Using AWS VPC Traffic Mirrors

To set up a traffic mirroring session please review Working With AWS Traffic Mirroring. Additional information is available on the AWS News Blog.

Creating AWS IAM Role for Custom Tag Support

To enable support for AWS Custom Tags, the EC2 instance must have additional AWS permissions that are not enabled by default. The permissions granted by this IAM roles are read-only and will only apply to the EC2 instance itself. The EC2 instance needs permission to read its own tags so it can report them to the SaaS console. The step-by-step instructions for creating these permissions is below.

  1. First, go to your AWS Console and select the IAM service. Now click on create role.

  1. Choose which service will use the role. This will be EC2. This click the Next:Permissions at the bottom of the page.

  2. Now you will create a new policy which grants the appropriate permissions. Click on “Create Policy”. This will spawn a new tab, so remember to come back to this tab when creation is complete.

  1. On the create policy screen, select the JSON tab. You will be pasting in the JSON config below. Then select review policy.



“Version”: “2012-10-17”,

“Statement”: [


“Effect”: “Allow”,

“Action”: [



“Resource”: “*”




  1. Now give your policy a name and a description; then click create policy.

  1. Remember after creating the policy, go BACK to your Role Creation tab to continue.

  2. Now, refresh the policies by clicking the circular arrows on the right. Then search for your newly created policy, here Nubeva-Describe-Instances. Select this then click Next:Tags at the bottom right

  1. You can add any tags that you like this will not impact how Nubeva operates or read EC2 instance AWS custom tags.

  2. Now give your role a name, and save it.

  1. The final step is to associate this IAM role with an EC2 instance. You can do this any number of ways via the CLI or automation tools. In the GUI, go back to the EC2 console and select the EC2 instance that needs this new role. Then select, Actions - Instance Settings - Attach/Replace IAM Role

  1. Choose your newly created role and hit apply. You should receive a green success message.

  1. Now, this IAM role will be attached to the EC2 instance and will be visible on the EC2 console details for this host.