To begin a Live Optics AWS collection, you must enter the Access Key ID and Secret Access Key of an IAM user that has at least Read Only Access to the supported AWS services for which you wish to collect information. You can use any existing IAM user's Access Key ID and Secret Access Key to run a Live Optics collection (it is recommended that you do not use root users).
This article describes how to:
- Create a temporary IAM user
- Assign the correct permissions to the user
- Create the Access Key ID and Secret Key
See Complete an AWS collection for information on completing an AWS collection using the Live Optics collector.
Pre-requisite (Optional)
Both Disk Used (GiB) and Memory Used % data points for EC2 instances are only available in the Live Optics report if the CloudWatch agent is installed on the EC2 instances, and a CloudWatch agent configuration file is created specifying the metrics to be collected. If the CloudWatch agent is not installed, the Disk Used (GiB) and Memory Used % metrics are not available.
Use the following AWS documentation to install the CloudWatch agent and create the configuration file:
- Install CloudWatch Agent: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/install-CloudWatch-Agent-on-EC2-Instance.html
- Create CloudWatch Agent Configuration File: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/create-cloudwatch-agent-configuration-file.html
1. Log on to your AWS Console with an admin IAM user that has permissions to create other IAM users.
2. Select the IAM service.
3. Select Users from the left menu, then select Create User.
4. Enter a User Name and click Next.
5. Select Attach Policies Directly, then click Create Policy. A new policy creation tab opens.
6. Select JSON on the right side of the screen. In the Policy Editor, paste the JSON policy below. This JSON file is also attached at the bottom of this article. Click Next.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics",
        "ec2:DescribeInstances",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeRegions",
        "ec2:DescribeVolumes",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeSnapshots",
        "ecs:DescribeCapacityProviders",
        "ecs:ListTagsForResource",
        "ecs:ListAttributes",
        "ecs:ListTasks",
        "ecs:DescribeServices",
        "ecs:DescribeTaskSets",
        "ecs:ListContainerInstances",
        "ecs:DescribeContainerInstances",
        "ecs:DescribeTasks",
        "ecs:DescribeClusters",
        "ecs:ListServices",
        "ecs:ListAccountSettings",
        "ecs:ListTaskDefinitionFamilies",
        "ecs:ListTaskDefinitions",
        "ecs:DescribeTaskDefinition",
        "ecs:ListClusters",
        "eks:ListNodegroups",
        "eks:DescribeFargateProfile",
        "eks:ListTagsForResource",
        "eks:ListAddons",
        "eks:DescribeAddon",
        "eks:ListFargateProfiles",
        "eks:DescribeNodegroup",
        "eks:ListUpdates",
        "eks:DescribeUpdate",
        "eks:AccessKubernetesApi",
        "eks:DescribeCluster",
        "eks:ListClusters",
        "eks:DescribeAddonVersions",
        "elasticfilesystem:DescribeFileSystems",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:DescribeTargetGroups",
        "glacier:ListVaults",
        "rds:DescribeDBSnapshots",
        "rds:DescribeDBInstances",
        "rds:DescribeDBClusters",
        "s3:GetEncryptionConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetBucketWebsite",
        "s3:ListAllMyBuckets",
        "s3:GetBucketVersioning",
        "s3:GetBucketLocation"
      ],
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "0.0.0.0/0"
        }
      }
    }
  ]
}
7. Return to the main user creation tab, and locate the newly created policy. Select the policy and click Next.
8. Enter a tag key and value (optional) and then click Create User.
9. Select Users from the menu on the left of the screen, and choose the newly created user.
10. Select Create access key.
11. Select Third-party Service, and check the Confirmation checkbox. Click Next to continue.
12. Add a Description Tag Value, and click Create access key.
13. The Access Key and the Secret Key are displayed.
NOTE: This is the only time you can view the Secret Key. Save it to enter as a credential for the Live Optics collection or download the .csv file. Click Done.
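
The policy in step 6 sets its `aws:SourceIp` condition to `0.0.0.0/0`, which matches any IPv4 source. As an added example (not part of the original article or of Live Optics), this Python sketch audits an abbreviated copy of that policy and pins it to a collector egress range. The `198.51.100.0/24` CIDR, the function names and the Describe/Get/List prefix heuristic are assumptions.

```python
import ipaddress
import json

# Abbreviated copy of the step 6 policy (four of its actions), embedded for offline use.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "VisualEditor1", "Effect": "Allow",
  "Action": ["ec2:DescribeInstances", "cloudwatch:GetMetricData",
             "s3:ListAllMyBuckets", "eks:AccessKubernetesApi"],
  "Resource": "*", "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}}}]}
""")
READ_VERBS = ("Describe", "Get", "List")  # assumption: name-prefix heuristic only

def as_list(value):
    """IAM accepts a bare string wherever it accepts a list."""
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return findings for Allow statements broader than a read-only collector needs."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
            elif not action.split(":", 1)[-1].startswith(READ_VERBS):
                findings.append(f"{sid}: {action} is not Describe/Get/List; check its access level")
        cidrs = as_list(stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", []))
        if not cidrs:
            findings.append(f"{sid}: no aws:SourceIp restriction")
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"{sid}: aws:SourceIp {cidr} allows any source address")
    return findings

def pin_source_ip(policy, cidrs):
    """Return a copy whose Allow statements apply only to requests from the given CIDRs."""
    pinned = json.loads(json.dumps(policy))  # deep copy; the input is left untouched
    for stmt in as_list(pinned["Statement"]):
        if stmt.get("Effect") == "Allow":
            stmt.setdefault("Condition", {}).setdefault("IpAddress", {})["aws:SourceIp"] = list(cidrs)
    return pinned

if __name__ == "__main__":
    print("\n".join(audit(POLICY)))
    # 198.51.100.0/24 is a documentation range standing in for the collector's egress CIDR.
    print(json.dumps(pin_source_ip(POLICY, ["198.51.100.0/24"]), indent=2))
```

To check the complete policy, replace the abbreviated `Action` list in `POLICY` with the full list from step 6.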