AWS WAF Classic monitoring
Dynatrace ingests metrics for multiple preselected namespaces, including AWS WAF Classic. You can view metrics for each service instance, split metrics into multiple dimensions, and create custom charts that you can pin to your dashboards.
Prerequisites
To enable monitoring for this service, you need
-
ActiveGate version 1.197+, as follows:
-
For Dynatrace SaaS deployments, you need an Environment ActiveGate or a Multi-environment ActiveGate.
-
For Dynatrace Managed deployments, you can use any kind of ActiveGate.
For role-based access (whether in a SaaS or Managed deployment), you need an Environment ActiveGate installed on an Amazon EC2 host.
-
-
Dynatrace version 1.200+
-
An updated AWS monitoring policy to include the additional AWS services.
To update the AWS IAM policy, use the JSON below, containing the monitoring policy (permissions) for all supporting services.
1{2 "Version": "2012-10-17",3 "Statement": [4 {5 "Sid": "VisualEditor0",6 "Effect": "Allow",7 "Action": [8 "acm-pca:ListCertificateAuthorities",9 "apigateway:GET",10 "apprunner:ListServices",11 "appstream:DescribeFleets",12 "appsync:ListGraphqlApis",13 "athena:ListWorkGroups",14 "autoscaling:DescribeAutoScalingGroups",15 "cloudformation:ListStackResources",16 "cloudfront:ListDistributions",17 "cloudhsm:DescribeClusters",18 "cloudsearch:DescribeDomains",19 "cloudwatch:GetMetricData",20 "cloudwatch:GetMetricStatistics",21 "cloudwatch:ListMetrics",22 "codebuild:ListProjects",23 "datasync:ListTasks",24 "dax:DescribeClusters",25 "directconnect:DescribeConnections",26 "dms:DescribeReplicationInstances",27 "dynamodb:ListTables",28 "dynamodb:ListTagsOfResource",29 "ec2:DescribeAvailabilityZones",30 "ec2:DescribeInstances",31 "ec2:DescribeNatGateways",32 "ec2:DescribeSpotFleetRequests",33 "ec2:DescribeTransitGateways",34 "ec2:DescribeVolumes",35 "ec2:DescribeVpnConnections",36 "ecs:ListClusters",37 "eks:ListClusters",38 "elasticache:DescribeCacheClusters",39 "elasticbeanstalk:DescribeEnvironmentResources",40 "elasticbeanstalk:DescribeEnvironments",41 "elasticfilesystem:DescribeFileSystems",42 "elasticloadbalancing:DescribeInstanceHealth",43 "elasticloadbalancing:DescribeListeners",44 "elasticloadbalancing:DescribeLoadBalancers",45 "elasticloadbalancing:DescribeRules",46 "elasticloadbalancing:DescribeTags",47 "elasticloadbalancing:DescribeTargetHealth",48 "elasticmapreduce:ListClusters",49 "elastictranscoder:ListPipelines",50 "es:ListDomainNames",51 "events:ListEventBuses",52 "firehose:ListDeliveryStreams",53 "fsx:DescribeFileSystems",54 "gamelift:ListFleets",55 "glue:GetJobs",56 "inspector:ListAssessmentTemplates",57 "kafka:ListClusters",58 "kinesis:ListStreams",59 "kinesisanalytics:ListApplications",60 "kinesisvideo:ListStreams",61 "lambda:ListFunctions",62 "lambda:ListTags",63 "lex:GetBots",64 "logs:DescribeLogGroups",65 "mediaconnect:ListFlows",66 "mediaconvert:DescribeEndpoints",67 "mediapackage-vod:ListPackagingConfigurations",68 "mediapackage:ListChannels",69 "mediatailor:ListPlaybackConfigurations",70 "opsworks:DescribeStacks",71 "qldb:ListLedgers",72 "rds:DescribeDBClusters",73 "rds:DescribeDBInstances",74 "rds:DescribeEvents",75 "rds:ListTagsForResource",76 "redshift:DescribeClusters",77 "robomaker:ListSimulationJobs",78 "route53:ListHostedZones",79 "route53resolver:ListResolverEndpoints",80 "s3:ListAllMyBuckets",81 "sagemaker:ListEndpoints",82 "sns:ListTopics",83 "sqs:ListQueues",84 "storagegateway:ListGateways",85 "sts:GetCallerIdentity",86 "swf:ListDomains",87 "tag:GetResources",88 "tag:GetTagKeys",89 "transfer:ListServers",90 "workmail:ListOrganizations",91 "workspaces:DescribeWorkspaces"92 ],93 "Resource": "*"94 }95 ]96}
If you don't want to add permissions to all services, and just select permissions for certain services, consult the table below. The table contains a set of permissions that are required for all services (All monitored Amazon services) and, for each supporting service, a list of optional permissions specific to that service.
| Name | Additional permissions |
|---|---|
| AWS Certificate Manager Private Certificate Authority | "acm-pca:ListCertificateAuthorities" |
| All monitored Amazon services | "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "sts:GetCallerIdentity", "tag:GetResources", "tag:GetTagKeys", "ec2:DescribeAvailabilityZones" |
| Amazon MQ | |
| Amazon API Gateway | "apigateway:GET" |
| AWS App Runner | "apprunner:ListServices" |
| Amazon AppStream | "appstream:DescribeFleets" |
| AWS AppSync | "appsync:ListGraphqlApis" |
| Amazon Athena | "athena:ListWorkGroups" |
| Amazon Aurora | "rds:DescribeDBClusters" |
| Amazon EC2 Auto Scaling | "autoscaling:DescribeAutoScalingGroups" |
| Amazon EC2 Auto Scaling (built-in) | "autoscaling:DescribeAutoScalingGroups" |
| AWS Billing | |
| Amazon Keyspaces | |
| AWS Chatbot | |
| Amazon CloudFront | "cloudfront:ListDistributions" |
| AWS CloudHSM | "cloudhsm:DescribeClusters" |
| Amazon CloudSearch | "cloudsearch:DescribeDomains" |
| AWS CodeBuild | "codebuild:ListProjects" |
| Amazon Cognito | |
| Amazon Connect | |
| Amazon Elastic Kubernetes Service (EKS) | "eks:ListClusters" |
| AWS DataSync | "datasync:ListTasks" |
| Amazon DynamoDB Accelerator (DAX) | "dax:DescribeClusters" |
| Amazon Database Migration Service | "dms:DescribeReplicationInstances" |
| Amazon DocumentDB | "rds:DescribeDBClusters" |
| AWS Direct Connect | "directconnect:DescribeConnections" |
| Amazon DynamoDB | "dynamodb:ListTables" |
| Amazon DynamoDB (built-in) | "dynamodb:ListTables", "dynamodb:ListTagsOfResource" |
| Amazon EBS | "ec2:DescribeVolumes" |
| Amazon EBS (built-in) | "ec2:DescribeVolumes" |
| Amazon EC2 API | |
| Amazon EC2 (built-in) | "ec2:DescribeInstances" |
| Amazon EC2 Spot Fleet | "ec2:DescribeSpotFleetRequests" |
| Amazon Elastic Container Service (ECS) | "ecs:ListClusters" |
| Amazon ECS ContainerInsights | "ecs:ListClusters" |
| Amazon ElastiCache (EC) | "elasticache:DescribeCacheClusters" |
| AWS Elastic Beanstalk | "elasticbeanstalk:DescribeEnvironments" |
| Amazon Elastic File System (EFS) | "elasticfilesystem:DescribeFileSystems" |
| Amazon Elastic Inference | |
| Amazon Elastic Map Reduce (EMR) | "elasticmapreduce:ListClusters" |
| Amazon Elasticsearch Service (ES) | "es:ListDomainNames" |
| Amazon Elastic Transcoder | "elastictranscoder:ListPipelines" |
| AWS Elastic Load Balancing (ELB) (built-in) | "elasticloadbalancing:DescribeInstanceHealth", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetHealth" |
| Amazon EventBridge | "events:ListEventBuses" |
| Amazon FSx | "fsx:DescribeFileSystems" |
| Amazon GameLift | "gamelift:ListFleets" |
| AWS Glue | "glue:GetJobs" |
| Amazon Inspector | "inspector:ListAssessmentTemplates" |
| AWS Internet of Things (IoT) | |
| AWS IoT Analytics | |
| Amazon Managed Streaming for Kafka | "kafka:ListClusters" |
| Amazon Kinesis Data Analytics | "kinesisanalytics:ListApplications" |
| Amazon Kinesis Data Firehose | "firehose:ListDeliveryStreams" |
| Amazon Kinesis Data Streams | "kinesis:ListStreams" |
| Amazon Kinesis Video Streams | "kinesisvideo:ListStreams" |
| Amazon Lambda | "lambda:ListFunctions" |
| AWS Lambda (built-in) | "lambda:ListFunctions", "lambda:ListTags" |
| Amazon Lex | "lex:GetBots" |
| AWS Application and Network Load Balancer (built-in) | "elasticloadbalancing:DescribeInstanceHealth", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetHealth" |
| Amazon CloudWatch Logs | "logs:DescribeLogGroups" |
| AWS Elemental MediaConnect | "mediaconnect:ListFlows" |
| Amazon MediaConvert | "mediaconvert:DescribeEndpoints" |
| Amazon MediaPackage Live | "mediapackage:ListChannels" |
| Amazon MediaPackage Video on Demand | "mediapackage-vod:ListPackagingConfigurations" |
| Amazon MediaTailor | "mediatailor:ListPlaybackConfigurations" |
| Amazon VPC NAT Gateways | "ec2:DescribeNatGateways" |
| Amazon Neptune | "rds:DescribeDBClusters" |
| AWS OpsWorks | "opsworks:DescribeStacks" |
| Amazon Polly | |
| Amazon QLDB | "qldb:ListLedgers" |
| Amazon RDS | "rds:DescribeDBInstances" |
| Amazon RDS (built-in) | "rds:DescribeDBInstances", "rds:DescribeEvents", "rds:ListTagsForResource" |
| Amazon Redshift | "redshift:DescribeClusters" |
| Amazon Rekognition | |
| AWS RoboMaker | "robomaker:ListSimulationJobs" |
| Amazon Route 53 | "route53:ListHostedZones" |
| Amazon Route 53 Resolver | "route53resolver:ListResolverEndpoints" |
| Amazon S3 | "s3:ListAllMyBuckets" |
| Amazon S3 (built-in) | "s3:ListAllMyBuckets" |
| Amazon SageMaker Batch Transform Jobs | |
| Amazon SageMaker Endpoint Instances | "sagemaker:ListEndpoints" |
| Amazon SageMaker Endpoints | "sagemaker:ListEndpoints" |
| Amazon SageMaker Ground Truth | |
| Amazon SageMaker Processing Jobs | |
| Amazon SageMaker Training Jobs | |
| AWS Service Catalog | |
| Amazon Simple Email Service (SES) | |
| Amazon Simple Notification Service (SNS) | "sns:ListTopics" |
| Amazon Simple Queue Service (SQS) | "sqs:ListQueues" |
| AWS Systems Manager - Run Command | |
| AWS Step Functions | |
| AWS Storage Gateway | "storagegateway:ListGateways" |
| Amazon SWF | "swf:ListDomains" |
| Amazon Textract | |
| AWS IoT Things Graph | |
| Amazon Transfer Family | "transfer:ListServers" |
| AWS Transit Gateway | "ec2:DescribeTransitGateways" |
| Amazon Translate | |
| AWS Trusted Advisor | |
| AWS API Usage | |
| AWS Site-to-Site VPN | "ec2:DescribeVpnConnections" |
| Amazon WAF Classic | |
| Amazon WAF | |
| Amazon WorkMail | "workmail:ListOrganizations" |
| Amazon WorkSpaces | "workspaces:DescribeWorkspaces" |
Example of JSON policy for one single service.
1{2 "Version": "2012-10-17",3 "Statement": [4 {5 "Sid": "VisualEditor0",6 "Effect": "Allow",7 "Action": [8 "apigateway:GET",9 "cloudwatch:GetMetricData",10 "cloudwatch:GetMetricStatistics",11 "cloudwatch:ListMetrics",12 "sts:GetCallerIdentity",13 "tag:GetResources",14 "tag:GetTagKeys",15 "ec2:DescribeAvailabilityZones"16 ],17 "Resource": "*"18 }19 ]20}
In this example, from the complete list of permissions you need to select
"apigateway:GET"for Amazon API Gateway"cloudwatch:GetMetricData","cloudwatch:GetMetricStatistics","cloudwatch:ListMetrics","sts:GetCallerIdentity","tag:GetResources","tag:GetTagKeys", and"ec2:DescribeAvailabilityZones"for All monitored Amazon services.
Enable monitoring
To learn how to enable service monitoring, see Enable service monitoring.
View service metrics
You can view the service metrics in your Dynatrace environment either on the custom device overview page or on your Dashboards page.
View metrics on the custom device overview page
To access the custom device overview page
- In the Dynatrace menu, go to Technologies and processes.
Filter by service name and select the relevant custom device group.
- Once you select the custom device group, you're on the custom device group overview page.
- The custom device group overview page lists all instances (custom devices) belonging to the group. Select an instance to view the custom device overview page.
View metrics on your dashboard
After you add the service to monitoring, a preset dashboard containing all recommended metrics is automatically listed on your Dashboards page. To look for specific dashboards, filter by Preset and then by Name.
For existing monitored services, you might need to resave your credentials for the preset dashboard to appear on the Dashboards page. To resave your credentials, go to Settings > Cloud and virtualization > AWS, select the desired AWS instance, and then select Save.
You can't make changes on a preset dashboard directly, but you can clone and edit it. To clone a dashboard, open the browse menu (…) and select Clone.
To remove a dashboard from the dashboards page, you can hide it. To hide a dashboard, open the browse menu (…) and select Hide.
Hiding a dashboard doesn't affect other users.
To check the availability of preset dashboards for each AWS service, see the list below.
| AWS service | Preset dashboard |
|---|---|
| AWS Certificate Manager Private Certificate Authority | no |
| Amazon MQ | yes |
| Amazon API Gateway | no |
| AWS App Runner | no |
| Amazon AppStream | yes |
| AWS AppSync | yes |
| Amazon Athena | yes |
| Amazon Aurora | no |
| Amazon EC2 Auto Scaling | yes |
| Amazon EC2 Auto Scaling (built-in) | no |
| AWS Billing | yes |
| Amazon Keyspaces | yes |
| AWS Chatbot | yes |
| Amazon CloudFront | no |
| AWS CloudHSM | yes |
| Amazon CloudSearch | yes |
| AWS CodeBuild | yes |
| Amazon Cognito | no |
| Amazon Connect | yes |
| Amazon Elastic Kubernetes Service (EKS) | yes |
| AWS DataSync | yes |
| Amazon DynamoDB Accelerator (DAX) | yes |
| Amazon Database Migration Service | yes |
| Amazon DocumentDB | yes |
| AWS Direct Connect | yes |
| Amazon DynamoDB | no |
| Amazon DynamoDB (built-in) | no |
| Amazon EBS | no |
| Amazon EBS (built-in) | no |
| Amazon EC2 API | yes |
| Amazon EC2 (built-in) | no |
| Amazon EC2 Spot Fleet | no |
| Amazon Elastic Container Service (ECS) | no |
| Amazon ECS ContainerInsights | yes |
| Amazon ElastiCache (EC) | no |
| AWS Elastic Beanstalk | yes |
| Amazon Elastic File System (EFS) | no |
| Amazon Elastic Inference | yes |
| Amazon Elastic Map Reduce (EMR) | no |
| Amazon Elasticsearch Service (ES) | no |
| Amazon Elastic Transcoder | yes |
| AWS Elastic Load Balancing (ELB) (built-in) | no |
| Amazon EventBridge | yes |
| Amazon FSx | yes |
| Amazon GameLift | yes |
| AWS Glue | no |
| Amazon Inspector | yes |
| AWS Internet of Things (IoT) | no |
| AWS IoT Analytics | yes |
| Amazon Managed Streaming for Kafka | yes |
| Amazon Kinesis Data Analytics | no |
| Amazon Kinesis Data Firehose | no |
| Amazon Kinesis Data Streams | no |
| Amazon Kinesis Video Streams | no |
| Amazon Lambda | no |
| AWS Lambda (built-in) | no |
| Amazon Lex | yes |
| AWS Application and Network Load Balancer (built-in) | no |
| Amazon CloudWatch Logs | yes |
| AWS Elemental MediaConnect | yes |
| Amazon MediaConvert | yes |
| Amazon MediaPackage Live | yes |
| Amazon MediaPackage Video on Demand | yes |
| Amazon MediaTailor | yes |
| Amazon VPC NAT Gateways | no |
| Amazon Neptune | yes |
| AWS OpsWorks | yes |
| Amazon Polly | yes |
| Amazon QLDB | yes |
| Amazon RDS | no |
| Amazon RDS (built-in) | no |
| Amazon Redshift | no |
| Amazon Rekognition | yes |
| AWS RoboMaker | yes |
| Amazon Route 53 | yes |
| Amazon Route 53 Resolver | yes |
| Amazon S3 | no |
| Amazon S3 (built-in) | no |
| Amazon SageMaker Batch Transform Jobs | no |
| Amazon SageMaker Endpoint Instances | no |
| Amazon SageMaker Endpoints | no |
| Amazon SageMaker Ground Truth | no |
| Amazon SageMaker Processing Jobs | no |
| Amazon SageMaker Training Jobs | no |
| AWS Service Catalog | yes |
| Amazon Simple Email Service (SES) | no |
| Amazon Simple Notification Service (SNS) | no |
| Amazon Simple Queue Service (SQS) | no |
| AWS Systems Manager - Run Command | yes |
| AWS Step Functions | yes |
| AWS Storage Gateway | yes |
| Amazon SWF | yes |
| Amazon Textract | yes |
| AWS IoT Things Graph | yes |
| Amazon Transfer Family | yes |
| AWS Transit Gateway | yes |
| Amazon Translate | yes |
| AWS Trusted Advisor | yes |
| AWS API Usage | yes |
| AWS Site-to-Site VPN | yes |
| Amazon WAF Classic | yes |
| Amazon WAF | yes |
| Amazon WorkMail | yes |
| Amazon WorkSpaces | yes |
Available metrics
| Name | Description | Unit | Statistics | Dimensions | Recommended |
|---|---|---|---|---|---|
| AllowedRequests | The number of allowed web requests | Count | Sum | WebACL, Region, Rule |  |
| AllowedRequests | Count | Sum | WebACL, Region, RuleGroup | | |
| AllowedRequests | Count | Sum | Region, Rule, RuleGroup | | |
| AllowedRequests | Count | Sum | WebACL, Rule | | |
| AllowedRequests | Count | Sum | WebACL, RuleGroup | | |
| BlockedRequests | The number of blocked web requests | Count | Sum | WebACL, Region, Rule | |
| BlockedRequests | Count | Sum | WebACL, Region, RuleGroup | | |
| BlockedRequests | Count | Sum | Region, Rule, RuleGroup | | |
| BlockedRequests | Count | Sum | WebACL, Rule | | |
| BlockedRequests | Count | Sum | WebACL, RuleGroup | | |
| CountedRequests | The number of counted web requests | Count | Sum | WebACL, Region, Rule | |
| CountedRequests | Count | Sum | WebACL, Region, RuleGroup | | |
| CountedRequests | Count | Sum | Region, Rule, RuleGroup | | |
| CountedRequests | Count | Sum | WebACL, Rule | | |
| CountedRequests | Count | Sum | WebACL, RuleGroup | | |
| PassedRequests | The number of passed requests for a rule group | Count | Sum | WebACL, Region, Rule | |
| PassedRequests | Count | Sum | WebACL, Region, RuleGroup | | |
| PassedRequests | Count | Sum | Region, Rule, RuleGroup | | |
| PassedRequests | Count | Sum | WebACL, Rule | | |
| PassedRequests | Count | Sum | WebACL, RuleGroup | |