AWS Setup for Snowplow Insights Enterprise

To setup Snowplow, we need you to create a sub-account dedicated to Snowplow, then set up a user within this sub-account with the appropriate permissions (using an IAM policy) to set up the pipeline. The process for this is as follows:

Create sub-account

  1. From your main AWS account, set up an Organisation if you haven’t done so already.
  2. Create an account in that organisation (sub-account)
  3. Sign out and sign into the new sub-account. Everything Snowplow-related will take place within this account from here in.

Set up User and IAM permissions

  1. Create the IAM policy
  2. Create a group and assign them this policy
  3. Create user in that group, and send the login details to the alexdean user via passpack

Walkthrough

Step 1. Create an Organisation and sub-account

  • From the console homepage, navigate to ‘AWS Organizations’ (via the search bar), and select Create Organization.

shot 0 search org

shot 1 org home

  • Create an organization - Choose enable all features

shot 2 add account

  • Add account - you will need to create this account with a separate email address. This will be the sub-account we use for Snowplow. You can invite an existing account, or create a new one, but make sure that this account is not used for anything but setting up the Snowplow Pipeline.

shot 3 add account

shot 4 create account

  • Sign out, and sign in with that account - this is your Snowplow sub-account and everything to do with Snowplow happens here from now on.

Step 2. Create a Permissions Policy, User Group, and User

Create IAM policy:

  • Navigate to ‘IAM’ (via the search bar) - Note that all steps from here take place from within this section

shot 5 search iam

  • Navigate to Policies (left panel) -> Create policy -> Create Your Own Policy

shot 6 create policy

shot 7 create own policy

  • Name the policy snowplow-policy-setup-infrastructure, copy and paste the below into the policy document:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm:*",
        "autoscaling:*",
        "aws-marketplace:Subscribe",
        "aws-marketplace:Unsubscribe",
        "aws-marketplace:ViewSubscriptions",
        "cloudformation:*",
        "cloudfront:*",
        "cloudwatch:*",
        "dynamodb:*",
        "ec2:*",
        "es:*",
        "elasticbeanstalk:*",
        "elasticloadbalancing:*",
        "elasticmapreduce:*",
        "iam:*",
        "kinesis:*",
        "logs:*",
        "rds:*",
        "redshift:*",
        "s3:*",
        "sns:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

shot 9 policy text rt

Create a Group with this policy:

  • Navigate to Groups (left pane) -> Create New Group

shot 10 create new group

  • Name the Group snowplow-setup

shot 11 name group

  • On the attach policy step, select the policy we have just created: snowplow-policy-setup-infrastructure. You can use the searchbar to find it easily.

shot 12 attach policy

  • Review the details and create the group.

shot 13 review and create

Create a User in this Group:

  • Navigate to Users (left pane, from the IAM homescreen) -> Add User

shot 14 add user

  • Name the user snowplow-setup
  • Select both checkboxes under ‘Access type’
  • Select Autogenerated Password under ‘Console Password’
  • Make sure that the Require password reset box is checked

shot 15 user config

  • On the next screen, add the check the box next to snowplow-setup to add the user to this group.

shot 16 add user to group

  • Once you see the success message, copy the username, password and AWS Console login URL - we will need these to set up the pipeline.

shot 17 details

User Creation

You will need to create users in order to upload schemas and implement custom tracking - we will create a usergroup SnowplowIgluAdmin with the minimum required permissions to do so - it is recommended that users are created within this group for these purposes.