
Configure an AWS account for cloud monitoring

Updated May 15, 2018

Before adding AWS accounts to the Orion Platform, IAM permissions must be configured in the AWS Management Console to provide access to the Orion Platform so it can collect status and metrics for AWS instances.

To integrate the AWS cloud service with the Orion Platform, Identity and Access Management (IAM) permissions must be configured and IAM policies must be assigned to AWS accounts, as described next. Consult your system administrator and refer to AWS documentation for details.

Establish AWS IAM permissions

To interact with the Orion Platform, an AWS account must be able to retrieve CloudWatch metrics from various resources. Review Authentication and Access Control for Amazon CloudWatch and use this section as a reference for specific permissions.

Although you can embed inline policies to set permissions, SolarWinds recommends attaching an IAM policy to an account so JSON code can be used to permit or restrict user actions.

Each AWS account requires the following resource-level permissions:

  • ec2:DescribeInstances
  • ec2:DescribeAddresses
  • ec2:DescribeVolumes
  • ec2:DescribeVolumeStatus
  • cloudwatch:GetMetricStatistics
  • autoscaling:DescribeAutoScalingInstances

To define actions that can be performed against an instance, add the following permissions:

  • ec2:StartInstances
  • ec2:StopInstances
  • ec2:RebootInstances
  • ec2:TerminateInstances

The following JSON code provides standard access to an Orion Platform user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeAddresses",
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumeStatus",
                "cloudwatch:GetMetricStatistics",
                "autoscaling:DescribeAutoScalingGroups"
            ],
            "Resource": "*"
        }
    ]
}

Per AWS documentation (© 2018 Amazon Web Services, Inc., available at https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_version.html, obtained on May 16, 2018), the Version element must appear before the Statement element. The only allowed values are:

  • 2012-10-17. This is the current version of the policy language that you should use for all policies.
  • 2008-10-17. This earlier version of the policy language may appear on existing policies. Do not use this version when adding or updating policies.
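
The following Python check is an added example, not part of the SolarWinds guide or of AWS tooling: it parses a policy document before it is attached, confirms the Version value, and separates the state-changing actions from the read-only monitoring actions listed above. The function names and the sample policy are constructed for illustration.

```python
import json

# Action lists as given on this page (both autoscaling spellings appear there).
MONITORING = {a.lower() for a in (
    "ec2:DescribeInstances", "ec2:DescribeAddresses", "ec2:DescribeVolumes",
    "ec2:DescribeVolumeStatus", "cloudwatch:GetMetricStatistics",
    "autoscaling:DescribeAutoScalingInstances",
    "autoscaling:DescribeAutoScalingGroups")}
MANAGEMENT = {a.lower() for a in (
    "ec2:StartInstances", "ec2:StopInstances",
    "ec2:RebootInstances", "ec2:TerminateInstances")}

def as_list(value):
    """IAM accepts either a single item or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy_text):
    """Return (findings, state_changing_actions) for a policy document."""
    policy = json.loads(policy_text)  # strict JSON: a trailing comma raises
    findings, state_changing = [], []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version is not 2012-10-17")
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append("Allow with NotAction grants every unlisted action")
        for action in as_list(stmt.get("Action", [])):
            name = action.lower()  # IAM action names are case-insensitive
            if "*" in name or "?" in name:
                findings.append("wildcard action: " + action)
            elif name in MANAGEMENT:
                state_changing.append(action)
            elif name not in MONITORING:
                findings.append("action not in this guide: " + action)
    return findings, sorted(state_changing)

# Constructed sample: old Version, a wildcard, a stop action, an unrelated action.
SAMPLE_POLICY = """{
  "Version": "2008-10-17",
  "Statement": {
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:DescribeInstances", "cloudwatch:GetMetricStatistics",
               "ec2:stopinstances", "ec2:Describe*", "s3:GetObject"]
  }
}"""

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY))
```

An empty findings list together with an empty state-changing list means the policy grants only the monitoring actions; any entry in the second list means the Orion account can start, stop, reboot or terminate instances.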

Add an IAM policy to AWS accounts

These steps describe how to create an AWS IAM policy to attach to AWS accounts.

  1. Log in to the AWS Management Console and open the IAM console.
  2. Click Policies.
  3. If this is your first time adding Policies, the Welcome page appears. Click Get Started.
  4. Click Create Policy.
  5. On the Create Policy page, click Select > Create Your Own Policy.
  6. Enter policy details, such as name and description.
  7. To enter policies in a policy editor, add the following permission statements to the Policy Document:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances",
                    "ec2:DescribeAddresses",
                    "ec2:DescribeVolumes",
                    "ec2:DescribeVolumeStatus",
                    "cloudwatch:GetMetricStatistics",
                    "autoscaling:DescribeAutoScalingGroups",
                    "ec2:StopInstances",
                    "ec2:StartInstances",
                    "ec2:RebootInstances",
                    "ec2:TerminateInstances"
                ],
                "Resource": "*"
            }
        ]
    }
  8. Click Validate Policy.
  9. Click Create Policy.

To attach the policy to an account:

  1. In the AWS Management Console, click Policies.
  2. Navigate to the policy and select its check box.
  3. Click Policy Actions > Attach.
  4. Select the All Types option and Users.
  5. Navigate to the account and select its check box.
  6. Click Attach Policy.

Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment.  You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.

 