View metrics for AWS accounts

This document describes how to view and monitor Amazon EC2 metrics with Cloud Monitoring. This page is intended for developers and system administrators who need to view and manage metrics for services and resources that are associated with AWS accounts.

Cloud Monitoring lets you import metrics from your Amazon Elastic Compute Cloud (Amazon EC2) instances and view them in the same context as your Google Cloud metrics. For example, you can create a dashboard with charts that display CPU utilization for your Amazon EC2 instances and your Compute Engine instances.

AWS connector projects

An AWS connector project is a Google Cloud project that lets Cloud Monitoring read metrics for a specific AWS account. The following diagram shows a Google Cloud project that has an AWS connector project as a monitored project. That AWS connector project reads the metrics from an AWS account and then stores those metrics:

An AWS connector project lets you read metrics from an AWS account.

The AWS connector project is created when you connect your AWS account to Google Cloud. For information about these steps, see Connect your AWS account to Google Cloud.

To display your AWS account metrics in multiple Google Cloud projects, connect your AWS account to Google Cloud, and then follow the steps in Add AWS connector projects to a metrics scope.

By default, the AWS connector project stores only Amazon EC2 metrics. To store your Amazon EC2 logs and system metrics, authorize and install the Logging agent and the Monitoring agent on those instances.

Before you begin

  • You must have an AWS account.

  • Define a naming convention for your AWS connector projects to make them identifiable. We recommend that an AWS connector project name includes identifying information about the AWS account it monitors. You can't change the AWS account monitored by an AWS connector project.

  • Determine if your AWS account is connected to Google Cloud.

    • If it isn't connected to Google Cloud, then follow the instructions in Connect your AWS account to a Google Cloud project.

      In these steps, an AWS connector project is created. Don't create multiple AWS connector projects for the same AWS account. AWS CloudWatch might throttle your metric collection when you create multiple AWS connector projects for the same AWS account.

    • If it is connected to Google Cloud, then you can add the AWS connector project to multiple metrics scopes. For information about these steps, see View AWS metrics in multiple metrics scopes.

  • Ensure that your Identity and Access Management (IAM) role on the scoping project lets you modify its metrics scope, and that you have sufficient permissions to create a Google Cloud project:

    • For a scoping project that isn't in an organization or a folder, you don't need any additional permissions.

    • For a scoping project that is in an organization but not a folder, you need permission to create a Google Cloud project at the organization level.

    • For a scoping project that is in a folder, you currently can't add the AWS account.

    For information about IAM roles for Cloud Monitoring, see Access control.

  • To understand the costs associated with ingesting your AWS account metrics into Cloud Monitoring, see Understand your costs.

Connect your AWS account to Google Cloud

  1. In the console, select Monitoring.
  2. Use the console project picker to select the Cloud project whose metrics scope you want to view or modify.
  3. In the Monitoring navigation pane, select Settings.
  4. In the Settings page, click Create AWS connector project.

  5. In the Create a connector project step, click Select a project.

  6. In the dialog, select New project and complete the new project dialog.

  7. Click Next to advance to the Authorize AWS for Monitoring step.

    In this step, you create an Amazon IAM role that grants Google Cloud read-only access to your AWS account, and then you provide that role's ARN to your Google Cloud project:

  8. Create an Amazon IAM role:

    1. Open a new window and log in to your AWS account, select the IAM page and then click Roles.
    2. Select Create Role.
    3. Select Another AWS account.
    4. In the Account ID text box, enter the account ID displayed in the Authorize AWS for Monitoring page of the Google Cloud console.
    5. Select Require external ID.
    6. In the External ID text box, enter the external ID displayed in the Authorize AWS for Monitoring page of the Google Cloud console.
    7. Leave Require MFA clear and then click Next: Permissions.
    8. In the permissions search bar, enter ReadOnlyAccess and then select ReadOnlyAccess.
    9. Expand Set Permission Boundary and ensure Create role without a permissions boundary is checked.
    10. Click Next: Tags.
    11. Click Next: Review.
    12. Enter a role name and description, and then click Create Role.
    13. Select the role you created to open its Summary page. Copy the Role ARN into your clipboard.
  9. In the Google Cloud console, paste the AWS Role ARN in the Role ARN text box and then click Add AWS Account.

    After you complete these steps, the AWS connector project is a monitored project for the current metrics scope. You can now view these AWS metrics from this metrics scope.

    After you add projects to a metrics scope, it takes about 60 seconds for changes to propagate through all Monitoring systems. Before you create a chart or alerting policy, wait at least 60 seconds. You might need to refresh the Google Cloud console page for the new metrics to be visible.

  10. (Optional) To view your AWS account metrics in multiple metrics scopes, add the AWS connector project to those metrics scopes. For information, see Add AWS connector projects to a metrics scope.

  11. (Optional) To collect AWS EC2 logs and system and application metrics and send them to your AWS connector project, authorize and install the Logging and Monitoring agents on your Amazon EC2 instances:
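The Amazon IAM role from step 8 can be checked after it is created. The following is an added example, not part of the original documentation: it audits a role's trust policy document for the expected trusted account, the `sts:ExternalId` condition, and the absence of an MFA requirement. The account ID `111122223333`, the external ID string, and the function names are assumptions; substitute the values displayed on the Authorize AWS for Monitoring page.

```python
import json

# Constructed sample: the trust policy shape that results from choosing
# "Another AWS account" with "Require external ID" selected and MFA clear.
# The account ID and external ID are placeholders, not real values.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    # A principal is either a bare 12-digit account ID or an ARN.
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 else principal

def audit_trust_policy(policy, account_id, external_id):
    """Return a list of findings; an empty list means the policy matches."""
    findings = []
    allows = [s for s in _as_list(policy.get("Statement", []))
              if s.get("Effect") == "Allow"
              and "sts:AssumeRole" in _as_list(s.get("Action", []))]
    if not allows:
        findings.append("no statement allows sts:AssumeRole")
    for stmt in allows:
        principal = stmt.get("Principal", {})
        # Flatten every principal type (AWS, Service, Federated) or a bare "*".
        names = ([v for vs in principal.values() for v in _as_list(vs)]
                 if isinstance(principal, dict) else [principal])
        for p in names or ["<none>"]:
            if _account_of(p) != account_id:
                findings.append(f"unexpected principal: {p}")
        cond = stmt.get("Condition", {})
        ext = cond.get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("sts:ExternalId condition missing")
        elif _as_list(ext) != [external_id]:
            findings.append("sts:ExternalId does not match")
        if "aws:multifactorauthpresent" in json.dumps(cond).lower():
            findings.append("MFA condition present (procedure leaves Require MFA clear)")
    return findings
```

To check a live role, pass in the role's trust policy document as exported from the role's Trust relationships tab.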

View AWS metrics in multiple metrics scopes

To add an existing AWS connector project to a metrics scope, do the following:

  1. In the console, select Monitoring.
  2. For each metrics scope that you want to use to view your AWS metrics, do the following:

    1. Use the console project picker to select the scoping project for the metrics scope.

    2. In the Monitoring navigation pane, select Settings.

    3. In the AWS Accounts in scope pane, click Add AWS connector project.

    4. Select the AWS connector projects that you want to add and then click Add projects.

      After you add projects to a metrics scope, it takes about 60 seconds for changes to propagate through all Monitoring systems. Before you create a chart or alerting policy, wait at least 60 seconds. You might need to refresh the Google Cloud console page for the new metrics to be visible.

Remove AWS connector projects from a metrics scope

When you remove a project from a metrics scope, the metrics stored in that project aren't accessible to the metrics scope. Removing a project from a metrics scope doesn't change the configuration of charts, dashboards, alerting policies, uptime checks, or groups that you defined. However, the time series displayed on charts and the time series monitored by alerting policies might change.

To remove AWS connector projects from a metrics scope, do the following:

  1. In the console, select Monitoring.
  2. Use the console project picker to select the Cloud project whose metrics scope you want to view or modify.
  3. In the Monitoring navigation pane, select Settings.
  4. In the AWS Accounts in scope pane, select the AWS connector projects that you want to remove and then click Remove project.

  5. Delete any AWS connector projects that you removed and that are no longer monitored projects.

List monitored projects

This section describes how to see which metrics, identified by the project where the metric data is stored, are visible to the currently selected project. For example, metrics stored in monitored projects are shown on charts and are monitored by alerting policies.

To display a list of monitored projects, do the following:

  1. In the console, select Monitoring.
  2. Use the console project picker to select the Cloud project whose metrics scope you want to view or modify.
  3. In the Monitoring navigation pane, click Expand on the Metrics scope field.

    The expanded pane displays the following information:

    • A list of the projects whose metrics are accessible to the current metrics scope.
    • A list of projects whose metrics scope includes the current project.

    The following screenshot shows the page that is displayed when the AllEnvironments project is selected:

    Sample of the page that lists the monitored projects.

    The previous screenshot shows that no other projects can access the metrics stored by the AllEnvironments project. It also shows that this project contains two monitored projects: one named Staging and the other named Production.

You can also see which projects the current metrics scope monitors by selecting Settings in the Monitoring navigation pane.

Select a different metrics scope

The project selected in the console project picker is the scoping project of the current metrics scope. There is a one-to-one relationship between a scoping project and a metrics scope.

To select a different metrics scope, select a different project with the console project picker.

View AWS account metrics

To view the metrics stored in your AWS connector project, do the following:

  1. In the console, select Monitoring.
  2. Select a metrics scope where the AWS connector project is a monitored project.

    To view your AWS account metrics, create a chart with Metrics Explorer or create a chart on a custom dashboard.

Stop ingestion of AWS account metrics

To stop ingestion of AWS account metrics and logs, delete the AWS connector project for that account.

Understand your costs

For information about pricing and free allotments, see Cloud Monitoring pricing.

Cloud Monitoring charges are based on the metrics ingested into a project. Charges for logging and metric data ingested by a monitored project are associated with the project's billing account. For AWS accounts, charges are applied to the billing accounts of the AWS connector projects.
