Hi Brian,
Configuration of role- based AWS monitoring for Managed is a little bit more trickier than for SaaS. Below are instructions how to do it. Please let me know if it worked for you.
*****************************************************************************************
Short description:
To monitor target instances with role-based permissions, a Security Gateway needs to assume a role on the target account which allows it to read the monitoring data. For security reasons the Security Gateway first assumes an additional internal role (“proxy”), before it assumes the target role in a second step.
The solution therefore describes how to prepare your AWS environment:
- 1.Create a proxy role in step 1,
- 2.then adjust the role of the Security Gateway,
- 3.change Security Gateway configuration settings to point to the right AWS account,
- 4.and create a role and its permissions on the target account.
- 5.Last step are the standard configuration settings in the Dynatrace product.
What you need:
- Your Amazon Web Services source account ID in which your Dynatrace Managed servers are running.
- The name of the role with which your Dynatrace Managed Server (or Public Security Gateway) was started.
- Your Amazon Web Services target account ID of the account you want to monitor.
Detailed instructions:
- 1.Create a cross-account access role in the source account
- a.Login to the source AWS account
- b.Go to IAM in your AWS Console
- c.Go to Roles and create a new role, name it “roleXassume”, you’ll need it later
- d.Select the Role for Cross-Account Access, then Provide access between AWS accounts you own
- e.Enter the source AWS account ID (yes, this means cross-account access on the same account)
- f.Skip attaching existing policy by going to next step
- g.In the Review page click Create Role
- h.Select the just created role and go to the Permissions tab
- i.In Permissions expand Inline Policies, and create a new inline policy there (follow the click here link)
- j.In Set Permissions select Custom Policy
- k.Create the policy with the following permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "*"
}
]
}
- l.After the roleXassume role is created, please select the role in the IAM roles section and go to the “Trust Relationships” tab
- m.Click “Edit Trust Relationships” and change the permissions (for security reasons, the default policy permissions need to be restricted to the calling PSG role):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [ "arn
iam::<12 digit target account number>:role/<role name of the Dynatrace Managed PSG>" ]
}
]
}
- Note: if you do not know upfront the role (or roles) on target accounts being monitored, you may need to alter the resource filter (e.g. include multiple roles). You may use also wildcard (“*”) as a resource, but note that this will then allow assuming any other role you have in your source account. In such cases, you can consider using a separate “proxy” account for greater security.
- 2.Modify the role policy for the Dynatrace Managed server
- a.Login to the source AWS account, if not done in step 1
- b.Go to IAM in your AWS Console
- c.Select the role with which your Dynatrace Managed server is being started and go to the Permissions tab
- d.In Permissions expand Inline Policies, and create a new inline policy there (follow the click here link)
- e.In Set Permissions select Custom Policy
- f.Create the policy with the following permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arniam::<12 digit source account number>:role/roleXassume"
}
]
}
- Note: the roleXassume in the policy must match the policy you created in step 1c.
- 3.Add configuration settings
- a.On the Dynatrace Managed server change the config.properties section:
[vertical.topology]
aws_proxy_account = <12 digit source account number>
aws_proxy_role = roleXassume
- Note: the roleXassume in the policy must match the policy you created in step 1c.
- 4.Create a cross-account access role in the target account (similar as in the help documentation, but with a different account ID)
- a.Login to the target AWS account
- b.Go to IAM in your AWS Console
- c.Go to Roles and create a new role
- d.Select the Role for Cross-Account Access, then Allow IAM users from a 3rd party AWS account to access this account
- e.Establish trust with your source account. Type the 12 digit source account number that can access the target account. Take note of the External ID, you’ll need it later.
- f.Skip attaching existing policy by going to next step
- g.In the Review page click Create Role
- h.Select the just created role and go to the Permissions tab
- i.In Permissions expand Inline Policies, and create a new inline policy there (follow the click here link)
- j.In Set Permissions select Custom Policy
- k.Create the policy with the following permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"autoscaling:Describe*",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"ec2:Describe*",
"elasticloadbalancing:Describe*",
"rds:DescribeDBInstances",
"rds:List*",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"lambda:ListFunctions",
"lambda:GetFunction",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DescribeEnvironmentResources",
"s3:List*",
"s3:Get*",
"sts:GetCallerIdentity"
],
"Resource": "*"
}
]
}
- l.Optional step: After the target role is created, please select the role in the IAM roles section again and go to the “Trust Relationships” tab. Then click “Edit Trust Relationships” and change the permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [ "arniam::<12 digit source account number>:role/roleXassume" ]
}
]
}
- 5.Connect your Amazon account to Dynatrace Managed – as described in the help documentation
Best Regards,
Karolina
