This page explains how to connect your Cisco Cloud Observability account with Amazon Web Services (AWS) using Access Key Credentials in the Cisco Cloud Observability user interface.

If you prefer to use the Connections API, see Call the Cisco Cloud Observability APIs and Getting Started with AWS Using Access Key Credentials.

This document contains references to third-party documentation. Cisco AppDynamics does not own any rights and assumes no responsibility for the accuracy or completeness of such third-party documentation.

These are the high-level steps:

  1. Create an AWS IAM User
  2. Connect Your AWS IAM User Account to AppDynamics
  3. Verify Connection and Observe Entities

1. Create an AWS IAM User

  1. Navigate and sign in to the AWS Management Console.
  2. Open the IAM Console.
  3. In the Identity and Access Management (IAM) left-navigation pane, select Users.
  4. Select Add users. If you are unable to add a user, see Access Management.
  5. Enter the User name: appD_monitoring_user, or a user name of your choice.
  6. Select Next.
  7. Under Permissions options, select Attach policies directly.
  8. Select appropriate policies for the appD_monitoring_user monitoring account. Cisco AppDynamics recommends ReadOnlyAccess policies. Additionally, you can select custom policies specific to the active resources from which you want to ingest Amazon CloudWatch metrics. See Access Management and Example IAM Identity-Based Policies.
    For example, these policies are selected:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "elasticfilesystem:DescribeBackupPolicy",
                    "ec2:DescribeInstances",
                    "tag:GetResources",
                    "elasticfilesystem:DescribeReplicationConfigurations",
                    "cloudwatch:GetMetricData",
                    "lambda:GetLayerVersion",
                    "elasticfilesystem:ListTagsForResource",
                    "ec2:DescribeRegions",
                    "elasticfilesystem:DescribeAccountPreferences",
                    "cloudwatch:ListMetrics",
                    "ecs:DescribeTaskDefinition",
                    "ecs:ListServices",
                    "elasticloadbalancing:DescribeLoadBalancers",
                    "elasticfilesystem:DescribeLifecycleConfiguration",
                    "ecs:ListTasks",
                    "elasticfilesystem:ClientMount",
                    "ec2:DescribeVolumes",
                    "elasticfilesystem:DescribeFileSystemPolicy",
                    "rds:DescribeDBInstances",
                    "ecs:DescribeServices",
                    "apigateway:GET",
                    "elasticfilesystem:DescribeFileSystems",
                    "ecs:DescribeContainerInstances",
                    "ecs:DescribeTasks",
                    "ecs:ListTaskDefinitions",
                    "ecs:ListClusters",
                    "ecs:ListTagsForResource",
                    "elasticfilesystem:DescribeMountTargets",
                    "lambda:ListFunctions",
                    "elasticfilesystem:DescribeAccessPoints",
                    "ecs:DescribeClusters",
                    "lambda:ListFunctionEventInvokeConfigs",
                    "elasticfilesystem:DescribeTags",
                    "ec2:DescribeVpcs",
                    "elasticloadbalancing:DescribeTargetHealth",
                    "lambda:ListEventSourceMappings",
                    "elasticloadbalancing:DescribeTargetGroups",
                    "ec2:DescribeSubnets",
                    "lambda:GetPolicy",
                    "rds:DescribeDBClusters",
                    "elasticfilesystem:DescribeMountTargetSecurityGroups",
                    "kinesis:ListStreams",
                    "kinesis:DescribeStreamSummary",
                    "eks:ListClusters",
                    "eks:DescribeCluster",
                    "eks:ListTagsForResource",
                    "autoscaling:DescribeAutoScalingGroups",
                    "autoscaling:DescribeAutoScalingInstances",
                    "autoscaling:DescribeTags",
                    "dms:DescribeEndpoints",
                    "dms:DescribeReplicationInstances",
                    "dms:DescribeReplicationTasks",
                    "dms:ListTagsForResource",
                    "s3:ListAllMyBuckets",
                    "s3:GetBucketLocation",
                    "s3:GetBucketTagging",
                    "s3:GetMetricsConfiguration",
                    "sqs:GetQueueAttributes",
                    "sqs:ListQueues",
                    "sqs:ListQueueTags",
                    "sns:ListTopics",
                    "sns:ListSubscriptions",
                    "sns:GetTopicAttributes",
                    "sns:GetSubscriptionAttributes",
                    "sns:ListTagsForResource",
                    "kinesisanalytics:ListApplications",
                    "kinesisanalytics:DescribeApplication",
                    "kinesisanalytics:ListTagsForResource",
                    "glue:ListJobs",
                    "glue:GetJob",
                    "glue:GetTriggers",
                    "glue:GetJobRuns",
                    "ecr:DescribeRepositories",
                    "ecr:DescribeRegistry",
                    "ecr-public:DescribeRegistries",
                    "ecr-public:DescribeRepositories",
                    "athena:ListWorkGroups",
                    "athena:GetWorkGroup",
                    "cognito-idp:DescribeUserPool",
                    "cognito-idp:ListUserPools",
                    "cognito-idp:ListUserPoolClients",
                    "codebuild:ListProjects",
                    "codebuild:BatchGetProjects",
                    "acm:ListCertificates",
                    "acm:DescribeCertificate",
                    "acm:ListTagsForCertificate",
                    "elasticache:DescribeCacheClusters",
                    "elasticache:DescribeReplicationGroups",
                    "directconnect:DescribeConnections",
                    "directconnect:DescribeVirtualInterfaces",
                    "dynamodb:ListTables",
                    "dynamodb:DescribeTable",
                    "dynamodb:DescribeKinesisStreamingDestination",
                    "mq:DescribeBroker",
                    "mq:ListBrokers",
                    "route53:ListHealthChecks",
                    "route53:ListTagsForResources",
                    "route53:GetHostedZone",
                    "route53:ListQueryLoggingConfigs",
                    "route53:ListHostedZones",
                    "route53resolver:ListFirewallRuleGroups",
                    "route53resolver:ListFirewallRules",
                    "route53resolver:ListFirewallRuleGroupAssociations",
                    "route53resolver:GetFirewallRuleGroup",
                    "route53resolver:ListTagsForResource",
                    "route53resolver:ListFirewallDomainLists",
                    "kms:DescribeKey",
                    "kms:ListKeys",
                    "config:GetComplianceSummaryByConfigRule",
                    "config:GetComplianceSummaryByResourceType",
                    "config:DescribeConfigurationRecorderStatus",
                    "config:GetDiscoveredResourceCounts",
                    "config:DescribeDeliveryChannels",
                    "secretsmanager:DescribeSecret",
                    "secretsmanager:ListSecrets",
                    "kafka:ListClustersV2",
                    "kafka:ListNodes",
                    "kafka:ListReplicators",
                    "backup:ListBackupJobs",
                    "cloudfront:ListDistributions",
                    "cloudfront:ListFunctions",
                    "servicecatalog:SearchProductsAsAdmin",
                    "servicecatalog:ListPortfolios",
                    "servicecatalog:SearchProvisionedProducts",
                    "sagemaker:ListEndpoints",
                    "sagemaker:ListProcessingJobs",
                    "sagemaker:ListTrainingJobs",
                    "sagemaker:DescribeEndpoint",
                    "sagemaker:DescribeTrainingJob",
                    "sagemaker:DescribeProcessingJob",
                    "sagemaker:ListTags",
                    "docdb-elastic:ListClusters",
                    "docdb-elastic:GetCluster",
                    "docdb-elastic:ListTagsForResource",
                    "rds:ListTagsForResource"
                ],
                "Resource": "*"
            }
        ]
    }
  9. (Optional) Set permissions boundary.

  10. Select Next.

  11. (Optional) Add tags.

  12. Select Create user.
    Note the Access Key ID and the Secret Access Key for the user, or click Download .csv.

Important

You need the keys to add Amazon CloudWatch to your Cisco Cloud Observability account. If you navigate away from this panel without capturing these keys, you cannot access them again. You will have to create a new appD_monitoring_user monitoring account. See Creating IAM Users (Console).
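Because the custom policy in step 8 is attached to a user with long-lived access keys, it is worth checking that every allowed action is a metadata read before you attach it. The following Python check is an added example, not part of the Cisco or AWS documentation; the function names, the prefix list, and the sample excerpt are assumptions made for illustration.

```python
import json

# Action-name prefixes treated as metadata reads. This list is a review
# heuristic chosen for this example, not something AWS defines.
READ_PREFIXES = ("describe", "list", "get", "batchget", "search")

def as_list(value):
    """IAM allows a bare string or object where a list is also valid."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return findings that need manual review before attaching the policy."""
    findings = {"non_read": [], "wildcard_action": [],
                "wildcard_resource": [], "not_evaluated": []}
    statements = as_list(json.loads(policy_json).get("Statement", []))
    for index, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{index}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings["not_evaluated"].append(sid)  # inverted match: review by hand
            continue
        for action in as_list(stmt.get("Action", [])):
            name = action.partition(":")[2].lower()
            if "*" in action or "?" in action:
                findings["wildcard_action"].append(action)
            elif not name.startswith(READ_PREFIXES):
                findings["non_read"].append(action)
        if "*" in as_list(stmt.get("Resource", [])):
            findings["wildcard_resource"].append(sid)
    return findings

# Constructed sample: a short excerpt of the policy shown above.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": ["ec2:DescribeInstances", "cloudwatch:GetMetricData",
               "apigateway:GET", "codebuild:BatchGetProjects",
               "servicecatalog:SearchProductsAsAdmin",
               "elasticfilesystem:ClientMount"],
    "Resource": "*"
  }]
}"""

if __name__ == "__main__":
    for kind, items in audit_policy(SAMPLE_POLICY).items():
        print(f"{kind}: {items}")
```

Run against the full policy on this page, the only action outside the read prefixes is elasticfilesystem:ClientMount, which grants an NFS client read access to file system contents rather than to metadata, and it is allowed on Resource "*".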

2. Connect Your AWS IAM User Account to Cisco Cloud Observability

The instructions to connect your AWS IAM user account are documented on the New AWS Connection UI page in Cisco Cloud Observability. To navigate to this page: 

  1. Log into the Cisco Cloud Observability UI.
  2. Use the left-hand sidebar to navigate to Configure > Cloud Connections.
  3. Click Amazon CloudWatch.
  4. Follow the instructions on the New AWS Connection UI page to create a new AWS cloud connection. 

3. Verify Connection and Observe Entities

  1. When the connection state on the Cloud Connections page displays Active, Cisco Cloud Observability automatically begins monitoring the supported AWS services. To learn more about Connection State, see Review Connection State.
  2. Use the left-hand sidebar to navigate to the Observe page. You can now monitor your entities using entity-centric pages (ECPs). For a list of the entities and data that can be monitored, see Observe AWS Entities.

Next Steps

Review Connection State

The Cloud Connections page displays a list of cloud connections and their current condition. To navigate to this page, use the Cisco Cloud Observability left-hand sidebar to navigate to Configure > Cloud Connections.

Refer to the connection state for troubleshooting. These are the possible Cloud Platform connection states:

| State | Description |
| --- | --- |
| Active | The connection was successfully created, configured, and is receiving data. The data collection might have started or is expected to start within the next 7 minutes. |
| Configured | The user created a connection and configured the connection. The connection will remain in Configured state until it is manually activated. The data collection will not start until the connection is activated. |
| Error | A non-recoverable error occurred, so data is no longer being collected. |
| Inactive | The user paused the connection after the connection was created and configured. |
| Insufficient license | There are not enough Cisco Cloud Observability license units. Contact customer support to increase your license units. |
| Pending configuration | The user has successfully established a cloud connection but needs to configure the cloud service, regions, and so on. |
| Warning | A partial error occurred. The data is still being collected for some services. |
| Critical | A non-recoverable error occurred for some of the resources. The data is still being collected for other resources. |

Manage Cloud Connections

Once a connection is created, you can manage the connection.

  1. Use the Cisco Cloud Observability left-hand sidebar to navigate to Configure > Cloud Connections.
  2. Click in the connection row.
  3. Select Edit Connection, Pause Connection, or Delete Connection.

To delete a connection: After you select Delete Connection, a Delete Connection warning appears. You must select Delete to confirm.

Amazon Web Services, the AWS logo, AWS, and any other AWS Marks used in these materials are trademarks of Amazon.com, Inc. or its affiliates in the United States and/or other countries.