# Getting started This section describes how to start using AWS Resilience Hub. This includes creating AWS Identity and Access Management (IAM) permissions for an account. **Topics** + [ # Prerequisites ](prerequisites.md) + [ # Add an application to AWS Resilience Hub ](describe-applicationlication.md) # Prerequisites Before you can use the AWS Resilience Hub, you must complete the following prerequisites: + AWS accounts – Create one or more AWS accounts for each account type (primary/secondary/resource accounts) you want use within AWS Resilience Hub. For more information about creating and managing AWS accounts, see the following: + First time AWS user – [Getting started: Are you a first-time AWS user?](https://docs.aws.amazon.com/accounts/latest/reference/welcome-first-time-user.html) + Managing AWS account – [https://docs.aws.amazon.com/accounts/latest/reference/managing-accounts.html](https://docs.aws.amazon.com/accounts/latest/reference/managing-accounts.html) + AWS Identity and Access Management (IAM) permissions – After creating the AWS accounts, you must configure the required roles and IAM permissions for each of the accounts you have created. For example, if you have created an AWS account to access application resources, you must setup a new role and configure the necessary IAM permissions for AWS Resilience Hub to access the application resources from your account. To learn more about IAM permissions, see [How AWS Resilience Hub works with IAM](security_iam_service-with-iam.md) and for more information about adding a policy to the role, see [Defining trust policy using JSON file](security-iam-resilience-hub-invoker-role.md#security-iam-resilience-define-policy). To get started quickly with adding IAM permissions to users, groups, and roles, you can use our AWS managed policies ([AWS managed policies for AWS Resilience Hub](security-iam-awsmanpol.md)). It is easier to use AWS managed policies to cover common use cases that are available in your AWS account than to write policies yourself. AWS Resilience Hub adds additional permissions to an AWS managed policy to extend support to other AWS services and to include new features. Hence: + If you are an existing customer and if you want your application to use the latest enhancements within your assessment, you must publish a new version of the application and then run a new assessment. For more information, see the following topics: + [Publishing a new AWS Resilience Hub application version](applications-publish.md) + [Running resiliency assessments in AWS Resilience Hub](run-assessment.md) + If you are not using AWS managed policies to assign appropriate IAM permissions to users, groups, and roles, you must manually configure these permissions. For more information about AWS managed policies, see [AWSResilienceHubAsssessmentExecutionPolicy](security-iam-awsmanpol.md#security_iam_aws-assessment-policy). # Add an application to AWS Resilience Hub Add an application AWS Resilience Hub offers resiliency assessment and validation that integrates into your software development lifecycle. AWS Resilience Hub helps you proactively prepare and protect your AWS applications from disruptions by: + Uncovering resiliency weaknesses. + Estimating whether your target recovery time objective (RTO) and recovery point objective (RPO) can be met. + Resolving issues before they are released into production. This section guides you through adding an application. You gather resources from an existing myApplications application, AWS CloudFormation stacks, or AWS Resource Groups and create an appropriate resiliency policy. After describing an application, you can publish it in AWS Resilience Hub, and generate an assessment report on the resiliency of your application. You can then use recommendations from the assessment to improve resiliency. You can run another assessment, compare results, and then iterate until the estimated workload RTO and estimated workload RPO achieves your RTO and RPO targets. **Topics** + [ # Get started by adding an application ](describe-app-intro.md) + [ # Select how this application is managed ](how-app-manage.md) + [ # Add resource collections ](discover-structure.md) + [ # Set RTO and RPO ](setup-resiliency-policy.md) + [ # Setup scheduled assessments and drift notification ](scheduled-assessment.md) + [ # Setup permissions ](setup-permissions.md) + [ # Configure the application configuration parameters ](app-config-param.md) + [ # Add tags ](add-tags.md) + [ # Review and publish your AWS Resilience Hub application ](review-and-publish.md) + [ # Run an assessment of your AWS Resilience Hub application ](run-assessment-start.md) # Get started by adding an application Get started by adding an application Get started with AWS Resilience Hub by describing the details of your AWS application and running a report to assess resiliency. To get started, on the AWS Resilience Hub home page under **Get started**, choose **Add application**. To learn more about costs and billing associated with AWS Resilience Hub, see [AWS Resilience Hub pricing](https://aws.amazon.com/resilience-hub/pricing/). ## Describe the details of your application in AWS Resilience Hub Describe application details This section shows you how to describe the details of your existing AWS application in AWS Resilience Hub. **To describe the details of your application** 1. Enter a name for the application. 1. (Optional) Enter a description for the application. ### Next [Select how this application is managed](how-app-manage.md) # Select how this application is managed Manage your application resources In addition to AWS CloudFormation stacks, AWS Resource Groups, myApplications applications, and Terraform state files, you can add resources that are located on Amazon Elastic Kubernetes Service (Amazon EKS) clusters. That is, AWS Resilience Hub allows you to add resources that are located on your Amazon EKS clusters as optional resources. This section provides the following options, which help you to determine the location of your application resources. + **Resource collections** – Select this option if you want to discover resources from one of the resource collections. Resource collections include AWS CloudFormation stacks, AWS Resource Groups, myApplications applications, and Terraform state files. If you select this option, you must complete one of the procedures in [Add resource collections](discover-structure.md#resource-collection). + **EKS only** – Select this option if you want to discover resources from namespaces within the Amazon EKS clusters. If you select this option, you must complete the procedure in [Add EKS clusters](discover-structure.md#add-eks-clusters) + **Resource collections & EKS** – Select this option if you want to discover resources from AWS CloudFormation stacks, AWS Resource Groups, Terraform state files, and Amazon EKS clusters. If you select this option, complete one of the procedures in [Add resource collections](discover-structure.md#resource-collection) and then complete the procedure in [Add EKS clusters](discover-structure.md#add-eks-clusters). **Note** For information about the number of resources supported per application, see [Service Quotas](https://docs.aws.amazon.com//general/latest/gr/resiliencehub.html#limits_resiliencehub). ## Next [Add resource collections](discover-structure.md) # Add resource collections Add resources to your AWS Resilience Hub application This section discusses the following options that you can use to form the basis of your application structure: + [Add resource collections](#resource-collection) + [Add EKS clusters](#add-eks-clusters) ## Add resource collections This section discusses the following methods that you use to form the basis of your application structure: + [Using AWS CloudFormation stacks](#cloudformation-steps) + [Using AWS Resource Groups](#resource-groups-steps) + [Using myApplications applications](#myApplications-steps) + [Using Terraform state files](#terraformstate-steps) ### Using AWS CloudFormation stacks Choose the AWS CloudFormation stacks that contain the resources you want to use in the application you're describing. The stacks can be from the AWS account that you are using to describe the application, or they can be from different accounts or different Regions. **To discover the resources that form the basis of your application structure** 1. Select **CloudFormation stack** to discover your stack-based resources. 1. Choose stacks from the **Choose stacks** dropdown list that are associated with your AWS account and Region. To use stacks that are in a different AWS account, different Region, or both, choose the right arrow adjacent to **Add stack outside of AWS Region** and enter the Amazon Resource Name (ARN) of the stack in the **Enter a stack ARN** box, and then choose **Add stack ARN**. For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference*. ### Using AWS Resource Groups Choose the AWS Resource Groups that contain the resources that you want to use in the application that you're describing. **To discover the resources that form the basis of your application structure** 1. Select **Resource groups** to discover the AWS Resource Groups that contain the resources. 1. Choose resources from **Choose a resource group** dropdown list. To use AWS Resource Groups that are in a different AWS account, different Region, or both, choose the right arrow adjacent to **Resource Group ARN:** and enter the Amazon Resource Name (ARN) of the AWS Resource Groups in the **Enter a resource group ARN** box, and then choose **Add resource Group ARN**. For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference*. ### Using myApplications applications Choose the myApplications application you want to include in AWS Resilience Hub **To include myApplications application in AWS Resilience Hub** 1. Select **myApplications**. 1. Choose an application from the **Select application** dropdown list. ### Using Terraform state files Choose the Terraform state file that contains your Amazon S3 bucket resources that you want to use in the application you're describing. You can navigate to the location of your Terraform state file or provide a link to a Terraform state file you have access to that’s located in a different Region. **Note** AWS Resilience Hub supports Terraform state file version `0.12` and later. **To discover the resources that form the basis of your application structure** 1. Select **Terraform state files** to discover your S3 bucket resources. 1. From the **Select state files::** section, choose **Browse S3** to navigate to the location of your Terraform state file. To use Terraform state files located in a different Region, provide the link to the location of Terraform state file in the **S3 URI** field, and choose **Add S3 URL**. The limit for Terraform state files is 4 megabytes (MB). 1. From **Choose an archive in S3** dialog box, select your Amazon Simple Storage Service bucket from the **Buckets** section. 1. From the **Objects** section, select a key, and choose **Choose**. ## Add EKS clusters This section discusses about using Amazon EKS clusters to form the basis of your application structure. **Note** You must have Amazon EKS permissions and additional IAM roles to connect to the Amazon EKS cluster. For more information about adding single account and cross-account Amazon EKS permissions and additional IAM roles to connect to the cluster, see the following topics: [AWS Resilience Hub access permissions reference](security-iam-resilience-hub-permissions.md) [Enabling AWS Resilience Hub access to your Amazon Elastic Kubernetes Service cluster](enabling-eks-in-arh.md) Choose the Amazon EKS clusters and namespaces that contain the resources you want to use in the application you're describing. The Amazon EKS clusters can be from the AWS account that you are using to describe the application, or they can be from different accounts or different Regions. **Note** For AWS Resilience Hub to assess your Amazon EKS clusters, you must manually add the relevant namespaces to each of the Amazon EKS clusters in **EKS clusters and namespaces** section. The namespace name must match exactly with the namespace name on your Amazon EKS clusters. **To add Amazon EKS clusters** 1. In **1. Select EKS clusters** section, choose the Amazon EKS clusters from the **Choose EKS clusters** dropdown list that are associated with your AWS account and Region. 1. To use Amazon EKS clusters that are in a different AWS account, different Region, or both, choose the right arrow adjacent to **Add an EKS cluster within a different account or Region** and enter the Amazon Resource Name (ARN) of the Amazon EKS cluster in the **Enter an EKS ARN** box, and then choose **Add EKS ARN**. For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference*. For more information about adding permissions to access cross-Region Amazon Elastic Kubernetes Service clusters, see [Enabling AWS Resilience Hub access to your Amazon Elastic Kubernetes Service cluster](enabling-eks-in-arh.md). **To add namespaces from the selected Amazon EKS clusters** 1. In the **Add namespaces** section, from the **EKS clusters and namespaces** table, select the radio button located at the left of Amazon EKS cluster name, and then choose **Update namespaces**. You can identify Amazon EKS clusters by the following: + **EKS cluster name** – Indicates the name of the selected Amazon EKS clusters. + **\$1 of Namespaces** – Indicates the number of namespaces selected in the Amazon EKS clusters. + **Status** – Indicates whether AWS Resilience Hub has included the namespaces from the selected Amazon EKS clusters in your application. You can identify the status using the following options: + **Namespace required** – Indicates that you have not included any namespaces from the Amazon EKS cluster. + **Namespaces added** – Indicates that you have included one or more namespaces from the Amazon EKS cluster. 1. To add a namespace, in the **Update namespaces** dialog box, choose **Add a new namespace**. The **Update namespaces** dialog box displays all the namespaces that you have selected from your Amazon EKS cluster, as an editable option. 1. In the **Update namespaces** dialog box, you have the following edit options: + To add a new namespace, choose **Add a new namespace**, and then enter the namespace name in **namespace** box. The namespace name must exactly match with the namespace name on your Amazon EKS cluster. + To remove a namespace, choose **Remove** located next to the namespace. + To apply the selected namespaces to all the Amazon EKS clusters, choose **Apply namespaces to all EKS clusters**. If you choose this option, your previous namespace selection in the other Amazon EKS clusters will be overridden with the current namespace selection. 1. To include the updated namespaces in your application, choose **Update**. ### Next [Set RTO and RPO](setup-resiliency-policy.md) # Set RTO and RPO Set RTO and RPO You can define a new resiliency policy with your own RTO/RPO targets, or you can choose an existing resiliency policy with predefined RTO/RPO targets. If you want to use one of the existing resiliency policies, select **Choose an existing policy** option and select an existing target application from the **Option item** drop-down list. **To define your own RTO/RPO targets** 1. Select ** Create a new resiliency policy** option. 1. Enter a name for the resiliency policy in the **Enter policy name** box (under **Name**). We have pre-populated this field with an auto-generated name. You can choose to use the same, or provide a different name. 1. (Optional) Enter a description for the resiliency policy in the **Description** box. 1. Define your RTO/RPO in the **RTO/RPO targets** section. **Note** We have pre-populated a default RTO and RPO for your application. You can change the RTO and RPO now, or after you assess the application. AWS Resilience Hub allows you to enter a value zero in the **RTO** and **RPO** fields of your resiliency policy. But, while assessing your application, the lowest possible assessment result is near zero. Hence, if you enter a value zero in the **RTO** and **RPO** fields, the estimated workload RTO and estimated workload RPO results will be near zero and the **Compliance status** for your application will be set to **Policy breached**. 1. To define RTO/RPO for your infrastructure and AZ, choose the right arrow to expand the **Infrastructure RTO and RPO** section. 1. In **RTO/RPO targets**, enter a numeric value in the box and then choose the unit of time that the value represents for both **RTO** and **RPO**. Repeat these entries for **Infrastructure** and **Availability Zone** in **Infrastructure RTO and RPO** section. 1. (Optional) If you have a multi-Region application and if you want to define a Region RTO and RPO, turn on **Region - Optional**. In **RTO** and **RPO**, enter a numeric value in the box and then choose the unit of time that the value represents for both **RTO** and **RPO**. ## Next [Setup scheduled assessments and drift notification](scheduled-assessment.md) # Setup scheduled assessments and drift notification Setup scheduled assessment and drift notification AWS Resilience Hub allows you to setup scheduled assessments and drift notification for assessing your application daily and getting notified when a drift is detected. **To setup drift notification** 1. To assess your application daily, turn on **Automatically assess daily**. If this option is turned on, the daily assessment schedule begins only after the following: + The application is manually assessed successfully for the first time. + The application is configured with an appropriate IAM role. + If your application is configured with current IAM user permissions, you must create the `AWSResilienceHubAsssessmentExecutionPolicy` role using the appropriate procedure in [How AWS Resilience Hub works with IAM](security_iam_service-with-iam.md). 1. To get notified when AWS Resilience Hub detects any drifts from the resiliency policies, or when its resources have drifted, turn on **Get notified when the application drifts**. If this option is turned on, to receive drift notifications, you must specify an Amazon Simple Notification Service (Amazon SNS) topic. To provide Amazon SNS topic, in **Provide an SNS Topic** section, select **Choose an SNS topic** option and select an Amazon SNS topic from the **Choose an SNS topic** dropdown list. **Note** To enable AWS Resilience Hub to publish notifications to your Amazon SNS topics, your Amazon SNS topic must be configured with appropriate permissions. For more information about configuring permissions, see [Enabling AWS Resilience Hub to publish to your Amazon Simple Notification Service topics](enabling-sns-in-arh.md). Daily assessments can have an impact on your quota for runs. For more information about quotas, see [AWS Resilience Hub endpoints and quotas](https://docs.aws.amazon.com//general/latest/gr/resiliencehub.html) in the *AWS General Reference*. To use Amazon SNS topics that are in a different AWS account or different Region, or both, select **Enter SNS topic ARN** and enter the Amazon Resource Name (ARN) of the Amazon SNS topic in the **Provide an SNS topic** box. For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference*. ## Next [Setup permissions](setup-permissions.md) # Setup permissions Setup permissions AWS Resilience Hub allows you to configure the necessary permissions for **Primary account** and **Secondary account** to discover and assess the resources. However, you must run the procedure separately to configure permissions for each account. **To configure IAM roles and IAM permissions** 1. To select an existing IAM role that will be used for accessing resources in the current account, select an IAM role from the **Select an IAM role** dropdown list. **Note** For a cross account setup, if you do not specify the Amazon Resource Names (ARNs) of the IAM role in the **Enter an IAM role ARN** box, AWS Resilience Hub will use the IAM role you have selected from the **Select an IAM role** dropdown list for all the accounts. If there are no existing IAM roles attached to your account, you can create an IAM role by using one of the following options: + **AWS IAM console** – If you choose this option, you must complete the procedure in **To create your AWS Resilience Hub role in the IAM console**. + **AWS CLI** – If you choose this option, you must complete all the steps in **AWS CLI**. + **CloudFormation template** – If you choose this option, depending on which account type (**Primary account** or **Secondary account**), you must create the roles using the appropriate AWS CloudFormation template. 1. Choose the right arrow to expand **Add IAM role(s) from a cross account - Optional** section. 1. To select IAM roles from a cross account, enter the ARNs of the IAM role in **Enter an IAM role ARN** box. Ensure that the ARNs of the IAM roles you are entering does not belong to the current account. 1. If you want to use current IAM user to discover your application resources, choose the right arrow to expand ** Use the current IAM user permissions** section and select **I understand that I must manually configure permissions to enable the required functionality within AWS Resilience Hub**. If you select this option, some of the AWS Resilience Hub features (such as drift notification) may not function as expected and the inputs you have provided for creating a new application will be ignored. ## Next [Configure the application configuration parameters](app-config-param.md) # Configure the application configuration parameters Configure the application configuration parameters This section allows you to provide the details of your cross-Region failover support using AWS Elastic Disaster Recovery. AWS Resilience Hub will use this information to provide resiliency recommendations. For more information about application configuration parameters, see [Application configuration parameters](app-config.md). **To add application configuration parameters (Optional)** 1. To expand the **Application configuration parameters** section, choose the right arrow. 1. Enter the failover account ID in the **Account ID** box. By default, we have pre-populated this field with your account ID that is used for AWS Resilience Hub, which can be changed. 1. Select a failover Region from the **Region** dropdown list. **Note** If you want to disable this feature, select "**–**" from the dropdown list. ## Next [Add tags](add-tags.md) # Add tags Add tags to your application Assign a tag or label to an AWS resource to search and filter your resources, or track your AWS costs. (Optional) To add tags to your application, choose **Add new tag** if you want to associate one or more tags with the application. For more information about tags, see [Tagging resources](https://docs.aws.amazon.com//general/latest/gr/aws_tagging.html) in the *AWS General Reference*. Choose **Add application** to create your application. ## Next [Review and publish your AWS Resilience Hub application](review-and-publish.md) # Review and publish your AWS Resilience Hub application Review and publish After creating the application, you can still review the application and edit its resources. After you finish, choose **Publish** to publish the application. **Note** AWS Resilience Hub scans your application resources in the background and checks if they can be grouped in a more efficient way that will improve the accuracy of the assessments. If AWS Resilience Hub identifies resources that can be grouped into relevant AppComponents, it displays **Resource grouping recommendations** information alert in the **Application structure** tab of the application page and you can review them by choosing **Review recommendations**. For more information, see [AWS Resilience Hub resource grouping recommendations](grouping-recommendation.md). For more information about reviewing the application and editing its resources, see the following: + [Viewing an AWS Resilience Hub application summary](view-app-summary.md) + [Editing AWS Resilience Hub application resources](application-resources.md) ## Next [Run an assessment of your AWS Resilience Hub application](run-assessment-start.md) # Run an assessment of your AWS Resilience Hub application Run an assessment The application that you published is listed on the **Summary** page. After you publish your AWS Resilience Hub application, you are redirected to the application summary page where you can run a resiliency assessment. The assessment evaluates your application configuration against the resiliency policy that is attached to your application. An assessment report is generated that shows how your application measures against the objectives in your resiliency policy. **To run a resiliency assessment** 1. On the **Applications summary** page, choose **Assess resiliency**. 1. In the **Run resiliency assessment** dialog, enter a unique name for the report or use the generated name in the **Report name** box. 1. Choose **Run**. 1. After you are notified that the assessment report has been generated, choose the **Assessments** tab and your assessment to view the report. 1. Choose the **Review** tab to view your application's assessment report.