When an AWS account is created, you are signed-in as a root user (a single sign in entity) with unrestricted access to the subscribed AWS services, using an email and password unique to your organization. As a best practice, avoid using the root user account for basic tasks. Use Identity and Access Management (IAM) credentials to authorize OpsRamp to manage your resources.

Install the AWS integration on the OpsRamp console using Identity and Access Management (IAM) access key ID and secret access key. IAM is a web service that helps in securely controlling access to AWS services. For more information, see What is IAM?


Process Flow - Installing AWS integration with IAM credentials

AWS configuration

To configure AWS integration:

  1. Sign in to your root account in the AWS management console.

  2. On the navigation bar, click your account name, and choose My Security Credentials.

  3. From the Identity and Access Management navigation pane, click Users > Add user and give a suitable name to the new user.

    Familiarize yourself with Creating users on AWS console.

  4. Select programmatic access as a type of access and click Next: Permissions.

    Programmatic access is for the users who require access to the API, AWS CLI, or Tools for Windows PowerShell. The programmatic access option creates an access key and security access key for each new user.

  5. On the Set permissions page, specify how you want to assign permissions to the user and click Next: Tags. Refer to Creating IAM Policies (console).

  6. (Optional) Add metadata to the user by attaching tags as key-value pairs and click Next: Review to see the details.

  7. Click Create user. The page displays the user access key ID and secret access keys.

  8. Save the access keys by clicking Download.csv at a safe location.

This is your only opportunity to view or download the secret access keys. Save the access key ID and secret access key generated in a secure place. You do not have access to the secret keys again after this step.

OpsRamp configuration

To configure AWS integration:

  1. Click All Clients and from the drop-down list, select a client.

  2. Go to Setup > Integrations and Apps. If apps are already installed, the INSTALLED APPS page is displayed, else the AVAILABLE APPS page is displayed.

  3. Search for an AWS app using the search option. You can also use the All Categories dropdown and select the appropriate public cloud category.

  4. Click ADD. The Add AWS page is displayed.

  5. Provide the details in the fields:

    • Name: Give a suitable name for the integration.

    • Region(s): Select the AWS region from the drop-down list. The services that belong to the selected region are onboarded.
      You can select multiple regions to onboard the services.
      If you select two regions A and B, and if you are not authorized to access region B, onboarding fails for both regions A and B.

    • Integration type: Select IAM.

    • Account Number: Enter the account number.

    • Access Key: Provide Access Key generated in the AWS console.

    • Security Key: Provide Security Key generated in the AWS console.

  6. Click NEXT.

    In the Filter page:

  7. Choose Any or All to match any one or all of the defined conditions for filtering.

  8. Select the options for the filter criteria:

    • Resource Type: List all the supported resource types.
    • Attribute Name: List attributes for the selected resource type. Attributes are resource type-dependent.
    • Logic condition: Logical match criteria for search: Contains, Not Contains, Equals, Not Equals, Starts With, Ends With, and Regex.
    • Value: Value corresponding to the attribute name and logical condition.

    Select the required resource types.

  9. Click NEXT.

  10. Select the actions you want to run on the services:

    • Manage Device: Discover the AWS services in a managed state.
    • Stream CloudWatch Alarms: Enter SQS URL to get alarms. See configuring Amazon CloudWatch alarms.
    • Ingest unsupported AWS resource alarms: Process all Amazon CloudWatch alarms and AWS services not supported by OpsRamp.
    • Create a resource based on CloudTrail events stream: Enter SQS URL to get events. See Configuring Amazon CloudTrail.
    • Stream AWS Events: Enter SQS URL to get events. See configuring AWS Events.
    • Collect Cost Analytics: Collect project cost details of the services utilized. To collect Cost Analytics, create an Amazon S3 bucket and set up Amazon S3 for collecting AWS billing data. Amazon S3 bucket can be configured on the root account only.
    • Assign Credentials Matching with Fingerprint: Check if the credential set of EC2 instance matches the credential set of the key pair.
    • Assign Gateway Management Profile: Select the gateway management profile from the drop-down list.

  11. If the agent needs to be installed on the device click Install Agent (Linux only) and select the device credentials.

    Select Agent Type:

    • Direct: Outbound port 443 is used on EC2 and other types of AWS compute services, such as desktops and servers.
    • Proxy: Outbound port 3128 is used on EC2 and other types of AWS compute services, such as desktops and servers.

  12. Select the Discovery Schedule option to schedule a discovery and define the Recurrence pattern.

  13. To discover the Amazon Web Services in your environment, you can:

    • Set a discovery schedule and define a preferred recurrence pattern. The system scans regularly at the defined schedule to discover any new services added to your environment.

  14. Click FINISH. The AWS app is installed.

    All the discovered services are visible in the Infrastructure page under
    Resources > AWS

  15. Click AWS. The list of installed AWS integrations are displayed. You can perform actions like Edit, Uninstall, Rescan.