AWS Certificate Manager Private Certificate Authority (ACM PCA) monitoring

Dynatrace ingests metrics for multiple preselected namespaces, including AWS Certificate Manager Private Certificate Authority. You can view metrics for each service instance, split metrics into multiple dimensions, and create custom charts that you can pin to your dashboards.

Prerequisites

To enable monitoring for this service, you need:

  • An Environment or Cluster ActiveGate version 1.197+
    Note: For role-based access (whether in a SaaS or Managed deployment), you need an Environment ActiveGate installed on an AWS EC2 host.
  • Dynatrace version 1.217+
  • An updated AWS monitoring policy to include the additional AWS services.

To update the AWS IAM policy, use the JSON below, which contains the monitoring policy (permissions) for all supporting services.

If you don't want to add permissions for all services and prefer to select permissions for only certain services, consult the table below. The table contains the set of permissions that are required for all services (All monitored Amazon services) and, for each supporting service, a list of optional permissions specific to that service.

Example

The following is an example JSON policy for a single service.

In this example, from the complete list of permissions you need to select:

  • "apigateway:GET" for Amazon API Gateway
  • "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "sts:GetCallerIdentity", "tag:GetResources", "tag:GetTagKeys", and "ec2:DescribeAvailabilityZones" for All monitored Amazon services.
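The selection above can be turned into a policy document and used to audit an existing monitoring policy for grants beyond it. This is an added example, not Dynatrace's own policy or tooling; the single Allow statement on Resource "*", the Sid, and the function names are assumptions, and only Action elements of Allow statements are inspected.

```python
import json
from fnmatch import fnmatchcase

# Actions the page lists for its single-service example (API Gateway).
REQUIRED = [
    "apigateway:GET",
    "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics",
    "cloudwatch:ListMetrics", "sts:GetCallerIdentity",
    "tag:GetResources", "tag:GetTagKeys", "ec2:DescribeAvailabilityZones",
]

def build_policy(actions):
    """Return an IAM policy document that allows exactly these actions."""
    # Assumption: one Allow statement on Resource "*"; the Sid is made up.
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "ExampleMonitoring", "Effect": "Allow",
                           "Action": list(actions), "Resource": "*"}]}

def allowed_patterns(policy):
    """Collect the Action patterns of every Allow statement, lowercased."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be unwrapped
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns += [actions] if isinstance(actions, str) else list(actions)
    return [p.lower() for p in patterns]  # IAM action names are case-insensitive

def audit(policy, required=REQUIRED):
    """Return (excess, missing): grants beyond the list, list entries not granted."""
    wanted = [a.lower() for a in required]
    granted = allowed_patterns(policy)
    # Any pattern that is not an exact listed action (wildcards included) is excess.
    excess = [p for p in granted if p not in wanted]
    missing = [a for a in wanted if not any(fnmatchcase(a, p) for p in granted)]
    return excess, missing

if __name__ == "__main__":
    print(json.dumps(build_policy(REQUIRED), indent=2))
    # Constructed sample: a policy broader than the page's list.
    broad = build_policy(["cloudwatch:*", "apigateway:GET", "iam:PassRole"])
    print(audit(broad))
```

An empty `excess` list means the policy grants nothing beyond the listed permissions; an empty `missing` list means every listed permission is covered.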

Enable monitoring

To enable monitoring for this service, you first need to integrate Dynatrace with Amazon Web Services:

Add the service to monitoring

In order to view the service metrics, you must add the service to monitoring in your Dynatrace environment.

Cloud-service monitoring consumption

As of 2021, all cloud services consume Davis data units (DDUs). The amount of DDU consumption per service instance depends on the number of monitored metrics and their dimensions (each metric dimension results in the ingestion of 1 data point; 1 data point consumes 0.001 DDUs).

Monitor resources based on tags

You can choose to monitor resources based on existing AWS tags, as Dynatrace automatically imports them from service instances. Nevertheless, the transition from AWS to Dynatrace tagging isn't supported for all AWS services. Expand the table below to see which supporting services are filtered by tagging.

To monitor resources based on tags

  1. In the Dynatrace menu, go to Settings > Cloud and virtualization > AWS and select Edit for the desired AWS instance.
  2. For Resources to be monitored, select Monitor resources selected by tags.
  3. Enter the Key and Value.
  4. Select Save.

Configure service metrics

Once you add a service, Dynatrace starts automatically collecting a suite of metrics for this particular service. These are recommended metrics.

Recommended metrics:

  • Are enabled by default
  • Can't be disabled
  • Can have recommended dimensions (enabled by default, can't be disabled)
  • Can have optional dimensions (disabled by default, can be enabled)

Apart from the recommended metrics, most services let you enable optional metrics.

Optional metrics:

  • Can be added and configured manually

View service metrics

You can view the service metrics in your Dynatrace environment either on the custom device overview page or on your Dashboards page.

View metrics on the custom device overview page

To access the custom device overview page

  1. In the Dynatrace menu, go to Technologies and processes.
  2. Filter by service name and select the relevant custom device group.
  3. Once you select the custom device group, you're on the custom device group overview page.
  4. The custom device group overview page lists all instances (custom devices) belonging to the group. Select an instance to view the custom device overview page.

View metrics on your dashboard

You can also view metrics in the Dynatrace web UI on dashboards. There is no preset dashboard available for this service, but you can create your own dashboard.

To check the availability of preset dashboards for each AWS service, see the list below.

Available metrics

| Name | Description | Unit | Statistics | Dimensions | Recommended |
|---|---|---|---|---|---|
| CRLGenerated | A certificate revocation list (CRL) was generated. This metric applies only to a private CA. | None | Sum | PrivateCAArn | ✔️ |
| Failure | An operation failed. This metric applies only to the IssueCertificate operation. | None | Sum | Operation, PrivateCAArn | ✔️ |
| Failure | | None | Sum | Operation, Region | |
| MisconfiguredCRLBucket | The S3 bucket specified for the CRL is not correctly configured. Check the bucket policy. This metric applies only to a private CA. | None | Sum | PrivateCAArn | ✔️ |
| Success | A certificate was successfully issued. This metric applies only to the IssueCertificate operation. | None | Sum | Operation, PrivateCAArn | ✔️ |
| Success | | None | Sum | Operation, Region | |
| Time | The elapsed time in milliseconds for a certificate to be issued. This metric applies only to the IssueCertificate operation. | None | Multi | Operation, PrivateCAArn | |
| Time | | None | Multi | Operation, Region | |