
Monitoring Your AWS Environment

Adding your AWS environment into LogicMonitor for monitoring is simple. To get started:

1. Navigate to the Resources page, click Add and select “Cloud Account”.

2. Under Amazon Web Services, click Add to start the “Add AWS Account” wizard.

Define the AWS account

Enter the following information to define how the AWS account should appear in your LogicMonitor environment.

  • Name: (Required) Enter a name for the account.
  • Description: Provide more information about the account.
  • Parent Group: (Required) Specify where the account will be placed in the Resources page.

Create a New AWS Role

LogicMonitor provides an AWS Account ID and External ID that you will use to create a cross-account IAM role to access your AWS resources (such as CloudWatch and SDK metrics).

1. In your AWS Console, from the IAM > Roles section, create a new role with the role type “Another AWS account”.

2. Fill in the Account ID and External ID to specify the LogicMonitor account that will use this IAM role.
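The role created in these two steps carries a trust policy that names the LogicMonitor account as principal and requires the External ID on sts:AssumeRole. The check below is an added example, not LogicMonitor's code or part of the original page; the account ID and External ID are constructed placeholders, and the function names are hypothetical.

```python
# Constructed placeholders: substitute the Account ID and External ID from the wizard.
LM_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id"

def as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def principal_account(principal):
    """Account ID from 'arn:aws:iam::<id>:root', or the bare value otherwise."""
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 else principal

def check_trust_policy(policy, account_id, external_id):
    """Return findings; an empty list means the role is scoped as expected."""
    findings, seen = [], False
    for stmt in as_list(policy.get("Statement", [])):
        actions = as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        seen = True
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        # Exactly one principal, and it must be the expected account.
        if [principal_account(p) for p in as_list(aws)] != [account_id]:
            findings.append(f"unexpected principal: {aws}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if as_list(cond.get("sts:ExternalId", [])) != [external_id]:
            findings.append("sts:ExternalId condition missing or wrong")
    if not seen:
        findings.append("no Allow statement for sts:AssumeRole")
    return findings

def trust_policy(principal, external_id=None):
    """Build a constructed sample trust policy for the checks below."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole"}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

ROOT = f"arn:aws:iam::{LM_ACCOUNT_ID}:root"
GOOD = trust_policy(ROOT, EXTERNAL_ID)
NO_EXTERNAL_ID = trust_policy(ROOT)  # role assumable without presenting the External ID

if __name__ == "__main__":
    for name, pol in (("good", GOOD), ("no external id", NO_EXTERNAL_ID)):
        print(name, check_trust_policy(pol, LM_ACCOUNT_ID, EXTERNAL_ID))
```

To check a real role, pass the parsed AssumeRolePolicyDocument of the role in place of the sample policies.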

Create a new Policy

The IAM role you created needs to have permission to access the data for your AWS resources.

In your AWS Console, from the IAM > Policies section, create a new policy.

You have two options for this:

1. (Recommended) Attach the default AWS ‘ReadOnlyAccess’ policy to your LogicMonitor role and add additional permissions for certain AWS resources as necessary. You’ll also need ‘AWSSupportAccess’ if you want service limit monitoring via Trusted Advisor, and ‘CostExplorer’ read access if you want monitoring for reserved instances. We recommend this option because updates and changes are less likely to affect the collection of your AWS data.

2. Attach the custom JSON policy (provided below) that includes the minimum permissions necessary for LogicMonitor to collect data for your AWS resources. You may omit permissions for services you don’t intend to monitor with LogicMonitor.

Add Role ARN to LogicMonitor

Once you create the IAM role in AWS, you will be given an ARN. This ARN needs to be added to LogicMonitor (for the same AWS account group you got the External ID from).

Configure AWS Services to monitor

In the Services section, you can select the services you want to monitor, define your default service settings, and specify tags. For a list of AWS services monitored, see this page.

Set up monitoring for AWS Billing

LogicMonitor supports monitoring of AWS billing data using AWS Cost and Usage Reports. This step is optional when creating your AWS account; you can set it up later.

Custom JSON Policy

The following policy includes the minimum permissions necessary for LogicMonitor to collect data for your AWS resources.

Note: The elasticbeanstalk:ListTagsForResource permission is not yet supported by the AWS visual permissions editor, but it is required by LogicMonitor. You can alternatively use elasticbeanstalk:List* if desired.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "states:DescribeStateMachine",
                "lambda:GetFunctionConfiguration",
                "athena:ListWorkGroups",
                "s3:List*",
                "cloudwatch:Describe*",
                "kinesis:ListStreams",
                "opsworks:ListTags",
                "mq:DescribeBroker",
                "route53:Get*",
                "elasticbeanstalk:DescribeEnvironments",
                "kafka:Describe*",
                "fsx:ListTagsForResource",
                "glue:GetJobs",
                "lambda:List*",
                "dms:Describe*",
                "firehose:DescribeDeliveryStream",
                "elasticloadbalancing:DescribeAccountLimits",
                "firehose:ListDeliveryStreams",
                "swf:ListDomains",
                "s3:GetBucketTagging",
                "dynamodb:ListTables",
                "sns:ListTopics",
                "ce:GetCostAndUsage",
                "appstream:ListTagsForResource",
                "cloudsearch:ListTags",
                "elasticbeanstalk:ListTagsForResource",
                "swf:ListOpenWorkflowExecutions",
                "athena:GetWorkGroup",
                "elasticmapreduce:List*",
                "ce:GetReservationUtilization",
                "mq:ListTags",
                "ce:GetDimensionValues",
                "rds:DescribeDBInstances",
                "cloudsearch:DescribeDomains",
                "workspaces:DescribeWorkspaceDirectories",
                "dms:ListTagsForResource",
                "sns:GetTopicAttributes",
                "ecs:Describe*",
                "swf:DescribeWorkflowType",
                "ses:GetSendStatistics",
                "kinesis:DescribeStream",
                "glue:GetTags",
                "glue:ListJobs",
                "directconnect:Describe*",
                "es:ListDomainNames",
                "ec2:Describe*",
                "rds:ListTagsForResource",
                "workspaces:DescribeTags",
                "elasticloadbalancing:DescribeTargetGroups",
                "iam:GetUser",
                "cloudfront:list*",
                "s3:GetObjectVersion",
                "ce:GetTags",
                "states:ListTagsForResource",
                "opsworks:DescribeStacks",
                "states:ListStateMachines",
                "ses:List*",
                "es:ListTags",
                "elasticmapreduce:Describe*",
                "cloudfront:GetDistribution",
                "elasticloadbalancing:DescribeLoadBalancers",
                "dynamodb:DescribeTable",
                "autoscaling:DescribeAutoScalingGroups",
                "route53:List*",
                "apigateway:GET",
                "es:Describe*",
                "workspaces:DescribeWorkspaces",
                "sqs:GetQueueUrl",
                "elasticfilesystem:Describe*",
                "sqs:GetQueueAttributes",
                "cloudsearch:ListDomainNames",
                "swf:ListWorkflowTypes",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "s3:GetObject",
                "kafka:List*",
                "elasticache:DescribeCacheClusters",
                "elasticache:ListTagsForResource",
                "glue:GetJob",
                "fsx:DescribeFileSystems",
                "mq:ListBrokers",
                "ses:GetSendQuota",
                "autoscaling:DescribeAccountLimits",
                "appstream:DescribeFleets",
                "cloudwatch:Get*",
                "ecs:List*",
                "swf:DescribeActivityType",
                "sqs:ListQueues",
                "swf:ListActivityTypes",
                "kafka:Get*",
                "elasticloadbalancing:DescribeTags",
                "cloudwatch:List*",
                "ses:Describe*",
                "athena:ListTagsForResource",
                "support:*",
                "kinesis:ListTagsForStream",
                "redshift:DescribeClusters",
                "s3:GetBucketLocation",
                "servicequotas:GetServiceQuota",
                "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate",
                "servicequotas:ListAWSDefaultServiceQuotas",
                "servicequotas:ListRequestedServiceQuotaChangeHistory",
                "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota",
                "servicequotas:ListServices",
                "servicequotas:ListServiceQuotas",
                "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate"
            ],
            "Resource": "*"
        }
    ]
}
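
Option 2 above says permissions for services you don’t monitor may be omitted. The following sketch, an added example that is not LogicMonitor's code or part of the original page, trims a policy to a chosen set of service prefixes and lists the entries that grant more than a single read action. The excerpt of actions, the set of monitored services, and the function names are assumptions made for illustration.

```python
# Constructed excerpt: a handful of the actions from the policy above.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "ec2:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
            "s3:List*", "s3:GetObject", "rds:DescribeDBInstances",
            "kafka:Describe*", "support:*", "swf:ListDomains",
        ],
        "Resource": "*",
    }],
}

def service_of(action):
    """Service prefix of an IAM action; prefixes are case-insensitive."""
    return action.split(":", 1)[0].lower()

def prune_policy(policy, monitored):
    """Return a copy of the policy keeping only actions for monitored services."""
    pruned = {"Version": policy["Version"], "Statement": []}
    for stmt in policy["Statement"]:
        kept = [a for a in stmt["Action"] if service_of(a) in monitored]
        if kept:  # drop statements left with no actions
            pruned["Statement"].append({**stmt, "Action": sorted(kept)})
    return pruned

def review_points(policy):
    """List actions worth a second look before attaching the policy."""
    points = []
    for stmt in policy["Statement"]:
        for action in stmt["Action"]:
            name = action.split(":", 1)[1]
            if name == "*":
                points.append(f"{action}: full-service wildcard, not limited to reads")
            elif name.lower().startswith("getobject") and stmt["Resource"] == "*":
                points.append(f"{action}: object reads with Resource '*'")
    return points

if __name__ == "__main__":
    monitored = {"ec2", "cloudwatch", "s3"}  # assumption: services you monitor
    print(prune_policy(POLICY, monitored)["Statement"][0]["Action"])
    print(review_points(POLICY))
```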

Next steps

After you finish adding your AWS account, you should update your DataSources by importing any recently released Cloud Monitoring DataSources into your account.

You may also want to complete the following set up steps:
