How do I start Amazon Web Services monitoring?

You can integrate Dynatrace with Amazon Web Services (AWS) for intelligent monitoring of services running in the Amazon Cloud. AWS integration helps you stay on top of the dynamics of your data center in the cloud.

Amazon will charge about $0.01 per 1,000 requests to the CloudWatch API and will include the cost in the bill for the AWS account you use with Dynatrace.

Dynatrace makes Amazon API requests every 5 minutes. We make one API call per metric. Here's a rough estimate of AWS monitoring costs:

AWS service                       | Number of metrics | Daily cost per instance (USD)
Elastic Compute Cloud (EC2)       | 7                 | $0.02016
Elastic Block Store (EBS)         | 8                 | $0.02304
Elastic Load Balancer (ELB)       | 11                | $0.03168
Relational Database Service (RDS) | 11                | $0.03168
DynamoDB                          | 15                | $0.06912
Lambda                            | 4                 | $0.01152

Create the monitoring policy

The AWS monitoring policy defines the minimal scope of permissions you need to give Dynatrace to monitor the services running in your AWS account. Create it once and reuse it whenever you enable Dynatrace access to your AWS account.

Go to Identity and Access Management (IAM) in your Amazon Console.

Go to Policies and click Create policy.

Select the JSON tab, and paste the predefined policy from the box below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInstances",     
        "ec2:DescribeVolumes",             
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeTargetHealth",
        "rds:DescribeDBInstances",
        "rds:DescribeEvents",
        "rds:ListTagsForResource",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "lambda:ListFunctions",
        "lambda:ListTags",
        "elasticbeanstalk:DescribeEnvironments",
        "elasticbeanstalk:DescribeEnvironmentResources",
        "s3:ListAllMyBuckets",
        "sts:GetCallerIdentity",
        "cloudformation:ListStackResources"
      ],
      "Resource": "*"
    }
  ]
}

Give the policy a name, for example Dynatrace-monitoring-policy, by typing it in the Name field.

Click the Create policy button.
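To confirm later that the policy attached to the Dynatrace user or role still matches the minimal scope above, you can diff it against that action list. The following is an added example, not Dynatrace or AWS code: the function names and the drifted sample policy are constructed for illustration, and the baseline is the action list shown on this page.

```python
import json

# Baseline: the 24 actions in the monitoring policy shown on this page.
BASELINE = {
    "autoscaling:DescribeAutoScalingGroups", "cloudwatch:GetMetricData",
    "cloudwatch:GetMetricStatistics", "ec2:DescribeAvailabilityZones",
    "ec2:DescribeInstances", "ec2:DescribeVolumes",
    "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTags",
    "elasticloadbalancing:DescribeInstanceHealth", "elasticloadbalancing:DescribeListeners",
    "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTargetHealth",
    "rds:DescribeDBInstances", "rds:DescribeEvents", "rds:ListTagsForResource",
    "dynamodb:ListTables", "dynamodb:ListTagsOfResource", "lambda:ListFunctions",
    "lambda:ListTags", "elasticbeanstalk:DescribeEnvironments",
    "elasticbeanstalk:DescribeEnvironmentResources", "s3:ListAllMyBuckets",
    "sts:GetCallerIdentity", "cloudformation:ListStackResources",
}

def as_list(value):  # IAM accepts a single string/object where a list is expected
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return (findings, missing) for a policy document versus BASELINE."""
    baseline = {a.lower(): a for a in BASELINE}  # action names are case-insensitive
    granted, findings = set(), []
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(("NotAction", "allows every action except those listed"))
        for action in as_list(stmt.get("Action", [])):
            granted.add(action.lower())
            if "*" in action or "?" in action:
                findings.append((action, "wildcard action"))
            elif action.lower() not in baseline:
                findings.append((action, "not in monitoring baseline"))
    missing = sorted(orig for key, orig in baseline.items() if key not in granted)
    return findings, missing

# Constructed sample: a drifted copy of the policy, not taken from a real account.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(BASELINE - {"rds:DescribeEvents"}), "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:TerminateInstances", "s3:*"], "Resource": "*"},
]})

if __name__ == "__main__":
    findings, missing = audit_policy(SAMPLE)
    for action, reason in findings:
        print(f"REVIEW  {action}: {reason}")
    print("MISSING", missing)
```

Findings are grants beyond the monitoring scope that should be reviewed; missing entries are baseline actions the policy no longer grants explicitly, which would leave gaps in monitoring.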

Enable access to your Amazon account

To get the information required for comprehensive AWS cloud-computing monitoring, Dynatrace needs to identify all the virtualized infrastructure components in your AWS environment and collect performance metrics related to those components. We use this information to understand the context of your applications, services, and hosts. For this to happen, you need to authorize Dynatrace to access your Amazon metrics.

You can enable Dynatrace access to your AWS metrics by either using a private access key (key-based access) or defining a special role for Dynatrace (role-based access):

  • Key-based access works with all Dynatrace deployment types (SaaS and Managed). Select Keys.
  • Role-based access works with all the Dynatrace SaaS environments that don't have an Environment ActiveGate. Select Roles for SaaS.
  • Role-based access for Dynatrace SaaS or Managed environments that have an Environment ActiveGate is supported only if you host the ActiveGate in AWS. Select Roles for Managed/Env ActiveGate.
  • Role-based access for Dynatrace Managed environments that don't have an Environment ActiveGate is supported only if you host the Dynatrace Managed Server in AWS. Select Roles for Managed/Env ActiveGate.

Dynatrace can use access keys to make secure REST or Query protocol requests to the AWS service API. You'll need to generate an Access key ID and a Secret access key that Dynatrace can use to get metrics from Amazon Web Services.

What you need

  • Rights to create a new AWS user
  • Your AWS account ID
  • Your Amazon Access key ID and Secret access key

Go to Users and click Add User.

Enter a name for the key you want to create (for example, Dynatrace_monitoring_user). In Select AWS access type, select the Programmatic access option and click the Next: Permissions button.

Click Attach existing policies directly and choose the monitoring policy you defined, for example Dynatrace-monitoring-policy. Click Next: Review.

Review the user details and click the Create user button.

Store the Access Key ID name (AKID) and Secret access key values.
You can either download the user credentials or copy the credentials displayed online (click Show).

Connect your Amazon account to Dynatrace

Once you determine which access approach best serves your needs (role-based or key-based access) and you've granted AWS access to Dynatrace, it's time to connect Dynatrace to your Amazon AWS account.

  1. Go to Settings > Cloud and virtualization > AWS and click Connect new instance.
  2. Select either the Role based authentication or Key based authentication method.
       • Create a name for this connection. This is mandatory. Dynatrace needs this name to identify and display the connection.
       • In the Access key ID field, paste the key you created in Amazon for Dynatrace access.
       • In the Secret access key field, paste the key you created in Amazon for Dynatrace access.
       • Click Connect to verify and save the connection.
  3. Once the connection is successfully verified and saved, your AWS account will be listed in the Cloud and virtualization settings page. You should soon begin to see AWS cloud monitoring data.

Define AWS resource tagging

We recommend that you limit the scope of your AWS monitoring and reduce the number of API calls to Amazon. You can use tagging to limit the AWS resources that are monitored by Dynatrace. For details, see How do I tag AWS resources?

Troubleshooting

What if I need to connect through a proxy?

See Set up proxy authentication for ActiveGate.

What if I have more than one ActiveGate?

Choose one ActiveGate you want to monitor your AWS account with. Any ActiveGate type will work as long as it can connect to AWS. On that ActiveGate, edit the custom.properties file and set the following property to true:

ActiveGate version 1.159 or earlier

[collector]
AWSAgentEnabled = true

ActiveGate version 1.161 or later

[aws_monitoring]
aws_monitoring_enabled = true

On all the other ActiveGates, set the property to false.

What if my ActiveGate is behind a firewall?

Add the AWS endpoints to the firewall whitelist.

What if I create and attach the role for ActiveGate, but it still can't assume the monitoring role?

An error may occur when attaching a role to an EC2 instance. In such cases, you can use curl to retrieve the instance metadata to verify if the role is listed there. Use the following command:

curl http://169.254.169.254/latest/meta-data/iam/info

If the attached role is still not listed in the instance metadata, it often helps to reattach it.

For more information, see Instance Metadata and User Data in AWS documentation.
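The same check can be scripted on the ActiveGate host. The following is an added example, not Dynatrace or AWS code: it requests an IMDSv2 session token first (instances that require IMDSv2 reject the plain unauthenticated request), reads iam/info for the instance profile and iam/security-credentials/ for the attached role name. The role name, profile name, account ID and sample responses are constructed.

```python
import json
import urllib.request

IMDS = "http://169.254.169.254/latest"

def imds_get(path, timeout=2):
    """GET an instance-metadata path using an IMDSv2 session token."""
    token_req = urllib.request.Request(
        f"{IMDS}/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    token = urllib.request.urlopen(token_req, timeout=timeout).read().decode()
    req = urllib.request.Request(
        f"{IMDS}/{path}", headers={"X-aws-ec2-metadata-token": token})
    return urllib.request.urlopen(req, timeout=timeout).read().decode()

def check_role(expected_role, fetch=imds_get):
    """Return (ok, detail): is expected_role attached to this instance?"""
    try:
        info = json.loads(fetch("meta-data/iam/info"))
        roles = fetch("meta-data/iam/security-credentials/").split()
    except (OSError, ValueError) as exc:  # HTTP 404 when nothing is attached, or bad JSON
        return False, f"no usable IAM data in instance metadata: {exc}"
    if info.get("Code") != "Success":
        return False, f"metadata reports Code={info.get('Code')}"
    if expected_role not in roles:
        return False, f"attached role(s): {', '.join(roles) or 'none'}"
    return True, info.get("InstanceProfileArn", "")

# Constructed responses (hypothetical account ID and names) so the demo runs offline.
SAMPLE = {
    "meta-data/iam/info": json.dumps({
        "Code": "Success",
        "LastUpdated": "2020-01-01T00:00:00Z",
        "InstanceProfileArn": "arn:aws:iam::111122223333:instance-profile/example-activegate-profile",
        "InstanceProfileId": "AIPAEXAMPLEEXAMPLE",
    }),
    "meta-data/iam/security-credentials/": "example-activegate-role",
}

def no_profile(path):
    # Stand-in for an instance with no profile attached: the iam/ paths return 404.
    raise OSError("HTTP Error 404: Not Found")

if __name__ == "__main__":
    print(check_role("example-activegate-role", fetch=SAMPLE.__getitem__))
    print(check_role("some-other-role", fetch=SAMPLE.__getitem__))
    print(check_role("example-activegate-role", fetch=no_profile))
```

On the EC2 instance itself, call check_role with only the role name so that it queries the live metadata service instead of the sample responses.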