Before you configure a CloudWatch data source in the platform, you must obtain values for the AWS user account access credentials. To configure the AWS authentication and obtain the required values, complete the procedure based on the type of authentication you require.
Before you begin
- Log in to the AWS management console as an administrator.
- On the Service tab, search for and select IAM.
For key-based authentication, complete the procedure steps 1-4. For role-based authentication, complete the procedure steps 1-6 without the Group steps.
About this task
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. Use IAM to control who is authenticated and authorized to use the connection between the CloudWatch data source and the platform.
With key-based authentication, the access key values uniquely identify the data source that you want to establish the connection with. These values are required to authenticate the connection request. With role-based authentication, an extra parameter value is required.
IAM role-based authentication works for AssumeRole access, which provides a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to.
For more information, see AWS Identity and Access Management Documentation (https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html).
Procedure
1. Create a policy.
   - From the main menu, click Policies.
   - On the Policies tab, click Create Policy.
   - Select the service CloudWatch Logs.
   - From the List access level menu, select DescribeLogGroups.
   - From the Read access level menu, select StartQuery, GetQueryResults, and StopQuery.
   - From the Resources menu, select All Resources; alternatively, for access to a specific log group, select Specific.
   - Click Review Policy.
   - Enter a policy name and click Create Policy.
2. Create a group.
   - From the main menu, click Groups.
   - On the Group tab, click Create Group.
   - Enter the name of the group and click Next.
   - To attach the policy that you created in step 1, select the checkbox, and click Next.
   - Click Create Group.
3. Create a user.
   - From the main menu, click Users.
   - On the Users tab, click Add User.
   - Enter the username.
   - Check the Programmatic access checkbox.
   - On the Permissions tab, select the group that you created in step 2.
   - On the Tags tab, add the tag key and value if required.
   - Click Review.
   - Click Create User.
4. Create base security credentials.
   - On the Security Credentials tab of the user, create an access key.
   - Download the security credentials .csv file and store it in a secure location.
     You can view the secret access key only at the time it is created.
5. Create an IAM role.
   - From the main menu, select Roles.
   - Click Create role.
   - Select Another AWS account.
   - Enter the account ID for the user that you created in step 3, and click Next: Permissions.
   - Select the policy that you created in step 1, and click Next: Tags.
   - Add the tag key and value if required, and click Next: Review.
   - Enter the role name, review the information, and click Create Role.
6. Create a trust relationship.
   - Select the IAM role that you created in step 5.
   - On the Summary page, note the value of the Role ARN (Amazon Resource Name).
   - Select the Trust Relationships tab and click Edit trust relationship.
     By default, the root user is added in the Principal section.
   - Update the Principal value with the value of the user created in step 3.
   - Click Update Trust policy.
Most resources have a friendly name (for example, a user named Bob or a group named Developers). However, the permissions policy language requires you to specify the resource or resources by using the Amazon Resource Name (ARN) format.
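The following added example (not part of the original documentation) writes out the policy documents that steps 1 and 6 produce and checks that the role's trust policy names only the user from step 3 rather than the default account root principal. The account ID `123456789012`, the user name `cloudwatch-datasource`, and the helper names are assumptions made for illustration.

```python
import json

ACCOUNT_ID = "123456789012"  # constructed placeholder account ID
USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/cloudwatch-datasource"  # hypothetical user
# Actions chosen in step 1 (List and Read access levels of CloudWatch Logs).
EXPECTED_ACTIONS = {"logs:DescribeLogGroups", "logs:StartQuery",
                    "logs:GetQueryResults", "logs:StopQuery"}

def permissions_policy(resource="*"):
    """Step 1 as a policy document; pass a log-group ARN for the Specific option."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": sorted(EXPECTED_ACTIONS),
                           "Resource": resource}]}

def trust_policy(principal_arn):
    """Step 6 as a trust policy: who may call sts:AssumeRole on the role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": principal_arn},
                           "Action": "sts:AssumeRole"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit(permissions, trust, user_arn):
    """Return findings where the documents grant more than the procedure intends."""
    findings = []
    for stmt in _as_list(permissions["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        extra = set(_as_list(stmt.get("Action", []))) - EXPECTED_ACTIONS
        if extra:
            findings.append(f"extra actions: {sorted(extra)}")
    for stmt in _as_list(trust["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for arn in arns:
            if arn == "*" or arn.endswith(":root") or arn.isdigit():
                findings.append(f"trust principal too broad: {arn}")
            elif arn != user_arn:
                findings.append(f"unexpected trust principal: {arn}")
    return findings

if __name__ == "__main__":
    default_trust = trust_policy(f"arn:aws:iam::{ACCOUNT_ID}:root")  # console default
    print(audit(permissions_policy(), default_trust, USER_ARN))
    print(json.dumps(trust_policy(USER_ARN), indent=2))
```

To audit existing documents, load the policy JSON shown in the console's JSON view and pass the parsed dictionaries to `audit`.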