OnCommand Insight uses this data source to discover inventory and performance for Amazon AWS EC2.
To configure the Amazon AWS EC2 data source, you will need the AWS IAM Access Key ID and Secret Access Key for your AWS account.
Fill in the data source fields according to the tables below:
Field | Description |
---|---|
AWS Region | Choose AWS region |
IAM Role | AWS IAM Role if running on EC2 instance to retrieve IAM temporary access key, secret and token. Required if you do not use IAM Access Key ID and Secret Access Key fields. |
AWS IAM Access Key ID | Enter AWS IAM Access Key ID. Required if you do not use IAM Role. |
AWS IAM Secret Access Key | Enter AWS IAM Secret Access Key. Required if you do not use IAM Role. |
I understand AWS will bill me for API requests | Check this to verify your understanding that AWS bills you for API requests made by Insight polling |
Field | Description |
---|---|
Include Extra Regions | Specify additional regions to include in polling. |
Cross Account Role | Role for accessing resources in different AWS accounts. |
Inventory Poll Interval (min) | Interval between inventory polls (default 60 minutes) |
HTTP connection and socket timeout (sec) | HTTP connection timeout (default 300 seconds) |
Include AWS tags | Check this to enable support for AWS tags in Insight annotations |
Performance Poll Interval (sec) | Interval between performance polls (default 1800 seconds) |
The AWS EC2 data source includes an option that allows you to populate Insight annotations with tags configured on AWS. The annotations must be named exactly as the AWS tags. Insight will always populate same-named text-type annotations, and will make a "best attempt" to populate annotations of other types (number, boolean, etc). If your annotation is of a different type and the data source fails to populate it, it may be necessary to remove the annotation and re-create it as a text type.
Note that AWS is case-sensitive, while Insight is case-insensitive. So if you create an annotation named OWNER
in Insight, and tags named OWNER
, Owner
, and owner
in AWS, all of the AWS variations of owner
will map to Insight's OWNER
annotation.
Related Information:
In the AWS Data Collector Advanced Configuration section, you can set the Include extra regions field to include additional regions, separated by comma or semi-colon. By default, this field is set to us-.*, which collects on all US AWS regions. To collect on all regions, set this field to .*.
If the Include extra regions field is empty, the data collector will collect on assets specified in the AWS Region field as specified in the Configuration section.
Best Practice: It is highly recommended to assign the AWS predefined AmazonEC2ReadOnlyAccess policy to the ECS master account. Also, the user configured in the data source should have at least the predefined AWSOrganizationsReadOnlyAccess policy assigned, in order to query AWS.
Please see the following for information on configuring your environment to allow Insight to collect from AWS child accounts:
Tutorial: Delegate Access Across AWS Accounts Using IAM Roles
AWS Setup: Providing Access to an IAM User in Another AWS Account That You Own
When using IAM Role security, you must ensure that the role you create or specify has the appropriate permissions needed to access your resources.
For example, if you create an IAM role named InstanceEc2ReadOnly, you must set up the policy to grant EC2 read-only list access permission to all EC2 resources for this IAM role. Additionally, you must grant STS (Security Token Service) access so that this role is allowed to assume roles cross accounts.
After you create an IAM role, you can attach it when you create a new EC2 instance or any existing EC2 instance.
After you attach the IAM role InstanceEc2ReadOnly to an EC2 instance, you will be able to retrieve the temporary credential through instance metadata by IAM role name and use it to access AWS resources by any application running on this EC2 instance.
Note: IAM role can be used only when the Acquisition Unit is running in an AWS instance.