Connect to AWS Using Role Delegation
This page explains how to connect your Cisco Cloud Observability account to Amazon Web Services (AWS) using AWS role delegation, through the Cisco Cloud Observability user interface.
If you prefer to use the Connections API, see Call the Cisco Cloud Observability APIs and Getting Started with AWS Using Role Delegation.
This document contains references to third-party documentation. Splunk AppDynamics does not own any rights and assumes no responsibility for the accuracy or completeness of such third-party documentation.
These are the high-level steps:
- Create a Cloud Connection
- Create an AWS IAM Service Policy
- Create an AWS IAM Role
- Configure the Cloud Connection
- Verify Connection and Observe Entities
1. Create a Cloud Connection
The instructions to create a cloud connection are documented on the New AWS Connection UI page of Cisco Cloud Observability. To navigate to this page:
- Log into the Cisco Cloud Observability UI.
- Use the left-hand sidebar to navigate to Configure > Cloud Connections.
- Click Amazon CloudWatch.
- Follow the instructions on the New AWS Connection UI page to create a new AWS cloud connection.
2. Create an AWS IAM Service Policy
In the AWS IAM console, create the permissions policy using either the JSON editor or the visual editor. Splunk AppDynamics recommends the JSON below because it contains only the minimum required permissions.
If you prefer to build the policy manually, use the visual editor. See Creating IAM Policies - AWS Identity and Access Management in the AWS documentation.
If you create or edit the policy in the visual editor, the console may display the following warning. It can be ignored:
"IAM does not recognize one or more actions. The action name might include a typo or might be part of a previewed or custom service."
Attach Permissions Policies Using JSON
- Navigate to the AWS Management Console and open the IAM Console.
- Select Create policy.
- Select JSON.
- Replace the existing code with this policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "acm:ListCertificates", "acm:DescribeCertificate", "acm:ListTagsForCertificate",
        "apigateway:GET",
        "athena:ListWorkGroups", "athena:GetWorkGroup",
        "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeTags",
        "backup:ListBackupJobs",
        "cloudfront:ListDistributions", "cloudfront:ListFunctions",
        "cloudwatch:GetMetricData", "cloudwatch:ListMetrics",
        "codebuild:ListProjects", "codebuild:BatchGetProjects",
        "cognito-idp:DescribeUserPool", "cognito-idp:ListUserPools", "cognito-idp:ListUserPoolClients",
        "config:GetComplianceSummaryByConfigRule", "config:GetComplianceSummaryByResourceType",
        "config:DescribeConfigurationRecorderStatus", "config:GetDiscoveredResourceCounts", "config:DescribeDeliveryChannels",
        "directconnect:DescribeConnections", "directconnect:DescribeVirtualInterfaces",
        "dms:DescribeEndpoints", "dms:DescribeReplicationInstances", "dms:DescribeReplicationTasks", "dms:ListTagsForResource",
        "docdb-elastic:ListClusters", "docdb-elastic:GetCluster", "docdb-elastic:ListTagsForResource",
        "dynamodb:ListTables", "dynamodb:DescribeTable", "dynamodb:DescribeKinesisStreamingDestination",
        "ec2:DescribeInstances", "ec2:DescribeRegions", "ec2:DescribeVolumes", "ec2:DescribeVpcs", "ec2:DescribeSubnets",
        "ecr:DescribeRepositories", "ecr:DescribeRegistry",
        "ecr-public:DescribeRegistries", "ecr-public:DescribeRepositories",
        "ecs:ListClusters", "ecs:DescribeClusters", "ecs:ListServices", "ecs:DescribeServices",
        "ecs:ListTasks", "ecs:DescribeTasks", "ecs:ListTaskDefinitions", "ecs:DescribeTaskDefinition",
        "ecs:DescribeContainerInstances", "ecs:ListTagsForResource",
        "eks:ListClusters", "eks:DescribeCluster", "eks:ListTagsForResource",
        "elasticache:DescribeCacheClusters", "elasticache:DescribeReplicationGroups",
        "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeFileSystemPolicy",
        "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeMountTargetSecurityGroups",
        "elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:DescribeBackupPolicy",
        "elasticfilesystem:DescribeLifecycleConfiguration", "elasticfilesystem:DescribeReplicationConfigurations",
        "elasticfilesystem:DescribeAccountPreferences", "elasticfilesystem:DescribeTags",
        "elasticfilesystem:ListTagsForResource", "elasticfilesystem:ClientMount",
        "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth",
        "elasticmapreduce:ListClusters", "elasticmapreduce:DescribeCluster",
        "glue:ListJobs", "glue:GetJob", "glue:GetTriggers", "glue:GetJobRuns",
        "kafka:ListClustersV2", "kafka:ListNodes", "kafka:ListReplicators",
        "kinesis:ListStreams", "kinesis:DescribeStreamSummary",
        "kinesisanalytics:ListApplications", "kinesisanalytics:DescribeApplication", "kinesisanalytics:ListTagsForResource",
        "kms:DescribeKey", "kms:ListKeys",
        "lambda:ListFunctions", "lambda:GetPolicy", "lambda:GetLayerVersion",
        "lambda:ListFunctionEventInvokeConfigs", "lambda:ListEventSourceMappings",
        "mq:ListBrokers", "mq:DescribeBroker",
        "rds:DescribeDBInstances", "rds:DescribeDBClusters", "rds:ListTagsForResource",
        "redshift:DescribeClusters",
        "route53:ListHostedZones", "route53:GetHostedZone", "route53:ListHealthChecks",
        "route53:ListQueryLoggingConfigs", "route53:ListTagsForResources",
        "route53resolver:ListFirewallRuleGroups", "route53resolver:GetFirewallRuleGroup", "route53resolver:ListFirewallRules",
        "route53resolver:ListFirewallRuleGroupAssociations", "route53resolver:ListFirewallDomainLists", "route53resolver:ListTagsForResource",
        "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketTagging", "s3:GetMetricsConfiguration",
        "sagemaker:ListEndpoints", "sagemaker:DescribeEndpoint", "sagemaker:ListTrainingJobs", "sagemaker:DescribeTrainingJob",
        "sagemaker:ListProcessingJobs", "sagemaker:DescribeProcessingJob", "sagemaker:ListTags",
        "secretsmanager:ListSecrets", "secretsmanager:DescribeSecret",
        "servicecatalog:SearchProductsAsAdmin", "servicecatalog:ListPortfolios", "servicecatalog:SearchProvisionedProducts",
        "sns:ListTopics", "sns:GetTopicAttributes", "sns:ListSubscriptions", "sns:GetSubscriptionAttributes", "sns:ListTagsForResource",
        "sqs:ListQueues", "sqs:GetQueueAttributes", "sqs:ListQueueTags",
        "tag:GetResources"
      ],
      "Resource": "*"
    }
  ]
}
```

The permission tag:GetResources was added in 22.6.0 and is required for AWS tag collection. Before you attach the policy, note what it grants: every action except elasticfilesystem:ClientMount is a read-only List, Describe or Get call, applied to Resource "*". elasticfilesystem:ClientMount is an EFS data-plane permission (it allows a client to mount a file system with read access) rather than a Describe call, so confirm that your deployment needs it before granting it.
- Click Next.
- Enter a name for the policy, such as SplunkAppDynamicsMonitoringPolicy (IAM names cannot contain spaces).
- (Optional) Add Tags.
- Click Create policy.
A message displays confirming that the policy is created.
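The policy is only as safe as what it actually grants, so it is worth checking the document before you attach it to a role. The script below is an added example, not Splunk AppDynamics or AWS code: it audits a policy document for wildcards, NotAction/NotResource, and any action whose verb is not List, Describe, Get, BatchGet or Search (a read-only heuristic chosen here, not an AWS classification). SAMPLE_POLICY is a constructed subset of the page's policy and OVERLY_BROAD_POLICY is a constructed counter-example; to audit the full policy, save the JSON to a file and pass `json.load(open(path))` to `audit_policy()`.

```python
"""Audit an IAM permissions policy for a monitoring role before attaching it.

Added example for this page; not Splunk AppDynamics or AWS code. It checks that
every statement is an Allow of read-only List/Describe/Get-style actions, with
no wildcards, and reports any action that does not fit that pattern.
"""
import json
import re

# Verbs treated as read-only. "Get" (case-insensitive) also covers apigateway:GET;
# "BatchGet" and "Search" cover codebuild:BatchGetProjects and servicecatalog:Search*.
# This is a local heuristic, not an AWS access-level classification.
READ_ONLY_VERB = re.compile(r"^(List|Describe|Get|BatchGet|Search)", re.IGNORECASE)


def audit_policy(policy):
    """Return a list of findings (strings). An empty list means every statement
    is a wildcard-free Allow made up of read-only actions."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # IAM allows a single statement object
        statements = [statements]
    for stmt in statements:
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            findings.append(f"{sid}: Effect is {stmt.get('Effect')!r}, expected Allow")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource makes the grant open-ended")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
                continue
            service, _, verb = action.partition(":")
            if not verb or not READ_ONLY_VERB.match(verb):
                findings.append(f"{sid}: {action} is not a List/Describe/Get call")
    return findings


# Constructed sample: a subset of the page's policy, in the shape the console expects.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "cloudwatch:GetMetricData",
        "apigateway:GET",
        "codebuild:BatchGetProjects",
        "servicecatalog:SearchProvisionedProducts",
        "elasticfilesystem:ClientMount",
        "tag:GetResources"
      ],
      "Resource": "*"
    }
  ]
}
""")

# Constructed counter-example with the kind of mistake the audit is meant to catch.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Broad", "Effect": "Allow", "Action": ["ec2:*", "s3:PutObject"], "Resource": "*"}
    ],
}

if __name__ == "__main__":
    for name, doc in (("page policy (subset)", SAMPLE_POLICY), ("broad policy", OVERLY_BROAD_POLICY)):
        print(f"{name}:")
        for finding in audit_policy(doc) or ["no findings"]:
            print("  ", finding)
```

Run against the page's full policy, the only finding is elasticfilesystem:ClientMount, the one action in the list that is not a read call; the broad policy shows what a wildcard and a write action look like in the output.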
Next, create an AWS IAM Role on the Identity and Access Management console.
3. Create an AWS IAM Role
- In the Identity and Access Management (IAM) console left navigation pane, select Roles.
- Select Create role.
- Select AWS Account > Another AWS Account.
- For Account ID, enter the Splunk AppDynamics account ID shown on the Splunk AppDynamics Role Delegation page.
- Select Require external ID and paste the External ID generated by the Splunk AppDynamics Role Delegation page. Leave the Require MFA option disabled. The external ID condition is what prevents another tenant of the same service from pointing it at your role (the confused deputy problem), so do not skip it.
- Click Next.
- Under Permissions policies, search for and select the permissions policy that you created.
- Click Next.
- (Optional) Add Tags.
- Enter a name for the role (for example, SplunkAppDynamicsMonitoringRole) and an optional description.
- Select Create role. A message displays: Role SplunkAppDynamicsMonitoringRole created.
To learn more, see IAM tutorial: Delegate access across AWS accounts using IAM roles in the AWS documentation.
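Once the role exists, verify that its trust policy really pins it to the Splunk AppDynamics account and the external ID, since those two values are the whole of the cross-account control. The script below is an added example, not Splunk AppDynamics or AWS code. It builds the trust document the IAM wizard generates for the settings above and checks a document fetched from IAM against it. The account ID and external ID it uses are constructed placeholders: substitute the values from the Role Delegation page, and fetch your role's document with `aws iam get-role --role-name <role-name> --query Role.AssumeRolePolicyDocument`.

```python
"""Verify the trust policy of the cross-account role created in step 3.

Added example for this page; not Splunk AppDynamics or AWS code. The account ID
and external ID below are placeholders: use the values shown on the Splunk
AppDynamics Role Delegation page. expected_trust_policy() reproduces the
document the IAM "Another AWS account" wizard writes when "Require external ID"
is selected; check_trust_policy() audits a document fetched from IAM.
"""
import json


def expected_trust_policy(trusted_account_id, external_id):
    """Trust policy the IAM console generates for the settings used on this page."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def check_trust_policy(policy, trusted_account_id, external_id):
    """Return a list of findings for a role's AssumeRolePolicyDocument.

    Empty means every Allow of sts:AssumeRole is limited to the expected account
    and carries the expected sts:ExternalId condition, which is what stops another
    tenant of the same vendor from pointing the vendor at your role."""
    findings = []
    expected_principal = f"arn:aws:iam::{trusted_account_id}:root"
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # IAM allows a single statement object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a.lower() in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue                           # not an AssumeRole grant

        # Principal may be "*", {"AWS": "<arn>"} or {"AWS": ["<arn>", ...]}.
        principal = stmt.get("Principal", {})
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {i}: any AWS principal may assume the role")
            elif p not in (expected_principal, trusted_account_id):  # bare account ID is equivalent to :root
                findings.append(f"statement {i}: unexpected principal {p}")

        condition = stmt.get("Condition", {}).get("StringEquals", {})
        got = condition.get("sts:ExternalId")
        if got is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif got != external_id:
            findings.append(f"statement {i}: sts:ExternalId is {got!r}, expected {external_id!r}")
    return findings


# Constructed placeholders: replace with the values the Role Delegation page shows.
TRUSTED_ACCOUNT_ID = "123456789012"
EXTERNAL_ID = "0f7c2e8a-example-external-id"

# Constructed: what `aws iam get-role --role-name <role-name> --query Role.AssumeRolePolicyDocument`
# returns when the wizard steps above were followed.
GOOD_TRUST = expected_trust_policy(TRUSTED_ACCOUNT_ID, EXTERNAL_ID)

# Constructed: the same role created with "Require external ID" left unselected.
NO_EXTERNAL_ID_TRUST = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
      "Action": "sts:AssumeRole"
    }
  ]
}
""")

if __name__ == "__main__":
    print(json.dumps(GOOD_TRUST, indent=2))
    for name, doc in (("with external ID", GOOD_TRUST), ("without external ID", NO_EXTERNAL_ID_TRUST)):
        print(f"{name}: {check_trust_policy(doc, TRUSTED_ACCOUNT_ID, EXTERNAL_ID) or 'OK'}")
```

The check deliberately ignores Deny statements and statements that do not grant sts:AssumeRole, and it accepts a bare account ID as the principal because IAM treats it as equivalent to the account's :root ARN.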
Return to the Cisco Cloud Observability browser window to complete the next steps.
4. Configure the Cloud Connection
The instructions to configure a cloud connection are documented on the New AWS Connection UI page of Cisco Cloud Observability. To navigate to this page:
- Log into the Cisco Cloud Observability UI.
- Use the left-hand sidebar to navigate to Configure > Cloud Connections.
- Click Amazon CloudWatch.
- Follow the instructions on the New AWS Connection UI page to finish configuring the connection you created in step 1.
5. Verify Connection and Observe Entities
It may take up to seven minutes for the first poll to complete before metrics are visible on the Observe page and its list and detail views.
- When the connection state on the Cloud Connections page displays Active, Cisco Cloud Observability automatically begins monitoring the supported AWS services. To learn more about Connection State, see Review Connection State.
- Use the left-hand sidebar to navigate to the Observe page. You can now monitor your entities using entity-centric pages (ECPs). For a list of the entities and data that can be monitored, see Observe AWS Entities.
Next Steps
Review Connection State
The Cloud Connections page displays a list of cloud connections and their current condition. To navigate to this page, use the Cisco Cloud Observability left-hand sidebar to navigate to Configure > Cloud Connections.
Refer to the connection state when troubleshooting. These are the possible Cloud Platform connection states:

| State | Description |
|---|---|
| Active | The connection was successfully created, configured, and is receiving data. Data collection has started or is expected to start within the next seven minutes. |
| Configured | The user created and configured the connection. It remains in the Configured state until it is manually activated; data collection does not start until then. |
| Error | A non-recoverable error occurred, so data is no longer being collected. |
| Inactive | The user paused the connection after it was created and configured. |
| Insufficient license | There are not enough Cisco Cloud Observability license units. Contact Cisco Cloud Observability customer support to increase your license units. |
| Pending configuration | The user has established a cloud connection but still needs to configure the cloud services, regions, and so on. |
| Warning | A partial error occurred. Data is still being collected for some services. |
| Critical | A non-recoverable error occurred for some resources. Data is still being collected for the other resources. |
Manage Cloud Connections
Once a connection is created, you can manage the connection.
- Use the Cisco Cloud Observability left-hand sidebar to navigate to Configure > Cloud Connections.
- Click the actions menu in the connection row.
- Select Edit Connection, Pause Connection, or Delete Connection.
When you select Delete Connection, a Delete Connection warning appears and you must confirm by selecting Delete.
Amazon Web Services, the AWS logo, AWS, and any other AWS Marks used in these materials are trademarks of Amazon.com, Inc. or its affiliates in the United States and/or other countries.