MAN-04 Supply Chain Management: Cloud Dependencies
Manual for cloud dependency configuration management using Ketryx Software Supply Chain Management
1. Introduction
Ketryx Software Supply Chain Configuration Management automatically keeps track of the user’s cloud infrastructure by storing, tracking, and grouping the configuration of their cloud instances and resources.
For traceability, Ketryx keeps the history of recorded cloud configuration data for each version release and provides automatic generation of cloud configuration report documents for later reference.
Ketryx currently supports AWS with AWS Config enabled. Other platforms, such as Google Cloud, Azure, etc., may be supported in the future.
2. Terms and definitions
The definitions of this document conform to the ones of ISO/IEC 62304.
3. AWS support
For each AWS resource, Ketryx will track the following data:
Resource type
Resource ID
Creation timestamp
Snapshot timestamp
Matched environment (as defined by the Ketryx AWS cloud configuration settings)
Raw JSON configuration (as provided by AWS Config)
3.1. Prerequisites
An AWS account with access to all the resources that should be tracked for cloud configuration data. This account also requires AWS Config to be enabled.
An IAM user/role with relevant permissions to create new roles and policies for the relevant AWS account.
A Ketryx admin user with organization and project editing permissions.
Note: Adding Cloud Configuration Management to Ketryx will require giving AssumeRole permissions to the Ketryx AWS account. Ketryx will only require the minimal set of permissions to get relevant configuration data from AWS Config.
3.2. AWS Config
Ketryx relies on AWS Config to fetch configuration data from an AWS account. Use the AWS Config dashboard to verify that all relevant resources for your project are listed.
3.3. Resource tags
All resources that should be tracked by Ketryx require a proper project tag and environment tag. If the AWS account is dedicated to a single project, the project tag may be omitted.
Environment tag examples:
Key: Environment, Value: production
Key: Environment, Value: staging
Project tag example:
Key: Project, Value: ketryx-app
3.4. Manage AWS connections
3.5. Add a new connection
Press the Add AWS connection button and follow the instructions to set up the necessary Ketryx connection role and policies via the AWS IAM service.
Note: This will require appropriate IAM user credentials to edit/create new roles/policies in AWS. If you don’t have the necessary credentials, talk to an AWS administrator to set up the necessary permissions.
As soon as the role has been created, copy the role ARN into the Role ARN field, and select the relevant AWS region for accessing your AWS Config data. Ketryx will only access data in the selected region.
Click the Save & Test Connection button to verify your connection. Ketryx will store your new ARN once a connection has been established.
Important: Closing and reopening the Add AWS Connection dialog will generate a new Ketryx External ID, which is used to identify Ketryx on the AWS side. If you have reopened the dialog after already creating the role, go to IAM > Roles > [your role], open the Trust relationships tab, and update the sts:ExternalId key to the dialog's newly generated ID.
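The following is an added example, not part of the Ketryx manual or product: it shows how the trust relationship on the connection role can be checked and, after the dialog generated a new External ID, updated. The account ID and External ID values are constructed placeholders; the real ones come from the Add AWS Connection dialog.

```python
"""Checks on the IAM trust policy of the cross-account connection role.

Added example, not Ketryx's own code. KETRYX_ACCOUNT_ID and EXTERNAL_ID are
constructed placeholders for the values shown in the Ketryx dialog.
"""
import copy

KETRYX_ACCOUNT_ID = "111111111111"              # placeholder account ID
EXTERNAL_ID = "ketryx-external-id-placeholder"  # placeholder External ID


def build_trust_policy(trusted_account_id, external_id):
    """Trust policy that lets one account assume the role, and only when the
    caller presents the agreed sts:ExternalId (confused-deputy mitigation)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)


def trust_policy_findings(policy, trusted_account_id, external_id):
    """Return a list of problems in a trust policy document (empty list = OK)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws_principals = _as_list(aws_principals)
        if principal == "*" or "*" in aws_principals:
            findings.append(f"statement {i}: AssumeRole allowed to any principal")
        elif not all(trusted_account_id in p for p in aws_principals):
            findings.append(f"statement {i}: principal outside account {trusted_account_id}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif cond["sts:ExternalId"] != external_id:
            findings.append(f"statement {i}: sts:ExternalId does not match the dialog's current ID")
    return findings


def with_updated_external_id(policy, new_external_id):
    """Copy of the policy with every sts:ExternalId condition set to the new
    value, for the case where the dialog was reopened and a new ID generated."""
    updated = copy.deepcopy(policy)
    for stmt in _as_list(updated.get("Statement", [])):
        cond = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
        cond["sts:ExternalId"] = new_external_id
    return updated


if __name__ == "__main__":
    stale = build_trust_policy(KETRYX_ACCOUNT_ID, "old-external-id")
    print(trust_policy_findings(stale, KETRYX_ACCOUNT_ID, EXTERNAL_ID))
    fixed = with_updated_external_id(stale, EXTERNAL_ID)
    print(trust_policy_findings(fixed, KETRYX_ACCOUNT_ID, EXTERNAL_ID))
```

The output of with_updated_external_id is the document you would paste into the role's Trust relationships tab; the findings function is the check to run before saving so that the role is neither open to any principal nor missing the External ID condition.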
On successful save, the connection will show up in your AWS connections section. You may add further connections or remove existing ones. All configured AWS connections are available to every project within your organization. Multiple connections for the same AWS account ID cannot be added.
3.6. Enabling AWS tracking in a Ketryx project
After configuring your AWS connection, you can now add project-specific AWS settings to track all relevant AWS cloud configuration items.
Open a Ketryx project you want to track cloud configuration items for, and navigate to Settings > Cloud Configuration.
The cloud configuration settings page will automatically pre-select your newly created AWS connection. You may now configure your project to fetch data from your AWS account with the following settings:
Enable AWS cloud: When enabled, Ketryx will automatically fetch resources according to the configuration. Data is fetched after each settings change and then every 6 hours.
Project Filter: If your AWS account is used for multiple independent projects, you may provide a general tag filter that will instruct Ketryx to only fetch tagged resources with the relevant project tag. If your AWS account only hosts resources for your selected Ketryx project, this setting may be omitted to fetch all resources.
Environments: You may define one or more environment matchers for your target environments. All resources captured by Ketryx will be categorized by the given environment tags. Environments will be listed on the Cloud item page and in the generated Cloud Configuration report.
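As an added example (not Ketryx's own code), the following models how the project filter and environment matchers of this settings page select resources and produce the per-resource fields listed in section 3. The resource records are constructed samples in a simplified AWS Config shape; resources that pass the project filter but match no environment are reported separately so that a tagging mistake is visible rather than silently dropped.

```python
"""Project-tag filter and environment matching over AWS Config style records.

Added example, not Ketryx's own code. SAMPLE_RESOURCES is constructed and its
shape is a simplification of what AWS Config reports per resource.
"""
from datetime import datetime, timezone

SAMPLE_RESOURCES = [
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0a1b2c3d4e5f67890",
     "resourceCreationTime": "2024-01-10T08:00:00Z",
     "tags": {"Project": "ketryx-app", "Environment": "production"}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "ketryx-app-staging-assets",
     "resourceCreationTime": "2024-01-12T09:30:00Z",
     "tags": {"Project": "ketryx-app", "Environment": "staging"}},
    {"resourceType": "AWS::RDS::DBInstance", "resourceId": "other-project-db",
     "resourceCreationTime": "2023-11-01T12:00:00Z",
     "tags": {"Project": "other-app", "Environment": "production"}},
    {"resourceType": "AWS::Lambda::Function", "resourceId": "untagged-fn",
     "resourceCreationTime": "2024-02-01T00:00:00Z",
     "tags": {}},
]


def match_environment(tags, environments):
    """Name of the first environment matcher whose tag key and value both
    match the resource's tags; None if no matcher applies."""
    for env in environments:
        if tags.get(env["key"]) == env["value"]:
            return env["name"]
    return None


def track_resources(resources, environments, project_filter=None, snapshot_time=None):
    """Apply the optional project filter, then classify resources by environment.

    Returns (tracked, unmatched). Each tracked record carries the fields kept
    per resource: type, ID, creation timestamp, snapshot timestamp, matched
    environment and the raw configuration. unmatched lists the IDs of resources
    that passed the project filter but matched no environment.
    """
    snapshot_time = snapshot_time or datetime.now(timezone.utc).isoformat()
    tracked, unmatched = [], []
    for res in resources:
        tags = res.get("tags", {})
        # Omitting the project filter means every resource in the account is a candidate.
        if project_filter and tags.get(project_filter["key"]) != project_filter["value"]:
            continue
        env = match_environment(tags, environments)
        if env is None:
            unmatched.append(res["resourceId"])
            continue
        tracked.append({
            "resource_type": res["resourceType"],
            "resource_id": res["resourceId"],
            "created_at": res["resourceCreationTime"],
            "snapshot_at": snapshot_time,
            "environment": env,
            "raw_configuration": res,
        })
    return tracked, unmatched


def count_by_environment(tracked):
    """Per-environment resource counts, as shown by a settings test run."""
    counts = {}
    for rec in tracked:
        counts[rec["environment"]] = counts.get(rec["environment"], 0) + 1
    return counts


if __name__ == "__main__":
    envs = [{"name": "Production", "key": "Environment", "value": "production"},
            {"name": "Staging", "key": "Environment", "value": "staging"}]
    tracked, unmatched = track_resources(
        SAMPLE_RESOURCES, envs, {"key": "Project", "value": "ketryx-app"})
    print(count_by_environment(tracked), "unmatched:", unmatched)
```

Running the same function without a project filter shows the effect described above: every resource in the account becomes a candidate, so the other project's database is tracked too and only the untagged function ends up in the unmatched list.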
3.7. Test and save settings
Click the Run test button in the Test settings section to see the number of resources fetched for each environment. If you are satisfied with the result, press the Save changes button to save your settings. When Enable AWS cloud configuration is activated, Ketryx will start fetching data from AWS.
Note: All data fetched from AWS is stored as immutable records and will never change for versions released on Ketryx. Keep in mind that wrongly matched data will still be tracked, but may be marked as obsolete when the cloud configuration settings are adjusted later.
4. List cloud configuration data
Within your project, navigate to the Cloud page to show all cloud configuration items. You may pick a version and/or environment to narrow down to a particular dataset. When Current is selected, the latest record data is shown. When a released version is selected, the records captured at the point of release are displayed.
4.1. Show cloud configuration item details
Selecting a listed Cloud Configuration Item will show you the record details with all configuration parameters.
4.2. Download a cloud configuration report
You may download a cloud configuration report for a particular version. Select the target version and click the Download cloud configuration report button to start the process.
Note: The generation may take a few minutes, depending on the amount of data.
The cloud configuration report will contain all version-related cloud configuration items grouped by all recorded environments.
Note: Configured cloud configuration settings may change, but released cloud configuration items will keep track of their environment name, even when the environment has been removed. Therefore, released cloud configuration reports will only list environments that existed at the point of release.
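To make the traceability behaviour described in sections 3.7 and 4 concrete, here is an added example (not Ketryx's code) of a record store in which the current dataset keeps changing, a release freezes a copy that later settings changes and re-fetches cannot alter, obsolete marking hides records from the current view without deleting them, and the report for a released version groups items by the environment names recorded at release time, including an environment removed since. The records used are constructed.

```python
"""Versioned, immutable cloud-configuration records with environment history.

Added example, not part of Ketryx. It models the behaviour of the Cloud page
and the cloud configuration report with constructed in-memory records.
"""
import copy


class CloudRecordStore:
    def __init__(self):
        self._current = {}   # resource_id -> latest record (the "Current" view)
        self._releases = {}  # version -> frozen copy of the records at release

    def record(self, resource_id, environment, configuration):
        """Store the latest snapshot of a resource in the current dataset."""
        self._current[resource_id] = {
            "resource_id": resource_id,
            "environment": environment,
            "configuration": configuration,
            "obsolete": False,
        }

    def reconfigure(self, active_environments):
        """Settings changed: records whose environment is no longer configured
        are marked obsolete; nothing is deleted, so history stays traceable."""
        for rec in self._current.values():
            rec["obsolete"] = rec["environment"] not in active_environments

    def release(self, version):
        """Freeze a deep copy of the current dataset for this version.
        Later changes to the current dataset never touch the released copy."""
        if version in self._releases:
            raise ValueError(f"version {version} already released")
        self._releases[version] = copy.deepcopy(self._current)

    def list_items(self, version=None, environment=None):
        """Items for the Current view (version=None) or a released version,
        optionally narrowed to one environment; obsolete records are hidden."""
        source = self._current if version is None else self._releases[version]
        items = [r for r in source.values() if not r["obsolete"]]
        if environment is not None:
            items = [r for r in items if r["environment"] == environment]
        return sorted(items, key=lambda r: r["resource_id"])

    def report(self, version):
        """Resource IDs grouped by the environment names recorded at release."""
        grouped = {}
        for rec in self.list_items(version):
            grouped.setdefault(rec["environment"], []).append(rec["resource_id"])
        return grouped


if __name__ == "__main__":
    store = CloudRecordStore()
    store.record("i-1", "Production", {"InstanceType": "t3.micro"})
    store.record("bucket-a", "Staging", {"Versioning": "Enabled"})
    store.release("1.0.0")
    store.reconfigure({"Production"})  # the Staging environment is removed later
    store.record("i-1", "Production", {"InstanceType": "t3.small"})
    print("current:", [r["resource_id"] for r in store.list_items()])
    print("report 1.0.0:", store.report("1.0.0"))
```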