Prerequisites for configuring AWS instance

This section describes the prerequisites that you must perform before you configure an AWS instance.

The following topics are provided:


Creating a monitor policy and a user for the monitoring account

Perform these steps in one of the following conditions:

  • You want to monitor an AWS account
  • You want to monitor all the trusting accounts by using the trusted accounts. Perform these steps for the main, trusted account
  • You want to monitor all member accounts in the organization by using management account

These steps need to be performed on the account that you are monitoring or the trusted or management account.

If you want to monitor an AWS, create a user with read-only access.

  1. Log on to the Amazon Web Services with valid user credentials.
  2. Select Policies > Create policy.

  3. Click the JSON tab and enter the following JSON example:

    JSON example
    {
    "Version": "yyyy-mm-dd",
    "Statement": [      
    {
    "Sid": "Statement Id",
    "Effect": "Allow",
    "Action": [  
              "Service1:Permission1",
              "Service2:Permission2"
              ],
    "Resource": [
                 "*"          
                ]      
          }
        ]
    }
    Sample for Read Only Access to Amazon Web Services
    {
      "Version":"2012-10-17",
      "Statement": [
       {
        "Effect": "Allow",          
        "Action": [
    "apigateway:GET",
        "application-autoscaling:Describe*",
    "applicationinsights:Describe*",
    "applicationinsights:List*",          
    "autoscaling:Describe*",          
    "cloudfront:Get*",
    "cloudfront:List*",
    "cloudhsm:Describe*",
    "cloudhsm:Get*",
    "cloudhsm:List*",
    "cloudtrail:Describe*",
    "cloudtrail:Get*",
    "cloudtrail:List*",
    "cloudwatch:Describe*",
    "cloudwatch:Get*",
    "cloudwatch:List*",
        "codebuild:List*",
    "codebuild:BatchGet*",
    "dynamodb:BatchGet*",
    "dynamodb:Describe*",
    "dynamodb:Get*",
    "dynamodb:List*",
    "dynamodb:Query",
    "dynamodb:Scan",
    "ec2:Describe*",
    "ec2:Get*",
    "ec2:SearchTransitGatewayRoutes",
    "ecs:Describe*",
    "ecs:List*",
    "eks:Describe*",
    "eks:List*",
        "elasticbeanstalk:Describe*",
    "elasticbeanstalk:List*",
    "elasticbeanstalk:Request*",
    "elasticache:Describe*",
    "elasticache:List*",
    "elasticfilesystem:Describe*",
    "elasticloadbalancing:Describe*",
    "elasticmapreduce:Describe*",
    "elasticmapreduce:GetBlockPublicAccessConfiguration",
    "elasticmapreduce:List*",
    "elasticmapreduce:View*",
    "es:Describe*",
    "es:ESHttpGet",
    "es:ESHttpHead",
    "es:Get*",
    "es:List*",
    "iam:Get*",
    "iam:List*",
    "iot:Describe*",
    "iot:Get*",
    "iot:List*",
    "kafka:Describe*",
    "kafka:Get*",
    "kafka:List*",
    "kinesis:Describe*",
        "kinesis:Get*",
    "kinesis:List*",
    "lambda:Get*",
    "lambda:List*",
    "opsworks:Describe*",
    "opsworks:Get*",
    "rds:Describe*",
    "rds:Download*",
    "rds:List*",
    "redshift:Describe*",
    "redshift:View*",
    "route53:Get*",
    "route53:List*",
    "s3:Get*",
    "s3:List*",
    "sns:Get*",
    "sns:List*",
    "sqs:Get*",
    "sqs:List*",
    "storagegateway:Describe*",
    "storagegateway:List*",
    "sts:GetAccessKeyInfo",
    "sts:GetCallerIdentity",
    "sts:GetSessionToken",
    "waf-regional:Get*",
    "waf-regional:List*",
    "waf:Get*",
    "waf:List*"
    ],
             
    "Resource": "*"


       }
      ]
    }

    JSON that you enter is validated and errors are displayed, if any.

  4. Click Next: Tags.
    For more information, see Creating a new policy

  5. (Optional) Add tags (key–value pairs) that you can add to AWS resources to help identify, organize, or search for resources.
  6. Click Next: Review.
  7. Enter a name and description for the policy.
    For example, aws-monitor-policy.
  8. Review the policy details and click Create Policy.
  9. To create a user to use for monitoring, perform the following actions:
    1. Go to Users > Add Users.
    2. In the User name field, enter the user name for the main user.
      For example, aws-monitor-user.
    3. Under Select AWS access type, select Programmatic access.
      AWS_AddingUser.png
    4. Click Next: Permissions.
    5. Select Attach existing policies directly.
    6. In the Filter box, search for the policy that you created in the previous step (aws-monitor-policy) and select it.
      AWS_ApplyingPolicyToUser.png
    7. Click Next: Tags and then click Next: Review.
    8. Click Create User.
      The policy (aws-monitor-policy) is associated with the newly created IAM user (aws-monitor-user).

    9. Note down the access key ID and the secret access key.
      You need to provide these details while configuring the policy to monitor your AWS environment.

      Tip

      Click Download .csv to download the access key ID and the secret key of the newly added user.

  10. (Applicable to multi-account monitoring) If you plan to monitor multiple accounts and associate these accounts with a main account for monitoring, note the account ID of the main account by performing the following steps:

    1. In the AWS Management Console header, click the account name and select My Account.
      AccountID.png
    1. Note the Account Id from the Account Settings page.
      AccountSettings.png
      You need to provide the account ID of the main account while configuring multiple Amazon Web Services accounts and to associate them with the main account.


Monitoring multiple AWS accounts

The following diagram helps you understand how to manage multiple accounts in an organization unit using a single account.

AWS Prerequisites.png

You can monitor multiple accounts by using a single account that is considered as the trusted or management account (in case of AWS organization). The trusted or management account is responsible for retrieving data from other accounts.

Step

Where to perform

Action

Details

1

Additional, trusting or member accounts

Configure a policy to specify permissions

  1. Select Policies > Create policy.

  2. Click the JSON tab and enter the following JSON example:

    Sample for Read Only Access to Amazon Web Services
    {
      "Version":"2012-10-17",
      "Statement": [
       {
        "Effect": "Allow",          
        "Action": [
    "apigateway:GET",
        "application-autoscaling:Describe*",
    "applicationinsights:Describe*",
    "applicationinsights:List*",          
    "autoscaling:Describe*",          
    "cloudfront:Get*",
    "cloudfront:List*",
    "cloudhsm:Describe*",
    "cloudhsm:Get*",
    "cloudhsm:List*",
    "cloudtrail:Describe*",
    "cloudtrail:Get*",
    "cloudtrail:List*",
    "cloudwatch:Describe*",
    "cloudwatch:Get*",
    "cloudwatch:List*",
    "dynamodb:BatchGet*",
    "dynamodb:Describe*",
    "dynamodb:Get*",
    "dynamodb:List*",
    "dynamodb:Query",
    "dynamodb:Scan",
    "ec2:Describe*",
    "ec2:Get*",
    "ec2:SearchTransitGatewayRoutes",
    "ecs:Describe*",
    "ecs:List*",
    "eks:Describe*",
    "eks:List*",
        "elasticbeanstalk:Describe*",
    "elasticbeanstalk:List*",
    "elasticbeanstalk:Request*",
    "elasticache:Describe*",
    "elasticache:List*",
    "elasticfilesystem:Describe*",
    "elasticloadbalancing:Describe*",
    "elasticmapreduce:Describe*",
    "elasticmapreduce:GetBlockPublicAccessConfiguration",
    "elasticmapreduce:List*",
    "elasticmapreduce:View*",
    "es:Describe*",
    "es:ESHttpGet",
    "es:ESHttpHead",
    "es:Get*",
    "es:List*",
    "iam:Get*",
    "iam:List*",
    "iot:Describe*",
    "iot:Get*",
    "iot:List*",
    "kafka:Describe*",
    "kafka:Get*",
    "kafka:List*",
    "kinesis:Describe*",
        "kinesis:Get*",
    "kinesis:List*",
    "lambda:Get*",
    "lambda:List*",
    "opsworks:Describe*",
    "opsworks:Get*",
    "rds:Describe*",
    "rds:Download*",
    "rds:List*",
    "redshift:Describe*",
    "redshift:View*",
    "route53:Get*",
    "route53:List*",
    "s3:Get*",
    "s3:List*",
    "sns:Get*",
    "sns:List*",
    "sqs:Get*",
    "sqs:List*",
    "storagegateway:Describe*",
    "storagegateway:List*",
    "sts:GetAccessKeyInfo",
    "sts:GetCallerIdentity",
    "sts:GetSessionToken",
    "waf-regional:Get*",
    "waf-regional:List*",
    "waf:Get*",
    "waf:List*"
    ],
             
    "Resource": "*"


       }
      ]
    }

    JSON that you enter is validated and errors are displayed, if any.

  3. Click Next: Tags.
  4. (Optional) Add tags (key–value pairs) that you can add to AWS resources to help identify, organize, or search for resources.
  5. Click Next: Review.
  6. Enter a name for the policy.
    For example, aws-monitor-trusting-policy1.
  7. Review the policy details and click Create Policy.

2

Additional, trusting or member accounts

Create a cross account role
This step enables the primary account user (aws-monitor-user) to have federated read-only access to the Amazon Web Services in the additional accounts, and to enable account switching.

  1. Click Roles > Create role.
  2. Select Another AWS account.
  3. Enter the account ID of the primary Amazon Web Services account. You would have noted the account ID of the primary account while setting up the primary account for Amazon Web Services monitoring.
  4. Click Next: Permissions.
  5. Search for the policy that you created in Step 2 (for example, aws-monitor-trusting-policy1) in the Filter policies search box, and select the policy.
  6. Click Next: Tags.
  7. Click Next: Review.
  8. Enter the role name.
    For example, aws-cross-account-role1.
  9. Click Create role
    The role is created.
  1. Click the role.
  2. Note the Role ARN.

3

Main, trusted and management account

Associate the primary account with additional, trusting accounts.
This step enables the main account user (aws-monitor-user) to have federated read-only access to the Amazon Web Services in the additional accounts, and to enable account switching.

Perform one of the following actions to include the additional account details in the main account.

Notes

  • If you are configuring the first additional AWS account, you need to create a policy file. Else, you need to update the existing file with the additional account details.
  • A single policy file can include details of all the additional Amazon Web Services accounts.

  • Create a new policy

    Click here to expand...
    1. Go to IAM > Users.
    2. Select the IAM user that you created for the primary account. For example, aws-monitor-user.
    3. On the Summary page, select the Permissions tab, and click Add inline policy.

    4. Click theJSON tab and enter the following details. Replace the Role ARN with the actual ARN details of the additional accounts that you want to monitor.

      {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "Stmt1500499562000",
                 "Effect": "Allow",
                 "Action": [
                     "sts:AssumeRole"
                  ],
                 "Resource": [
                     "Role ARN"
                  ]
             }
          ]
      }

      Example

      If there are three additional Amazon Web Services accounts that you plan to associate with the main Amazon Web Services account, the Resource section will look like this:

       "Resource": [
                      "Role_ARN_Account_1",

      "Role_ARN_Account_2",

      "Role_ARN_Account_3"
                   ]

      For an organization, you can use the following:

         "Resource":  [

                                  "arn:aws:iam::*:role/Monitoring_Role_Name"

                               ]

    5. Click Review policy.
    6. Enter a name for the inline policy.
      For example, aws-assume-role.
    7. Click Create policy.

  • Update an existing policy

    Click here to expand...
    1. Go to IAM > Users.
    2. Select the IAM user that you created for the primary account. For example, aws-monitor-user.
    3. Locate the inline policy associated with this user. For example, aws-assume-role.
    1. Click the policy to view its details.
    2. Click Edit policy.

    3. Click the JSON tab, and append the Role ARNs of the additional accounts in the Resource section as shown in the following example:

      {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "Stmt1500499562000",
                 "Effect": "Allow",
                 "Action": [
                     "sts:AssumeRole"
                  ],
                 "Resource": [
                     "Role_ARN_Account_1",
                     "Role_ARN_Account_2",
                     "Role_ARN_Account_3"
                  ]
             }
          ]
      }
    4. Click Review policy.
    5. Click Save changes.


In a firewall or a proxy-enabled environment, the following AWS services endpoints must be allowed:

  • http://monitoring.<region>.amazonaws.com/
  • http://ec2.<region>.amazonaws.com/
  • http://autoscaling.<region>.amazonaws.com/
  • http://sts.<region>.amazonaws.com/
  • http://ec2.amazonaws.com/
  • http://iam.amazonaws.com/

where <region> is one of the regions in AWS. For more information about regions, see Regions and Availability Zones.

Enabling Elastic Beanstalk service monitoring

To enable the monitoring of Elastic Beanstalk, do the following:

  1. Open the Elastic Beanstalk console, and from the Regions list, select your AWS region.
  2. In the navigation pane, click Environments, and then select the name of your environment.
  3. In the navigation pane, click Configuration.
  4. From the Monitoring configuration category, select Edit.
  5. In Health reporting, select the instance and environment metrics to publish to CloudWatch.
  6. To select multiple metrics, press the Ctrl key while choosing.
  7. Click Apply.

For more information, see AWS documentation..

Enabling Elastic Kubernetes Service monitoring

To enable the Elastic Kubernetes service monitoring, do the following:

  1. Install the following:
    AWS CLI
    kubectl

  2. To enable metrics collections in CloudWatch, perform the steps mentioned on the following page as an administrator:
    Container insights
    If you skip this step, the Status attributes in the Amazon EKS Cluster and Amazon EKS Node Group container classes are still discovered and no attributes are discovered in the Namespace container class.

  3. To ensure that Kubernetes cluster is created, run the following command on Windows PowerShell:

    kubectl get svc

Enabling Container Insights for ECS

To enable Container Insights on Amazon ECS clusters, see Enable Container Insights.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*