AWS Device Groups
You can use LogicMonitor's REST API to manage AWS groups. AWS groups are just LogicMonitor device groups with a few key differences. This document covers the differences, as well as how to add & update AWS Groups.
AWS Group Differentiators
- AWS Specific groupType: AWS groups have a special groupType value. Specifically, normal and dynamic groups will have a groupType value of Normal, while AWS device groups will have a value of AWS/SERVICE, where SERVICE is the AWS service the group was created for (e.g. EC2, RDS, S3, etc.). The AWS account level group will have a groupType value of AWS/AwsRoot.
- AWS specific fields: The awsRegionsInfo, awsTestResult and awsTestResultCode are all read-only fields specific to AWS groups. More importantly, AWS group specific information, such as AWS account credentials & AWS service/region configurations, are included in the 'extra' object in the device group JSON. Specifically the extra object includes the following information:
Adding an AWS Group
LogicMonitor requires a designated AWS IAM Cross Account Role to authenticate CloudWatch data collection requests. When you add your AWS account into LogicMonitor you'll need to provide such a role. As such, to add an AWS Group you'll need to:
- Make a GET request to /aws/externalId resource (i.e. GET "https://ACCOUNT.logicmonitor.com/santaba/rest/aws/externalId") to get an external Id. Note that this external Id is only valid for one hour, and must be requested by the same user that will perform step 2 (which enables LM to verify the external Id for step 2).
- Create an AWS cross account role with the external Id from step 1 for LogicMonitor's Account Id (282028653949). You can do this programmatically via AWS development tools (e.g. CLI, SDK).
- Make a POST request to the /device/groups resource to add your AWS account into LogicMonitor.
1. Get External ID
The following Python script requests an external Id for account api.logicmonitor.com:
2. POST new AWS group
The following Python script request adds an AWS Group named 'LM AWS'. The default service settings section only has three regions selected: us-east-1, us-west-1 and us-west-2, and resources are not set to be automatically deleted. The EC2 service is selected for monitoring, where EC2 has two tag filters applied, nine regions selected, and resources are set to be automatically deleted after 7 days. The auto discovery frequency for the account is not set, and will default to every hour, and a billing bucket named 'ProdS3Billing' is provided with prefix 'billing/prod'. Additionally, a property 'customer' is added to the group and set to the value 'customerA'.
Updating an AWS Group
If you're updating an AWS Group, we recommend first making a GET request to get the group JSON, parsing the output, replacing the desired values, and then using PUT to update the resource.
The following Python script makes a GET request to get device group 39 (which happens to be the AWS root group), parses out the response, replaces the assigned Collector, adds the configuration object, and then makes a PUT request to update the group 39: