Onboard AWS Organizations

  • Latest Dynatrace
  • Explanation
  • Published Nov 20, 2025

This is an overview of how to integrate and connect your AWS Organizations to Dynatrace AWS Platform Monitoring. The guide is intended for a Dynatrace admin and a delegated administrator for AWS Organizations.

High-level setup

  1. AWS Organizations monitoring configuration: The Dynatrace admin uses Settings to create an organization monitoring configuration template, targeted at a specific AWS organization ID. The configuration acts as the initial monitoring settings blueprint for all newly joined AWS member accounts.
  2. Assets sharing: The Dynatrace admin shares the monitoring configuration metadata, as part of a broader set of instructions, with the AWS Organizations delegated admin.
  3. Foundational StackSet: From the delegated administrator member account, the AWS Organizations delegated admin creates the foundational StackSet and deploys stack instances into the AWS account hosting the Dynatrace secrets, across each AWS region where member accounts will send logs and/or events to Dynatrace.
  4. Core StackSet: From the delegated administrator member account, the AWS Organizations delegated admin creates the core StackSet. They then choose the scope of deployment for the stack instances (the entire organization or specific OUs) and deploy the stack instances.

What does a successful onboarding look like?

  • An immediate deployment of the core CFN stack instances into AWS member accounts.
  • A Healthy status for the AWS connection (per AWS member account) in Settings.

The new integration does not deploy or use ActiveGate compute resources in your AWS member accounts to poll or push telemetry.

The experience is transparent and fully managed by the Dynatrace platform.

Limitations

  • GovCloud and China partitions are not supported.
  • If you plan to enable Amazon EventBridge events ingest, validate that the Regions you opt in to during the stack instance deployments support EventBridge API destinations.

A single Dynatrace environment allows up to 500 connections. If you need to exceed this, please contact Dynatrace support for more information.

General recommendations

  • We don't recommend onboarding AWS accounts that are actively monitored by our classic AWS integration. Onboarding such accounts might increase the likelihood of AWS API throttling, potentially resulting in service interruptions.
  • We recommend that the AWS admins review the CFN templates and make sure that any SCPs in place do not prevent the stack instances from creating the needed AWS resources.

Concepts

Management region

The AWS management region is a Dynatrace setting (a StackSets parameter) that enforces a constraint: certain AWS resources are deployed only within a single region boundary. You set this region and use it for every StackSet creation and every stack instance deployment.

It's mandatory to set the same management region for all StackSet creations and stack instance deployments.

Foundational StackSet

The foundational StackSet must be created as the first stack instance.

The foundational StackSet contains AWS resources that, when deployed as a stack instance, allow any member account to resolve the Dynatrace platform tokens shared across the organization via Dynatrace-specific IAM roles (created by the Core StackSet). The stack instance will deploy the following resources:

  • AWS resources:

    • Customer KMS key
    • AWS Secrets Manager secrets (storing Dynatrace tokens)
    • Secrets Manager resource policies to support secrets access from member accounts
  • Template: Foundational StackSet template

Stack instances: This StackSet supports single or multiple stack instance deployments (depending on the use case) across multiple regions, targeting either the delegated administrator member account or the organization's shared services/management account. In other words, only a single account (across multiple regions) is supported as the target foundational account.

For use cases where member accounts under specific OUs need their own dedicated secrets—separate from those used by accounts under other OUs—consult the step-by-step integration guide, paying close attention to the pDeploymentInstanceIdentifier parameter.

Core StackSet

You can create the core StackSet only after the foundational StackSet deployment has completed successfully.

The core StackSet contains AWS resources that, when deployed as a stack instance, are used to connect and register AWS member accounts to the Dynatrace platform.

Once the stack instance has been successfully deployed inside the AWS member account, the result is a Healthy AWS connection in Settings > Accounts.

The stack instance will deploy the following AWS resources (per an AWS member account):

  • AWS Lambda deployment (management region only)

  • Dynatrace monitoring IAM role

  • IAM service roles

  • Conditional AWS resources (created based on the selected options per AWS member account):

    • Firehose delivery streams (if log ingest was enabled)
    • S3 bucket for failed delivery logs backup (if log ingest was enabled)
    • AWS EventBridge connection (if event ingest was enabled)
    • AWS EventBridge API destination (if event ingest was enabled)

    During the deployment of stack instances, additional AWS resources may be created.

  • Template: Core StackSet template

  • Stack instances: This StackSet is intended to be deployed as multiple stack instances on a designated organization ID or organizational unit ID, targeting AWS member accounts.
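
The SCP review recommended under General recommendations can be partly automated. The following is an added example, not Dynatrace code: it scans an SCP document for explicit Deny statements that can hit the create actions behind the resource types listed above. The action list and the sample SCP are assumptions constructed for illustration; the CFN templates remain the authoritative source.

```python
import fnmatch
import json

# Assumption: one representative create action per resource type the page lists.
NEEDED_ACTIONS = [
    "kms:CreateKey", "secretsmanager:CreateSecret",
    "secretsmanager:PutResourcePolicy", "lambda:CreateFunction", "iam:CreateRole",
    "firehose:CreateDeliveryStream", "s3:CreateBucket",
    "events:CreateConnection", "events:CreateApiDestination",
]

# Constructed sample SCP: a Region guardrail plus a blanket Firehose deny.
SAMPLE_SCP = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "DenyOutsideApprovedRegions", "Effect": "Deny",
   "NotAction": ["iam:*", "organizations:*", "sts:*"], "Resource": "*",
   "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}},
  {"Sid": "DenyFirehose", "Effect": "Deny",
   "Action": "firehose:*", "Resource": "*"}
]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # IAM action names are case-insensitive and accept * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def scp_blockers(scp, needed=NEEDED_ACTIONS):
    """Return (action, sid, kind) for each Deny statement that can hit a needed action."""
    findings = []
    for stmt in _as_list(scp.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        # A Condition (for example on aws:RequestedRegion) needs manual comparison
        # with the management region and the Regions chosen for stack instances.
        kind = "conditional" if stmt.get("Condition") else "unconditional"
        sid = stmt.get("Sid", "<no Sid>")
        for action in needed:
            if "Action" in stmt:
                hit = _matches(action, _as_list(stmt["Action"]))
            else:  # Deny + NotAction denies everything except the listed actions
                hit = "NotAction" in stmt and not _matches(action, _as_list(stmt["NotAction"]))
            if hit:
                findings.append((action, sid, kind))
    return findings

if __name__ == "__main__":
    for finding in scp_blockers(SAMPLE_SCP):
        print(finding)
```

Only explicit Deny statements are evaluated; the Resource element is ignored, and an allow-list SCP strategy that blocks by omission has to be checked separately.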

What's next?

Head over to How to integrate AWS Organizations to integrate your organization.
