Adding Amazon Web Services Environment into LogicMonitor

Last updated on 22 March, 2023

With LogicMonitor, you can monitor Amazon Web Services (AWS) accounts along with the underlying services and license usage. This allows you to identify faults and manage performance. Adding AWS into LogicMonitor involves creating an AWS Policy and Role and exchanging a series of identifiers with LogicMonitor.

To add an AWS account to LogicMonitor, start in the LogicMonitor console by initiating the credential exchange and integration between LogicMonitor and AWS (Account ID, External ID, and Policy values). Then, from the AWS console, create a Policy, create a Role, attach the policy to the role, and optionally add Billing monitoring to LogicMonitor. For more information, see AWS Billing Monitoring – Cost & Usage Report. In the final steps, return to the LogicMonitor console to configure monitoring, test the configuration, and confirm the LogicMonitor dashboard creation.

Note: AWS environments may be added programmatically, which can be more efficient when adding multiple accounts. For more information, see AWS Device Groups.

Requirements to Set up the AWS Environment

A default or similarly configured AWS account. For more information, see AWS’ Create an AWS Account.

Initiating the LogicMonitor and AWS Identifier Exchange 

LogicMonitor provides the Account ID, External ID, and Policy JSON for entry into the AWS console. AWS provides the Role ARN (Amazon Resource Name) to enter into the LogicMonitor portal.

1. From the LogicMonitor portal, navigate to Resources > Add > Cloud Account.

2. Select Add on the AWS tile.

3. Enter a Name for how the AWS account displays in the LogicMonitor portal. (Optional) Enter a Description.

4. In the lower right section of the screen, select Next: Permissions.

5. At the Permissions page in the wizard, Copy the Policy JSON.

Creating an AWS Policy with LogicMonitor JSON

1. In your AWS Console, search “iam” in the search bar, hover over the first result to allow the Top Features menu to appear, and select Policies.

2. From the top right of the Policy page, select the Create Policy button.

3. Select the JSON tab.

4. Delete the current JSON and enter the JSON policy that you created in your LogicMonitor portal. For more information, visit step 6 in the Initiate the LogicMonitor and AWS Identifier Exchange section.

Note: The elasticbeanstalk:ListTagsForResource permission is not yet supported by the AWS visual permissions editor, but it is required by LogicMonitor. You can alternatively use elasticbeanstalk:List* if desired.

5. In the lower-right of the screen, select Next: Tags.

6. Select Next: Review.

7. Enter a policy name in the Name* field. You will need this Name later to add this policy to the role.

8. In the lower right of the screen, select Create policy.

The AWS policy for the LogicMonitor integration is now successfully created.

Creating an AWS Role with the New Policy, LogicMonitor Account ID, and LogicMonitor External ID

1. From the IAM left side-bar, select Roles.

2. Return to the LogicMonitor portal, which was left on the AWS Account Permissions page. Copy the Account ID.

3. Return to the AWS Console (IAM > Roles page). Select Create role.

4. Select the AWS account option.

5. Select Another AWS account.

6. Enter the Account ID that was copied from the LogicMonitor portal.

7. Under Options, select Require external ID.

8. In your LogicMonitor portal, copy the External ID from the Permissions section wizard.

9. Enter the External ID from LogicMonitor into the External ID field in your AWS Console.

10. From the Add permissions page, search for the policy name that was created (step 7 in the “Create an AWS Policy with LogicMonitor JSON” section). Select the previously created policy, and then select the Next button in the lower right of the page to attach the policy to the AWS role that is being created.

11. Under the Role details heading and in the Role name field, type in a Role name, review the page, and select the Create Role button, which is located in the lower-right of the scrolled page.

12. Role creation may take a moment. Select the View role button within the green success bar.

Adding the Role ARN (Amazon Resource Name) to LogicMonitor and Testing the Permissions Synchronization

1. In your AWS Console, find the newly created role or specified role page, and copy the ARN to your clipboard.

2. In your LogicMonitor portal, enter the ARN in the Role ARN field on the Permissions step of the LogicMonitor wizard. Select Next: Services.

3. Review the services that you want to monitor. Select the Default Settings and review the different monitoring options (scan frequency, regions, tags, and more).

4. Select Test Permissions. A Success notification displays near the bottom of the page.

Note: Testing the credentials and permissions synchronization may take 5-10 seconds.

5. In the lower-right of the scrolled-down LM Wizard Services page, select Next: Billing. For more information, see AWS Billing Monitoring – Cost & Usage Report.

6. To finish without adding AWS Billing monitoring, select Skip and Finish.

Additional Information

For more information, see Setting up AWS Logs Ingestion

For more information, see Visualize your cloud environments with auto-generated dashboards and reports

For more information, see Specify any custom Cloudwatch metrics you want to be monitored in LogicMonitor

For more information, see Set up LogicMonitor’s custom AWS event integration

For more information, see LogicModule Updates
