

2a. Adding Amazon Web Services environment into LogicMonitor


With LogicMonitor, you can monitor the state of your Amazon Web Services (AWS) accounts, the underlying services, and license usage, which allows you to identify faults and manage performance.

Prerequisites

  • Role ARN (Amazon Resource Name) for a registered application in Amazon Web Services (AWS).

Note: You may want to create a role in the AWS portal before you start so that you have the Role ARN available for setting up permissions. For more information, follow the steps for Creating a Role in AWS.

  • S3 Bucket Name and Report Path Prefix information are required for setting up billing information. For more information, see Creating an S3 Bucket in AWS.

For a list of AWS services monitored, see Cloud Monitoring Overview.

Creating a Role in AWS

To create a role in AWS, complete the following steps:

1. Sign in to the AWS portal as a user that has permissions to manage IAM Roles.

2. Navigate to AWS portal > AWS Management Console > Services > IAM.

3. On the left side of the IAM Dashboard, click Roles and click Create Role.

4. On the Create role page, click Another AWS account.

5. Enter the Account ID.

Note: For Account ID information, navigate to LogicMonitor Exchange > Cloud Integrations > AWS Account > Permissions.

6. From the Options, select Require external ID.

7. Enter the External ID.

Note: For External ID information, navigate to LogicMonitor Exchange > Cloud Integrations > AWS Account > Permissions.

8. Click Next: Permissions and click Create policy.

9. Select Services and click on the JSON tab. You can also see the Custom JSON policy section.

Note: Copy the JSON document from the Permissions page of the LogicMonitor portal.

10. Click Tags and click Reviews.

11. On the Review policy page, enter the policy name and click Create policy. You will need the policy name for the next step.

12. Navigate to Create role > Attach permission policies > Create policies > search for the <LogicMonitor policy name>.

13. Select the policy name and click Tags.

14. On the Add tags page, click Review.

15. On the Review page, enter the Role name and click Create role. You will need the role name for the next step.

16. Click on the <LogicMonitor role name> and from the Summary page, copy the Role ARN number.

Note: Role ARN information is required while setting up the AWS account in LogicMonitor.
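The Account ID and Require external ID steps above end up in the role's trust policy, and the external ID condition is what stops another party from getting the monitoring account to use your role on their behalf. The following check is an added example, not LogicMonitor or AWS code; the account ID and external ID are placeholders for the values shown on the LogicMonitor Permissions page.

```python
import json

# Constructed trust policy in the shape the console generates for
# "Another AWS account" with "Require external ID". Both IDs are placeholders.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
  }]
}
""")


def as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, account_id, external_id):
    """Return findings; an empty list means only the expected account can
    assume the role, and only when it presents the expected external ID."""
    findings, seen = [], 0
    allowed = {account_id, f"arn:aws:iam::{account_id}:root"}
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        seen += 1
        principal = stmt.get("Principal", {})
        names = ["*"] if principal == "*" else [
            p for v in principal.values() for p in as_list(v)]
        for name in names:
            if name not in allowed:
                findings.append(f"statement {i}: unexpected principal {name}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif cond["sts:ExternalId"] != external_id:
            findings.append(f"statement {i}: external ID mismatch")
    if seen == 0:
        findings.append("no Allow statement for sts:AssumeRole")
    return findings
```

To run it against the real role, load the AssumeRolePolicyDocument returned by `aws iam get-role` in place of the constructed policy.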

Create S3 Bucket in AWS

To create an S3 bucket in AWS, complete the following steps:

1. Navigate to AWS Management Console > Services > Storage > S3.

2. On the Amazon S3 page, click Create bucket.

3. On the Create bucket page, enter the Bucket name, select the required options, and click Create bucket.
You can see the Bucket name on the Buckets page.

4. To add objects to the bucket, click View details on the top-right corner of the Buckets page.

Adding AWS account into LogicMonitor

To add your AWS account into LogicMonitor for monitoring, complete the following steps:

1. Add your AWS account into LogicMonitor from Exchange > Cloud Integrations.

2. Select AWS and click Add.

3. On the Name page, enter the following details:

  • Name: (Required) Enter a name for the AWS account.
  • Description: Provide a description for the AWS account.
  • Parent Group: (Required) Assign the AWS account to a parent group. By default, it will be assigned to the root group of the portal.
  • Properties: Define properties and values.

4. On the Permissions page, Account ID, External ID, and a JSON document are available for creating the IAM Policy and IAM Role with read-only permissions. LogicMonitor will use that role to access your AWS account. 

Once the IAM Role is created, you can copy and enter the ARN information in the Role ARN field.

Note: You can find Role ARN information on the AWS portal > Roles > Summary page. For more information, see Creating a Role in AWS.

5. Click Next: Services and on the Services page, select the services that you want to monitor.

6. Click Default Settings to configure services. For more information, see the Configure AWS Services for Monitoring section.

7. Click Test Permissions.

8. Click Next: Billing.

9. On the Billing page, enter the S3 Bucket Name and the Report Path Prefix.
For more information on AWS billing, see AWS Billing Monitoring – Cost & Usage Report.


For billing information details, navigate to your AWS account > S3 > select the required S3 bucket name and copy the name.

11. Click Add Billing.

12. Click View AWS Resources.

You should be able to view resources and dashboards from your AWS application.

Configure AWS Services for Monitoring

To configure AWS services for monitoring, complete the following steps:

1. In the AWS Services section of the dialog, click Default Settings.

2. On the Default Settings page, click Global Settings.

3. From the NetScan Frequency drop-down list, you can select the preferred frequency for scheduling NetScans.

4. Enable the Automatically delete terminated AWS resources option to automatically remove dead instances.
You can further select whether this should happen immediately or after a specified period during which no data is received for the instance.

5. Enable Automatically disable alerting for terminated AWS resources to disable alerting for terminated instances. This ensures you will not receive any alerts once instances are terminated if they are not scheduled to be automatically deleted.

Note: LogicMonitor intelligently and automatically stops AWS Monitor API data collection once instances are terminated. This option will ensure you do not receive alerts for traditional Collector DataSources like Ping.

6. In the Monitored Regions section, you can select the regions that you want to monitor.

7. Click Tags. To monitor only certain AWS instances for a particular service, you can tag those instances from your Azure portal and apply a tag filter to that service in LogicMonitor.

Note: If you specify a Tag filter, only AWS resources that meet the filter criteria will be added to your LogicMonitor account. The criteria are as follows:

  • You can use glob expressions with the tag filter (e.g. tag value = prod*).
  • Resources will be discovered if they contain one or more tags specified with an include operation but not any of the exclude tags.
  • The tag filter is case-sensitive.
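A tag filter decides which resources are monitored at all, so a resource whose tag differs only in case, or that also carries an excluded tag, drops out of monitoring without any error. The following model of the three criteria above is an added example, not LogicMonitor code; it assumes a rule is a tag key compared exactly plus a glob on the tag value, and every resource name and tag in it is constructed.

```python
from fnmatch import fnmatchcase

# Constructed inventory: resource name -> tags. Names and tags are made up.
RESOURCES = {
    "web-1": {"env": "prod-eu"},
    "web-2": {"env": "Prod-eu"},                       # capital P
    "db-1": {"env": "prod-us", "monitoring": "off"},   # matches an exclude
    "dev-1": {"env": "dev"},
    "batch-1": {"team": "data"},                       # no env tag at all
}
INCLUDE = [("env", "prod*")]
EXCLUDE = [("monitoring", "off")]


def rule_matches(tags, rule):
    key, value_glob = rule
    # fnmatchcase never folds case, matching the case-sensitive filter.
    return key in tags and fnmatchcase(tags[key], value_glob)


def is_discovered(tags, include, exclude):
    if not include:
        # The page only describes filters that have an include rule.
        raise ValueError("at least one include rule is required")
    # Any exclude match wins over every include match.
    if any(rule_matches(tags, r) for r in exclude):
        return False
    return any(rule_matches(tags, r) for r in include)


def split_inventory(resources, include, exclude):
    """Return (discovered, skipped) resource names, each sorted."""
    found = sorted(name for name, tags in resources.items()
                   if is_discovered(tags, include, exclude))
    skipped = sorted(set(resources) - set(found))
    return found, skipped
```

Reviewing the skipped list against what you expect to be monitored is a quick way to catch coverage gaps caused by inconsistent tagging.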

Custom JSON Policy

For your reference, the following policy includes the minimum permissions necessary for LogicMonitor to collect data for your AWS resources.

Note: The elasticbeanstalk:ListTagsForResource permission is not yet supported by the AWS visual permissions editor, but it is required by LogicMonitor. You can alternatively use elasticbeanstalk:List* if desired.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "apigateway:GET",
        "appstream:DescribeFleets",
        "athena:List*",
        "autoscaling:Describe*",
        "cloudfront:Get*",
        "cloudfront:List*",
        "cloudsearch:DescribeDomains",
        "cloudsearch:ListDomainNames",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "codebuild:List*",
        "cognito-idp:Describe*",
        "cognito-idp:List*",
        "directconnect:Describe*",
        "dms:Describe*",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "ec2:Describe*",
        "ecs:Describe*",
        "ecs:List*",
        "elasticache:DescribeCacheClusters",
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticfilesystem:Describe*",
        "elasticloadbalancing:Describe*",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticmapreduce:Describe*",
        "elasticmapreduce:List*",
        "elastictranscoder:ListPipelines",
        "es:Describe*",
        "es:List*",
        "events:List*",
        "firehose:DescribeDeliveryStream",
        "firehose:ListDeliveryStreams",
        "firehose:ListTagsForDeliveryStream",
        "fsx:Describe*",
        "glue:GetJobs",
        "health:DescribeEvents",
        "kafka:List*",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kinesis:ListTagsForStream",
        "kinesisvideo:Describe*",
        "kinesisvideo:Get*",
        "kinesisvideo:List*",
        "lambda:Get*",
        "lambda:List*",
        "mediaconnect:DescribeFlow",
        "mediaconnect:List*",
        "mediaconvert:DescribeEndpoints",
        "mediaconvert:ListQueues",
        "mediaconvert:ListTagsForResource",
        "mediapackage-vod:ListPackagingConfigurations",
        "mediapackage-vod:ListTagsForResource",
        "mediapackage:DescribeOriginEndpoint",
        "mediapackage:List*",
        "mediapackage:ListOriginEndpoints",
        "mediastore:Describe*",
        "mediastore:List*",
        "mediatailor:ListPlaybackConfigurations",
        "mediatailor:ListTagsForResource",
        "mq:List*",
        "opsworks:DescribeStacks",
        "pi:Describe*",
        "pi:Get*",
        "rds:DescribeDBClusters",
        "rds:DescribeDBInstances",
        "rds:ListTagsForResource",
        "redshift:DescribeClusters",
        "route53:Get*",
        "route53:List*",
        "route53resolver:List*",
        "s3:GetBucketLocation",
        "s3:GetBucketTagging",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:List*",
        "sagemaker:List*",
        "ses:Describe*",
        "ses:GetSendQuota",
        "ses:GetSendStatistics",
        "ses:List*",
        "sns:List*",
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "sqs:ListQueueTags",
        "sqs:ListQueues",
        "states:ListStateMachines",
        "support:*",
        "swf:Count*",
        "swf:Describe*",
        "swf:Get*",
        "swf:List*",
        "swf:ListActivityTypes",
        "swf:ListDomains",
        "wafv2:ListWebACLs",
        "waf:GetWebACL",
        "waf:ListWebACLs",
        "workspaces:DescribeTags",
        "workspaces:DescribeWorkspaceDirectories",
        "workspaces:DescribeWorkspaces"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
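Before attaching a vendor-supplied policy, it is worth listing the entries that go beyond read-style verbs or that read stored data on every resource. The following review is an added example, not LogicMonitor code; it runs over a constructed subset of the policy above, and the verb list and the choice of which actions count as data reads are assumptions made for this example.

```python
import re

# Constructed subset of the policy above: same action strings, same Resource.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["apigateway:GET", "ec2:Describe*", "elasticbeanstalk:Check*",
                   "s3:GetObject", "s3:GetObjectVersion", "s3:List*",
                   "support:*", "swf:Count*", "sqs:GetQueueUrl"],
        "Resource": "*",
        "Effect": "Allow",
    }],
}

# Verb prefixes the policy on this page uses for read access.
READ_VERB = re.compile(r"^(Get|List|Describe|Check|Count)")
# Actions that return stored data rather than metadata (assumption: in this
# policy only the S3 object reads fall into that class).
DATA_READS = {"s3:GetObject", "s3:GetObjectVersion"}


def as_list(value):
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Return (action, reason) pairs for entries that deserve a second look."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            if service == "apigateway":
                # API Gateway actions are HTTP verbs; only GET is a read.
                if name != "GET":
                    findings.append((action, "API Gateway verb other than GET"))
            elif not READ_VERB.match(name):
                findings.append((action, "not limited to read verbs"))
            if action in DATA_READS and "*" in resources:
                findings.append((action, "object read allowed on every resource"))
    return findings
```

On the subset it reports `support:*`, which also covers write actions such as `support:CreateCase`, and the two S3 object reads. Whether those entries can be narrowed depends on which LogicMonitor features you use and should be confirmed with Test Permissions.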

Next steps

After you finish adding your AWS account, you should update your DataSources by importing any recently released Cloud Monitoring DataSources into your account.

You may also want to complete the following setup steps:
