Configure AWS accounts for cloud monitoring

This topic applies only to the following products:

SolarWinds Observability Self-Hosted

IPAM — NAM — SAM — VMAN

To monitor an AWS instance with the SolarWinds Platform, you need to:

Configure Identity and Access Management Permissions (IAM) in the AWS Management Console. These permissions allow the SolarWinds Platform access to status and other metrics for AWS instances.
Configure IAM policies and assign them to the AWS account. The policies define that you can integrate the AWS cloud service with the SolarWinds Platform.

Consult your system administrator and refer to Amazon AWS documentation for details.

Establish AWS IAM permissions

To interact with the SolarWinds Platform, an AWS account must be able to retrieve CloudWatch metrics from various resources. Use this section as a reference for specific permissions.

Although you can embed inline policies to set permissions, SolarWinds recommends attaching an IAM policy to an account so JSON code can be used to permit or restrict user actions.

Required for	Permissions	Description
Basic permissions	ec2:DescribeInstances ec2:DescribeAddresses ec2:DescribeVolumes ec2:DescribeVolumeStatus ec2:DescribeVpcs ec2:DescribeVpnGateways ec2:DescribeVpnConnections ec2:DescribeRegions cloudwatch:GetMetricStatistics autoscaling:DescribeAutoScalingInstances	These resource-level permissions are required for each AWS account for cloud monitoring in SolarWinds Platform Self-Hosted.
Instance actions	ec2:StartInstances ec2:StopInstances ec2:RebootInstances ec2:TerminateInstances	Required for the user to define actions that can be performed against an instance.
Amazon RDS	cloudwatch:GetMetricData rds:DescribeDBInstances	Required for monitoring Amazon RDS.
AWS Direct Connect	directconnect:DescribeConnections	Required for monitoring AWS Direct Connect connections.
Amazon S3 Bucket	s3:ListBucket s3express:ListAllMyDirectoryBuckets	Required for monitoring Amazon S3 buckets.
Elastic Load Balancing (ELB)	elasticloadbalancing:DescribeLoadBalancers elasticloadbalancing:DescribeTargetGroups elasticloadbalancing:DescribeListeners	Required for monitoring the Elastic Load Balancing service.
Amazon DynamoDB	dynamodb:ListTables dynamodb:DescribeTable	Required for monitoring Amazon DynamoDB data.
Amazon Elastic Kubernetes Service (EKS)	eks:ListClusters eks:DescribeCluster eks:ListNodegroups eks:DescribeNodegroup	Required for monitoring Amazon Elastic Kubernetes Service. Monitoring container insights metrics may require extra configuration. See Container insights metrics.
AWS Lambda	lambda:ListFunctions lambda:GetFunction	Required for monitoring AWS Lambda. Monitoring lambda insights metrics may require extra configuration. See Lambda insights metrics.

Additional configuration

Some metrics collected from AWS services require additional configuration before they can be monitored.

Container insights metrics

To configure the following container insights metrics, see Setting up Container Insights on Amazon EKS and Kuberentes in the AWS documentation.

node_cpu_utilization
node_gpu_usage_total
node_memory_utilization
node_network_total_bytes
node_filesystem_utilization
node_number_of_running_containers
node_number_of_running_pods
cluster_failed_node_count
cluster_node_count

Lambda insights metrics

To configure the following lambda insights metrics, see Monitor function performance with Amazon CloudWatch Lambda Insights.

memory_utilization
cpu_total_time
rx_bytes
tx_bytes
used_memory_max
total_memory

Example JSON with standard access

The following JSON code provides standard access to a SolarWinds Platform user.

To monitor additional resources, assign the required permissions. For details, see Establish AWS IAM permissions.

{
	"Version": "2012-10-17",
	"Statement": [{	
		"Effect": "Allow",
		"Action": [
		"ec2:DescribeInstances",
		"ec2:DescribeAddresses",
		"ec2:DescribeVolumes", 
		"ec2:DescribeVolumeStatus",
		"ec2:DescribeVpcs",
		"ec2:DescribeVpnGateways",
		"ec2:DescribeVpnConnections",
		"ec2:DescribeRegions",
		"cloudwatch:GetMetricStatistics",
		"autoscaling:DescribeAutoScalingInstances"
	],
	"Resource": "*"
    }
  ]
}

Create an IAM policy and attach it to an account

Create the IAM policy in your AWS Management Console. See Creating IAM policies and Create and attach a policy to a user in Amazon AWS documentation for details.

To enter policies in a policy editor, add the following permission statements to the Policy Document:

{
    "Version": "2012-10-17",
    "Statement": [{    
        "Effect": "Allow",
        "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeAddresses",
        "ec2:DescribeVolumes", 
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpnGateways",
        "ec2:DescribeVpnConnections",
        "ec2:DescribeRegions",
        "cloudwatch:GetMetricStatistics",
        "autoscaling:DescribeAutoScalingInstances",
        "ec2:StopInstances", 
        "ec2:StartInstances",
        "ec2:RebootInstances", 
        "ec2:TerminateInstances"
    ],
    "Resource": "*"
    }
  ]
}