Prerequisites for configuring an AWS instance


This section describes the prerequisite tasks that you must complete before you configure an AWS instance for monitoring.


Creating a user with read-only access

To monitor an AWS account, create an IAM user that has read-only access and use its credentials for monitoring.

  1. Log on to the Amazon Web Services console with valid user credentials.
  2. Select Policies > Create policy.
  3. Click the JSON tab and enter the policy document. A policy document has the following general form:

    JSON example
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "StatementId",
          "Effect": "Allow",
          "Action": [
            "Service1:Permission1",
            "Service2:Permission2"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }

    The Version element is the literal string 2012-10-17, which identifies the policy-language version; it is not the date on which you write the policy. The Sid element is optional and, if present, must be alphanumeric.
    Sample for Read Only Access to Amazon Web Services
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "apigateway:GET",
            "application-autoscaling:Describe*",
            "applicationinsights:Describe*",
            "applicationinsights:List*",
            "autoscaling:Describe*",
            "cloudfront:Get*",
            "cloudfront:List*",
            "cloudhsm:Describe*",
            "cloudhsm:Get*",
            "cloudhsm:List*",
            "cloudtrail:Describe*",
            "cloudtrail:Get*",
            "cloudtrail:List*",
            "cloudwatch:Describe*",
            "cloudwatch:Get*",
            "cloudwatch:List*",
            "dynamodb:BatchGet*",
            "dynamodb:Describe*",
            "dynamodb:Get*",
            "dynamodb:List*",
            "dynamodb:Query",
            "dynamodb:Scan",
            "ec2:Describe*",
            "ec2:Get*",
            "ec2:SearchTransitGatewayRoutes",
            "ecs:Describe*",
            "ecs:List*",
            "eks:Describe*",
            "eks:List*",
            "elasticache:Describe*",
            "elasticache:List*",
            "elasticfilesystem:Describe*",
            "elasticloadbalancing:Describe*",
            "elasticmapreduce:Describe*",
            "elasticmapreduce:GetBlockPublicAccessConfiguration",
            "elasticmapreduce:List*",
            "elasticmapreduce:View*",
            "es:Describe*",
            "es:ESHttpGet",
            "es:ESHttpHead",
            "es:Get*",
            "es:List*",
            "iam:Get*",
            "iam:List*",
            "iot:Describe*",
            "iot:Get*",
            "iot:List*",
            "kafka:Describe*",
            "kafka:Get*",
            "kafka:List*",
            "lambda:Get*",
            "lambda:List*",
            "opsworks:Describe*",
            "opsworks:Get*",
            "rds:Describe*",
            "rds:Download*",
            "rds:List*",
            "redshift:Describe*",
            "redshift:View*",
            "route53:Get*",
            "route53:List*",
            "s3:Get*",
            "s3:List*",
            "sns:Get*",
            "sns:List*",
            "sqs:Get*",
            "sqs:List*",
            "storagegateway:Describe*",
            "storagegateway:List*",
            "sts:GetAccessKeyInfo",
            "sts:GetCallerIdentity",
            "sts:GetSessionToken",
            "waf-regional:Get*",
            "waf-regional:List*",
            "waf:Get*",
            "waf:List*"
          ],
          "Resource": "*"
        }
      ]
    }

    The JSON that you enter is validated, and any errors are displayed.

    Every action in this sample is a read, but several of them (s3:Get*, dynamodb:Query, dynamodb:Scan, dynamodb:BatchGet*, rds:Download*, es:ESHttpGet) return resource contents such as object bodies, table items and database log files rather than configuration metadata, and with Resource set to "*" they apply to every resource in the account. Review the list against what your monitoring deployment actually collects before you attach it.

  4. Click Next: Tags.
    For more information, see Creating a new policy.

  5. (Optional) Add tags. Tags are key–value pairs that you attach to AWS resources to help identify, organize, or search for them.
  6. Click Next: Review.
  7. Enter a name for the policy.
    For example, aws-monitor-policy.
  8. Review the policy details and click Create Policy.
  9. To create a user to use for monitoring, perform the following actions:
    1. Go to Users > Add Users.
    2. In the User name field, enter the user name for the new IAM account.
       For example, aws-monitor-user.
    3. Under Select AWS access type, select Programmatic access.
    4. Click Next: Permissions.
    5. Select Attach existing policies directly.
    6. In the Filter box, search for the policy that you created in the previous step (aws-monitor-policy) and select it.
    7. Click Next: Tags and then click Next: Review.
    8. Click Create User.
       The policy (aws-monitor-policy) is associated with the newly created IAM user (aws-monitor-user).
    9. Note down the access key ID and the secret access key.
       The secret access key is displayed only at this point. Store both values in a secrets manager or password vault rather than in a plain-text file: anyone who holds them can read every resource that the policy covers.

      Tip

      Click Download .csv to download the access key ID and the secret access key of the newly added user. Protect or delete the downloaded file after you have stored the values.
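The following Python script is an added example for this page; it is not part of the monitoring product or of AWS, and it does not call any AWS API. It checks a policy document offline, before you paste it into the console: it verifies that Version is the literal IAM requires, flags any allowed action whose verb is not a read, and lists the read actions that return data rather than configuration. The two embedded policies are constructed for the example (a subset of the actions in the sample above, and a deliberately broken document that uses the template's placeholder Version together with a write action), and the read-verb list is the editor's heuristic, not an AWS-published classification.

```python
"""Offline lint for a 'read-only' IAM monitoring policy (added example, not vendor code)."""
import json

# Verb prefixes treated as read-only.  Editor's assumption, not an AWS-published list.
# Compared case-insensitively because API Gateway uses "apigateway:GET".
READ_VERBS = ("describe", "get", "list", "view", "search", "batchget",
              "query", "scan", "download", "eshttpget", "eshttphead")

# Read actions that return resource *contents* rather than configuration metadata.
# With Resource "*" they let the monitoring user read every S3 object, DynamoDB item
# and RDS log file in the account.
DATA_PLANE_ACTIONS = {"s3:Get*", "s3:GetObject", "dynamodb:Get*", "dynamodb:BatchGet*",
                      "dynamodb:Query", "dynamodb:Scan", "rds:Download*", "es:ESHttpGet"}


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json):
    """Return findings for one policy document given as a JSON string."""
    policy = json.loads(policy_json)
    findings = {
        "version_ok": policy.get("Version") == "2012-10-17",
        "write_actions": [],        # allowed actions that are not read verbs
        "data_plane_actions": [],   # read actions that return data, not metadata
        "wildcard_resource": False,
    }
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Resource")):
            findings["wildcard_resource"] = True
        for action in _as_list(stmt.get("Action")):
            service, _, verb = action.partition(":")
            # "*", "s3:*" and anything not starting with a read verb is a write grant.
            if not service or verb in ("", "*") or not verb.lower().startswith(READ_VERBS):
                findings["write_actions"].append(action)
            if action in DATA_PLANE_ACTIONS:
                findings["data_plane_actions"].append(action)
    findings["read_only"] = findings["version_ok"] and not findings["write_actions"]
    return findings


# Constructed subset of the page's read-only sample (same shape, fewer actions).
MONITOR_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["apigateway:GET", "autoscaling:Describe*", "cloudwatch:Get*",
                   "dynamodb:Scan", "ec2:Describe*", "ec2:SearchTransitGatewayRoutes",
                   "rds:Download*", "s3:Get*", "s3:List*", "sts:GetCallerIdentity"],
        "Resource": "*",
    }],
})

# Constructed document with the template's placeholder Version and one write action.
BROKEN_POLICY = json.dumps({
    "Version": "yyyy-mm-dd",
    "Statement": {"Effect": "Allow", "Action": ["s3:Get*", "s3:PutObject"], "Resource": "*"},
})

if __name__ == "__main__":
    for name, document in (("monitor", MONITOR_POLICY), ("broken", BROKEN_POLICY)):
        print(name, json.dumps(lint_policy(document), indent=2))
```

Run the script against the policy you are about to attach; a non-empty write_actions list or a false version_ok means the document should not be used as a read-only monitoring policy, and the data_plane_actions list tells you which grants expose data as well as configuration.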

Monitoring multiple AWS accounts

You can monitor multiple AWS accounts by designating one account as the main, or trusted, account. The monitoring user in the main account retrieves data from the other accounts, called trusting accounts, by assuming a cross-account role in each of them: the trusting account owns the role and its read-only permissions, and trusts the main account's monitoring user to assume it.

Configure the main, trusted account as described in the Monitoring single AWS account topic.

Then perform the following steps for every additional, trusting account from which the main account must retrieve data.


Step 1

Obtain and note down the account IDs of the main account and of each additional account.

You enter the main account ID in the trust relationship of the cross-account role that you create in each additional account (step 3). You enter each additional account ID in the assume-role policy that you create in the main account (step 4).

In the AWS Management Console header, click the account name and select My Account.

The Account Settings information displays the Account ID.

Step 2

In each additional, trusting AWS account, create a policy (aws-monitor-trusting-policy) that grants the read-only permissions that the cross-account role in that account will carry. IAM policies are scoped to the account in which they are created, so this policy must exist in the trusting account, where the role is created in step 3.

  1. Select Policies > Create policy.
  2. Click the JSON tab and enter the following JSON example:

    Sample for Read Only Access to Amazon Web Services
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "apigateway:GET",
            "application-autoscaling:Describe*",
            "applicationinsights:Describe*",
            "applicationinsights:List*",
            "autoscaling:Describe*",
            "cloudfront:Get*",
            "cloudfront:List*",
            "cloudhsm:Describe*",
            "cloudhsm:Get*",
            "cloudhsm:List*",
            "cloudtrail:Describe*",
            "cloudtrail:Get*",
            "cloudtrail:List*",
            "cloudwatch:Describe*",
            "cloudwatch:Get*",
            "cloudwatch:List*",
            "dynamodb:BatchGet*",
            "dynamodb:Describe*",
            "dynamodb:Get*",
            "dynamodb:List*",
            "dynamodb:Query",
            "dynamodb:Scan",
            "ec2:Describe*",
            "ec2:Get*",
            "ec2:SearchTransitGatewayRoutes",
            "ecs:Describe*",
            "ecs:List*",
            "eks:Describe*",
            "eks:List*",
            "elasticache:Describe*",
            "elasticache:List*",
            "elasticfilesystem:Describe*",
            "elasticloadbalancing:Describe*",
            "elasticmapreduce:Describe*",
            "elasticmapreduce:GetBlockPublicAccessConfiguration",
            "elasticmapreduce:List*",
            "elasticmapreduce:View*",
            "es:Describe*",
            "es:ESHttpGet",
            "es:ESHttpHead",
            "es:Get*",
            "es:List*",
            "iam:Get*",
            "iam:List*",
            "iot:Describe*",
            "iot:Get*",
            "iot:List*",
            "kafka:Describe*",
            "kafka:Get*",
            "kafka:List*",
            "lambda:Get*",
            "lambda:List*",
            "opsworks:Describe*",
            "opsworks:Get*",
            "rds:Describe*",
            "rds:Download*",
            "rds:List*",
            "redshift:Describe*",
            "redshift:View*",
            "route53:Get*",
            "route53:List*",
            "s3:Get*",
            "s3:List*",
            "sns:Get*",
            "sns:List*",
            "sqs:Get*",
            "sqs:List*",
            "storagegateway:Describe*",
            "storagegateway:List*",
            "sts:GetAccessKeyInfo",
            "sts:GetCallerIdentity",
            "sts:GetSessionToken",
            "waf-regional:Get*",
            "waf-regional:List*",
            "waf:Get*",
            "waf:List*"
          ],
          "Resource": "*"
        }
      ]
    }


    The JSON that you enter is validated, and any errors are displayed.

  3. Click Next: Tags.
    For more information, see Creating a new policy.

  4. (Optional) Add tags. Tags are key–value pairs that you attach to AWS resources to help identify, organize, or search for them.
  5. Click Next: Review.
  6. Enter a name for the policy.
    For example, aws-monitor-trusting-policy.
  7. Review the policy details and click Create Policy.

Step 3

In each trusting account, create a cross-account access role (aws-cross-account-role).

This role lets the monitoring user in the main, trusted account (aws-monitor-user) assume read-only access to the AWS services in the trusting account, and lets you switch roles into that account in the console.

  1. Click Roles > Create role.
  2. Select Another AWS account.
  3. Enter the account ID of the main AWS account.
  4. Click Next: Permissions.
  5. Search for the policy that you created in step 2 (aws-monitor-trusting-policy), select it, and click Next: Tags.
  6. Click Next: Review.
  7. Enter the role name as aws-cross-account-role and click Create role.
    The role is created.
  8. Click the role.
  9. On the Trust relationships tab, click Edit trust relationship.
  10. In the Principal element, replace "root" with user/aws-monitor-user, so that the principal reads arn:aws:iam::MAIN_ACCOUNT_ID:user/aws-monitor-user (where MAIN_ACCOUNT_ID is the ID that you entered in substep 3).
    As generated, the trust policy names the main account root, which allows any principal in the main account that holds sts:AssumeRole permission to assume this role. Narrowing it to the monitoring user means that only that user can.
  11. Click Update Trust Policy to save the changes.

Step 4

In the main, trusted AWS account, create a policy file (aws-assume-role-policy.json) that lists the cross-account role of each additional account. If you are configuring the first additional AWS account, create the file. Otherwise, update the existing file with the details of the additional AWS account.

Information

A single policy file can include details of all the additional AWS accounts.

To create a policy file

  1. Open a new file in any text editor, such as Notepad.
  2. Copy the following content in the file and replace ADDITIONAL_ACCOUNT_ID with the account ID of the additional account that you obtained in step 1.

    {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "Stmt1500499562000",
               "Effect": "Allow",
               "Action": [
                   "sts:AssumeRole"
                ],
               "Resource": [
                   "arn:aws:iam::ADDITIONAL_ACCOUNT_ID:role/aws-cross-account-role"
                ]
           }
        ]
    }
  3. Save the file as aws-assume-role-policy.json.

To update an existing policy file

  1. In the JSON file that you created (aws-assume-role-policy.json), add the role ARN of the next additional account to the Resource list on a new line, separated from the previous entry by a comma.

    {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "Stmt1500499562000",
               "Effect": "Allow",
               "Action": [
                   "sts:AssumeRole"
                ],
               "Resource": [
                   "arn:aws:iam::ADDITIONAL_ACCOUNT_ID1:role/aws-cross-account-role",
                   "arn:aws:iam::ADDITIONAL_ACCOUNT_ID2:role/aws-cross-account-role"
                ]
           }
        ]
    }
  2. Save the file.

Step 5

Attach the policy (aws-assume-role-policy.json) that lists the additional AWS accounts to the monitoring user in the main AWS account.

  1. Select the IAM service and select Users.
  2. Select the IAM user (aws-monitor-user) that you created in the Creating a user with read-only access section.
  3. On the Summary page, select the Permissions tab and click Add inline policy.
  4. Click the JSON tab and enter the contents of the policy file (aws-assume-role-policy.json).
  5. On the Review Policy page, enter a name for the policy (aws-assume-role).
  6. Click Create Policy.
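The following Python functions are an added example for this page; they are not the monitoring product's code and they do not call AWS or write files. They generate the two documents that steps 3 and 4 above produce by hand: the trust policy that aws-cross-account-role should carry after its principal is narrowed from the main account root to aws-monitor-user, and the aws-assume-role-policy.json document for the main account, with each additional account's role ARN added exactly once, so the same function covers both the "create a policy file" and the "update an existing policy file" cases. The account IDs and the Sid value are constructed placeholders.

```python
"""Generate the cross-account trust and assume-role policy documents (added example)."""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")   # AWS account IDs are exactly 12 digits


def _check_account_id(account_id):
    """Reject anything that is not a 12-digit account ID before it lands in an ARN."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return account_id


def trust_policy(main_account_id, user_name="aws-monitor-user"):
    """Trust policy for aws-cross-account-role in a trusting account (step 3).

    The console's 'Another AWS account' option generates the principal
    arn:aws:iam::MAIN:root, which lets any principal in the main account that holds
    sts:AssumeRole take the role.  Step 3.10 narrows it to the one monitoring user.
    """
    main = _check_account_id(main_account_id)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{main}:user/{user_name}"},
            "Action": "sts:AssumeRole",
        }],
    }


def assume_role_policy(additional_account_ids, role_name="aws-cross-account-role",
                       existing=None):
    """aws-assume-role-policy.json for the monitoring user in the main account (step 4).

    `existing` is a previously generated document (dict); its role ARNs are kept and
    the new accounts are appended without duplicates, which is the page's
    'update an existing policy file' case.
    """
    arns = []
    if existing:
        for stmt in existing["Statement"]:
            resource = stmt["Resource"]
            arns.extend(resource if isinstance(resource, list) else [resource])
    for account_id in additional_account_ids:
        arn = f"arn:aws:iam::{_check_account_id(account_id)}:role/{role_name}"
        if arn not in arns:
            arns.append(arn)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAssumeMonitoringRole",   # free-text statement ID, chosen here
            "Effect": "Allow",
            "Action": ["sts:AssumeRole"],
            "Resource": arns,
        }],
    }


# Constructed placeholder IDs for illustration only.
MAIN_ACCOUNT = "111111111111"
ADDITIONAL_ACCOUNTS = ["222222222222", "333333333333"]

if __name__ == "__main__":
    print(json.dumps(trust_policy(MAIN_ACCOUNT), indent=2))
    first = assume_role_policy(ADDITIONAL_ACCOUNTS[:1])               # first account
    print(json.dumps(assume_role_policy(ADDITIONAL_ACCOUNTS[1:], existing=first), indent=2))
```

Paste the output of trust_policy into the Edit trust relationship editor of the role in each trusting account, and the output of assume_role_policy into the inline policy of aws-monitor-user in the main account; the 12-digit check catches a copied account ID that lost a leading zero, which would otherwise produce a valid-looking ARN for the wrong account.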

 

In a firewall or proxy-enabled environment, allow outbound HTTPS (TCP 443) to the following AWS service endpoints:

  • https://monitoring.<region>.amazonaws.com/
  • https://ec2.<region>.amazonaws.com/
  • https://autoscaling.<region>.amazonaws.com/
  • https://sts.<region>.amazonaws.com/
  • https://ec2.amazonaws.com/
  • https://iam.amazonaws.com/

where <region> is the AWS region that you monitor. The AWS SDKs call these endpoints over TLS on port 443, so rules that allow only plain http:// do not cover this traffic. For more information about regions, see Regions and Availability Zones.

Enabling Elastic Kubernetes Service monitoring

To enable Amazon Elastic Kubernetes Service (EKS) monitoring, do the following:

  1. Install the following:
    AWS CLI
    kubectl

  2. To enable metrics collection in CloudWatch, perform the steps on the following page as an administrator:
    Container insights
    If you skip this step, the Status attributes in the Amazon EKS Cluster and Amazon EKS Node Group container classes are still discovered, but no attributes are discovered in the Namespace container class.

  3. To verify that kubectl can reach the Kubernetes cluster, run the following command (for example, in Windows PowerShell):

    kubectl get svc

 
