This integration is powered by Elastic Agent. Elastic Agent is a single, unified agent that you can deploy to hosts or containers to collect data and send it to the Elastic Stack. Behind the scenes, Elastic Agent runs the Beats shippers or Elastic Endpoint required for your configuration. Please refer to our documentation for a detailed comparison between Beats and Elastic Agent.
This integration is used to fetches logs and metrics from Amazon Web Services.
AWS credentials are required for running AWS integration.
- access_key_id: first part of access key.
- secret_access_key: second part of access key.
- session_token: required when using temporary security credentials.
- credential_profile_name: profile name in shared credentials file.
- shared_credential_file: directory of the shared credentials file.
- endpoint: URL of the entry point for an AWS web service.
- role_arn: AWS IAM Role to assume.
There are three types of AWS credentials can be used: access keys, temporary security credentials and IAM role ARN.
AWS_SECRET_ACCESS_KEY are the two parts of access keys.
They are long-term credentials for an IAM user, or the AWS account root user.
Please see AWS Access Keys and Secret Access Keys
for more details.
Temporary security credentials has a limited lifetime and consists of an
access key ID, a secret access key, and a security token which typically returned
GetSessionToken. MFA-enabled IAM users would need to submit an MFA code
default_region identifies the AWS Region
whose servers you want to send your first API request to by default. This is
typically the Region closest to you, but it can be any Region. Please see
Temporary Security Credentials
for more details.
sts get-session-token AWS CLI can be used to generate temporary credentials.
For example. with MFA-enabled:
aws> sts get-session-token --serial-number arn:aws:iam::1234:firstname.lastname@example.org --duration-seconds 129600 --token-code 123456
Because temporary security credentials are short term, after they expire, the
user needs to generate new ones and manually update the package configuration in
order to continue collecting
aws metrics. This will cause data loss if the
configuration is not updated with new credentials before the old ones expire.
An IAM role is an IAM identity that you can create in your account that has specific permissions that determine what the identity can and cannot do in AWS. A role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. IAM role Amazon Resource Name (ARN) can be used to specify which AWS IAM role to assume to generate temporary credentials. Please see AssumeRole API documentation for more details.
- Use access keys: Access keys include
role_arn is used to specify which AWS IAM role to assume
for generating temporary credentials. If
role_arn is given, the package will
check if access keys are given. If not, the package will check for credential
profile name. If neither is given, default credential profile will be used.
Please make sure credentials are given under either a credential profile or
role_arn are all not given, then
the package will check for
credential_profile_name. If you use different
credentials for different tools or applications, you can use profiles to
configure multiple access keys in the same configuration file. If there is
credential_profile_name given, the default profile will be used.
shared_credential_file is optional to specify the directory of your shared
credentials file. If it's empty, the default directory will be used.
In Windows, shared credentials file is at
For Linux, macOS or Unix, the file locates at
~/.aws/credentials. Please see
Create Shared Credentials File
for more details.
Specific AWS permissions are required for the IAM user to make specific AWS API calls. In order to enable AWS integration, please make sure these permissions are given: