Create an AWS connection

  • Latest Dynatrace
  • How-to guide
  • Published Aug 29, 2025
  • Preview

This is an overview of how to onboard your AWS account in a few steps that generate a deployable CloudFormation template.

The CloudFormation stack will deploy core mandatory resources inside your AWS account (Dynatrace SaaS IAM Monitoring Role, AWS Secrets, Dynatrace API integration Lambda Function).

After a successful deployment, a connection from Dynatrace SaaS to your AWS account will be created. Dynatrace SaaS will then perform API calls to your AWS account to poll and push telemetry into your Dynatrace environment.

The new integration neither deploys nor uses ActiveGate compute resources inside your AWS account to poll or push telemetry; the experience is transparent and fully managed by Dynatrace SaaS.

Preview limitations

  • Only standalone AWS accounts are supported. AWS Organization onboarding of AWS member accounts (using StackSets) is planned for future releases.
  • During the Preview, we don't recommend onboarding AWS accounts with business-critical workloads.
  • AWS commercial partition Regions are supported; GovCloud and China are not supported.
  • When deleting CloudFormation stacks (failed stack deployments, cleanups), the AWS connection must be deleted manually within Settings.
  • Deleting an existing AWS connection within Dynatrace permanently deletes its associated monitoring configuration; there is no way to restore it.
  • We highly discourage onboarding AWS accounts that are actively monitored by our classic AWS integration. Onboarding such accounts might increase the likelihood of AWS API throttling, potentially resulting in service interruptions.

Prerequisites

Only a Dynatrace administrator and an AWS Admin can successfully complete the initial prerequisites.

AWS IAM baseline

All necessary AWS permissions must be granted to successfully deploy the CloudFormation stacks and associated AWS resources.

In environments where full duty separation is practiced, it's recommended that the Dynatrace administrator shares the template with the platform team/AWS administrators.

Core templates:

Conditional templates (deployed based on user opt-in during onboarding):

AWS IAM permission policy for deploying the CloudFormation stacks

Make sure that the AWS user or role used for the CloudFormation stack deployment is granted the following (minimum) permission policy.

Replace all placeholder text enclosed in angle brackets (<your_value_here>) with your actual values.

The value for <Deployment-Stack-Name-Prefix> should be derived from the connection friendly name specified by the user.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "cloudformation0",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DescribeStacks",
        "cloudformation:UpdateStack",
        "cloudformation:ListStacks",
        "cloudformation:DescribeStackResources",
        "cloudformation:DeleteStack",
        "cloudformation:CreateChangeSet",
        "cloudformation:DescribeChangeSet",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:CreateStackInstances",
        "cloudformation:ListStackInstances",
        "cloudformation:DescribeStackInstance",
        "cloudformation:DeleteStackInstances",
        "cloudformation:CreateStackSet",
        "cloudformation:UpdateStackSet",
        "cloudformation:DescribeStackSet",
        "cloudformation:DescribeStackSetOperation",
        "cloudformation:ListStackSetOperationResults",
        "cloudformation:DeleteStackSet",
        "cloudformation:TagResource",
        "cloudformation:UntagResource"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:<AWS-Account-ID>:stackset-target/*",
        "arn:aws:cloudformation:<Deployment-Region>:<AWS-Account-ID>:stackset/Dynatrace*:*",
        "arn:aws:cloudformation:<Deployment-Region>:<AWS-Account-ID>:stack/<Deployment-Stack-Name-Prefix>*/*",
        "arn:aws:cloudformation:*:<AWS-Account-ID>:stack/StackSet-Dynatrace*/*",
        "arn:aws:cloudformation:*:<AWS-Account-ID>:type/resource/*"
      ]
    },
    {
      "Sid": "cloudformation1",
      "Effect": "Allow",
      "Action": [
        "cloudformation:GetTemplate",
        "cloudformation:ValidateTemplate",
        "cloudformation:GetTemplateSummary"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "kms0",
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:RevokeGrant"
      ],
      "Resource": [
        "arn:aws:kms:<Deployment-Region>:<AWS-Account-ID>:key/*"
      ]
    },
    {
      "Sid": "lambda",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:UpdateFunctionCode",
        "lambda:GetFunction",
        "lambda:InvokeFunction",
        "lambda:DeleteFunction",
        "lambda:TagResource",
        "lambda:UntagResource"
      ],
      "Resource": [
        "arn:aws:lambda:<Deployment-Region>:<AWS-Account-ID>:function:<Deployment-Stack-Name-Prefix>*"
      ]
    },
    {
      "Sid": "iam",
      "Effect": "Allow",
      "Action": [
        "iam:CreatePolicy",
        "iam:CreatePolicyVersion",
        "iam:SetDefaultPolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:DeletePolicy",
        "iam:CreateRole",
        "iam:UpdateRole",
        "iam:DeleteRole",
        "iam:PassRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:DetachRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:GetRole",
        "iam:GetPolicy",
        "iam:ListPolicyVersions",
        "iam:TagPolicy",
        "iam:TagRole",
        "iam:UntagPolicy",
        "iam:UntagRole",
        "iam:GetRolePolicy",
        "iam:UpdateAssumeRolePolicy"
      ],
      "Resource": [
        "arn:aws:iam::<AWS-Account-ID>:policy/<Deployment-Stack-Name-Prefix>*",
        "arn:aws:iam::<AWS-Account-ID>:role/<Deployment-Stack-Name-Prefix>*"
      ]
    },
    {
      "Sid": "s3",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::dynatrace-data-acquisition/aws/deployment/cfn/*"
      ]
    },
    {
      "Sid": "secretsmanager",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:CreateSecret",
        "secretsmanager:DescribeSecret",
        "secretsmanager:UpdateSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue",
        "secretsmanager:TagResource",
        "secretsmanager:DeleteSecret"
      ],
      "Resource": [
        "arn:aws:secretsmanager:<Deployment-Region>:<AWS-Account-ID>:secret:DynatraceAPIAccessToken*",
        "arn:aws:secretsmanager:<Deployment-Region>:<AWS-Account-ID>:secret:DynatraceAPIPlatformToken*"
      ]
    },
    {
      "Sid": "kms1",
      "Effect": "Allow",
      "Action": [
        "kms:CreateKey",
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:PutKeyPolicy",
        "kms:ScheduleKeyDeletion",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:CreateAlias",
        "kms:DeleteAlias",
        "kms:UpdateAlias"
      ],
      "Resource": "*"
    },
    {
      "Sid": "logs",
      "Effect": "Allow",
      "Action": [
        "logs:DeleteLogGroup",
        "logs:CreateLogGroup",
        "logs:DeleteLogStream",
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:PutRetentionPolicy",
        "logs:TagResource",
        "logs:ListTagsForResource",
        "logs:DescribeIndexPolicies",
        "logs:AssociateKmsKey",
        "logs:DisassociateKmsKey"
      ],
      "Resource": [
        "arn:aws:logs:<Deployment-Region>:<AWS-Account-ID>:log-group:/aws/lambda/<Deployment-Stack-Name-Prefix>*"
      ]
    }
  ]
}
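Before handing the policy above to the AWS administrators, it is worth rendering the placeholders programmatically and checking what the result actually grants. The following is an added example, not part of the Dynatrace documentation: it fills the page's placeholders, refuses to emit a policy with an unfilled or malformed value, and reports which statements use a wildcard resource, repeat an action, or are scoped to the connection's stack-name prefix. The embedded template is a constructed, abbreviated copy of the policy (two statements only, one with a deliberate duplicate action), and the account ID, region and prefix are sample values.

```python
import json
import re
from collections import Counter

# Placeholders on the page look like <Deployment-Region>.
PLACEHOLDER = re.compile(r"<([A-Za-z0-9-]+)>")

# Constructed, abbreviated copy of the page's policy: two statements kept with the
# page's placeholder names; "lambda" given a deliberate duplicate action on purpose.
POLICY_TEMPLATE = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "lambda",
      "Effect": "Allow",
      "Action": ["lambda:CreateFunction", "lambda:DeleteFunction", "lambda:CreateFunction"],
      "Resource": ["arn:aws:lambda:<Deployment-Region>:<AWS-Account-ID>:function:<Deployment-Stack-Name-Prefix>*"]
    },
    {
      "Sid": "kms1",
      "Effect": "Allow",
      "Action": ["kms:CreateKey", "kms:DescribeKey"],
      "Resource": "*"
    }
  ]
}
"""

# Constructed sample values; the prefix is derived from the connection friendly name.
VALUES = {
    "AWS-Account-ID": "123456789012",
    "Deployment-Region": "us-east-1",
    "Deployment-Stack-Name-Prefix": "MyEastProd3Account",
}


def render_policy(template: str, values: dict) -> dict:
    """Substitute every <placeholder>; fail loudly if one is missing or malformed."""
    needed = set(PLACEHOLDER.findall(template))
    missing = sorted(needed - set(values))
    if missing:
        raise ValueError(f"unfilled placeholders: {missing}")
    if not re.fullmatch(r"\d{12}", values.get("AWS-Account-ID", "")):
        raise ValueError("AWS-Account-ID must be a 12-digit account number")
    rendered = PLACEHOLDER.sub(lambda m: values[m.group(1)], template)
    return json.loads(rendered)  # also proves the rendered text is valid JSON


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict, stack_prefix: str) -> dict:
    """What a reviewer checks before attaching the policy: statements with a
    wildcard resource, repeated actions, and statements scoped to the prefix."""
    report = {"wildcard_resource_sids": [], "duplicate_actions": {}, "prefix_scoped_sids": []}
    for stmt in policy["Statement"]:
        sid = stmt["Sid"]
        resources = _as_list(stmt["Resource"])
        if "*" in resources:
            report["wildcard_resource_sids"].append(sid)
        dupes = sorted(a for a, n in Counter(_as_list(stmt["Action"])).items() if n > 1)
        if dupes:
            report["duplicate_actions"][sid] = dupes
        if all(stack_prefix in r for r in resources):
            report["prefix_scoped_sids"].append(sid)
    return report


def remaining_placeholders(policy: dict) -> list:
    """Any <...> left after rendering means a value was not supplied."""
    return sorted(set(PLACEHOLDER.findall(json.dumps(policy))))


if __name__ == "__main__":
    rendered = render_policy(POLICY_TEMPLATE, VALUES)
    print(json.dumps(audit_policy(rendered, VALUES["Deployment-Stack-Name-Prefix"]), indent=2))
```

Run against the full policy, the audit flags cloudformation1 and kms1 as the statements with a wildcard resource, which is the list to justify to whoever approves the deployment principal.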

Create the Dynatrace IAM baseline

The new AWS Platform Monitoring has been integrated with the core Dynatrace Identity & access management design.

In case you're not familiar with the Dynatrace IAM concept, you can learn more about the basic concepts on the following pages:

In this documentation section context:

  • Dynatrace Account Admin: A user with the View and manage users and groups permission who can create the initial IAM permissions configuration that allows the CloudsAdmins to successfully manage AWS connections and ingest telemetry from AWS.

  • CloudsAdmin: A member of the CloudsAdmins group, which has all the permissions required to manage AWS connections in Fleet Management, to set up telemetry ingest, and to programmatically manage AWS connections using platform tokens for the service users.

  • Platform token: The authentication and authorization secret used to establish secure communication with the Dynatrace APIs.

    In our context, two platform tokens are to be created:

    • Settings PT—allows the programmatic creation of an AWS connection.
    • Ingest PT—allows the programmatic ingest of push-based telemetry from AWS.
  • Service user: A non-interactive identity against which platform tokens are created.

  • CloudConnectionServiceUser group: A group whose members (service users) inherit all the required token permission scopes.

Only a Dynatrace Account Admin, or a user belonging to a group with View and manage users and groups permission, can perform the following initial setup.

  1. Create the CloudsAdminWrite permission policy:

    1. Go to Account Management and navigate to the desired Dynatrace account.

    2. On the top menu, select Identity & access management > Policy management.

    3. In the upper-right corner, select Create policy.

      Policy name: CloudsAdminWrite

      Policy description: Allow the Clouds Admins users or groups to fully admin (read and write) all Clouds Connections, from creation to deletion

    4. Copy and paste the policy statement below:

      ALLOW environment:roles:manage-settings, settings:objects:read,
      extensions:configurations:read, extensions:configurations:write,
      extensions:definitions:read, data-acquisition:events:ingest,
      data-acquisition:logs:ingest, data-acquisition:metrics:ingest,
      storage:logs:read, storage:metrics:read, storage:smartscape:read,
      storage:events:read, storage:buckets:read, iam:service-users:use;
    5. Select Save.

  2. Create the CloudsAdmins group.

    Once created, select Permissions > Scope and add the CloudsAdminWrite and Standard User policies.

    Apply Account-Wide or Environment-Wide, then select Save.

    Validation: The CloudsAdmins Permissions section should show:

    • CloudsAdminWrite
    • Standard User
  3. Invite the CloudsAdmin user.

    In the Select groups step, find the CloudsAdmins group and check the Status checkbox, then select Save.

At that point, you can also assign any existing IAM user to the CloudsAdmins group.

  1. Create the CloudsServiceUserPolicy permission policy:

    1. Go to Account Management and navigate to the desired Dynatrace account.

    2. On the top menu, select Identity & access management > Policy management.

    3. In the upper-right corner, select Create policy.

      Policy name: CloudsServiceUserPolicy

      Policy description: Allow the service user linked platform tokens to create/manage AWS Connections and ingest telemetry from AWS

    4. Copy and paste the policy statement below:

      ALLOW settings:objects:read, settings:objects:write, extensions:definitions:read,
      extensions:configurations:read, extensions:configurations:write,
      data-acquisition:logs:ingest, data-acquisition:metrics:ingest, data-acquisition:events:ingest;
    5. Select Save.

  2. Create a service user.

    Use a meaningful name that gives others the initial context, for example: aws-east25-prod-aws-connections-tokens-perm.

    In step 3, Assign permissions, choose Directly, under Permissions choose the CloudsServiceUserPolicy policy, choose the proper scope, and select Create.

At this point all the Dynatrace IAM baseline (one-off) prerequisites have been completed.

Onboarding

Before you start onboarding, make sure the Dynatrace Account Admin has completed all prerequisites.

  1. Log in to the Dynatrace platform as a CloudsAdmin (or any other user member of the CloudsAdmins group) and open Settings.
  2. Go to Collect and capture > Cloud and virtualization > AWS (Preview) and select New connection.

If the button is greyed out, you do not have the proper permissions to create a connection. Please contact your administrator.

  1. Enter a friendly connection name that is unique, for example: MyEastProd3Account.

  2. Enter the AWS Account ID where you intend to deploy the connection.

  3. Choose the Deployment region.

    The deployment region is the AWS Region in which the CloudFormation stack will be deployed.

  4. Select Next.

  1. Choose the Recommended observability flow (see the observability options to learn more).

  2. Choose the AWS Regions you want to monitor. The Monitored Regions are the AWS Regions from which Dynatrace can securely poll metrics and topology and push logs.

    It's mandatory to enable us-east-1 regardless of your desired monitored regions since global AWS resources reside in us-east-1.

  3. Select Next.

After a successful onboarding, you will be able to customize monitored AWS Regions and all other supported monitoring settings.

Dynatrace settings token

The Dynatrace settings token interacts with the Dynatrace API and allows creating an AWS connection.

  1. Select Platform tokens to open a new window that redirects to the platform tokens page.

  2. Follow the step-by-step instructions on how to create a new platform token.

    Generate the token for the Service user.

    Browse the drop-down list and choose the relevant service user, in our example: aws-east25-prod-aws-connections-tokens-perm.

While it's possible to create a platform token and link it to your own Dynatrace IAM identity (Myself option), we strongly recommend against this approach.

Interactive Dynatrace IAM users may be deleted; when that happens, all platform tokens linked to them are deleted too, potentially causing a service interruption.

You can't locate the service user in the drop-down list, or the Service user option is greyed out? Head over to the Troubleshooting section.

  1. Select the following token scopes:

    • settings:objects:read
    • settings:objects:write
    • extensions:configurations:read
    • extensions:configurations:write
    • extensions:definitions:read
  2. Paste the newly created token into the Dynatrace settings token field.

Dynatrace ingest token

The Dynatrace ingest token interacts with the Dynatrace telemetry ingest APIs to allow push-based log ingest and push-based AWS EventBridge event publishing.

  1. Repeat steps 1 and 2 above and enable the following scopes:

    • data-acquisition:logs:ingest
    • data-acquisition:events:ingest
    • data-acquisition:metrics:ingest
  2. Copy and paste the newly created platform token into the Dynatrace ingest token field.

  3. Finally, select Download and Next.

If the download button is greyed out, the Dynatrace token fields are not populated with platform tokens.

Generating the platform tokens and granting permission scopes will not be effective if the service user linked to the platform tokens is not a member of the CloudConnectionServiceUser group, as instructed in the prerequisites.

Rotating Dynatrace tokens

To rotate Dynatrace tokens, update the CloudFormation stack, specifying new values for the pDtApiToken and pDtIngestToken parameters.

When using an older CloudFormation stack template version (< 0.8.3), you need to manually update the secrets in AWS Secrets Manager:

  • Dynatrace API access token: (in deployment region) arn:aws:secretsmanager:*:*:secret:DynatraceAPIAccessToken*
  • Dynatrace ingest token (in each region configured for logs ingest): arn:aws:secretsmanager:*:*:secret:DynatraceLogsIngestPlatformToken*
  • Dynatrace ingest token (in each region configured for events ingest): arn:aws:secretsmanager:*:*:secret:events!connection/DynatraceEventBusConnection*
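The two rotation paths above, as an added example that is not Dynatrace's code: for current templates it builds the boto3 update_stack() request so that only pDtApiToken and pDtIngestToken change and every other parameter is carried over, and for templates below 0.8.3 it builds the per-region list of Secrets Manager secrets to update, using the secret name prefixes from the ARN patterns above. Assumed, because the page does not state them: the stack needs CAPABILITY_NAMED_IAM and CAPABILITY_AUTO_EXPAND, the secrets hold the bare token as SecretString, and the stack name, regions and third parameter are constructed sample data.

```python
from typing import List

TOKEN_PARAMETERS = ("pDtApiToken", "pDtIngestToken")  # parameter names from the page

# Secret name prefixes taken from the page's ARN patterns (the trailing * is the
# random suffix Secrets Manager appends, so the real ARN must be resolved by prefix).
API_SECRET_PREFIX = "DynatraceAPIAccessToken"
LOGS_SECRET_PREFIX = "DynatraceLogsIngestPlatformToken"
EVENTS_SECRET_PREFIX = "events!connection/DynatraceEventBusConnection"


def update_stack_request(stack_name: str, existing_parameter_keys: List[str],
                         api_token: str, ingest_token: str) -> dict:
    """Keyword arguments for boto3 cloudformation.update_stack().

    A parameter omitted from an update falls back to the template default, which
    would silently reconfigure the connection, so every non-token parameter is
    passed with UsePreviousValue=True and the template itself is left unchanged.
    """
    missing = [p for p in TOKEN_PARAMETERS if p not in existing_parameter_keys]
    if missing:
        raise ValueError(f"stack has no {missing} parameter(s); for templates older "
                         "than 0.8.3 rotate the Secrets Manager secrets instead")
    new_values = {"pDtApiToken": api_token, "pDtIngestToken": ingest_token}
    parameters = []
    for key in existing_parameter_keys:
        if key in new_values:
            parameters.append({"ParameterKey": key, "ParameterValue": new_values[key]})
        else:
            parameters.append({"ParameterKey": key, "UsePreviousValue": True})
    return {
        "StackName": stack_name,
        "UsePreviousTemplate": True,
        "Parameters": parameters,
        # Assumed: the template creates named IAM roles and nested stacks.
        "Capabilities": ["CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"],
    }


def legacy_secret_rotation_plan(deployment_region: str, log_regions: List[str],
                                event_regions: List[str], api_token: str,
                                ingest_token: str) -> List[dict]:
    """For template versions < 0.8.3: which secret to update in which region.

    Each entry is the region to open a secretsmanager client in, the name prefix
    to resolve with list_secrets(Filters=[{'Key': 'name', 'Values': [prefix]}]),
    and the kwargs for put_secret_value() once the SecretId is known.
    """
    plan = [{"region": deployment_region, "name_prefix": API_SECRET_PREFIX,
             "put_secret_value": {"SecretString": api_token}}]
    for region in sorted(set(log_regions)):
        plan.append({"region": region, "name_prefix": LOGS_SECRET_PREFIX,
                     "put_secret_value": {"SecretString": ingest_token}})
    for region in sorted(set(event_regions)):
        plan.append({"region": region, "name_prefix": EVENTS_SECRET_PREFIX,
                     "put_secret_value": {"SecretString": ingest_token}})
    return plan


if __name__ == "__main__":
    # Constructed sample: parameter keys as describe_stacks() would list them.
    req = update_stack_request("MyEastProd3Account",
                               ["pDtApiToken", "pDtIngestToken", "pMonitoredRegions"],
                               "<new-settings-token>", "<new-ingest-token>")
    print(req)
    print(legacy_secret_rotation_plan("us-east-1", ["us-east-1", "eu-west-1"],
                                      ["us-east-1"], "<new-settings-token>", "<new-ingest-token>"))
```

Because the new tokens are generated for the service user, the CloudConnectionServiceUser group membership check from the prerequisites still applies after rotation.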
  1. Head over to the AWS Console and log into the designated AWS account with an AWS IAM user that has all the needed permissions to deploy the CloudFormation stack.

  2. Once logged in, select Deploy the CloudFormation in AWS Console.

If you practice role duty separation, the Dynatrace admin may have no access to, or permissions for, the AWS environment.

In this case, select Copy Deployment Link.

Share this deep link and the downloaded platform tokens CSV file with your platform team and/or AWS Admins.

This allows them to deploy the CloudFormation stack with the wizard configuration that you have set.

Note that we recommend setting the Dynatrace settings token to expire 30 minutes after creation.

If the CloudFormation deployment is planned for a later stage, create a new token then; using an expired token will fail the deployment.

  1. Copy the settings and ingest tokens from the downloaded CSV file (the file name will follow the connection friendly name) and paste them into the corresponding CloudFormation parameters (settings token, ingest token).

  2. Deploy the stack.

  3. When the CloudFormation stacks deployment finishes successfully (which can take up to 15 minutes), head back to the wizard and confirm.

CloudFormation stack deployment failed? Head over to the Troubleshooting section.

Successful onboarding involves two elements:

  • In Settings > Collect and capture > Cloud and virtualization > AWS (Preview), the new AWS connection is Healthy.
  • In AWS, the CloudFormation stacks are all in CREATE_COMPLETE status.

What's next?

  • Head over to Clouds; AWS resources with telemetry should start to appear shortly.

  • Configure CloudWatch log group subscriptions if the Logs Ingest option was enabled.

  • Access our new launchpad that helps you get started with the new AWS Platform Monitoring.

    To do that, open Launcher, select Browse all, and select PREVIEW—AWS Cloud Platform Monitoring.

Onboarding observability options

For now, the onboarding wizard supports two flows:

  • Recommended: The default and fastest way to onboard your AWS account. The monitoring configuration is an opinionated (immutable) settings flow—only monitored regions are customizable. This flow provides:

    • AWS account resources inventory using Clouds (for supported AWS services).

    • AWS account resources topology, depicted as rich resource entities using Clouds (for supported AWS services).

    • Amazon CloudWatch API metric polling (per enabled region) for common services and their essential metric collection set.

    • Amazon Data Firehose stream (per enabled region), without automatic log group subscription.

    A metric collection set is a group of metrics assigned to a supported AWS service. Once assigned, all metrics in this collection set are scheduled for polling. For more information on services and metrics, refer to the Cloud Metrics page.

  • Advanced: The most fine-grained path to onboard an AWS account. Allows you to fully customize the monitoring configuration to meet any advanced use cases.

    Regardless of the selected path, customizing all the supported monitoring settings is possible post-onboarding.

    The topology signal is auto-enabled; it can't be disabled.

Troubleshooting

Make sure that your Dynatrace IAM user has the proper permission scopes to create and manage a connection. See the Create the Dynatrace IAM baseline section for more details.

If your CloudFormation deployment fails, it's often related to a lack of AWS IAM permissions, AWS service limits being hit, or Service Control Policies configured in your AWS Organization. You can run our troubleshooting helper script to find out the root cause:

  1. Open AWS CloudShell in the AWS Management Console.

    Alternatively, you can run bash with AWS CLI installed.

  2. Download the script:

    wget -q https://dynatrace-data-acquisition.s3.us-east-1.amazonaws.com/aws/deployment/cfn/da-activation-check.sh -O da-activation-check.sh && chmod +x ./da-activation-check.sh
  3. Run the script to analyze the failure reason and review its output: ./da-activation-check.sh --stack-name <activation-stack-name>.

    The activation main stack name follows the AWS connection name specified in the Dynatrace connections list, for example, connection name: MyEastProd3Account

To find the failure reason manually:

  1. Go to the AWS Management Console > CloudFormation stack events and search for the root cause.
  2. Also search nested stacks and StackSet instances (if logs/events ingest was enabled) for failed events.

If you encounter an error that you cannot resolve on your own, please contact us at: awscloudmonitoring-preview@dynatrace.com or alternatively open a Dynatrace support ticket providing the script output.

The best way to solve this issue is to delete the failed stack and repeat the deployment specifying valid tokens as parameters. You can start the deployment from Dynatrace Settings UI to generate a new API token that will be valid for 30 minutes only.

If the CloudFormation stack shows error messages such as "User: arn:aws: <...> is not authorized to perform: <...> on resource: <...>", the user/role has not been granted the permissions required by our policy. Update the setup by adding the required AWS permissions, clean the current setup, and restart the process.

To learn how to clean the current setup, see the "The CloudFormation stack did not complete successfully, I fixed the issue. How do I clean the current setup and start over?" section below.

If the CloudFormation stack shows error messages such as "Account XXX has not enabled [region-XYZ]: ...", clean the current setup, enable that region or remove it from the deployment parameters, and restart the process.

To learn how to clean the current setup, see the "The CloudFormation stack did not complete successfully, I fixed the issue. How do I clean the current setup and start over?" section below.

If the CloudFormation stack shows error messages such as "You are not subscribed to this service" or "The AWS Access key Id needs a subscription for the service (Service Firehose)", this is because new services, such as Firehose, must be enabled on some new accounts. See how to resolve problems when accessing a service in the AWS Management Console.

After enabling it, clean the current setup and restart the process.

To learn how to clean the current setup, see the "The CloudFormation stack did not complete successfully, I fixed the issue. How do I clean the current setup and start over?" section below.

Please contact us at: awscloudmonitoring-preview@dynatrace.com or alternatively open a Dynatrace support ticket sharing the errors you experienced.

In the AWS CloudFormation console, delete the master Dynatrace stack; the main stack name follows the connection name, in our example MyEastProd3Account. Follow the AWS guidelines on deleting stacks.

Once the stack and its nested stacks are (completely) deleted:

  1. In Dynatrace, go to Settings > Cloud and virtualization > AWS (Preview).
  2. Find and select the connection action menu on the right.
  3. Select Delete.
  4. You are now able to start the wizard and create a new connection.

Even if your organization enforces tagging via Service Control Policies or IAM, some of the resources created by CloudFormation do not support tag propagation. For more details, please check AWS CloudFormation resource tagging.

Looking at the Destination error logs tab (AWS Firehose console) I get this message:

Delivery to the endpoint was unsuccessful. See Troubleshooting HTTP Endpoints in the Firehose documentation for more information. Response received with status code. 403: "requestId":"xxxx,"errorMessage":"The authorization token does not provide the necessary permissions. details: missing_scopes=[data-acquisition:logs:ingest]

How can I solve this?

Validate that:

  1. The platform ingest token is assigned the correct permission scope (data-acquisition:logs:ingest).
  2. The Dynatrace service user linked to the token is also assigned the same token permission scope (data-acquisition:logs:ingest).
  3. The platform ingest token has not expired.
  4. The service user has not been deleted.
  5. The platform token's environment scope is set to the correct Dynatrace environment.

Your IAM user may have no permission to create platform tokens for (existing) service users; in this case a specific permission scope must be granted. Contact your Dynatrace admin to learn whether the prerequisites were followed.

Share your feedback

The onboarding experience is an evolving core product feature. We are constantly working to collect feedback.

During the Preview we will reach out and ask for feedback. We highly appreciate your willingness to share any suggestions. You can also share your feedback anytime by writing us an email: awscloudmonitoring-preview@dynatrace.com.
