out of sending basic usage metrics to AWS.

6. Choose Next.

7. On the Configure stack options page, choose Next.

8. On the Review page, review and confirm the settings. Check the boxes acknowledging that the template will create AWS Identity and Access Management (IAM) resources and require certain capabilities.

    9. Choose Create stack to deploy the stack.

You can view the status of the stack in the AWS CloudFormation Console in the Status column. You should receive a CREATE_COMPLETE status in approximately 30 minutes.

Note: If deleted, this stack removes all resources. If the stack is updated, it retains the Amazon Cognito user pool to ensure configured users are not lost.
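The two prerequisite checks (the Amazon ES service-linked role and the AWS Config recorder settings) and the Yes/No parameters of Step 1 can be scripted instead of verified by hand in the console. The following Python is an added example written for this guide, not code from the AWS Perspective project: it evaluates the JSON shapes the IAM and AWS Config APIs return, derives the create-stack parameter list with the inversion the guide describes (an existing role means CreateElasticsearchServiceRole=No), and optionally runs the real checks with boto3. The role name, parameter keys, defaults and template URL are the ones the guide lists; the function names, the email sanity check and the sample responses are this example's own assumptions.

```python
"""Pre-flight checks and CloudFormation parameter derivation for the
aws-perspective.template stack. Added example for this guide, not code from
the AWS Perspective project.

The checks operate on the JSON shapes returned by the IAM and AWS Config
APIs so they can be exercised offline on constructed responses; the optional
boto3 runner at the end performs the real calls when credentials exist.
"""
import re

# Names and defaults are the ones listed in the guide.
ES_SERVICE_LINKED_ROLE = "AWSServiceRoleForAmazonElasticsearchService"
TEMPLATE_URL = ("https://s3.amazonaws.com/solutions-reference/"
                "aws-perspective/latest/aws-perspective.template")
EMAIL_PATTERN = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")   # loose sanity check only


def yes_no(flag):
    """The template's choice parameters take the literal strings Yes/No."""
    return "Yes" if flag else "No"


def config_records_everything(recorders):
    """True when an AWS Config recorder records all supported resource types
    *and* global resources, the two boxes the guide asks you to verify under
    AWS Config > Settings. `recorders` is the "ConfigurationRecorders" list
    from describe_configuration_recorders (empty when Config is not set up)."""
    for rec in recorders:
        group = rec.get("recordingGroup", {})
        if group.get("allSupported") and group.get("includeGlobalResourceTypes"):
            return True
    return False


def es_role_present(role_names):
    """True when the Amazon ES service-linked role already exists in the account."""
    return ES_SERVICE_LINKED_ROLE in role_names


def derive_parameters(admin_email, es_role_exists, config_set_up,
                      create_neptune_replica=False,
                      neptune_instance_class="db.r5.large",
                      opt_out_of_metrics=False):
    """Build the Parameters list for create-stack from the pre-flight results.
    As the guide says, an existing service-linked role means
    CreateElasticsearchServiceRole=No, and existing Config means
    AlreadyHaveConfigSetup=Yes."""
    if not EMAIL_PATTERN.fullmatch(admin_email):
        raise ValueError("AdminUserEmailAddress must be an email address")
    values = {
        "AdminUserEmailAddress": admin_email,
        "AlreadyHaveConfigSetup": yes_no(config_set_up),
        "CreateElasticsearchServiceRole": yes_no(not es_role_exists),
        "CreateNeptuneReplica": yes_no(create_neptune_replica),
        "NeptuneInstanceClass": neptune_instance_class,
        "OptOutOfSendingAnonymousUsageMetrics": yes_no(opt_out_of_metrics),
    }
    return [{"ParameterKey": k, "ParameterValue": v} for k, v in values.items()]


def preflight_with_boto3(admin_email, **overrides):
    """Run both checks against the signed-in account (needs boto3 and
    credentials) and return the parameter list. Deploy afterwards with
    boto3.client("cloudformation").create_stack(StackName=..., TemplateURL=
    TEMPLATE_URL, Parameters=..., Capabilities=[...]) passing the
    capabilities the Review page asks you to acknowledge."""
    import boto3
    from botocore.exceptions import ClientError
    iam, config = boto3.client("iam"), boto3.client("config")
    try:
        iam.get_role(RoleName=ES_SERVICE_LINKED_ROLE)
        role_exists = True
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchEntity":
            raise
        role_exists = False
    recorders = config.describe_configuration_recorders()["ConfigurationRecorders"]
    return derive_parameters(admin_email, role_exists,
                             config_records_everything(recorders), **overrides)
```

Running `config_records_everything` on an account whose recorder has `allSupported` set but `includeGlobalResourceTypes` cleared returns False, which is exactly the case where the guide says the deployment would miss global resources such as IAM; fix the recorder first rather than setting AlreadyHaveConfigSetup=Yes.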

Step 2. Post-deployment configuration tasks

After AWS Perspective has been successfully deployed, review the following post-deployment configuration tasks.


Enable public object access on the AWS Amplify storage bucket (optional)

Note: This optional configuration enables a single-click deployment option when importing accounts and Regions. Skip this configuration if you do not want Perspective to create public objects. You can still download the AWS CloudFormation template and deploy it manually.

As part of the import process, AWS Perspective generates AWS CloudFormation templates to be deployed in the account and Region to make them discoverable. The templates are stored in the aws-perspective-amplifystoragebucket- Amazon S3 bucket. To make the S3 objects public, provide the required permissions to this bucket.

1. Sign in to the AWS Management Console for your AWS Perspective account.
2. Navigate to the Amazon S3 console.
3. Search for "amplifystoragebucket".
4. Select the S3 bucket.
5. Choose the Permissions tab.
6. Choose Block public access.
7. Choose Edit.
8. Ensure Block all public access is not selected.

Enable Advanced security in Amazon Cognito

If you would like to enable the advanced security features for Amazon Cognito, follow the instructions in Adding Advanced Security to a User Pool (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html).

Create Amazon Cognito users

AWS Perspective uses Amazon Cognito to manage all users and authentication. It creates a user for you during deployment and sends an email to the address provided with temporary credentials.

To create additional users:

1. Sign in to the AWS Cognito console.
2. Choose Manage User Pools.
3. Choose perspective..userpool.
4. In the navigation pane, under General Settings, choose Users and groups.
5. On the Users tab, choose Create user.
6. On the Create user box, enter values for all required fields.

Form Field | Required? | Description
Username | Yes | The username that you will use to log in to AWS Perspective.
Send an invitation | Yes (email only) | When selected, sends a notification as a reminder of the temporary password. Select Email only. If you select SMS (default) an error message will be displayed, but the user will still be created.
Temporary Password | Yes | Enter a temporary password. The user will be forced to change this when they log in to AWS Perspective for the first time.
Phone Number | Yes | Enter a phone number in international format, for example, +44. Ensure the Mark phone number as verified? box is selected.
Email | Yes | Enter a valid email address. Ensure the Mark email as verified? box is selected.

7. Choose Create user.

8. Repeat this process to create as many users as you need.

Note: Every user will have the same level of access to resources discovered. We recommend provisioning a separate deployment of AWS Perspective for accounts that contain sensitive workloads or data. This will let you restrict access to only the users that need it.
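The Create user form rules above (email-only invitation, verified phone and email attributes, a temporary password the user must change on first login) are the same ones you would enforce when provisioning users with the Cognito AdminCreateUser API, which is how a team scripts onboarding for a deployment with several users. The following Python is an added example, not code from the AWS Perspective project: it builds the request, forces email delivery (the guide notes SMS produces an error), validates the international phone format, and generates a temporary password with mixed character classes. The user pool ID, usernames, addresses and phone number are placeholders, and boto3 is only needed for the final call.

```python
"""Build an AdminCreateUser request that follows the Create user form rules
in the guide. Added example, not code from the AWS Perspective project.
"""
import re
import secrets
import string

E164 = re.compile(r"^\+[1-9]\d{6,14}$")          # international format, e.g. +44...
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SYMBOLS = "!@#$%^&*"


def generate_temporary_password(length=16):
    """Random temporary password containing lower, upper, digit and symbol
    classes so it satisfies a typical user pool password policy. Cognito
    forces the user to replace it at first login, as the guide describes."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pwd = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pwd) and any(c.isupper() for c in pwd)
                and any(c.isdigit() for c in pwd) and any(c in SYMBOLS for c in pwd)):
            return pwd


def build_admin_create_user(user_pool_id, username, email, phone_number,
                            temporary_password=None):
    """Return the keyword arguments for cognito-idp AdminCreateUser.

    DesiredDeliveryMediums is fixed to EMAIL because the form's "Send an
    invitation" option must be Email only; email_verified and
    phone_number_verified mirror the two "Mark ... as verified?" boxes.
    """
    if not EMAIL.match(email):
        raise ValueError("email must be a valid address")
    if not E164.match(phone_number):
        raise ValueError("phone_number must be in international format, e.g. +44...")
    return {
        "UserPoolId": user_pool_id,
        "Username": username,
        "TemporaryPassword": temporary_password or generate_temporary_password(),
        "DesiredDeliveryMediums": ["EMAIL"],
        "UserAttributes": [
            {"Name": "email", "Value": email},
            {"Name": "email_verified", "Value": "true"},
            {"Name": "phone_number", "Value": phone_number},
            {"Name": "phone_number_verified", "Value": "true"},
        ],
    }


def create_user_with_boto3(**kwargs):
    """Submit the request (needs boto3 and credentials for the pool's account)."""
    import boto3
    return boto3.client("cognito-idp").admin_create_user(**build_admin_create_user(**kwargs))
```

Because every Perspective user sees the same discovered data, the script does not assign groups or scoped permissions; as the note above says, separation is achieved by deploying a separate instance for sensitive accounts, not by per-user roles in the pool.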

Log in

After this solution is successfully deployed, determine the URL for the Amazon CloudFront distribution that serves the AWS Perspective web UI.

1. Sign in to the AWS CloudFormation console.
2. Choose View nested to display the nested stacks that make up the AWS Perspective deployment. Depending on your preferences, nested stacks might already be displayed.
3. Select the CloudFront stack. Example stack name format: aws-perspective---CloudFrontDistribution-XXXXX.
4. Select the Outputs tab and choose the URL in the Value column.
5. On the Sign in to AWS Perspective screen, enter the username and password that you received via email. Then take the following actions:
   a. Follow the prompts to change your password.
   b. Use the verification code sent to your email to complete account recovery.

6. When the AWS Perspective web UI loads, you will be prompted to import your first account. We recommend that you first import the account that you use to deploy AWS Perspective because it contains resources to help you use the solution. Click Import. The progress popup disappears when the import is complete, after about 30 minutes.

To import a different account, refer to Import an account (p. 19).

Once the import has succeeded, explore your resources. Refer to Web UI features and common tasks (p. 25) for details about getting started.


Import an account

1. Sign in to AWS Perspective. Refer to Log in (p. 18) for the URL.

    2. Under the Configuration category on the left pane, select Accounts & Regions.

    If the left pane is not visible, choose the menu icon to expand the list.

3. On the window showing the accounts and Regions currently discoverable to AWS Perspective, select the Import tab.

4. Under Import an Account, enter the 12-digit account ID. Enter numbers only; do not include the hyphens.

    5. From the dropdown, select the Region you would like to import into this account.

    6. Choose Import.

    There will be two options:

a. If you choose Deploy Template, ensure that you are logged in to the AWS Management Console for the account you are importing and have enabled public object access on the Amplify storage bucket (p. 17). You will be redirected to the CloudFormation console to deploy the stack to import the account (p. 19).

b. If you choose Save Template, the AWS CloudFormation template (import-account.template) will be downloaded. Follow the procedure to deploy the stack to import the account (p. 19), beginning at step 1.a.

Deploy the stack to import the account

1. On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box and choose Next.

The key in the template link should be public/cfn/import-templates/accounts/ and the bucket should reference aws-perspective.

    If you are not signed in:

    a. Sign in to the AWS CloudFormation console.

    b. Choose Create stack and then select With new resources (standard).

    c. On the Create stack page, in the Specify template section, select Upload a template file.

d. Choose Choose file and select the account-import.template file that you downloaded earlier, and choose Next.

e. On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, see IAM and STS Quotas in the AWS Identity and Access Management User Guide.

2. Under Parameters, review the parameters for this solution template and modify them as necessary. This solution uses the following default values.

Field Name | Default | Description
Stack name | aws-perspective | The name of this AWS CloudFormation stack.
AccountId | AWS Perspective deployment account ID | The account ID of the original AWS Perspective deployment account. Must be left as default.
AggregationRegion | AWS Perspective deployment Region | The Region that AWS Perspective was originally deployed into. Must be left as default.
ConfigAggregator | PerspectiveConfigAggregator | The name of the AWS Config aggregator to install in this account.
AlreadyHaveConfigSetup | No | Confirmation of whether the Region already has AWS Config installed. Set to Yes if AWS Config is already installed in this Region.

    3. Choose Next.

4. Check the box acknowledging that AWS CloudFormation might create IAM resources with custom names.

    5. Choose Create stack.

After a few minutes the stack will be created. Your account and Region will then be processed during the next discovery component task execution, after 15 minutes.

Verify the data imported correctly from the new account

1. Sign in to AWS Perspective (or refresh the page if it’s already loaded). Refer to Log in (p. 18) for the URL.

2. Select Accounts & Regions under the Configuration category on the left pane. If the left pane is not visible, choose the menu icon to expand the list.

    3. Select the Active tab.

4. The Region and account ID will be in the table. The Last Scanned column shows when AWS Perspective last discovered resources in that Region. If the Last Scanned column is blank, then the discovery process is still running. If it stays this way for more than 30 mins, refer to Appendix E (p. 40) to debug.

Import a new Region

1. Sign in to AWS Perspective. Refer to Log in (p. 18) for the URL.

    2. Under the Configuration category on the left pane, select Accounts & Regions.

    3. If the left pane is not visible, choose the menu icon to expand the list.

4. On the window showing the accounts and Regions currently discoverable to AWS Perspective, select the Import tab.

    5. Under Import a Region, enter the 12-digit account ID.

    6. From the dropdown, select the Region to import into this account.

7. Choose Import.

    There will be two options:


a. If you choose Deploy Template, ensure that you are logged in to the AWS Management Console for the account you are importing and have enabled public object access on the Amplify storage bucket (p. 17). You will be redirected to the AWS CloudFormation console to deploy the stack to import the Region (p. 21).

b. If you choose Save Template, the AWS CloudFormation template (import-region.template) will be downloaded. Follow the procedure to deploy the stack to import the Region (p. 21), beginning at step 1.a.

Deploy the stack to import the Region

1. On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box and choose Next.

    The bucket should reference aws-perspective and the template link key should include: public/cfn/import-templates/regions/.

    If you are not signed in:

    a. Sign in to the AWS CloudFormation console.

    b. Choose Create stack, and then select With new resources (standard).

    c. On the Create stack page, in the Specify template section, select Upload a template file.

d. Choose Choose file and select the region-import.template file that you downloaded earlier, and choose Next.

e. On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, refer to IAM and STS Quotas in the AWS Identity and Access Management User Guide.

2. Under Parameters, review the parameters for this solution template and modify them as necessary. This solution uses the following default values.

Field Name | Default | Description
Stack name | aws-perspective | The name of this AWS CloudFormation stack.
AccountId | Perspective deployment account ID | The account ID of the original AWS Perspective deployment account. Must be left as default.
AggregationRegion | Perspective deployment Region | The Region that AWS Perspective was originally deployed into. Must be left as default.
ConfigAggregator | PerspectiveConfigAggregator | The name of the AWS Config aggregator to be installed in this account.
AlreadyHaveConfigSetup | No | Confirmation of whether the Region already has AWS Config installed. Set to Yes if AWS Config is already installed in this Region.

    3. Choose Next.


4. Check the box acknowledging that AWS CloudFormation might create IAM resources with custom names.

    5. Choose Create stack.

After a few minutes the stack will be created. Your account and Region will then be processed during the next discovery component task execution, after 15 minutes.

    After 30 minutes, follow the steps to Verify data correctly imported from the new account (p. 20).

Set up the cost feature

Use the following procedure to set up the cost feature in AWS Perspective.

Create and schedule the AWS Cost and Usage Report

1. Sign in to the Billing console of the account for which you would like to gather cost data.
2. Under the Cost Management category on the left pane, select Cost & Usage Reports.
3. Choose Create Report.
4. On the Report content page, create a name for your report and check the Include resource IDs box.

Note: You must select the Include resource IDs box to see cost data. This ID is needed to match with the resources discovered by AWS Perspective.

5. Choose Next.
6. On the Delivery options page, choose Configure.
7. Create a new S3 bucket to replicate this data to the AWS Perspective account for processing. Give your S3 bucket a name and choose Next.

Note: If you are setting up cost data for the account you deployed AWS Perspective into, then select the aws-perspective---cost-bucket bucket. There’s no need to create a new one or set up replication (p. 22).

8. Review the policy, check the confirmation box, and choose Save.
9. Provide a Report prefix path that is meaningful to you, for example, aws-perspective-cost-report-.
10. Select Daily for the time granularity and ZIP for the compression type. Choose Next.
11. Choose Review and Complete.

    To see that the report is correctly set up, check the S3 bucket for the test file.

Note: It can take up to 24 hours for the reports to be uploaded to your bucket.

Set up replication

Set up replication into the S3 bucket created during deployment. The S3 bucket name follows the format aws-perspective---cost-bucket. This allows AWS Perspective to process the cost and usage data and map it to the resources it has already discovered.

Note: If you are configuring cost data for the account AWS Perspective is deployed in, then you don’t need to set up replication because the cost data will already be in the correct bucket.

    1. Sign in to the Amazon S3 console.


2. Select the S3 bucket created when configuring your AWS Cost and Usage Report. (Step 7 of Create and schedule the AWS Cost and Usage Report (p. 22).)

    3. Select the Management tab, and then choose Replication.

    4. Choose Add rule.

    5. Leave the default setting of Entire bucket selected, and then choose Next.

    6. Choose Select bucket.

    a. Choose Buckets in another account.

    b. Enter the account ID.

c. Enter the bucket name that was created during deployment of AWS Perspective. Follow the instructions in Appendix A (p. 35) using the logical ID PerspectiveCostBucket and the stack name CostAndUsage to find the actual bucket name.

    d. Choose Save.

    The bucket has versioning enabled. Ignore the warning about versioning that might appear.

    7. Leave the default settings and choose Next.

    a. Under IAM role, choose Create a new role.

    b. Under Rule name, give the rule a descriptive name.

c. Choose Copy. You must paste the S3 bucket policy into the policy for the S3 bucket in the account you are replicating to (the AWS Perspective Cost S3 bucket). This is to give it access to copy objects to it.

    d. Choose Next.

    8. Review the replication rule details and choose Save.

When the reports are in the AWS Perspective account you will start to see cost data appearing on the bounding boxes and individual resources.

    Figure 8: Example of a bounding box with cost data

Edit S3 bucket lifecycle policies

During deployment we configure lifecycle policies on two buckets:

    • PerspectiveCostBucket

    • AccessLogsBucket


Important: These lifecycle policies will delete data from these buckets after 90 days. You can edit the lifecycle (https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-lifecycle.html) to fit any internal policies you have.

For additional information about how to navigate the web UI, refer to Web UI features and common tasks (p. 25).
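The replication step above (pasting the copied bucket policy into the AWS Perspective cost bucket) and the lifecycle retention described in this section are both JSON documents that the S3 API accepts directly, so they can be reviewed and applied as code rather than through the console. The following Python is an added example for this guide, not code from the AWS Perspective project: it produces the destination bucket policy that grants only the billing account's replication role the replicate actions on the cost bucket (the same grant the console's Copy step hands you), the replication rule for the source bucket, and an editable version of the 90-day expiry rule that also expires non-current versions because the cost bucket is versioned. The account IDs, role name and bucket name are placeholders; the real cost bucket name is found as described above (stack CostAndUsage, logical ID PerspectiveCostBucket).

```python
"""Cross-account replication grant and retention rule for the AWS Perspective
cost bucket, as the documents the S3 APIs accept. Added example for this
guide, not code from the AWS Perspective project.
"""
import json

PLACEHOLDER_COST_BUCKET = "aws-perspective-EXAMPLE-cost-bucket"   # placeholder name


def destination_bucket_policy(source_account_id, replication_role_name, dest_bucket):
    """Bucket policy for the cost bucket in the Perspective account.

    The principal is the replication role created in the *billing* account
    (step 7.a above), and the actions are limited to what replication needs,
    so no other identity in the source account gains access. The
    ObjectOwnerOverrideToBucketOwner action is required because the
    replication rule below hands object ownership to the destination account.
    """
    role_arn = f"arn:aws:iam::{source_account_id}:role/service-role/{replication_role_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowReplicationOnObjects",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": ["s3:ReplicateObject", "s3:ReplicateDelete",
                           "s3:ReplicateTags", "s3:ObjectOwnerOverrideToBucketOwner"],
                "Resource": f"arn:aws:s3:::{dest_bucket}/*",
            },
            {
                "Sid": "AllowReplicationOnBucket",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": ["s3:GetBucketVersioning", "s3:PutBucketVersioning"],
                "Resource": f"arn:aws:s3:::{dest_bucket}",
            },
        ],
    }


def replication_configuration(replication_role_arn, dest_account_id, dest_bucket):
    """Rule for put_bucket_replication on the billing account's report bucket:
    entire bucket (the guide keeps the default), owned by the destination."""
    return {
        "Role": replication_role_arn,
        "Rules": [{
            "ID": "ReplicateCostAndUsageReport",
            "Status": "Enabled",
            "Priority": 1,
            "Filter": {"Prefix": ""},
            "DeleteMarkerReplication": {"Status": "Disabled"},
            "Destination": {
                "Bucket": f"arn:aws:s3:::{dest_bucket}",
                "Account": dest_account_id,
                "AccessControlTranslation": {"Owner": "Destination"},
            },
        }],
    }


def lifecycle_configuration(retention_days=90):
    """Expiry rule in the shape put_bucket_lifecycle_configuration takes.
    90 days is what the deployment installs; change it to your own policy.
    Non-current versions are expired on the same schedule because the cost
    bucket has versioning enabled (replication requires it)."""
    if retention_days < 1:
        raise ValueError("retention_days must be at least 1")
    return {"Rules": [{
        "ID": f"expire-after-{retention_days}-days",
        "Status": "Enabled",
        "Filter": {"Prefix": ""},
        "Expiration": {"Days": retention_days},
        "NoncurrentVersionExpiration": {"NoncurrentDays": retention_days},
    }]}


def retention_days(lifecycle):
    """Read the effective expiry back from get_bucket_lifecycle_configuration
    output; None when no enabled rule expires current objects."""
    days = [rule["Expiration"]["Days"] for rule in lifecycle.get("Rules", [])
            if rule.get("Status") == "Enabled" and "Days" in rule.get("Expiration", {})]
    return min(days) if days else None


def as_json(document):
    """Serialise for the CLI, e.g. aws s3api put-bucket-policy --policy file://..."""
    return json.dumps(document, indent=2)
```

Before applying the policy, compare it with the one the console copied for you: the principal must be the single replication role ARN, never the source account root or a wildcard, and the object resource must be scoped to the cost bucket only.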


Web UI features and common tasks

The AWS Perspective solution deploys an AWS Amplify web UI to build architecture diagrams of your services and resources. This section provides details about the features of the web UI and how to navigate it.

Side navigation pane

If the left pane is not visible, choose the menu icon to expand the list of options. The side navigation pane provides the following functionalities.

Main Option | Sub Options | Description
Resources | All | Select resources to visualize. Resources are grouped by service. Select to visualize individual resources.
Resources | Types | Select resources to visualize. Resources are grouped by type. Select to visualize all resources of a particular type, for example, all Lambda functions.
Architecture Diagrams | Manage | Save, load, and delete architecture diagrams.
Actions | Export | Export the architecture diagram in a variety of formats including CSV, JSON, PNG, and draw.io.
Actions | Clear Map | This will remove all resources from the current architecture diagram.
Preferences | Filters | Filters that can be applied to the data. These are persisted to S3 to allow them to be saved across sessions.
Configuration | Accounts & Regions | Users can manage the accounts and Regions that AWS Perspective can discover resources from.
Provide Feedback | Feature Request | Users can provide details of a new feature they would like to see in AWS Perspective.
Provide Feedback | Raise an issue | Users can log an issue that they have encountered on our GitHub repository page (https://github.com/awslabs/aws-perspective).
Icon Key | | Shows a legend of the icons that will be used in the architecture diagrams produced by AWS Perspective.

AWS Perspective architecture diagrams

Architecture diagrams generated by AWS Perspective appear in the main body of the web UI. Each architecture diagram displays the selected resources and the relationships between those resources and related components. AWS Perspective architecture diagrams are interactive: you can drag resources to another position and zoom in or out to produce the architecture diagram to suit your needs.

Build an AWS Perspective architecture diagram

After AWS Perspective is deployed and you have logged in to the web UI, you can start building architecture diagrams. Before you can run this exercise, ensure you have imported the AWS Perspective deployment account and AWS Region as suggested in step 6 of the Log in (p. 18) procedure. Use the following procedure to build an architecture diagram based on a Lambda function.

    1. Under the Resources category on the left pane, select All.

If the left pane is not visible, choose the menu icon to expand the list.

2. Choose Lambda to expand the list of resources directly related to Lambda.

In the AWS Perspective account, there are both environment variables and functions.

3. Choose Function to expand the list of Lambda functions.

4. Choose GremlinFunction. AWS Perspective then builds the architecture diagram.


    Figure 9: AWS Perspective architecture diagram for the GremlinFunction Lambda function

The GremlinFunction Lambda function appears at the center of the AWS Perspective architecture diagram, with a line to each associated resource. The architecture diagram groups the resources by account, Region, Availability Zone, VPC, subnet, and type.

You can zoom in and out. Zooming in to the Environment variables section enables you to view the variables for the GremlinFunction Lambda function.

    To learn more about the Environment variables, access the context menu and select Show Details.

Context menu

Use the context menu to explore AWS Perspective architecture diagrams. Select a resource in the architecture diagram.

Option | Description
Focus | Redraw the visualization to show this resource and its immediate dependencies, removing everything else.
Expand | See additional resource dependencies and redraw the architecture diagram to include the resource dependencies of the selected resource. Reposition the resources or bounding boxes by clicking and dragging them around the screen to a suitable spot.
Remove | Remove this resource from the current visualization.
Show Details | Open a dialog box containing the configuration details for the selected resource.

After choosing a resource grouping (for example, a group of tags), the following options become available.

Option | Description
Collapse All | Collapse the group of resources down to one icon.
Remove All | Remove all the resources in the group.
Clear Map | Remove the architecture diagram and leave a blank canvas.

    The following table shows the options available after choosing an empty section of the canvas.

Option | Description
Clear Map | Remove the architecture diagram and leave a blank canvas.
Fit to View | Reset the viewport on the canvas to bring the contents to the center.


    Resource Details dialog box

    The Resource details dialog box provides the following:

    • High level information about the selected resource.

    • A link to access the resource within the AWS Console, when possible.

    • The data object that we have stored for that resource as JSON.

    The structure and content of the resource details dialog depends on the type of resource being viewed.

Open a key that explains the meaning behind the different types of icons by selecting Icon key on the left pane.

    To view a JSON formatted document holding the data about a resource, choose Show All.

    Below is an example of a Resource details dialog box.

    Figure 10: Resource details box

Note: You can also see a high-level overview of a resource without selecting it. When you hover over a resource, a small detail box appears towards the side of the screen containing some key details about the resource.

Visualize AWS resources by resource type

1. Under the Resources category on the left pane, select Types.

    If the left pane is not visible, click the menu icon to expand the list.

    2. Choose Lambda to expand the list of resources directly related to Lambda.

In the AWS Perspective account, there are both Environment variables and Functions, and they will all load.


3. Choose Function to build an architecture diagram of all Lambda functions discovered across your imported accounts and Regions. The architecture diagram will be grouped by accounts and Regions. Below is an example.

    Figure 11: AWS Perspective architecture diagram of Lambda functions


Note: If resources are not appearing, check to see if you have any filters (p. 31) applied.

Search for resources

The Search bar is useful for quickly finding AWS resources. Imagine that a CloudWatch log file contains the name of an EC2 instance that has terminated and you want to see potentially affected resources. Simply search for the instance ID.

1. Enter your search term into the search bar at the top of the screen. The autocomplete dropdown helps you narrow down the possible matches.

2. Select the resource to visualize from the autocomplete dropdown.

3. After a brief pause, an AWS Perspective architecture diagram builds showing the resource and its related resources.

Export AWS Perspective architecture diagrams

Export an AWS Perspective architecture diagram as CSV

Under the Actions category on the left pane, under Export, select CSV.

    The Export Graph dialog box loads a list of resources that are about to be exported.

1. Enter a file name and change the delimiter, if required.
2. Choose Export and the CSV file downloads to your computer.

Export an AWS Perspective architecture diagram as PNG

1. Under the Actions category on the left pane, under Export, select PNG.
2. Enter a file name.
3. Choose Download to save it to your computer.

Export an AWS Perspective architecture diagram as JSON

1. Under the Actions category on the left pane, under Export, select JSON.
2. Enter a file name.
3. Choose Download to save it to your computer.

Export an AWS Perspective architecture diagram to draw.io

Under the Actions category on the left pane, under Export, select Drawio.

    Drawio opens in a new tab displaying your architecture diagram.

Save an AWS Perspective architecture diagram

You can save architecture diagrams created in AWS Perspective to S3. Saving files allows you to continue editing them later.

    1. Under the Architecture Maps category on the left pane, select Manage.


2. On the You tab, enter a file name and choose Save. Only you will be able to see the saved architecture diagram.

If you would like other users in your deployment of AWS Perspective to have access to the architecture diagram, select the All users tab and save your file.

Download an AWS Perspective architecture diagram

1. Under the Architecture Maps category on the left pane, select Manage.
2. Choose the relevant tab, You or All users. A list of architecture diagrams available to you appears.
3. Choose a diagram and choose Preview to verify the diagram in the preview section.
4. When you are ready to load the diagram, choose Download. The diagram renders in the main canvas for you to start editing.

Filtering in AWS Perspective

There are two ways that you can filter the data in AWS Perspective: by account and Region, and by resource type.

Accounts & Regions filter

These filters allow you to restrict the accounts and Regions you see data from.

1. Under the Preferences category on the left pane, select Filters.
2. Choose the Accounts & Regions tab.
3. Search for the accounts and Regions you want to filter by.
4. Select the checkboxes to set your filter. AWS Perspective only shows resources from the selected accounts and Regions.

Resource Types filter

These filters allow you to restrict particular resource types. For example, you can filter out resources with tags if you don't want to see your tagged resources.

1. Under the Preferences category on the left pane, select Filters.
2. Choose the Resource Types tab.
3. Search for the resource types you want to filter by.
4. Select the checkboxes to set your filter. AWS Perspective will not show the resource types applied in your filter.

Filter notifications

A simple notification bubble under the Preferences category on the left pane, next to Filters, shows the number of filters currently in action.


Security

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared model reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit the AWS Security Center. AWS Perspective has been architected and configured to be secure, following these best practices for the solution and its component parts:

• Access is configured to grant least privilege and scoped down to only required resources where possible.

• Data at rest and in transit is encrypted using keys stored in AWS Key Management Service (AWS KMS), a dedicated key management store.

• When credentials are used, they are short-lived and implement a strong password policy.
• Logging, tracing, and versioning are enabled where applicable.
• Automatic patching (minor-version) and snapshot creation are enabled where applicable.
• Network access is private by default, with Amazon Virtual Private Cloud (Amazon VPC) endpoints enabled where available.

Resource Access

IAM roles

AWS Identity and Access Management (IAM) roles enable customers to assign granular access policies and permissions to services and users on the AWS Cloud. Multiple roles are required to run AWS Perspective and discover resources in AWS accounts. Refer to Appendix D (p. 39) for details.

Amazon Cognito

Amazon Cognito is additionally used to authenticate access with short-lived strong credentials granting access to components needed by AWS Perspective.

Network Access

Amazon Virtual Private Cloud (Amazon VPC)

AWS Perspective is deployed within an Amazon VPC and configured according to best practices to deliver security and high availability. For additional details, refer to Security best practices for your VPC (https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-best-practices.html). VPC endpoints allow non-internet transit between services and are configured where available.

Security groups are used to control and isolate network traffic between the components needed to run AWS Perspective.

We recommend that you review the security groups and further restrict access as needed once the deployment is up and running.


Amazon CloudFront

This solution deploys a web console hosted in an Amazon Simple Storage Service (Amazon S3) bucket which is distributed by Amazon CloudFront. The contents of this Amazon S3 bucket are accessible only via CloudFront. This is enabled using the Origin Access Identity feature. For more information, refer to Restricting Access to Amazon S3 Content by Using an Origin Access Identity (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) in the Amazon CloudFront Developer Guide.

Additional security mitigations are enabled with Lambda@Edge appending HTTP security headers to each origin request. For additional details, refer to Adding HTTP Security Headers Using Lambda@Edge and Amazon CloudFront (http://aws.amazon.com/blogs/networking-and-content-delivery/adding-http-security-headers-using-lambdaedge-and-amazon-cloudfront/). This solution uses the default CloudFront certificate, which supports TLS v1.0 only. To use TLS v1.1 or TLS v1.2, you must use a custom SSL certificate instead of the default CloudFront certificate. For more information, refer to How do I configure my CloudFront distribution to use an SSL/TLS certificate (http://aws.amazon.com/premiumsupport/knowledge-center/install-ssl-cloudfront/).
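The header-injection step described above, shown as an added example rather than the solution's own Lambda@Edge code: an origin-response trigger (the trigger type used in the linked blog post) that sets a fixed group of security headers on every object CloudFront returns from the S3 origin. The header names and values are assumptions chosen for a static web console, not values taken from the AWS Perspective deployment.

```javascript
'use strict';

// Added example: Lambda@Edge origin-response handler that appends HTTP
// security headers before CloudFront caches and returns the object.
// Header values are assumptions for a static web console, not the values
// used by the AWS Perspective deployment itself.
const SECURITY_HEADERS = {
  'strict-transport-security': { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubdomains; preload' },
  'content-security-policy': { key: 'Content-Security-Policy', value: "default-src 'self'; object-src 'none'; frame-ancestors 'none'" },
  'x-content-type-options': { key: 'X-Content-Type-Options', value: 'nosniff' },
  'x-frame-options': { key: 'X-Frame-Options', value: 'DENY' },
  'x-xss-protection': { key: 'X-XSS-Protection', value: '1; mode=block' },
  'referrer-policy': { key: 'Referrer-Policy', value: 'same-origin' },
};

// CloudFront represents headers as { 'lower-case-name': [{ key, value }, ...] }.
// Existing values for these names are overwritten, so the policy set here
// wins even if the origin already emitted a weaker header.
function addSecurityHeaders(headers) {
  for (const [name, header] of Object.entries(SECURITY_HEADERS)) {
    headers[name] = [{ key: header.key, value: header.value }];
  }
  return headers;
}

// Pull the response out of a CloudFront origin-response event, add the
// headers and hand the response back. Kept synchronous so it can be
// exercised directly without the Lambda runtime.
function applyToEvent(event) {
  const response = event.Records[0].cf.response;
  response.headers = addSecurityHeaders(response.headers || {});
  return response;
}

// Lambda@Edge entry point: return the modified response to CloudFront.
async function handler(event) {
  return applyToEvent(event);
}

// Constructed sample origin-response event, shaped like the one CloudFront
// passes to a Lambda@Edge function (only the fields used here are filled in).
function sampleEvent() {
  return {
    Records: [{
      cf: {
        config: { eventType: 'origin-response' },
        response: {
          status: '200',
          statusDescription: 'OK',
          headers: {
            'content-type': [{ key: 'Content-Type', value: 'text/html' }],
            // A weaker header from the origin that the function overrides.
            'x-frame-options': [{ key: 'X-Frame-Options', value: 'SAMEORIGIN' }],
          },
        },
      },
    }],
  };
}

if (typeof module !== 'undefined') {
  module.exports = { handler, addSecurityHeaders, applyToEvent, sampleEvent, SECURITY_HEADERS };
}
```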

Application Configuration

Amazon API Gateway

AWS Perspective APIs have basic request validation enabled (https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-method-request-validation.html), with deeper input validation implemented within integrations, including AWS Lambda. Furthermore, authentication and authorization are implemented using IAM and Cognito, which make use of the JSON Web Token (JWT) provided by Cognito when a user authenticates successfully in the web UI.

AWS Lambda

By default, the Lambda functions are configured with the most recent stable version of the language runtime. No sensitive data or secrets are logged. Service interactions are carried out with the least required privilege. Roles that define these privileges are not shared between functions. Furthermore, sensitive environment variables (https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html) are stored as secure parameters in a dedicated vault.

Amazon Elasticsearch Service (Amazon ES)

Amazon ES domains are configured with an access policy (https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/security.html) that restricts access in order to stop any unsigned requests made to the Amazon ES cluster. This access is restricted to a single Lambda function.

The Amazon ES cluster is built with node-to-node encryption enabled to add an extra layer of data protection on top of the existing Amazon ES security features.


Additional resources

AWS services

• Amazon API Gateway
• Amazon CloudFront
• Amazon CloudWatch
• Amazon Cognito
• Amazon DynamoDB
• Amazon Elastic Container Registry
• Amazon Elastic Container Service
• Amazon Elasticsearch Service
• Amazon Neptune
• Amazon Simple Notification Service
• Amazon S3
• Amazon Virtual Private Cloud
• AWS AppSync
• AWS CloudFormation
• AWS CodePipeline
• AWS CodeBuild
• AWS Config
• AWS Fargate
• IAM
• AWS Lambda
• AWS SDK for Java
• AWS Systems Manager

    AWS API

• describeVpcEndpoints
• describeSpotFleetRequests
• describeSpotInstanceRequests
• describeDBClusters
• getAccountAuthorizationDetails
• describeTaskDefinition
• describe-tasks
• describe-services
• list-clusters

    AWS SDK for JavaScript

    • get-rest-apis


Appendix A: Locating deployment resources

You may need to locate resources that AWS Perspective deployed into your account. Follow these steps to locate the resources you need.

1. Sign in to the AWS CloudFormation console (https://console.aws.amazon.com/cloudformation/).
2. Select the Region you deployed AWS Perspective in.

Depending on the usage of this account, it may contain multiple stacks for different workloads. AWS Perspective will create a main stack called aws-perspective-- and multiple nested stacks beneath it, all prefixed with aws-perspective.

3. Select each stack to access the resources deployed using that template.
4. Select the Resources tab and choose the Physical ID link for the relevant resource to view the resource in its respective service console.

    If you know the Logical ID of a resource, you can also use search.


Appendix B: Supported resources

The following table contains the supported resources that AWS Perspective discovers. Details are provided in the corresponding AWS documentation listing. Select the link and search for the specific resource type.

Resource Type                              Source       Description
AWS::IAM::Policy                           AWS Config   AWS Config docs
AWS::IAM::User                             AWS Config   AWS Config docs
AWS::IAM::Role                             AWS Config   AWS Config docs
AWS::IAM::Role_In_Line_Policy              AWS Config   AWS Config docs
AWS::IAM::CustomerManagedPolicyStatement   AWS Config   AWS Config docs
AWS::EC2::VPC                              AWS Config   AWS Config docs
AWS::EC2::Instance                         AWS Config   AWS Config docs
AWS::EC2::Volume                           AWS Config   AWS Config docs
AWS::RDS::DBInstance                       AWS Config   AWS Config docs
AWS::EC2::NetworkInterface                 AWS Config   AWS Config docs
AWS::Lambda::Function                      AWS Config   AWS Config docs
AWS::S3::Bucket                            AWS Config   AWS Config docs
AWS::DynamoDB::Table                       AWS Config   AWS Config docs
AWS::CloudFormation::Stack                 AWS Config   AWS Config docs
AWS::CloudWatch::Alarm                     AWS Config   AWS Config docs
AWS::EC2::SecurityGroup                    AWS Config   AWS Config docs
AWS::EC2::EIP                              AWS Config   AWS Config docs
AWS::ElasticLoadBalancing::LoadBalancer    AWS Config   AWS Config docs
AWS::ElasticLoadBalancingV2::LoadBalancer  AWS Config   AWS Config docs
AWS::AutoScaling::AutoScalingGroup         AWS Config   AWS Config docs
AWS::EC2::NatGateway                       AWS Config   AWS Config docs
AWS::Elasticsearch::Domain                 AWS Config   AWS Config docs
AWS::KMS::Key                              AWS Config   AWS Config docs
AWS::CodeBuild::Project                    AWS Config   AWS Config docs
AWS::CodePipeline::Pipeline                AWS Config   AWS Config docs
AWS::QLDB::Ledger                          AWS Config   AWS Config docs
AWS::ApiGateway::RestApi                   SDK          get-rest-apis
AWS::ApiGateway::Resource                  SDK          get-rest-apis
AWS::ApiGateway::Method                    SDK          get-rest-apis
AWS::ECS::Cluster                          SDK          list-clusters
AWS::ECS::Service                          SDK          describe-services
AWS::ECS::Task                             SDK          describe-tasks
AWS::ECS::TaskDefinition                   SDK          describeTaskDefinition
AWS::IAM::AWSManagedPolicy                 SDK          getAccountAuthorizationDetails
AWS::RDS::DBCluster                        SDK          describeDBClusters
AWS::EC2::Spot                             SDK          describeSpotInstanceRequests
AWS::EC2::SpotFleet                        SDK          describeSpotFleetRequests
AWS::ECS::EnvironmentVariable              SDK          describeTaskDefinition
AWS::VPC::Endpoint                         SDK          describeVpcEndpoints

AWS Config docs: https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html


Appendix C: Supported deployment Regions

    The following table lists the supported AWS Regions for AWS Perspective.

Region ID        Region Name
us-east-1        US East (N. Virginia)
us-east-2        US East (Ohio)
us-west-2        US West (Oregon)
ap-south-1       Asia Pacific (Mumbai)
ap-northeast-2   Asia Pacific (Seoul)
ap-southeast-1   Asia Pacific (Singapore)
ap-southeast-2   Asia Pacific (Sydney)
ap-northeast-1   Asia Pacific (Tokyo)
ca-central-1     Canada (Central)
eu-west-2        Europe (London)
eu-central-1     Europe (Frankfurt)
eu-west-1        Europe (Ireland)


Appendix D: IAM roles

The following table lists all the Identity and Access Management (IAM) roles employed by AWS Perspective.

    IAM role name

    aws-perspective--APIGatewayCloudWatchLogs-*

    aws-perspective--AuthPerspectiveRole-*

    aws-perspective--CleanupBucketFunctionRol-*

    aws-perspective--CleanupRepositoryFunctio-*

    aws-perspective--CodePipelineRole-*

    aws-perspective--CodeBuildRole-*

    aws-perspective--ConfigRole-*

    aws-perspective--DrawIOExportFunctionRole-*

    aws-perspective--EcsTaskExecutionRole-*

    aws-perspective--FlowLogRole-*

    aws-perspective--LambdaEdgeFunctionRole-*

    aws-perspective--LambdaFunctionRole-*

    aws-perspective--NeptuneRole-*

    aws-perspective--PerspectiveCostRole-*

    aws-perspective--PerspectiveDiscoveryServ-*

    aws-perspective--RegionalEdgeLambdaFuncti-*

    aws-perspective--SearchLambdaRole-*

    aws-perspective--ServerAPIGatewayCloudWat-*

    aws-perspective-ApiGatewayCloudWatchRole-*

    aws-perspective-CleanupBucketFunctionRole-*

    aws-perspective-LambdaExecutionRole-*

    aws-perspective-PerspectiveDiscoveryRole-*

    AWSServiceRoleForAmazonElasticsearchService


Appendix E: Debugging the discovery component

If you have imported an account and Region that does not start showing resources within the AWS Perspective UI, then you can check a couple of items to ensure you have everything set up.

1. Check that you have deployed the CloudFormation template in the Region of the account you are importing and that it created successfully. Ensure you have followed the steps for importing an account (p. 19) or importing a Region (p. 21).

2. Double check that the account ID you have imported is correct. Follow the steps in verify the data imported correctly from the new account (p. 20) to verify the import details.

3. If you are still not seeing resources appear, then there could be a problem with the discovery component. You can check this by following these steps:
   a. Sign in to the AWS Management Console (http://console.aws.amazon.com/) in the account you deployed AWS Perspective in.
   b. Choose Services.
   c. From the collection of services, choose Lambda.
   d. Search for GremlinFunction and select it.
   e. Choose the Monitoring tab.
   f. Choose View logs in CloudWatch.
   g. In the Log streams section, select the latest log file link in the table (usually the top entry). This opens up the log file.
   h. Search for "400" or "500".

This searches for HTTP 400 or 500 error codes in the log file. If it returns any entries, then there is a problem in the discovery component. Raise an issue on our GitHub repository (https://github.com/awslabs/aws-perspective/issues) to request assistance from AWS. Select create an issue and follow the prompts.
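A scripted form of step h, added here as an example that is not part of the guide: it flags HTTP 400- and 500-class status codes in exported log lines while ignoring a bare "400" that is really a resource count or a latency. The log lines are constructed for the example; the real GremlinFunction log format is not assumed, so the status-code patterns are the assumption to adjust.

```javascript
'use strict';

// Added example: flag HTTP 4xx/5xx status codes in discovery-component log
// lines. A plain text search for "400" or "500" also hits resource counts,
// latencies and timestamps, so the match is anchored to words that usually
// precede a status code ("HTTP", "status", "status code", "statusCode").
// The patterns are an assumption, not the GremlinFunction log format.
const STATUS_RE = /\b(?:HTTP|status(?:\s*code)?|statusCode)\s*[:=]?\s*(\d{3})\b/gi;

// Return the 400-599 status codes found in one line, in order of appearance.
function errorStatusCodes(line) {
  const codes = [];
  for (const m of line.matchAll(STATUS_RE)) {
    const code = Number(m[1]);
    if (code >= 400 && code <= 599) codes.push(code);
  }
  return codes;
}

// Scan a list of log lines and return one finding per error status seen,
// with the 1-based line number so it can be located in the CloudWatch stream.
function scanLogLines(lines) {
  const findings = [];
  lines.forEach((line, index) => {
    for (const code of errorStatusCodes(line)) {
      findings.push({ lineNumber: index + 1, code, line });
    }
  });
  return findings;
}

// Constructed sample lines. Lines 1 and 5 contain "400" but are not errors,
// line 4 carries a status code that is not an error.
const SAMPLE_LOG_LINES = [
  '2020-09-10T12:00:01.123Z 6f1c INFO discovered 400 resources in us-east-1',
  '2020-09-10T12:00:02.456Z 6f1c ERROR Neptune request failed, status 500 Internal Server Error',
  '2020-09-10T12:00:03.789Z 6f1c WARN gremlin query rejected: HTTP 400 Bad Request',
  '2020-09-10T12:00:04.000Z 6f1c INFO Elasticsearch bulk index returned statusCode=200',
  '2020-09-10T12:00:05.500Z 6f1c INFO batch took 400 ms',
];

if (typeof module !== 'undefined') {
  module.exports = { errorStatusCodes, scanLogLines, SAMPLE_LOG_LINES };
}
```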


Appendix F: Uninstall the solution

To uninstall the AWS Perspective solution, use the AWS Management Console or the AWS Command Line Interface (AWS CLI).

Using the AWS Management Console

1. Sign in to the AWS CloudFormation console.
2. Select the stack with the name provided during deployment.
3. Choose Delete stack.
4. Select this solution's installation stack: aws-perspective--.
5. Choose Delete.
6. Choose Edit termination protection, select Disabled, and choose Save.
7. Select the aws-perspective stack and choose Delete.

Using AWS Command Line Interface

Determine whether the AWS Command Line Interface (AWS CLI) is available in your environment. For installation instructions, see What Is the AWS Command Line Interface (https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html) in the AWS CLI User Guide. After confirming that the AWS CLI is available, run the following commands.

$ aws cloudformation delete-stack --stack-name aws-perspective--
$ aws cloudformation delete-stack --stack-name


Appendix G: Collection of operational metrics

This solution includes an option to send anonymous operational metrics to AWS. We use this data to better understand how customers use this solution and related services and products. When enabled, the following information is collected and sent to AWS:

• Solution ID: SO0075 SO0075a SO0075b SO0075c
• Unique ID (UUID): Randomly generated, unique identifier for each AWS Perspective deployment
• Timestamp: Data-collection timestamp
• Login Attempts: Increments on each log in and is sent back anonymously
• Instance Data: Count of the state and type of instances that are managed by the EC2 Scheduler in each AWS Region

    Example data:

Running: {t2.micro: 2}, {m3.large:2}
Stopped: {t2.large: 1}, {m3.xlarge:3}

AWS owns the data gathered through this survey. Data collection is subject to the AWS Privacy Policy (http://aws.amazon.com/privacy/). To opt out of this feature, ensure that you deploy the aws-perspective.template with the OptOutOfSendingAnonymousUsageMetrics parameter set to 'Yes' and complete the following task.

    Modify the AWS CloudFormation template mapping section as follows:

"Send" : { "AnonymousUsage" : { "Data" : "Yes" }},

    to

"Send" : { "AnonymousUsage" : { "Data" : "No" }},


Source code

Visit the AWS Perspective GitHub repository (https://github.com/awslabs/aws-perspective) to download the templates and scripts for this solution, and to share your customizations with others.


Contributors

The following individuals contributed to this document:

• Mohsan Jaffery
• Matthew Ball
• Stefano Vozza


Revisions

Date             Change
September 2020   Initial release
September 2020   Bug fixes for version 1.0.1. For more information, refer to the CHANGELOG.md file in the GitHub repository (https://github.com/awslabs/aws-perspective/blob/master/CHANGELOG.md)


Notices

Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current AWS product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from AWS and its affiliates, suppliers or licensors. AWS products or services are provided "as is" without warranties, representations, or conditions of any kind, whether express or implied. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The AWS Perspective solution is licensed under the terms of the Apache License Version 2.0, available from The Apache Software Foundation (https://www.apache.org/licenses/LICENSE-2.0).
