Integrate AWS Accounts for Cloud Services Monitoring
Introduction
Customers can integrate AWS accounts with WatchMyDC® to observe and automate cloud services and on-premise solutions together from a single dashboard. Integrating a cloud account or organization, such as AWS, does not require a WatchMyDC® Collector to be deployed. Instead, WatchMyDC® collects performance metrics of the various services from the AWS CloudWatch service over cloud-to-cloud communication.
Dependencies
Because WatchMyDC® communicates through the AWS CloudWatch service, it requires access to the customer's AWS account through IAM roles and permissions.
Known Limitations
For observability, only AWS services that are monitored through AWS CloudWatch are supported. This is not a limitation of the automation feature.
Integration Methods
WatchMyDC® supports two methods of AWS account integration. Customers can adopt either method according to their industry and data compliance regulations.
- Role Delegation
- Access Keys
Both methods require a custom IAM policy, which is created as follows:
- Sign into AWS Console
- Navigate to ‘IAM’
- Click on ‘Policies’ from the left panel; this opens the page listing all policies
- Click on ‘Create Policy‘
- Select the ‘JSON‘ option
- Copy and paste the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "ec2:DescribeRegions",
        "cloudwatch:PutMetricAlarm",
        "sns:GetTopicAttributes",
        "sns:Subscribe",
        "sns:CreateTopic"
      ],
      "Resource": "*"
    }
  ]
}
- Click on ‘Next: Tags‘; this loads the page named ‘Add tags (optional)‘, which can be left empty
- Click on ‘Next: Review‘; this loads the page named ‘Review‘
- Enter a proper name and description for the policy.
- Example ‘Policy name‘: watchmydc_policy
- Example ‘Policy description‘: This policy is for WatchMyDC Observability & Automation
- Click on ‘Create policy‘
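The policy above grants both read-only metric access and a few mutating rights (creating alarms and SNS topics and subscriptions) that the automation feature uses. Before attaching it, a reviewer will usually want to see exactly which actions can change state in the account. The following Python script is an added example, not WatchMyDC's code: it parses the policy document and separates read-only from mutating actions and flags wildcards. The prefix list used to classify actions as read-only is an assumption of this example, a heuristic rather than an authoritative AWS classification.

```python
import json

# Constructed copy of the watchmydc_policy document shown above, used as sample input.
WATCHMYDC_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "ec2:DescribeRegions",
        "cloudwatch:PutMetricAlarm",
        "sns:GetTopicAttributes",
        "sns:Subscribe",
        "sns:CreateTopic"
      ],
      "Resource": "*"
    }
  ]
}
""")

# Assumption: action names starting with these prefixes only read state.
# Everything else is treated as mutating and should be reviewed before attaching.
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return the read-only, mutating and wildcard actions granted by Allow statements.

    Wildcards ('*' or 'service:*') are reported separately because they exceed
    what the integration needs and should not appear in this policy.
    """
    read_only, mutating, wildcards = set(), set(), set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            _service, _, name = action.partition(":")
            if action == "*" or name == "*":
                wildcards.add(action)
            elif name.startswith(READ_ONLY_PREFIXES):
                read_only.add(action)
            else:
                mutating.add(action)
    return {
        "read_only": sorted(read_only),
        "mutating": sorted(mutating),
        "wildcards": sorted(wildcards),
    }


if __name__ == "__main__":
    for category, actions in audit_policy(WATCHMYDC_POLICY).items():
        print(f"{category}: {actions}")
```

Run against the policy above, the mutating set is exactly cloudwatch:PutMetricAlarm, sns:CreateTopic and sns:Subscribe, which is the alarm-and-notification plumbing the automation feature relies on; an empty wildcard list confirms nothing broader slipped in.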
Role Delegation
With this method, the AWS admin creates a custom role dedicated to WatchMyDC. The steps below guide the Role Delegation process:
01: WatchMyDC Dashboard
- Sign in to the WatchMyDC Dashboard
- Navigate to ‘Operations‘ > ‘Configuration Center‘ > ‘Cloud Services‘
- Enable ‘Role Delegation‘ by sliding the option on; this locks the ‘Access Key‘ method
- Generate a random ‘AWS External ID‘ from the option and copy it by clicking on the copy icon.
02: AWS Console
- Sign into AWS Console
- Navigate to ‘IAM’
- Click on ‘Roles’ from the left panel; this opens the page listing all AWS roles
- Click on ‘Create role‘
- From the list under ‘Select type of trusted entity’, choose ‘Another AWS account‘
- Provide the WatchMyDC Account ID: 123456789 in the field ‘Account ID’
- Select ‘Require external ID (Best practice when a third party will assume this role)‘
- Enter the ‘AWS External ID‘ copied from the WatchMyDC Dashboard (see above) in the field ‘External ID‘
- Click on ‘Next: Permissions‘ to move to the next page
- Search for ‘watchmydc_policy‘, select the policy
- Click on ‘Next: Tags‘; this loads the page named ‘Add tags (optional)‘, which can be left empty
- Click on ‘Next: Review‘; this loads the page named ‘Review‘
- Enter a proper name and description for the role.
- Example ‘Role name‘: watchmydc_role
- Example ‘Role description‘: This role is for WatchMyDC Observability & Automation
- Click on ‘Create role‘
Here is an example of the resulting trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/organisations/aaaaaa-0000-b1b1-d1d1-12345678aaaa",
          "arn:aws:iam::123456789012:root"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "edb46444cc84742aa793011e0ee6a56845dfe1741c7b94f4f66f04506924eb15"
        }
      }
    }
  ]
}
Here:
- 123456789012 is to be replaced by the AWS Account Number provided by WatchMyDC
- aaaaaa-0000-b1b1-d1d1-12345678aaaa is to be replaced by the customer's WatchMyDC Organization ID, which can be found on the ‘Organization Settings‘ page or on the ‘Configuration Center‘ > ‘Collector‘ page
- the ‘sts:ExternalId‘ value is the ‘AWS External ID‘ generated on the WatchMyDC Dashboard in the previous step
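The two substitutions above and the External ID condition are the parts of the trust policy that decide who can assume the role, so they are worth checking mechanically before the role is created. The following Python code is an added example, not WatchMyDC's code: build_trust_policy produces a document in the shape shown above from the three values, and check_trust_policy verifies that an existing trust policy only allows sts:AssumeRole, only to principals in the expected account, and only with the External ID that the dashboard generated. The account, organization and External ID values are the placeholders from the page, not real identifiers.

```python
import json

# Placeholder values taken from the page; substitute the real ones from the dashboard.
WATCHMYDC_ACCOUNT = "123456789012"
ORGANIZATION_ID = "aaaaaa-0000-b1b1-d1d1-12345678aaaa"
EXTERNAL_ID = "edb46444cc84742aa793011e0ee6a56845dfe1741c7b94f4f66f04506924eb15"


def _as_list(value):
    """IAM accepts a string or a list in several fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def build_trust_policy(account_id, organization_id, external_id):
    """Return the trust policy document in the shape shown on the page."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        f"arn:aws:iam::{account_id}:user/organisations/{organization_id}",
                        f"arn:aws:iam::{account_id}:root",
                    ]
                },
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def check_trust_policy(policy, expected_account, expected_external_id):
    """Return a list of problems found; an empty list means the policy is acceptable."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        # Only role assumption should be granted to the external party.
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                problems.append(f"unexpected action: {action}")
        # Every principal must live in the account WatchMyDC provided; never '*'.
        for arn in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            if arn == "*" or f":{expected_account}:" not in arn:
                problems.append(f"principal outside expected account: {arn}")
        # The External ID condition is what ties the role to this customer's dashboard.
        cond = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if cond is None:
            problems.append("missing sts:ExternalId condition")
        elif cond != expected_external_id:
            problems.append("sts:ExternalId does not match the dashboard value")
    return problems


if __name__ == "__main__":
    policy = build_trust_policy(WATCHMYDC_ACCOUNT, ORGANIZATION_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("problems:", check_trust_policy(policy, WATCHMYDC_ACCOUNT, EXTERNAL_ID))
```

check_trust_policy can also be run on the trust policy pasted from the console's ‘Trust relationships‘ tab (loaded with json.loads) to confirm that the External ID pasted there matches the one the dashboard generated, which is the most common reason ‘Test Access‘ fails.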
03: WatchMyDC Dashboard
Assuming the user is on the ‘Operations‘ > ‘Configuration Center‘ > ‘Cloud Services‘ page, fill in the fields below under the ‘Role Delegation‘ method:
- ‘AWS Account ID‘: the customer's own AWS Account ID
- ‘Enter AWS role name‘: the ‘Role name‘ given in the previous section
- Click on ‘Test Access‘
- The dashboard will show the message ‘AWS role verified successfully‘
- Click on ‘Save‘ to complete the integration
- The dashboard will display ‘AWS account added successfully‘
Access Keys
In this simpler method, the AWS Admin provides the Access Key and Secret Key of an IAM user.
- The keys of an existing user can be used, but the watchmydc_policy must be attached to that user to allow WatchMyDC to observe the AWS services.
- WatchMyDC Analytics recommends creating a new user dedicated to this integration method.
The steps of integration are below:
01: AWS Console
- Sign into the ‘AWS Console‘
- Navigate to the ‘IAM‘ page
- Click on ‘Users‘ from the left panel; this opens the page listing all users and their details
- Click on ‘Add users‘
- Provide the ‘User name‘ from the ‘Set user details‘ section
- Select ‘Programmatic access‘ from the ‘Select AWS access type‘ section
- Click on ‘Next: Permissions‘ to move to the page of setting permissions
- Click on ‘Attach existing policies directly‘ from the ‘Set permissions‘ section
- Search and select ‘watchmydc_policy‘ as created earlier
- Click on ‘Next: Tags‘; this loads the page named ‘Add tags (optional)‘, which can be left empty
- Click on ‘Next: Review‘; this loads the page named ‘Review‘
- Click on ‘Create user‘
- Click on the ‘Download.csv‘ button to download the file containing the ‘Access key ID‘ and ‘Secret access key‘ needed for the integration
02: WatchMyDC Dashboard
- Sign in to the WatchMyDC Dashboard
- Navigate to ‘Operations‘ > ‘Configuration Center‘ > ‘Cloud Services‘
- Enable ‘Access Keys‘ by sliding the option on; this locks the ‘Role Delegation‘ method
- Enter the ‘Secret Key‘, found in the ‘Download.csv‘ file as ‘Secret access key‘
- Enter the ‘Access Key‘, found in the same file as ‘Access key ID‘
- Click on ‘Validate‘
- The dashboard will show the message ‘AWS account verified successfully‘
- The dashboard will also display:
- the discovered ‘Account Name/ID‘
- ‘n region(s) discovered‘
- Click on ‘Save‘ to complete the integration
- The dashboard will display ‘AWS account added successfully‘
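Both the ‘Test Access‘ step of Role Delegation and the ‘Validate‘ step of Access Keys have to establish the same two things: that the credentials (or the assumed role) identify an AWS account, and that ec2:DescribeRegions is permitted, which is what produces the ‘n region(s) discovered‘ message. The Python below is an added example, not WatchMyDC's own validation code. FakeSTS and FakeEC2 are constructed stand-ins that mimic the response shapes of boto3's sts.assume_role(), sts.get_caller_identity() and ec2.describe_regions(); real clients from boto3.client("sts") and boto3.client("ec2") can be passed in their place. The account number, key ids and External ID in it are constructed sample values.

```python
class FakeSTS:
    """Constructed stand-in for an STS client (assume_role, get_caller_identity)."""

    def __init__(self, expected_external_id, account="111122223333"):
        self._external_id = expected_external_id
        self._account = account

    def assume_role(self, RoleArn, RoleSessionName, ExternalId=None):
        # A role whose trust policy carries an sts:ExternalId condition refuses
        # the call unless the matching External ID is supplied.
        if ExternalId != self._external_id:
            raise PermissionError("AccessDenied: not authorized to perform sts:AssumeRole")
        return {
            "Credentials": {"AccessKeyId": "ASIAEXAMPLE",           # constructed
                            "SecretAccessKey": "constructed-secret",
                            "SessionToken": "constructed-token"},
            "AssumedRoleUser": {"Arn": RoleArn.replace(":role/", ":assumed-role/") + "/" + RoleSessionName},
        }

    def get_caller_identity(self):
        return {"Account": self._account,
                "Arn": f"arn:aws:iam::{self._account}:user/watchmydc_user"}


class FakeEC2:
    """Constructed stand-in for an EC2 client; an empty region list simulates a missing permission."""

    def __init__(self, regions):
        self._regions = regions

    def describe_regions(self):
        if not self._regions:
            raise PermissionError("UnauthorizedOperation: ec2:DescribeRegions")
        return {"Regions": [{"RegionName": r} for r in self._regions]}


def assume_customer_role(sts, account_id, role_name, external_id, session_name="watchmydc"):
    """Role Delegation: assume the customer's role, always passing the External ID."""
    role_arn = f"arn:aws:iam::{account_id}:role/{role_name}"
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name, ExternalId=external_id)
    return resp["Credentials"]


def validate_access(sts, ec2):
    """Identify the account and discover its regions, as the dashboard's Validate step does.

    Raises RuntimeError with an actionable message when region discovery is
    refused, which is the symptom of watchmydc_policy not being attached.
    """
    identity = sts.get_caller_identity()
    try:
        regions = sorted(r["RegionName"] for r in ec2.describe_regions()["Regions"])
    except Exception as exc:
        raise RuntimeError(f"region discovery failed; check that watchmydc_policy is attached: {exc}") from exc
    return {"account": identity["Account"], "arn": identity["Arn"],
            "region_count": len(regions), "regions": regions}


if __name__ == "__main__":
    external_id = "constructed-external-id"
    sts = FakeSTS(external_id)
    creds = assume_customer_role(sts, "111122223333", "watchmydc_role", external_id)
    print("assumed role, key id:", creds["AccessKeyId"])
    summary = validate_access(sts, FakeEC2(["us-east-1", "eu-west-1", "ap-south-1"]))
    print(f"account {summary['account']}: {summary['region_count']} region(s) discovered")
```

With real boto3 clients, validate_access is what the Access Keys path needs (the user's keys are the session credentials), while the Role Delegation path first calls assume_customer_role and builds the STS and EC2 clients from the returned temporary credentials; in both cases a failure in describe_regions points at the policy attachment rather than at the credentials themselves.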
Conclusion
Customers can observe and automate their AWS infrastructure from the WatchMyDC® Dashboard, which gives them complete control of their on-premise and cloud infrastructure from a single place.