Security best practices for AWS Connector

  • Published Apr 06, 2025

The AWS Connector is a powerful tool; to use it securely, follow the recommendations below.

Prerequisite

Set up AWS Connector

Recommendations

We have collected a few recommendations for using the AWS Connector securely.

Define minimal privileges

To define minimal privileges for your AWS IAM role:

  1. Define which AWS resources you want to manage with the AWS actions in Workflows.
  2. Define which AWS actions you want to use on those resources.
  3. Create an AWS IAM role with only the permissions you need.

Define different roles for different user groups

We recommend creating separate AWS IAM roles if you want different user groups to manage different AWS resources with the AWS Connector.

To define different AWS IAM roles for different user groups:

  1. Create additional AWS IAM roles.

  2. In Trusted relationships, set the connection you want to use for every IAM role.

  3. Add the Dynatrace connection as the subject (`sub`) claim in the Condition section of the trust policy of your role, so that only that connection can assume it:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::000000000000:oidc-provider/token.dynatrace.com"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "token.dynatrace.com:aud": "<your-tenant>/app-id/dynatrace.aws.connector",
              "token.dynatrace.com:sub": "dtid:connection/<your-connection-name>"
            }
          }
        }
      ]
    }
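The following is an added example, not Dynatrace's own code: a small check that a role's trust policy is pinned to the expected audience and connection as described above, flagging policies where the `sub` condition is missing (which would let any connection in the tenant assume the role). The tenant id and connection name in the constructed samples are placeholders.

```python
import json

DT_OIDC = "token.dynatrace.com"  # OIDC provider used by the AWS Connector


def check_connector_trust_policy(policy_json, expected_aud, expected_sub):
    """Return a list of findings for an AWS Connector trust policy.

    An empty list means every Allow statement granting AssumeRoleWithWebIdentity
    is restricted to the expected aud (tenant/app) and sub (connection) claims.
    """
    findings = []
    policy = json.loads(policy_json)
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithWebIdentity" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal")
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if f"oidc-provider/{DT_OIDC}" not in federated:
            findings.append(f"statement {i}: principal is not the {DT_OIDC} OIDC provider")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        aud = cond.get(f"{DT_OIDC}:aud")
        sub = cond.get(f"{DT_OIDC}:sub")
        if aud != expected_aud:
            findings.append(f"statement {i}: aud condition missing or wrong ({aud!r})")
        if sub is None:
            findings.append(f"statement {i}: no sub condition, any connection in the tenant could assume this role")
        elif sub != expected_sub:
            findings.append(f"statement {i}: sub condition pins a different connection ({sub!r})")
    return findings


def sample_policy(conditions):
    # Constructed trust policy in the shape shown above; account id is a placeholder.
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::000000000000:oidc-provider/{DT_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": conditions}}]})


EXPECTED_AUD = "abc12345/app-id/dynatrace.aws.connector"  # placeholder tenant
EXPECTED_SUB = "dtid:connection/billing-team"               # placeholder connection name
GOOD = sample_policy({f"{DT_OIDC}:aud": EXPECTED_AUD, f"{DT_OIDC}:sub": EXPECTED_SUB})
NO_SUB = sample_policy({f"{DT_OIDC}:aud": EXPECTED_AUD})  # too broad: sub not pinned

if __name__ == "__main__":
    for name, pol in (("good", GOOD), ("no_sub", NO_SUB)):
        print(name, check_connector_trust_policy(pol, EXPECTED_AUD, EXPECTED_SUB) or "OK")
```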

Monitor your AWS account activities

You can use AWS CloudTrail to monitor and log your AWS account activities. To analyze these logs, you can import them into Dynatrace with Stream logs via Amazon Data Firehose.