
Monitoring Your AWS Environment

Adding your AWS environment into LogicMonitor for monitoring is simple. To get started:

1. Navigate to the Resources page, click Add and select “Cloud Account”.

2. Under Amazon Web Services, click Add to start the “Add AWS Account” wizard.

Name settings

Under the “Name” settings, enter the following information to define how the AWS account should appear in your LogicMonitor environment.

  • Name: (Required) Enter a name for the account.
  • Description: Provide more information about the account.
  • Parent Group: (Required) Specify where the account will be placed in the Resources page.
  • Properties: Enter name and value pairs for the AWS account. See Resource and Instance Properties.

Permissions settings

LogicMonitor provides an AWS Account ID and External ID that you will use to create a cross-account IAM role to access your AWS resources (such as CloudWatch and SDK metrics).

1. In your AWS Console, from the IAM > Roles section, create a new role with the role type “Another AWS account”.

2. Fill in the Account ID and External ID to specify the LogicMonitor account that will use this IAM role.

Note: The generated AWS External ID is only valid for 1 hour. If you need more time to create a new integration, use the Refresh button to generate a new ID. (This new ID will be valid for 1 hour after you refresh.)
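The External ID is what stops another party from getting LogicMonitor to assume your role on their behalf, so check that the trust policy on the finished role actually enforces it. The following is an added example, not LogicMonitor's code; the account ID and External ID in the sample are constructed placeholders, and the function name is hypothetical.

```python
import json

# Constructed sample: shape of the trust policy on an "Another AWS account" role
# that requires an external ID. Account ID and External ID are placeholders.
SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
  }]
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy, expected_account, expected_external_id):
    """Return a list of findings; an empty list means the trust is scoped as intended."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not aws_principals:
            continue  # service or federated principals are out of scope here
        for p in aws_principals:
            # A principal is either a bare account ID or an ARN inside that account.
            account = p if p.isdigit() else (p.split(":")[4] if p.count(":") >= 5 else p)
            if account != expected_account:
                findings.append(f"unexpected principal: {p}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
        elif expected_external_id not in _as_list(ext):
            findings.append("sts:ExternalId does not match the ID shown in LogicMonitor")
    return findings
```

Feed it the role's trust policy document together with the Account ID and External ID shown in the wizard.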

Create a new Policy

The IAM role you created needs to have permission to access the data for your AWS resources.

In your AWS Console, from the IAM > Policies section, create a new policy.

You have two options for this:

1. (Recommended) Attach the default AWS ‘ReadOnlyAccess’ policy to your LogicMonitor role and add additional permissions for certain AWS resources as necessary. You’ll also need ‘AWSSupportAccess’ if you want service limit monitoring via Trusted Advisor, and ‘CostExplorer’ read access if you want monitoring for reserved instances.

Note: We recommend this option because updates and changes are less likely to affect the collection of your AWS data.

2. Attach the custom JSON policy (provided below) that includes the minimum permissions necessary for LogicMonitor to collect data for your AWS resources. You may omit permissions for services you don’t intend to monitor with LogicMonitor.

Add Role ARN to LogicMonitor

Once you create the IAM role in AWS, you will be given an ARN. Add this ARN to LogicMonitor (for the same AWS account group you got the External ID from).

Services settings

Under the Services settings, you can select and configure the services you want to monitor, define your default service settings, and specify tags. For a list of AWS services monitored, see this page.

Use Global Settings to define the default settings for monitored services. You can then configure individual services to inherit from this default.

The Netscan Frequency defines how often LogicMonitor will automatically check for new AWS resources in your account.

You can choose to Automatically delete terminated AWS resources and specify whether to delete the resources immediately or after a time period when no data is received for the resource. This will not remove stopped instances.

Choose Automatically disable alerting for terminated AWS resources to make sure that you will not receive alerts after the resources are deleted.

Monitored Regions lets you select the regions that apply to this account and where services should be discovered.

Note: LogicMonitor does not support Government Cloud Regions for AWS.

Use Tags to define filtering criteria for the AWS resources that will be added to your account. When adding tag items:

  • You can use glob expressions with the tag filter, for example: tag value = prod*
  • Resources will be discovered if they contain one or more tags specified with an include operation but not any of the exclude tags.
  • The tag filter is case sensitive.

Billing settings

Under Billing, you can set up monitoring for AWS billing usage. This step is optional when creating your AWS account; you can set it up later.

LogicMonitor supports monitoring of AWS billing data using AWS Cost & Usage Reports. For more information about creating the Cost & Usage Report, see AWS Billing Monitoring.

After you create and configure the Cost & Usage Report in AWS, supply the S3 bucket (where the report is stored) and the report path in your AWS account settings in LogicMonitor.

Custom JSON Policy

For your reference, the following policy includes the minimum permissions necessary for LogicMonitor to collect data for your AWS resources.

Note: The elasticbeanstalk:ListTagsForResource permission is not yet supported by the AWS visual permissions editor, but it is required by LogicMonitor. You can alternatively use elasticbeanstalk:List* if desired.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "apigateway:GET",
                "appstream:DescribeFleets",
                "appstream:ListTagsForResource",
                "athena:GetWorkGroup",
                "athena:ListTagsForResource",
                "athena:ListWorkGroups",
                "autoscaling:DescribeAccountLimits",
                "autoscaling:DescribeAutoScalingGroups",
                "ce:GetCostAndUsage",
                "ce:GetDimensionValues",
                "ce:GetReservationUtilization",
                "ce:GetTags",
                "cloudfront:GetDistribution",
                "cloudfront:list*",
                "cloudsearch:DescribeDomains",
                "cloudsearch:List*",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "codebuild:List*",
                "codebuild:Describe*",
                "directconnect:Describe*",
                "dms:Describe*",
                "dms:ListTagsForResource",
                "dynamodb:DescribeTable",
                "dynamodb:ListTables",
                "documentdb:DescribeTable",
                "documentdb:ListTables",
                "ec2:Describe*",
                "ecs:Describe*",
                "ecs:List*",
                "elasticache:DescribeCacheClusters",
                "elasticache:ListTagsForResource",
                "elasticbeanstalk:DescribeEnvironments",
                "elasticbeanstalk:ListTagsForResource",
                "elasticfilesystem:Describe*",
                "elasticloadbalancing:DescribeAccountLimits",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticmapreduce:Describe*",
                "elasticmapreduce:List*",
                "es:Describe*",
                "es:ListDomainNames",
                "es:ListTags",
                "events:Describe*",
                "events:List*",
                "firehose:DescribeDeliveryStream",
                "firehose:ListDeliveryStreams",
                "fsx:DescribeFileSystems",
                "fsx:ListTagsForResource",
                "glue:GetJob",
                "glue:GetJobs",
                "glue:GetTags",
                "glue:ListJobs",
                "iam:GetUser",
                "kafka:Describe*",
                "kafka:Get*",
                "kafka:List*",
                "kinesis:DescribeStream",
                "kinesis:ListStreams",
                "kinesis:ListTagsForStream",
                "kinesisvideo:DescribeStream",
                "kinesisvideo:ListStreams",
                "kinesisvideo:ListTagsForStream",
                "lambda:GetFunctionConfiguration",
                "lambda:List*",
                "mediaconnect:Describe*",
                "mediaconnect:List*",
                "mediaconvert:Describe*",
                "mediaconvert:Get*",
                "mediaconvert:List*",
                "mediastore:Describe*",
                "mediastore:Get*",
                "mediastore:List*",
                "mediatailor:Get*",
                "mediatailor:List*",
                "mediapackage:Describe*",
                "mediapackage:List*",
                "mediapackage-vod:Describe*",
                "mediapackage-vod:List*",
                "mq:DescribeBroker",
                "mq:ListBrokers",
                "mq:ListTags",
                "opsworks:DescribeStacks",
                "opsworks:ListTags",
                "rds:Describe*",
                "rds:ListTagsForResource",
                "redshift:DescribeClusters",
                "route53:Get*",
                "route53:List*",
                "route53resolver:Get*",
                "route53resolver:List*",
                "s3:GetBucketLocation",
                "s3:GetBucketTagging",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:List*",
                "sagemaker:Describe*",
                "sagemaker:Get*",
                "sagemaker:List*",
                "servicequotas:GetServiceQuota",
                "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate",
                "servicequotas:ListAWSDefaultServiceQuotas",
                "servicequotas:ListRequestedServiceQuotaChangeHistory",
                "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota",
                "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate",
                "servicequotas:ListServiceQuotas",
                "servicequotas:ListServices",
                "ses:Describe*",
                "ses:GetSendQuota",
                "ses:GetSendStatistics",
                "ses:List*",
                "sns:GetTopicAttributes",
                "sns:ListTopics",
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl",
                "sqs:ListQueues",
                "states:DescribeStateMachine",
                "states:ListStateMachines",
                "states:ListTagsForResource",
                "support:*",
                "swf:DescribeActivityType",
                "swf:DescribeWorkflowType",
                "swf:ListActivityTypes",
                "swf:ListDomains",
                "swf:ListOpenWorkflowExecutions",
                "swf:ListWorkflowTypes",
                "workspaces:DescribeTags",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaces"
            ],
            "Resource": "*"
        }
    ]
}
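Since permissions for services you don't monitor can be omitted, one way to trim the policy and review what remains before attaching it is sketched here. This is an added example, not LogicMonitor's code; the function names are hypothetical, the excerpt is a constructed subset of the policy above, and treating Describe/Get/List names as read-only is a naming-convention assumption.

```python
READ_VERBS = ("describe", "get", "list")  # assumption: read-only by naming convention
OBJECT_READS = ("s3:getobject", "s3:getobjectversion")

def trim_policy(policy, monitored_services):
    """Return a copy of the policy keeping only actions for the given service prefixes."""
    keep = {s.lower() for s in monitored_services}
    trimmed = {"Version": policy["Version"], "Statement": []}
    for stmt in policy["Statement"]:
        actions = [a for a in stmt["Action"] if a.split(":", 1)[0].lower() in keep]
        if actions:
            trimmed["Statement"].append({**stmt, "Action": actions})
    return trimmed

def review_actions(policy):
    """Return (action, reason) pairs that deserve a second look before attaching."""
    notes = []
    for stmt in policy["Statement"]:
        for action in stmt["Action"]:
            _service, _, name = action.partition(":")
            if name == "*":
                notes.append((action, "grants every action in the service"))
            elif not name.lower().startswith(READ_VERBS):
                notes.append((action, "not a Describe/Get/List action"))
            elif action.lower() in OBJECT_READS and stmt.get("Resource") == "*":
                notes.append((action, "reads object contents in any bucket; scope Resource"))
    return notes

# Constructed excerpt with the same shape as the custom policy above.
EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["cloudwatch:Get*", "ec2:Describe*", "rds:Describe*",
                   "s3:GetObject", "s3:List*", "sqs:ListQueues", "support:*"],
        "Resource": "*",
    }],
}
```

Run against the full policy, `review_actions` reports `support:*` and the two S3 object-read actions; everything else follows the Describe/Get/List pattern.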

Next steps

After you finish adding your AWS account, you should update your DataSources by importing any recently released Cloud Monitoring DataSources into your account.

You may also want to complete the following setup steps:
