Update AWS connections

  • Latest Dynatrace
  • How-to guide

Dynatrace regularly expands its AWS resource type coverage for topology monitoring. This means we periodically make additional AWS API calls to collect topology data for newly supported resource types.

Because the AWS IAM policy for the Dynatrace Integration IAM role is scoped to only the permissions required (following AWS IAM security best practices), you’ll need to update the CloudFormation stack over time to grant this role any new IAM permissions in your AWS account(s).

To ensure you receive topology data for all supported resource types, please update your CloudFormation stacks to the latest version. When we release an update, we will include the release notes and instructions on how to update.

Standalone (single) AWS accounts

Latest templates set v1.0.7

Core CFN stacks

  • Main deployment stack
    • Nested API client stack
    • Nested integration stack
    • Nested Monitoring IAM role stack

Conditional (nested) CFN stacks

Deployed based on user opt-in during onboarding

  • Nested StackSet roles
  • Nested Firehose Log streams stack
  • Nested AWS EventBridge integration stack

AWS resources created by the CloudFormation templates

Level 1: Main template resources (da-aws-activation.yaml)

Direct resources created in deployment region:

  1. DynatraceApiClientStack (AWS::CloudFormation::Stack)

    • Nested stack that creates API client function (Dynatrace API interaction, create/delete connection)
    • Reference: da-aws-nested-dt-api-function.yaml
  2. ReportStartedStatusResource (Custom::DynatraceApiAccessFunction)

    • Custom resource to report deployment start status to Dynatrace
  3. DynatraceIntegrationStack (AWS::CloudFormation::Stack)

    • Nested stack for core integration
    • Reference: da-aws-nested-integration.yaml
  4. DynatraceStackSetRoleStack (AWS::CloudFormation::Stack)

    • Conditional: Only created if log or event ingest is enabled
    • Creates StackSet administration and execution roles
    • Reference: da-aws-nested-stackset-role.yaml
  5. DynatraceLogIngestStackSet (AWS::CloudFormation::StackSet)

    • Conditional: Only if pDtLogsIngestEnabled = 'TRUE'
    • Deploys log ingestion infrastructure to specified regions
    • Reference: da-aws-stack-logs.yaml
  6. DynatraceEventIngestStackSet (AWS::CloudFormation::StackSet)

    • Conditional: Only if pDtEventsIngestEnabled = 'TRUE'
    • Deploys event ingestion infrastructure to specified regions
    • Reference: da-aws-stack-events.yaml
  7. ReportCompleteStatusResource (Custom::DynatraceApiAccessFunction)

    • Custom resource to report deployment completion status to Dynatrace

Level 2: Nested stack resources

From DynatraceApiClientStack (da-aws-nested-dt-api-function.yaml)—expected resources:

  • Lambda Function: Dynatrace API client function
  • IAM Role: Lambda execution role
  • Secrets Manager Secret: Storage for Dynatrace API token
  • KMS Key (Conditional): Customer Managed Key if pUseCMK = 'TRUE'
  • KMS Alias (Conditional): Alias for the CMK
  • Lambda Log Group: CloudWatch Logs for the Lambda function

From DynatraceIntegrationStack (da-aws-nested-integration.yaml)—expected resources:

  • IAM Role: Dynatrace monitoring role with trust relationship to Dynatrace account
  • IAM Policy: Monitoring permissions policy
  • Custom Resource: To establish connection with Dynatrace

From DynatraceStackSetRoleStack (da-aws-nested-stackset-role.yaml)—expected resources:

  • IAM Role: StackSet administration role
  • IAM Role: StackSet execution role
  • IAM Policies: Attached to both roles

Level 3: Deployed core resources (management region)

Minimum resources (no log/event ingest enabled), deployed only in a single region (management region):

  • Two custom resources: Report deployment start and finish status
  • Lambda function + IAM roles + Secrets Manager: Create/delete the connection and store Dynatrace platform tokens in Secrets Manager
  • Dynatrace monitoring IAM role: Dynatrace monitoring role with trust relationship to Dynatrace account

Level 4: StackSet-deployed resources (conditional per region)

From DynatraceLogIngestStackSet (da-aws-stack-logs.yaml); deployed to each region in pDtLogsIngestRegions list. Expected resources per region:

  • Kinesis Data Firehose Delivery Stream: For log forwarding to Dynatrace
  • IAM Role: Firehose delivery role
  • S3 Bucket: Backup/buffer bucket for failed deliveries
  • Secrets Manager Secret: Dynatrace ingest token storage
  • KMS Key (conditional): If pUseCMK = 'TRUE'

From DynatraceEventIngestStackSet (da-aws-stack-events.yaml); deployed to each region in pDtEventsIngestRegions list. Expected resources per region:

  • EventBridge Rule: To capture AWS events
  • EventBridge API Destination: Dynatrace endpoint
  • EventBridge Connection: Authentication for API destination
  • IAM Role: EventBridge execution role
  • Secrets Manager Secret: Dynatrace ingest token storage

CloudFormation template set major versions

v0.x.x: Introduced at the release of the AWS Platform Monitoring Preview Program and is no longer supported.

v1.x.x: v1 is a long-term supported version, considered the default for all newly created AWS connections as of the General Availability of the AWS Cloud Platform Monitoring.

How do I get the template set version?

  1. Open the CloudFormation console https://awsRegion.console.aws.amazon.com/cloudformation/home?region=awsRegion#/stacks.

    Make sure to change awsRegion to the region where your current connection's CloudFormation stacks are deployed.

  2. Locate the (root) stack. The stack name should be identical to the connection name, for example, MyEastProd3Account.

  3. Select the Template tab to locate the Metadata/Version/Number and examine the value, for example, v1.0.0.

    AWS connections deployed with template set version v0.x.x are no longer supported and do not support an in-place upgrade. In those cases, we recommend deleting the connection and recreating it, which will pick up the current latest version.
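
The version check above can be scripted when there are many connections to review. The following is an added example, not Dynatrace code: it reads Metadata/Version/Number from a YAML template body (for instance, one copied from the Template tab) and maps it to the action this page prescribes. The YAML layout of the sample and the names `template_version` and `update_path` are assumptions.

```python
import re

LATEST = "v1.0.7"  # latest template set version listed on this page

# Constructed sample. The YAML layout of Metadata/Version/Number is an assumption.
SAMPLE_TEMPLATE = """\
Resources:
  Example:
    Type: AWS::CloudFormation::WaitConditionHandle
    Metadata:
      Version:
        Number: v9.9.9  # resource-level metadata, must be ignored
Metadata:
  Version:
    Number: 'v1.0.2'
"""

def template_version(body):
    """Return the top-level Metadata/Version/Number value of a YAML template, or None."""
    stack = []  # (indent, key) of the mapping keys enclosing the current line
    for raw in body.splitlines():
        m = re.match(r"^( *)([A-Za-z0-9_]+):\s*(.*)$", raw.split(" #", 1)[0].rstrip())
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()  # left that block
        stack.append((indent, key))
        if [k for _, k in stack] == ["Metadata", "Version", "Number"]:
            return value.strip("'\"") or None
    return None

def _parse(version):
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version or "")
    return tuple(int(p) for p in m.groups()) if m else None

def update_path(deployed, latest=LATEST):
    """Map a deployed template set version to the action this page prescribes."""
    have, want = _parse(deployed), _parse(latest)
    if have is None or want is None:
        return "unknown"    # no readable version: inspect the root stack by hand
    if have[0] == 0:
        return "recreate"   # v0.x.x: no in-place upgrade, delete and recreate the connection
    if have[0] != want[0]:
        return "unknown"    # a major version this page does not describe
    if have < want:
        return "update"     # v1.x.x: update the root stack straight to the latest version
    return "current"

if __name__ == "__main__":
    found = template_version(SAMPLE_TEMPLATE)
    print(found, "->", update_path(found))
```

The version number alone does not reveal whether a template was customized, so a result of `update` still assumes the deployed templates are unmodified.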

Release notes (standalone AWS accounts CFN template sets)

Template set version 1.0.7

Core CFN stacks v1.0.7

Fixed a bug that caused KMS permissions to be insufficient for the Firehose logs integration:

  • Main deployment stack
    • Nested API client stack
    • Nested integration stack
    • Nested Monitoring IAM role stack

Conditional (nested) CFN stacks v1.0.7

Deployed based on user opt-in during onboarding:

  • Nested StackSet roles
  • Nested Firehose Log streams stack
  • Nested AWS EventBridge integration stack

Template set version 1.0.6

Core CFN stacks v1.0.6

Fixed an issue where the stack fails to roll back due to an invalid settings token:

  • Main deployment stack
    • Nested API client stack
    • Nested integration stack
    • Nested Monitoring IAM role stack

Conditional (nested) CFN stacks v1.0.6

Deployed based on user opt-in during onboarding:

  • Nested StackSet roles
  • Nested Firehose Log streams stack
  • Nested AWS EventBridge integration stack

Template set version 1.0.5

Core CFN stacks v1.0.5

Removed unused IAM permissions:

  • Main deployment stack
    • Nested API client stack
    • Nested integration stack
    • Nested Monitoring IAM role stack

Conditional (nested) CFN stacks v1.0.5

Deployed based on user opt-in during onboarding:

  • Nested StackSet roles
  • Nested Firehose Log streams stack
  • Nested AWS EventBridge integration stack

Template set version 1.0.4

Core CFN stacks v1.0.4

Removed unused IAM permissions:

  • Main deployment stack
    • Nested API client stack
    • Nested integration stack
    • Nested Monitoring IAM role stack

Conditional (nested) CFN stacks v1.0.4

Deployed based on user opt-in during onboarding:

  • Nested StackSet roles
  • Nested Firehose Log streams stack
  • Nested AWS EventBridge integration stack

Template set version 1.0.3

Added URL validation in Lambda function:

Core CFN stacks v1.0.3

  • Main deployment stack
    • Nested API client stack
    • Nested integration stack
    • Nested Monitoring IAM role stack

Conditional (nested) CFN stacks v1.0.3

Deployed based on user opt-in during onboarding:

  • Nested StackSet roles
  • Nested Firehose Log streams stack
  • Nested AWS EventBridge integration stack

Template set version 1.0.2

Updated parameter description:

Core CFN stacks v1.0.2

  • Main deployment stack
    • Nested API client stack
    • Nested integration stack
    • Nested Monitoring IAM role stack

Conditional (nested) CFN stacks v1.0.2

Deployed based on user opt-in during onboarding:

  • Nested StackSet roles
  • Nested Firehose Log streams stack
  • Nested AWS EventBridge integration stack

Template set version 1.0.1

Changed Dynatrace monitoring configuration API to v2:

Core CFN stacks v1.0.1

  • Main deployment stack
    • Nested API client stack
    • Nested integration stack
    • Nested Monitoring IAM role stack

Conditional (nested) CFN stacks v1.0.1

Deployed based on user opt-in during onboarding:

  • Nested StackSet roles
  • Nested Firehose Log streams stack
  • Nested AWS EventBridge integration stack

Template set version 1.0.0

Changes:

  • General Availability version, cleaned and secured.

  • Changed resource, condition and output names.

  • Scoped down deployment permissions.

  • New IAM permissions to support CloudTrail API calls for topology changes for the following AWS resources:

    AWS::Route53::HostedZone
    AWS::Route53::HealthCheck
    AWS::ApiGateway::Stage
    AWS::ApiGatewayV2::Stage
    AWS::EFS::FileSystem
    AWS::EFS::AccessPoint
    AWS::EFS::MountTarget
    AWS::ECR::Repository
    AWS::ElastiCache::CacheCluster
    AWS::ElastiCache::ServerlessCache
    AWS::ElastiCache::ReplicationGroup
    AWS::ElastiCache::SubnetGroup
    AWS::MSK::Configuration
    AWS::MSK::VpcConnection
    AWS::SNS::Topic
    AWS::SQS::Queue
    AWS::ElasticBeanstalk::Environment
    AWS::Firehose::DeliveryStream
    AWS::Logs::LogGroup
    AWS::ElasticBeanstalk::Application
    AWS::S3::Bucket

Core CFN stacks v1.0.0

  • Main deployment stack
    • Nested API client stack
    • Nested integration stack
    • Nested Monitoring IAM role stack

Conditional (nested) CFN stacks v1.0.0

Deployed based on user opt-in during onboarding

  • Nested StackSet roles
  • Nested Firehose Log streams stack
  • Nested AWS EventBridge integration stack

Update the CloudFormation stack

If you have adjusted the provided templates to align with internal standards or policies (changed the CloudFormation code), do not follow this update procedure; see the FAQ.

  1. In the AWS CloudFormation console: Locate the root stack in the deployment region. The root stack name will follow the connection name, for example: MyEastProd3Account.

  2. Follow a direct update.

    We always recommend first updating a non-business-critical connection and then gradually updating the rest. We also recommend using AWS best practices for CFN direct updates.

  3. In Replace existing template, choose the latest 1.x.x version. If the update failed, check the AWS CloudFormation troubleshooting guide.

AWS Organizations

Latest templates set v1.0.7

Foundational

Latest

Core

Latest

CloudFormation template set major versions

v1.x.x: v1 is a long-term supported version.

How do I get the template set version?

  1. Locate the stack
  2. Select the Template tab to locate the Metadata/Version/Number and examine the value, for example, v1.0.2.

Version history (AWS Organization CFN template sets)

Use the single (standalone) account release notes to track changes.

Template set version 1.0.7

Foundational Core

Template set version 1.0.6

Foundational Core

Template set version 1.0.5

Foundational Core

Template set version 1.0.4

Foundational Core

Template set version 1.0.3

Foundational Core

Template set version 1.0.2

Foundational Core

Template set version 1.0.1

Foundational Core

Template set version 1.0.0

Foundational Core

Update the CloudFormation StackSets

If you have adjusted the provided templates to align with internal standards or policies (changed the CloudFormation code), do not follow this update procedure; see the FAQ.

We always release a new version of both the foundational and core StackSets to keep updates consistent. We require (and only support) updating both StackSets.

Update (and deploy) the foundational StackSet

  1. From the delegated administrator member account, locate the foundational StackSet and initiate an update.

  2. Replace existing template, choose the latest 1.x.x version.

  3. In Deployment Targets keep the Target Account ID.

If you have created multiple foundational StackSets targeting the same AWS account to support secret duty separation use cases, make sure that all StackSets follow the update.

Do not update the core StackSet if the foundational StackSet update was not successful.

Update (and deploy) the core StackSet

  1. From the delegated administrator member account, locate the core StackSet and initiate an update.

  2. Replace existing template, choose the latest 1.x.x version.

  3. In Deployment Targets, choose the target AWS Accounts/OUs.

We recommend first evaluating the update with dev/test/non-business-critical OU(s) as the initial Deployment Targets.

FAQ

I have modified the official Dynatrace template(s) to meet internal organizational policies. Will Dynatrace support my modified templates, and can I still update to a newer version?

We completely understand that adjusting the provided templates to align with your organization's internal standards or policies is sometimes a requirement rather than a choice.

However, there are two important implications to be aware of once a template has been customized:

1. Version updates

Customized templates follow a custom update path, which means they fall outside of the standard (Dynatrace-curated) vetted process.

Because modifications alter the underlying CloudFormation (known) state, applying a newer version of the template on top of a customized one may lead to unexpected behavior, including service interruptions.

2. Dynatrace Support

Custom update paths are not supported by Dynatrace.

Our support team's ability to assist with customized templates is very limited, as we cannot account for the impact of changes made outside of the official template structure. You can log a support ticket, in which case our team will focus on investigating the SaaS API side. Note that as part of the troubleshooting process, you may be asked to revert to a supported version of the template.

For more tailored assistance, we recommend reaching out to your Dynatrace Account Team, who can walk you through our available Professional Services offerings and help determine the best path forward for your specific setup, supporting custom update paths.

I am following the custom update path. Is there a way to learn which updates were released for the new templates?

For each release, we provide detailed release notes outlining the changes and enhancements included. We recommend reviewing these notes and selectively incorporating the relevant updates into your customized templates as part of your own update process.

Can I upgrade directly to the latest version?

Yes, a minor version upgrade should always use the latest version. For example, a deployed 1.0.1 can upgrade to the latest.

I learned that only the IAM stack has been updated, can I directly update this stack?

At present, we do not support direct updates of individual stacks. Each update must be done from the root stack, regardless of the actual changes.
