Understand setup and services in the AWS integration

Amazon Web Services (AWS) is a collection of cloud-computing services that provide an on-demand computing platform. The Wavefront Amazon Web Services integration allows you to ingest metrics directly from AWS.

You can use the Wavefront Amazon Web Services integration for initial setup, but additional steps might be needed for some of the services. This page gives an overview.

Basics

The AWS integration ingests data from many Amazon and AWS products including:

  • CloudWatch - retrieves AWS metric and dimension data. Includes some metrics for Amazon Relational Database (RDS).
  • CloudTrail - retrieves EC2 event information and creates Wavefront System events that represent the AWS events.
  • AWS Metrics+ - retrieves additional metrics using AWS APIs other than CloudWatch. The data includes EBS volume data and EC2 instance metadata such as tags, and you can investigate billing data and the number of reserved instances. Be sure to enable AWS Metrics+: it allows Wavefront to optimize its use of CloudWatch, which reduces the number of CloudWatch API calls and therefore their cost.

Establish a Trust Relationship

Adding an AWS integration requires establishing a trust relationship between Amazon and Wavefront: you create an IAM role in your AWS account that the Wavefront account can assume, and give Wavefront that role's ARN. You have to do that only once. The role can carry either the AWS managed ReadOnlyAccess policy or a custom policy with narrower permissions; see Giving Wavefront Global Read-Only Access and Giving Wavefront Limited Access.

After you’ve set up the integration, you can examine metrics from all AWS services that you subscribe to from Wavefront. The integration includes a predefined dashboard for each service. You can clone and modify Wavefront dashboards, or create your own custom dashboard.

Use Internal Metrics to Monitor AWS Integrations

You can use some Wavefront internal metrics to monitor your AWS integration.

AWS Dashboards

If you set up an Amazon Web Services integration, Wavefront installs the AWS overview dashboards (Summary, Pricing, and Billing) and a dashboard for each supported service (EC2, ECS, ELB, DynamoDB, Lambda, Redshift, and so on). All AWS dashboards carry the tag ~integration.aws.<service>, for example ~integration.aws.ec2 or ~integration.aws.lambda.

Managing an AWS Integration

From the Amazon Web Services integration page, you can add an AWS integration, enable or disable it, and delete it.

Adding an AWS Integration

  1. In Wavefront, click Integrations in the task bar.
  2. In the Featured section, click the Amazon Web Services tile.
  3. Click the Setup tab.
  4. Click Set Up Amazon Integration and click Add Integration.
  5. Follow the instructions in the right panel to give Wavefront read-only access to your Amazon account.
  6. Configure the integration properties:
    • Name - Name to identify the integration.
    • Role ARN - Role ARN from Amazon account.
    • Bucket Name - The S3 bucket containing CloudTrail logs. In your AWS account, go to CloudTrail > Trails to see the bucket name.
    • Prefix - A log file prefix specified when you created the CloudTrail.
    • CloudTrail Region - AWS Region where the CloudTrail logs reside.
  7. Click Set Up. The integration is added to the Amazon Web Services Integrations list. If you want to configure whitelists and refresh rate for the CloudWatch integration, click the CloudWatch link in the Types column and follow the instructions in Configuring CloudWatch Data Ingestion.

Enabling and Disabling AWS Integrations

Wavefront automatically disables an integration whose requests fail because of invalid credentials, for example after the IAM role is deleted or its trust policy no longer lets the Wavefront account assume it. To enable an integration after the credentials have been corrected, or to manually disable an integration:

  1. In Wavefront, click Integrations in the task bar.
  2. In the Featured section, click the Amazon Web Services tile.
  3. Click the Setup tab.
  4. Click the Advanced link.
  5. In the row that contains the integration that you want to enable or disable, click the three dots and select Enable or Disable.

Giving Wavefront Global Read-Only Access

Data flows from AWS to Wavefront only if the account has the required access. You have several options:

  • ReadOnlyAccess policy (most services) - In most cases, it makes sense to attach the AWS managed ReadOnlyAccess policy to the role that Wavefront assumes.
  • Access to Service Limit metrics - To collect Service Limit metrics, you need at least the Business-level AWS Support plan, and you must attach the AWSSupportAccess policy in addition to ReadOnlyAccess.
  • Create IAM policy to specify limited access - Explicitly specify the access settings in a custom IAM policy, as discussed in Giving Wavefront Limited Access.

Give Wavefront Read-Only Access to Your Amazon Account

  1. In your Amazon Identity & Access Management settings, grant Wavefront read-only access to your Amazon account.
    1. Select Roles and click Create new role. The role creation wizard starts.
    2. Select Role for cross-account access.
    3. Select Provide access between your AWS account and a 3rd party AWS account.
    4. Enter Wavefront account info:
      • Account ID - the Wavefront account ID that the integration setup instructions give you.
      • Require MFA - leave unchecked.
    5. Click Next Step.
    6. On the Attach Policy screen, select the ReadOnlyAccess checkbox and click Next Step.
    7. For Role name, enter wavefront and click Create role.
    8. Click the wavefront role.
    9. Copy the Role ARN value.
  2. In Wavefront, click Integrations in the task bar.
  3. In the Featured section, click the Amazon Web Services tile.
  4. Click the Setup tab.
  5. Click the Advanced link.
  6. Select Add Integration > <Integration Option>, where <Integration Option> is Register [CloudWatch | CloudTrail | AWS Metrics+].
  7. Configure the integration properties:
    • Common
      • Name - Name to identify the integration.
      • Role ARN - Role ARN from Amazon account.
    • CloudTrail
      • Bucket Name - The S3 bucket that contains CloudTrail logs. In AWS, go to CloudTrail > Trails to see the bucket name.
      • Prefix - A log file prefix specified when you created the CloudTrail.
    • CloudWatch - whitelists and refresh rate; see Configuring CloudWatch Data Ingestion.
  8. Click Save. The selected integration(s) are created and added to the Cloud Integrations list.
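The role created by the wizard above is usable by Wavefront only because its trust policy names the Wavefront account as a principal for sts:AssumeRole. The following Python is an added example, not code from the Wavefront documentation or product: it builds the trust policy the wizard produces for the third-party-account choice, and audits an existing trust policy so you can confirm, before pasting the Role ARN into Wavefront, that nothing other than the expected account can assume the role. WAVEFRONT_ACCOUNT_ID is a placeholder (this page does not print the real value), the trust policy shape and the CLI commands in the comment are standard AWS IAM, and the AWS console also offers an external ID condition for third-party roles that this procedure does not use, so the example does not add one.

```python
"""Added example, not part of the Wavefront documentation or product.

Builds the trust policy that the cross-account role wizard produces and
audits an existing trust policy so you can confirm that the role can be
assumed only by the Wavefront account. WAVEFRONT_ACCOUNT_ID is a
placeholder: use the account ID that the integration setup shows you.
"""
import json
import re

WAVEFRONT_ACCOUNT_ID = "123456789012"  # placeholder, not a real Wavefront account ID

_ACCOUNT_ID = re.compile(r"^\d{12}$")
_ROOT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):root$")


def trust_policy(trusted_account_id: str, require_mfa: bool = False) -> dict:
    """Equivalent of the wizard's 'Provide access between your AWS account and
    a 3rd party AWS account' choice. The procedure leaves Require MFA
    unchecked, so the MFA condition is only added on request."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_accounts(principal) -> set:
    """Account IDs trusted by a Principal element ('*' stands for anyone).
    Only the AWS principal type is normalised; Service or Federated
    principals are kept verbatim so that they show up as unexpected."""
    if principal == "*":
        return {"*"}
    accounts = set()
    for key, entries in principal.items():
        for entry in _as_list(entries):
            if key != "AWS":
                accounts.add(f"{key}:{entry}")
            elif entry == "*" or _ACCOUNT_ID.match(entry):
                accounts.add(entry)
            else:
                match = _ROOT_ARN.match(entry)
                accounts.add(match.group(1) if match else entry)
    return accounts


def audit_trust_policy(policy: dict, expected_account_id: str) -> list:
    """Findings for a trust policy; an empty list means every Allow statement
    grants sts:AssumeRole to exactly the expected account and nothing else."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions <= {"sts:assumerole"}:
            findings.append(f"unexpected actions {sorted(actions)}")
        accounts = principal_accounts(stmt.get("Principal", {}))
        if "*" in accounts:
            findings.append("principal '*': any AWS account could assume this role")
        for acct in sorted(accounts - {"*", expected_account_id}):
            findings.append(f"unexpected principal {acct}")
        if expected_account_id not in accounts:
            findings.append(f"expected account {expected_account_id} is not trusted")
    return findings


if __name__ == "__main__":
    # CLI equivalent of the console steps above:
    #   aws iam create-role --role-name wavefront \
    #       --assume-role-policy-document file://trust.json
    #   aws iam attach-role-policy --role-name wavefront \
    #       --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
    #   aws iam get-role --role-name wavefront   # copy .Role.Arn into Wavefront
    print(json.dumps(trust_policy(WAVEFRONT_ACCOUNT_ID), indent=2))
```

Run audit_trust_policy on the output of `aws iam get-role --role-name wavefront` (the AssumeRolePolicyDocument field) after anyone edits the role; a principal of "*" or an extra account ID is exactly the kind of drift that turns a read-only monitoring role into an entry point for whoever else can call sts:AssumeRole.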

Giving Wavefront Limited Access

Instead of attaching the ReadOnlyAccess policy, you can give Wavefront a narrower set of permissions.

The required permissions depend on the integration and on the service you want to monitor, as shown in the following table:

Integration - Description - Required Permissions

  • CloudWatch - Retrieves AWS metric and dimension data.
    • cloudwatch:ListMetrics
    • cloudwatch:GetMetric*
  • CloudTrail - Retrieves EC2 event information and creates Wavefront System events.
    • List and Get permissions on the S3 bucket where the logs are delivered.
  • AWS Metrics+ - Retrieves additional metrics, tags and other metadata using AWS APIs.
    • ec2:DescribeVolumes
    • ec2:DescribeInstances
    • ec2:DescribeReservedInstances
    • rds:DescribeDBClusters
    • sqs:ListQueue*
    • sqs:GetQueue*
    • dynamodb:ListTables
    • dynamodb:DescribeTable
    • eks:Describe*
    • eks:List*
    • es:ListDomainNames
    • es:DescribeElasticsearchDomain
    • es:ListTags
    • iam:ListAccountAliases
    The es: permissions are needed only if you want to extract AWS tags and associate them (as tags) with metrics; they matter only when you use Amazon Elasticsearch Service. The iam:ListAccountAliases permission is needed only if you want Wavefront to show the human-readable account alias alongside the numeric account ID.
  • AWS Metrics+ Service Limit Metrics - Retrieves Trusted Advisor service limit metrics using AWS APIs. Requires at least a Business-level AWS Support plan.
    • support:DescribeTrustedAdvisorChecks
    • support:RefreshTrustedAdvisorCheck
    • support:DescribeTrustedAdvisorCheckResult

Create IAM Policy to Specify Limited Access

You can explicitly specify the access permissions in a custom IAM policy, as shown in the following example snippet. The snippet is a superset of the table: ec2:Describe*, s3:List*, and s3:Get* are broader than the actions listed, and every action applies to Resource "*". The cloud-API actions need "*" because the integration enumerates resources across the whole account, but the S3 actions can be restricted to the CloudTrail bucket and prefix you configured for the integration.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:GetMetric*",
                "cloudwatch:ListMetrics",
                "ec2:Describe*",
                "s3:List*",
                "s3:Get*",
                "rds:DescribeDBClusters",
                "sqs:ListQueue*",
                "sqs:GetQueue*",
                "dynamodb:ListTables",
                "dynamodb:DescribeTable",
                "eks:Describe*",
                "eks:List*",
                "support:DescribeTrustedAdvisorChecks",
                "support:RefreshTrustedAdvisorCheck",
                "support:DescribeTrustedAdvisorCheckResult",
                "es:ListDomainNames",
                "es:DescribeElasticsearchDomain",
                "es:ListTags",
                "iam:ListAccountAliases"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
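The table and the snippet above describe the same access in two forms, which makes it easy for a hand-edited policy to drift from what the integration needs (a missing action silently stops one service's metrics) or to grant far more than it needs (s3:Get* on every bucket in the account). The following Python is an added example, not code from the Wavefront documentation or product: it checks a candidate policy against the table using IAM's action-matching rules, reports which wildcard entries could be replaced by exact names, and builds a tighter policy whose S3 statements are pinned to the CloudTrail bucket. The concrete actions behind the table's wildcards (GetMetric*, ListQueue*, eks:Describe* and so on) and the two S3 calls assumed for CloudTrail (ListBucket and GetObject) are my assumptions, not something the page states; the bucket and prefix names are placeholders.

```python
"""Added example, not part of the Wavefront documentation or product.

Checks an IAM policy against the permission table above using IAM's
action-matching rules (case-insensitive; '*' matches any run of characters,
'?' one character), lists the exact actions each wildcard really serves,
and builds a policy that scopes S3 access to the CloudTrail bucket.
The concrete action names behind the table's wildcards are assumptions.
"""
import re

REQUIRED_ACTIONS = {
    "CloudWatch": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics",
                   "cloudwatch:GetMetricData"],
    "CloudTrail": ["s3:ListBucket", "s3:GetObject"],
    "AWS Metrics+": ["ec2:DescribeVolumes", "ec2:DescribeInstances",
                     "ec2:DescribeReservedInstances", "rds:DescribeDBClusters",
                     "sqs:ListQueues", "sqs:GetQueueAttributes",
                     "dynamodb:ListTables", "dynamodb:DescribeTable",
                     "eks:DescribeCluster", "eks:ListClusters",
                     "es:ListDomainNames", "es:DescribeElasticsearchDomain",
                     "es:ListTags", "iam:ListAccountAliases"],
    "Service Limit Metrics": ["support:DescribeTrustedAdvisorChecks",
                              "support:RefreshTrustedAdvisorCheck",
                              "support:DescribeTrustedAdvisorCheckResult"],
}

# The snippet from the page as a dict, so it can be checked like any other policy.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "cloudwatch:GetMetric*", "cloudwatch:ListMetrics", "ec2:Describe*",
        "s3:List*", "s3:Get*", "rds:DescribeDBClusters", "sqs:ListQueue*",
        "sqs:GetQueue*", "dynamodb:ListTables", "dynamodb:DescribeTable",
        "eks:Describe*", "eks:List*", "support:DescribeTrustedAdvisorChecks",
        "support:RefreshTrustedAdvisorCheck",
        "support:DescribeTrustedAdvisorCheckResult", "es:ListDomainNames",
        "es:DescribeElasticsearchDomain", "es:ListTags",
        "iam:ListAccountAliases"]}],
}


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, '*' any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def allowed_patterns(policy: dict) -> list:
    """Action patterns from Allow statements. Deny statements and conditions
    are not evaluated here, so a Deny elsewhere can still block a call."""
    return [a for s in policy.get("Statement", []) if s.get("Effect") == "Allow"
            for a in _as_list(s.get("Action", []))]


def missing_actions(policy: dict, required=REQUIRED_ACTIONS) -> dict:
    """Integration -> required actions that no Allow pattern matches."""
    patterns = allowed_patterns(policy)
    missing = {}
    for integration, actions in required.items():
        gaps = [a for a in actions if not any(action_matches(p, a) for p in patterns)]
        if gaps:
            missing[integration] = gaps
    return missing


def wildcard_report(policy: dict, required=REQUIRED_ACTIONS) -> dict:
    """Wildcard pattern -> the required actions it actually serves, i.e. the
    exact names it could be replaced with (an empty list means it serves none)."""
    needed = [a for acts in required.values() for a in acts]
    return {p: sorted(a for a in needed if action_matches(p, a))
            for p in allowed_patterns(policy) if "*" in p or "?" in p}


def tightened_policy(bucket: str, prefix: str = "", required=REQUIRED_ACTIONS) -> dict:
    """Exact action names only. The read APIs keep Resource "*" because the
    integration enumerates resources across the account; the S3 actions are
    pinned to the CloudTrail bucket and the optional log-file prefix."""
    api_actions = sorted({a for acts in required.values() for a in acts
                          if not a.startswith("s3:")})
    key_prefix = prefix.strip("/") + "/" if prefix.strip("/") else ""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": api_actions, "Resource": "*"},
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/{key_prefix}*"},
        ],
    }
```

Against the page's snippet, missing_actions returns nothing and wildcard_report shows that ec2:Describe* serves only the three Describe calls in the table, which is the list to substitute if you want the policy to say exactly what it grants. If the tightened policy causes the CloudTrail integration to report errors, the two assumed S3 actions are the first thing to revisit; widen them back to s3:List* and s3:Get* on the bucket ARNs rather than on "*".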

Viewing AWS Metrics

You can view AWS metrics by selecting Browse > Metrics and searching for metrics beginning with aws.

You can drill into the folder for a specific service and click a metric to navigate to a chart that displays that set of data. For example, clicking the folder aws.ec2., then the metric aws.ec2.cpuutilization, and then refining the query by the Region point tag and the topk function yields a chart of the instances with the highest CPU utilization in that region.

AWS Aggregate Metrics

Every AWS metric is ingested with the following aggregates: average, maximum, minimum, sample count, and sum. To view the aggregates for a metric:

  1. Search for a specific metric, for example aws.ec2.cpuutilization.
  2. Click the metric folder, for example aws.ec2.cpuutilization., to display the aggregate metrics.