
Learn more about Amazon EC2 credentials for cloud monitoring


Updated: 2-21-2017

To monitor Amazon EC2 instances, you should have an AWS account with up to 10 IAM user accounts. You use the access keys of an IAM user account to configure cloud infrastructure monitoring in SAM and integrated VMAN, not the credentials of the AWS account itself.

For AWS monitoring in SAM and integrated VMAN, you should have:

  • An AWS IAM user account with permissions assigned for CloudWatch metrics
  • The Access Key ID and Secret Access Key for that IAM user account. Locate these values through the AWS console.

Use these access keys to configure cloud infrastructure monitoring the first time or to add another account.

To poll metrics through Amazon APIs into the Orion Platform, your AWS IAM accounts require a set of permissions.

You can add these permissions to existing AWS IAM user accounts or policies using either of the options described in the sections below: a custom policy attached to a user account, or an inline policy created per user account.

SolarWinds recommends setting permissions using the console and JSON as described in this section. You can also set permissions using the command line. For information, see the AWS Command Line Reference.

For more information about AWS IAM user accounts, see this FAQ and the AWS documentation.

AWS permissions

The AWS IAM user account should include the following permissions required for cloud infrastructure monitoring:

  • ec2:DescribeInstances
  • ec2:DescribeAddresses
  • ec2:DescribeVolumes
  • ec2:DescribeVolumeStatus
  • cloudwatch:GetMetricStatistics
  • autoscaling:DescribeAutoScalingInstances

For additional management actions, add the following permissions to the AWS IAM user account:

  • ec2:StartInstances
  • ec2:StopInstances
  • ec2:RebootInstances
  • ec2:TerminateInstances

If your AWS IAM user account has read-only access, you may receive an unauthorized message when issuing management actions: "You are not authorized to perform this operation".

Restrict management actions for cloud instance nodes

To restrict Orion account users from the node Management options, omit any or all of the following permissions from the AWS IAM account permissions.

  • ec2:StartInstances
  • ec2:StopInstances
  • ec2:RebootInstances
  • ec2:TerminateInstances

The following sections include JSON code snippets that contain these permissions. To restrict users to monitoring only, use this JSON code snippet, which omits the management actions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeAddresses",
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumeStatus",
                "cloudwatch:GetMetricStatistics",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances"
            ],
            "Resource": "*"
        }
    ]
}

When an Orion user whose IAM account lacks the management AWS permissions attempts to use those options in the Orion Web Console, an error message displays indicating that the user does not have the correct permissions: "You are not authorized to perform this operation".
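To check a policy document before attaching it to the IAM user that SAM will use, the following Python script is an added example written for this page; it is not SolarWinds code and is not part of SAM or AWS. It takes the permission lists above and reports which monitoring permissions a policy fails to grant and which management actions it grants, resolving IAM's case-insensitive action matching, `*`/`?` wildcards, and explicit Deny statements. The two sample policies embedded in it are constructed: the first is the read-only policy from this page, the second is an assumed over-broad policy of the kind an operator might paste by mistake. Statements using NotAction, Condition, or a Resource other than "*" are not modelled.

```python
import fnmatch
import json

# Permissions the page lists as required for cloud infrastructure monitoring.
MONITORING_ACTIONS = frozenset({
    "ec2:DescribeInstances",
    "ec2:DescribeAddresses",
    "ec2:DescribeVolumes",
    "ec2:DescribeVolumeStatus",
    "cloudwatch:GetMetricStatistics",
    "autoscaling:DescribeAutoScalingInstances",
})

# Optional management actions; omitting any of them disables that node
# Management option for Orion users polling through this IAM account.
MANAGEMENT_ACTIONS = frozenset({
    "ec2:StartInstances",
    "ec2:StopInstances",
    "ec2:RebootInstances",
    "ec2:TerminateInstances",
})


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy, candidates):
    """Return the subset of `candidates` that the policy allows.

    Honours IAM's case-insensitive action matching and '*' / '?' wildcards,
    and lets an explicit Deny override an Allow. Assumption: statements use a
    plain Action list with Resource "*" (NotAction/Condition are not handled).
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action")):
            for action in candidates:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    target.add(action)
    return allowed - denied


def audit_policy(policy_json):
    """Audit a policy document (JSON text) for SAM cloud monitoring.

    Returns the monitoring permissions that are missing and the management
    permissions that are granted, so an operator can confirm least privilege
    before attaching the policy.
    """
    policy = json.loads(policy_json)
    return {
        "missing_monitoring": sorted(
            MONITORING_ACTIONS - allowed_actions(policy, MONITORING_ACTIONS)),
        "management_granted": sorted(allowed_actions(policy, MANAGEMENT_ACTIONS)),
    }


# Constructed sample: the read-only policy shown on this page.
READ_ONLY_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeInstances", "ec2:DescribeAddresses",
      "ec2:DescribeVolumes", "ec2:DescribeVolumeStatus",
      "cloudwatch:GetMetricStatistics",
      "autoscaling:DescribeAutoScalingInstances"
    ],
    "Resource": "*"
  }]
}"""

# Constructed sample (assumed, not from the page): an over-broad policy that
# grants every EC2 action via a wildcard, explicitly denies termination, and
# forgets the CloudWatch and Auto Scaling read permissions monitoring needs.
BROAD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["ec2:TerminateInstances"], "Resource": "*"}
  ]
}"""

if __name__ == "__main__":
    for name, doc in (("read-only", READ_ONLY_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_policy(doc))
```

Run it against the JSON you are about to paste into the IAM console: an empty `missing_monitoring` list means polling will work, and `management_granted` shows exactly which node Management options Orion users will be able to trigger with that account.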

Create an AWS policy and assign to a user account

Creating a policy and assigning it to a group or user account is the recommended way to manage all of these permissions in one place.

  1. Access the AWS Identity and Access Management (IAM) console.
  2. Click Policies and Create Policy.
  3. Click Create Your Own Policy option.
  4. Enter information for the policy like name and description.
  5. In the Policy Document editor, add the following permission statements:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances",
                    "ec2:DescribeAddresses",
                    "ec2:DescribeVolumes",
                    "ec2:DescribeVolumeStatus",
                    "cloudwatch:GetMetricStatistics",
                    "autoscaling:DescribeAutoScalingInstances",
                    "ec2:StopInstances",
                    "ec2:StartInstances",
                    "ec2:RebootInstances",
                    "ec2:TerminateInstances"
                ],
                "Resource": "*"
            }
        ]
    }
    
  6. Click Validate Policy to test the policies.
  7. Click Create Policy.

With the policy created, assign it to the user account:

  1. Click Policies and search for the policy you created.
  2. Select the checkbox for the policy, and select Policy Actions > Attach.
  3. Select the All Types option and Users.
  4. Search for a user account and select the checkbox for it.
  5. Click Attach Policy.

Add AWS account permissions using Inline Policies

Use the Inline Policies option to add a custom policy directly to an individual AWS IAM user account.

  1. Access the AWS Identity and Access Management (IAM) console.
  2. Click Users, and then Permissions.
  3. Click Create User Policy, and then Custom Policy.
  4. Enter a name for the policy and the following policy document:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances",
                    "ec2:DescribeAddresses",
                    "ec2:DescribeVolumes",
                    "ec2:DescribeVolumeStatus",
                    "cloudwatch:GetMetricStatistics",
                    "autoscaling:DescribeAutoScalingInstances",
                    "ec2:StopInstances",
                    "ec2:StartInstances",
                    "ec2:RebootInstances",
                    "ec2:TerminateInstances"
                ],
                "Resource": "*"
            }
        ]
    }
    
  5. Click Validate Policy.
  6. Click Apply Policy.

Last modified: 07:29, 14 Mar 2017