A single Dynatrace environment allows up to 500 connections. If you need to exceed this limit, contact Dynatrace support for more information.
Use this guide to create a new AWS connection using our public APIs when
Create the programmatic access permission policy. Use this policy statement:

```
ALLOW settings:objects:read, settings:objects:write WHERE settings:schemaId = "builtin:hyperscaler-authentication.connections.aws";
ALLOW extensions:definitions:read, extensions:configurations:read, extensions:configurations:write WHERE extensions:extension-name = "com.dynatrace.extension.da-aws";
```
Create a service user and assign the newly created policy to it.
Create a platform token for the service user and assign it these token scopes:

- `settings:objects:read`
- `settings:objects:write`
- `extensions:definitions:read`
- `extensions:configurations:read`
- `extensions:configurations:write`
Run this command from your bastion:

```shell
curl -X 'POST' \
  'https://${your-environment-url}/platform/classic/environment-api/v2/settings/objects' \
  -H 'accept: application/json; charset=utf-8' \
  -H 'authorization: Bearer ${your-bearer-token}' \
  -H 'Content-Type: application/json; charset=utf-8' \
  -d '[{
    "schemaId": "builtin:hyperscaler-authentication.connections.aws",
    "value": {
      "name": "${connection-name}",
      "type": "awsRoleBasedAuthentication",
      "awsRoleBasedAuthentication": {
        "roleArn": "",
        "consumers": ["SVC:com.dynatrace.da"]
      }
    }
  }]'
```
Do not set any value for `"roleArn": ""` at this point; the role does not exist yet.
| Placeholder | Description |
|---|---|
| `${your-environment-url}` | Your full Dynatrace environment URL, for example, |
| `${your-bearer-token}` | Set the platform settings token you have created as part of the prerequisites. |
| `${connection-name}` | Set the connection name, for example, |
The response should look similar to this:

```json
[
  {
    "code": 200,
    "objectId": "vu9U3hXa3q0AAAABADJidWlsdGluOmh5cGVyc2NhbGVyLWF1dGhlbnRpY2F0aW9uLmNvbm5lY3Rpb25zLmF3cwAGdGVuYW50AAZ0ZW5hbnQAJDMwZTg0YzgyLWNhYm05tYE2Mi1hNDg2LWJhYmFiY2ZlM2NiML7vVN4V2t6t"
  }
]
```
Capture the dynamically generated `objectId` value. It is used as the ExternalId of the IAM monitoring role within the role's trust policy.
If the API call fails, validate that
The IAM monitoring role consists of the following:

| Construct | Description |
|---|---|
| `DynatraceMonitoringPolicy` | First IAM managed policy: AWS service API enumeration for rich metadata (topology) and CloudWatch API permissions. |
| `DynatraceMonitoringPolicy-2` | Second IAM managed policy: additional AWS service API enumeration for rich metadata (topology). |
| `DynatraceMonitoringRole` | Cross-account IAM role that Dynatrace must assume in order for the connection to remain in |
DynatraceMonitoringPolicy IAM policy

Follow the AWS documentation to create the (managed) policy.
Paste this entire JSON block into the policy editor:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TopologyInventory",
      "Effect": "Allow",
      "Action": [
        "account:GetAccountInformation", "acm-pca:ListCertificateAuthorities",
        "aoss:BatchGetCollection", "aoss:ListCollections", "apigateway:GET",
        "apprunner:DescribeAutoScalingConfiguration", "apprunner:DescribeService",
        "apprunner:DescribeVpcConnector", "apprunner:DescribeVpcIngressConnection",
        "apprunner:ListAutoScalingConfigurations", "apprunner:ListServices",
        "apprunner:ListTagsForResource", "apprunner:ListVpcConnectors",
        "apprunner:ListVpcIngressConnections", "athena:GetWorkGroup", "athena:ListWorkGroups",
        "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeWarmPool",
        "bedrock:GetAgent", "bedrock:GetAgentAlias", "bedrock:GetGuardrail",
        "bedrock:GetKnowledgeBase", "bedrock:ListAgentAliases", "bedrock:ListAgents",
        "bedrock:ListGuardrails", "bedrock:ListKnowledgeBases",
        "cloudfront:GetDistribution", "cloudfront:ListDistributions",
        "cloudfront:ListTagsForResource", "cloudhsm:DescribeClusters",
        "cloudtrail:GetEventSelectors", "cloudtrail:GetTrail", "cloudtrail:GetTrailStatus",
        "cloudtrail:ListTrails", "cloudtrail:LookupEvents",
        "dax:DescribeClusters", "dax:DescribeSubnetGroups",
        "directconnect:DescribeConnections", "directconnect:DescribeVirtualInterfaces",
        "dms:DescribeReplicationInstances",
        "dynamodb:DescribeContinuousBackups", "dynamodb:DescribeKinesisStreamingDestination",
        "dynamodb:DescribeTable", "dynamodb:DescribeTimeToLive", "dynamodb:ListTables",
        "ec2:DescribeAddresses", "ec2:DescribeAvailabilityZones", "ec2:DescribeClientVpnEndpoints",
        "ec2:DescribeCustomerGateways", "ec2:DescribeDhcpOptions",
        "ec2:DescribeEgressOnlyInternetGateways", "ec2:DescribeIamInstanceProfileAssociations",
        "ec2:DescribeInstances", "ec2:DescribeInternetGateways",
        "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeLaunchTemplates",
        "ec2:DescribeNatGateways", "ec2:DescribeNetworkAcls", "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRegions", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups",
        "ec2:DescribeSnapshots", "ec2:DescribeSubnets",
        "ec2:DescribeTransitGatewayAttachments", "ec2:DescribeTransitGatewayConnects",
        "ec2:DescribeTransitGatewayMulticastDomains", "ec2:DescribeTransitGatewayRouteTables",
        "ec2:DescribeTransitGateways", "ec2:DescribeVolumes",
        "ec2:DescribeVpcEndpointServiceConfigurations", "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpcs",
        "ec2:DescribeVpnConnections", "ec2:DescribeVpnGateways",
        "ecr-public:DescribeRepositories", "ecr-public:GetRepositoryPolicy",
        "ecr:DescribeRepositories", "ecr:GetRepositoryPolicy",
        "ecs:DescribeCapacityProviders", "ecs:DescribeClusters", "ecs:DescribeContainerInstances",
        "ecs:DescribeServices", "ecs:DescribeTaskDefinition", "ecs:DescribeTasks",
        "ecs:ListClusters", "ecs:ListContainerInstances", "ecs:ListServices",
        "ecs:ListTaskDefinitions", "ecs:ListTasks",
        "eks:DescribeCluster", "eks:DescribeNodegroup", "eks:ListClusters", "eks:ListNodegroups",
        "elasticache:DescribeCacheClusters", "elasticache:DescribeCacheParameterGroups",
        "elasticache:DescribeCacheParameters", "elasticache:DescribeCacheSubnetGroups",
        "elasticache:DescribeServerlessCaches",
        "elasticbeanstalk:DescribeApplications", "elasticbeanstalk:DescribeEnvironmentResources",
        "elasticbeanstalk:DescribeEnvironments",
        "elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargets",
        "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTargetGroupAttributes",
        "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth",
        "es:DescribeDomains", "es:ListDomainNames",
        "events:DescribeEventBus", "events:ListEventBuses",
        "firehose:DescribeDeliveryStream", "firehose:ListDeliveryStreams",
        "iam:GenerateCredentialReport", "iam:GetAccountAuthorizationDetails",
        "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary", "iam:GetCredentialReport",
        "iam:ListAccountAliases", "iam:ListInstanceProfiles", "iam:ListMFADevices",
        "iam:ListServerCertificates", "kafka:ListClustersV2",
        "kms:DescribeKey", "kms:GetKeyRotationStatus", "kms:ListAliases", "kms:ListKeys",
        "lambda:GetAlias", "lambda:GetFunction", "lambda:GetPolicy", "lambda:ListAliases",
        "lambda:ListEventSourceMappings", "lambda:ListFunctions",
        "logs:DescribeLogGroups", "logs:DescribeSubscriptionFilters",
        "mq:DescribeBroker", "mq:DescribeConfiguration", "mq:ListBrokers", "mq:ListConfigurations",
        "organizations:DescribeOrganization",
        "rds:DescribeOptionGroups", "rds:ListTagsForResource",
        "redshift-serverless:ListNamespaces", "redshift-serverless:ListWorkgroups",
        "redshift:DescribeClusterSubnetGroups", "redshift:DescribeClusters", "redshift:DescribeLoggingStatus",
        "route53:GetHostedZone", "route53:ListHealthChecks", "route53:ListHostedZones",
        "s3:GetAccelerateConfiguration", "s3:GetBucketAcl", "s3:GetBucketLogging",
        "s3:GetBucketNotification", "s3:GetBucketPolicy", "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketRequestPayment", "s3:GetBucketVersioning", "s3:GetEncryptionConfiguration",
        "s3:ListAllMyBuckets",
        "sns:GetTopicAttributes", "sns:ListTopics", "sqs:GetQueueAttributes", "sqs:ListQueues",
        "states:DescribeStateMachine", "states:ListStateMachines",
        "storagegateway:DescribeGatewayInformation", "storagegateway:ListGateways",
        "tag:GetResources", "tag:GetTagKeys", "tag:GetTagValues",
        "wafv2:GetWebACL", "wafv2:ListWebACLs"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchMonitoring",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics"
      ],
      "Resource": "*"
    }
  ]
}
```
DynatraceMonitoringPolicy-2 IAM policy

Follow the AWS documentation to create the (managed) policy.
Paste this entire JSON block into the policy editor:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TopologyInventory",
      "Effect": "Allow",
      "Action": [
        "acm:ListCertificates", "airflow:GetEnvironment", "airflow:ListEnvironments",
        "apigateway:GetStage", "appstream:DescribeFleets", "appstream:ListTagsForResource",
        "appsync:ListGraphqlApis",
        "backup:GetBackupPlan", "backup:GetBackupVaultNotifications",
        "backup:ListBackupPlans", "backup:ListBackupVaults",
        "cassandra:GetKeyspace", "cassandra:GetTable", "cassandra:ListKeyspaces",
        "cassandra:ListTables", "cassandra:ListTagsForResource", "cassandra:Select",
        "codebuild:BatchGetProjects", "codebuild:ListProjects",
        "cognito-idp:DescribeUserPool", "cognito-idp:ListUserPools",
        "connect:DescribeInstance", "connect:ListInstanceStorageConfigs", "connect:ListInstances",
        "datasync:DescribeTask", "datasync:ListTasks",
        "ec2:DescribeFlowLogs", "ec2:DescribeIpamPools", "ec2:DescribeIpamScopes", "ec2:DescribeIpams",
        "elasticmapreduce:DescribeCluster",
        "emr-containers:DescribeManagedEndpoint", "emr-containers:DescribeVirtualCluster",
        "emr-serverless:GetApplication", "events:ListRules", "execute-api:GetStage",
        "fsx:DescribeFileSystems", "fsx:DescribeStorageVirtualMachines", "fsx:DescribeVolumes",
        "globalaccelerator:ListAccelerators", "globalaccelerator:ListTagsForResource",
        "glue:GetJobs",
        "kafka:DescribeClusterV2", "kafka:DescribeConfiguration", "kafka:DescribeVpcConnection",
        "kafka:ListConfigurations", "kafka:ListVpcConnections",
        "kafkaconnect:DescribeConnector", "kafkaconnect:ListConnectors",
        "kinesis:DescribeStreamSummary", "kinesis:ListStreams",
        "kinesisanalytics:DescribeApplication", "kinesisanalytics:ListApplications",
        "kinesisanalytics:ListTagsForResource", "logs:DescribeDeliveryDestinations",
        "network-firewall:DescribeFirewall", "network-firewall:DescribeFirewallPolicy",
        "network-firewall:ListFirewallPolicies", "network-firewall:ListFirewalls",
        "rds:DescribeDBClusterSnapshots", "rds:DescribeDBClusters", "rds:DescribeDBInstances",
        "rds:DescribeDBSnapshots", "rds:DescribeDBSubnetGroups",
        "route53:GetHealthCheck", "route53resolver:ListResolverEndpoints", "s3:ListBuckets",
        "sagemaker:DescribeEndpoint", "sagemaker:DescribeFeatureGroup",
        "sagemaker:DescribeInferenceComponent", "sagemaker:DescribeLabelingJob",
        "sagemaker:DescribePipeline", "sagemaker:ListEndpoints", "sagemaker:ListFeatureGroups",
        "sagemaker:ListInferenceComponents", "sagemaker:ListLabelingJobs", "sagemaker:ListPipelines"
      ],
      "Resource": "*"
    }
  ]
}
```
DynatraceMonitoringRole IAM monitoring role

In the AWS Console, create a cross-account IAM role (another AWS account as the trusted entity type).
In Account ID (the originating account, which is the Dynatrace account), set the ID to 314146291599.
Check Require external ID and set it to the `objectId` value you captured earlier (make sure that you set the entire string).
For permissions, search for DynatraceMonitoringPolicy and add the two created (managed) policies (DynatraceMonitoringPolicy, DynatraceMonitoringPolicy-2).
We recommend tagging the role with Dynatrace:EnvironmentID (your Dynatrace environment ID).
Create the role and capture the Role ARN to complete the connection creation.
The role trust policy JSON should look like this example:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::314146291599:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "${objectId}"
        }
      }
    }
  ]
}
```
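The two request bodies and the trust policy above, as an added example that is not part of the Dynatrace documentation: it generates them from the page's values and runs a pre-flight check of the trust policy (principal, `sts:AssumeRole`, and that `sts:ExternalId` equals the captured `objectId`) before the second API call. Function names and the sample inputs are this example's own.

```python
# Added example (not Dynatrace's own code): builds the two request bodies and the
# role trust policy from this page, and checks the trust policy before the second call.
DYNATRACE_AWS_ACCOUNT = "314146291599"   # trusted account ID given on this page
SCHEMA_ID = "builtin:hyperscaler-authentication.connections.aws"
TRUSTED_PRINCIPAL = f"arn:aws:iam::{DYNATRACE_AWS_ACCOUNT}:root"


def connection_body(name, role_arn="", object_id=None):
    """Body for POST .../settings/objects. First call: role_arn="" and no object_id.
    Second call: the objectId from the first response plus the created role's ARN."""
    obj = {"schemaId": SCHEMA_ID,
           "value": {"name": name, "type": "awsRoleBasedAuthentication",
                     "awsRoleBasedAuthentication": {"roleArn": role_arn,
                                                    "consumers": ["SVC:com.dynatrace.da"]}}}
    return [{"objectId": object_id, **obj} if object_id else obj]


def trust_policy(object_id):
    """Trust policy for the cross-account role: only the Dynatrace account may assume
    it, and only when it presents the objectId as sts:ExternalId."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": TRUSTED_PRINCIPAL},
                           "Action": "sts:AssumeRole",
                           "Condition": {"StringEquals": {"sts:ExternalId": object_id}}}]}


def check_trust_policy(policy, object_id):
    """Pre-flight check: returns a list of findings (empty list = policy is correct).
    Besides the objectId/ExternalId mismatch it flags a missing ExternalId condition,
    since without it any caller acting through the trusted account could assume the
    role (confused-deputy risk), and a principal other than the Dynatrace account."""
    findings, assume_seen = [], False
    for i, st in enumerate(policy.get("Statement", [])):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        assume_seen = True
        principal = st.get("Principal", {}).get("AWS")
        if principal != TRUSTED_PRINCIPAL:
            findings.append(f"statement {i}: principal {principal!r} is not the Dynatrace account")
        ext_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif ext_id != object_id:
            findings.append(f"statement {i}: sts:ExternalId {ext_id!r} differs from objectId {object_id!r}")
    if not assume_seen:
        findings.append("no Allow statement for sts:AssumeRole")
    return findings
```

Run `check_trust_policy` against the trust policy you actually attached to the role (for example, the output of `aws iam get-role`) before issuing the second `settings/objects` call.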
Run this command from your bastion (note the comma after the `objectId` field, which the request body requires):

```shell
curl -X 'POST' \
  'https://${your-environment-url}/platform/classic/environment-api/v2/settings/objects' \
  -H 'accept: application/json; charset=utf-8' \
  -H 'authorization: Bearer ${your-bearer-token}' \
  -H 'Content-Type: application/json; charset=utf-8' \
  -d '[{
    "objectId": "${objectId}",
    "schemaId": "builtin:hyperscaler-authentication.connections.aws",
    "value": {
      "name": "${connection-name}",
      "type": "awsRoleBasedAuthentication",
      "awsRoleBasedAuthentication": {
        "roleArn": "${monitoring-role-arn}",
        "consumers": ["SVC:com.dynatrace.da"]
      }
    }
  }]'
```
| Placeholder | Description |
|---|---|
| `${your-environment-url}` | Your full Dynatrace environment URL (for example, |
| `${your-bearer-token}` | Set the Platform Settings token you have created as part of the prerequisites. |
| `${monitoring-role-arn}` | Set the monitoring role ARN captured in the IAM role creation step (for example, |
| `${objectId}` | Set the value of the |
| `${connection-name}` | Set to the same connection name used when creating the connection. |
The response should look similar to this:

```json
[
  {
    "code": 200,
    "objectId": "vu9U3hXa3q0AAAABADJidWlsdGluOmh5cGVyc2NhbGVyLWF1dGhlbnRpY2F0aW9uLmNvbm5lY3Rpb25zLmF3cwAGdGVuYW50AAZ0ZW5hbnQAJDMwZTg0YzgyLWNhYm05tYE2Mi1hNDg2LWJhYmFiY2ZlM2NiML7vVN4V2t6t"
  }
]
```
If the API call fails, verify the following:

- The `objectId` string used in the request is identical to the one set as the role trust policy external ID.

The monitoring configuration API schema is versioned, which allows our platform to introduce new features and improve your experience.
To construct a valid API call, run this API request to get your current active `${APISchemaVersion}`:

```shell
curl -X GET \
  "https://${your-environment-url}/platform/extensions/v2/extensions?filter=name='com.dynatrace.extension.da-aws'&add-fields=activeVersion" \
  -H "Accept: application/json" \
  -H "Authorization: Bearer ${your-bearer-token}"
```
| Placeholder | Description |
|---|---|
| `${your-environment-url}` | Your full Dynatrace environment URL (for example, |
| `${your-bearer-token}` | Set the platform settings token you have created as part of the prerequisites. |
The response should look similar to this:

```json
{
  "items": [
    {
      "extensionName": "com.dynatrace.extension.da-aws",
      "version": "1.0.5",
      "activeVersion": "1.0.0"
    }
  ],
  "totalCount": 1
}
```

Use the `activeVersion` value as the value for `${APISchemaVersion}` in the next step.
Next, run this command from your bastion:

```shell
curl -X POST "https://${your-environment-url}/platform/extensions/v2/extensions/com.dynatrace.extension.da-aws/monitoring-configurations" \
  -H "accept: application/json" \
  -H "Authorization: Bearer ${your-bearer-token}" \
  -H "Content-Type: application/json; charset=utf-8" \
  -d '{
    "scope": "integration-aws",
    "value": {
      "enabled": true,
      "description": "${configuration-name}",
      "version": "${APISchemaVersion}",
      "featureSets": [
        "ApplicationELB_essential", "AutoScaling_essential", "CloudFront_essential",
        "DynamoDB_essential", "EBS_essential", "EC2_essential", "ECS_essential",
        "Firehose_essential", "Lambda_essential", "NetworkELB_essential",
        "RDS_essential", "Route53_essential", "S3_essential", "SQS_essential"
      ],
      "aws": {
        "smartscapeConfiguration": {"enabled": true},
        "deploymentRegion": "${deployment-region}",
        "credentials": [
          {
            "enabled": true,
            "description": "my connection name",
            "connectionId": "${connectionId}",
            "accountId": "${aws-account-id}"
          }
        ],
        "regionFiltering": ["${monitored-region-a}", "${monitored-region-b}", "${monitored-region-n}"],
        "metricsConfiguration": {
          "enabled": true,
          "regions": ["${monitored-region-a}", "${monitored-region-b}", "${monitored-region-n}"]
        },
        "cloudWatchLogsConfiguration": {"enabled": false, "regions": []},
        "configurationMode": "QUICK_START",
        "deploymentScope": "SINGLE_ACCOUNT",
        "deploymentMode": "MANUAL",
        "manualDeploymentStatus": "COMPLETE",
        "automatedDeploymentStatus": "NA"
      }
    }
  }'
```
| Placeholder | Description |
|---|---|
| `${your-environment-url}` | Your full Dynatrace environment URL (for example, |
| `${your-bearer-token}` | Set the platform settings token you have created as part of the prerequisites. |
| `${configuration-name}` | Name of the new monitoring configuration. Use only letters, numbers, and hyphens. It must start with a letter. |
| `${APISchemaVersion}` | Use the latest API schema version. |
| `${connectionId}` | The value of the |
| `${aws-account-id}` | Numeric AWS account ID to monitor (for example, |
| `${monitored-region-a}`, `${monitored-region-b}`, `${monitored-region-n}` | AWS Regions from which you poll CloudWatch metrics and topology (monitored regions) (for example, |
| | Forward-compatibility field. This region list must be identical to |
| | Keep |
| `${deployment-region}` | Deployment region for the CloudFormation stack. The value cannot be empty but is ignored, as CloudFormation deployment is not used in this scenario; set the value to either |
The response should look similar to this:

```json
{
  "objectId": "5c1337ed-ewd9-34e8-9309-f8a20f99cade",
  "code": 201
}
```

For both `regionFiltering` and `metricsConfiguration`, the `us-east-1` region must always be set, as the topology service polls for global AWS resources that reside only in `us-east-1`.
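A pre-flight validator for the monitoring-configuration body above, added here as an example that is not part of the Dynatrace documentation. It builds a body with the same shape as the page's request and checks the constraints the page states: the configuration name character rules, a non-empty `version`, `us-east-1` present in both `regionFiltering` and `metricsConfiguration.regions`, and a non-empty `deploymentRegion`. It assumes (from the placeholder table) that `regionFiltering` and `metricsConfiguration.regions` must be identical lists; the function names and sample values are constructed for this example.

```python
import re

NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")   # letters, digits, hyphens; starts with a letter
GLOBAL_REGION = "us-east-1"                         # where global AWS resources are polled


def monitoring_config(name, version, connection_id, account_id, regions,
                      deployment_region="us-east-1"):
    """Body for POST .../monitoring-configurations, shaped like the page's request
    (feature sets shortened for brevity)."""
    return {"scope": "integration-aws",
            "value": {"enabled": True, "description": name, "version": version,
                      "featureSets": ["EC2_essential", "S3_essential"],
                      "aws": {"smartscapeConfiguration": {"enabled": True},
                              "deploymentRegion": deployment_region,
                              "credentials": [{"enabled": True, "description": name,
                                               "connectionId": connection_id,
                                               "accountId": account_id}],
                              "regionFiltering": list(regions),
                              "metricsConfiguration": {"enabled": True, "regions": list(regions)},
                              "cloudWatchLogsConfiguration": {"enabled": False, "regions": []},
                              "configurationMode": "QUICK_START",
                              "deploymentScope": "SINGLE_ACCOUNT",
                              "deploymentMode": "MANUAL",
                              "manualDeploymentStatus": "COMPLETE",
                              "automatedDeploymentStatus": "NA"}}}


def check_monitoring_config(body):
    """Returns a list of findings (empty list = the body satisfies the page's rules).
    Assumption: regionFiltering and metricsConfiguration.regions must match exactly."""
    findings = []
    value = body.get("value", {})
    aws = value.get("aws", {})
    if not NAME_RE.match(value.get("description", "")):
        findings.append("description: use only letters, numbers and hyphens, starting with a letter")
    if not value.get("version"):
        findings.append("version: set it to the activeVersion returned by the extensions API")
    filt = aws.get("regionFiltering", [])
    metrics = aws.get("metricsConfiguration", {}).get("regions", [])
    if sorted(filt) != sorted(metrics):
        findings.append("regionFiltering and metricsConfiguration.regions must be identical")
    for field, regions in (("regionFiltering", filt), ("metricsConfiguration.regions", metrics)):
        if GLOBAL_REGION not in regions:
            findings.append(f"{field}: {GLOBAL_REGION} must be present for global resources")
    if not aws.get("deploymentRegion"):
        findings.append("deploymentRegion: must not be empty even though it is ignored here")
    for cred in aws.get("credentials", []):
        if not re.fullmatch(r"\d{12}", str(cred.get("accountId", ""))):
            findings.append(f"credentials: accountId {cred.get('accountId')!r} is not a 12-digit AWS account ID")
        if not cred.get("connectionId"):
            findings.append("credentials: connectionId must not be empty")
    return findings
```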