Follow this guide to start ingesting data remotely from Amazon CloudWatch.
Its main focus is on infrastructure monitoring of AWS services: Dynatrace monitoring AWS services via CloudWatch.
See What's next? for Full-Stack and Log Monitoring of your AWS services.
After you have established the initial monitoring, you can add, remove, or modify service monitoring using the Dynatrace web UI, at scale, or using the Dynatrace API.
To learn the measurements collected for each of the AWS services, see:
The Amazon Web Services infrastructure monitoring provides metrics from CloudWatch, infrastructure data available via public AWS API, and specific events. The data is collected in five-minute intervals.
Each service monitored by Dynatrace through CloudWatch, as well as log processing and analysis, consumes DDUs.
Amazon may charge you extra for CloudWatch metric queries. For details on these additional costs, please consult Amazon CloudWatch pricing online documentation.
There are three prerequisites for the AWS monitoring setup:
To manage AWS monitoring configuration, you need permissions to read and modify the builtin:cloud.aws
schema.
settings:objects:read
and settings:objects:write
are required.See Manage user permissions with roles for details on how to manage and set permissions.
To monitor Amazon Web services, Dynatrace needs to be able to connect to the Amazon CloudWatch API and query it periodically. At least one ActiveGate needs to be able to connect to Amazon CloudWatch to perform the monitoring tasks. Your ActiveGate needs to be deployed on an EC2 instance and be able to connect to the endpoints listed below.
From Dynatrace version 1.267+, only role-based access can be used. Key-based authorization is no longer available for new credentials. For existing key-based credentials, you can keep using keys indefinitely. We recommend switching to role-based authentication using the dedicated button on the configuration page. Dynatrace automatically checks the configuration to ensure the correct configuration of roles.
Key-based authentication is allowed only for AWS GovCloud and China partitions.
If you're a SaaS customer, an ActiveGate capable of monitoring your AWS account for classic (built-in) supported services is already provided and available within the Dynatrace AWS account.
However, to monitor specific non-default AWS Cloud services or if your AWS account exceeds 2,000 AWS resources, you must install and configure an Environment ActiveGate. Follow the ActiveGate installation guide and resume this guide when done.
You must install and configure an Environment ActiveGate if you want to monitor either or both of the following:
The integration accesses the following AWS API endpoints, so they must be accessible from your ActiveGate:
AWS Security Token Service (AWS STS)
https://sts.amazonaws.com/
AWS STS is a global endpoint by default. When using a regional endpoint, sts.<REGION>.amazonaws.com
needs to be accessible.
See AWS STS Regionalized endpoints in AWS official documentation for the recommended regional STS endpoint configuration.
recommended Use the AWS config
file to configure regional STS endpoint.
AWS Resource Groups Tagging
https://tagging.<REGION>.amazonaws.com/
Amazon CloudWatch
https://monitoring.<REGION>.amazonaws.com/
Amazon EC2
ec2.<REGION>.amazonaws.com
Other endpoints may be required depending on the services you need to monitor.
Consult the tables below for endpoints specific to each service you might want to monitor and for AWS regions supported by Dynatrace AWS Monitoring.
Endpoint | Service |
---|---|
autoscaling.<REGION>.amazonaws.com | Amazon EC2 Auto Scaling (built-in), Amazon EC2 Auto Scaling |
lambda.<REGION>.amazonaws.com | AWS Lambda (built-in), AWS Lambda |
elasticloadbalancing.<REGION>.amazonaws.com | Amazon Application and Network Load Balancer (built-in), Amazon Elastic Load Balancer (ELB) (built-in) |
dynamodb.<REGION>.amazonaws.com | Amazon DynamoDB (built-in), Amazon DynamoDB |
ec2.<REGION>.amazonaws.com | Amazon EBS (built-in), Amazon EC2 (built-in), Amazon EBS, Amazon EC2 Spot Fleet, Amazon VPC NAT Gateways, AWS Transit Gateway, AWS Site-to-Site VPN |
rds.<REGION>.amazonaws.com | Amazon RDS (built-in), Amazon Aurora, Amazon DocumentDB, Amazon Neptune, Amazon RDS |
s3.<REGION>.amazonaws.com | Amazon S3 (built-in) |
acm-pca.<REGION>.amazonaws.com | AWS Certificate Manager Private Certificate Authority |
apigateway.<REGION>.amazonaws.com | Amazon API Gateway |
apprunner.<REGION>.amazonaws.com | AWS App Runner |
appstream2.<REGION>.amazonaws.com | Amazon AppStream |
appsync.<REGION>.amazonaws.com | AWS AppSync |
athena.<REGION>.amazonaws.com | Amazon Athena |
cloudfront.amazonaws.com | Amazon CloudFront |
cloudhsmv2.<REGION>.amazonaws.com | AWS CloudHSM |
cloudsearch.<REGION>.amazonaws.com | Amazon CloudSearch |
codebuild.<REGION>.amazonaws.com | AWS CodeBuild |
datasync.<REGION>.amazonaws.com | AWS DataSync |
dax.<REGION>.amazonaws.com | Amazon DynamoDB Accelerator (DAX) |
dms.<REGION>.amazonaws.com | AWS Database Migration Service (AWS DMS) |
directconnect.<REGION>.amazonaws.com | AWS Direct Connect |
ecs.<REGION>.amazonaws.com | Amazon Elastic Container Service (ECS), Amazon ECS Container Insights |
elasticfilesystem.<REGION>.amazonaws.com | Amazon Elastic File System (EFS) |
eks.<REGION>.amazonaws.com | Amazon Elastic Kubernetes Service (EKS) |
elasticache.<REGION>.amazonaws.com | Amazon ElastiCache (EC) |
elasticbeanstalk.<REGION>.amazonaws.com | AWS Elastic Beanstalk |
elastictranscoder.<REGION>.amazonaws.com | Amazon Elastic Transcoder |
es.<REGION>.amazonaws.com | Amazon Elasticsearch Service (ES) |
events.<REGION>.amazonaws.com | Amazon EventBridge |
fsx.<REGION>.amazonaws.com | Amazon FSx |
gamelift.<REGION>.amazonaws.com | Amazon GameLift |
glue.<REGION>.amazonaws.com | AWS Glue |
inspector.<REGION>.amazonaws.com | Amazon Inspector |
kafka.<REGION>.amazonaws.com | Amazon Managed Streaming for Kafka |
models.lex.<REGION>.amazonaws.com | Amazon Lex |
logs.<REGION>.amazonaws.com | Amazon CloudWatch Logs |
api.mediatailor.<REGION>.amazonaws.com | AWS Elemental MediaTailor |
mediaconnect.<REGION>.amazonaws.com | AWS Elemental MediaConnect |
mediapackage.<REGION>.amazonaws.com | AWS Elemental MediaPackage Live |
mediapackage-vod.<REGION>.amazonaws.com | AWS Elemental MediaPackage Video on Demand |
opsworks.<REGION>.amazonaws.com | AWS OpsWorks |
qldb.<REGION>.amazonaws.com | Amazon QLDB |
redshift.<REGION>.amazonaws.com | Amazon Redshift |
robomaker.<REGION>.amazonaws.com | AWS RoboMaker |
route53.amazonaws.com | Amazon Route 53 |
route53resolver.<REGION>.amazonaws.com | Amazon Route 53 Resolver |
api.sagemaker.<REGION>.amazonaws.com | Amazon SageMaker Endpoints, Amazon SageMaker Endpoint Instances |
sns.<REGION>.amazonaws.com | Amazon Simple Notification Service (SNS) |
sqs.<REGION>.amazonaws.com | Amazon Simple Queue Service (SQS) |
storagegateway.<REGION>.amazonaws.com | AWS Storage Gateway |
swf.<REGION>.amazonaws.com | Amazon SWF |
transfer.<REGION>.amazonaws.com | AWS Transfer Family |
workmail.<REGION>.amazonaws.com | Amazon WorkMail |
workspaces.<REGION>.amazonaws.com | Amazon WorkSpaces |
Region | Region name |
---|---|
us-gov-west-1 | AWS GovCloud (US) |
us-gov-east-1 | AWS GovCloud (US-East) |
us-east-1 | US East (N. Virginia) |
us-east-2 | US East (Ohio) |
us-west-1 | US West (N. California) |
us-west-2 | US West (Oregon) |
eu-west-1 | EU (Ireland) |
eu-west-2 | EU (London) |
eu-west-3 | EU (Paris) |
eu-central-1 | EU (Frankfurt) |
eu-central-2 | EU (Zurich) |
eu-north-1 | EU (Stockholm) |
eu-south-1 | EU (Milan) |
eu-south-2 | EU (Spain) |
ap-east-1 | Asia Pacific (Hong Kong) |
ap-south-1 | Asia Pacific (Mumbai) |
ap-south-2 | Asia Pacific (Hyderabad) |
ap-southeast-1 | Asia Pacific (Singapore) |
ap-southeast-2 | Asia Pacific (Sydney) |
ap-southeast-3 | Asia Pacific (Jakarta) |
ap-southeast-4 | Asia Pacific (Melbourne) |
ap-northeast-1 | Asia Pacific (Tokyo) |
ap-northeast-2 | Asia Pacific (Seoul) |
ap-northeast-3 | Asia Pacific (Osaka) |
sa-east-1 | South America (Sao Paulo) |
cn-north-1 | China (Beijing) |
cn-northwest-1 | China (Ningxia) |
ca-central-1 | Canada (Central) |
ca-west-1 | Canada West (Calgary) |
il-central-1 | Israel (Tel Aviv) |
me-central-1 | Middle East (UAE) |
me-south-1 | Middle East (Bahrain) |
af-south-1 | Africa (Cape Town) |
us-iso-east-1 | US ISO East |
us-isob-east-1 | US ISOB East (Ohio) |
us-iso-west-1 | US ISO West |
The most frequent cause of certificate issues with the TLS interception proxy is a missing proxy's CA certificate in the ActiveGate truststore.
If you're still having proxy issues, see:
Make sure that the URLs are whitelisted. Otherwise, you might get communication or timeout errors.
To perform these steps, you need to have AWS admin privileges.
The AWS monitoring policy defines the minimal scope of permissions you need to give to Dynatrace to monitor the services running in your AWS account. Create it once and use it any time when enabling Dynatrace access to your AWS account. If you don't want to add permissions to all services, and just select permissions for certain services, consult the table below. The table contains a set of permissions that are required for all AWS cloud services, a list of optional permissions specific to that service.
"cloudwatch:GetMetricData"
"cloudwatch:GetMetricStatistics"
"cloudwatch:ListMetrics"
"sts:GetCallerIdentity"
"tag:GetResources"
"tag:GetTagKeys"
"ec2:DescribeAvailabilityZones"
Name | Permissions |
---|---|
All monitored Amazon services required | cloudwatch:GetMetricData ,cloudwatch:GetMetricStatistics ,cloudwatch:ListMetrics ,sts:GetCallerIdentity ,tag:GetResources ,tag:GetTagKeys ,ec2:DescribeAvailabilityZones |
AWS Certificate Manager Private Certificate Authority | acm-pca:ListCertificateAuthorities |
Amazon MQ | |
Amazon API Gateway | apigateway:GET |
AWS App Runner | apprunner:ListServices |
Amazon AppStream | appstream:DescribeFleets |
AWS AppSync | appsync:ListGraphqlApis |
Amazon Athena | athena:ListWorkGroups |
Amazon Aurora | rds:DescribeDBClusters |
Amazon EC2 Auto Scaling | autoscaling:DescribeAutoScalingGroups |
Amazon EC2 Auto Scaling (built-in) | autoscaling:DescribeAutoScalingGroups |
AWS Billing | |
Amazon Keyspaces | |
AWS Chatbot | |
Amazon CloudFront | cloudfront:ListDistributions |
AWS CloudHSM | cloudhsm:DescribeClusters |
Amazon CloudSearch | cloudsearch:DescribeDomains |
AWS CodeBuild | codebuild:ListProjects |
Amazon Cognito | |
Amazon Connect | |
Amazon Elastic Kubernetes Service (EKS) | eks:ListClusters |
AWS DataSync | datasync:ListTasks |
Amazon DynamoDB Accelerator (DAX) | dax:DescribeClusters |
AWS Database Migration Service (AWS DMS) | dms:DescribeReplicationInstances |
Amazon DocumentDB | rds:DescribeDBClusters |
AWS Direct Connect | directconnect:DescribeConnections |
Amazon DynamoDB | dynamodb:ListTables |
Amazon DynamoDB (built-in) | dynamodb:ListTables ,dynamodb:ListTagsOfResource |
Amazon EBS | ec2:DescribeVolumes |
Amazon EBS (built-in) | ec2:DescribeVolumes |
Amazon EC2 API | |
Amazon EC2 (built-in) | ec2:DescribeInstances |
Amazon EC2 Spot Fleet | ec2:DescribeSpotFleetRequests |
Amazon Elastic Container Service (ECS) | ecs:ListClusters |
Amazon ECS Container Insights | ecs:ListClusters |
Amazon ElastiCache (EC) | elasticache:DescribeCacheClusters |
AWS Elastic Beanstalk | elasticbeanstalk:DescribeEnvironments |
Amazon Elastic File System (EFS) | elasticfilesystem:DescribeFileSystems |
Amazon Elastic Inference | |
Amazon Elastic Map Reduce (EMR) | elasticmapreduce:ListClusters |
Amazon Elasticsearch Service (ES) | es:ListDomainNames |
Amazon Elastic Transcoder | elastictranscoder:ListPipelines |
Amazon Elastic Load Balancer (ELB) (built-in) | elasticloadbalancing:DescribeInstanceHealth ,elasticloadbalancing:DescribeListeners ,elasticloadbalancing:DescribeLoadBalancers ,elasticloadbalancing:DescribeRules ,elasticloadbalancing:DescribeTags ,elasticloadbalancing:DescribeTargetHealth |
Amazon EventBridge | events:ListEventBuses |
Amazon FSx | fsx:DescribeFileSystems |
Amazon GameLift | gamelift:ListFleets |
AWS Glue | glue:GetJobs |
Amazon Inspector | inspector:ListAssessmentTemplates |
AWS Internet of Things (IoT) | |
AWS IoT Analytics | |
Amazon Managed Streaming for Kafka | kafka:ListClusters |
Amazon Kinesis Data Analytics | kinesisanalytics:ListApplications |
Amazon Data Firehose | firehose:ListDeliveryStreams |
Amazon Kinesis Data Streams | kinesis:ListStreams |
Amazon Kinesis Video Streams | kinesisvideo:ListStreams |
AWS Lambda | lambda:ListFunctions |
AWS Lambda (built-in) | lambda:ListFunctions ,lambda:ListTags |
Amazon Lex | lex:GetBots |
Amazon Application and Network Load Balancer (built-in) | elasticloadbalancing:DescribeInstanceHealth ,elasticloadbalancing:DescribeListeners ,elasticloadbalancing:DescribeLoadBalancers ,elasticloadbalancing:DescribeRules ,elasticloadbalancing:DescribeTags ,elasticloadbalancing:DescribeTargetHealth |
Amazon CloudWatch Logs | logs:DescribeLogGroups |
AWS Elemental MediaConnect | mediaconnect:ListFlows |
AWS Elemental MediaConvert | mediaconvert:DescribeEndpoints |
AWS Elemental MediaPackage Live | mediapackage:ListChannels |
AWS Elemental MediaPackage Video on Demand | mediapackage-vod:ListPackagingConfigurations |
AWS Elemental MediaTailor | mediatailor:ListPlaybackConfigurations |
Amazon VPC NAT Gateways | ec2:DescribeNatGateways |
Amazon Neptune | rds:DescribeDBClusters |
AWS OpsWorks | opsworks:DescribeStacks |
Amazon Polly | |
Amazon QLDB | qldb:ListLedgers |
Amazon RDS | rds:DescribeDBInstances |
Amazon RDS (built-in) | rds:DescribeDBInstances ,rds:DescribeEvents ,rds:ListTagsForResource |
Amazon Redshift | redshift:DescribeClusters |
Amazon Rekognition | |
AWS RoboMaker | robomaker:ListSimulationJobs |
Amazon Route 53 | route53:ListHostedZones |
Amazon Route 53 Resolver | route53resolver:ListResolverEndpoints |
Amazon S3 | s3:ListAllMyBuckets |
Amazon S3 (built-in) | s3:ListAllMyBuckets |
Amazon SageMaker Batch Transform Jobs | |
Amazon SageMaker Endpoint Instances | sagemaker:ListEndpoints |
Amazon SageMaker Endpoints | sagemaker:ListEndpoints |
Amazon SageMaker Ground Truth | |
Amazon SageMaker Processing Jobs | |
Amazon SageMaker Training Jobs | |
AWS Service Catalog | |
Amazon Simple Email Service (SES) | |
Amazon Simple Notification Service (SNS) | sns:ListTopics |
Amazon Simple Queue Service (SQS) | sqs:ListQueues |
AWS Systems Manager - Run Command | |
AWS Step Functions | |
AWS Storage Gateway | storagegateway:ListGateways |
Amazon SWF | swf:ListDomains |
Amazon Textract | |
AWS IoT Things Graph | |
AWS Transfer Family | transfer:ListServers |
AWS Transit Gateway | ec2:DescribeTransitGateways |
Amazon Translate | |
AWS Trusted Advisor | |
AWS API Usage | |
AWS Site-to-Site VPN | ec2:DescribeVpnConnections |
AWS WAF Classic | |
AWS WAF | |
Amazon WorkMail | workmail:ListOrganizations |
Amazon WorkSpaces | workspaces:DescribeWorkspaces |
To get the information required for comprehensive AWS cloud-computing monitoring, you have to authorize Dynatrace to access your Amazon metrics. Dynatrace will identify all the virtualized infrastructure components in your AWS environment and collect performance metrics related to those components.
Next, select the deployment model that best describes your environment and follow the procedure for that model.
Dynatrace SaaS needs a role-based monitoring access to your AWS account.
You won't be able to monitor non-default AWS cloud services without an AWS-hosted Environment ActiveGate.
You will need:
To create role-based access
Download a YAML file with CloudFormation template from cloud-snippets/role_based_access_no_AG_template.yml.
Create the stack in your Amazon Console:
To create the stack using the CLI, run the command below, making sure to replace the parameter values with your actual values.
You also need to remove the angle brackets (<
and >
).
aws cloudformation create-stack \--capabilities CAPABILITY_NAMED_IAM \--stack-name <stack_name> \--template-body <file:///home/user/template_file.yaml> \--parameters ParameterKey=ExternalID,ParameterValue=<external_id> ParameterKey=RoleName,ParameterValue=<role_name> ParameterKey=PolicyName,ParameterValue=<policy_name>
Only for AWS GovCloud and China partitions is key-based authentication allowed.
In this scenario you have to create an AWS monitoring policy and generate a key pair with that policy.
AWS Identity and Access Management (IAM) permission boundaries may deny AWS actions required by Dynatrace. If you use IAM permission boundary on your AWS account, make sure that actions from policy are allowed in all AWS regions within permission boundary.
To create the AWS monitoring policy
{"Version": "2012-10-17","Statement": [{"Sid": "VisualEditor0","Effect": "Allow","Action": ["acm-pca:ListCertificateAuthorities","apigateway:GET","apprunner:ListServices","appstream:DescribeFleets","appsync:ListGraphqlApis","athena:ListWorkGroups","autoscaling:DescribeAutoScalingGroups","cloudformation:ListStackResources","cloudfront:ListDistributions","cloudhsm:DescribeClusters","cloudsearch:DescribeDomains","cloudwatch:GetMetricData","cloudwatch:GetMetricStatistics","cloudwatch:ListMetrics","codebuild:ListProjects","datasync:ListTasks","dax:DescribeClusters","directconnect:DescribeConnections","dms:DescribeReplicationInstances","dynamodb:ListTables","dynamodb:ListTagsOfResource","ec2:DescribeAvailabilityZones","ec2:DescribeInstances","ec2:DescribeNatGateways","ec2:DescribeSpotFleetRequests","ec2:DescribeTransitGateways","ec2:DescribeVolumes","ec2:DescribeVpnConnections","ecs:ListClusters","eks:ListClusters","elasticache:DescribeCacheClusters","elasticbeanstalk:DescribeEnvironmentResources","elasticbeanstalk:DescribeEnvironments","elasticfilesystem:DescribeFileSystems","elasticloadbalancing:DescribeInstanceHealth","elasticloadbalancing:DescribeListeners","elasticloadbalancing:DescribeLoadBalancers","elasticloadbalancing:DescribeRules","elasticloadbalancing:DescribeTags","elasticloadbalancing:DescribeTargetHealth","elasticmapreduce:ListClusters","elastictranscoder:ListPipelines","es:ListDomainNames","events:ListEventBuses","firehose:ListDeliveryStreams","fsx:DescribeFileSystems","gamelift:ListFleets","glue:GetJobs","inspector:ListAssessmentTemplates","kafka:ListClusters","kinesis:ListStreams","kinesisanalytics:ListApplications","kinesisvideo:ListStreams","lambda:ListFunctions","lambda:ListTags","lex:GetBots","logs:DescribeLogGroups","mediaconnect:ListFlows","mediaconvert:DescribeEndpoints","mediapackage-vod:ListPackagingConfigurations","mediapackage:ListChannels","mediatailor:ListPlaybackConfigurations","opsworks:DescribeStacks","qldb:ListLedgers","rds:DescribeDBClusters","rds:DescribeDBInstances","rds:DescribeEvents","rds:ListTagsForResource","redshift:DescribeClusters","robomaker:ListSimulationJobs","route53:ListHostedZones","route53resolver:ListResolverEndpoints","s3:ListAllMyBuckets","sagemaker:ListEndpoints","sns:ListTopics","sqs:ListQueues","storagegateway:ListGateways","sts:GetCallerIdentity","swf:ListDomains","tag:GetResources","tag:GetTagKeys","transfer:ListServers","workmail:ListOrganizations","workspaces:DescribeWorkspaces"],"Resource": "*"}]}
You'll need to generate an Access key and a Secret access key that Dynatrace can use to get metrics from Amazon Web Services.
Terraform templates are an alternative way of creating and configuring AWS roles. For detailed instructions on how to create AWS roles with Terraform, see Configuring AWS role-based access with Terraform
You can create, activate, and manage multiple monitoring connections. Each connection is defined by the credentials and/or access tokens required for Dynatrace to be able to pull in the data.
Allowing for multiple connections and configurations makes it possible to monitor even extremely complex environments. With such an approach, you don't need to configure everything at once. Instead, you can gradually add monitoring configurations to your existing setup. Such an architecture also makes it easy to react to the dynamic changes of the monitored environment, without needing to reconfigure the unaffected elements.
If you've followed all the prior steps, you're ready to configure Amazon Web Services monitoring.
To add a new AWS connection
After Dynatrace connects to your AWS environment, it immediately starts monitoring selected AWS services. Classic (formerly "built-in") AWS metrics lists the metrics of AWS cloud services monitored by default.
In addition to AWS services, it's also possible to monitor all other AWS cloud services. AWS cloud services are enabled for monitoring per AWS connection.
To add a service to monitoring:
You can add multiple cloud services by repeating the steps above.
After you add a service, Dynatrace automatically starts collecting a set of metrics for this particular service.
Recommended metrics:
Apart from the recommended metrics, most services have the possibility of enabling optional metrics that can be added and configured manually.
To see the complete list of AWS cloud services and learn about the metrics collected for each of them, see All AWS cloud services.
Alternatively, you can check the list of supported AWS Services within in-product Dynatrace Hub (search for AWS) or in the web version of Dynatrace Hub.
After you select the cloud services and save your changes, monitoring of the newly added services starts automatically.
Within minutes, you'll see the data on your dashboards.
To see the core measurements per each of the AWS connections
You can also build your own dashboard from the metrics collected for your AWS instances. For details on building dashboards, see Dashboards Classic.
Dynatrace OneAgent offers unparalleled depth of insight into hosts, containers, and code. To learn more, see Set up Dynatrace on Amazon Web Services.
After you set up AWS monitoring, you can:
This method of monitoring does not require an ActiveGate. Dynatrace integration with Amazon CloudWatch Metric Streams provides a simple and safe way to ingest AWS metrics. Amazon CloudWatch Metric Streams allows all metrics issued in a given AWS region to be streamed through Kinesis Firehose to the Dynatrace API. For details, see Amazon CloudWatch Metric Streams.
It is also possible to trace AWS Lambda .NET Core functions with OpenTelemetry .NET.