Solution components - AWS Perspective

Solution components

Authentication mechanism

AWS Perspective uses an Amazon Cognito User Pool for both the web user interface (UI) and Amazon API Gateway authentication. Once authenticated, Amazon Cognito provides a JSON Web Token (JWT) to the web UI that will be provided with all subsequent API requests. If a valid JWT is not provided, the API request will fail and return an HTTP 403 Forbidden response.

Web UI and storage management

The web UI was developed using React and provides a front-end console to enable users to interact with AWS Perspective.

Lambda@Edge appends secure headers to every HTTP request to the web UI. This provides an additional layer of security, protecting against attacks such as Cross-site scripting (XSS).


Figure 3: AWS Perspective web UI and storage management components

The web UI resources are hosted in the WebUIBucket Amazon Simple Storage Service (Amazon S3) bucket and distributed by Amazon CloudFront. AWS Amplify provides an abstraction layer to simplify the integrations to API Gateway, AWS AppSync, and Amazon S3. Amazon Cognito authenticates users at the login stage. On successful login, a JSON Web Token (JWT) is provided in the authentication response from Amazon Cognito. The JWT must be sent with all subsequent API requests. If the JWT is not provided, then the API request will fail and return an HTTP 403 Forbidden response.

AWS AppSync is used to facilitate interaction with various configurations available to AWS Perspective, including managing imported Regions and accounts. AWS AppSync integrates with Amazon DynamoDB for create, read, update, and delete (CRUD) operations, but utilizes the Settings AWS Lambda function to handle more complex requests, such as importing a new account and Region, which require an API call to AWS Config to authorize the new Region.

Amazon API Gateway builds the PerspectiveWebRestAPI endpoint and provides access to the relationship data that AWS Perspective collects. This API endpoint is called when the user builds out their architecture diagram.

Refer to Web UI features and common tasks for an overview of UI features and common tasks.

Data component


Figure 4: AWS Perspective data component

The web UI sends requests to the PerspectiveWebRestAPI API Gateway endpoint serving requests to the GremlinFunction AWS Lambda function. This Lambda function processes the request and queries Amazon Neptune and the cost component to gather the required data about the AWS resource specified in the request.

The discovery component sends requests to the API Gateway PerspectiveWebRestAPI endpoint when it requires the latest data about the resources already discovered. This is to ensure that the discovery component aligns with the current state of the Neptune relationship graph.

The ServerGremlinAPI API Gateway endpoint receives requests from the AWS Fargate task in the discovery component and is authenticated using an Identity and Access Management (IAM) role that provides access to the Amazon Elasticsearch Service (Amazon ES) cluster. The API Gateway endpoint is backed by the Search Lambda function that processes incoming requests and communicates with the Amazon ES cluster. The Amazon ES cluster provides an index of the relationship data discovered by AWS Perspective.

Image deployment component


Figure 5: AWS Perspective image deployment component

The image deployment component builds the container image that is used by the discovery component. The code is hosted in the DiscoveryBucket Amazon S3 bucket and downloaded at deployment time by AWS CodePipeline. CodePipeline initiates an AWS CodeBuild job that builds the container image and uploads it to Amazon Elastic Container Registry (Amazon ECR). Amazon Elastic Container Services (Amazon ECS) downloads this container image from Amazon ECR and triggers a task at regular intervals (every 15 minutes by default).

Discovery component

The discovery component is the main data-gathering element of the AWS Perspective architecture. It is responsible for querying AWS Config and making describe API calls to maintain the inventory of resources and the relationships between them.


Figure 6: AWS Perspective discovery component

This solution configures Amazon ECS to run an AWS Fargate task using the container image downloaded from Amazon ECR. The AWS Fargate task is scheduled to run at 15-minute intervals. The resource relationship data that is collected is inserted into an Amazon Neptune graph database and Amazon ES.

The discovery component workflow consists of three steps:

  1. Amazon ECS triggers an AWS Fargate task at 15-minute intervals.

  2. The Fargate task gathers resource data from AWS Config and AWS API describe calls.

  3. The Fargate task runs HTTP POST requests to the ServerGremlinAPI API Gateway endpoint to aggregate resource relationship data and insert into Amazon Neptune and Amazon ES.

Cost component


Figure 7: AWS Perspective cost component

You can create an AWS Cost and Usage Report in AWS Billing and Cost Management. This publishes a zipped comma-separated value (CSV) report into the PerspectiveCostBucket Amazon S3 bucket created at deployment time and configured post deployment. When the new Amazon S3 object is uploaded, it triggers the Cost Parser Lambda function. This function processes the object and inserts the relevant cost data into an Amazon DynamoDB table, which the data component queries.

Supported Resources

To see a list of AWS resource types that Perspective is able to discover within your accounts and Regions, refer to Appendix B.

AWS Perspective architecture diagram management

You can store AWS Perspective architecture diagrams that you have created in the web UI. You can also perform standard create, read, update, and delete (CRUD) operations on them. The AWS Amplify storage API allows this solution to store architecture diagrams in an Amazon S3 bucket. This API manages the CRUD operations and permissions and has three levels:

  • All users - Allows AWS Perspective architecture diagrams to be visible to AWS Perspective users in your deployment. Users can download and edit these diagrams.

  • You - Allows AWS Perspective architecture diagrams to be visible only to the creator. Other users will not see them.