The installation process for Try Snowplow takes around 15 minutes and comprises the following steps:
- Sign up to Try Snowplow
- Install the infrastructure into your cloud account
- Connect to your pipeline
Required IAM permissions
Setting up Try Snowplow in your AWS account requires the following IAM permissions:
```
cloudformation:CreateStack
cloudformation:DescribeStackEvents
cloudformation:DescribeStacks
cloudformation:ListStacks
cloudformation:GetTemplateSummary
ec2:AssociateRouteTable
ec2:AttachInternetGateway
ec2:AuthorizeSecurityGroupIngress
ec2:CreateInternetGateway
ec2:CreateRoute
ec2:CreateRouteTable
ec2:CreateSecurityGroup
ec2:CreateSubnet
ec2:CreateTags
ec2:CreateVpc
ec2:ModifySubnetAttribute
ec2:ModifyVpcAttribute
ecs:CreateCluster
ecs:CreateService
ecs:DescribeClusters
ecs:DescribeServices
ecs:RegisterTaskDefinition
ec2:DescribeVpcs
ec2:DescribeAvailabilityZones
ec2:DescribeSecurityGroups
ec2:DescribeAccountAttributes
ec2:DescribeSubnets
ec2:DescribeRouteTables
elasticloadbalancing:AddTags
elasticloadbalancing:CreateLoadBalancerListeners
elasticloadbalancing:CreateLoadBalancer
elasticloadbalancing:CreateTargetGroup
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeTargetGroups
health:DescribeEventAggregates
iam:CreateRole
iam:GetRole
iam:GetRolePolicy
iam:PutRolePolicy
iam:PassRole
rds:AddTagsToResource
rds:CreateDBInstance
rds:CreateDBParameterGroup
rds:CreateDBSubnetGroup
rds:DescribeDBInstances
rds:DescribeDBSubnetGroups
rds:DescribeEngineDefaultParameters
rds:ModifyDBParameterGroup
```
Install the infrastructure
- In the Try Snowplow console, click on “Install your Try Snowplow infrastructure”.
- Read the notes and then select either the “Basic Installer” or the “Advanced Installer” and launch the installer.
- You will be taken to the AWS console to deploy the components in your AWS account; at this point you may need to sign in to AWS if you are not already signed in.
- Most fields on the installation script are pre-filled, but you can:
  - optionally edit the stack name, should you wish to
  - set a login username for the database that will be created
  - set a login password for the database that will be created
  - set an IP allow list for database access (advanced template only)
  - set an AWS permission boundary (advanced template only)
- Check the boxes under “Capabilities” to allow the creation of an IAM security role for pushing CloudWatch logs
- Click “Create stack” to start the deployment of your Try Snowplow application
You have just started deployment of Try Snowplow into your own Virtual Private Cloud environment.
This installation takes around 10 minutes to run. At this point you can close the AWS console, and you will receive an email from Try Snowplow once the deployment is complete.
Once the infrastructure is installed, the system will assign you a dedicated, secure .try-snowplow.com URL that you will use to track events. This can take a minute or two; in the meantime you can get started with tracking events.
Further security considerations
Try Snowplow is designed to be secure by default; however, if you wish to further tighten security you can take the following measures using
Limited deployment privileges
Some organizations impose limited access policies by using an AWS permissions boundary. If your organization has this set up, you can specify the permissions boundary ARN during setup in the
This requires you to select the Advanced Install option.
Restricting access to the database
You can physically restrict access to your database to IPs matching a filter by editing the Security Groups definitions.
As part of install
You can specify an IP address range to limit access to your database during install in the
If you use the basic installer and later decide you wish to add this security layer, you can do so by following these steps:
- Navigate to the EC2 service in your AWS console, making sure you are in the same region where you installed your Try Snowplow stack.
- Go to Security Groups.
- Find and select the security group named $snowplow-sg-db with the description “Frontend Access to Database” (snowplow may also be your custom stack name if you provided one).
- In the panel that opens, select the Inbound rules tab and click “Edit inbound rules”.
- Remove the existing rule if it is no longer needed (i.e. a 0.0.0.0/0 filter will allow anyone with database credentials to initiate a connection).
- In the editor, change the Source value. There can be many rules applied to the same security group, so you can even set individual IP addresses in separate rules. Set a description for future reference.
- Accept by clicking the “Save rules” button.
Traffic to your Try Snowplow pipeline will be dropped for a very brief period of time while the new rule is created.
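The result of the steps above can be checked against the output of `aws ec2 describe-security-groups`. The following Python is an added example, not Snowplow's own code: it flags any-address sources on the database security group and lists the rule changes needed to restrict it to an allow list. The sample JSON, group id, port 5432 and addresses are constructed, and matching the group by the `-sg-db` name suffix is an assumption based on the group name given above.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# The group id, port 5432 and all addresses are made up for illustration.
SAMPLE = json.loads("""
{"SecurityGroups": [{
  "GroupId": "sg-0123456789abcdef0",
  "GroupName": "snowplow-sg-db",
  "Description": "Frontend Access to Database",
  "IpPermissions": [{
    "IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.10/32"}],
    "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]}
""")

def is_any(cidr):
    """True for 0.0.0.0/0 or ::/0, a source that matches every address."""
    return ipaddress.ip_network(cidr).prefixlen == 0

def sources(perm):
    """All IPv4 and IPv6 source CIDRs attached to one inbound permission."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])] +
            [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])

def audit(doc, suffix="-sg-db"):
    """Map GroupId -> [(protocol, from_port, to_port, cidr)] for any-address rules
    on groups whose name ends with `suffix` (assumed naming, taken from the page)."""
    return {g["GroupId"]: [(p["IpProtocol"], p.get("FromPort"), p.get("ToPort"), c)
                           for p in g.get("IpPermissions", []) for c in sources(p)
                           if is_any(c)]
            for g in doc["SecurityGroups"] if g["GroupName"].endswith(suffix)}

def plan(group, allowed):
    """Ordered (action, protocol, from_port, to_port, cidr) steps that replace
    any-address sources with the `allowed` CIDRs on the affected ports."""
    nets = [str(ipaddress.ip_network(a)) for a in allowed]  # raises on bad CIDRs
    if any(is_any(n) for n in nets):
        raise ValueError("allow list must not contain an any-address range")
    steps = []
    for perm in group.get("IpPermissions", []):
        present = sources(perm)
        if not any(is_any(c) for c in present):
            continue
        key = (perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"))
        # Add the narrow sources first so permitted clients keep access.
        steps += [("authorize", *key, n) for n in nets if n not in present]
        steps += [("revoke", *key, c) for c in present if is_any(c)]
    return steps
```

An empty list for a group in the `audit` result means no inbound rule on it is open to every address.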