Dynatrace is designed to support large and complex AWS environments. By default, a Dynatrace environment can accommodate up to 3,000 AWS connections (each connection representing a single AWS account).
This is a soft limit. If you plan to exceed it (per Dynatrace environment), please open a support request to increase this limit.
Use this guide to create a new AWS connection using our public APIs when
Run this command from your bastion:
curl -X 'POST' \'https://${your-environment-url}/platform/classic/environment-api/v2/settings/objects' \-H 'accept: application/json; charset=utf-8' \-H 'authorization: Bearer ${your-bearer-token}' \-H 'Content-Type: application/json; charset=utf-8' \-d '[{"schemaId": "builtin:hyperscaler-authentication.connections.aws","value": {"name": "${connection-name}","type": "awsRoleBasedAuthentication","awsRoleBasedAuthentication": {"roleArn": "","consumers": ["SVC:com.dynatrace.da"]}}}]'
Do not set any value for "roleArn": "" at this point.
| Placeholder | Description |
|---|---|
| Your full Dynatrace environment URL, for example, |
| Set the platform settings token you have created as part of the prerequisites. |
| Set the connection name, for example, |
The response should look similar to this:
[{"code": 200,"objectId": "vu9U3hXa3q0AAAABADJidWlsdGluOmh5cGVyc2NhbGVyLWF1dGhlbnRpY2F0aW9uLmNvbm5lY3Rpb25zLmF3cwAGdGVuYW50AAZ0ZW5hbnQAJDMwZTg0YzgyLWNhYm05tYE2Mi1hNDg2LWJhYmFiY2ZlM2NiML7vVN4V2t6t"}]
Capture the dynamically generated objectId value. We'll use this as the value for the IAM monitoring ExternalId within the role's trust policy.
If the API call fails, validate that
The IAM monitoring role consists of the following:
| Construct | Description |
|---|---|
| First IAM managed policy: AWS service API enumeration for rich metadata (topology) and CloudWatch API permissions. |
| Second IAM managed policy: Additional AWS service API enumeration for rich metadata (topology). |
| Cross-account IAM role that Dynatrace must assume in order for the connection to remain in |
DynatraceMonitoringPolicy IAM policyFollow the AWS documentation to create the (managed) policy.
Paste this entire JSON block into the policy editor:
{"Version": "2012-10-17","Statement": [{"Sid": "TopologyInventory","Effect": "Allow","Action": ["account:GetAccountInformation","acm-pca:ListCertificateAuthorities","aoss:BatchGetCollection","aoss:ListCollections","apigateway:GET","apprunner:DescribeAutoScalingConfiguration","apprunner:DescribeService","apprunner:DescribeVpcConnector","apprunner:DescribeVpcIngressConnection","apprunner:ListAutoScalingConfigurations","apprunner:ListServices","apprunner:ListTagsForResource","apprunner:ListVpcConnectors","apprunner:ListVpcIngressConnections","athena:GetWorkGroup","athena:ListWorkGroups","autoscaling:DescribeAutoScalingGroups","autoscaling:DescribeWarmPool","bedrock:GetAgent", "bedrock:GetAgentAlias","bedrock:GetGuardrail", "bedrock:GetKnowledgeBase","bedrock:ListAgentAliases", "bedrock:ListAgents","bedrock:ListGuardrails", "bedrock:ListKnowledgeBases","cloudfront:GetDistribution", "cloudfront:ListDistributions","cloudfront:ListTagsForResource","cloudhsm:DescribeClusters","cloudtrail:GetEventSelectors", "cloudtrail:GetTrail","cloudtrail:GetTrailStatus", "cloudtrail:ListTrails","cloudtrail:LookupEvents","dax:DescribeClusters", "dax:DescribeSubnetGroups","directconnect:DescribeConnections","directconnect:DescribeVirtualInterfaces","dms:DescribeReplicationInstances","dynamodb:DescribeContinuousBackups","dynamodb:DescribeKinesisStreamingDestination","dynamodb:DescribeTable", "dynamodb:DescribeTimeToLive","dynamodb:ListTables","ec2:DescribeAddresses", "ec2:DescribeAvailabilityZones","ec2:DescribeClientVpnEndpoints","ec2:DescribeCustomerGateways", "ec2:DescribeDhcpOptions","ec2:DescribeEgressOnlyInternetGateways","ec2:DescribeIamInstanceProfileAssociations","ec2:DescribeInstances", "ec2:DescribeInternetGateways","ec2:DescribeLaunchTemplateVersions","ec2:DescribeLaunchTemplates", "ec2:DescribeNatGateways","ec2:DescribeNetworkAcls", "ec2:DescribeNetworkInterfaces","ec2:DescribeRegions", "ec2:DescribeRouteTables","ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots","ec2:DescribeSubnets","ec2:DescribeTransitGatewayAttachments","ec2:DescribeTransitGatewayConnects","ec2:DescribeTransitGatewayMulticastDomains","ec2:DescribeTransitGatewayRouteTables","ec2:DescribeTransitGateways", "ec2:DescribeVolumes","ec2:DescribeVpcEndpointServiceConfigurations","ec2:DescribeVpcEndpoints","ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpcs","ec2:DescribeVpnConnections", "ec2:DescribeVpnGateways","ecr-public:DescribeRepositories","ecr-public:GetRepositoryPolicy","ecr:DescribeRepositories", "ecr:GetRepositoryPolicy","ecs:DescribeCapacityProviders", "ecs:DescribeClusters","ecs:DescribeContainerInstances", "ecs:DescribeServices","ecs:DescribeTaskDefinition", "ecs:DescribeTasks","ecs:ListClusters", "ecs:ListContainerInstances","ecs:ListServices", "ecs:ListTaskDefinitions","ecs:ListTasks","eks:DescribeCluster", "eks:DescribeNodegroup","eks:ListClusters", "eks:ListNodegroups","elasticache:DescribeCacheClusters","elasticache:DescribeCacheParameterGroups","elasticache:DescribeCacheParameters","elasticache:DescribeCacheSubnetGroups","elasticache:DescribeServerlessCaches","elasticbeanstalk:DescribeApplications","elasticbeanstalk:DescribeEnvironmentResources","elasticbeanstalk:DescribeEnvironments","elasticfilesystem:DescribeAccessPoints","elasticfilesystem:DescribeFileSystems","elasticfilesystem:DescribeMountTargets","elasticloadbalancing:DescribeListeners","elasticloadbalancing:DescribeLoadBalancerAttributes","elasticloadbalancing:DescribeLoadBalancerPolicies","elasticloadbalancing:DescribeLoadBalancers","elasticloadbalancing:DescribeRules","elasticloadbalancing:DescribeTargetGroupAttributes","elasticloadbalancing:DescribeTargetGroups","elasticloadbalancing:DescribeTargetHealth","es:DescribeDomains", "es:ListDomainNames","events:DescribeEventBus", "events:ListEventBuses","firehose:DescribeDeliveryStream","firehose:ListDeliveryStreams","iam:GenerateCredentialReport","iam:GetAccountAuthorizationDetails","iam:GetAccountPasswordPolicy","iam:GetAccountSummary", "iam:GetCredentialReport","iam:ListAccountAliases", "iam:ListInstanceProfiles","iam:ListMFADevices", "iam:ListServerCertificates","kafka:ListClustersV2","kms:DescribeKey", "kms:GetKeyRotationStatus","kms:ListAliases", "kms:ListKeys","lambda:GetAlias", "lambda:GetFunction","lambda:GetPolicy", "lambda:ListAliases","lambda:ListEventSourceMappings","lambda:ListFunctions","logs:DescribeLogGroups","logs:DescribeSubscriptionFilters","mq:DescribeBroker", "mq:DescribeConfiguration","mq:ListBrokers", "mq:ListConfigurations","organizations:DescribeOrganization","rds:DescribeOptionGroups", "rds:ListTagsForResource","redshift-serverless:ListNamespaces","redshift-serverless:ListWorkgroups","redshift:DescribeClusterSubnetGroups","redshift:DescribeClusters","redshift:DescribeLoggingStatus","route53:GetHostedZone", "route53:ListHealthChecks","route53:ListHostedZones","s3:GetAccelerateConfiguration", "s3:GetBucketAcl","s3:GetBucketLogging", "s3:GetBucketNotification","s3:GetBucketPolicy","s3:GetBucketPublicAccessBlock","s3:GetBucketRequestPayment","s3:GetBucketVersioning","s3:GetEncryptionConfiguration","s3:ListAllMyBuckets","sns:GetTopicAttributes", "sns:ListTopics","sqs:GetQueueAttributes", "sqs:ListQueues","states:DescribeStateMachine","states:ListStateMachines","storagegateway:DescribeGatewayInformation","storagegateway:ListGateways","tag:GetResources", "tag:GetTagKeys","tag:GetTagValues","wafv2:GetWebACL", "wafv2:ListWebACLs"],"Resource": "*"},{"Sid": "CloudWatchMonitoring","Effect": "Allow","Action": ["cloudwatch:GetMetricData","cloudwatch:ListMetrics"],"Resource": "*"}]}
DynatraceMonitoringPolicy-2 IAM policyFollow the AWS docs to create the (managed) policy.
Paste this entire JSON block into the policy editor:
{"Version": "2012-10-17","Statement": [{"Sid": "TopologyInventory","Effect": "Allow","Action": ["acm:ListCertificates","airflow:GetEnvironment", "airflow:ListEnvironments","apigateway:GetStage","appstream:DescribeFleets","appstream:ListTagsForResource","appsync:ListGraphqlApis","backup:GetBackupPlan","backup:GetBackupVaultNotifications","backup:ListBackupPlans", "backup:ListBackupVaults","cassandra:GetKeyspace", "cassandra:GetTable","cassandra:ListKeyspaces", "cassandra:ListTables","cassandra:ListTagsForResource", "cassandra:Select","codebuild:BatchGetProjects", "codebuild:ListProjects","cognito-idp:DescribeUserPool","cognito-idp:ListUserPools","connect:DescribeInstance","connect:ListInstanceStorageConfigs","connect:ListInstances","datasync:DescribeTask", "datasync:ListTasks","ec2:DescribeFlowLogs","ec2:DescribeIpamPools", "ec2:DescribeIpamScopes","ec2:DescribeIpams","elasticmapreduce:DescribeCluster","emr-containers:DescribeManagedEndpoint","emr-containers:DescribeVirtualCluster","emr-serverless:GetApplication","events:ListRules","execute-api:GetStage","fsx:DescribeFileSystems","fsx:DescribeStorageVirtualMachines","fsx:DescribeVolumes","globalaccelerator:ListAccelerators","globalaccelerator:ListTagsForResource","glue:GetJobs","kafka:DescribeClusterV2","kafka:DescribeConfiguration","kafka:DescribeVpcConnection","kafka:ListConfigurations","kafka:ListVpcConnections","kafkaconnect:DescribeConnector","kafkaconnect:ListConnectors","kinesis:DescribeStreamSummary", "kinesis:ListStreams","kinesisanalytics:DescribeApplication","kinesisanalytics:ListApplications","kinesisanalytics:ListTagsForResource","logs:DescribeDeliveryDestinations","network-firewall:DescribeFirewall","network-firewall:DescribeFirewallPolicy","network-firewall:ListFirewallPolicies","network-firewall:ListFirewalls","rds:DescribeDBClusterSnapshots","rds:DescribeDBClusters", "rds:DescribeDBInstances","rds:DescribeDBSnapshots","rds:DescribeDBSubnetGroups","route53:GetHealthCheck","route53resolver:ListResolverEndpoints","s3:ListBuckets","sagemaker:DescribeEndpoint","sagemaker:DescribeFeatureGroup","sagemaker:DescribeInferenceComponent","sagemaker:DescribeLabelingJob","sagemaker:DescribePipeline","sagemaker:ListEndpoints","sagemaker:ListFeatureGroups","sagemaker:ListInferenceComponents","sagemaker:ListLabelingJobs","sagemaker:ListPipelines"],"Resource": "*"}]}
DynatraceMonitoringRole) IAM monitoring roleIn the AWS Console, create a cross account IAM role (another AWS account as the trusted entity type).
In the Account ID (the originating account, which is the Dynatrace account), set the ID to: 314146291599.
Check Require External ID and set the ID to the {objectId} value you captured earlier (make sure that you set the entire string).
For permissions, search for DynatraceMonitoringPolicy and add the two created (managed) policies (DynatraceMonitoringPolicy, DynatraceMonitoringPolicy-2).
We recommend tagging the role with Dynatrace:EnvironmentID (your Dynatrace environment ID).
Create the role and capture the Role ARN to complete the connection creation.
The role trust policy JSON should look like this example:
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"AWS": "arn:aws:iam::314146291599:root"},"Action": "sts:AssumeRole","Condition": {"StringEquals": {"sts:ExternalId": "${objectId}"}}}]}
Run this command from your bastion:
curl -X 'POST' \'https://${your-environment-url}/platform/classic/environment-api/v2/settings/objects' \-H 'accept: application/json; charset=utf-8' \-H 'authorization: Bearer ${your-bearer-token}' \-H 'Content-Type: application/json; charset=utf-8' \-d '[{"objectId": "${objectId}""schemaId": "builtin:hyperscaler-authentication.connections.aws","value": {"name": "${connection-name}","type": "awsRoleBasedAuthentication","awsRoleBasedAuthentication": {"roleArn": "${monitoring-role-arn}","consumers": ["SVC:com.dynatrace.da"]}}}]'
| Placeholder | Description |
|---|---|
| Your full Dynatrace environment URL (for example, |
| Set the Platform Settings token you have created as part of the prerequisites. |
| Set the monitoring role ARN name captured on the IAM Role creation step (for example, |
| Set the value of the |
| Set to the same connection name used when creating the connection. |
The response should look similar to this:
[{"code": 200,"objectId": "vu9U3hXa3q0AAAABADJidWlsdGluOmh5cGVyc2NhbGVyLWF1dGhlbnRpY2F0aW9uLmNvbm5lY3Rpb25zLmF3cwAGdGVuYW50AAZ0ZW5hbnQAJDMwZTg0YzgyLWNhYm05tYE2Mi1hNDg2LWJhYmFiY2ZlM2NiML7vVN4V2t6t"}]
If the API call fails, verify the following:
objectId string used in the request is identical to the one set as the role trust policy external ID.The monitoring configuration API schema is versioned, which allows our platform to introduce new features and improve your experience.
To construct a valid API call, run this API request to get your current active ${APISchemaVersion}:
curl -X GET \"https://${your-environment-url}/platform/extensions/v2/extensions?filter=name='com.dynatrace.extension.da-aws'&add-fields=activeVersion" \-H "Accept: application/json" \-H "Authorization: Bearer ${your-bearer-token}"
| Placeholder | Description |
|---|---|
| Your full Dynatrace environment URL (for example, |
| Set the platform settings token you have created as part of the prerequisites. |
The response should look similar to this:
{"items": [{"extensionName": "com.dynatrace.extension.da-aws","version": "1.0.5","activeVersion": "1.0.0"}],"totalCount": 1}
Use the activeVersion value as the value for ${APISchemaVersion} in the next step.
Next, run this command from your bastion:
curl -X POST "https://${your-environment-url}/platform/extensions/v2/extensions/com.dynatrace.extension.da-aws/monitoring-configurations" \-H "accept: application/json" \-H "Authorization: Bearer ${your-bearer-token}" \-H "Content-Type: application/json; charset=utf-8" \-d '{"scope": "integration-aws","value": {"enabled": true,"description": "${configuration-name}","version": "${APISchemaVersion}","featureSets": ["ApplicationELB_essential","AutoScaling_essential","CloudFront_essential","DynamoDB_essential","EBS_essential","EC2_essential","ECS_essential","Firehose_essential","Lambda_essential","NetworkELB_essential","RDS_essential","Route53_essential","S3_essential","SQS_essential"],"aws": {"smartscapeConfiguration": {"enabled": true},"deploymentRegion": "${deployment-region}","credentials": [{"enabled": true,"description": "my connection name","connectionId": "${connectionId}","accountId": "${aws-account-id}"}],"regionFiltering": ["${monitored-region-a}","${monitored-region-b}","${monitored-region-n}"],"metricsConfiguration": {"enabled": true,"regions": ["${monitored-region-a}","${monitored-region-b}","${monitored-region-n}"]},"cloudWatchLogsConfiguration": {"enabled": false,"regions": []},"configurationMode": "QUICK_START","deploymentScope": "SINGLE_ACCOUNT","deploymentMode": "MANUAL","manualDeploymentStatus": "COMPLETE","automatedDeploymentStatus": "NA"}}}'
| Placeholder | Description |
|---|---|
| Your full Dynatrace environment URL (for example, |
| Set the platform settings token you have created as part of the prerequisites. |
| Name of the new monitoring configuration. Use only letters, numbers, and hyphens. It must start with a letter. |
| Use the latest API schema version. |
| The value fo the |
| Numeric AWS account ID to monitor (for example, |
| AWS Regions from which you poll CloudWatch metrics and topology (monitored regions) (for example, |
| Forward-compatibility field. This region list must be identical to |
| Keep |
| Deployment region. |
The response should look similar to this:
{"objectId": "5c1337ed-ewd9-34e8-9309-f8a20f99cade","code": 201}
For both regionFiltering and metricsConfiguration, the us-east-1 region must always be set, as the topology service polls for global AWS resources that reside only on us-east-1.