AWS plugin

For more information about what this plugin does and the data streams it retrieves, see:

Monitor your AWS environment, including EC2, Lambda Functions, CloudWatch and more.

To add a data source click on the + next to Data Sources on the left-hand menu in SquaredUp. Search for the data source and click on it to open the Configure data source page.

Before you start

Recommended authentication

SquaredUp uses IAM Role based authentication as the default method of connecting to AWS and providing permissions to the plugin.

To make this process as easy as possible, when configuring the data source and the IAM Role Based option is selected, you're presented with a Create IAM role button.

Clicking this button takes you to the Quick create stack page of the AWS console, where a CloudFormation template is automatically populated with the information needed to create an IAM role with read access to your AWS environment.

Simply click the Create stack button to begin role creation. This may take a few moments to complete and progress can be viewed on the Events tab of the Stack details page.

Once role creation has completed, select the Ouputs tab to view the rest of the credentials required for adding the data source to SquaredUp.

Alternative authentication

While IAM Role authentication is strongly encouraged, SquaredUp also supports IAM User based authentication when configuring the AWS data source. This requires The Access key ID and Secret access key of an IAM user with programmatic access.

When configuring the data stream and selecting an Authentication Type of IAM Role Based, complete the following fields:

Access Key ID: Enter the access key ID of the user.
Secret Access Key: Enter the secret access key of the user.
Target Regions: Specify the Target Regions for your AWS resources, i.e. us-east-2, eu-west-1.
Account ID: Enter your AWS Account ID.
Account Name: Enter a name to help you remember which account and credentials you have used above. For example, enter Prod to remind you that you used the production account details.

Additionally, if you don't want to use the IAM Role button to automatically generate credentials (although this is also strongly encouraged), you can choose to manually configure an IAM Role for the plugin.

Whether manually creating a role or user, it must be granted a ReadOnlyAccess AWS managed policy. This policy provides the necessary rights for the integration to function. Alternatively, this policy can also be used as a starting point for a custom policy if, for example, sensitive services need to be removed.

Warning: While it is possible to use a custom policy, restricting access can severely impact the usability of the plugin such as preventing the use of scoped data streams. The ability to search for objects can also be impacted

A small number of data streams do require additional access rights such as the AmazonTimestreamReadOnlyAccess AWS managed policy (required for the Timestream Query data stream), which are documented in the corresponding data stream sections of this article.

See AWS credentials - Programmatic access ,Creating an IAM user in your AWS account and Creating a role to delegate permissions to an IAM user.

Configuring the data source

Display Name:
Enter a name for your data source. This helps you to identify this data source in the list of your data sources.
Authentication Type:
Select one of the following options depending on your chosen authentication method:
- IAM Role Based:
  This is the default authentication method and strongly encouraged (see Authentication). Click the Create IAM Role button to generate the necessary credentials in AWS, then complete the following fields:
  - Role ARN: Copy and paste the RoleArn from AWS.
  - External ID: Copy and paste the ExternalId from AWS.
  - Target Regions: Copy and paste the Region from AWS.
  - Account ID: Copy and paste the AccountId from AWS.
  - Account Name: Enter a name to help you remember which account and credentials you have used above. For example, enter Prod to remind you that you used the production account details.
- IAM User Based:
  Supply the credentials for an IAM User with programmatic access. See
Install Sample Dashboards:
Select whether you would like to install sample dashboards with the data source. By default, this is set to on.

Restrict access to this data source:
You can enable this option if you only want certain users or groups to have access to the data source, or the permission to link it to new workspaces. See data source access control for more information.

The term data source here really means data source instance. For example, a user may configure two instances of the AWS data source, one for their development environment and one for production. In that case, each data source instance has its own access control settings.

By default, Restrict access to this data source is set to off. The data source can be viewed, edited and administered by anyone. If you would like to control who has access to this data source, switch Restrict access to this data source to on.

Use the Restrict access to this data source dropdown to control who has access to the workspace:

By default, the user setting the permissions for the data source will be given Full Control and the Everyone group will be given Link to workspace permissions.
Tailor access to the data source, as required, by selecting individual users or user groups from the dropdown and giving them Link to workspace or Full Control permissions.
If the user is not available from the dropdown, you are able to invite them to the data source by typing in their email address and then clicking Add. The new user will then receive an email inviting them to create an account on SquaredUp. Once the account has been created, they will gain access to the organization.
At least one user or group must be given Full Control.
Admin users can edit the configuration, modify the Access Control List (ACL) and delete the data source, regardless of the ACL chosen.

Access level	Permissions
Link to workspace	User can link the data source to any workspace they have at least Editor permissions for. Data from the data source can then be viewed by anyone with any access to the workspace. User can share the data source data with anyone they want. User cannot configure the data source in any way, or delete it.
Full Control	User can change the data source configuration, ACL, and delete the data source.

See Access control for more information.

Click Test and add to validate the data source configuration. SquaredUp will now attempt to connect to SquaredUp using the provided authentication method. If this process fails, see Testing and troubleshooting for assistance with the corresponding errors.
The index time will depend on the size of your AWS environment.

Testing and troubleshooting

The following errors or warnings may be displayed while using the data source. If you encounter an error, refer to the guidance below or contact [email protected] for assistance.

Error	What to do
Check AWS Access Credentials	Ensure that the AWS Access Key ID and Secret Access Key you are using are correct. Double-check for any typos or formatting issues.
Validate IAM Role Permissions	Ensure that the IAM role associated with your AWS account has the necessary permissions to access the AWS services and resources required. If you are using an External ID, confirm that it has been configured correctly in both the IAM role and the data source definition.
Review IAM Role Trust Relationships	Verify that the IAM role's trust relationship policy allows the correct AWS account to assume the role. This is especially important as cross-account access is being used

Next steps

Objects indexed

SquaredUp indexes the following objects. These objects are used to build dashboards and are visible when searching across SquaredUp. Drilling down into an object will provide useful metrics and properties.

Object	Description
Account	An AWS account is an entity that you create to use AWS services.
Cognito User Pool	Amazon Cognito user pools provide a secure user directory that scales to millions of users.
WAF WebACL	AWS WAF Web ACLs help protect web applications from common web exploits.
CloudWatch Alarm	CloudWatch Alarms send notifications or automatically make changes based on rules.
MWAA Workspace	Managed Workflows for Apache Airflow (MWAA) is a managed orchestration service for Apache Airflow.
ELB Target Group	Target groups are used to route requests to one or more registered targets (such as EC2 instances) in a load balancer.
ElastiCache Redis	Amazon ElastiCache for Redis is a blazing fast in-memory data store that provides sub-millisecond latency.
ElastiCache Memcached	Amazon ElastiCache for Memcached is a Memcached-compatible in-memory key-value store service.
Budget	AWS Budgets allows you to set custom cost and usage budgets and receive alerts when you exceed them.
Backup Job	AWS Backup enables you to centralize and automate data protection across AWS services.
Backup Plan	AWS Backup Plan enables you to define your backup requirements and then backup and restore across AWS services.

Data streams

The following data streams are installed with this plugin.

Data streams standardize data from all the different shapes and formats your tools use into a straightforward tabular format.

While creating a tile you can tweak data streams by grouping or aggregating specific columns.

Depending on the kind of data, SquaredUp will automatically suggest how to visualize the result, for example as a table or line graph.

Data streams can be either global or scoped:

Global data streams are unscoped and return information of a general nature (e.g. "Get the current number of unused hosts").
A scoped data stream gets information relevant to the specific set objects supplied in the tile scope (e.g. "Get the current session count for these hosts").

See Data Streams for more information.

Data stream	Description	Parameters
Actions	Shows the execution of actions within stages of pipelines.
All AWS Support Cases	Retrieves all support cases created in the specified time frame.
Budgets	Retrieves the details and states of the specified budgets.
Budget Alerts/Notifications	Retrieves the alerts and notifications for the specified budgets.
CloudWatch Logs	Displays CloudWatch Log data.	Region: Enter the AWS region to target. Log Groups: For each log group you wish to query, paste or type its name or ARN and then hit return. Limit: Enter the number of results per query returned. Query: Use a log insights query (using the syntax supported by the CloudWatch > Logs Insights page in the AWS console).
CloudWatch Alarms	Retrieves AWS CloudWatch alarm details.
CloudWatch Metric	Retrieves AWS metrics information for one or more objects.	Metric: Enter the metric name from CloudWatch. Statistic: Specify the required statistic. Note that the list of valid statistics varies from metric to metric; consult the AWS documentation page for the metric you are querying to find the list of valid statistics. Period: Enter the aggregation period for metric query; optionally with unit suffix, 's' for seconds (default), 'm' for minutes, 'h' for hours.
CloudWatch Metric List	List of CloudWatch metrics.
CloudWatch Metrics Query	Query CloudWatch Metric data using an Insights SQL query or raw metric source JSON.	Region: Specify the AWS region to target. Query: Enter a CloudWatch Metric Insights SQL Query (or copy the JSON from CloudWatch Metrics source tab). A `region` value must be supplied for each expression that refers to a row that is not in the default Region which you previously selected.
Concurrent Executions	The number of function instances that are processing events.
Cost (Account)	Retrieves AWS account cost/usage by service.
Cost (Account - Configurable)	Retrieves AWS account cost/usage by service.	Metric: Enter the metric name from the Cost Explorer. Granularity: Select the data granularity. Group By: Add grouping for the cost request by DIMENSION, TAG, or COST. Filter By: Add filtering for the cost request using an expression.
Cost Anomalies (Account)	Displays Cost Explorer Anomalies.
Cost Anomalies (Global)	Displays Cost Explorer Anomalies (un-scoped).
Cost (Global)	Retrieves AWS account cost/usage by service (un-scoped).
Cost (Global - Configurable)	Retrieves AWS account cost/usage by service (un-scoped).	Metric: Enter the metric name from the Cost Explorer. Granularity: Select the data granularity. Group By: Add grouping for the cost request by DIMENSION, TAG, or COST. Filter By: Add filtering for the cost request using an expression.
Count	The total number of API requests in a given period.
Data Processed	The amount of data processed in bytes.
Duration	The amount of time that your function code spends processing an event.
DynamoDB Metric	Retrieves AWS DynamoDB CloudWatch metrics information for one or more DynamoDB tables.	Metric: Enter the metric name from CloudWatch. Statistic: Specify the required statistic. The list of valid statistics varies from metric to metric- consult the AWS documentation page for the metric you are querying to find the list of valid statistics. Operation (optional): Enter the operation name from CloudWatch (only required for Table Operation metrics).
ELB Health	Retrieves the status of the specified Elastic Load Balancers.
Environment Status	Retrieves the status of the specified MWAA environments.
Errors	The number of invocations that result in a function error.
Executions	Returns the most recent executions of pipelines.
Instance Status Checks	Retrieves the instance status checks for the provided objects.
Instance Health	Retrieves the instance health for the provided objects.
Invocations	The number of times that your function code is invoked.
Logs	Displays CloudWatch Log data for the selected lambda functions.
Open AWS Support Cases (Anytime)	Retrieves open support cases.
Regions List	List of AWS Regions.
S3 Metric	Retrieves AWS S3 CloudWatch metrics information for one or more S3 buckets.	Metric: Enter the metric name from CloudWatch. Statistic: Specify the required statistic. The list of valid statistics varies from metric to metric- consult the AWS documentation page for the metric you are querying to find the list of valid statistics. Storage type: Choose between which storage type you want to use as a dimension in your CloudWatch query. Other Storage type: Choose between which storage type you want to use as a dimension in your CloudWatch query if not specified above.
State History	Retrieves AWS CloudWatch alarm state changes over time.
Stages	Shows the status of stages within a pipeline.
Status	Returns the status of scoped pipelines.
Synthetics Runs	Displays CloudWatch Synthetics historical runs.
Throttles	The number of invocation requests that are throttled.
Volume Health	Retrieves the instance health for the provided objects.

Was this article helpful?

Have more questions or facing an issue?

Submit a ticket