New Question
 
 
PRTG Network Monitor

Intuitive to Use.
Easy to manage.

200.000 administrators have chosen PRTG to monitor their network. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free PRTG
Download >>

 

What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general. You are invited to get involved by asking and answering questions!

Learn more

 

Top Tags


View all Tags


How do I define access rights for Amazon CloudWatch queries?

Votes:

0

Your Vote:

Up

Down

I use an Amazon CloudWatch sensor in PRTG.

I activated CloudWatch metrics in the AWS console at Amazon, but the sensor shows an error message:

You are not authorized to perform this operation.

How do I set according access rights?

amazon cloudwatch help permissions prtg

Created on Jun 28, 2012 8:13:37 AM by  Daniel Zobel [Paessler Support]

Last change on Dec 10, 2015 11:03:45 AM by  Gerald Schoch [Paessler Support]



Best Answer

Accepted Answer

Votes:

0

Your Vote:

Up

Down

This article applies to PRTG Network Monitor 19 or later

Setting Rights for CloudWatch Metrics

The IAM account you use with the Amazon CloudWatch sensors needs sufficient rights to query CloudWatch metrics. To allow those queries for all supported services, follow these steps.

Step 1: Create a New Policy

  • Log in to the IAM console.
  • Under Policies, click Create policy to create a new policy. For example, MonitoringPolicy.

Create New Policy
Click to enlarge.

  • Select the JSON tab and enter the following definition.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1338559359622",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1338559372809",
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:DescribeAlarms"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1338559399560",
      "Action": [
        "elasticache:DescribeCacheClusters"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1338559439473",
      "Action": [
        "elasticloadbalancing:DescribeLoadBalancers"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1338559468079",
      "Action": [
        "rds:DescribeDBInstances"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1338559518608",
      "Action": [
        "sns:ListPlatformApplications",
        "sns:ListTopics"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1338559548992",
      "Action": [
        "sqs:ListQueues"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1450719990448",
      "Action": [
        "autoscaling:DescribeAutoScalingGroups"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1450720132953",
      "Action": [
        "lambda:ListFunctions"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

  • Save the new policy.

Step 2: Create a New Group and Attach Policy

  • Under Groups, create a new group, for example MonitoringGroup.
  • In step 2, map the MonitoringPolicy to the new group.

Attach Policy to New Group
Click to enlarge.

Step 3: Add New User to Group

  • Under Users, create a new user.
  • Add the new user to the MonitoringGroup.

Add New User to Group
Click to enlarge.

  • Select Programmic Access in order to get this user API access.

The new IAM account now has sufficient rights to query CloudWatch metrics. To confirm sufficient rights, go to Policies and make sure CloudWatch services are available on the Policy summary tab.

CloudWatch Service Details
Click to enlarge.

Step 4: Generate Access Key

  • Under Users, select the user you created in step 3.
  • On the Security Credentials tab, select Create Access Key.
  • Either download and store the CSV file containing the ID and key or note this information yourself.
  • These credentials will only be displayed in IAM once. You will need to enter these credentials on the Settings tab of the relevant group or device in PRTG to be able to deploy any Amazon CloudWatch sensors.

Created on Jul 24, 2018 9:05:33 AM by  Brandy Greger [Paessler Support]

Last change on Jul 30, 2019 10:09:27 AM by  Brandy Greger [Paessler Support]



3 Replies

Votes:

0

Your Vote:

Up

Down

Hi is it Possible to use AWS tags to scope the sensors?

Created on Dec 7, 2017 11:32:22 AM by  nand0l (0)



Votes:

0

Your Vote:

Up

Down

In what way would you scope them? Can you give me some more information?

Created on Dec 8, 2017 3:47:39 AM by  Benjamin Day [Paessler Support]



Accepted Answer

Votes:

0

Your Vote:

Up

Down

This article applies to PRTG Network Monitor 19 or later

Setting Rights for CloudWatch Metrics

The IAM account you use with the Amazon CloudWatch sensors needs sufficient rights to query CloudWatch metrics. To allow those queries for all supported services, follow these steps.

Step 1: Create a New Policy

  • Log in to the IAM console.
  • Under Policies, click Create policy to create a new policy. For example, MonitoringPolicy.

Create New Policy
Click to enlarge.

  • Select the JSON tab and enter the following definition.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1338559359622",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1338559372809",
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:DescribeAlarms"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1338559399560",
      "Action": [
        "elasticache:DescribeCacheClusters"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1338559439473",
      "Action": [
        "elasticloadbalancing:DescribeLoadBalancers"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1338559468079",
      "Action": [
        "rds:DescribeDBInstances"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1338559518608",
      "Action": [
        "sns:ListPlatformApplications",
        "sns:ListTopics"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1338559548992",
      "Action": [
        "sqs:ListQueues"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1450719990448",
      "Action": [
        "autoscaling:DescribeAutoScalingGroups"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1450720132953",
      "Action": [
        "lambda:ListFunctions"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

  • Save the new policy.

Step 2: Create a New Group and Attach Policy

  • Under Groups, create a new group, for example MonitoringGroup.
  • In step 2, map the MonitoringPolicy to the new group.

Attach Policy to New Group
Click to enlarge.

Step 3: Add New User to Group

  • Under Users, create a new user.
  • Add the new user to the MonitoringGroup.

Add New User to Group
Click to enlarge.

  • Select Programmic Access in order to get this user API access.

The new IAM account now has sufficient rights to query CloudWatch metrics. To confirm sufficient rights, go to Policies and make sure CloudWatch services are available on the Policy summary tab.

CloudWatch Service Details
Click to enlarge.

Step 4: Generate Access Key

  • Under Users, select the user you created in step 3.
  • On the Security Credentials tab, select Create Access Key.
  • Either download and store the CSV file containing the ID and key or note this information yourself.
  • These credentials will only be displayed in IAM once. You will need to enter these credentials on the Settings tab of the relevant group or device in PRTG to be able to deploy any Amazon CloudWatch sensors.

Created on Jul 24, 2018 9:05:33 AM by  Brandy Greger [Paessler Support]

Last change on Jul 30, 2019 10:09:27 AM by  Brandy Greger [Paessler Support]



Please log in or register to enter your reply.


Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.