LM Cloud

2a. Adding your AWS environment into LogicMonitor

Adding your AWS account into LogicMonitor for monitoring is simple and fast, and includes the following steps:

Required setup (instructions below):

Additional, optional setup:

For a list of AWS services monitored, see this page.

Adding your AWS account into LogicMonitor

1. Select Add Cloud Account from the Devices page in LogicMonitor:

From your AWS console you will need to set up a role that LogicMonitor can assume and use to access CloudWatch and SDK metrics for your AWS resources.

LogicMonitor uses cross-account roles to authenticate requests for data from your AWS account. Specifically, LogicMonitor acts as a third party to your AWS account and uses an external ID to assume a designated IAM role, which yields temporary credentials that are then used for data requests. Using an IAM role to authenticate requests is an AWS best practice and is more secure than using a static AWS access key ID and secret access key. Use the following steps to set up a cross-account role for LogicMonitor:

2. Create a Role that LogicMonitor will use to authenticate requests to your AWS account.

From the IAM | Roles section of your AWS console, create a new role. Select ‘Another AWS account’ for the role type:

Copy LogicMonitor's AWS Account ID and the AWS External ID from the New Cloud account dialog in LogicMonitor and paste into the Role settings in your AWS console. Note that the external ID is unique to the LogicMonitor account group you are creating.

Attach a policy to the role. The role you create needs to have permission to access the data for your AWS resources. There are two ways that you can grant this access:

  • Attach the default AWS ‘ReadOnlyAccess’ policy to your LogicMonitor role and add additional permissions for certain AWS resources as necessary. You’ll also need ‘AWSSupportAccess’ if you want service limit monitoring via Trusted Advisor, and 'CostExplorer' read access if you want monitoring for reserved instances. We recommend this option because updates and changes are less likely to affect the collection of your AWS data.
  • Create and attach a custom policy (below) that includes the minimum permissions necessary for LogicMonitor to collect data for your AWS resources. You may omit permissions for services you don't intend to monitor with LogicMonitor. Note that the elasticbeanstalk:ListTagsForResource permission is not yet recognized by the AWS visual permissions editor, but it is required by LogicMonitor. You can alternatively use elasticbeanstalk:List* if desired.

Custom Policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cloudfront:GetDistribution",
                    "cloudwatch:Describe*",
                    "cloudwatch:Get*",
                    "cloudwatch:List*",
                    "directconnect:Describe*",
                    "dynamodb:DescribeTable",
                    "dynamodb:ListTables",
                    "ec2:Describe*",
                    "ecs:Describe*",
                    "ecs:List*",
                    "elasticfilesystem:Describe*",
                    "elasticache:DescribeCacheClusters",
                    "elasticache:ListTagsForResource",
                    "elasticloadbalancing:DescribeAccountLimits",
                    "elasticloadbalancing:DescribeLoadBalancers",
                    "elasticloadbalancing:DescribeTargetGroups",
                    "elasticloadbalancing:describeTags",
                    "elasticmapreduce:Describe*",
                    "elasticmapreduce:List*",
                    "es:ListTags",
                    "es:Describe*",
                    "es:ListDomainNames",
                    "firehose:DescribeDeliveryStream",
                    "firehose:ListDeliveryStreams",
                    "iam:GetUser",
                    "kinesis:DescribeStream",
                    "kinesis:listStreams",
                    "kinesis:listTagsForStream",
                    "lambda:List*",
                    "lambda:getFunctionConfiguration",
                    "rds:DescribeDBInstances",
                    "rds:listTagsForResource",
                    "redshift:DescribeClusters",
                    "route53:Get*",
                    "route53:List*",
                    "s3:List*",
                    "s3:GetObject",
                    "s3:GetObjectVersion",
                    "s3:getBucketTagging",
                    "s3:GetBucketLocation",
                    "ses:GetSendQuota",
                    "ses:GetSendStatistics",
                    "ses:List*",
                    "ses:Describe*",
                    "sns:listTopics",
                    "sns:getTopicAttributes",
                    "swf:ListActivityTypes",
                    "swf:ListWorkflowTypes",
                    "swf:ListDomains",
                    "swf:ListOpenWorkflowExecutions",
                    "swf:DescribeWorkflowType",
                    "sqs:GetQueueAttributes",
                    "sqs:GetQueueUrl",
                    "sqs:listQueues",
                    "support:*",
                    "ce:GetTags",
                    "workspaces:DescribeTags",
                    "workspaces:DescribeWorkspaceDirectories",
                    "workspaces:DescribeWorkspaces"
                ],
                "Resource": "*"
            }
        ]
    }
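The two pieces of the role in step 2 can be checked before the role goes live. The following is an added example, not LogicMonitor's or AWS's own code: build_trust_policy() produces the trust relationship the role needs (principal = the LogicMonitor AWS account, condition = the External ID from the New Cloud Account dialog), trust_policy_is_scoped() confirms that no Allow statement in a trust policy is broader than that, and non_read_only_actions() reviews a permission policy such as the custom policy above and reports any allowed action that is not a Describe*/Get*/List* call. The account ID and External ID in the code are constructed placeholders, and the sample permission policy is an excerpt of the one above.

```python
"""Cross-account role trust policy and permission-policy review (added example)."""
import json

# Constructed placeholders: use the values shown in the LogicMonitor dialog.
LM_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id-from-dialog"


def build_trust_policy(lm_account_id: str, external_id: str) -> dict:
    """Trust policy for a role assumed from another AWS account.

    The sts:ExternalId condition ties the role to this LogicMonitor account
    group: an AssumeRole call from the LogicMonitor account that does not
    present this exact External ID is denied.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{lm_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def trust_policy_is_scoped(policy: dict, lm_account_id: str, external_id: str) -> bool:
    """True if every Allow statement names the expected principal and External ID."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {}).get("AWS")
        cond = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if principal != f"arn:aws:iam::{lm_account_id}:root" or cond != external_id:
            return False
    return True


# An action whose name (after the service prefix) starts with one of these
# verbs is treated as read-only for the purpose of this review.
READ_ONLY_PREFIXES = ("describe", "get", "list")


def non_read_only_actions(policy: dict) -> list:
    """Return allowed actions that are not Describe*/Get*/List* calls.

    IAM action names are matched case-insensitively, so 'sqs:listQueues'
    counts as read-only. A bare service wildcard such as 'support:*' is
    reported because it also grants that service's write actions.
    """
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            _service, _, verb = action.partition(":")
            if verb == "*" or not verb.lower().startswith(READ_ONLY_PREFIXES):
                flagged.append(action)
    return flagged


# Excerpt of the custom policy above, used as sample input.
SAMPLE_PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:Get*",
                "ec2:Describe*",
                "elasticloadbalancing:describeTags",
                "sqs:listQueues",
                "support:*",
                "ce:GetTags",
            ],
            "Resource": "*",
        }
    ],
}

if __name__ == "__main__":
    trust = build_trust_policy(LM_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(trust, indent=2))
    print("scoped trust policy:", trust_policy_is_scoped(trust, LM_ACCOUNT_ID, EXTERNAL_ID))
    print("actions to review:", non_read_only_actions(SAMPLE_PERMISSION_POLICY))  # ['support:*']
```

The review only distinguishes read-style action names from everything else; it does not know which read calls return data rather than metadata (s3:GetObject, for instance, reads object contents), so treat its output as a list of entries to look at, not a verdict.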

3. Provide the role’s ARN in LogicMonitor

Once the role is created, enter its ARN in LogicMonitor for the same AWS account group you copied the External ID from.

4. Configure AWS Services to be monitored.

Next, in the AWS Services section of the dialog, you will need to set your default service settings.

These settings include which regions services should be discovered from (please note that we do not support Government Cloud Regions for AWS), what tag filters (if any) should be applied, and whether or not dead instances should be automatically removed.

The Auto-Discovery Frequency indicates how often LogicMonitor will check for new AWS resources in your account. You can override this setting for the EC2 service if desired.

If you specify a Tag Filter, only AWS resources that meet the filter criteria will be added to your LogicMonitor account. Note that:

- You can use glob expressions with the tag filter (e.g. tag value = prod*)
- Resources will be discovered if they contain one or more tags specified with an include operation but not any of the exclude tags
- The tag filter is case sensitive

If you choose to automatically remove dead instances, you can further select whether this should happen immediately or after a specified period during which no data is received for the instance. Note that this functionality currently applies only to terminated AWS instances (i.e. stopped instances will not be auto-deleted).

Disabling alerting for terminated instances ensures you will not receive any alerts once instances are terminated, if they are not scheduled to be automatically deleted. While LogicMonitor automatically stops CloudWatch API data collection once instances are terminated, this option ensures you do not receive alerts for traditional Collector DataSources like Ping.

For example, you might add an AWS tag with a key value pair of monitoring:true to the S3 buckets you'd like to monitor, and then add a Tag Filter in LogicMonitor such that only S3 buckets with tags matching monitoring:true are added into monitoring.
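The tag-filter rules above (glob patterns in tag values, discovery when at least one include tag matches and no exclude tag matches, case-sensitive comparison) can be modelled in a few lines. The following is an added example, not LogicMonitor's own code: filters are written as key:value_glob strings, as in the monitoring:true example, and are applied to constructed sample resources. Treating an empty include list as "discover everything" is an assumption.

```python
"""Tag-filter matching for AWS resource discovery (added example)."""
from fnmatch import fnmatchcase


def parse_filter(spec: str) -> tuple:
    """Split 'key:value_glob' into (key, value_glob); the value may be empty."""
    key, _, value_glob = spec.partition(":")
    return key, value_glob


def tag_matches(tags: dict, key: str, value_glob: str) -> bool:
    """Case-sensitive key lookup and glob match on the value.

    fnmatchcase is used rather than fnmatch because fnmatch folds case on
    some platforms, which would silently break the case-sensitive rule.
    """
    return key in tags and fnmatchcase(tags[key], value_glob)


def is_discovered(tags: dict, include: list, exclude: list) -> bool:
    """Apply the include/exclude rule to one resource's tag map."""
    if any(tag_matches(tags, k, v) for k, v in exclude):
        return False  # any exclude match wins
    if not include:
        return True  # assumption: no include filter configured
    return any(tag_matches(tags, k, v) for k, v in include)


def filter_resources(resources: dict, include: list, exclude: list) -> list:
    """Return the sorted IDs of resources that would be added to monitoring."""
    return sorted(rid for rid, tags in resources.items()
                  if is_discovered(tags, include, exclude))


# Constructed sample data: resource id -> AWS tags.
SAMPLE_RESOURCES = {
    "bucket-a": {"monitoring": "true", "env": "prod"},
    "bucket-b": {"monitoring": "True"},             # case differs: not matched
    "i-1": {"env": "prod-eu"},                      # matches env=prod*
    "i-2": {"env": "prod-eu", "lm-ignore": "yes"},  # excluded
    "i-3": {"env": "staging"},
}
INCLUDE = [parse_filter("monitoring:true"), parse_filter("env:prod*")]
EXCLUDE = [parse_filter("lm-ignore:*")]

if __name__ == "__main__":
    print(filter_resources(SAMPLE_RESOURCES, INCLUDE, EXCLUDE))  # ['bucket-a', 'i-1']
```

Running the block shows the two cases that trip people up in practice: bucket-b is left out because "True" and "true" differ under case-sensitive matching, and i-2 is left out even though its env tag matches the include pattern, because an exclude match always wins.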

For the EC2 service, you will see additional options to enable monitoring via a local Collector and configure how discovered EC2 instances are named.

5. Configure AWS Billing Monitoring

Optionally set up monitoring for your AWS spend via these instructions.

6. Done!

After going through the Add Cloud Account wizard, LogicMonitor will search for and auto-discover AWS resources using our NetScan functionality. A new device group will be created for each AWS Service selected, and each resource discovered for that AWS Service will be added as a LogicMonitor device in that device group. For example, if LogicMonitor discovers 4 DynamoDB tables for an AWS Account, a DynamoDB group will be created and 4 devices will be added to this group. Each AWS resource will get a system.categories value that identifies the type of resource (e.g. EC2, EBS, ELB, etc.).

After you've added your AWS Account to LogicMonitor, you can force a NetScan to run and detect any new AWS resources in your account by selecting 'Manage' for your AWS Account group in LogicMonitor and then selecting 'Save'.

Note: If you manually delete an AWS 'device' in LogicMonitor and don't change the configuration for discovering instances in your AWS account, that instance will be re-discovered as a device. To ensure that only the AWS resources you'd like to monitor are discovered, set the automatically remove dead instances option (which currently applies only to terminated AWS instances), de-select the appropriate region or service, or add a tag filter.