Get started with Amazon Web Services monitoring

You can integrate Dynatrace with Amazon Web Services (AWS) for intelligent monitoring of services running in the Amazon Cloud. AWS integration helps you stay on top of the dynamics of your data center in the cloud.

Amazon will charge about $0.01 per 1,000 metrics requested from the CloudWatch API and include the cost in the bill for the AWS account you use with Dynatrace.

Dynatrace makes Amazon API requests every 5 minutes. In addition to CloudWatch API calls, Dynatrace makes API calls to the monitored AWS services in order to learn about their instances, tags, etc. The list of called services and actions is available below in the Create the monitoring policy section. Here's a rough estimate of AWS monitoring costs:

| AWS service | Number of metrics | Daily cost per instance (USD) |
| --- | --- | --- |
| Elastic Compute Cloud (EC2) | 7 | $0.02016 |
| Elastic Block Store (EBS) | 8 | $0.02304 |
| Elastic Load Balancer (ELB) | 11 | $0.03168 |
| Relational Database Service (RDS) | 11 | $0.03168 |
| DynamoDB | 15 | $0.06912 |
| Lambda | 4 | $0.01152 |

Create the monitoring policy

The AWS monitoring policy defines the minimal scope of permissions you need to give to Dynatrace to monitor the services running in your AWS account. Create it once and reuse it whenever you enable Dynatrace access to your AWS account.

Go to Identity and Access Management (IAM) in your Amazon Console.

Go to Policies and click Create policy.

Select the JSON tab, and paste the predefined policy from the box below.

  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Action": [
      "Resource": "*"

Give the policy a name, for example Dynatrace_monitoring_policy, by typing it in the Name field.

Click the Create policy button.
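A check to run on a policy document before attaching it, as an added example that is not part of the original page or Dynatrace's own code: it parses the JSON and reports every Allow entry that goes beyond read-only verbs. The sample policy is constructed for illustration (it is not the predefined Dynatrace policy), and treating the Describe/Get/List prefixes as read-only is a heuristic assumption.

```python
import json

# Heuristic (assumption): a metrics-only integration needs only these verb prefixes.
READ_ONLY_PREFIXES = ("describe", "get", "list")

# Constructed sample, NOT the Dynatrace predefined policy. Statements 1 and 2
# are deliberately over-broad so the audit has something to report.
SAMPLE_POLICY = """
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow",
    "Action": ["cloudwatch:GetMetricData", "ec2:DescribeInstances", "rds:List*"],
    "Resource": "*"},
   {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
   {"Effect": "Allow", "Action": ["s3:PutObject", "iam:PassRole"], "Resource": "*"}
 ]}
"""

def as_list(value):
    # IAM accepts a single string or object where a list is expected.
    return value if isinstance(value, list) else [value]

def classify(action):
    """Return None if the action looks read-only, else a short reason."""
    service, sep, name = action.lower().partition(":")  # IAM actions are case-insensitive
    if not sep or "*" in service or "?" in service:
        return "wildcard or malformed service"
    literal = name.split("*")[0].split("?")[0]  # fixed part before any wildcard
    if not literal.startswith(READ_ONLY_PREFIXES):
        return "wildcard too broad" if literal != name else "not a read-only verb"
    return None

def audit_policy(policy_json):
    """List (statement index, action, reason) for every Allow that exceeds read-only."""
    findings = []
    for idx, stmt in enumerate(as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append((idx, "NotAction", "allows all actions except those listed"))
        for action in as_list(stmt.get("Action", [])):
            reason = classify(action)
            if reason:
                findings.append((idx, action, reason))
    return findings

if __name__ == "__main__":
    for idx, action, reason in audit_policy(SAMPLE_POLICY):
        print(f"statement {idx}: {action}: {reason}")
```

A read-only verb can still expose data (reading objects or secrets, for example), so an empty result means "no write or wildcard grants found", not "safe".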

Enable access to your Amazon account

To get the information required for comprehensive AWS cloud-computing monitoring, Dynatrace needs to identify all the virtualized infrastructure components in your AWS environment and collect performance metrics related to those components. We use this information to understand the context of your applications, services, and hosts. For this to happen, you need to authorize Dynatrace to access your Amazon metrics.

You can enable Dynatrace access to your AWS metrics by either using a private access key (key-based access) or defining a special role for Dynatrace (role-based access). In either case, make sure that your Environment ActiveGate or Managed Server has a working connection to AWS. Configure your proxy for Managed or ActiveGate, or whitelist * in your firewall settings.

  • Key-based access works with all Dynatrace deployment types (SaaS and Managed). Select Keys.

  • Role-based access works with all Dynatrace deployment types (SaaS and Managed). See the prerequisites and further instructions for your setup in the table below.

    | | SaaS | Managed |
    | --- | --- | --- |
    | Environment ActiveGate | EnvAG needs to be hosted in AWS. Select Roles for Managed/Env. ActiveGate | EnvAG needs to be hosted in AWS. Select Roles for Managed/Env. ActiveGate |
    | No Environment ActiveGate | Select Roles for SaaS | Dynatrace Managed Server needs to be hosted in AWS. Select Roles for Managed/Env. ActiveGate |

Dynatrace can use access keys to make secure REST or Query protocol requests to the AWS service API. You'll need to generate an Access key ID and a Secret access key that Dynatrace can use to get metrics from Amazon Web Services.

What you need

  • Rights to create a new AWS user
  • Your AWS account ID
  • Your Amazon Access key ID and Secret access key

Go to Users and click Add User.

Enter a name for the key you want to create (for example, Dynatrace_monitoring_user). In Select AWS access type, select the Programmatic access option and click the Next: Permissions button.

Click Attach existing policies directly and choose the monitoring policy you defined, for example Dynatrace_monitoring_policy. Click Next: Review.

Review the user details and click the Create user button.

Store the Access Key ID name (AKID) and Secret access key values.
You can either download the user credentials or copy the credentials displayed online (click Show).

Connect your Amazon account to Dynatrace

Once you determine which access approach best serves your needs (role-based or key-based access) and you've granted AWS access to Dynatrace, it's time to connect Dynatrace to your Amazon AWS account.

  1. Go to Settings > Cloud and virtualization > AWS and click Connect new instance.
  2. Select either the Role based authentication or Key based authentication method.
  • Create a name for this connection. This is mandatory. Dynatrace needs this name to identify and display the connection.
  • In the Access key ID field, paste the identifier of the key you created in Amazon for Dynatrace access.
  • In the Secret access key field, paste the value of the key you created in Amazon for Dynatrace access.
  • Click Connect to verify and save the connection.
  3. Once the connection is successfully verified and saved, your AWS account will be listed in the Cloud and virtualization settings page. You should soon begin to see AWS cloud monitoring data.

Define AWS resource tagging

We recommend that you limit the scope of your AWS monitoring and reduce the number of API calls to Amazon. You can use tagging to limit the AWS resources that are monitored by Dynatrace. For details, see How do I tag AWS resources?


What if I need to connect through a proxy?

See Set up proxy authentication for ActiveGate

What if I have more than one ActiveGate?

Choose one ActiveGate you want to monitor your AWS account with. Any ActiveGate type will work as long as it can connect to AWS. On that ActiveGate edit the file and set the following property to true:

Version 1.159 or earlier

AWSAgentEnabled = true

ActiveGate version 1.161 or later

aws_monitoring_enabled = true

On all the other ActiveGates, set the property to false.

What if my ActiveGate is behind a firewall?

Add the * to the firewall whitelist.

What if I create and attach the role for ActiveGate, but it still can't assume the monitoring role?

An error may occur when attaching a role to an EC2 instance. In such cases, you can use curl to retrieve the instance metadata to verify if the role is listed there. Use the following command:


If the attached role is still not listed in the instance metadata, it often helps to reattach it.

For more information, see Instance Metadata and User Data in AWS documentation.
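
One way to run the metadata check described above from the ActiveGate host, as an added example that is not part of the original page: it lists the role names the EC2 instance metadata service reports, using an IMDSv2 session token, and never reads the credentials themselves. The function names and the role name in the usage note are hypothetical.

```python
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254/latest"  # link-local EC2 instance metadata endpoint

def imds_token(timeout=2):
    # IMDSv2: obtain a short-lived session token with a PUT before any GET.
    req = urllib.request.Request(
        f"{IMDS}/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()

def imds_get(path, token, timeout=2):
    # Authenticated GET against the metadata tree.
    req = urllib.request.Request(
        f"{IMDS}/{path}", headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()

def attached_roles(fetch=None):
    """Return the role names listed in instance metadata, [] if none is attached.

    `fetch` is a hypothetical injection point (path -> response body) so the
    parsing can be exercised off-instance; by default the real IMDS is queried.
    """
    if fetch is None:
        token = imds_token()
        fetch = lambda path: imds_get(path, token)
    try:
        # Only the listing is requested, not the credentials document under it.
        body = fetch("meta-data/iam/security-credentials/")
    except urllib.error.HTTPError as err:
        if err.code == 404:  # IMDS answers 404 when no role is attached
            return []
        raise
    return [line.strip() for line in body.splitlines() if line.strip()]

def role_is_attached(expected_role, fetch=None):
    """True if the expected role name appears in the instance metadata listing."""
    return expected_role in attached_roles(fetch)
```

On the instance, `role_is_attached("Example_ActiveGate_role")` returning False while the console shows the role as attached is the situation in which reattaching is suggested.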