Introduction

This document provides step-by-step instructions on connecting your Observability product to Amazon Web Services (AWS) using the AWS Integration with an External ID method. This integration allows you to securely access and monitor your AWS resources from within OpsRamp. The External ID adds an additional layer of security to the integration: the IAM role can only be assumed by a caller that presents the External ID generated for your OpsRamp account, which tightens access control on the cross-account role.

Prerequisites

Ensure you have the necessary IAM permissions to create IAM roles and policies in AWS.

AWS configuration

Step 1: Generate External ID

  1. Log in to the OpsRamp portal.

  2. Navigate to Setup > Account.

  3. On the ACCOUNT DETAILS page, select Integrations and Apps.

  4. The INSTALLED INTEGRATIONS page is displayed with all the installed applications.

    Note: If there are no installed applications, it will navigate to the AVAILABLE INTEGRATIONS AND APPS page.

  5. Click + ADD on the INSTALLED INTEGRATIONS page. The AVAILABLE INTEGRATIONS AND APPS page displays all the available applications along with the newly created application.
    Note: You can also search for the application using the search box, or narrow the list by category using the All Categories option.

  6. Click ADD in the AWS application.

  7. In the ADD AWS page, enter the account information:

Functionality: Description

Name (required): Enter the name for the integration.

Region (required): Select the AWS region from the drop-down list. The services that belong to the selected regions are onboarded. You can select multiple regions to onboard the services.
    Note: If you select two regions A and B, and you are not authorized to access region B, onboarding fails for both regions A and B.

Integration type (required): Select IAM Role with External ID (Recommended).

Account number (required): The AWS account number is automatically populated. Copy the account number, as you need it to create a role in the AWS console.

External ID (required): The External ID is automatically populated. Copy the External ID, as you need it to create a role in the AWS console.

AssumeRole ARN: The AssumeRole ARN is generated only after creating the role. To enter the ARN in this field, navigate to your AWS account and perform the actions described in Step 3: Configure IAM Role in AWS.

Step 2: Configure IAM Policy in AWS

  1. Log in to your AWS Management Console.

  2. Navigate to the IAM (Identity and Access Management) service.

  3. Click Policies in the left-hand navigation pane.

  4. Click Create Policy.

  5. From the Create Policy page under Specify permissions, select JSON editor, and paste the following code:

{
	"Version": "2012-10-17",
	"Statement": [{
		"Effect": "Allow",
		"Resource": "*",
		"Action": [
			"autoscaling:Describe*",
			"cloudtrail:Describe*",
			"cloudtrail:Get*",
			"cloudtrail:List*",
			"cloudformation:Describe*",
			"cloudformation:Get*",
			"cloudformation:List*",
			"cloudfront:Describe*",
			"cloudfront:Get*",
			"cloudfront:List*",
			"cloudwatch:Describe*",
			"cloudwatch:Get*",
			"cloudwatch:List*",
			"dynamodb:Describe*",
			"dynamodb:Get*",
			"dynamodb:List*",
			"ec2:Describe*",
			"ec2:Get*",
			"elasticache:Describe*",
			"elasticache:List*",
			"elasticloadbalancing:Describe*",
			"elasticmapreduce:Describe*",
			"elasticmapreduce:Get*",
			"elasticmapreduce:List*",
			"iam:Describe*",
			"iam:Get*",
			"iam:List*",
			"kinesis:Describe*",
			"kinesis:Get*",
			"kinesis:List*",
			"route53:List*",
			"route53:Get*",
			"redshift:Describe*",
			"redshift:List*",
			"redshift:Get*",
			"rds:Describe*",
			"rds:List*",
			"s3:Describe*",
			"s3:List*",
			"s3:Get*",
			"sdb:List*",
			"sdb:Get*",
			"sns:List*",
			"sns:Get*",
			"sqs:Get*",
			"sqs:List*",
			"lambda:list*",
			"lambda:get*",
			"MachineLearning:describe*",
			"MachineLearning:get*",
			"StorageGateway:describe*",
			"StorageGateway:list*",
			"ApiGateway:get*",
			"ecs:describe*",
			"ecs:list*",
			"workspaces:list*",
			"workspaces:describe*",
			"lightsail:get*",
			"dms:Describe*",
			"dms:List*",
			"states:Describe*",
			"states:Get*",
			"states:List*",
			"connect:Describe*",
			"connect:Get*",
			"connect:List*",
			"mq:Describe*",
			"mq:List*",
			"appmesh:Describe*",
			"appmesh:List*",
			"appstream:Describe*",
			"appstream:Get*",
			"appstream:List*",
			"appsync:Get*",
			"appsync:List*",
			"athena:Get*",
			"athena:List*",
			"gamelift:Describe*",
			"gamelift:Get*",
			"gamelift:List*",
			"guardduty:Describe*",
			"guardduty:Get*",
			"guardduty:List*",
			"glue:Get*",
			"glue:List*",
			"kms:Describe*",
			"kms:Get*",
			"kms:List*",
			"lex:Describe*",
			"lex:Get*",
			"lex:List*",
			"kafka:Describe*",
			"kafka:Get*",
			"kafka:List*",
			"translate:Describe*",
			"translate:Get*",
			"translate:List*",
			"cloudhsm:Describe*",
			"cloudhsm:Get*",
			"cloudhsm:List*",
			"cloudsearch:Describe*",
			"cloudsearch:List*",
			"cognito-idp:Describe*",
			"cognito-idp:Get*",
			"cognito-idp:List*",
			"codebuild:Describe*",
			"codebuild:Get*",
			"codebuild:List*",
			"codecommit:Describe*",
			"codecommit:Get*",
			"codecommit:List*",
			"codedeploy:Get*",
			"codedeploy:List*",
			"codepipeline:Get*",
			"codepipeline:List*",
			"directconnect:Describe*",
			"directconnect:List*",
			"elasticfilesystem:Describe*",
			"elasticfilesystem:List*",
			"elasticbeanstalk:Describe*",
			"elasticbeanstalk:List*",
			"es:Describe*",
			"es:Get*",
			"es:List*",
			"elastictranscoder:List*",
			"events:Describe*",
			"events:List*",
			"inspector:Describe*",
			"inspector:Get*",
			"inspector:List*",
			"iot:Describe*",
			"iot:Get*",
			"iot:List*",
			"mediaconnect:Describe*",
			"mediaconnect:List*",
			"mediaconvert:Describe*",
			"mediaconvert:Get*",
			"mediaconvert:List*",
			"mediapackage:Describe*",
			"mediapackage:List*",
			"mediatailor:Get*",
			"mediatailor:List*",
			"opsworks:Describe*",
			"opsworks:Get*",
			"opsworks:List*",
			"sagemaker:Describe*",
			"sagemaker:Get*",
			"sagemaker:List*",
			"waf:Get*",
			"waf:List*",
			"waf-regional:Get*",
			"waf-regional:List*",
			"wafv2:Describe*",
			"wafv2:Get*",
			"wafv2:List*",
			"swf:Describe*",
			"swf:Get*",
			"swf:List*"
		]
	}]
}

  6. Click Next.

  7. In the Review and create page, provide a name for the policy.

  8. Click Save.

Step 3: Configure IAM Role in AWS

  1. Log in to your AWS Management Console.

  2. Navigate to the IAM (Identity and Access Management) service.

  3. Click Roles in the left-hand navigation pane.

  4. Click Create Role.

  5. On the Create role page, under the Select trusted entity type section, select AWS account.

  6. Under An AWS account section, select Another AWS account.

  7. Enter the OpsRamp account number and check the option for Require external ID.

  8. Enter the External ID generated earlier in the corresponding field.

  9. Click Next.

  10. In the Add permissions section, find the policy created earlier.

  11. Provide a name to the role.

  12. Click Save.

  13. Navigate to the newly created role in AWS.

  14. Copy the role ARN and paste it into the OpsRamp integration page.
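The two policies these steps produce can be checked before they are attached. The following added example (not OpsRamp's or AWS's own code) builds the trust policy that the console generates for "Another AWS account" with "Require external ID" (Step 3), and audits a permissions policy such as the one in Step 2 to confirm it grants read-only access only. The account number and External ID are constructed placeholders; use the values shown on the ADD AWS page.

```python
# Constructed placeholder values; the real ones are shown on the OpsRamp ADD AWS page.
OPSRAMP_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "example-external-id-from-opsramp"

# Verbs that only read state; a monitoring role needs nothing beyond these.
READ_ONLY_VERBS = ("describe", "get", "list")


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy for 'Another AWS account' + 'Require external ID' (what the console builds).
    The sts:ExternalId condition is the confused-deputy control: the role is assumable only
    by the trusted account, and only when it presents the External ID OpsRamp issued."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def non_read_only_actions(policy: dict) -> list:
    """Actions in Allow statements whose verb is not Describe/Get/List (case-insensitive).
    An empty result means the permissions policy grants read-only access only."""
    offending = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            _service, _, verb = action.partition(":")
            if verb in ("", "*") or not verb.lower().startswith(READ_ONLY_VERBS):
                offending.append(action)
    return offending


# Constructed sample: an excerpt of the Step 2 policy plus two deliberately over-broad actions.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "s3:Get*", "lambda:list*", "iam:PassRole", "s3:*"],
}]}
```

Running `non_read_only_actions` over the full Step 2 policy returns an empty list, because every action there uses a Describe, Get or List verb.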

Step 4: Finish up the Integration

To complete the AWS integration:

  1. Navigate to the Filter screen.

  2. From the Filter Criteria type, select Smart Filters.

  3. You can choose All resources or choose specific resources to discover from your AWS account. If you would like to select specific resources, check the checkboxes, and select the resources you need.

  4. Click Next.

  5. On the last screen, check Manage Device so that all the discovered resources are placed in a managed state, and choose a discovery schedule (discovery runs periodically to find new resources).

  6. See the Appendix for more information about other AWS integration options.

  7. Click Finish.
    The integration is completed.

Once the integration is completed, you should see your devices being discovered. Navigate to Infrastructure > Search or Infrastructure > Resources to see the discovered resources.

Note: It might take up to 5 minutes to see your resources.

Collect Metrics

Now that you have discovered your AWS resources, you can start collecting metrics. See Collect Metrics for more details.

Appendix

If you want to collect logs from AWS, navigate to Infrastructure > Logs and, if it is enabled, follow the steps in Log Management.

AWS Integration Options:

  1. Manage Device: Discover the AWS services in a managed state.
  2. Enable Metric Streaming: Enable metric streaming from Kinesis Firehose. Note: this will stop metric collection from CloudWatch APIs.
  3. Stream CloudWatch Alarms: Enter the SQS URL to get alarms. See configuring Amazon CloudWatch alarms.
  4. Ingest unsupported AWS resource alarms: Process all Amazon CloudWatch alarms and AWS services not supported by OpsRamp.
  5. Create a resource based on CloudTrail events stream: Enter the SQS URL to get events. See Configuring Amazon CloudTrail.
  6. Stream AWS Events: Enter the SQS URL to get events. See configuring AWS Events.
  7. Collect Cost Analytics: Collect project cost details of the services utilized. To collect Cost Analytics, create an Amazon S3 bucket and set up Amazon S3 for collecting AWS billing data. Amazon S3 bucket can be configured on the root account only.
  8. Assign Credentials Matching with Fingerprint: Check if the credential set of the EC2 instance matches the credential set of the key pair.
  9. Assign Gateway Management Profile: Select the gateway management profile from the drop-down list.