AWS Probe EC2 Factory Template Being Applied not getting ECS metrics
Article ID: 116786
Updated On:
Products
DX Unified Infrastructure Management (Nimsoft / UIM)
Issue/Introduction
Made a copy of the EC2 Default template, modified it and activated a few other services like ECS. See that the new EC2 template is being applied, but the probe is not collecting any of the ECS data that was activated in the modified template. Also, the aws Dashboards are no populating with CPU and Network data for EC2 instances even though all the metrics are turned on to collect the data.
Message seen in the aws.log when running the connection test are similar to the following:
EC2Discovery::EC2 DescribeInstance Caught Exception for Region: [ap-northeast-1]You are not authorized to perform this operation. (Service: AmazonEC2; ; Request ID: <request ID>)
Using AWS global user policies for user authentication in AWS.
Message seen in the aws.log when running the connection test are similar to the following:
EC2Discovery::EC2 DescribeInstance Caught Exception for Region: [ap-northeast-1]You are not authorized to perform this operation. (Service: AmazonEC2; ; Request ID: <request ID>)
Using AWS global user policies for user authentication in AWS.
Environment
UIM 8.51
aws: 5.40
aws: 5.40
Cause
Insufficient permissions defined in AWS for the user associated with the configured Access Key and Secret Access Key values
The aws probe through the 5.40 release uses AWS Identity and Access Management (IAM) authentication.
The aws probe through the 5.40 release uses AWS Identity and Access Management (IAM) authentication.
Resolution
Policies that may need to be enabled in AWS for the user associated with the configured Access Key Id in the aws probe configuration file for AWS Identity and Access Management (IAM) authentication:
The following policies should be checked:
- AmazonReadOnlyAccess ***
- AmazonDynamoDBReadOnlyAccess
- AmazonEC2ReadOnlyAccess
- AmazonElastiCacheReadOnlyAccess
- AmazonRDSReadOnlyAccess
- AmazonRoute53ReadOnlyAccess
- AmazonS3ReadOnlyAccess *** (Note: The probe requires the AmazonS3FullAccess *** policy to monitor S3 Write performance)
- AmazonSNSReadOnlyAccess
- AmazonSQSReadOnlyAccess
To monitor root account billing details, in addition to ReadOnly access for CloudWatch service the probe requires the following policies:
- AWSAccountUsageReportAccess ***
- AWSAccountActivityAccess ***
To monitor EC2 containers:
- AmazonEC2ContainerServiceFullAccess
If the following policies exist (the documentation may be a little bit lacking), these should also be checked:
- AmazonECSReadOnlyAccess
- AmazonLambdaReadOnlyAccess
Policies marked with *** are the only ones called for in the Installation Consideration section of the aws (Amazon Web Services Monitoring Release Notes
The following policies should be checked:
- AmazonReadOnlyAccess ***
- AmazonDynamoDBReadOnlyAccess
- AmazonEC2ReadOnlyAccess
- AmazonElastiCacheReadOnlyAccess
- AmazonRDSReadOnlyAccess
- AmazonRoute53ReadOnlyAccess
- AmazonS3ReadOnlyAccess *** (Note: The probe requires the AmazonS3FullAccess *** policy to monitor S3 Write performance)
- AmazonSNSReadOnlyAccess
- AmazonSQSReadOnlyAccess
To monitor root account billing details, in addition to ReadOnly access for CloudWatch service the probe requires the following policies:
- AWSAccountUsageReportAccess ***
- AWSAccountActivityAccess ***
To monitor EC2 containers:
- AmazonEC2ContainerServiceFullAccess
If the following policies exist (the documentation may be a little bit lacking), these should also be checked:
- AmazonECSReadOnlyAccess
- AmazonLambdaReadOnlyAccess
Policies marked with *** are the only ones called for in the Installation Consideration section of the aws (Amazon Web Services Monitoring Release Notes
Feedback
Yes
No
Powered by
