This document provides step-by-step instructions on connecting your Observability product to Amazon Web Services (AWS) using the AWS Integration with the Access Keys method. This integration allows you to access and monitor your AWS resources from within OpsRamp securely.


Ensure you have the necessary IAM permissions to create IAM roles and policies in AWS.

AWS configuration

Step 1: Configure IAM Policy in AWS

  1. Log in to your AWS Management Console.

  2. Navigate to the IAM (Identity and Access Management) service.

  3. Click Policies in the left-hand navigation pane.

  4. Click Create Policy.

  5. From the Create Policy page under Specify permissions, select JSON editor, and paste the following code:

    See Permissions for AWS Resource Discovery for more details about the permissions required for discovering AWS resources.

  6. Click Next.

  7. In the Review and create page, you need to provide a name for the policy.

  8. Click Save.

Step 2: Configure IAM User in AWS

  1. Navigate to the IAM (Identity and Access Management) service.

  2. Click Users in the left-hand navigation pane.

  3. Click Create User.

  4. Provide a name and click Next.

  5. The recommended method of setting permissions for a user is through a user group in AWS. Choose to Add user to group and create or select an existing group. The group should have the IAM policy created earlier attached to it.

  6. Click Next.

  7. Click Create User.

  8. Find the user created and click the user from the Users page.

  9. Click the Create access key.

  10. Choose the Third-party service option.

  11. Click Next.

  12. Save the Access Key and Secret Access Key. As an alternative, you can download the CSV file to access the secret keys.

  13. You can now set up the AWS integration within OpsRamp using the secret keys.

Step 3: Set up AWS Integration in OpsRamp

  1. Log in to the OpsRamp portal.

  2. Navigate to Setup > Account.

  3. On the ACCOUNT DETAILS page, select Integrations and Apps.

  4. The INSTALLED INTEGRATIONS page is displayed with all the installed applications.

    Note: If there are no installed applications, it will navigate to the AVAILABLE INTEGRATIONS AND APPS page.

  5. Click + ADD on the INSTALLED INTEGRATIONS page. The AVAILABLE INTEGRATIONS AND APPS page displays all the available applications along with the newly created application.
    Note: You can even search for the application using the search option available. Also, you can use the All Categories option to search.

  6. Click ADD in the AWS application.

  7. In the ADD AWS page, enter the account information:

Name(required) Enter the name for the integration.
Region(required) Select the AWS region from the drop-down list. The services that belong to the selected regions are onboarded. You can select multiple regions to onboard the services.
If you select two regions A and B, and if you are not authorized to access region B, onboarding fails for both regions A and B.
Integration type(required) Select IAM.
Account number(required) Enter the AWS Account Number (which can be found in the top right of your AWS console).
Access Key(required) Enter the access key you received during Step 2: Configure IAM User in AWS.
Security Key(required) Enter the security key you received during Step 2: Configure IAM User in AWS.
  1. Click Next.
  2. Navigate to the Filter screen.
  3. From the Filter Criteria type, select Smart Filters.
  1. You can choose All resources or choose specific resources to discover from your AWS account. If you would like to select specific resources, check the checkboxes, and select the resources you need.

  2. Click Next.

  3. On the last screen, check Manage Device such that all the discovered resources are in a managed state and choose a discovery schedule (this runs periodically to discover new resources).

  4. See the Appendix for more information about other AWS integration options.

  5. Click Finish.
    The integration is completed.

Once the integration is completed, you should see your devices being discovered. Navigate to Infrastructure > Search or Infrastructure > Resources to see the discovered resources.

Note: It might take up to 5 minutes to see your resources.

Remove resources

When editing the AWS integration, you can choose whether to keep or remove agent-installed resources. If you edit an instance of the integration and removes a resource type from being discovered, previously discovered resources of that type will now be automatically removed from OpsRamp.

Collect Metrics

Now that you have discovered your AWS resources, you can now start collecting the metrics. See Collect Metrics for more details.


If you want to collect logs from AWS, navigate to Infrastructure > Logs and if enabled, follow the steps mentioned in the Log Management.

AWS Integration Options:

  1. Manage Device: Discover the AWS services in a managed state.
  2. Enable Metric Streaming: Enable metric streaming from Kinesis Firehose. Note: this will stop metric collection from CloudWatch APIs.
  3. Stream CloudWatch Alarms: Enter the SQS URL to get alarms. See configuring Amazon CloudWatch alarms.
  4. Ingest unsupported AWS resource alarms: Process all Amazon CloudWatch alarms and AWS services not supported by OpsRamp.
  5. Create a resource based on CloudTrail events stream: Enter the SQS URL to get events. See Configuring Amazon CloudTrail.
  6. Stream AWS Events: Enter the SQS URL to get events. See configuring AWS Events.
  7. Collect Cost Analytics: Collect project cost details of the services utilized. To collect Cost Analytics, create an Amazon S3 bucket and set up Amazon S3 for collecting AWS billing data. Amazon S3 bucket can be configured on the root account only.
  8. Assign Credentials Matching with Fingerprint: Check if the credential set of the EC2 instance matches the credential set of the key pair.
  9. Assign Gateway Management Profile: Select the gateway management profile from the drop-down list.