Try it free

Manage your AWS connections via API

  • Latest Dynatrace
  • How-to guide

The Dynatrace REST API enables you to create, update, retrieve, and delete both AWS connections and their associated monitoring configurations.

An AWS connection is the foundational link between Dynatrace and your AWS account, using a dedicated AWS IAM monitoring role for authentication and authorization. Each connection is paired one-to-one with a monitoring configuration—the blueprint that governs all monitoring behavior for that account, such as which AWS services to poll for metrics and which regions to target.

Once an AWS connection is in place, you can use the REST API to fully manage its linked monitoring configuration.

Recommended To delete an AWS connection, delete its associated monitoring configuration. This automatically triggers the removal of the underlying connection in the background.

To learn how to create an AWS connection via the REST API, see Create AWS connection via API.

Delete a monitoring configuration

This action is immediate and irreversible. Deleting a monitoring configuration will cause telemetry polling downtime and automatically remove its mapped AWS connection.

We recommend thorough testing of any automation scripts before running them in production—particularly scripts that iterate over and delete multiple monitoring configurations and their associated AWS connections.

1. List the monitoring configurations

  1. Prepare this command:

    curl -s -X GET \
    "https://${your_environment_url}/platform/extensions/v2/extensions/com.dynatrace.extension.da-aws/monitoring-configurations" \
    -H "Accept: application/json" \
    -H "Authorization: Bearer ${your_bearer_token}"
  2. Replace the following placeholders with your values and then run the command:

    • ${your_environment_url}: Your full Dynatrace environment URL, for example, xyz12345.apps.dynatrace.com.

    • ${your_bearer_token}: Set the platform settings token you have created as part of the prerequisites.

  3. The response should look similar to this:

    {
    "items": [
    {
    "objectId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "scope": "integration-aws",
    "value": {
    "enabled": true,
    "description": "test-aws-monitoring-east",
    ...
    ...
    ...
    "objectId": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyy",
    "scope": "integration-aws",
    "value": {
    "enabled": true,
    "description": "prod-aws-monitoring-east",
    ...
    ...
    ...
  4. The objectId is the monitoring configuration unique identifier and is used across all DELETE/PUT/GET API calls.

    Locate the monitoring configuration that you wish to delete and save its objectId as it will be needed for deleting the monitoring configuration.

    If the API call fails, validate that

    1. You have the needed service user permissions and platform token permissions to access (read) the Monitoring Configuration (Extensions) API.
    2. Your settings platform token is valid, and assigned to the correct Dynatrace account/environment.

2. Delete the monitoring configuration

To delete a specific monitoring configuration:

  1. Use the saved objectId or go to Settings Settings and capture the connection's Configuration ID property (connection Overview tab).

  2. Prepare this command:

    curl -X DELETE "https://${your_environment_url}/platform/extensions/v2/extensions/com.dynatrace.extension.da-aws/monitoring-configurations/${objectId}" \
    -H "Accept: application/json" \
    -H "Content-Type: application/json; charset=utf-8" \
    -H "Authorization: Bearer ${your_bearer_token}" -v
  3. Replace the following placeholders with your values and run the command:

    • ${your_environment_url}: Your full Dynatrace environment URL, for example, xyz12345.apps.dynatrace.com.
    • ${your_bearer_token}: Set the platform settings token you have created as part of the prerequisites.
    • ${objectId}: Set the captured objectId which identified the specific monitoring configuration (for example, xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).
  4. Because the -v flag is included, the command prints the full request/response trace (not just a status code). A successful deletion returns an empty body with a 204 status, shown here at the end of the trace:

    > Host: xyz12345.apps.dynatrace.com
    > User-Agent: curl/8.7.1
    > Accept: application/json
    > Content-Type: application/json; charset=utf-8
    > Authorization: Bearer ${your_bearer_token}
    >
    * Request completely sent off
    < HTTP/2 204

    If the API call fails with errors (4xx), validate that:

    1. You have the needed service user permissions and platform token permissions to write to (delete from) the Monitoring Configuration (Extensions) API.
    2. Your settings platform token is valid, and assigned to the correct Dynatrace account/environment.
    3. The monitoring configuration exists and the objectId is the correct one.
    AWS resources cleanup

    Deleting a monitoring configuration from the API does not delete any AWS resources.

    To avoid charges from AWS, delete all created AWS resources.

Modify monitoring settings for a monitoring configuration

Modifying a monitoring configuration is an atomic API call and will be effective immediately. The only supported method is the following steps:

  1. Monitoring configuration GET
  2. Monitoring settings changes
  3. Monitoring configuration PUT

The PUT endpoint requires the full configuration object—partial payloads are not supported. This is why the workflow below always starts with a GET—you modify only the fields you need on top of the full object returned, then submit the whole thing back.

Remember: Modification support varies across monitoring configuration fields. Certain fields are read-only, while others are not currently eligible for modification. See the monitoring configuration fields reference before proceeding.

1. Get the current monitoring configuration

Before modifying a monitoring configuration, retrieve its current settings so you can update only the fields you need without overwriting others.

  1. Use the saved objectId or go to Settings Settings, and capture the connection's Configuration ID property (connection Overview tab).

  2. Prepare this command:

    curl -X GET \
    "https://${your_environment_url}/platform/extensions/v2/extensions/com.dynatrace.extension.da-aws/monitoring-configurations/${objectId}" \
    -H "Accept: application/json" \
    -H "Authorization: Bearer ${your_bearer_token}" | tee ${objectId}.json
  3. Replace the following placeholders with your values and run the command:

    • ${your_environment_url}: Your full Dynatrace environment URL, for example, xyz12345.apps.dynatrace.com.
    • ${your_bearer_token}: Set the platform settings token you have created as part of the prerequisites.
    • ${objectId}: Set the captured objectId which identifies the specific monitoring configuration (for example, xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).
  4. The response should look similar to this:

    {
    "objectId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "scope": "integration-aws",
    "value": {
    "enabled": true,
    "description": "test-aws-monitoring-east",
    "version": "1.0.0",
    "featureSets": [
    "ApplicationELB_essential",
    "AutoScaling_essential",
    "CloudFront_essential",
    "DynamoDB_essential",
    "EBS_essential",
    "EC2_essential",
    "ECR_essential",
    "ECS_ContainerInsights_essential",
    "ECS_essential",
    "EFS_essential",
    "ELB_essential",
    "ElastiCache_essential",
    "Firehose_essential",
    "Lambda_essential",
    "NATGateway_essential",
    "NetworkELB_essential",
    "PrivateLinkEndpoints_essential",
    "PrivateLinkServices_essential",
    "RDS_essential",
    "Route53_essential",
    "S3_essential",
    "SNS_essential",
    "SQS_essential"
    ],
    "activationContext": "DATA_ACQUISITION",
    "aws": {
    "deploymentRegion": "us-east-1",
    "credentials": [
    {
    "description": "HAS connection",
    "enabled": true,
    "connectionId": "[REDACTED]",
    "accountId": "[REDACTED]",
    "rootOrganizationId": "[REDACTED]",
    "parentConfigurationId": "[REDACTED]"
    }
    ],
    "regionFiltering": [
    "us-east-1",
    "us-east-2"
    ],
    "tagFiltering": [],
    "tagEnrichment": [
    "test",
    "appid",
    "group",
    "center"
    ],
    "smartscapeConfiguration": {
    "enabled": true
    },
    "metricsConfiguration": {
    "enabled": true,
    "regions": [
    "us-east-1",
    "us-east-2"
    ]
    },
    "cloudWatchLogsConfiguration": {
    "enabled": true,
    "regions": [
    "us-east-1",
    "us-east-2"
    ]
    },
    "namespaces": [],
    "configurationMode": "QUICK_START",
    "deploymentMode": "AUTOMATED",
    "deploymentScope": "SINGLE_ACCOUNT",
    "manualDeploymentStatus": "NA",
    "automatedDeploymentStatus": "COMPLETE",
    "automatedDeploymentTemplateVersion": "v1.0.6"
    }
    },
    "modificationInfo": {
    "createdTime": "[REDACTED]",
    "createdBy": "[REDACTED]",
    "lastModifiedTime": "[REDACTED]",
    "lastModifiedBy": "[REDACTED]"
    }
    }
  5. The response is also saved into a local file named: ${objectId}.json.

    If the API call fails, validate that:

    1. You have the needed service user permissions and platform token permissions to access (read) the Monitoring Configuration (Extensions) API.
    2. Your settings platform token is valid, and assigned to the correct Dynatrace account/environment.
    3. The objectId is correct and the monitoring configuration exists.

2. Modify monitoring settings

  1. Patch your local ${objectId}.json file with the new settings and save the file. In this example, the tag costgroup is added to tagEnrichment:

    {
    "objectId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "scope": "integration-aws",
    "value": {
    "enabled": true,
    "description": "test-aws-monitoring-east",
    "version": "1.0.0",
    "featureSets": [
    "ApplicationELB_essential",
    "AutoScaling_essential",
    "CloudFront_essential",
    "DynamoDB_essential",
    "EBS_essential",
    "EC2_essential",
    "ECR_essential",
    "ECS_ContainerInsights_essential",
    "ECS_essential",
    "EFS_essential",
    "ELB_essential",
    "ElastiCache_essential",
    "Firehose_essential",
    "Lambda_essential",
    "NATGateway_essential",
    "NetworkELB_essential",
    "PrivateLinkEndpoints_essential",
    "PrivateLinkServices_essential",
    "RDS_essential",
    "Route53_essential",
    "S3_essential",
    "SNS_essential",
    "SQS_essential"
    ],
    "activationContext": "DATA_ACQUISITION",
    "aws": {
    "deploymentRegion": "us-east-1",
    "credentials": [
    {
    "description": "HAS connection",
    "enabled": true,
    "connectionId": "[REDACTED]",
    "accountId": "[REDACTED]",
    "rootOrganizationId": "[REDACTED]",
    "parentConfigurationId": "[REDACTED]"
    }
    ],
    "regionFiltering": [
    "us-east-1",
    "us-east-2"
    ],
    "tagFiltering": [],
    "tagEnrichment": [
    "test",
    "appid",
    "group",
    "center",
    "costgroup"
    ],
    "smartscapeConfiguration": {
    "enabled": true
    },
    "metricsConfiguration": {
    "enabled": true,
    "regions": [
    "us-east-1",
    "us-east-2"
    ]
    },
    "cloudWatchLogsConfiguration": {
    "enabled": true,
    "regions": [
    "us-east-1",
    "us-east-2"
    ]
    },
    "namespaces": [],
    "configurationMode": "QUICK_START",
    "deploymentMode": "AUTOMATED",
    "deploymentScope": "SINGLE_ACCOUNT",
    "manualDeploymentStatus": "NA",
    "automatedDeploymentStatus": "COMPLETE",
    "automatedDeploymentTemplateVersion": "v1.0.6"
    }
    },
    "modificationInfo": {
    "createdTime": "[REDACTED]",
    "createdBy": "[REDACTED]",
    "lastModifiedTime": "[REDACTED]",
    "lastModifiedBy": "[REDACTED]"
    }
    }

    The PUT endpoint requires the full configuration object. Partial payloads are not supported. Always base your payload on the GET response from the previous step.

  2. Submit the patched monitoring configuration to the REST API:

    curl -X PUT \
    "https://${your_environment_url}/platform/extensions/v2/extensions/com.dynatrace.extension.da-aws/monitoring-configurations/${objectId}" \
    -H "Accept: application/json" \
    -H "Content-Type: application/json; charset=utf-8" \
    -H "Authorization: Bearer ${your_bearer_token}" \
    -d @${objectId}.json
  3. Replace the following placeholders with your values and run the command:

    • ${your_environment_url}: Your full Dynatrace environment URL, for example, xyz12345.apps.dynatrace.com.
    • ${your_bearer_token}: Set the platform settings token you have created as part of the prerequisites.
    • ${objectId}: Set the captured objectId which identifies the specific monitoring configuration (for example, xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).
  4. A successful response returns the updated objectId:

    [
    {
    "objectId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "code": 200
    }
    ]

    If the API call fails with errors (4xx), validate that:

    1. You have the needed service user permissions and platform token permissions to write to the Monitoring Configuration (Extensions) API.
    2. Your settings platform token is valid, and assigned to the correct Dynatrace account/environment.
    3. The request body is the complete configuration object, not a partial update.
Related tags
Infrastructure Observability