Installation process
The installation process for Try Snowplow takes around 15 minutes and comprises the following steps:
- Sign up to Try Snowplow
- Install the infrastructure into your cloud account
- Connect to your pipeline
Security note
Snowplow will never ask you to disclose your Amazon, Google or database credentials.
Pre-requisites
Required IAM permissions
Setting up Try Snowplow in your AWS account requires following IAM roles:
cloudformation:CreateStack
cloudformation:DescribeStackEvents
cloudformation:DescribeStacks
cloudformation:ListStacks
cloudformation:GetTemplateSummary
ec2:AssociateRouteTable
ec2:AttachInternetGateway
ec2:AuthorizeSecurityGroupIngress
ec2:CreateInternetGateway
ec2:CreateRoute
ec2:CreateRouteTable
ec2:CreateSecurityGroup
ec2:CreateSubnet
ec2:CreateTags
ec2:CreateVpc
ec2:ModifySubnetAttribute
ec2:ModifyVpcAttribute
ecs:CreateCluster
ecs:CreateService
ecs:DescribeClusters
ecs:DescribeServices
ecs:RegisterTaskDefinition
ec2:DescribeVpcs
ec2:DescribeAvailabilityZones
ec2:DescribeSecurityGroups
ec2:DescribeAccountAttributes
ec2:DescribeSubnets
ec2:DescribeRouteTables
elasticloadbalancing:AddTags
elasticloadbalancing:CreateLoadBalancerListeners
elasticloadbalancing:CreateLoadBalancer
elasticloadbalancing:CreateTargetGroup
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeTargetGroups
health:DescribeEventAggregates
iam:CreateRole
iam:GetRole
iam:GetRole
iam:GetRole
iam:GetRolePolicy
iam:PutRolePolicy
iam:PassRole
rds:AddTagsToResource
rds:CreateDBInstance
rds:CreateDBParameterGroup
rds:CreateDBSubnetGroup
rds:DescribeDBInstances
rds:DescribeDBSubnetGroups
rds:DescribeEngineDefaultParameters
rds:ModifyDBParameterGroupCode language: CSS (css)Installation steps
Install the infrastructure
- In the Try Snowplow console, click on “Install your Try Snowplow infrastructure”.
- Read the notes and then select either the “Basic Installer” or the “Advanced Installer” and launch the installer.
What is the difference between the Basic and Advanced installers?
The Basic Installer is the quickest and simplest installer and should be sufficient for most use cases. The Advanced Installer provides a couple of extra configuration options; allowing you to secure your database with an IP AllowList and to set an AWS Permissions Boundary for your install.
- You will be taken to AWS console to deploy the components in your AWS account; at this point you may need to sign into AWS if you are not already signed in.
- Most fields on the installation script are pre-filled, but you can
- optionally edit the stack name, should you wish to
- set a login username for the database that will be created
- set a login password for the database that will be created
- set an IP allow list for database access (advanced template only)
- set an AWS permission boundary (advanced template only)
- Check the boxes under “Capabilities” to allow the creation of an IAM security role for pushing CloudWatch logs
- Click “Create stack” to start the deployment of your Try Snowplow application
You have just started deployment of Try Snowplow into your own Virtual Private Cloud environment.
During installation
This installation takes around 10 minutes to run. At this point you can close AWS console and you will receive an email from Try Snowplow once the deployment is complete.
Once the infrastructure is installed, the system will assign you a dedicated, secure .try-snowplow.com URL that you will use to track events. This can take a minute or two, in the meantime you can get started with tracking events.
Further security considerations
Try Snowplow is designed to be secure by default, however if you wish to further tighten security you can take the following measures using
Limited deployment privileges
Some organizations impose limited access policies by using AWS Permissions Boundary. If your organization has this setup you can specify the Permissions Boundary ARN during setup in the PermissionsBoundaryArn field.
Requires you to select the Advanced Install option.
Restricting access to the database
You can physically restrict access to your database to IPs matching a filter by editing the Security Groups definitions.
As part of install
You can specify an IP address range to limit access to your database during install in the DatabaseAccessIPs field.
Post-install
If you use the basic installer and later decide you wish to add this security layer you can do so by following these steps:
- Navigate to EC2 Service in your AWS console account, making sure you are in the same region where you installed your Try Snowplow stack.
- Go to Security Groups.
- Find and select the security group named
$snowplow-sg-dbwith the description “Frontend Access to Database”snowplowmay also be your custom stack name if you provided one). - In the panel that opens select the
Inbound rulestab and click “Edit inbound rules”. - Remove the existing rule if it is no longer needed (ie.
0.0.0.0/0filter will allow for anyone with database credentials to initiate connection).
- In editor change the
Sourcevalue. There can be many rules applied to the same security group, so you can even set individual IP addresses in separate rules. Set a description for future reference. - Accept by clicking the “Save rules” button.
Traffic to your Try Snowplow pipeline will be dropped for a very brief period of time while the new rule is created.
