Set up Dynatrace SaaS for AWS monitoring

You can integrate Dynatrace with Amazon Web Services (AWS) for intelligent monitoring of services running in the Amazon Cloud. AWS integration helps you stay on top of the dynamics of your data center in the cloud.

Overview

Follow these basic steps to integrate Dynatrace SaaS with Amazon Web Services (AWS):

1. Create AWS monitoring policy.

2. Choose an access method:

   • Key-based access.
   • Role-based access.
     If you choose role-based access, use the appropriate procedure for your deployment scenario:
     • Role-based access for SaaS deployments with Environment ActiveGate.
     • Role-based access for SaaS deployments with NO Environment ActiveGate.

   You must install and configure an Environment ActiveGate if you want to monitor either or both of the following:

   • More than 2,000 AWS resources (AWS service instances)
   • AWS Supporting Services

3. Select your AWS partition

4. Define AWS resource tagging

AWS costs

Dynatrace makes Amazon API requests every 5 minutes. In addition to CloudWatch API calls, Dynatrace makes API calls to the monitored AWS services in order to learn about their instances, tags, etc. The list of called services and actions is available below in the Create the monitoring policy section. Here's a rough estimate of AWS monitoring costs:

AWS monitoring policy

The AWS monitoring policy defines the minimum scope of permissions you need to give to Dynatrace to monitor the services running in your AWS account. Create it once and use anytime when enabling Dynatrace access to your AWS account.

1. Go to Identity and Access Management (IAM) in your Amazon Console.

2. Go to Policies and select Create policy.

3. Select the JSON tab, and paste the predefined policy from the box below.

   Predefined policy in JSON

   jsoncopydownload
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "VisualEditor0",
         "Effect": "Allow",
         "Action": [
           "acm-pca:ListCertificateAuthorities",
           "apigateway:GET",
           "apprunner:ListServices",
           "appstream:DescribeFleets",
           "appsync:ListGraphqlApis",
           "athena:ListWorkGroups",
           "autoscaling:DescribeAutoScalingGroups",
           "cloudformation:ListStackResources",
           "cloudfront:ListDistributions",
           "cloudhsm:DescribeClusters",
           "cloudsearch:DescribeDomains",
           "cloudwatch:GetMetricData",
           "cloudwatch:GetMetricStatistics",
           "cloudwatch:ListMetrics",
           "codebuild:ListProjects",
           "datasync:ListTasks",
           "dax:DescribeClusters",
           "directconnect:DescribeConnections",
           "dms:DescribeReplicationInstances",
           "dynamodb:ListTables",
           "dynamodb:ListTagsOfResource",
           "ec2:DescribeAvailabilityZones",
           "ec2:DescribeInstances",
           "ec2:DescribeNatGateways",
           "ec2:DescribeSpotFleetRequests",
           "ec2:DescribeTransitGateways",
           "ec2:DescribeVolumes",
           "ec2:DescribeVpnConnections",
           "ecs:ListClusters",
           "eks:ListClusters",
           "elasticache:DescribeCacheClusters",
           "elasticbeanstalk:DescribeEnvironmentResources",
           "elasticbeanstalk:DescribeEnvironments",
           "elasticfilesystem:DescribeFileSystems",
           "elasticloadbalancing:DescribeInstanceHealth",
           "elasticloadbalancing:DescribeListeners",
           "elasticloadbalancing:DescribeLoadBalancers",
           "elasticloadbalancing:DescribeRules",
           "elasticloadbalancing:DescribeTags",
           "elasticloadbalancing:DescribeTargetHealth",
           "elasticmapreduce:ListClusters",
           "elastictranscoder:ListPipelines",
           "es:ListDomainNames",
           "events:ListEventBuses",
           "firehose:ListDeliveryStreams",
           "fsx:DescribeFileSystems",
           "gamelift:ListFleets",
           "glue:GetJobs",
           "inspector:ListAssessmentTemplates",
           "kafka:ListClusters",
           "kinesis:ListStreams",
           "kinesisanalytics:ListApplications",
           "kinesisvideo:ListStreams",
           "lambda:ListFunctions",
           "lambda:ListTags",
           "lex:GetBots",
           "logs:DescribeLogGroups",
           "mediaconnect:ListFlows",
           "mediaconvert:DescribeEndpoints",
           "mediapackage-vod:ListPackagingConfigurations",
           "mediapackage:ListChannels",
           "mediatailor:ListPlaybackConfigurations",
           "opsworks:DescribeStacks",
           "qldb:ListLedgers",
           "rds:DescribeDBClusters",
           "rds:DescribeDBInstances",
           "rds:DescribeEvents",
           "rds:ListTagsForResource",
           "redshift:DescribeClusters",
           "robomaker:ListSimulationJobs",
           "route53:ListHostedZones",
           "route53resolver:ListResolverEndpoints",
           "s3:ListAllMyBuckets",
           "sagemaker:ListEndpoints",
           "sns:ListTopics",
           "sqs:ListQueues",
           "storagegateway:ListGateways",
           "sts:GetCallerIdentity",
           "swf:ListDomains",
           "tag:GetResources",
           "tag:GetTagKeys",
           "transfer:ListServers",
           "workmail:ListOrganizations",
           "workspaces:DescribeWorkspaces"
         ],
         "Resource": "*"
       }
     ]
   }
   

4. Give the policy a name. For example Dynatrace_monitoring_policy. Type it in the Name field.

5. Select Create policy.

Access methods

To get the information required for comprehensive AWS cloud-computing monitoring, Dynatrace needs to identify all the virtualized infrastructure components in your AWS environment and collect performance metrics related to those components. We use this information to understand the context of your applications, services, and hosts. For this to happen, you need to authorize Dynatrace to access your Amazon metrics.

You can enable Dynatrace access to your AWS metrics by either using a private access key (key-based access) or defining a special role for Dynatrace (role-based access). In all the cases, make sure that your Environment ActiveGate has a working connection to AWS. Configure your proxy for ActiveGate, or allow access to *.amazonaws.com in your firewall settings.

As a best practice, use temporary security credentials (IAM roles) instead of access keys, and disable any AWS account root user access keys.

Key-based access

If you decide to use the key-based authentication, remember to rotate the keys periodically. Keep in mind that you need to perform this procedure each time you change the key.

Prerequisites for key-based access

• Rights to create a new AWS user
• Your AWS account ID
• Your Amazon Access key ID and Secret access key

Enable access to your Amazon account using key-based access

Dynatrace can use access keys to make secure REST or Query protocol requests to the AWS service API. You'll need to generate an Access key ID and a Secret access key that Dynatrace can use to get metrics from Amazon Web Services.

1. In your Amazon Console, go to Users and select Add User.

2. Enter a name for the key you want to create (for example, Dynatrace_monitoring_user). In Select AWS access type, select Programmatic access, and then select Next:Permissions.

3. Select Attach existing policies directly and choose the monitoring policy you defined (for example, Dynatrace_monitoring_policy), and then select Next: Review.

4. Review the user details and select Create user.

5. Store the Access Key ID name (AKID) and Secret access key values.
   You can either download the user credentials or copy the credentials displayed online (select Show).

Connect your Amazon account to Dynatrace using key-based access

Once you've granted AWS access to Dynatrace, it's time to connect Dynatrace to your Amazon AWS account.

1. In the Dynatrace menu, go to Settings > Cloud and virtualization > AWS and select Connect new instance.

2. Select Key-based authentication method.

   • Create a name for this connection. This is mandatory. Dynatrace needs this name to identify and display the connection.
   • In the Access key ID field, paste the identifier of the key you created in Amazon for Dynatrace access.
   • In the Secret access key field, paste the value of the key you created in Amazon for Dynatrace access.
   • Select Connect to verify and save the connection.

3. Once the connection is successfully verified and saved, your AWS account will be listed in the Cloud and virtualization settings page. You should soon begin to see AWS cloud monitoring data.

Role-based access

Dynatrace SaaS deployments might vary. Integrating Dynatrace SaaS with AWS is different when deployment includes an Environment ActiveGate. Select the appropriate set up procedure for your Dynatrace SaaS deployment scenario.

shellcopydownload
aws cloudformation create-stack \
--capabilities CAPABILITY_NAMED_IAM \
--stack-name <stack_name> \
--template-body <file:///home/user/template_file.yaml> \
--parameters ParameterKey=ActiveGateRoleName,ParameterValue=<role_name> ParameterKey=AssumePolicyName,ParameterValue=<policy_name> ParameterKey=MonitoringRoleName,ParameterValue=<monitoring_role_name> ParameterKey=MonitoredAccountID,ParameterValue=<monitored_account_id>

shellcopydownload
aws cloudformation create-stack \
--capabilities CAPABILITY_NAMED_IAM \
--stack-name <stack_name> \
--template-body <file:///home/user/template_file.yaml> \
--parameters ParameterKey=ExternalID,ParameterValue=<external_id> ParameterKey=ActiveGateRoleName,ParameterValue=<activegate_role_name> ParameterKey=ActiveGateAccountID,ParameterValue=<activegate_account_id>
ParameterKey=RoleName,ParameterValue=<role_name> ParameterKey=PolicyName,ParameterValue=<policy_name>

shellcopydownload
aws cloudformation create-stack \
--capabilities CAPABILITY_NAMED_IAM \
--stack-name <stack_name> \
--template-body <file:///home/user/template_file.yaml> \
--parameters ParameterKey=ExternalID,ParameterValue=<external_id> ParameterKey=RoleName,ParameterValue=<role_name> ParameterKey=PolicyName,ParameterValue=<policy_name>

Connect your Amazon account to Dynatrace using role-based access

After you've granted AWS access to Dynatrace, it's time to connect Dynatrace to your Amazon AWS account.

1. In Dynatrace, go to Settings > Cloud and virtualization > AWS and select Connect new instance.

2. Enter a name for this connection. If you leave it empty, the name Role will be used on Dynatrace pages to define this connection.

3. Select Role based authentication and enter configuration details:

   • Enter the name of the role you created in Amazon for Dynatrace (for example, Dynatrace_monitoring_role).
   • Enter your Amazon account ID (the account you want Dynatrace to pull metrics from).
   • Select Connect to verify and save the connection.

4. After the connection is verified and saved, your AWS account is listed on the Cloud and virtualization settings page. You should soon begin to see AWS cloud monitoring data.

Select your AWS partition

If your AWS account is on a different partition than the default aws partition, you can select it and Dynatrace will connect to it instead.

To change your AWS partition

1. In the Dynatrace menu, go to Settings and select Cloud and virtualization > AWS.
2. Find the instance where you want to change the partition and select to edit the instance.
3. In the AWS partition list, select your partition.
4. Select Save.

Define AWS resource tagging

We recommend to limit the scope of your AWS monitoring and reduce the number API calls to Amazon. You can use the tagging to limit the AWS resources that are monitored by Dynatrace. For details, see How do I tag AWS resources?

Set up metric events for alerting

To configure metric events for alerting

1. In the Dynatrace menu, go to Settings > Cloud and virtualization > AWS.
2. Under Metric events for alerting, select Manage alerting rules.
3. On the Metric events for alerting page, you can create, enable/disable, and configure recommended alerting rules.

For an overview of all recommended alerting rules for all supporting services, see the list below.

1. Create and enable alerting rules.

   To enable recommended alerting rules, you first need to create them. You can create alerting rules and automatically enable them, or (if you clear Automatically enable created rules) create them and manually enable them after possible configuration changes.

   

   For example, you can create and automatically enable a first batch of alerts. When you start monitoring new services, you can create alerts for these new services without automatically enabling them (because you want to configure them first).

2. Configure alerting rules. How you edit rules depends on whether you chose to automatically enable alerts.

   • If you chose to automatically enable alerts when creating them, go to Adjust recommended alerting rules, expand Enabled recommended alerting rules, and select any rule. This takes you to Edit custom event for alerting, where you can change the configuration rules for that specific service.

     

   • If you didn't choose to automatically enable alerts when creating them, go to Enable recommended alerting rules, expand Disabled recommended alerting rules, and select any of the disabled rules. This takes you to the same Edit custom event for alerting page.

     

3. Disable alerting rules.

4. You can disable all alerting rules, or disable or delete them selectively.

   

   • To disable all alerting rules, go to Adjust recommended alerting rules and select Disable all enabled recommended alerting rules.
   • To disable or delete alerting rules selectively, go to Adjust recommended alerting rules and select Custom events for alerting. On the Custom events for alerting page, you can disable an alert by turning it off in the On/Off column, or you can delete it by selecting x in the Delete column.

   

   Note: If you disable any or all of the alerting rules, you can always re-enable them.