View metrics for AWS accounts

This page describes how to view and monitor AWS metrics with Cloud Monitoring. This page is intended for developers and system administrators who need to view and manage metrics for services and resources that are associated with AWS accounts.

Before you begin

  • If you aren't familiar with the terms metrics scope and scoping project, then see metrics scopes.

  • If you don't have an AWS account, then create that account before continuing with the instructions on this page.

  • Ensure that your Identity and Access Management (IAM) role on the scoping project lets you modify its metrics scope, and that you have sufficient permissions to create a Google Cloud project:

    • If the scoping project isn't in an organization or a folder, you don't need any additional permissions.

    • If the scoping project is in an organization but not a folder, then you need permission to create a Google Cloud project at the organization level.

    • If the scoping project is in a folder, you currently can't add the AWS account.

    For information about IAM roles for Monitoring, see Access control.

  • To understand the costs associated with ingesting your AWS account metrics into Cloud Monitoring, see Understand your costs.

AWS connector projects

An AWS connector project is a Google Cloud project that lets Cloud Monitoring read metrics for a specific AWS account. When you connect your AWS account to a Google Cloud project, you create the AWS connector project. The following diagram shows a Google Cloud project that has an AWS connector project as a monitored project. That AWS connector project reads the metrics from an AWS account and then stores those metrics:

An AWS connector project lets you read metrics from an AWS account.

By default, the AWS connector project stores only AWS metrics. To store your AWS logs and system metrics, authorize and install the Cloud Logging agent and the Cloud Monitoring agent on your Amazon Elastic Compute Cloud (Amazon EC2) instances.

AWS connector projects behave differently than typical projects:

  • These projects are created when you configure a metrics scope to monitor AWS account metrics.
  • You can't change the AWS account monitored by the AWS connector project.
  • AWS connector projects collect logs and metrics while the AWS connector project is a monitored project for at least one metrics scope. If you remove the AWS connector project from all metrics scopes, then collection of metric and log data stops after 2 hours.

Because of these behaviors, we recommend the following:

  • Always create a project specifically to be the AWS connector project. Don't use AWS connector projects for any other purpose.

  • Define a naming convention for your AWS connector projects to make them easy to identify.

  • Don't add a monitored project to the metrics scope of an AWS connector project.

  • To view the metrics stored in your AWS connector project, select a metrics scope where the AWS connector project is a monitored project. Don't select the AWS connector project with the Cloud Console project picker. This practice ensures that your AWS connector project is always a monitored project.

Configure Monitoring to read AWS account metrics

When you configure Monitoring to read your AWS account, you create an AWS connector project and an Amazon IAM role using authentication information provided by Monitoring for that project. The AWS connector project is automatically configured as a monitored project for the current metrics scope. After an AWS connector project is created, you can add it to other metrics scopes.

To configure an AWS account to let Google Cloud read its metrics, do the following:

  1. In the Google Cloud Console, select Monitoring.

  2. Select the Google Cloud project that you want to have access to your AWS account metrics.

  3. In the Monitoring navigation pane, select Settings.

  4. In the Settings page, click Create AWS connector project.

  5. In the Create a connector project step, click Select a project, and then create a project.

  6. Click Next to advance to the Authorize AWS for Monitoring step.

    In this step, you create an Amazon IAM role that grants Google Cloud read-only access to your AWS account, and then you provide that role's ARN to your Google Cloud project:

  7. Create an Amazon IAM role:

    1. Open a new window and log in to your AWS account, select the IAM page and then click Roles.
    2. Select Create Role.
    3. Select Another AWS account.
    4. In the Account ID text box, enter the account ID displayed in the Authorize AWS for Monitoring page of the Google Cloud Console.
    5. Select Require external ID. The external ID is a condition on the role's trust policy: a caller from the Google account ID above can assume the role only if it also presents this value, which prevents another tenant of the same Google account ID from assuming your role (the confused deputy problem).
    6. In the External ID text box, enter the external ID displayed in the Authorize AWS for Monitoring page of the Google Cloud Console.
    7. Leave Require MFA clear and then click Next: Permissions.
    8. In the permissions search bar, enter ReadOnlyAccess and then select ReadOnlyAccess. This AWS managed policy grants read access to all services in the account and no write access; it is broader than Monitoring strictly needs, but it is the policy this procedure expects.
    9. Expand Set Permission Boundary and ensure Create role without a permissions boundary is checked.
    10. Click Next: Tags.
    11. Click Next: Review.
    12. Enter a role name and description, and then click Create Role.
    13. Select the role you created to open its Summary page. Copy the Role ARN into your clipboard.
  8. In the Google Cloud Console, paste the AWS Role ARN in the Role ARN text box and then click Add AWS Account.
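The role created in step 7 is only as safe as its trust policy: if the sts:ExternalId condition is missing or the principal is widened to "*", any AWS caller that knows the Google account ID can assume the role and read your account. The following Python is an added example, not Google's or AWS's code. It builds the trust policy that the console wizard generates for "Another AWS account" with "Require external ID" selected, and audits a policy (in the shape `aws iam get-role` returns) for the two properties the wizard sets. The account ID, external ID and the sample policies are constructed placeholders; substitute the values shown on the Authorize AWS for Monitoring page.

```python
import json

# Constructed placeholders (not real identifiers): substitute the account ID and
# external ID that the Authorize AWS for Monitoring page displays.
GOOGLE_ACCOUNT_ID = "123456789012"
EXTERNAL_ID = "example-external-id"


def build_trust_policy(account_id, external_id):
    """Trust policy the IAM console generates for 'Another AWS account' with
    'Require external ID' selected: only the given account may call
    sts:AssumeRole, and only when it presents the given external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def audit_trust_policy(policy, account_id, external_id):
    """Return a list of findings for every Allow statement that grants
    sts:AssumeRole. An empty list means the policy matches the wizard's intent."""
    findings = []
    expected_arn = f"arn:aws:iam::{account_id}:root"
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):  # only "*" is valid as a bare string
            principals = [principal]
        else:
            principals = principal.get("AWS", [])
            principals = [principals] if isinstance(principals, str) else principals
        for p in principals:
            if p == "*":
                findings.append(f"statement {i}: any AWS principal may assume this role")
            elif p not in (expected_arn, account_id):
                findings.append(f"statement {i}: unexpected principal {p}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
        else:
            ext = [ext] if isinstance(ext, str) else ext
            if external_id not in ext:
                findings.append(f"statement {i}: sts:ExternalId does not match the console value")
    return findings


def sample_policies():
    """Constructed policies: the expected one plus three common mistakes."""
    expected = build_trust_policy(GOOGLE_ACCOUNT_ID, EXTERNAL_ID)
    missing_ext = build_trust_policy(GOOGLE_ACCOUNT_ID, EXTERNAL_ID)
    del missing_ext["Statement"][0]["Condition"]
    wildcard = build_trust_policy(GOOGLE_ACCOUNT_ID, EXTERNAL_ID)
    wildcard["Statement"][0]["Principal"] = {"AWS": "*"}
    stale = build_trust_policy(GOOGLE_ACCOUNT_ID, "old-external-id")
    samples = {
        "expected": expected,
        "missing_external_id": missing_ext,
        "wildcard_principal": wildcard,
        "stale_external_id": stale,
    }
    # Round-trip through JSON, as a policy read back from `aws iam get-role` would be.
    return {name: json.loads(json.dumps(p)) for name, p in samples.items()}


def audit_samples():
    """Audit every sample against the console values; returns {name: findings}."""
    return {name: audit_trust_policy(p, GOOGLE_ACCOUNT_ID, EXTERNAL_ID)
            for name, p in sample_policies().items()}


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(GOOGLE_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    for name, findings in audit_samples().items():
        print(f"{name}: {findings or 'OK'}")
```

To audit the real role, pass the `AssumeRolePolicyDocument` object from `aws iam get-role --role-name <name>` to `audit_trust_policy` with the account ID and external ID from the console page.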

After you complete these steps, the current metrics scope lists the AWS connector project as a monitored project. You can now view these AWS metrics from this metrics scope.

After you add projects to a metrics scope, it takes about 60 seconds for changes to propagate through all Monitoring systems. If after 60 seconds, the metrics for the added projects aren't available to you when you create a chart or an alerting policy, then refresh the Google Cloud Console page.

To collect AWS logs and system and application metrics and send them to your AWS connector project, authorize and install the Cloud Logging and Cloud Monitoring agents on your Amazon EC2 instances.

Add AWS connector projects to a metrics scope

To add AWS connector projects to a metrics scope, do the following:

  1. In the Google Cloud Console, select Monitoring.

  2. Ensure the project whose metrics scope you want to modify is selected.

  3. In the Monitoring navigation pane, select Settings.

  4. In the AWS Accounts in scope pane, click Add AWS connector project.

  5. Select the AWS connector projects that you want to add and then click Add projects.

    After you add projects to a metrics scope, it takes about 60 seconds for changes to propagate through all Monitoring systems. If after 60 seconds, the metrics for the added projects aren't available to you when you create a chart or an alerting policy, then refresh the Google Cloud Console page.

Remove AWS connector projects from a metrics scope

If you remove a project from a metrics scope, then the metrics stored in that project aren't accessible to the metrics scope. Removing a project from a metrics scope doesn't change the configuration of charts, dashboards, alerting policies, uptime checks, or groups that you defined. However, the time series displayed on charts and the time series monitored by alerting policies might change.

To remove AWS connector projects from a metrics scope, do the following:

  1. In the Google Cloud Console, select Monitoring.

  2. Ensure the project whose metrics scope you want to modify is selected.

  3. In the Monitoring navigation pane, select Settings.

  4. In the AWS Accounts in scope pane, select the AWS connector projects that you want to remove and then click Remove project.

  5. Delete any AWS connector projects that you removed and that are no longer monitored projects in any metrics scope. Collection of metric and log data stops about 2 hours after the project leaves its last metrics scope, so an orphaned connector project serves no purpose.

Stop ingestion of AWS account metrics

To stop ingestion of AWS account metrics and logs, delete the AWS connector project for that account.

Understand your costs

For information about pricing and free allotments, see Cloud Monitoring pricing.

Cloud Monitoring charges are based on the metrics ingested into a project. Charges for logging and metric data ingested by a monitored project are associated with the project's billing account. For AWS accounts, charges are applied to the billing accounts of the AWS connector projects.
