Manage your AWS connections

  • Latest Dynatrace
  • How-to guide
  • Published Aug 29, 2025

Once you have successfully onboarded your AWS environments, it becomes a Healthy AWS connection.

Manage an existing AWS connection

The AWS connections table in Settings Settings > Cloud and virtualization > AWS is your cockpit for managing all the AWS connections. The Filter all columns field allows you to swiftly filter connections. Example: enter Healthy and it will retrieve all connections with Healthy status. Select a connection to explore it further by accessing the details window with the Overview and Health tabs.

Overview tab

The Overview tab allows you to explore the following:

  • Telemetry signal charts that showcase the status of signal ingest over time (simple count). Example: you’ve just enabled new AWS services for metric ingest, the expected result should be an increase in the metrics count over the last hour.
  • The AWS connection metadata in the form of a "properties" field-based table. It also allows you to rename the connection name to meet naming convention policies.
  • Fully manage the connection’s monitoring configuration settings.

Customize your monitoring settings

To customize your monitoring settings, select Manage in the upper-right corner of the overview window.

Your current settings depend on your onboarding path.

In this window, you can customize the supported settings to reach your desired state:

  • Monitored Regions: select single/multiple region(s) to poll metrics and topology from.
Required

The us-east-1 region must be selected. The topology service polls for global AWS resources which only reside on us-east-1.

  • CloudWatch metrics: opt-in/out for CloudWatch metric polling from native AWS services and set their metric collection sets.

    • Enabling services will schedule our metric poller to fetch CloudWatch metrics (at 5-minute intervals).

  • Advanced Settings unlock advanced metric ingest use-cases.

  • CloudWatch Logs (ingested via Amazon Data Firehose): The changes to push-based signals can only be made by updating the primary CloudFormation stack in the AWS Console.

  • Tag enrichment: Set AWS tags (only key names) that will be used to enrich entities (nodes) and signals (max length for tag key name is 23 charecters)

Tag key names will be tranformed and stored using the following platform logic:

  • Tag key names: will use the following naming convention for metadata enrichment: aws.tags.<tag key name>:<tag value>. Example: aws.tags.env:prod.
  • Tag key names: the key will be lowercased. Example: My ENV:Prod 5 changes into my_env:Prod 5.
  • Tag key names: any character that are not digits, ASCII letters, dots or underscores will be stripped. Example: $pec!@l_ch@R@ct3r$[&]:Prod 5 changes into aws.tags.pecl_chrct3r:Prod 5
  • Tag key names: Whitespace in key will be converted to underscore. Example: My ENV:Prod 5 changes into my_env:Prod 5.
  • Tag values: are not effected and should be stored and accessed as originally set.
Tags propagation time
  • Changes in tag enrichment settings can take up to 15 minutes to propagate. Consider the propogation times when using tags for business, operational, or governance use cases.
  • Max of 20 Tag keys are currently supported.

  • Tag-based filters: Filter metrics and topology signals using AWS tag pairs (key + value). Tag-based filters instruct our telemetry poll services (metrics, topology) to filter in/out signals for ingest. effective filtered signals are only ones which are signals in context (linkable to their entity).

    Example: adding monitoring==no (where '==' acts as the key/value seperator) as an exclude filter, will attempt to filter out all signals which its linked AWS resources are tagged with monitoring==no. This allows a fine-grained control for telemetry signal ingest, and may also support governance and compliance use-cases.

Filter implication
  • Tag-based filters apply to both metric ingest and topology ingest signals.
  • Max of 5 Tag key pairs are currently supported for include or exclude.

  • Dynatrace attribute enrichment: This feature unlocks advanced platform (current and future) use cases. It allows the enriching of signals with well-known Dynatrace attributes that will support use cases such as fine-grained permissions.

    In addition to literal values (custom arbitrary user tags), the integration supports the setting of an AWS tag key name, which will resolve to the tag value at runtime. Those capabilities are powered by primary Grail tags.

Tags/literals propagation time

When setting a literal or an AWS tag, changes can take up to 15 minutes to propagate.

Health tab

Select a connection to access the details window and switch to the Health tab.

Connection status types

The connection Health tab provides a quick view on the connection health status. The purpose of this tab is to allow rapid troubleshooting for connection service interruptions. There are several connection status types:

  • Pending: During onboarding, the connection will be in the Pending status. Pending means that the connection awaits an acknowledgment from the CloudFormation deployment. The ACK can mark the connection as either Healthy or Unhealthy.
  • Healthy: This status reflects that the Dynatrace SaaS platform was able to successfully assume the AWS IAM role inside the connection’s AWS account. It does not necessarily mean that signals are successfully polled/pushed/ingested.
  • Unhealthy: This status reflects that the Dynatrace SaaS platform was/is unable to successfully assume the AWS IAM role inside the connection’s AWS account. This status means that the connection is not functioning correctly.

    Push-based telemetry (Firehose Logs, EventBridge Events) might still work in this case, as they do not depend on AWS IAM permission.

  • Inactive: This is a user-generated status; connections can be disabled by the user. When a connection transitions to Inactive status, all poll-based signals ingest is suspended. It is not possible to change any monitoring settings or gauge the current Health status of a connection while in this status.

Push-based signals will still get pushed, ingest and stored in this case, as they do not depend on the AWS IAM Monitoring role.

AWS IAM authentication and authorization

A Healthy connection is defined as a success to assume the connection’s monitoring IAM role. When transitioning to Unhealthy status, the errors count are depicted on the relevant IAM chart, error events are logged (as grail events) into the log section (below the graphs).

At times, the monitoring AWS IAM role may drift from our latest IAM policy permissions requirements. We have designed the integration to depict #Warning on the relevant IAM chart and log Warning event to the log section.

Missing IAM policy permissions do not impact the connection status, but will impact functionality.

The warning events are verbose in nature and will allow you to learn which IAM policy permission(s) are missing, It is recommended not to add those manually. Priodically, check the our connection update page to learn if new cloudformation stack is available, allowing you to update the stack.

If an AWS resource has an explicit deny in an IAM resource-based policy, you can see warning events even if the IAM role has all the required permissions.

Delete a connection

AWS Organizations

Follow this section steps only if you have onboarded your AWS accounts as standalone (single) accounts.

Organization member connections type AWS accounts should not delete the CloudFormation stack nor the connection record in Settings Settings.

Any changes to member account should always carried out by the AWS Organizations delegated admin.

Connections may need to be deleted and/or re-created. To completely delete a connection:

In the AWS Console

  1. Log in to your AWS CloudFormation Console and identify the main deployed stack—this can be done with filtering the stack using the connection name (the connection name will be the primary stack name).
  2. Make sure that you only delete the main stack (MyEastProd3Account in our example); the linked nested stacks should be deleted automatically. At times, you may need to "hard" delete; follow the AWS recommendations.

In Dynatrace

  1. Go to Settings Settings > Cloud and virtualization > AWS to access all the AWS connections.
  2. Find and select the connection action menu on the right.
  3. Select Delete.
Cleanup

Deleted connection from the Dynatrace Settings Settings does not delete any AWS resources created during our onboarding process. To avoid charges from AWS, follow the instructions from the In the AWS Console section above on how to complete the cleanup of any remaining AWS resources.

Disable a connection

You might face use cases that require disabling a connection:

  • Sudden API throttling due to multiple AWS API consumers.
  • Sudden rise in signals ingest count that cannot be attributed to configuration changes.
  • Request from a Dynatrace support specialist, for troubleshooting purposes.
  • Suspend the connection due to maintenance work on the AWS account.

If you disable a connection, its status will change into Inactive. A disabled connection in Inactive status does NOT delete existing data points or any configurations. It only suspends the connection.

To disable a connection:

  1. Go to Settings Settings > Cloud and virtualization > AWS to access all AWS connections.
  2. Find and select the connection action menu on the right.
  3. Select Disable.

To resume the suspended connection

  1. Go to Settings Settings > Cloud and virtualization > AWS to access all AWS connections.
  2. Find and select the connection action menu on the right.
  3. Select Enable.

Connections that are in an Inactive status are still subject to the ingest of push-based telemetry (such as Firehose Logs, EventBridge events).

Paths and customizations

Applicable: Auto-enabled (not possible to disable/configure)

Can be configured in Dynatrace: Fully customizable

Path/Signal

Onboarding2/Recommended path

Onboarding3/Advanced path

Management path4

CloudWatch metrics (poll-based)

Applicable

Can be configured in Dynatrace

Can be configured in Dynatrace

CloudWatch Logs (push-based)

Applicable

Can be configured in Dynatrace

Can be configured in Dynatrace

AWS events (push-based, EventBridge)

Not applicable

Not applicable

Can be configured in Dynatrace

Topology1 (poll-based)

Applicable

Applicable

Applicable

Monitoring settings customization

AWS Regions only

Can be configured in Dynatrace

Can be configured in Dynatrace

1

Topology is core auto-enabled signal in all paths; it's not possible to disable it.

2

The Recommended path auto-enables signals with customizations possible after a successful onboarding.

3

The Advanced path allows you to customize most of the signals as well as monitoring settings while onboarding.

4

In connection management, it's possible to customize all supported monitoring settings features.

Related tags
Infrastructure Observability