# AWS AVM (Amazon Account Vending Machine)

The AWS AVM software helps AWS customers set up a secure, multi-account AWS environment. AVM creates a baseline of AWS accounts, networks, and security policies.

AWS Lambda SDK connects to the data source and crawls the users. It also performs Access Cart operations like creating a role, assigning a role to a user, and assigning policies to the role.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdIahQU4OUdCMhXupsOJITVL5ir8GiqWPqczC4dBKaNUA-zAZ5CIy9qADjapXUKX0uRZCE1ZkuVKKCw7W8mv79pjSI9vnEAgYOnzseGEWEafuyG6Hul-v3zXKjfEe59F-VAjuMoYQ5xrgpoimOGj30Q2u-i?key=NAuaR8xMab3dl0xD4y4pSg" alt=""><figcaption></figcaption></figure>

| This connector document should be used along with the [Generic Features of Connectors](https://docs.google.com/document/d/1p-qODOxHwnfLO-M1lag4TLpO2S6cZvq7oz3f-v7DyZU/) document which covers the generic features and settings (Establishing Connection, Connector Parameters, Connector Settings, etc.) of the OvalEdge connectors that are common. This document outlines the specific connector information only. |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

### Connector Characteristics

| Connector Category                           | Integration type                           |
| -------------------------------------------- | ------------------------------------------ |
| Connectivity                                 | AWS Lambda SDK connects to the client AVM. |
| Connector Version                            | Every Version                              |
| AVM Versions Supported                       | All Versions                               |
| OvalEdge Releases Supported (Available from) | 7.0 onwards                                |

### Supported Features

| Crawling of Metadata Objects | Users and Roles |
| ----------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------- |
| Metadata Source                                                                                                                     | From the AVM, we will fetch the Users and Roles |
| Profiling                                                                                                                           | Not Supported                                   |
| Crawling of Query Logs                                                                                                              | Not Supported                                   |
| Data Preview                                                                                                                        | Not Supported                                   |
| Data Lineage                                                                                                                        | Not Supported                                   |
| <p>RDAM (Remote Data Access Management) Support</p><p>More info: <a href="https://support.ovaledge.com/snowflake-rdam">RDAM</a></p> | Not Supported                                   |
| Bridge Support                                                                                                                      | Supported                                       |
| <p>Query Sheet Support </p><p>(Run simple queries)</p>                                                                              | Not Supported                                   |
| Crawl of Usage Statistics (Source System)                                                                                           | Not Supported                                   |
| Certifications at Source (Source System)                                                                                            | Not Supported                                   |

### Prerequisites (Prepare AVM Environment)

The following are the prerequisites required for establishing a connection:

* AVM User Account and Permissions

The minimum permissions required for OvalEdge to validate the AVM connection are GetFunction and InvokeFunction on the Lambda function provided.

Note: Only crawling of Users and roles from the source creates roles and assigns existing users to the roles.

* Configure Environment Variables (Optional)

This section describes the settings or instructions you should know before establishing a connection. If your environments have been configured, skip this step.

For more information, refer to the "[Generic Features of Connectors](https://docs.google.com/document/d/1p-qODOxHwnfLO-M1lag4TLpO2S6cZvq7oz3f-v7DyZU/edit#heading=h.a068g7zhum9t)" document.
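The minimum permissions named above (GetFunction and InvokeFunction on the connector's Lambda function) can be checked before the access key or role is handed to OvalEdge. The following is an added example, not OvalEdge or AWS code: it audits an IAM identity policy document against that minimum. The function ARN, account ID, and both sample policies are constructed values, and the check ignores `Condition` blocks and `Deny` statements.

```python
from fnmatch import fnmatchcase

# Constructed sample values (not from the page): account ID and function name.
FUNCTION_ARN = "arn:aws:lambda:us-west-2:111122223333:function:avm-connector-example"
REQUIRED = {"lambda:getfunction", "lambda:invokefunction"}  # IAM action names are case-insensitive

BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["lambda:GetFunction", "lambda:InvokeFunction"],
     "Resource": FUNCTION_ARN}]}


def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_connector_policy(policy, function_arn):
    """Return findings; an empty list means the policy is exactly the minimum."""
    findings, granted = [], set()
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource makes the grant open-ended")
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        for a in actions:
            if a not in REQUIRED:
                findings.append(f"statement {i}: action '{a}' exceeds the minimum")
        for r in resources:
            if r != function_arn and not r.startswith(function_arn + ":"):
                findings.append(f"statement {i}: resource '{r}' is not scoped to the function")
        # Record which required actions this statement grants on the function.
        if any(fnmatchcase(function_arn, r) for r in resources):
            granted |= {req for req in REQUIRED if any(fnmatchcase(req, a) for a in actions)}
    for req in sorted(REQUIRED - granted):
        findings.append(f"missing required action '{req}' (expect 403: Access denied)")
    return findings


if __name__ == "__main__":
    for name, pol in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, audit_connector_policy(pol, FUNCTION_ARN) or "ok")
```
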

### Establish Connection

In the OvalEdge application, the AVM connector allows you to crawl the buckets and file data objects using IAM User Authentication and Role-Based Authentication.

* IAM User Authentication: AWS Identity and Access Management (IAM) authentication is used to get and invoke the Lambda function. You can create and configure IAM user policies to control user access to Lambda. Each IAM user belongs to one particular user. Establishing a connection requires an access key and a secret key.
* Role-Based Authentication: An Amazon Resource Name (ARN) is a unique identification name for AWS resources such as buckets, folders, users, and roles. In AWS, roles are identified using an ARN, and no Secret Key or Access Key is required. Resource ARNs can include a path.

#### IAM User Authentication

| Fields              | Details                                                                                                                                                     |
| ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Account\*           | It is the name of the AWS account.                                                                                                                          |
| Organization Unit\* | It is the name of the Organization Unit. Organization Unit (OU) is a logical grouping within AWS Organizations that helps manage and organize AWS accounts. |
| Lambda Function\*   | It is the name of the Lambda Function. The Lambda Function is used to automate and manage various aspects of AWS account provisioning and maintenance.      |
| Access key\*        | <p>Unique identifier for AWS authentication.</p><p>Ex: AKIAIOSXXXNN7EXAMPLE</p>                                                                             |
| Secret key\*        | <p>The confidential key paired with the access key for secure access.</p><p>Ex: wJalrXUtnFEMI/K7MDENG/bPxXxXCYEXAMPLEKEY</p>                                |
| Database region\*   | <p>Specifies the AWS region for your data and ETL jobs.</p><p>Ex: us-west-2</p>                                                                             |

#### Role-Based Authentication

| Fields                 | Details                                                                                                                                                                                    |
| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Cross-Account Role ARN | <p>Amazon Resource Name (ARN) of an IAM role in another AWS account that grants permissions for cross-account access.</p><p>Ex: arn:aws:iam::1234567XXXXXX:role/CrossAccountAccessRole</p> |

### Connector Settings

The AVM connector doesn’t have any connector settings.

### Errors & Resolution

| S.No. | Error Message(s)                                                | Description / Resolution                                                                                                                                                                                                                                   |
| ----- | --------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1     | Failed to establish a connection. Please check the credentials. | <p>Error Description: Invalid credentials are provided or the user or role does not have access.</p><p>Resolution: Provide valid credentials and ensure the user or role has access.</p>                                                                   |
| 2     | Connection Timeout                                              | <p>Error Description: Invalid credentials are provided or the server is not running.</p><p>Resolution: Provide valid credentials and ensure the server is running.</p>                                                                                     |
| 3     | 403: Access denied                                              | <p>Error Description: The user or role is unauthorized to perform specific operations like GetFunction and InvokeFunction.</p><p>Resolution: Provide access to the user or role with GetFunction and InvokeFunction on the Lambda Function.</p> |
| 4     | 404: No Such Key                                                | <p>Error Description: The function (FunctionName) being invoked does not exist.</p><p>Resolution: Provide a valid function name in the connection fields and retry.</p> |

### FAQs

Q1: How does OvalEdge connect to AVM?

A: OvalEdge uses the Lambda Function and connects to the AVM.
