AWS

The AWS integration is used to fetch logs and metrics from Amazon Web Services.

Use the AWS integration to collect metrics and logs across many AWS services managed by your AWS account. Visualize that data in Kibana, create alerts to notify you if something goes wrong, and reference data when troubleshooting an issue.

Extra AWS charges on CloudWatch API requests will be generated by this integration. Please see API Requests for more details.

Data streams

The AWS integration collects two types of data, logs and metrics, across many AWS services.

Logs help you keep a record of events that happen in your AWS account. This may include every user request that CloudFront receives, every action taken on your services by an AWS user or role, and more.

Metrics give you insight into the state of your AWS services. his may include understanding where you're spending the most and why, the volume of storage you're using, CPU utilization of your instances, and more.

For a complete list of all AWS services and the data streams available for each, see Reference.

API requests

Overview

The AWS integration uses different AWS API to bootstrap and collect metrics and logs. The following table illustrates which APIs are used by the AWS integration and how.

Each of these APIs may generate extra charges on your AWS Account. Please refer to AWS Princing for more information.

Metrics collection and cost considerations

For each AWS service you enable metrics data collection for, the AWS integration will collect metrics in all the AWS regions where there are available metrics for that service. The collection period is also set to sensible defaults that should fit the majority of use cases.

The extra-charges generated by GetMetricData API calls are proportional to the frequency we collect data and the amount of metrics that are queried for. If you are concerned about the cost derived by enabling any metrics collection, we recommend reviewing the following parameters:

• Regions. By selecting only the AWS Regions you are interested in, you can make sure that no unnecessary Cloudwatch API call is performed against irrelevant AWS regions.
• Collection Period and Data Granularity. By setting Collection Period and Data Granularity together, you can control, respectively, how frequently you want your metrics to be collected and how granular they have to be. If you can tolerate an extra delay in retrieving metrics as trade off, you may consider setting data_granularity and increase the value for Collection Period to reduce extra charges. For example, setting Data Granularity to your current value for Period, and doubling the value of Period, may lead to a 50% savings.
• Tags Filter. By specifying a tag, you can ensure that no Cloudwatch API call is performed for AWS resources you are not interested in.

Requirements

Before using the AWS integration you will need:

• AWS Credentials to connect with your AWS account.
• AWS Permissions to make sure the user you're using to connect has permission to share the relevant data.

AWS Credentials

AWS credentials are required for running AWS integrations. There are a few ways to provide AWS credentials:

• Use access keys directly
• Use temporary security credentials
• Use a shared credentials file
• Use an IAM role Amazon Resource Name (ARN)

Use access keys directly

Access keys are long-term credentials for an IAM user or the AWS account root user. To use access keys as credentials, you need to provide:

• access_key_id: The first part of the access key.
• secret_access_key: The second part of the access key.

For more details see AWS Access Keys and Secret Access Keys.

Use temporary security credentials

Temporary security credentials can be configured in AWS to last for some period of time. They consist of an access key ID, a secret access key, and a security token, which is typically returned using GetSessionToken. IAM users with multi-factor authentication (MFA) enabled need to submit an MFA code while calling GetSessionToken. For more details see Temporary Security Credentials.

You can use AWS CLI to generate temporary credentials. For example, you would use sts get-session-token if you have MFA enabled:

aws> sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@example.com --duration-seconds 129600 --token-code 123456

Then, use the response to provide the following options to the AWS integration:

• access_key_id: The first part of the access key.
• secret_access_key: The second part of the access key.
• session_token: A token required when using temporary security credentials.

Because temporary security credentials are short term, after they expire, you will need to generate new ones and manually update the package configuration to continue collecting AWS metrics. This will cause data loss if the configuration is not updated with the new credentials before the old ones expire.

Use a shared credentials file

If you use different credentials for different tools or applications, you can use profiles to configure multiple access keys in the same configuration file. For more details see Create Shared Credentials File

Instead of providing the access_key_id and secret_access_key directly to the integration, you will provide two advanced options to look up the access keys in the shared credentials file:

• credential_profile_name: The profile name in shared credentials file.
• shared_credential_file: The directory of the shared credentials file.

Note: If you don't provide values for all keys, the integration will use defaults:

• If access_key_id, secret_access_key and role_arn are all not provided, then the package will check for credential_profile_name.
• If there is no credential_profile_name given, the default profile will be used.
• If shared_credential_file is empty, the default directory will be used.
  • In Windows, shared credentials file is located at C:\Users\<yourUserName>\.aws\credentials.
  • For Linux, macOS, or Unix, the file is located at ~/.aws/credentials.

Use an IAM role Amazon Resource Name (ARN)

An IAM role ARN is an IAM identity that you can create in your AWS account. You determine what the role has permission to do. A role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role it provides you with temporary security credentials for your role session. IAM role ARN can be used to specify which AWS IAM role to assume to generate temporary credentials. For more details see AssumeRole API documentation.

To use an IAM role ARN, you need to provide either a credential profile or access keys along with the role_arn advanced option. role_arn is used to specify which AWS IAM role to assume for generating temporary credentials.

Note: If role_arn is given, the package will check if access keys are given. If they are not given, the package will check for a credential profile name. If neither is given, the default credential profile will be used.

AWS Permissions

Specific AWS permissions are required for the IAM user to make specific AWS API calls. To enable the AWS integration to collect metrics and logs from all supported services, make sure these permissions are given:

• ec2:DescribeInstances
• ec2:DescribeRegions
• cloudwatch:GetMetricData
• cloudwatch:ListMetrics
• iam:ListAccountAliases
• rds:DescribeDBInstances
• rds:ListTagsForResource
• s3:GetObject
• sns:ListTopics
• sqs:ChangeMessageVisibility
• sqs:DeleteMessage
• sqs:ListQueues
• sqs:ReceiveMessage
• sts:AssumeRole
• sts:GetCallerIdentity
• tag:GetResources

Setup

Use the AWS integration to connect to your AWS account and collect data from multiple AWS services. When you configure the integration, you can collect data from as many AWS services as you'd like.

If you only need to collect data from one AWS service, consider using the individual integration (for example, to only collect billing metrics, you can use the AWS CloudFront integration).

For step-by-step instructions on how to set up an integration, see the Getting started guide.

Reference

Below is an overview of the type of data you can collect from each AWS service. Visit the page for each individual AWS integration to see details about exported fields.

Changelog