Amazon CloudWatch integration

APEX AIOps Incident Management can collect both time series metrics and alarms from Amazon CloudWatch. Incident Management performs anomaly detection on all metrics and generates events for these anomalies before ingestion. See also Amazon CloudWatch API.

Note

Amazon CloudWatch is a paid service. Before you enable this integration, you should review Amazon's pricing policies to avoid unexpected charges. For more information, go to the AWS documentation and search for "CloudWatch pricing."

Note

It is good practice to create only one integration per Amazon account.

Before you begin

This integration was validated with Amazon CloudWatch on May 14, 2020. Before you start to set up your integration, ensure you have met the following requirements:

  • You have an active AWS account.

  • You have the necessary permissions to create policies and roles in AWS.

Amazon CloudWatch setup: Create a new policy and role

  1. Open the Credentials Store in Incident Management:

    1. Open a browser window and log in to the Incident Management UI.

    2. Choose Settings > Credentials Store.

    3. Click Add Credential and choose AWS IAM.

    4. Click Show required AWS policy and copy the policy that is displayed in the popup window.

  2. Open a separate browser window and log in to the AWS Console. Go to Services > IAM.

    Leave both the Incident Management Credentials Store and the AWS Console browser windows open until you finish this process. You will need to copy/paste information between the two windows.

  3. In the AWS Console, go to Policies and define a new permissions policy:

    1. Click Create Policy and then click the JSON tab.

    2. Paste the policy you copied from the Incident Management Credentials Store.

      Note

      This policy includes the iam:SimulatePrincipalPolicy action, which Incident Management uses to test the integration with your Amazon CloudWatch estate. You can remove this action if desired, but this will disable the integration testing functionality.

    3. Click Review Policy, enter a policy name, and then click Create Policy.

  4. Go to Roles and create a new role as follows:

    1. Click Create Role.

    2. Under Select type of trusted entity, click Another AWS account.

    3. For Account ID, copy and paste the APEX AIOps AWS account number shown in the Incident Management Credentials Store.

      This is the APEX AIOps account that will receive data from CloudWatch.

    4. Under Options, enable Require external ID.

    5. Copy and paste the External ID from the Incident Management Credentials Store. Click Generate External ID if necessary.

    6. Do not enable Require MFA.

    7. Click Next: Permissions and add the policy you created previously.

    8. Proceed through the remaining steps of the Create Role wizard, accepting the default settings. In the Review page, enter a role name and click Create Role.
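
One way to confirm that the role created in step 4 trusts only the APEX AIOps account and enforces the External ID is to audit the role's trust policy JSON (the Trust relationships tab of the role in the AWS Console). The following is an added example, not code from Incident Management or AWS. The account number, External ID, sample policies and function names are constructed placeholders.

```python
import json

# Constructed placeholders, not real APEX AIOps values. Use the account number
# and External ID shown in the Incident Management Credentials Store instead.
VENDOR_ACCOUNT = "111122223333"
EXTERNAL_ID = "example-external-id-0001"

# Constructed trust policies: one matching the wizard steps, one left wide open.
GOOD_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]})
OPEN_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy_json, account, external_id):
    """Return findings for a role trust policy; an empty list means it matches the setup."""
    findings = []
    allowed = {account, f"arn:aws:iam::{account}:root"}
    for n, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        actions = set(_as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not actions & {"sts:AssumeRole", "sts:*", "*"}:
            continue  # only statements that allow assuming the role matter here
        principal = stmt.get("Principal", {})
        arns = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        if not arns or any(arn not in allowed for arn in arns):
            findings.append(f"statement {n}: principal is not limited to account {account}")
        conditions = stmt.get("Condition", {})
        got = conditions.get("StringEquals", {}).get("sts:ExternalId")
        if got is None:
            findings.append(f"statement {n}: no StringEquals sts:ExternalId condition")
        elif _as_list(got) != [external_id]:
            findings.append(f"statement {n}: External ID differs from the Credentials Store value")
        if any("aws:MultiFactorAuthPresent" in keys for keys in conditions.values()):
            findings.append(f"statement {n}: MFA condition present, but the setup leaves Require MFA off")
    return findings

if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST), ("open", OPEN_TRUST)):
        print(name, audit_trust_policy(doc, VENDOR_ACCOUNT, EXTERNAL_ID) or "OK")
```

A trust policy with no External ID condition lets anyone who can act as the trusted account assume the role by knowing only its ARN, which is the confused-deputy case that the Require external ID option exists to prevent.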

Incident Management setup

To configure the Amazon CloudWatch integration:

  1. Return to the Incident Management Credentials Store window and define your AWS IAM credentials as follows:

    • AWS Account Number — In the AWS Console, go to My Security Credentials. Then copy and paste the AWS account ID.

    • IAM Role — Enter the role you defined previously.

    • External ID — Do not change or update this ID. It must be the same ID you used when you created your role.

  2. Click Save to save your IAM credentials.

  3. Choose Ingestion Services > Amazon CloudWatch and create a new integration.

  4. Enter an integration name.

  5. Select the AWS credentials you defined previously.

  6. Click Test to verify that Incident Management can connect to your AWS account.

  7. Specify the other CloudWatch integration settings as follows:

    • Region — Select the AWS regions to observe.

    • AWS Services — Select the AWS services to observe.

    • Collect CloudWatch Alarms — Enable this option if you want to collect alarms in addition to standard CloudWatch metrics. Incident Management ingests alarms as events and converts them to alerts.

    • Collect Custom Metrics — Enable this option if you want to send any custom metrics you are collecting to Amazon CloudWatch.

    Note

    It is generally good practice to collect only the metrics and alarms that you want Incident Management to observe.

  8. Click Save.

  9. Optionally, you can go to the Configuration tab and customize anomaly detection settings for individual metrics.