
Enable access to your AWS account

About AWS infrastructure Monitoring

Site24x7 provides comprehensive monitoring and alerting for your IaaS and PaaS services powering your cloud application.

Monitor resource usage for key AWS resources and gain more insight into your EC2 ecosystem by combining infrastructure metrics from CloudWatch with agent-driven system and application data. Complement the metric data with dashboards, reports, policy-driven thresholds, integrated notification channels and more.

Supported Regions

With Site24x7 you can monitor resource usage and performance of your PaaS services no matter where they are deployed in the AWS cloud.

  • AWS Global Region
  • AWS GovCloud(US)
  • AWS China Region

Supported AWS services

Currently, we support monitoring for 30 or more AWS services, as mentioned here.

 
Monitoring support may vary depending upon service availability. For example, the CloudFront service is currently not available in US GovCloud and China (Beijing and Ningxia) Region.

Enable Site24x7 access to your AWS account

For comprehensive AWS infrastructure monitoring, Site24x7 needs to auto-discover all instances of the supported services currently running in your account. For this to happen, you need to authenticate and authorize us to access your resources. This can be done either by creating an IAM user or through cross-account IAM roles. To know more, read below.

Before you begin

Make sure you have administrative level access in the AWS console to create IAM roles.

Role based Access

Securely connect your AWS account with Site24x7. Create an IAM role, establish a trust relationship and enable cross-account access between your AWS account and Site24x7's AWS account by following the steps below:

Create Role

Users who wish to monitor services in AWS GovCloud (US) or China Region should sign in to their respective management console and open the IAM console.
  • In the navigation pane click on Roles and then choose Create role.


Establish Trust

  • Select Another AWS account as the type of trusted entity.
  • Type in Site24x7's AWS account ID in the Account ID field.
Site24x7's AWS account ID may vary depending upon where the cloud resources powering your deployments are located (Global, GovCloud (US) and China). To view the Account ID, log in to the Site24x7 console and select AWS > Integrate AWS Account. Here, select the appropriate Account Type and scroll down to the Register with IAM Role section to copy the 12-digit number.

Select Appropriate Role Type

  • Check the Require external ID field option
  • Type in the External ID (The External ID is displayed in the Integrate AWS Account form) and click on Next: Permissions
To get your External ID, log in to the Site24x7 console and select AWS > Integrate AWS Account. Here, select the appropriate Account Type (Global, GovCloud US or China) and scroll down to the Register with IAM role section to copy the unique ID generated.
The External ID is a unique customer identifier and it is regenerated every time you navigate to the Integrate AWS Account form. So, make sure you paste the correct External ID while establishing trust.

Configure Account and External ID

  • Make sure the "Require MFA" option remains unchecked and click on "Next: Permissions"

Attach Permissions

Site24x7 requires ReadOnly access to your AWS services and resources. You can either attach an existing AWS managed policy or create your own policy.

AWS managed policy

  • In the Attach permissions policies section, search for the default AWS managed policy named ReadOnlyAccess
  • Scroll down, select the check box next to the policies ReadOnlyAccess and AmazonKinesisVideoStreamsReadOnlyAccess (Mandatory, if you want to monitor usage metrics for your Kinesis Video Streams), then choose Next: Review.

Assign Default ReadOnly Policy

Custom policy

You can also create and attach a custom policy to the cross-account IAM role being created. To do so follow the steps mentioned below:

  • Navigate back to the AWS IAM console, click on Policies

IAM Policy Section

  • Click on Create policy, select the JSON tab, paste the policy JSON shown below and click on Review Policy
 
 
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Action":[
            "cloudwatch:Describe*",
            "cloudwatch:Get*",
            "cloudwatch:List*",
            "dynamodb:Describe*",
            "dynamodb:List*",
            "ec2:Describe*",
            "sqs:Get*",
            "sqs:List*",
            "autoscaling:Describe*",
            "elasticloadbalancing:Describe*",
            "cloudfront:Get*",
            "cloudfront:List*",
            "s3:Get*",
            "s3:List*",
            "s3:Head*",
            "rds:Describe*",
            "rds:List*",
            "rds:ListTagsForResource",
            "kinesisanalytics:Describe*",
            "kinesisanalytics:Get*",
            "kinesisanalytics:List*",
            "kinesis:Describe*",
            "kinesis:Get*",
            "kinesis:List*",
            "kinesisvideo:Get*",
            "kinesisvideo:List*",
            "kinesisvideo:Describe*",
            "firehose:Describe*",
            "firehose:List*",
            "elasticache:Describe*",
            "elasticache:List*",
            "elasticbeanstalk:Describe*",
            "elasticbeanstalk:List*",
            "directconnect:Describe*",
            "apigateway:GET",
            "ecs:Describe*",
            "ecs:List*",
            "redshift:Describe*",
            "rds:Describe*",
            "elasticfilesystem:Describe*",
            "ses:Get*",
            "ses:List*",
            "ses:Describe*",
            "lambda:List*",
            "lambda:Get*",
            "logs:Describe*",
            "logs:Get*",
            "route53domains:Get*",
            "route53domains:List*",
            "route53:Get*",
            "route53:List*",
            "route53resolver:Get*",
            "route53resolver:List*",
            "states:List*",
            "states:Describe*",
            "states:GetExecutionHistory",
            "sns:Get*",
            "sns:List*",
            "kms:Describe*",
            "kms:Get*",
            "kms:List*",
            "waf:Get*",
            "waf:List*",
            "waf-regional:List*",
            "waf-regional:Get*",
            "cloudsearch:Describe*",
            "cloudsearch:List*",
            "es:Describe*",
            "es:List*",
            "es:Get*",
            "workspaces:Describe*",
            "ds:Describe*",
            "elasticmapreduce:List*",
            "elasticmapreduce:Describe*",
            "acm:GetCertificate",
            "acm:Describe*",
            "acm:List*",
            "lightsail:Get*",
            "lightsail:List*",
            "eks:Describe*",
            "eks:List*",
            "cloudwatch:ListMetrics",
            "cloudwatch:GetMetricData",
            "cloudwatch:GetMetricStatistics",
            "storagegateway:List*",
            "storagegateway:Describe*"
         ],
         "Effect":"Allow",
         "Resource":"*"
      }
   ]
}

Create New IAM Policy

  • Next, provide an appropriate name and description, and review the custom policy elements. If everything is in order, choose Create policy

Validate and Review Custom IAM Policy

Now follow the steps mentioned above for creating a cross-account IAM role: Roles > Create role > Select type of trusted entity (Another AWS account) > specify the accounts (type in Site24x7's AWS account ID and the unique External ID generated). Then, in the Attach permissions policies section, search for the newly created policy, select it and click on "Next: Review".

For discovery to occur, you need to provide ReadOnly permissions for all the AWS services you've selected in the "Services to be discovered" field.

Review

  • Type a unique name in the Role name field.
  • Review the information configured (trusted entities and policies). If everything is in order, click on Create Role. Once done, a Role ARN will be created for the cross-account IAM role you created.

Review the IAM Role Created
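
The role created by these steps carries a trust policy that names Site24x7's account and the External ID. The following is an added example (not Site24x7's or AWS's own code) that audits such a trust policy for the settings the steps call for; the account ID and External ID are constructed placeholders, and `audit_trust_policy` is a hypothetical helper name.

```python
import json

# Constructed sample of the trust policy the console steps produce.
# The account ID and External ID are placeholders, not real Site24x7 values.
SAMPLE_TRUST = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
  }]
}
""")

PARTITIONS = ("aws", "aws-us-gov", "aws-cn")  # Global, GovCloud (US), China


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, account_id, external_id):
    """Return findings; an empty list means the trust matches the steps."""
    allowed = {account_id} | {f"arn:{p}:iam::{account_id}:root" for p in PARTITIONS}
    stmts = [s for s in _as_list(policy.get("Statement", []))
             if s.get("Effect") == "Allow"
             and "sts:AssumeRole" in _as_list(s.get("Action", []))]
    if not stmts:
        return ["no Allow statement grants sts:AssumeRole"]
    findings = []
    for i, stmt in enumerate(stmts):
        principal = stmt.get("Principal", {})
        names = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not names:
            findings.append(f"statement {i}: no AWS account principal")
        for name in names:
            if name not in allowed:  # includes the wildcard "*"
                findings.append(f"statement {i}: unexpected principal {name!r}")
        cond = stmt.get("Condition", {})
        ext = _as_list(cond.get("StringEquals", {}).get("sts:ExternalId", []))
        if ext != [external_id]:  # a missing ID allows confused-deputy use
            findings.append(f"statement {i}: sts:ExternalId missing or wrong")
        if "aws:MultiFactorAuthPresent" in cond.get("Bool", {}):
            findings.append(f"statement {i}: MFA condition set; steps leave it off")
    return findings
```

The live document can be read with `aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument` and passed to the function as parsed JSON.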

Next step

Now to create an AWS monitor you need to connect your AWS account with Site24x7. To do so please follow the steps mentioned here.

Key based access

This authentication method is deprecated. Please use the role-based authentication method to monitor your AWS resources.

You can also enable access to your AWS resources by creating Site24x7 as an IAM user. Here, the authentication is provided by security credentials and the authorization is given by policy statements. Site24x7 uses these security credentials (Access key ID and Secret access key) to make programmatic calls to the AWS APIs. To learn more about IAM user creation and access key generation, please read on.

Before you begin

You must have administrative level access in the AWS console to create IAM users and to assign policy permissions.

Add new IAM User

Create Site24x7 as an IAM user for your AWS account by following the below mentioned steps.

Users who wish to monitor services in AWS GovCloud (US) or China Region, sign in to their respective management console and open the IAM console.
  • In the navigation pane click on Users and then click on Add user
  • Provide an appropriate user name (for example Site24x7_Integration) in the field provided
  • Select the Programmatic access checkbox under the Select AWS access type section and click on Next: Permissions

Assign policy permissions for the Site24x7 user created.

Site24x7 requires ReadOnlyAccess to your AWS services. You can either attach one or more existing policies directly to the Site24x7 user or create a new policy. This can be done by following the steps below.

Attach Existing ReadOnly policies

  • In the Set permissions window, click on the Attach existing policies directly tab
  • Using the search tab, search for the AWS Managed Policies named ReadOnlyAccess and AmazonKinesisVideoStreamsReadOnlyAccess (Mandatory, if you want to monitor usage metrics for kinesis video streams).
  • Click on the checkbox to select the policies and then click on Next: Review
  • Both the policies provide ReadonlyAccess to all supported AWS services and resources.

Attach a custom policy

You can create and attach a custom policy by following the below mentioned steps.

  • Navigate back to the AWS IAM console
  • Select Policies from the navigation pane
  • Click on Create policy, select the JSON tab, paste the policy JSON shown and click on Review policy
Site24x7 uses the above mentioned permissions to retrieve data for the supported AWS services.
The above policy document specifies the minimum permissions that Site24x7 requires, to fetch metrics and metadata. If you don’t want Site24x7 to discover and monitor specific AWS resources, you can go ahead and manually edit or remove the permissions mentioned for the said resource.

For example: If you don’t want to monitor SNS topics, you can remove the permissions "sns:Get*" and "sns:List*" from the policy statement. Once done, make sure you check for errors by validating the policy. Site24x7 doesn’t have the ability to detect issues in the policy statement, so please take due care while editing the policy JSON.

Next, provide an appropriate name and description, and review the custom policy elements. If everything is in order, choose Create policy
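
One way to make that edit and check the result before pasting it into the console, as an added example that is not part of Site24x7's documentation or tooling: `prune_services` and `check_policy` are hypothetical helper names, the sample is a constructed excerpt of the policy JSON, and treating only the Describe/Get/List/Head verbs as read-only is an assumption taken from the actions that policy uses.

```python
import copy
import re

# Constructed excerpt of the custom policy JSON (a few of its actions only).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["ec2:Describe*", "sns:Get*", "sns:List*", "rds:Describe*",
                   "apigateway:GET", "rds:Describe*"],
        "Effect": "Allow",
        "Resource": "*",
    }],
}

# Assumption: only the verbs that appear in the page's policy count as read-only.
READ_VERBS = ("describe", "get", "list", "head")
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z*]+$")


def prune_services(policy, services):
    """Return a copy of the policy without actions for the given services."""
    pruned = copy.deepcopy(policy)
    drop = {s.lower() for s in services}
    for stmt in pruned["Statement"]:  # assumes Action is a list, as on the page
        stmt["Action"] = [a for a in stmt["Action"]
                          if a.split(":", 1)[0].lower() not in drop]
    return pruned


def check_policy(policy):
    """Return findings for an edited policy; an empty list means none found."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("unexpected Version")
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        if stmt.get("Effect") != "Allow" or not actions:
            findings.append(f"statement {i}: needs Effect Allow and actions")
        seen = set()
        for action in actions:
            if not ACTION_RE.match(action):  # stray quote, space, missing colon
                findings.append(f"statement {i}: malformed action {action!r}")
            elif not action.split(":", 1)[1].lower().startswith(READ_VERBS):
                findings.append(f"statement {i}: not read-only {action!r}")
            if action in seen:
                findings.append(f"statement {i}: duplicate action {action!r}")
            seen.add(action)
    return findings
```

Serialize the pruned dictionary with `json.dumps(policy, indent=3)` to get text for the JSON tab.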

Your new custom policy will be created. Now follow the steps mentioned above for IAM user creation: Users > Add user > Select Programmatic access, in the Set permissions window, click on "Refresh" and search for the new policy created. Once done, click on the checkbox to select the policy and then click on Next: Review.

Review

In this section you can review the User details and the permissions attached.

  • If everything is in order, finally click on Create user.

Download user security credentials

  • Once you have successfully created a new IAM user, you can view the Access Key ID and Secret Access Key or download them as a .csv file.
Once downloaded, the IAM security credentials will no longer be available through the AWS Management Console.

Next step

Now to connect your AWS account with Site24x7, please follow the steps mentioned here.
