How do I monitor AWS using role-based access?

This topic applies to Dynatrace Managed installations only.

For details about using key-based access to monitor AWS infrastructure, please see How do I start Amazon Web Services monitoring?

To monitor target instances of AWS infrastructure with Dynatrace Managed using role-based permissions, you must have a Security Gateway installed that can assume a role within the target AWS account; that role grants read access to the monitoring data Dynatrace Managed needs. For security reasons, the Security Gateway first assumes an additional internal role ("proxy") in the source account before it assumes the target role in a follow-up step.

The high-level steps involved in preparing your AWS environment are described below.

Before you begin

What you need

  • Your Amazon Web Services source account ID within which your Dynatrace Managed servers run.
  • The name of the role with which your Dynatrace Managed Server (or public Security Gateway) was started.
  • The Amazon Web Services target account ID of the account you want to monitor.

Step 1. Create a cross-account access role in the source account

To create a cross-account access role in the source account

  1. Log in to the source AWS account.
  2. Go to IAM in your AWS Console.
  3. Go to Roles and create a new role called roleXassume.
  4. Select Role for Cross-Account Access, then Provide access between AWS accounts you own.
  5. Enter the source AWS account ID (i.e., cross-account access on the same account).
  6. Skip the step for attaching an existing policy. Proceed to the next step.
  7. On the Review page, click Create Role.
  8. Select the newly created role and click the Permissions tab.
  9. Under Permissions, expand Inline Policies, and create a new inline policy (follow the Click here link).
  10. Under Set Permissions, select Custom Policy.
  11. Create the policy with the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "*"
    }
  ]
}
  12. Once the roleXassume role is created, select the role in the IAM roles section and click the Trust Relationships tab.
  13. Click Edit Trust Relationships and change the trust policy. For security reasons, the default trust policy must be restricted so that only the calling PSG role (the role your Dynatrace Managed Server or public Security Gateway runs with, in the source account) may assume roleXassume. Note that a trust policy names the allowed caller in Principal, not in Resource:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "arn:aws:iam::<12 digit source account number>:role/<role name of the Dynatrace Managed PSG>"
      }
    }
  ]
}

Note: If you don't know which roles the monitored target accounts will use, you can widen the principal filter (e.g., to list multiple roles). You may also use a wildcard (*) as the principal. Note however that this allows any role available in the source account to assume roleXassume. In such cases, consider using a separate "proxy" account for greater security.

Step 2. Modify the role policy for Dynatrace Managed Server

To modify the role policy for Dynatrace Managed Server

  1. Log in to the source AWS account (if you have not already done so in Step 1).
  2. Go to IAM in your AWS Console.
  3. Select the role with which your Dynatrace Managed Server is started and go to the Permissions tab.
  4. Under Permissions, expand Inline Policies, and create a new inline policy (follow the click here link).
  5. Under Set Permissions, select Custom Policy.
  6. Create the policy with the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::<12 digit source account number>:role/roleXassume"
    }
  ]
}

Note: The roleXassume role in the policy must match the policy you created earlier.

Step 3. Add configuration settings

  1. On Dynatrace Managed Security Gateway, change the config.properties section:
[vertical.topology]
aws_proxy_account = <12 digit source account number>
aws_proxy_role = roleXassume

Note: The aws_proxy_role value must match the name of the roleXassume role you created in Step 1, and aws_proxy_account must be the source account in which that role exists.

Step 4. Create a cross-account access role in the target AWS account

Here you will create a cross-account role again, though this time the trust is established with a different account (your source account) rather than with the account you are logged in to.

  1. Log in to the target AWS account.
  2. Go to IAM in your AWS Console.
  3. Go to Roles and create a new role.
  4. Select Role for Cross-Account Access, then Allow IAM users from a 3rd party AWS account to access this account.
  5. Establish trust with your source account. Type the 12 digit source account number used to access the target account. Take note of the External ID, you’ll need it later.
  6. Skip the step involving attaching the existing policy by going to the next step.
  7. On the Review page, click Create Role.
  8. Select the newly created role and click the Permissions tab
  9. Under Permissions, expand Inline Policies, and create a new inline policy (follow the click here link).
  10. Under Set Permissions, select Custom Policy.
  11. Create the policy according to the AWS policy.

  12. (Optional) Once the target role is created, select the role in the IAM roles section again and click the Trust Relationships tab. Then click Edit Trust Relationships and restrict the trust policy so that only roleXassume in the source account (rather than the whole source account) may assume the target role, keeping the External ID condition the wizard generated:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "arn:aws:iam::<12 digit source account number>:role/roleXassume"
      },
      "Condition": {
        "StringEquals": { "sts:ExternalId": "<External ID from step 5>" }
      }
    }
  ]
}
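The four policy documents from Steps 1, 2 and 4 together form the chain PSG role -> roleXassume -> target role. The following added example (not Dynatrace's own code) audits such a set of documents offline and reports where the chain is wider than this guide intends; the account numbers and the PSG role name are constructed sample values.

```python
import json

SOURCE = "111111111111"   # constructed sample source account id
PSG_ROLE = f"arn:aws:iam::{SOURCE}:role/DynatracePSG"  # assumed PSG role name
PROXY_ROLE = f"arn:aws:iam::{SOURCE}:role/roleXassume"

def _statements(doc):
    doc = json.loads(doc) if isinstance(doc, str) else doc
    s = doc.get("Statement", [])
    return s if isinstance(s, list) else [s]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def assume_role_targets(policy):
    """Resources an identity (permission) policy lets the caller assume via sts:AssumeRole."""
    out = set()
    for st in _statements(policy):
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action", [])):
            out.update(_as_list(st.get("Resource", [])))
    return out

def trusted_principals(trust_policy):
    """AWS principals a trust policy lets assume the role, plus the sts:ExternalId it requires."""
    principals, external_id = set(), None
    for st in _statements(trust_policy):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        p = st.get("Principal", {})
        principals.update(_as_list(p) if isinstance(p, str) else _as_list(p.get("AWS", [])))
        external_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId", external_id)
    return principals, external_id

def audit_chain(psg_policy, proxy_trust, proxy_policy, target_trust):
    """Return findings for the PSG -> roleXassume -> target role chain; an empty list means OK."""
    findings = []
    if assume_role_targets(psg_policy) != {PROXY_ROLE}:
        findings.append("PSG role may assume something other than roleXassume")
    principals, _ = trusted_principals(proxy_trust)
    if principals != {PSG_ROLE}:
        findings.append("roleXassume trust is not restricted to the PSG role")
    if "*" in assume_role_targets(proxy_policy):
        findings.append("roleXassume permission policy uses a wildcard resource; consider listing target role ARNs")
    principals, ext = trusted_principals(target_trust)
    if principals != {PROXY_ROLE}:
        findings.append("target role trust is not restricted to roleXassume")
    if not ext:
        findings.append("target role trust has no sts:ExternalId condition")
    return findings
```

Each document can be passed as a dict or as the JSON string copied from the IAM console.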

Step 5. Connect AWS to Dynatrace Managed

Now you can connect your Amazon account to Dynatrace Managed, as explained in How do I start Amazon Web Services monitoring?