
Integrate AWS Accounts for Cloud Services Monitoring

Introduction

Customers can integrate AWS accounts with WatchMyDC® to observe and automate cloud services and on-premise solutions together from a single dashboard. Integrating a cloud account or an organization, such as AWS, does not require a deployed WatchMyDC® Collector. Instead, WatchMyDC® uses cloud-to-cloud communication with the AWS CloudWatch service to collect performance metrics of various services.

Dependencies

Because WatchMyDC® communicates through the AWS CloudWatch service, it requires access granted through roles and permissions.

Known Limitations

For observability, only AWS services managed by AWS CloudWatch are compatible. This limitation does not apply to the automation feature.

Integration Methods

WatchMyDC® supports two different methods of AWS account integration. Customers can adopt either method according to their industry and data compliance regulations.

  1. Role Delegation
  2. Access Keys

Both methods require a custom policy, which is created as described below:

  • Sign in to the AWS Console
  • Navigate to ‘IAM’
  • Click on ‘Policies’ in the left panel; this opens the page containing all policies
  • Click on ‘Create Policy’
  • Select the ‘JSON’ option
  • Copy and paste the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "ec2:DescribeRegions",
        "cloudwatch:PutMetricAlarm",
        "sns:GetTopicAttributes",
        "sns:Subscribe",
        "sns:CreateTopic"
      ],
      "Resource": "*"
    }
  ]
}
  • Click on ‘Next: Tags’; this loads the page named ‘Add tags (optional)’, which can be left empty
  • Click on ‘Next: Review’; this loads the page named ‘Review’
  • Enter a proper name & description of the Policy.
    • Example ‘Policy name’: watchmydc_policy
    • Example ‘Policy description’: This policy is for WatchMyDC Observability & Automation
  • Click on ‘Create policy’
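
To confirm later that the policy in an account still matches the one above, the following added example (not WatchMyDC's own code) compares a policy document against the eight documented actions and lists the write actions that are granted on "Resource": "*". The names audit_permissions, DOCUMENTED, MUTATING and the DRIFTED sample are assumptions made for this illustration.

```python
import json
from fnmatch import fnmatchcase

# The eight actions in the policy shown on this page.
DOCUMENTED = {
    "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics",
    "cloudwatch:ListMetrics", "ec2:DescribeRegions",
    "cloudwatch:PutMetricAlarm", "sns:GetTopicAttributes",
    "sns:Subscribe", "sns:CreateTopic",
}
# Of those, the ones that create or modify resources; the rest only read.
MUTATING = {"cloudwatch:PutMetricAlarm", "sns:Subscribe", "sns:CreateTopic"}
DOCUMENTED_LOWER = {a.lower() for a in DOCUMENTED}


def _as_list(value):
    """IAM accepts a single value or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_permissions(policy_json):
    """Report grants beyond the documented set and write actions on any resource."""
    extra, unscoped = set(), set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except the listed actions
            extra.add("NotAction")
        any_resource = "*" in _as_list(stmt.get("Resource"))
        for pattern in _as_list(stmt.get("Action")):
            p = pattern.lower()  # IAM action names are case-insensitive
            if "*" in p or "?" in p or p not in DOCUMENTED_LOWER:
                extra.add(pattern)  # wildcard or undocumented action
            if any_resource:
                unscoped |= {a for a in MUTATING if fnmatchcase(a.lower(), p)}
    return {"extra": sorted(extra), "unscoped_mutating": sorted(unscoped)}


# Constructed sample: the page's policy plus two actions added later by hand.
DRIFTED = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow",
                  "Action": sorted(DOCUMENTED) + ["sns:*", "iam:PassRole"],
                  "Resource": "*"},
})

if __name__ == "__main__":
    print(audit_permissions(DRIFTED))
```

The policy document to check can be exported from the ‘JSON’ tab of the policy in the IAM console.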

Role Delegation

With this method, the AWS admin creates a custom role dedicated to WatchMyDC. The steps below guide the Role Delegation process:

01: WatchMyDC Dashboard

  • Sign in to the WatchMyDC Dashboard
  • Navigate to ‘Operations’ > ‘Configuration Center’ > ‘Cloud Services’
  • Enable ‘Role Delegation’ by sliding the option on; this will lock the ‘Access Key’ method
  • Generate a random ‘AWS External ID’ from the option, and copy the key by clicking on the copy icon.

02: AWS Console

  • Sign in to the AWS Console
  • Navigate to ‘IAM’
  • Click on ‘Roles’ in the left panel; this opens the page containing all AWS Roles
  • Click on ‘Create role’
  • From the list of ‘Select type of trust entity’, choose ‘Another AWS account’
  • Provide the WatchMyDC Account ID: 123456789 in the field ‘Account ID’
  • Select ‘Require external ID (Best practice when a third party will assume this role)’
  • Enter the ‘AWS External ID’ in the field ‘External ID’, as copied from the WatchMyDC Dashboard explained above
  • Click on ‘Next: Permissions’ to move to the next page
  • Search for ‘watchmydc_policy’ and select the policy
  • Click on ‘Next: Tags’; this loads the page named ‘Add tags (optional)’, which can be left empty
  • Click on ‘Next: Review’; this loads the page named ‘Review’
  • Enter a proper name & description of the Role.
    • Example ‘Role name’: watchmydc_role
    • Example ‘Role description’: This role is for WatchMyDC Observability & Automation
  • Click on ‘Create role’

Here is an example of a trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/organisations/aaaaaa-0000-b1b1-d1d1-12345678aaaa",
          "arn:aws:iam::123456789012:root"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "edb46444cc84742aa793011e0ee6a56845dfe1741c7b94f4f66f04506924eb15"
        }
      }
    }
  ]
}

Here:

– 123456789012 is to be replaced by the AWS Account Number provided by WatchMyDC

– aaaaaa-0000-b1b1-d1d1-12345678aaaa is to be replaced by the WatchMyDC customer Organization ID, which can be found on the ‘Organization Settings’ page or on the ‘Configuration Center’ > ‘Collector page’.
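
The ‘Require external ID’ condition is what prevents another party from having the role assumed on its behalf, so it is worth verifying on the role once it exists. This added example (not WatchMyDC's own code) checks an exported trust policy for that condition and for principals outside the expected account; audit_trust, sample_policy and the EXAMPLE-… values are assumptions, and the policy is a constructed sample shaped like the one above.

```python
import json
import re

ARN = re.compile(r"^arn:aws[\w-]*:(?:iam|sts)::(\d{12}):(.+)$")


def _as_list(value):
    """IAM accepts a single value or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust(policy_json, vendor_account, external_id):
    """Return (statement index, finding) pairs for statements allowing sts:AssumeRole."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else None
        for p in ["*"] if principal == "*" else _as_list(aws):
            m = ARN.match(p)
            account = p if re.fullmatch(r"\d{12}", p) else (m.group(1) if m else None)
            if p == "*":
                findings.append((i, "WILDCARD_PRINCIPAL"))
            elif account is None:
                findings.append((i, "UNRECOGNISED_PRINCIPAL " + p))
            elif account != vendor_account:
                findings.append((i, "FOREIGN_ACCOUNT " + account))
            elif m is None or m.group(2) == "root":
                # Bare account ID or :root delegates to every identity in that account.
                findings.append((i, "INFO_WHOLE_ACCOUNT_TRUSTED"))
        equals = (stmt.get("Condition") or {}).get("StringEquals") or {}
        ids = [v for key, vals in equals.items()
               if key.lower() == "sts:externalid" for v in _as_list(vals)]
        if not ids:
            findings.append((i, "NO_EXTERNAL_ID"))  # confused-deputy check missing
        elif ids != [external_id]:
            findings.append((i, "EXTERNAL_ID_MISMATCH"))
    return findings


def sample_policy(with_condition=True):
    """Constructed sample shaped like the trust policy above (placeholder values)."""
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": ["arn:aws:iam::123456789012:user/organisations/EXAMPLE-ORG-ID",
                                  "arn:aws:iam::123456789012:root"]}}
    if with_condition:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})
```

An empty result, or only INFO_WHOLE_ACCOUNT_TRUSTED, means every statement that allows sts:AssumeRole names the expected account and pins the expected external ID.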

03: WatchMyDC Dashboard

Assuming the user is on the ‘Operations’ > ‘Configuration Center’ > ‘Cloud Services’ page, fill in the fields below for the ‘Role Delegation’ method:

  • ‘AWS Account ID’: the customer's own AWS Account ID
  • ‘Enter AWS role name’: enter the ‘Role name’ as given in the previous section
  • Click on ‘Test Access’
  • The dashboard will show the message ‘AWS role verified successfully’
  • Click on ‘Save’ to complete the integration
  • The dashboard will display ‘AWS account added successfully’

Access Keys

In this simple method, the AWS Admin provides the Secret Key & the Access Key of an AWS user.

  • An existing user key can be provided for this method of integration; however, the watchmydc_policy must be attached to the user's permissions to allow WatchMyDC to observe the AWS services.
  • WatchMyDC Analytics suggests creating a new user dedicated to this integration method.

The steps of integration are below:

01: AWS Console

  • Sign in to the ‘AWS Console’
  • Navigate to the ‘IAM’ page
  • Click on ‘Users’ in the left panel; this opens the page listing all users and their details
  • Click on ‘Add users’
  • Provide the ‘User name’ in the ‘Set user details’ section
  • Select ‘Programmatic access’ in the ‘Select AWS access type’ section
  • Click on ‘Next: Permissions’ to move to the page for setting permissions
  • Click on ‘Attach existing policies directly’ in the ‘Set permissions’ section
  • Search for and select ‘watchmydc_policy’ as created earlier
  • Click on ‘Next: Tags’; this loads the page named ‘Add tags (optional)’, which can be left empty
  • Click on ‘Next: Review’; this loads the page named ‘Review’
  • Click on ‘Create user’
  • Click on the ‘Download.csv’ button to download the file that contains the ‘Access key ID’ and ‘Secret access key’ needed for integration

02: WatchMyDC Dashboard

  • Sign in to the WatchMyDC Dashboard
  • Navigate to ‘Operations’ > ‘Configuration Center’ > ‘Cloud Services’
  • Enable ‘Access Keys’ by sliding the option on; this will lock the ‘Role Delegation’ method
  • Enter the ‘Secret Key’, found in the ‘Download.csv’ file as ‘Secret access key’
  • Enter the ‘Access Key’, found in the same file as ‘Access key ID’
  • Click on ‘Validate’
  • The dashboard will show the message ‘AWS account verified successfully’
  • The dashboard will also display:
    • Discovered ‘Account Name/ID’
    • Discovered ‘n regions(s) discovered’
  • Click on ‘Save’ to complete the integration
  • The dashboard will display ‘AWS account added successfully’

Conclusion

Customers can observe and automate their AWS infrastructure from the WatchMyDC® Dashboard. This provides absolute control of their on-premise and on-cloud infrastructure from a single place.