This is an overview of how to integrate and connect your AWS Organizations to the Dynatrace AWS Platform Monitoring.
The guide is intended for a Dynatrace Admin and a delegated administrator for AWS Organizations.
High-level setup
AWS Organizations monitoring configuration: The Dynatrace admin uses Settings to create an organization monitoring configuration targeted at a specific AWS organization ID. The configuration acts as the initial monitoring-setting blueprint for all newly joined AWS member accounts.
Assets sharing: The Dynatrace admin shares the monitoring configuration metadata, as part of a broader set of instructions, with the AWS Organizations delegated admin.
Foundational StackSet: From the delegated administrator member account, the AWS Organizations delegated admin creates the foundational StackSet. They then deploy a stack instance (an actual CFN stack) into the delegated administrator member account, known as the Foundational Account ID.
Core StackSet: From the delegated administrator member account, the AWS Organizations delegated admin creates the core StackSet. They then choose the deployment scope for the stack instances (the entire organization or specific OUs) and deploy the StackSet instances.
What does a successful onboarding look like?
An immediate deployment of the core CFN stack instances into AWS member accounts.
A Healthy AWS connection status (per AWS member account) in Settings.
The new integration does not deploy or use ActiveGate compute resources in your AWS member accounts to poll or push telemetry.
The experience is transparent and fully managed by the Dynatrace platform.
Limitations
GovCloud and China partitions are not supported.
Dynatrace SaaS is designed to support large and complex AWS environments. By default, a Dynatrace environment can accommodate up to 3,000 AWS connections (each connection representing a single AWS account).
This is a soft limit. If you plan to exceed it (per Dynatrace environment), we kindly ask you to open a support request so we can proactively raise the limit and ensure a smooth experience.
If you plan to enable Amazon EventBridge event ingest, validate that the Regions you opt in to during the stack instance deployments support EventBridge API destinations.
General recommendations
We don't recommend onboarding AWS accounts that are actively monitored by our classic AWS integration. Onboarding such accounts increases the likelihood of AWS API throttling, which can result in service interruptions.
We recommend that the AWS admins review the CFN templates and make sure that any SCPs in place do not prevent the stack instances from creating the needed AWS resources.
Concepts
Management region
The AWS management region is a Dynatrace setting (a StackSets parameter) used to enforce a constraint that certain AWS resources are deployed only within a single region boundary. You set this region once and use it during every StackSet creation and stack instance deployment.
It's mandatory to select the same management region during all StackSet creations and stack instance deployments.
Foundational StackSet
The foundational StackSet must be created and deployed first, before the core StackSet.
The foundational StackSet contains AWS resources that, when deployed as a stack instance, allow any member account to resolve the Dynatrace platform tokens from any opted-in AWS account (using a secure cross-account IAM role assumption).
The stack instance will deploy the following resources:
Stack instances: This StackSet should deploy only a single stack instance, in a single designated AWS account. We recommend using the registered delegated administrator account.
Core StackSet
You can create the core StackSet only after the foundational StackSet deployment has completed successfully.
The core StackSet contains AWS resources that, when deployed as a stack instance, are used to connect and register AWS member accounts to the Dynatrace platform.
Once the stack instance has been successfully deployed inside the AWS member account, the result is a Healthy AWS connection in Settings > Accounts.
The stack instance will deploy the following AWS resources (per an AWS member account):
AWS Lambda deployment (management region only)
Dynatrace monitoring IAM role
IAM service roles
Conditional AWS resources (created based on the selected options per AWS member account):
Firehose delivery streams (if log ingest was enabled)
S3 bucket for failed delivery logs backup (if log ingest was enabled)
AWS EventBridge connection (if event ingest was enabled)
AWS EventBridge API destination (if event ingest was enabled)
During the deployment of stack instances, additional AWS resources may be created.
Stack instances: This StackSet is intended to be deployed as multiple stack instances targeting AWS member accounts, scoped by organization ID or organizational unit ID.
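The constraints above (one foundational stack instance in one account, the same management region on every StackSet, and healthy core stack instances in every member account) are easy to get wrong across many accounts. The following added example, not part of the Dynatrace documentation or templates, is a pre-flight checker that runs over constructed dicts shaped like the CloudFormation `DescribeStackSet` and `ListStackInstances` responses; the parameter key `ManagementRegion` and the StackSet names are assumptions, so substitute the keys the actual Dynatrace templates define.

```python
"""Pre-flight checks for Dynatrace AWS Organizations onboarding (added example, not Dynatrace code)."""

# Assumption: the StackSet template exposes the management region under this parameter key.
MGMT_REGION_PARAM = "ManagementRegion"

def stack_set_param(stack_set, key):
    """Return a parameter value from a DescribeStackSet-shaped dict, or None if absent."""
    for p in stack_set.get("Parameters", []):
        if p["ParameterKey"] == key:
            return p["ParameterValue"]
    return None

def check_foundational(instances):
    """Foundational StackSet: exactly one stack instance, in a single account."""
    problems = []
    accounts = {i["Account"] for i in instances}
    if len(instances) != 1:
        problems.append(f"foundational StackSet has {len(instances)} stack instances, expected 1")
    if len(accounts) > 1:
        problems.append(f"foundational StackSet spans accounts {sorted(accounts)}")
    return problems

def check_management_region(stack_sets):
    """Every StackSet must carry the same management region parameter."""
    regions = {name: stack_set_param(ss, MGMT_REGION_PARAM) for name, ss in stack_sets.items()}
    problems = [f"{n}: management region parameter missing" for n, r in regions.items() if r is None]
    if len({r for r in regions.values() if r is not None}) > 1:
        problems.append(f"management region mismatch: {regions}")
    return problems

def check_core_status(instances):
    """Core stack instances should be CURRENT; report OUTDATED/INOPERABLE ones with their reason."""
    return [f"{i['Account']}/{i['Region']}: {i['Status']} ({i.get('StatusReason', '')})"
            for i in instances if i["Status"] != "CURRENT"]

def run_checks(stack_sets, foundational_instances, core_instances):
    """Aggregate all findings into one list; an empty list means the layout is consistent."""
    return (check_foundational(foundational_instances)
            + check_management_region(stack_sets)
            + check_core_status(core_instances))

# Constructed sample data (fake account IDs); the core StackSet deliberately uses a different region.
SAMPLE_STACK_SETS = {
    "dynatrace-foundational": {"Parameters": [{"ParameterKey": MGMT_REGION_PARAM, "ParameterValue": "eu-west-1"}]},
    "dynatrace-core": {"Parameters": [{"ParameterKey": MGMT_REGION_PARAM, "ParameterValue": "us-east-1"}]},
}
SAMPLE_FOUNDATIONAL = [{"Account": "111111111111", "Region": "eu-west-1", "Status": "CURRENT"}]
SAMPLE_CORE = [{"Account": "222222222222", "Region": "eu-west-1", "Status": "CURRENT"},
               {"Account": "333333333333", "Region": "eu-west-1", "Status": "OUTDATED", "StatusReason": "User Initiated"}]

if __name__ == "__main__":
    for problem in run_checks(SAMPLE_STACK_SETS, SAMPLE_FOUNDATIONAL, SAMPLE_CORE):
        print("PROBLEM:", problem)
```

With live data, feed the checker the `Parameters` list from `describe-stack-set` and the `Summaries` list from `list-stack-instances` for each StackSet.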