Set up DESK SaaS for AWS monitoring

You can integrate DESK with Amazon Web Services (AWS) for intelligent monitoring of services running in the Amazon Cloud. AWS integration helps you stay on top of the dynamics of your data center in the cloud.

Important

DESK can be deployed with or without an Environment ActiveGate. Configuring role-based access differs for DESK deployments that use an Environment ActiveGate.

Overview

Follow these basic steps to integrate DESK SaaS with Amazon Web Services (AWS):

Create AWS monitoring policy.

Choose an access method:

Key-based access.
Role-based access.
If you choose role-based access, use the appropriate procedure for your deployment scenario:
- Role-based access for SaaS deployments with Environment ActiveGate.
- Role-based access for SaaS deployments with NO Environment ActiveGate.

Define AWS resource tagging.

Cost

DESK makes Amazon API requests every 5 minutes. In addition to CloudWatch API calls, DESK makes API calls to the monitored AWS services in order to learn about their instances, tags, etc. The list of called services and actions is available below in the Create the monitoring policy section. Here's a rough estimate of AWS monitoring costs:

AWS service	Number of metrics	Daily cost per instance (USD)
Elastic Compute Cloud (EC2)	7	$0.02016
Elastic Block Store (EBS)	8	$0.02304
Elastic Load Balancer (ELB)	11	$0.03168
Relational Database Service (RDS)	11	$0.03168
DynamoDB	15	$0.06912
Lambda	4	$0.01152

Amazon charges

Amazon will charge about $0.01 per 1,000 metrics requested from the CloudWatch API and include the cost in the bill for the AWS account you use with DESK.

AWS monitoring policy

The AWS monitoring policy defines the minimum scope of permissions you need to give to DESK to monitor the services running in your AWS account. Create it once and use anytime when enabling DESK access to your AWS account.

Go to Identity and Access Management (IAM) in your Amazon Console.

Go to Policies and click Create policy.

Select the JSON tab, and paste the predefined policy from the box below.

Predefined policy in JSON

Download

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "cloudwatch:GetMetricData",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInstances",     
        "ec2:DescribeVolumes",             
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeTargetHealth",
        "rds:DescribeDBInstances",
        "rds:DescribeEvents",
        "rds:ListTagsForResource",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "lambda:ListFunctions",
        "lambda:ListTags",
        "elasticbeanstalk:DescribeEnvironments",
        "elasticbeanstalk:DescribeEnvironmentResources",
        "s3:ListAllMyBuckets",
        "sts:GetCallerIdentity",
        "cloudformation:ListStackResources",
        "tag:GetResources",
        "tag:GetTagKeys"
      ],
      "Resource": "*"
    }
  ]
}

Give the policy a name. For example DESK_monitoring_policy. Type it in the Name field.

Click the Create policy button.

Access methods

To get the information required for comprehensive AWS cloud-computing monitoring, DESK needs to identify all the virtualized infrastructure components in your AWS environment and collect performance metrics related to those components. We use this information to understand the context of your applications, services, and hosts. For this to happen, you need to authorize DESK to access your Amazon metrics.

You can enable DESK access to your AWS metrics by either using a private access key (key-based access) or defining a special role for DESK (role-based access). In all the cases, make sure that your Environment ActiveGate has a working connection to AWS. Configure your proxy for ActiveGate, or whitelist *.amazonaws.com in your firewall settings.

As a best practice, use temporary security credentials (IAM roles) instead of access keys, and disable any AWS account root user access keys.

Key-based access

If you decide to use the key-based authentication, remember to rotate the keys periodically. Keep in mind that you need to perform this procedure each time you change the key.

What you need

Rights to create a new AWS user
Your AWS account ID
Your Amazon Access key ID and Secret access key

Enabling access to your Amazon account using key-based access

DESK can use access keys to make secure REST or Query protocol requests to the AWS service API. You'll need to generate an Access key ID and a Secret access key that DESK can use to get metrics from Amazon Web Services.

In your Amazon Console, go to Users and click Add User.

Enter a name for the key you want to create (for example, DESK_monitoring_user). In Select AWS access type, select the Programmatic access option and click Next:Permissions button.

Click Attach existing policies directly and choose the monitoring policy you defined, for example DESK_monitoring_policy. Click Next: Review.

Review the user details and click the Create user button.

Store the Access Key ID name (AKID) and Secret access key values.
You can either download the user credentials or copy the credentials displayed online (click Show).

Connecting your Amazon account to DESK using key-based access

Once you've granted AWS access to DESK, it's time to connect DESK to your Amazon AWS account.

In DESK, go to Settings > Cloud and virtualization > AWS and click Connect new instance.

Select Key based authentication method.

Create a name for this connection. This is mandatory. DESK needs this name to identify and display the connection.
In the Access key ID field, paste the identifier of the key you created in Amazon for DESK access.
In the Secret access key field, paste the value of the key you created in Amazon for DESK access.
Click Connect to verify and save the connection.

Once the connection is successfully verified and saved, your AWS account will be listed in the Cloud and virtualization settings page. You should soon begin to see AWS cloud monitoring data.

Role-based access

DESK SaaS deployments may vary. Integrating DESK SaaS with AWS is different when deployment includes an Environment ActiveGate. Select the appropriate set up procedure for your DESK SaaS deployment scenario.

Deployments with Environment ActiveGate Deployments with NO Environment ActiveGate

Role-based access for SaaS deployments with Environment ActiveGate

In typical setup, you'll create and attach two roles, one for DESK and one for your Environment ActiveGate hosted in your AWS infrastructure.

What you need

Environment ActiveGate installed on an AWS EC2 host. They must be able to assume a role within your AWS account that allows it to read the DESK monitoring data.
DESK AWS account ID: 509560245411
The ID of the AWS account that hosts the ActiveGate (i.e., the account that hosts your DESK components, in this case, the one hosting Environment ActiveGate).
The Amazon Web Services monitored account ID, that is the account you want to monitor.
The name of the role with which your Environment ActiveGate was started.
The External Id copied from Settings > Cloud and virtualization > AWS.

Enabling access to your Amazon account using role-based access

The steps described below apply both when the source and monitored accounts are the same and when they're different. If you want to monitor multiple accounts, repeat Step 1 for each account and add them all to the Statement.Resource array in the policy in Step 2.4.

Step 1. Create a monitoring role for DESK on your monitored account

In your browser, open a new tab and sign in to DESK to get the External Id. Go to Settings > Cloud and virtualization > AWS, click Connect new instance, select Role based authentication method and click Copy next to the Token field.

Go to Identity and Access Management (IAM) in your Amazon Console.

Go to Roles and click Create role

Select the Another AWS account tile and establish trust with the DESK account.

Paste the 12-digit account ID (hosting the ActiveGate) that is used to access the monitored account.

Select Require external ID option.

Paste the External ID you copied in the first step. Click Next: Permissions.

In the Attach permissions policies section, choose the monitoring policy you created, for example DESK_monitoring_policy. Click Next: Review.

On the Review page, provide the role name, for example DESK_monitoring_role. Remember it, you'll need it later to connect your Amazon account to DESK. Click the Create Role button.

Step 2. Create a role for the ActiveGate host on the account that hosts the ActiveGate

Once the DESK_monitoring_role is created on the monitored account, create a role for Environment ActiveGate that will be responsible for AWS monitoring.

In your Amazon Console, go to Roles, click Create role. Select AWS service and EC2 as the service that will use the role. Click Next: Permissions and skip to the Review page.

On the Review page, provide the role a name, for example DESK_ActiveGate_role and click Create role.

Select DESK_ActiveGate_role and click Add inline policy

Select the JSON and paste the predefined policy from below. Edit it and add:

The 12-digit monitored account number,

The role name created in previous steps, (for example DESK_monitoring_role), that is used to assume a monitoring role.

Don't include the < and > characters.

If you want to monitor multiple target accounts, add monitoring roles Amazon Resource Names (ARNs) of all monitoring accounts to "Resource" array.

DESK assume policy

Download

{
    "Statement": [
        {
            "Resource": [
                "arn:aws:iam::<12-digit target account number>:role/<role created in previous step (DESK_monitoring_role)>"
            ],
            "Action": [
                "sts:AssumeRole"
            ],
            "Effect": "Allow"
        }
    ],
    "Version": "2012-10-17"
}

When done, paste Update policy and then click Review policy.

Name the inline policy you've just created, for example DESK_assume_policy and click Create policy.

Go back to the DESK_monitoring_role you created earlier and select Trust relationships tab in the role summary page and click Edit Trust Relationships.

Paste the JSON sample below into a text editor. Edit it and add:

The 12-digit AWS number of the account hosting the ActiveGate

The role with which your Environment ActiveGate was started and the external ID you copied in previous steps

Don't include the < and > characters.

DESK trust policy

Download

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",

      "Principal": {
        "AWS": [
          "arn:aws:iam::<12-digit source account number>:role/< role for your Environment ActiveGate (DESK_ActiveGate_role)>",
          "arn:aws:iam::509560245411:root"
        ]
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<External ID generated from tenant>"
        }
      }
    }
  ]
}

Paste the modified text and click Update Trust Policy button.

Go to EC2 console, right-click an instance hosting your Environment ActiveGate and select Instance settings > Attach/Replace IAM Role.

Select the role created earlier, DESK_ActiveGate_role, and click Apply.

Step 3. Modify ActiveGate configuration

Edit the custom.properties file of your Environment ActiveGate.

Set the following properties as below:

[vertical.topology]
use_aws_proxy_role = false

[aws_monitoring]
aws_monitoring_enabled = true

If the ActiveGate is dedicated to AWS monitoring, you must also set the MSGrouter property to false:

[collector]
MSGrouter = false

Remove aws_proxy_account and aws_proxy_role properties.

Save the file and restart ActiveGate.

Role-based access for SaaS deployments without Environment ActiveGate

To give DESK SaaS the role-based monitoring access to your AWS account, you need to create a dedicated monitoring role for DESK in your AWS account. DESK will use this role to authenticate in your AWS environment with the scope of permissions as defined by the monitoring policy. For multiple accounts, you must repeat the following steps for every account that you wish to monitor.

What you need

Your Amazon Web Services account ID
DESK AWS account ID: 509560245411
Rights to assign role-based access to your AWS account
The External ID copied from Settings > Cloud and virtualization > AWS

Go to Identity and Access Management (IAM) in your Amazon Console.

Go to Roles and create a new role for DESK.

Select the Another AWS account tile and establish trust with the DESK account.
Paste the External ID you copied in the first step. Type 509560245411 as the Account ID that can access your account. Click Next: Permissions.

In the Attach permissions policies section, choose the monitoring policy you created, for example DESK_monitoring_policy. Click Next: Review.

On the Review page, provide the role name, for example DESK_monitoring_role. Remember it, you'll need it later to connect your Amazon account to DESK. Click the Create Role button.

Connecting your Amazon account to DESK using role-based access

Once you've granted AWS access to DESK, it's time to connect DESK to your Amazon AWS account.

In DESK, go to Settings > Cloud and virtualization > AWS and click Connect new instance.

Select either the Role based authenticationmethod.

Create a name for this connection. If you leave this field empty, the name Role will be used on DESK pages to define this connection.
In the Role field, type the name of the role you created in Amazon for DESK, for example DESK_monitoring_role.
Type your Account ID (the account you want us to pull metrics from).
Click Connect to verify and save the connection.

Once the connection is successfully verified and saved, your AWS account will be listed in the Cloud and virtualization settings page.
You should soon begin to see AWS cloud monitoring data.