
Enable Authorization Logging

Objective

To send RightScale authorization events to a specific location using Amazon SNS.

Prerequisites

  • This feature will be enabled if you have an Enterprise RightScale Account. If you do not have an Enterprise Account, but would like this feature enabled, contact your RightScale Sales Account Manager or the sales department at sales@rightscale.com.
  • You must have valid Amazon Web Services (AWS) credentials. See Sign-up for Amazon Web Services (AWS).
  • 'actor' user role privileges are required to enable this feature.

Overview

You can send authentication events through Amazon SNS each time a RightScale user authenticates against the RightScale Dashboard or API. Amazon Simple Notification Service (SNS) enables applications, end-users, and devices to instantly send and receive notifications from the cloud. The purpose of this tutorial is to show RightScale account managers how to monitor authentication events of RightScale's Dashboard and API and have those events sent through HTTP/HTTPS, by email, or to an AWS SQS queue.

Steps

  1. Go to Settings > Account Settings > Authorization Logging and click Enable. 
  2. The AWS Account ID associated with the AWS Account added to the RightScale account will automatically be displayed. Click Save.
  3. Click Save.
  4. An AWS SNS Topic ARN will appear as well as the Status and Subscriber AWS Account Number. Take note of the AWS SNS Topic ARN.

NOTE: An AWS SNS Topic ARN consists of the region the Topic ARN was created in, an AWS ID, and the name of the Topic ARN. When Authorization Logging is enabled and saved, RightScale automatically generates this value for your account. The AWS ID contained in the Topic ARN has no association with the AWS Account Number of your own AWS account. The 12-digit AWS Account Number associated with the RightScale account is listed as the Subscriber AWS Account Number.

  5. If enabled, the owner of the RightScale account (Settings > Account Settings > Info tab) will receive an email from Amazon's SNS service for any of the following actions.
    • A user of the RightScale account logs in to the RightScale Dashboard. (Note: The owner will still receive a notification even if the user logs in to view a different RightScale account to which they have access.) 
    • An authenticated API session and/or call is made from the RightScale account.
    • A user accepts an invitation to the RightScale account. 

Next Steps

Create an Amazon SNS Subscription 

Once the Authorization Logging feature is enabled for the RightScale account, you can set up a subscription to the Amazon SNS Topic. A subscription lets you send SNS notifications to someone other than the designated owner of the RightScale account, and lets you choose a protocol other than the default (email). For example, you might want to send notifications to an email alias (e.g. ops@rightscale.com) or to a third party service like Splunk or Loggly.

  1. You will need to log in to your AWS Console and navigate to SNS. If you have not already enabled the Amazon SNS service for your account, you can sign up for the service inside the AWS Console. See Amazon Simple Notification Services and see Amazon SNS Pricing.
  2. Go to Subscriptions. Make sure you're in the same EC2 region as the created ARN and then click Create Subscription.
  3. Next, you will need to enter the following information:
  • TopicARN - The TopicARN serves as the unique AWS ID for the new SNS topic. Typically the Amazon Resource Name (ARN) of your SNS topic contains your own AWS account number, but in this case, you're going to use the ARN that RightScale generated for you instead. Use the ARN from the RightScale Dashboard.
  • Protocol - Select the protocol that will be used to send the notifications. 
    • HTTPS
    • HTTP
    • Email
    • Email-JSON
    • Amazon SQS
    • Application
  • Endpoint - The correct syntax for the endpoint is different depending on the protocol selection.

    • HTTP/HTTPS - Specify a URL where an HTTP POST containing the information will be sent, which is useful for users of Splunk, Loggly, or other data monitoring tools and services.

    • Email/Email-JSON - Specify the email address that will receive event notifications as either raw text (Email) or JSON objects (Email-JSON).

    • Amazon SQS - Specify an AWS SQS queue as the endpoint. If you are monitoring your AWS SQS queue through RightScale, see Enable Authentication Logging with an AWS SQS in RightScale. You can also choose to have messages sent as an SMS text message to a valid phone number (due to SMS restrictions, if a notification exceeds 140 characters, the remainder will be truncated). 

    • Application - Specify a complete string with the application name. (e.g. arn:aws:sns:us-east-1:123456123456:authorization-223344)

  4. Click Subscribe.

 

  5. To test if authorization logging is properly configured, log out of the RightScale Dashboard and log back in. Then check the endpoint that you chose to see if AWS SNS sent a message.
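
An added example, not part of the original RightScale documentation: with the HTTP/HTTPS protocol, the endpoint receives the subscription confirmation and every later notification as a JSON POST body, so it should accept only messages for the Topic ARN copied from the Dashboard. The function names are illustrative, the code assumes the standard amazonaws.com partition, and it checks the message envelope only (verifying the SNS message signature is a separate step not shown here).

```python
import json
from urllib.parse import urlparse

# Example ARN from the Application bullet above; use the one from your Dashboard.
EXPECTED_TOPIC_ARN = "arn:aws:sns:us-east-1:123456123456:authorization-223344"

# Constructed sample of a subscription-confirmation POST body (not captured traffic).
SAMPLE_CONFIRMATION = json.dumps({
    "Type": "SubscriptionConfirmation",
    "TopicArn": EXPECTED_TOPIC_ARN,
    "SubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription",
    "SigningCertURL": "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-EXAMPLE.pem",
})

def parse_topic_arn(arn):
    """Split an SNS topic ARN into region, AWS ID and topic name."""
    parts = arn.split(":")
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "sns"] or not all(parts[3:]):
        raise ValueError("not an SNS topic ARN: %r" % arn)
    return {"region": parts[3], "aws_id": parts[4], "name": parts[5]}

def is_sns_url(url, region):
    """True only for https URLs on the SNS host of the given region."""
    u = urlparse(url or "")
    return u.scheme == "https" and u.hostname == "sns.%s.amazonaws.com" % region

def check_sns_post(body, expected_arn=EXPECTED_TOPIC_ARN):
    """Return ("confirm", SubscribeURL), ("event", Message) or ("reject", reason)."""
    region = parse_topic_arn(expected_arn)["region"]
    try:
        msg = json.loads(body)
    except ValueError:
        return ("reject", "body is not JSON")
    if not isinstance(msg, dict):
        return ("reject", "body is not a JSON object")
    if msg.get("TopicArn") != expected_arn:
        return ("reject", "unexpected TopicArn")
    if not is_sns_url(msg.get("SigningCertURL"), region):
        return ("reject", "SigningCertURL is not an SNS host")
    kind = msg.get("Type")
    if kind == "SubscriptionConfirmation":
        if not is_sns_url(msg.get("SubscribeURL"), region):
            return ("reject", "SubscribeURL is not an SNS host")
        return ("confirm", msg["SubscribeURL"])  # caller fetches this URL to confirm
    if kind == "Notification":
        return ("event", msg.get("Message", ""))  # event payload kept as opaque text
    return ("reject", "unhandled Type")
```

Only a "confirm" result should lead the endpoint to fetch the returned URL, and only "event" results should be forwarded to the log pipeline.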
Last modified
14:45, 11 Mar 2014



© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.