Skip to main content
OnCommand Insight

Amazon AWS EC2 data source


OnCommand Insight uses this data source to discover inventory and performance for Amazon AWS EC2.


In order to collect data from Amazon EC2 devices, you must have the following information:

  • You must have the IAM Access Key ID

  • You must have the Secret Access Key for your Amazon EC2 cloud account

  • You must have the "list organization" privilege

  • Port 433 HTTPS

  • EC2 Instances can be reported as a Virtual Machine, or (less naturally) a Host. EBS Volumes can be reported as both a VirtualDisk used by the VM, as well as a DataStore providing the Capacity for the VirtualDisk.

Access keys consist of an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). You use access keys to sign programmatic requests that you make to EC@ if you use the Amanzon EC2 SDKs, REST, or Query API operations. These keys are provided with your contract from Amazon.

How to configure this data source

To configure the Amazon AWS EC2 data source, you will need the AWS IAM Access Key ID and Secret Access Key for your AWS account.

Fill in the data source fields according to the tables below:




AWS Region

Choose AWS region

IAM Role

For use only when acquired on an AU in AWS. See below for more information on IAM Roles.

AWS IAM Access Key ID

Enter AWS IAM Access Key ID. Required if you do not use IAM Role.

AWS IAM Secret Access Key

Enter AWS IAM Secret Access Key. Required if you do not use IAM Role.

I understand AWS will bill me for API requests

Check this to verify your understanding that AWS bills you for API requests made by Insight polling

Advanced Configuration:



Include Extra Regions

Specify additional regions to include in polling.

Cross Account Role

Role for accessing resources in different AWS accounts.

Inventory Poll Interval (min)

Interval between inventory polls (default 60 minutes)

HTTP connection and socket timeout (sec)

HTTP connection timeout (default 300 seconds)

Include AWS tags

Check this to enable support for AWS tags in Insight annotations

Performance Poll Interval (sec)

Interval between performance polls (default 1800 seconds)

Mapping AWS tags to Insight annotations

The AWS EC2 data source includes an option that allows you to populate Insight annotations with tags configured on AWS. The annotations must be named exactly as the AWS tags. Insight will always populate same-named text-type annotations, and will make a "best attempt" to populate annotations of other types (number, boolean, etc). If your annotation is of a different type and the data source fails to populate it, it may be necessary to remove the annotation and re-create it as a text type.

Note that AWS is case-sensitive, while Insight is case-insensitive. So if you create an annotation named “OWNER” in Insight, and tags named “OWNER”, “Owner”, and “owner” in AWS, all of the AWS variations of “owner” will map to Insight's “OWNER” annotation.

Related Information:

Include Extra Regions

In the AWS Data Collector Advanced Configuration section, you can set the Include extra regions field to include additional regions, separated by comma or semi-colon. By default, this field is set to us-.*, which collects on all US AWS regions. To collect on all regions, set this field to .*.

If the Include extra regions field is empty, the data collector will collect on assets specified in the AWS Region field as specified in the Configuration section.

Collecting from AWS Child Accounts

Insight supports collection of child accounts for AWS within a single AWS data collector. Configuration for this collection is performed in the AWS environment:

  • You must configure each child account to have an AWS Role that allows the primary account ID to access EC2 details from the children account.

  • Each child account must have the role name configured as the same string

  • Enter this role name string into the Insight AWS Data Collector Advanced Configuration section, in the Cross Account Role field.

Best Practice: It is highly recommended to assign the AWS predefined AmazonEC2ReadOnlyAccess policy to the ECS primary account. Also, the user configured in the data source should have at least the predefined AWSOrganizationsReadOnlyAccesspolicy assigned, in order to query AWS.

Please see the following for information on configuring your environment to allow Insight to collect from AWS child accounts:

IAM Roles

When using IAM Role security, you must ensure that the role you create or specify has the appropriate permissions needed to access your resources.

For example, if you create an IAM role named InstanceEc2ReadOnly, you must set up the policy to grant EC2 read-only list access permission to all EC2 resources for this IAM role. Additionally, you must grant STS (Security Token Service) access so that this role is allowed to assume roles cross accounts.

After you create an IAM role, you can attach it when you create a new EC2 instance or any existing EC2 instance.

After you attach the IAM role InstanceEc2ReadOnly to an EC2 instance, you will be able to retrieve the temporary credential through instance metadata by IAM role name and use it to access AWS resources by any application running on this EC2 instance.

Note IAM role can be used only when the Acquisition Unit is running in an AWS instance.