Metadata collection allows Kentik to discover your AWS infrastructure (VPCs, Subnets, Gateways) and visualize your network topology on the Kentik Map. This guide covers how to select and configure an IAM architecture that enables Kentik to access your AWS metadata.
When Should I Use Metadata Collection Only?
Topology Only: You want to see your network inventory and hierarchy without ingesting traffic logs.
Split Architecture: Your flow logs are centralized in a "Log Archive" account, but you need to gather metadata from the various "Member" accounts where the resources actually live.
IAM Architecture: Standard vs. Nested
To authorize Kentik to fetch your AWS metadata, you must configure IAM roles. Choose the strategy that matches your AWS environment.
Feature | Standard | Nested
|---|---|---|
Connection | Kentik connects to every account directly. | Kentik connects to one "Primary" account.
Trust Mechanism | Individual Trust Policy per account. | Primary Role "assumes" Secondary Roles.
Best For | Small environments or single accounts. | Large Orgs, Control Tower, or MSPs.

A nested structure in which account A is primary and accounts B and C are secondary.
Standard Configuration
For a standard AWS metadata collection setup, repeat these steps for every account you want Kentik to monitor.
Create Policy
Create a JSON policy in the AWS account using the permissions required for metadata (EC2 describe, CloudWatch, etc.).
To set up an AWS account policy for metadata export to Kentik:
Log into the AWS account you want to monitor.
Navigate to IAM » Policies and click Create policy.
Select the JSON tab.
Replace the editor’s content with the required metadata permissions.
Note: You can use the exact same JSON block as the Secondary Policy JSON here, as it contains the necessary ec2:Describe*, cloudwatch:ListMetrics, and s3:Get* actions.
Click Next.
Provide a name and description for the new policy under Policy details.
Click Create policy to save and exit.
Create IAM Role
To create the role that Kentik will assume:
Navigate to IAM » Roles and click Create role.
Select Custom trust policy.
Replace the editor content with a trust policy that sets the Principal to Kentik's AWS account, arn:aws:iam::834693425129:root (see JSON directly below).
CRITICAL: In the Condition block for sts:ExternalId, replace the placeholder with your Kentik Company ID (found in the portal under Settings » Licenses).
Click Next.
Standard Role Trust Policy JSON
The following JSON assigns a trust policy to the role, enabling access by Kentik's AWS account. The Condition block carries two guards: sts:ExternalId ties the trust to your Kentik company, which is the standard protection against the confused-deputy problem when one vendor assumes roles in many customers' accounts, and aws:PrincipalArn narrows the trust from every principal in Kentik's account to its eks-ingest-node role.
IMPORTANT: In the sts:ExternalId field, you must replace <your_Company_ID> with your specific Kentik company ID, which is the "Account #" on the portal's Licenses page (Settings » Licenses).
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "KentikTrust",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::834693425129:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<your_Company_ID>"
},
"ArnEquals": {
"aws:PrincipalArn": "arn:aws:iam::834693425129:role/eks-ingest-node"
}
}
}
]
}
Attach Policy
To link your permissions to the new role:
On the Add permissions screen, search for and select the policy you created in the first section.
Click Next.
Enter a role name and description.
Click Create role to save and return to the Roles page.
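To see what the two conditions in the trust policy actually enforce, here is an added example (not Kentik's or AWS's code) that models how STS evaluates this trust policy for an sts:AssumeRole call. It implements only the policy features the page uses: an account-root AWS principal, StringEquals on sts:ExternalId and ArnEquals on aws:PrincipalArn. The Kentik account ID and role ARN are the ones from the page; the company ID 12345 and the extra caller ARNs are constructed for the demo. A small audit function also flags a trust policy that is missing either guard or still carries the placeholder.

```python
"""Model how STS evaluates the standard trust policy from this page.

Added example, not Kentik's or AWS's code. Only the policy features used on
this page are modelled: an account-root "AWS" principal, StringEquals on
sts:ExternalId and ArnEquals on aws:PrincipalArn. The Kentik account and
role ARN are the page's; the company ID and extra callers are constructed.
"""
import fnmatch
from typing import List, Optional

KENTIK_ACCOUNT = "834693425129"
KENTIK_INGEST_ROLE = f"arn:aws:iam::{KENTIK_ACCOUNT}:role/eks-ingest-node"


def kentik_trust_policy(company_id: str) -> dict:
    """Standard Role Trust Policy JSON with the ExternalId placeholder filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "KentikTrust",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{KENTIK_ACCOUNT}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"sts:ExternalId": company_id},
                "ArnEquals": {"aws:PrincipalArn": KENTIK_INGEST_ROLE},
            },
        }],
    }


def account_of(arn: str) -> str:
    """ARN layout is arn:partition:service:region:account-id:resource."""
    return arn.split(":")[4]


def principal_matches(principal, caller_arn: str) -> bool:
    """An account-root principal covers every IAM principal in that account; a
    role ARN covers only that role. caller_arn is the IAM role ARN, which is
    what aws:PrincipalArn holds for a role session."""
    if principal == "*":
        return True
    allowed = principal.get("AWS", [])
    for entry in [allowed] if isinstance(allowed, str) else allowed:
        if entry in ("*", caller_arn):
            return True
        if entry.endswith(":root") and account_of(entry) == account_of(caller_arn):
            return True
    return False


def conditions_hold(condition: dict, context: dict) -> bool:
    """Every key in every operator block must match (AND). A key absent from
    the request context never satisfies StringEquals/ArnEquals, so an
    AssumeRole call that omits the ExternalId is refused."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual == expected
            elif operator in ("ArnEquals", "ArnLike"):
                # AWS evaluates both operators identically, with * and ? wildcards.
                ok = fnmatch.fnmatchcase(actual, expected)
            else:
                raise NotImplementedError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def can_assume(trust_policy: dict, caller_arn: str, external_id: Optional[str] = None) -> bool:
    """True if caller_arn may call sts:AssumeRole on a role with this trust policy."""
    context = {"aws:PrincipalArn": caller_arn}
    if external_id is not None:
        context["sts:ExternalId"] = external_id
    allowed = False
    for stmt in trust_policy["Statement"]:
        actions = stmt["Action"]
        if "sts:AssumeRole" not in ([actions] if isinstance(actions, str) else actions):
            continue
        if not principal_matches(stmt["Principal"], caller_arn):
            continue
        if not conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny wins over any Allow
        allowed = True
    return allowed


def audit_trust_policy(trust_policy: dict) -> List[str]:
    """Flag Allow statements lacking either guard the page's JSON relies on."""
    findings = []
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        cond = stmt.get("Condition", {})
        ext = cond.get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"{sid}: no sts:ExternalId condition (confused-deputy risk)")
        elif ext.startswith("<"):
            findings.append(f"{sid}: sts:ExternalId is still the placeholder {ext}")
        if "aws:PrincipalArn" not in {**cond.get("ArnEquals", {}), **cond.get("ArnLike", {})}:
            findings.append(f"{sid}: no aws:PrincipalArn condition; any principal in the trusted account qualifies")
    return findings


if __name__ == "__main__":
    policy = kentik_trust_policy("12345")  # constructed company ID
    print("ingest role, right ExternalId:", can_assume(policy, KENTIK_INGEST_ROLE, "12345"))
    print("ingest role, wrong ExternalId:", can_assume(policy, KENTIK_INGEST_ROLE, "99999"))
    print("ingest role, no ExternalId:   ", can_assume(policy, KENTIK_INGEST_ROLE))
    print("other role in Kentik account: ", can_assume(policy, f"arn:aws:iam::{KENTIK_ACCOUNT}:role/other", "12345"))
    print("audit of unedited template:", audit_trust_policy(kentik_trust_policy("<your_Company_ID>")))
```

Run it and only the first call returns True: a wrong or missing ExternalId fails the StringEquals check even though the caller is the right Kentik role, and any other role in Kentik's account fails the ArnEquals check even with the right ExternalId. The audit is handy as a pre-commit check on trust policies kept in source control, since a trust policy with the placeholder left in or the Condition block deleted is the most common way this setup ends up over-permissive.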
Nested Configuration
For a nested AWS metadata collection setup, you configure one "hub" (primary) account and multiple "spoke" (secondary) accounts. Kentik assumes a role in the primary account only; that role then assumes a role in each secondary account.
Provision the Hub Account
Create a Primary Policy
To set up a primary AWS account policy for metadata export to Kentik:
Log into the AWS account designated as the primary for metadata export.
Navigate to IAM » Policies and click Create policy.
Select the JSON tab.
Replace the editor’s content with the JSON specified in Primary Policy JSON.
Click Next and confirm that the policy summary lists sts:AssumeRole as an allowed action.
Provide a name and description for the new policy under Policy details.
Click Create policy to save and exit.
Primary Policy JSON
The following JSON defines the permissions policy for the primary role: it lets the role assume the secondary roles and list the accounts in your organization. The sts:AssumeRole statement uses Resource "*" so it works before the secondary roles exist; once they do, you can list their ARNs as the Resource so the primary role can assume only those roles and nothing else.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AssumeSecondaryRoles",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "*"
},
{
"Sid": "OrgListing",
"Effect": "Allow",
"Action": [
"organizations:ListAccounts"
],
"Resource": "*"
}
]
}
Create a Primary Role
To assign the created policy to a role in the primary AWS account:
Navigate to IAM » Roles and click Create role.
Select Custom trust policy.
Replace editor content with the Primary Role JSON.
CRITICAL: You must replace the sts:ExternalId placeholder with your specific Kentik company ID (found in the portal under Settings » Licenses).
Click Next. Find and select your policy and click Next.
Enter a role name and description.
Click Create role to save and return to the Roles page.
Primary Role JSON
The following JSON assigns a trust policy to a role in the primary account, enabling access by Kentik's AWS account. In the sts:ExternalId field, use your Kentik company ID which is the "Account #" on the portal's Licenses page (Settings » Licenses).
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "KentikTrust",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::834693425129:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<your Company or External ID here>"
},
"ArnEquals": {
"aws:PrincipalArn": "arn:aws:iam::834693425129:role/eks-ingest-node"
}
}
}
]
}
IMPORTANT: If you prefer to use a 16-digit randomized string as your ExternalId instead of your Kentik Company ID, email Kentik support at support@kentik.com. For more on ExternalId, see Automated Configuration Options.
Provision the Spoke Accounts
Create Secondary Policies
To provision secondary AWS accounts to enable access to their metadata by the primary account:
Log into the AWS console for the secondary account.
Go to the Policy editor page.
Replace editor content with the Secondary Policy JSON.
Click Next, then enter a name and description for the new policy.
Click Create policy to save and return to the Policies page.
Repeat for each secondary account.
Secondary Policy JSON
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricStatistics",
"cloudwatch:GetMetricData",
"organizations:ListAccounts",
"cloudwatch:Describe*",
"directconnect:List*",
"directconnect:Describe*",
"ec2:Describe*",
"ec2:Search*",
"ec2:GetManagedPrefixListEntries",
"elasticloadbalancing:Describe*",
"iam:ListAccountAliases",
"network-firewall:Describe*",
"network-firewall:List*",
"networkmanager:ListCoreNetworks",
"networkmanager:GetCoreNetwork",
"networkmanager:GetCoreNetworkPolicy",
"networkmanager:ListAttachments",
"networkmanager:GetNetworkRoutes"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::YOUR_S3_BUCKET_NAME",
"arn:aws:s3:::YOUR_S3_BUCKET_NAME/*"
]
}
]
}
Create Secondary Roles
To create a role in each secondary AWS account and assign the policy to the role:
Log into the AWS console for the secondary account.
Go to the Select trusted entity page.
Choose Custom trust policy.
Replace editor content with the Secondary Role JSON.
CRITICAL: Replace primary_account_id with the 12-digit account ID of the primary account.
Assign the created policy to the new role, enter a name and description, and click Create role.
Repeat for each secondary account.
Secondary Role JSON
The following JSON is the trust policy for the role in each secondary AWS account; it allows principals in the primary account to assume the role. The Condition block is empty because both sides of this hop are accounts you own, so no ExternalId is involved; the ExternalId and PrincipalArn guards belong on the Kentik-facing primary role.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::primary_account_id:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
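With many spoke accounts it is easy to end up with a secondary role whose trust policy names the wrong primary account, or a primary policy that can reach roles nobody created. The following added example (not Kentik's tooling) generates the hub/spoke documents from a list of account IDs and cross-checks both halves of every hop. The document shapes follow the Primary Policy JSON and Secondary Role JSON above, with one deliberate tightening: the primary's sts:AssumeRole Resource lists the secondary role ARNs instead of "*". The account IDs 111111111111, 222222222222 and 333333333333 and the role name KentikMetadataSecondary are constructed placeholders.

```python
"""Generate and cross-check the hub/spoke IAM documents for the nested setup.

Added example, not Kentik's tooling. Account IDs and the role name are
constructed placeholders. Shapes follow the page's Primary Policy JSON and
Secondary Role JSON, except that the primary's sts:AssumeRole Resource is
narrowed from "*" to the secondary role ARNs.
"""
import json
import re
from typing import List

ACCOUNT_ID = re.compile(r"^\d{12}$")


def role_arn(account_id: str, role_name: str) -> str:
    if not ACCOUNT_ID.match(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def primary_permissions_policy(secondary_role_arns: List[str]) -> dict:
    """Primary Policy JSON, with Resource listing exactly the roles the hub may assume."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AssumeSecondaryRoles", "Effect": "Allow",
             "Action": "sts:AssumeRole", "Resource": sorted(secondary_role_arns)},
            {"Sid": "OrgListing", "Effect": "Allow",
             "Action": ["organizations:ListAccounts"], "Resource": "*"},
        ],
    }


def secondary_role_trust_policy(primary_account_id: str) -> dict:
    """Secondary Role JSON: trusts the primary account. No ExternalId here because
    both ends of this hop are yours; the confused-deputy guard sits on the
    Kentik-facing primary role."""
    if not ACCOUNT_ID.match(primary_account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {primary_account_id!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{primary_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {},
        }],
    }


def build_nested_config(primary_account_id: str, secondary_account_ids: List[str], role_name: str) -> dict:
    """One primary permissions policy plus one trust policy per spoke account."""
    arns = [role_arn(acct, role_name) for acct in secondary_account_ids]
    return {
        "primary_account": primary_account_id,
        "primary_permissions": primary_permissions_policy(arns),
        "secondaries": {acct: secondary_role_trust_policy(primary_account_id)
                        for acct in secondary_account_ids},
    }


def check_chain(config: dict) -> List[str]:
    """Cross-check each hop: the hub must be allowed to call sts:AssumeRole on a
    role in every spoke, and every spoke's trust policy must name the hub
    account. Returns findings; an empty list means the chain is consistent."""
    findings = []
    primary = config["primary_account"]
    stmt = next(s for s in config["primary_permissions"]["Statement"] if s["Sid"] == "AssumeSecondaryRoles")
    resources = stmt["Resource"]
    resources = [resources] if isinstance(resources, str) else resources
    if "*" in resources:
        findings.append("primary: sts:AssumeRole Resource is '*'; list the secondary role ARNs instead")
    targeted = {r.split(":")[4] for r in resources if r != "*"}
    expected_principal = f"arn:aws:iam::{primary}:root"
    for acct, trust in config["secondaries"].items():
        principals = []
        for s in trust["Statement"]:
            if s["Effect"] == "Allow":
                p = s["Principal"]
                principals.append(p.get("AWS") if isinstance(p, dict) else p)
        if expected_principal not in principals:
            findings.append(f"{acct}: trust policy does not name the primary account {primary}")
        if acct not in targeted and "*" not in resources:
            findings.append(f"{acct}: primary role is not allowed to assume a role in this account")
    for acct in sorted(targeted - set(config["secondaries"])):
        findings.append(f"{acct}: primary may assume a role here but no secondary trust policy exists")
    return findings


if __name__ == "__main__":
    cfg = build_nested_config("111111111111", ["222222222222", "333333333333"], "KentikMetadataSecondary")
    for acct, trust in cfg["secondaries"].items():
        print(f"--- trust policy for secondary account {acct}")
        print(json.dumps(trust, indent=2))
    print("--- primary permissions policy")
    print(json.dumps(cfg["primary_permissions"], indent=2))
    print("findings:", check_chain(cfg))
```

Feed the printed documents into the console steps above (or your IaC of choice) and keep check_chain in CI: swapping one spoke's trust policy to a different primary account, or adding an account to the organization without creating its secondary role, shows up as a finding before Kentik's metadata collection silently drops that account.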